Saturday, August 5, 2017

Statically Compile Tor

The Onion Router (Tor) is a great open-source tool to help protect your privacy online. It's useful for journalists in hostile nations, and allows us the freedom to find information online without being tracked via IP address. It does this by bouncing your connections through multiple encrypted routers on the Tor network to hide the source of the request.

At Nullable Security, we sometimes use Tor as a transport mechanism for client penetration tests. We had a customer who wanted to simulate what an APT-style attack would look like when it originates from, or connects to, the Tor network. Most organizations don't have the level of network awareness to alert on such communications, and Tor traffic tends to go unnoticed. Whenever we use the Tor client in a customer engagement, we want the software to be as up-to-date and portable as possible, and we of course want to be transparent about the software we're running in their network. This post describes how we wrap up Tor for easy deployment.

The Tor software comes in three major forms: a browser bundle, an expert bundle, and source code. We'll be focusing on the Windows variants of Tor for this post. Most people use the browser bundle, which combines the Tor client with a hardened version of Firefox. The expert bundle contains just the Tor client. The source code contains all the code for Tor and its accessories. We have little use for the full browser bundle because we don't usually need a graphical browser for our pentesting tools. All we really need is a locally listening Tor SOCKS socket, which the expert bundle gives us. But when you download the Tor expert bundle, you'll see that it contains two top-level folders: Data and Tor. Data contains geoip data and isn't required for the Tor client to run. The Tor folder contains two executables and eight DLLs. Of the two executables, we only care about tor.exe, which needs six of those DLLs. We only want to deploy the single tor.exe, not all the required DLLs alongside it. To solve this, we will statically compile the Tor source code and link all the necessary DLL code into a single Tor binary. This also lets us use the most recent source code for Tor and its dependencies. We'll begin by getting the software we need to compile Tor.

MSYS2 is a software build environment similar to Cygwin, which we'll use to build Tor on Windows 10. Run the MSYS2 installer and accept all the defaults. We used the 64-bit 20161025 version of MSYS2. When the installer finishes it opens the MSYS command prompt, where we will install the packages needed to compile Tor. The pacman command fetches updates and dependencies. Run this command twice to make sure everything is updated (if pacman asks you to close the terminal after the first run, do so and reopen it before running it again).

   pacman -Syu

Now pull the build environment.

   pacman -S msys/make msys/perl msys/tar
   pacman -S mingw32/mingw-w64-i686-binutils msys/binutils
   pacman -S mingw32/mingw-w64-i686-gcc
   pacman -S mingw32/mingw-w64-i686-make
   pacman -S msys/pkg-config mingw32/mingw-w64-i686-pkg-config

Open the mingw32 console (C:\msys64\msys2_shell.cmd -mingw32) and enter these commands to create the working directories and extract the Tor source code and its dependencies. The commands assume the OpenSSL, zlib, libevent and Tor source tarballs have already been downloaded into your MSYS2 home directory.

   mkdir openssl && mkdir libevent && mkdir zlib && mkdir tor
   tar xvf openssl-1.0.2l.tar.gz -C openssl
   tar xvf zlib-1.2.11.tar.gz -C zlib
   tar xvf libevent-2.1.8-stable.tar.gz -C libevent   # tarball name inferred from the libevent directory used below
   tar xvf tor- -C tor

Set a few build environment variables.

   export INCLUDE_PATH="/mingw32/include:/mingw32/i686-w64-mingw32/include:$INCLUDE_PATH"
   export LIBRARY_PATH="/mingw32/lib:/mingw32/i686-w64-mingw32/lib:$LIBRARY_PATH"
   export BINARY_PATH="/mingw32/bin:/mingw32/i686-w64-mingw32/bin:$BINARY_PATH"

Compile zlib

   cd ~/zlib/zlib-1.2.11
   make -f win32/Makefile.gcc

Compile libevent

   cd ~/libevent/libevent-2.1.8-stable/
   ./configure --prefix="$HOME/libevent/install" --enable-static --disable-shared
   make && make install-strip

Compile OpenSSL

   cd ~/openssl/openssl-1.0.2l
   LDFLAGS="-static" ./Configure no-shared no-zlib no-asm --prefix="$HOME/openssl/install" -static mingw
   make depend && make && make install

Compile Tor

   cd ~/tor/tor-
   export LDFLAGS="-static -L $HOME/openssl/install/lib -L $HOME/libevent/install/lib -L $HOME/zlib/zlib-1.2.11 -L /mingw32/lib -L /mingw32/i686-w64-mingw32/lib"
   export CFLAGS="-I $HOME/openssl/install/include -I $HOME/zlib/zlib-1.2.11 -I $HOME/libevent/install/include"
   export LIBRARY_PATH="$HOME/openssl/install/lib:$HOME/libevent/install/lib:$HOME/zlib/zlib-1.2.11:/mingw32/lib:/mingw32/i686-w64-mingw32/lib"
   export INCLUDE_PATH="$HOME/openssl/install/include:$HOME/zlib/zlib-1.2.11:$HOME/libevent/install/include:/mingw32/include:/mingw32/i686-w64-mingw32/include"
   export BINARY_PATH="/mingw32/bin:/mingw32/i686-w64-mingw32/bin"
   export PKG_CONFIG_PATH="$HOME/openssl/install/lib/pkgconfig:$PKG_CONFIG_PATH"
   export LIBS="-lcrypt32"
   ./configure --disable-gcc-hardening --enable-static-tor --prefix="$HOME/tor/install" --with-libevent-dir="$HOME/libevent/install/lib" --with-openssl-dir="$HOME/openssl/install/lib" --with-zlib-dir="$HOME/zlib/zlib-1.2.11"
   make && make install-strip

And now we have a tor.exe binary in our MSYS2 home build directory. You can find it at the default path of C:\msys64\home\<username>\tor\install\bin. Here's a demonstration of Tor successfully bootstrapping to the network, using only the newly compiled tor.exe binary. A bonus attribute of your new binary: since it's custom compiled, it can be renamed/packed/crypted and made to listen on any port, so it's more likely to bypass AV signatures.
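Before deploying the binary it is worth confirming that libevent, OpenSSL and zlib really were linked in and that tor.exe only depends on DLLs that ship with Windows. The script below is an added example, not part of the original post: it runs objdump (from the msys/binutils package installed earlier) over the binary, extracts the "DLL Name:" entries from the import table and reports any DLL that is not on an assumed allowlist of standard Windows system libraries. The allowlist and the function names are our own; extend the list if your build legitimately pulls in another system DLL.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a freshly built
# tor.exe imports only Windows system DLLs, i.e. that libevent, OpenSSL and
# zlib were linked statically. Requires objdump from msys/binutils.

# Assumed allowlist of DLLs present on every Windows install (lowercase).
SYSTEM_DLLS="kernel32.dll advapi32.dll ws2_32.dll crypt32.dll iphlpapi.dll msvcrt.dll shell32.dll user32.dll ole32.dll shlwapi.dll"

# foreign_dlls: read `objdump -p` output on stdin and print every imported
# DLL that is not in SYSTEM_DLLS (case-insensitive). Returns 0 when the
# binary imports only system DLLs, 1 when at least one other DLL is needed.
foreign_dlls() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            *"DLL Name: "*) ;;
            *) continue ;;
        esac
        # Strip the label, normalise case and drop a stray CR from Windows tools.
        dll=${line##*DLL Name: }
        dll=$(printf '%s' "$dll" | tr 'A-Z' 'a-z' | tr -d '\r')
        case " $SYSTEM_DLLS " in
            *" $dll "*) ;;
            *) printf '%s\n' "$dll"; found=1 ;;
        esac
    done
    return $found
}

# check_static_tor PATH: run the check against a real PE binary.
# Usage: check_static_tor ~/tor/install/bin/tor.exe
check_static_tor() {
    objdump -p "$1" | foreign_dlls
}
```

An empty result with exit status 0 means the binary can be copied on its own; any name printed (for the 1.0.2 OpenSSL build that would be libeay32.dll or ssleay32.dll) means that library was still linked dynamically and the corresponding configure flags need another look.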

This executable can be passed a standard torrc configuration file, and may easily be embedded in other malware. For Blue-Team'ers, the most effective way to detect something like this is to watch for Tor traffic on the wire. Creating firewall blacklists and alerts for traffic to known Tor entry guard nodes will show you which hosts on your network may be running Tor-enabled software. Monitoring for traffic from Tor exit nodes will show you connections originating from the Tor network. You can retrieve IP lists from the Tor project and other third parties here.
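The following is an added example of that detection approach, not code from the original post. It assumes a relay list in a simple "<ip> guard|exit" format (built from the Tor project's published relay lists) and a firewall log with one "<time> <src-ip> <dst-ip> <dst-port>" line per connection; both formats and all addresses are constructed for the example, using RFC 5737 documentation ranges rather than real relays. Internal hosts connecting to guard relays are reported as likely Tor clients, and connections arriving from exit relays are reported as Tor-originated.

```shell
#!/bin/sh
# Added example (not from the original post): flag internal hosts that
# connect to known Tor guard relays and connections that arrive from known
# Tor exit relays, using a relay list and a firewall log.

# tor_hits RELAYS LOG
#   RELAYS: one relay per line, "<ip> <guard|exit>"            (assumed format)
#   LOG:    one connection per line, "<time> <src> <dst> <dport>" (assumed format)
# Prints one line per match, in log order.
tor_hits() {
    awk '
        # First file: remember each relay IP and its role.
        NR == FNR { role[$1] = $2; next }
        # Second file: internal host connecting out to an entry guard.
        ($3 in role) && role[$3] == "guard" { print "outbound-to-guard " $2 " -> " $3 ":" $4 }
        # Second file: connection arriving from an exit relay.
        ($2 in role) && role[$2] == "exit"  { print "inbound-from-exit " $2 " -> " $3 ":" $4 }
    ' "$1" "$2"
}

# tor_clients RELAYS LOG: distinct internal hosts seen contacting guards,
# i.e. the machines most likely running Tor-enabled software.
tor_clients() {
    tor_hits "$1" "$2" | awk '$1 == "outbound-to-guard" { print $2 }' | sort -u
}

# Constructed sample relay list (documentation addresses, not real relays).
write_sample_relays() {
    printf '%s\n' \
        '192.0.2.10 guard' \
        '192.0.2.11 guard' \
        '203.0.113.5 exit' > "$1"
}

# Constructed sample firewall log: two hosts reaching guards, one normal
# HTTPS connection, and one inbound connection from an exit relay.
write_sample_log() {
    printf '%s\n' \
        '2017-08-05T10:00:01 10.0.0.7 192.0.2.10 9001' \
        '2017-08-05T10:00:02 10.0.0.7 198.51.100.20 443' \
        '2017-08-05T10:00:03 203.0.113.5 10.0.0.80 443' \
        '2017-08-05T10:00:04 10.0.0.9 192.0.2.11 443' > "$1"
}

# demo: run the detection over the constructed sample data.
demo() {
    relays=$(mktemp) && log=$(mktemp)
    write_sample_relays "$relays"
    write_sample_log "$log"
    tor_hits "$relays" "$log"
    echo "hosts to investigate:"
    tor_clients "$relays" "$log"
    rm -f "$relays" "$log"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run the script with the argument demo to see it over the sample data, or call tor_hits with your own relay list and log export. Note that the guard match only works against connections on the wire at the network edge; the port is deliberately not used as a signal, since the second sample line shows a client reaching a guard on 443, the same port a custom-built tor.exe would be configured to use.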