Analysis of Traffic Generated by Tor Browser


Hugo Rodrigues

2019

Analysis of Traffic Generated by Tor Browser

FER – UNIVERSITY OF ZAGREB

HUGO RODRIGUES

CONTENTS

1. Brief Introduction to Tor Browser

2. NetworkMiner

3. Capturing TOR Traffic

4. Analysis of the Captured Traffic

5. Conclusion

References

1. BRIEF INTRODUCTION TO TOR BROWSER

The Tor (The Onion Router) Browser Bundle is the web browser used to access the Tor network. It is a modified version of Mozilla Firefox, altered in order to be safer and more secure.

Tor is a system that keeps its users anonymous on the Internet. Anonymity is achieved by directing Internet traffic through an overlay network of more than seven thousand relays, which conceals the user’s location and activity and protects them from anyone conducting network surveillance or traffic analysis. Tor makes it harder to trace Internet activity back to a particular user; its main goal is therefore to protect the personal privacy of its users.

Tor is useful for anyone who wants to keep their Internet activity away from advertisers, ISPs and web sites. We also have to keep in mind that it is still possible to link activity to a user even when Tor is used: entities like the NSA can see that the user is running Tor, which makes them more likely to target that specific user and try to figure out their identity. Although attacking the Tor network itself has proven difficult, the Tor Browser has been compromised by the NSA, and once they have access to the browser they can obtain the rest of the information, so “man in the middle” attacks are possible.

Figure 1. Tor Logo

2. NETWORKMINER

The Network Forensics Analysis Tool (NFAT) that I chose to analyze the traffic generated by the TOR browser was NetworkMiner.

NetworkMiner is an open source NFAT. It can be used as a passive network sniffer or packet capturing tool to detect operating systems, sessions, etc. without putting any traffic on the network. It can also parse PCAP files for offline analysis and reassemble transmitted files and certificates from them.

NetworkMiner makes Network Traffic Analysis (NTA) easier by presenting the extracted artifacts in an intuitive user interface. The way the data is presented is simpler and saves the analyst time.

In contrast to other sniffers like Wireshark, NetworkMiner's display focuses on hosts and their attributes rather than on raw packets.

Figure 2. NetworkMiner Logo

3. CAPTURING TOR TRAFFIC

Outgoing traffic generated by TOR is encrypted, so it is difficult to get relevant information once the traffic reaches the TOR network, but there is still a way to get information.

Tor installations have a SOCKS proxy listening on TCP port 9150 on localhost (127.0.0.1). This proxy is used by the TOR Browser, which connects to it to have its traffic encrypted and sent into the TOR network. This means that by sniffing traffic on localhost it is possible to create a solid forensic trail of all traffic a PC sends to and receives from the Tor network.

Figure 3. Diagram of the traffic in TOR
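As an added illustration of the loopback capture described in this section (example code written for this edit, not part of the report and not NetworkMiner's code): a small Python parser for the client side of the SOCKS5 exchange that Tor Browser performs with the local proxy on 127.0.0.1:9150. It shows why the destination hostname is visible on localhost even though the Tor circuit beyond the proxy is encrypted, and why page content is only recoverable when the site itself speaks plaintext HTTP. The byte strings are constructed sample data, not a real capture; the hostnames example.com and example.org, the path /login and the isolation credentials are placeholders.

```python
"""
Added example: parse the client-to-proxy half of a SOCKS5 session as seen on
127.0.0.1:9150 and turn it into a forensic trail record. Sample streams below
are constructed, not captured.
"""
import struct

SOCKS_VERSION = 0x05
AUTH_SUBNEG_VERSION = 0x01          # RFC 1929 username/password sub-negotiation
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def parse_socks5_client_stream(data: bytes) -> dict:
    """Walk the greeting, the optional RFC 1929 auth packet, the CONNECT
    request, and return host, port and whatever application bytes follow."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 stream")
    pos = 2 + data[1]                                   # skip offered auth methods
    if pos < len(data) and data[pos] == AUTH_SUBNEG_VERSION:
        # Tor Browser uses the SOCKS username/password fields as per-site
        # circuit-isolation tokens; they are not user secrets, so just skip them.
        ulen = data[pos + 1]
        plen = data[pos + 2 + ulen]
        pos += 3 + ulen + plen
    if len(data) < pos + 4 or data[pos] != SOCKS_VERSION:
        raise ValueError("truncated or invalid SOCKS5 request")
    cmd, atyp = data[pos + 1], data[pos + 3]
    if cmd != CMD_CONNECT:
        raise ValueError(f"unsupported SOCKS5 command {cmd:#04x}")
    pos += 4
    if atyp == ATYP_DOMAIN:                             # Tor Browser resolves names remotely
        length = data[pos]
        host = data[pos + 1:pos + 1 + length].decode("ascii")
        pos += 1 + length
    elif atyp == ATYP_IPV4:
        host = ".".join(str(b) for b in data[pos:pos + 4])
        pos += 4
    elif atyp == ATYP_IPV6:
        host = ":".join(f"{w:x}" for w in struct.unpack("!8H", data[pos:pos + 16]))
        pos += 16
    else:
        raise ValueError(f"unknown address type {atyp:#04x}")
    (port,) = struct.unpack("!H", data[pos:pos + 2])
    return {"host": host, "port": port, "payload": data[pos + 2:]}


def classify_payload(payload: bytes) -> dict:
    """Decide whether the bytes pushed through the proxy are readable
    (plaintext HTTP) or opaque (TLS) and extract the forensic fields."""
    if not payload:
        return {"protocol": "none"}
    if payload[0] == 0x16 and payload[1:2] == b"\x03":  # TLS handshake record
        return {"protocol": "tls"}                      # content stays opaque
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/"):
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
        return {
            "protocol": "http",
            "method": parts[0].decode("ascii"),
            "path": parts[1].decode("ascii"),
            "host_header": headers.get(b"host", b"").decode("ascii"),
            # Flagged, never decoded: this is the exposure the Credentials tab reports.
            "plaintext_credentials": b"authorization" in headers,
        }
    return {"protocol": "unknown"}


def forensic_record(stream: bytes) -> dict:
    """One trail entry per TCP connection to the local SOCKS port."""
    rec = parse_socks5_client_stream(stream)
    rec.update(classify_payload(rec.pop("payload")))
    return rec


def build_trail(streams):
    return [forensic_record(s) for s in streams]


# Constructed samples (placeholders, not from a real capture).
SAMPLE_HTTP = (
    b"\x05\x01\x00"                                     # greeting: one method, no auth
    + b"\x05\x01\x00\x03" + bytes([11]) + b"example.com" + b"\x00\x50"   # CONNECT :80
    + b"GET /login HTTP/1.1\r\nHost: example.com\r\n"
    + b"Authorization: Basic dXNlcjpwYXNz\r\n\r\n"      # constructed Basic header
)
SAMPLE_TLS = (
    b"\x05\x02\x00\x02"                                 # greeting: offers no-auth and user/pass
    + b"\x01\x03iso\x01x"                               # RFC 1929 packet: user "iso", pass "x"
    + b"\x05\x01\x00\x03" + bytes([11]) + b"example.org" + b"\x01\xbb"   # CONNECT :443
    + b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"       # TLS record header, truncated hello
)

if __name__ == "__main__":
    for entry in build_trail([SAMPLE_HTTP, SAMPLE_TLS]):
        print(entry)
```

In practice the input is each reassembled client-to-proxy TCP stream from the loopback PCAP (for instance via Wireshark's "Follow TCP Stream" export). The two samples make the key distinction: both connections reveal the destination name and port, but only the plaintext HTTP one yields method, path and a credential header, which is exactly what the Files and Credentials views later in the report depend on.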

4. ANALYSIS OF THE CAPTURED TRAFFIC

After starting a NetworkMiner capture on localhost (127.0.0.1) and browsing the web for some time via the TOR browser, I was able to generate a PCAP file with the contents necessary to demonstrate what content we can get using this NFAT.

Figure 4. First view of NetworkMiner

One of the first things noticeable on the first page of NetworkMiner is the operating system the person used; in this case it was Windows. We can also see the number of packets sent and received by the computer. Furthermore, if we open the Host Details option we get a quick view of some of the websites that were visited.

Figure 5. View of Host Details

Looking at the Files tab, we can see a list of all the files that have been reassembled from the analyzed PCAP file.

Figure 6. View of the File tab

Here we have a large collection of files. Some of them are HTML files, and by opening one of them we can see a reconstruction of the web page as it was at the moment we visited it.

Figure 7. HTML page generated in NetworkMiner

There are also other interesting files, for example the CSS files of some of the pages.

Figure 8. CSS file generated in NetworkMiner

NetworkMiner also extracts the JPEG and PNG images that were loaded when we visited some of the websites.

Figure 9. Images view in NetworkMiner

Another tab worth looking at is the Credentials tab. Here, if the user logs into a website that does not protect the username and password, the credentials the user used to log into the website are visible.

Figure 10. View of the credentials tab

5. CONCLUSION

By using NetworkMiner it is possible to get a good log of what someone running the TOR browser was doing on their computer, so anyone secretly running NetworkMiner on somebody else’s computer can obtain information on what they did in the TOR browser. There are more features available in NetworkMiner, but the more relevant ones are only available in the paid version of the software; what I did here used the free version.

REFERENCES

1. https://www.netresec.com/?page=Networkminer

2. https://www.torproject.org/

3. https://www.torproject.org/projects/torbrowser.html

4. https://en.wikipedia.org/wiki/Tor_(anonymity_network)

5. https://sectools.org/tool/networkminer/

6. https://www.netresec.com/?page=Blog&month=2018-12&post=TorPCAP---Tor-Network-Forensics

7. http://www.vetstreet.com/