Nmap Development mailing list archives
Service probe for Tor ORPort
From: David Fifield <david () bamsoftware com>
Date: Mon, 12 Jan 2015 22:10:52 -0800
Here's a version probe for the Tor protocol. Tor is tunneled inside of TLS, so the probe relies on service detection's automatic tunnel detection. This signature is for the ORPort, the port that accepts client connections and connections from other relays. Here's how it looks:

PORT     STATE SERVICE        VERSION
9001/tcp open  ssl/tor-orport Tor 0.2.4.11 or later (supported protocol versions: 3, 4)

Tor can run on any port, but it most commonly appears on ports 9001, 443, and 9002. You can derive the ports from this JSON document:

https://onionoo.torproject.org/details?type=relay&fields=or_addresses

Parse it with this Python program:

import json

counts = {}
# details.json is the Onionoo document from the URL above, saved locally.
with open("details.json") as f:
    details = json.load(f)
for relay in details["relays"]:
    for addr in relay["or_addresses"]:
        # Entries look like "1.2.3.4:9001" or "[2001:db8::1]:9001";
        # rsplit on the last colon handles both forms.
        port = int(addr.rsplit(":", 1)[1])
        counts.setdefault(port, 0)
        counts[port] += 1
# Most common ports first.
for port, count in sorted(counts.items(), key=lambda x: x[1], reverse=True):
    print("%5d %5d" % (port, count))

The output gives the most commonly seen ports:

 9001  4553
  443  3379
 9002   109
 8080    90
   80    84

Therefore I set "sslports 443,9001,9002".

David Fifield

##############################NEXT PROBE##############################
# VERSIONS cell indicating support for protocol versions 3, 4, 5, and 6.
# https://gitweb.torproject.org/torspec.git/tree/tor-spec.txt (see sections 3 and 4.1)
# Structure is:
#   CircID                          2 bytes
#   Command (7)                     1 byte
#   Length                          2 bytes
#   array of 2-byte version numbers
# We can't detect protocol versions 1 and 2, because those require you to
# do the SSL handshake in a particular way (version 1 requires you to use
# specific ciphersuites and send a client certificate ("the v1 handshake")
# and version 2 requires a renegotiation after the initial handshake ("the
# v2 handshake")).
# Versions 5 and 6 don't exist as of 2015, but send them in the hope of
# catching future changes.
Probe TCP tor-versions q|\x00\x00\x07\x00\x08\x00\x03\x00\x04\x00\x05\x00\x06|
rarity 8
sslports 443,9001,9002

# Since 0.2.4.11-alpha - 2013-03-11.
# https://gitweb.torproject.org/tor.git/tree/ChangeLog: "Support a new version
# of the link protocol that allows 4-byte circuit IDs."
# https://trac.torproject.org/projects/tor/ticket/7351
# https://gitweb.torproject.org/torspec.git/tree/proposals/214-longer-circids.txt
match tor-orport m|^\x00\x00\x07\x00\x04\x00\x03\x00\x04| p/Tor/ v/0.2.4.11 or later/ i/supported protocol versions: 3, 4/

# 0.2.3.6-alpha - 2011-10-26
# https://gitweb.torproject.org/tor.git/tree/ChangeLog: "This release also
# features support for a new v3 connection handshake protocol..."
#
# Also matches this independent JavaScript implementation: https://github.com/Ayms/node-Tor
match tor-orport m|^\x00\x00\x07\x00\x02\x00\x03| p/Tor/ v/0.2.3.7 - 0.2.4.11/ i/supported protocol versions: 3/

# An independent implementation that "only returns the highest
# understood version matching what the server supports, instead of a
# list of all supported versions."
# https://lists.torproject.org/pipermail/tor-dev/2015-January/008135.html
match tor-orport m|^\x00\x00\x07\x00\x02\x00\x04| p/Tor/ i/supported protocol versions: 4/

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
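The VERSIONS exchange above, as an added example that is not part of the post and not Nmap's or Tor's code. It builds the same cell the tor-versions probe sends, parses a reply using the CircID/Command/Length layout from the comments, and applies the same three decisions as the match lines; it also shows the case the match lines leave unmatched (a valid VERSIONS cell listing versions other than exactly [3, 4], [3] or [4]) and the highest-common-version choice tor-spec makes after the exchange. The sample replies are constructed here, not captured from relays. The probe_relay() helper, which opens a TLS connection to a host and port you supply and disables certificate checks because relay certificates are self-signed, is my assumption about how to drive this by hand; nothing else is assumed beyond the page.

```python
import socket
import ssl
import struct

VERSIONS_CMD = 7                  # tor-spec.txt section 4.1
CIRCID_LEN = 2                    # VERSIONS cells always carry a 2-byte CircID
HEADER_LEN = CIRCID_LEN + 1 + 2   # CircID, Command, Length
PROBE_VERSIONS = [3, 4, 5, 6]     # what the tor-versions probe advertises


def build_versions_cell(versions):
    """CircID(2)=0, Command(1)=7, Length(2), then one 2-byte field per version."""
    body = b"".join(struct.pack(">H", v) for v in versions)
    return struct.pack(">HBH", 0, VERSIONS_CMD, len(body)) + body


def parse_versions_cell(data):
    """Return the version list from a VERSIONS cell, or None if data is not one.

    Requires command 7, an even Length, and a payload that is actually present;
    anything after the first cell (CERTS, AUTH_CHALLENGE, ...) is ignored.
    """
    if len(data) < HEADER_LEN:
        return None
    _circid, cmd, length = struct.unpack(">HBH", data[:HEADER_LEN])
    if cmd != VERSIONS_CMD or length % 2 != 0:
        return None
    payload = data[HEADER_LEN:HEADER_LEN + length]
    if len(payload) != length:
        return None  # truncated reply: do not guess at the missing versions
    return [struct.unpack(">H", payload[i:i + 2])[0] for i in range(0, length, 2)]


def classify(data):
    """Same decisions as the three 'match tor-orport' lines, in the same order.

    Returns (product, version, info); version is None where the match line has
    no v/ field. A valid VERSIONS cell that none of the match lines covers is
    reported with the raw version list so it is not silently dropped.
    """
    versions = parse_versions_cell(data)
    if versions is None:
        return None
    if versions == [3, 4]:   # m|^\x00\x00\x07\x00\x04\x00\x03\x00\x04|
        return ("Tor", "0.2.4.11 or later", "supported protocol versions: 3, 4")
    if versions == [3]:      # m|^\x00\x00\x07\x00\x02\x00\x03|
        return ("Tor", "0.2.3.7 - 0.2.4.11", "supported protocol versions: 3")
    if versions == [4]:      # m|^\x00\x00\x07\x00\x02\x00\x04|
        return ("Tor", None, "supported protocol versions: 4")
    return ("Tor", None, "supported protocol versions: " + ", ".join(map(str, versions)))


def nmap_version_string(result):
    """Render a classify() result the way the VERSION column in the post reads."""
    product, version, info = result
    text = product if version is None else "%s %s" % (product, version)
    return "%s (%s)" % (text, info) if info else text


def negotiate(ours, theirs):
    """Link protocol version both sides will use: the highest in common, or None."""
    common = set(ours) & set(theirs)
    return max(common) if common else None


def _recv_first_cell(tls):
    """Read exactly one VERSIONS cell (header plus Length bytes) from the socket."""
    data = b""
    while True:
        need = HEADER_LEN
        if len(data) >= HEADER_LEN:
            if data[2] != VERSIONS_CMD:
                return data  # not a VERSIONS cell; let classify() reject it
            need = HEADER_LEN + struct.unpack(">H", data[3:5])[0]
        if len(data) >= need:
            return data[:need]
        chunk = tls.recv(4096)
        if not chunk:
            return data
        data += chunk


def probe_relay(host, port, timeout=10):
    """Assumed manual driver: TLS-connect to an ORPort, send the probe, classify the reply."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # relay certificates are self-signed
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw) as tls:
            tls.sendall(build_versions_cell(PROBE_VERSIONS))
            return classify(_recv_first_cell(tls))


# Constructed replies (not captured traffic), one per match line plus the edge cases.
REPLY_3_4 = b"\x00\x00\x07\x00\x04\x00\x03\x00\x04"
REPLY_3 = b"\x00\x00\x07\x00\x02\x00\x03"
REPLY_4 = b"\x00\x00\x07\x00\x02\x00\x04"
REPLY_3_4_5 = b"\x00\x00\x07\x00\x06\x00\x03\x00\x04\x00\x05"   # no match line fits
REPLY_TRUNCATED = b"\x00\x00\x07\x00\x04\x00\x03"                # Length says 4, got 2
REPLY_NOT_TOR = b"HTTP/1.1 400 Bad Request\r\n"

if __name__ == "__main__":
    for reply in (REPLY_3_4, REPLY_3, REPLY_4, REPLY_3_4_5, REPLY_TRUNCATED, REPLY_NOT_TOR):
        result = classify(reply)
        print(repr(reply), "->", nmap_version_string(result) if result else "no match")
```

Run it stand-alone to see the six constructed replies classified; call probe_relay("relay.example", 9001) against a relay you are allowed to scan to see the same logic on a live ORPort. Note that a relay may send VERSIONS, CERTS and AUTH_CHALLENGE in one TCP segment; the reader stops after Length bytes so only the first cell is inspected, which is also all the match regexes look at.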
Current thread:
- Service probe for Tor ORPort David Fifield (Jan 12)
- Re: Service probe for Tor ORPort Fyodor (Jan 13)