Trac issue #6710
Closed (moved)
Created Aug 27, 2012 by Trac@tracbot

Tor Relays accept arbitrary destination address and port and leak information about reachability

Tor relays accept arbitrary destination address/port combinations, including RFC1918 addresses, in EXTEND commands, and leak information about reachability. Here's a little, unreliable, pretty much broken PoC: https://github.com/thejh/tor/compare/master...fake_relay

Usage: Configure the target relay as a bridge, set loglevel to notice and run the modified tor client with some IP and port in the bridge's network as the last two parameters (for some reason, it seems like the IP has to be in backwards notation... don't ask me why).

Example:

$ src/or/tor -f torrc 1.178.168.192 80
[...]
Aug 27 10:30:34.000 [notice] CREATING SPOOFED CIRCUIT
Aug 27 10:30:34.000 [notice] CIRCUIT WAS DESTROYED

$ src/or/tor -f torrc 2.178.168.192 80
[...]
Aug 27 10:30:00.000 [notice] CREATING SPOOFED CIRCUIT
Aug 27 10:30:03.000 [notice] CIRCUIT WAS DESTROYED

192.168.178.1 is up, 192.168.178.2 is down. As you can see, the response time reflects this.

If there are firewalls that DROP traffic to ports that aren't whitelisted, it might even be possible to scan them to figure out which ports are whitelisted, thereby figuring out operating system and network structure details.

Also, it might be possible to extend this attack if the relay uses global IP sequence numbers - opening a TCP connection, exchanging packets and closing it certainly takes more IP packets than one SYN packet, right? This would mean that a variant of idle scanning could be used.

Trac:
Username: thejh
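The mitigation side of this report is a destination check on the relay: before a relay honours an EXTEND (or any other relay-side connect request), it should refuse targets inside RFC1918 and other non-routable ranges so that its own LAN cannot be probed through it. The C below is an added, self-contained illustration of such a check written for this page; it is not code from the tor project or from the PoC branch linked above, and the range table, function names and port rule are assumptions of this example. Addresses are given in ordinary dotted-quad notation, not the reversed form the PoC happens to need.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Parse a dotted-quad IPv4 string into a host-order uint32.
 * Returns 1 on success, 0 if the string is not a well-formed address. */
static int parse_ipv4(const char *s, uint32_t *out) {
    unsigned a, b, c, d;
    char tail;
    /* The trailing %c catches garbage after the fourth octet. */
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Ranges a relay should never open a connection to on behalf of a client.
 * This table is an assumption of the example, not tor's own policy list. */
struct cidr { uint32_t net; unsigned bits; const char *name; };
static const struct cidr blocked_ranges[] = {
    { 0x00000000u,  8, "this-network 0/8" },
    { 0x0A000000u,  8, "RFC1918 10/8" },
    { 0x7F000000u,  8, "loopback 127/8" },
    { 0xA9FE0000u, 16, "link-local 169.254/16" },
    { 0xAC100000u, 12, "RFC1918 172.16/12" },
    { 0xC0A80000u, 16, "RFC1918 192.168/16" },
    { 0xE0000000u,  4, "multicast 224/4" },
    { 0xF0000000u,  4, "reserved 240/4" },
};

/* True if addr falls inside the given CIDR block. */
static int in_cidr(uint32_t addr, const struct cidr *c) {
    uint32_t mask = c->bits == 0 ? 0 : (0xFFFFFFFFu << (32 - c->bits));
    return (addr & mask) == (c->net & mask);
}

/* Decide whether an EXTEND target may be connected to.
 * Returns NULL when the target is acceptable, otherwise a short reason
 * (the name of the matching blocked range, or a parse/port failure). */
const char *extend_target_blocked(const char *ip_str, unsigned port) {
    uint32_t addr;
    if (!parse_ipv4(ip_str, &addr)) return "unparseable address";
    if (port == 0 || port > 65535) return "invalid port";
    for (size_t i = 0; i < sizeof blocked_ranges / sizeof blocked_ranges[0]; i++)
        if (in_cidr(addr, &blocked_ranges[i])) return blocked_ranges[i].name;
    return NULL;
}

int main(void) {
    /* Constructed sample targets: the two LAN hosts from the report plus a public one. */
    const char *targets[] = { "192.168.178.1", "192.168.178.2", "8.8.8.8" };
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++) {
        const char *why = extend_target_blocked(targets[i], 80);
        printf("%s:80 -> %s\n", targets[i], why ? why : "allowed");
    }
    return 0;
}
```

With this in place both 192.168.178.1 and 192.168.178.2 are refused before any SYN is sent, so the up/down timing difference shown in the log above never arises for internal hosts. The check is only part of the fix: for addresses that are allowed, connect latency still reveals reachability, which is why a relay should also avoid reporting connect failures back to the extending party faster than successes.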
