If you haven’t yet read about my previous research regarding finding bad exit nodes in the Tor network you can read it here . But the tl;dr is that I sent unique passwords through every exit node in the Tor network over HTTP. This meant that is was possible for the exit node to sniff the credentials and use them to login on my fake website which I had control over.
This article is an update how my methods have changed and how I work towards making the Tor network more safe and trustworthy for everyone.
Note: The methods I’m using is nothing I morally stand for. The research content that I’m sending through Tor is only supposed to be sent from and to me. The images provided in this article is not what I’ve been using and is only used as an example to show how it may look like.
Note 2: Huge thanks to canarytokens.org for developing and offering a public service with similar function as described in this article. Worth to mention is that I’ve been testing their methods to detect passive sniffing in the Tor-network but only on a small scale. Also worth to mention is that I’ve been writing about these methods a while ago.
The new methods
The key to developing new methods for detecting sniffing exit nodes, is that the data must be readable and this data must also be reuseable.
But to make it really good you need to have something the exit node wants. This could be credentials, secrets or just interesting looking links. Because from the sniffers perspective you will use the most interesting parts of a complete PCAP so keywords such as "username", "password", "email" and "login" should be used.
The way I’ve been using these methods is simple – I just try to imitate a Tor-user and try to look as "normal" as possible to the exit node.
This method has three detection points. The first and the most unique preference about this method is that if you open the PDF you will navigate to a URL that you specified. So if someone actually opens our PDF we will get notified about this because every PDF has its unique URL and each PDF is linked to every exit node in the Tor-network.
I host all the generated PDF’s on my phishing website with names like passwords_adriana_jan_7_2016.pdf in the path /personal – but all the names are unique so I know which PDF that was sent through which exit node. Like this:
passwords_julia_2.pdf ➝ BC630CBBB518BE7E9F4E09712AB0269E9DC7D626 passwords_anna_07.pdf ➝ 3711E80B5B04494C971FB0459D4209AB7F2EA799 [...]
The second detection point is that we are still hosting all the PDF’s on our phishing site so if a PDF has been downloaded more than once, we will know which node that sniffs traffic.
The third and last detection point is the content in the PDF. The PDF has some unique information that can be used by the sniffer. In my case I had the username and password to a well-known site that saves logins (spoiler: it’s imgur.com). So if the sniffer uses the username and password to login we will see this either via the list that shows all the login history (can’t be removed) or if the password has been changed.
Note : Opening of links only works in some PDF-readers such as Adobe Acrobat and the built-in PDF-reader that ships with Chrome so if our sniffer does not use these PDF-readers they will not automatically navigate to our unique URL.
You can try out an example here: https://s.chloe.re/test.pdf
Posting links via PM/DM on dating sites
This method is really sophisticated because it looks real to the sniffer and it uses real websites that is most likely already trusted or known by the sniffer. Also, the data that is sent through the exit node contains no credentials but rather data that is secret and only meant to be shared between two people (and is based upon that).
The method is pretty straightforward. You send a message between two users that you’ve created on dating and porn websites such as Pornhub, Redtube and XNXX. Because none of these websites offer HTTPS (which is stupid!) we can POST data that can be read by a potential sniffer.
As you can see in the above screenshot I sent a personal message to my other user on Pornhub containing a link to a well-known image host website – in this case Imgur.com.
The key is to use an image host that has statistics on how many views an album or picture get. Imgur is one example but there are more websites that store precise statistics about how many hits an image has gotten. I’m using a total of 4 different websites to keep track how many views my images that go though each exit node gets.
The way I use this method is by generating unique images that I later upload to a public image host. Then I use each [unique] link in private messages on dating and porn websites including a static message to make the sniffer wanting to press the link. I then later check if any of my links has gotten any clicks, and if that’s the case I will know that the exit node is sniffing traffic because each link is linked to each exit node.
onetimesecret, goo.gl, bit.ly
This method is much like the above because it uses services that are well-known so they don’t look too suspicious to the sniffer. Websites such as onetimesecret.com , goo.gl and bit.ly provide an easy way to see if your link has been clicked. For the link shorteners (goo.gl and bit.ly) you just append a "+" after the URL to see the statistic:
Onetimesecret.com will be removed as soon as it has been read. So if any of my links has been read I will know which exit node it was.
Then I just use these links in different ways
Onetimesecret.com has an API so I can easily create "secrets" but goo.gl and bit.ly has no API so I had to code something that created over 1100 links for each exit node. So that was kinda painful…
Summary and final words
So this was a short explanation of some new methods that I’m currently using to detect sniffing in the Tor-network. I will not share the results publicly, but maybe at a later time when I have more studied telemetry.
The one thing I can share is that a few (10-15) persistent exit nodes has an IDS/IPS installed which triggers my "traps". I’vewritten about these before. I think this is worth to mention once again because data collected by IDS/IPS:es can be shared with third parties.
I am planning to release all or some of the code that I’ve written. The last code that I wrote for BADONIONS have been released to those who asked for it. In fact, I’ve been cooperating with students from different universities with their research regarding the privacy in the Tor-network.
If you feel that I could be to any help with your research, please don’t hesitate to contact me via
If you want to contact me regarding anything else you can find my different account on my personal website; https://chloe.website