29 May 2012

TOR + Polipo + Firefox + Tsocks + console tools | Complete Tor setup, including Vidalia functionality without a GUI, all from the console

Configuring TOR + Polipo + Vidalia WITHOUT a GUI + extras

Complete TOR setup



As you may know, I use SL6.2, a clone of RHEL 6.2, as is CentOS, so this is valid for either of them, as well as for Fedora.
First of all, a few clarifications.

1.- The torsocks package is not in Fedora or in RHEL, only tsocks, the old version, since it was originally written for Debian; anyone who wants to can compile it and tell me how it goes. It is available in openSUSE, but I have not tested it.

2.- This is a 100% complete tutorial covering all the uses of TOR from the console, that is, without a GUI, but with the functionality of Vidalia and other goodies.


Given my problem of not having Vidalia on SL (though it is available on Fedora), I set about finding ways to manage TOR from the console and keep control over it without using the GUI. As a bonus, it is faster, as you will see, much faster!

Packages to install:

tor (if you use CentOS, RHEL or SL, from rpmforge)
polipo (same as above)
tsocks (if you use CentOS, RHEL or SL, from the EPEL repo)
lynx
sh
bash
nc (netcat)

Let's begin:

yum install tor
yum install polipo
yum install lynx
yum install nc
yum --disablerepo=rpmforge install tsocks

We now have the essentials installed; let's start the configuration.

First of all, let's configure TOR. Use your preferred editor (nano, vim, vi) and edit /etc/tor/torrc
The tested config is this:



## Configuration file for a typical Tor user
## Last updated 16 July 2009 for Tor 0.2.2.1-alpha.
## (May or may not work for much older or much newer versions of Tor.)
##
## Lines that begin with "## " try to explain what's going on. Lines
## that begin with just "#" are disabled commands: you can enable them
## by removing the "#" symbol.
##
## See 'man tor', or https://www.torproject.org/tor-manual.html,
## for more options you can use in this file.
##
## Tor will look for this file in various places based on your platform:
## https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#torrc


## Replace this with "SocksPort 0" if you plan to run Tor only as a
## relay, and not make any local application connections yourself.
SocksPort 9050 # what port to open for local application connections
SocksListenAddress 127.0.0.1 # accept connections only from localhost
#SocksListenAddress 192.168.0.1:9100 # listen on this IP:port also

## Entry policies to allow/deny SOCKS requests based on IP address.
## First entry that matches wins. If no SocksPolicy is set, we accept
## all (and only) requests from SocksListenAddress.
#SocksPolicy accept 192.168.0.0/16
SocksPolicy accept 192.168.X.X # REPLACE "X" WITH THE IP AND RANGE OF YOUR PC
#SocksPolicy reject *

## Logs go to stdout at level "notice" unless redirected by something
## else, like one of the below lines. You can have as many Log lines as
## you want.
##
## We advise using "notice" in most cases, since anything more verbose
## may provide sensitive information to an attacker who obtains the logs.
##
## Send all messages of level 'notice' or higher to /var/log/tor/notices.log
#Log notice file /var/log/tor/notices.log
## Send every possible message to /var/log/tor/debug.log
##Log debug file /var/log/tor/debug.log
## Use the system log instead of Tor's logfiles
Log notice syslog
## To send all messages to stderr:
#Log debug stderr

## Uncomment this to start the process in the background... or use
## --runasdaemon 1 on the command line. This is ignored on Windows;
## see the FAQ entry if you want Tor to run as an NT service.
RunAsDaemon 1

## The directory for keeping all the keys/etc. By default, we store
## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
DataDirectory /var/lib/tor

## The port on which Tor will listen for local connections from Tor
## controller applications, as documented in control-spec.txt.
ControlPort 9051
## If you enable the controlport, be sure to enable one of these
## authentication methods, to prevent attackers from accessing it.
#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C
#CookieAuthentication 1

############### This section is just for location-hidden services ###

## Once you have configured a hidden service, you can look at the
## contents of the file ".../hidden_service/hostname" for the address
## to tell people.
##
## HiddenServicePort x y:z says to redirect requests on port x to the
## address y:z.

#HiddenServiceDir /var/lib/tor/hidden_service/
#HiddenServicePort 80 127.0.0.1:80

#HiddenServiceDir /var/lib/tor/other_hidden_service/
#HiddenServicePort 80 127.0.0.1:80
#HiddenServicePort 22 127.0.0.1:22

################ This section is just for relays #####################
#
## See https://www.torproject.org/docs/tor-doc-relay for details.

## Required: what port to advertise for incoming Tor connections.
#ORPort 9001
## If you want to listen on a port other than the one advertised
## in ORPort (e.g. to advertise 443 but bind to 9090), uncomment the
## line below too. You'll need to do ipchains or other port forwarding
## yourself to make this work.
#ORListenAddress 0.0.0.0:9090

## A handle for your relay, so people don't have to refer to it by key.
#Nickname ididnteditheconfig

## The IP address or full DNS name for your relay. Leave commented out
## and Tor will guess.
#Address noname.example.com

## Define these to limit how much relayed traffic you will allow. Your
## own traffic is still unthrottled. Note that RelayBandwidthRate must
## be at least 20 KB.
#RelayBandwidthRate 100 KB  # Throttle traffic to 100KB/s (800Kbps)
#RelayBandwidthBurst 200 KB # But allow bursts up to 200KB/s (1600Kbps)

## Use these to restrict the maximum traffic per day, week, or month.
## Note that this threshold applies to sent _and_ to received bytes,
## not to their sum: Setting "4 GB" may allow up to 8 GB
## total before hibernating.
##
## Set a maximum of 4 gigabytes each way per period.
#AccountingMax 4 GB
## Each period starts daily at midnight (AccountingMax is per day)
#AccountingStart day 00:00
## Each period starts on the 3rd of the month at 15:00 (AccountingMax
## is per month)
#AccountingStart month 3 15:00

## Contact info to be published in the directory, so we can contact you
## if your relay is misconfigured or something else goes wrong. Google
## indexes this, so spammers might also collect it.
#ContactInfo Random Person <nobody AT example dot com>
## You might also include your PGP or GPG fingerprint if you have one:
#ContactInfo 1234D/FFFFFFFF Random Person <nobody AT example dot com>

## Uncomment this to mirror directory information for others. Please do
## if you have enough bandwidth.
#DirPort 9030 # what port to advertise for directory connections
## If you want to listen on a port other than the one advertised
## in DirPort (e.g. to advertise 80 but bind to 9091), uncomment the line
## below too. You'll need to do ipchains or other port forwarding yourself
## to make this work.
#DirListenAddress 0.0.0.0:9091
## Uncomment to return an arbitrary blob of html on your DirPort. Now you
## can explain what Tor is if anybody wonders why your IP address is
## contacting them. See contrib/tor-exit-notice.html in Tor's source
## distribution for a sample.
#DirPortFrontPage /etc/tor/tor-exit-notice.html

## Uncomment this if you run more than one Tor relay, and add the identity
## key fingerprint of each Tor relay you control, even if they're on
## different networks. You declare it here so Tor clients can avoid
## using more than one of your relays in a single circuit. See
## https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#MultipleServers
#MyFamily $keyid,$keyid,...

## A comma-separated list of exit policies. They're considered first
## to last, and the first match wins. If you want to _replace_
## the default exit policy, end this with either a reject *:* or an
## accept *:*. Otherwise, you're _augmenting_ (prepending to) the
## default exit policy. Leave commented to just use the default, which is
## described in the man page or at
## https://www.torproject.org/documentation.html
##
## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses
## for issues you might encounter if you use the default exit policy.
##
## If certain IPs and ports are blocked externally, e.g. by your firewall,
## you should update your exit policy to reflect this -- otherwise Tor
## users will be told that those destinations are down.
##
#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more
#ExitPolicy accept *:119 # accept nntp as well as default exit policy
#ExitPolicy reject *:* # no exits allowed
#
## Bridge relays (or "bridges") are Tor relays that aren't listed in the
## main directory. Since there is no complete public list of them, even if an
## ISP is filtering connections to all the known Tor relays, they probably
## won't be able to block all the bridges. Also, websites won't treat you
## differently because they won't know you're running Tor. If you can
## be a real relay, please do; but if not, be a bridge!
#BridgeRelay 1
#ExitPolicy reject *:*
#mapaddress 10.40.40.40 p4fsi4ockecnea7l.onion


That is the config for /etc/tor/torrc
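
The torrc above opens ControlPort 9051 while both authentication lines stay commented out, and its SocksPolicy line carries a placeholder that has to be edited. The following check is an added example, not part of the original post: it flags those conditions in a torrc. The function names audit_torrc and active_value are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit a torrc for the client-side
# settings discussed above. One finding per line; exit status = number of findings.

# active_value FILE KEY -> value of every uncommented KEY line, trailing comment removed
active_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) {
        sub(/[ \t]*#.*/, ""); $1 = ""; sub(/^[ \t]+/, ""); print
    }' "$1"
}

audit_torrc() {
    torrc=$1
    findings=0

    # ControlPort enabled but neither authentication method active
    cport=$(active_value "$torrc" ControlPort)
    if [ -n "$cport" ] && [ "$cport" != "0" ]; then
        hashed=$(active_value "$torrc" HashedControlPassword)
        cookie=$(active_value "$torrc" CookieAuthentication)
        if [ -z "$hashed" ] && [ "$cookie" != "1" ]; then
            echo "ControlPort $cport has no HashedControlPassword or CookieAuthentication"
            findings=$((findings + 1))
        fi
    fi

    # SOCKS listener bound to something other than loopback
    for addr in $(active_value "$torrc" SocksListenAddress); do
        case $addr in
            127.*|localhost*|\[::1\]*) ;;
            *) echo "SocksListenAddress $addr is reachable from other hosts"
               findings=$((findings + 1)) ;;
        esac
    done

    # The tutorial's 192.168.X.X placeholder was never edited
    if active_value "$torrc" SocksPolicy | grep -q '\.X'; then
        echo "SocksPolicy still contains the X placeholder"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Stand-alone use: pass the path of the torrc to audit
if [ "$#" -gt 0 ]; then
    audit_torrc "$1"
    exit $?
fi
```

A value for HashedControlPassword can be generated with tor --hash-password.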

Now, what is Polipo? I won't go into much detail, only the basics; anyone who wants to know more, as always: RTFM, Google it!

Polipo is a caching proxy similar to Privoxy, used to send HTTP requests through SOCKS5.

Polipo configuration: edit /etc/polipo/config with nano or vim; the tested config is this:


# Sample configuration file for Polipo. -*-sh-*-

# You should not need to use a configuration file; all configuration
# variables have reasonable defaults.  If you want to use one, you
# can copy this to /etc/polipo/config or to ~/.polipo and modify.

# This file only contains some of the configuration variables; see the
# list given by ``polipo -v'' and the manual for more.

### Configuration from Fedora RPM
### *****************************
daemonise = true
pidFile = /var/run/polipo/polipo.pid

### Basic configuration
### *******************

# Uncomment one of these if you want to allow remote clients to
# connect:

# proxyAddress = "::0"        # both IPv4 and IPv6
# proxyAddress = "0.0.0.0"    # IPv4 only

# If you do that, you'll want to restrict the set of hosts allowed to
# connect:

allowedClients = "127.0.0.1"
# allowedClients = "127.0.0.1, 134.157.168.0/24"

# Uncomment this if you want your Polipo to identify itself by
# something else than the host name:

# proxyName = "polipo.example.org"

# Uncomment this if there's only one user using this instance of Polipo:

cacheIsShared = false

# Uncomment this if you want to use a parent proxy:

# parentProxy = "squid.example.org:3128"

# Uncomment this if you want to use a parent SOCKS proxy:

socksParentProxy = "localhost:9050"
socksProxyType = socks5


### Memory
### ******

# Uncomment this if you want Polipo to use a ridiculously small amount
# of memory (a hundred C-64 worth or so):

# chunkHighMark = 819200
# objectHighMark = 128

# Uncomment this if you've got plenty of memory:

chunkHighMark = 50331648
objectHighMark = 16384


### On-disk data
### ************

# Uncomment this if you want to disable the on-disk cache:

# diskCacheRoot = ""

# Uncomment this if you want to put the on-disk cache in a
# non-standard location:

# diskCacheRoot = "~/.polipo-cache/"

# Uncomment this if you want to disable the local web server:

localDocumentRoot = ""

# Uncomment this if you want to enable the pages under /polipo/index?
# and /polipo/servers?.  This is a serious privacy leak if your proxy
# is shared.

# disableIndexing = false
# disableServersList = false


### Domain Name System
### ******************

# Uncomment this if you want to contact IPv4 hosts only (and make DNS
# queries somewhat faster):

dnsQueryIPv6 = no

# Uncomment this if you want Polipo to prefer IPv4 to IPv6 for
# double-stack hosts:

# dnsQueryIPv6 = reluctantly

# Uncomment this to disable Polipo's DNS resolver and use the system's
# default resolver instead.  If you do that, Polipo will freeze during
# every DNS query:

# dnsUseGethostbyname = yes


### HTTP
### ****

# Uncomment this if you want to enable detection of proxy loops.
# This will cause your hostname (or whatever you put into proxyName
# above) to be included in every request:

# disableVia=false

# Uncomment this if you want to slightly reduce the amount of
# information that you leak about yourself:

censoredHeaders = from, accept-language
censorReferer = maybe

# Uncomment this if you're paranoid.  This will break a lot of sites,
# though:

# censoredHeaders = set-cookie, cookie, cookie2, from, accept-language
# censorReferer = true

# Uncomment this if you want to use Poor Man's Multiplexing; increase
# the sizes if you're on a fast line.  They should each amount to a few
# seconds' worth of transfer; if pmmSize is small, you'll want
# pmmFirstSize to be larger.

# Note that PMM is somewhat unreliable.

# pmmFirstSize = 16384
# pmmSize = 8192

# Uncomment this if your user-agent does something reasonable with
# Warning headers (most don't):

# relaxTransparency = maybe

# Uncomment this if you never want to revalidate instances for which
# data is available (this is not a good idea):

# relaxTransparency = yes

# Uncomment this if you have no network:

# proxyOffline = yes

# Uncomment this if you want to avoid revalidating instances with a
# Vary header (this is not a good idea):

# mindlesslyCacheVary = true


Good, we now have tor + polipo. We could now add the FoxyProxy add-on to Firefox and set it up: HTTP proxy, port 8123; untick SOCKS and leave only HTTP, address 127.0.0.1, port 8123.

With the proxy enabled in FoxyProxy we would be browsing via TOR; you can check this on pages such as http://icanhazip.com

However, some things are still missing: finding out the TOR IP without using a browser, renewing it without restarting the TOR daemon, and starting and stopping Polipo and TOR. So?

First, to start or stop TOR only, we use this command:

torctl start   # for Fedora users: service tor start or systemctl start tor.service
torctl stop

This assumes it is done as root, or with su -c "torctl start"; to be clear, I don't use sudo.

Now, what if I want to start everything together because I want to browse in TOR mode? For that I created a script called torhttp, and here it is:


#!/bin/sh

# torhttp: shell script to start and stop tor and polipo from the command line
# Description: Shell script to start / stop torhttp
# Licence: GNU GPLv2
# Author SynFlag

# Start Tor first so Polipo's SOCKS parent (localhost:9050) is available
start() {
    service tor start
    service polipo start
}

# Stop both daemons
stop() {
    service tor stop
    service polipo stop
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    *)
        # Missing or unknown argument: print usage in bold white and fail
        printf '\033[1;37m - Uso: torhttp [start | stop] - \033[0m\n'
        exit 2
        ;;
esac

exit 0

Usage is easy: torhttp start, stop. It is run as root, since TOR requires those permissions; to do it safely:

su -c "torhttp start"
su -c "torhttp stop"

Good, we can now start TOR + Polipo to browse, but how do we find out the IP? And better still, how do we browse from the console, with elinks or lynx? Let's get to it.

I have created a script that does the same as Vidalia, the Tor GUI, but without a GUI, on the command line, called tornew

tornew code:

#!/bin/sh
# Author SynFlag
# Licence GNU GPLv2
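# Script to renew the TOR identity and show the new IP from the command line

# Send three commands to the Tor control port (9051): authenticate,
# request a new identity (NEWNYM), and close the session
nc localhost 9051 << HERE
AUTHENTICATE "123456"
SIGNAL NEWNYM
QUIT
HERE
# Wait for Tor to switch to new circuits
sleep 2
# Fetch the exit IP through Tor (tsocks + lynx) and print it in bold red on white
echo -e '\E[47;31m'"\033[1m"Nueva IP: `tsocks lynx -connect_timeout=5 -noreferer -dump http://tnx.nl/ip`"\033[0m"
exit 0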

You can run that as a normal user, WITHOUT root, which is the idea, and it will show you the IP in colour. The output looks something like this:

~]$tornew
250 OK
250 OK
250 closing connection
06:47:37 libtsocks(12517): Call to connect received on completed request 3
Nueva IP: 173.254.216.67
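
The tornew script hard-codes the control password in a file every user can read and never looks at the replies from port 9051. As an added example (not the author's script), the variant below reads the password from a per-user file and succeeds only if both AUTHENTICATE and SIGNAL NEWNYM answer 250 OK; the path in CONTROL_PW_FILE and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): NEWNYM request in the style of
# tornew, with the password kept out of the script and the replies verified.
# CONTROL_PW_FILE is an assumed location for a one-line password file.
CONTROL_PW_FILE=${CONTROL_PW_FILE:-$HOME/.tor-control-pw}

# Build the three control-port commands; refuse a password file that
# group or others can access (anything looser than mode 0600).
build_request() {
    pwfile=$1
    [ -r "$pwfile" ] || { echo "cannot read $pwfile" >&2; return 1; }
    perms=$(ls -ld "$pwfile" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$pwfile must be mode 0600 or stricter" >&2; return 1; }
    pw=$(head -n 1 "$pwfile")
    case $pw in
        *\"*|*\\*) echo "password must not contain quotes or backslashes" >&2; return 1 ;;
    esac
    # Control-port commands are terminated with CRLF
    printf 'AUTHENTICATE "%s"\r\nSIGNAL NEWNYM\r\nQUIT\r\n' "$pw"
}

# Read the control-port transcript on stdin. Succeed only if the first two
# replies (to AUTHENTICATE and SIGNAL NEWNYM) are both exactly "250 OK".
replies_ok() {
    tr -d '\r' | awk 'NR <= 2 && $0 != "250 OK" { bad = 1 }
                      END { exit (bad || NR < 2) }'
}

renew_identity() {
    req=$(build_request "$CONTROL_PW_FILE") || return 1
    printf '%s\n' "$req" | nc localhost 9051 | replies_ok
}

# Run only when invoked as "<script> run", so the functions can also be sourced
if [ "${1:-}" = "run" ]; then
    if renew_identity; then
        echo "NEWNYM accepted"
    else
        echo "NEWNYM failed" >&2
        exit 1
    fi
fi
```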

However, for this script to work, we need two more, called ip-ex and ip-tor

ip-ex will tell us our public IP, while ip-tor tells us the public Tor IP.


ip-ex code:


#!/bin/sh
# Author: SynFlag
# Licence: GNU GPLv2
# IP-EX: script to find out the public IP from the command line

curl -s --connect-timeout 2 http://icanhazip.com

ip-tor code:


#!/bin/sh
# Author: SynFlag
# Licence: GNU GPLv2
# IP-TOR: script to find out the public TOR IP from the command line

echo -e '\E[47;31m'"\033[1m"IP TOR: `tsocks lynx -connect_timeout=5 -noreferer -dump http://tnx.nl/ip`"\033[0m"


Right, these scripts are saved in /usr/local/bin/ and made executable with chmod +x, the same as torhttp.
So, as root, we do:

cd /usr/local/bin

This is where we previously created or moved the scripts, which do NOT have a .sh extension (it is not necessary). Their names are:

torhttp
tornew
ip-ex
ip-tor

For each one, we run chmod +x name to give it execute permission.

Now, what did we do all this for?

tornew: Renews the TOR identity and shows the new IP, in just 3 seconds
torhttp: Starts and stops TOR and Polipo so we can browse using Firefox
ip-ex: Tells us the public external IP; it is also used by ip-tor and tornew
ip-tor: Tells us the IP that TOR has at that moment

Configuration of /etc/tsocks.conf

# This is the configuration for libtsocks (transparent socks)
# Lines beginning with # and blank lines are ignored
#
# This sample configuration shows the simplest (and most common) use of
# tsocks. This is a basic LAN, this machine can access anything on the
# local ethernet (192.168.0.*) but anything else has to use the SOCKS version
# 4 server on the firewall. Further details can be found in the man pages,
# tsocks(8) and tsocks.conf(5) and a more complex example is presented in
# tsocks.conf.complex.example

# We can access 192.168.0.* directly
local = 192.168.0.0/255.255.255.0

# Otherwise we use the server
server = 127.0.0.1
server_type = 5
server_port = 9050
default_user = synflag
default_pass = 123456
# Set this to your LAN's network; if your IP is 192.168.1.30, use 192.168.1.0/255.255.255.0
local = 192.168.0.0/255.255.255.0

#TSOCKS_CONF_FILE=/etc/tsocks.conf

Finally, if you want to use a console app such as irssi, elinks, lynx, links or ssh, you can use this command:

tsocks irssi
tsocks firefox
tsocks xchat
tsocks pidgin
tsocks skype

It is the equivalent of torify, except that for some reason torify does not work on RHEL; it is the same thing, though, since one calls the other.
It is not safe in any way to use ssh or anything with a password through tsocks, nor through torify or torsocks for those who use Debian; the TOR website itself says so.
You can also launch torified apps such as firefox (without configuring FoxyProxy), xchat, pidgin, skype, etc.

Well, I hope you find this useful and liked it; if you have doubts or questions, leave them here and I will answer them after moderation.
If the way I present this is not colourful and is a bit rough, well, that's how I am: I don't use colours and so on, and this is not aimed at novice users who do everything in GUI mode.
I recommend that you don't forget to use geoip, which I also wrote, to check for example where the IP that TOR gave you is from, without needing to open a browser. The link is: GEOIP


4 comments:

  1. Cool!
    It helped me, but I don't think you should look down on GUIs; they exist for a reason. Would you really like an OS that was all commands? Hahaha

    Replies
    1. I'm glad you liked it. I don't look down on GUIs at all, but at least for these things I find it easier to use a terminal that I already have open (I usually always have one open, or else opening one, such as xterm or st, takes less time than a GUI), for things like tor, etc. Greetings from Argentina!

  2. SynFlag, I found your explanation sufficiently detailed and at the same time concise. Is it possible to achieve this level of anonymity on Kali Linux? (I'm not asking whether in the same way, since it is based on Debian.)
    I'm not a very experienced user (yet), but few things interest me as much and I'm not afraid of complexity.
    I await your reply; meanwhile I'll keep searching and testing.
    From Argentina.

    Replies
    1. Of course. That is, this explains how to install tor 100% with all its functions using the terminal, regardless of the distro. The level of anonymity is given by the software; these are just instructions. I don't know Kali, though I did know BackTrack, but the level of anonymity is given by the software, not by the instructions or the distro. One thing, though: never use the Firefox that comes with TOR, that one has an NSA backdoor. Greetings from the same country!
