Me and a few of my friends were throwing around some theories on how to hack Tor websites. Almost all of them were complete garbage, as one could assume. But we did come up with one that I believe is plausible. Is it possible to upload a program to a website, then get the website to execute it? What the program would do is ping a server that would record where the packets are coming from. Or maybe make a TCP connection to the server, much like nmap does. Would this be a viable solution to hack a Tor website, or is this just a useless pursuit?
Forum Thread: Tor Website Hack?
27 Responses
Foxtrot:
I like your creative thinking, but there is at least one problem with your strategy. The ping would come back through the Tor network. The Tor network encrypts the IP, that's how it maintains its anonymity. All you would get is the last hop IP address.
What if the program recorded the IP address in a text file then uploaded that onto a server? What if you put into the program a script to reset Tor and then run it before Tor has a chance to initialize?
How about not resetting it and just shutting it down?
Because if the server admin realizes it's then he/she will likely move locations, changing the IP address and needing to start at square one. When you restart it, hopefully the admin doesn't realize it, so you have time to do whatever you want with it.
One other idea that I just came up with now: what if we make a little website page that we can load onto the onion site? You have sites that show you your IP address, so why not make a page that shows the host's IP address? Would that be possible?
Foxtrot:
I'm sorry to say, you have devolved to nonsense. If you put up the site on the onion, you would already know the IP address.
But would it not be possible? Let's say it's an image board. Upload a .PHP and then open it up as a webpage. Since it's on the server it may work, or am I speaking delusional?
What exactly are you trying to accomplish with your hack, besides finding out an IP address? If you could connect to the website in the first place, all you have to do is just do an nslookup or a dig. You wouldn't need to upload anything to find out an IP address (where packets are coming from).
I'm pretty sure you can't nslookup a Tor site or use dig. Maybe you can and I just tried wrong.
Also, I could be wrong, but in order to have a website run a program you would have to upload it onto the server that hosts the site and then inject or add some kind of script to the actual website that would run it.
Yes, I'm sure you're correct. I'm not very good with SQL, I've not yet read the tutorial, but would you be able to execute the script via SQL injection?
When you say Tor site, you mean an onion site?
Correct.
We really need a chatroom.
We have one, I believe. It's just that no one's on it and it doesn't log the conversations. It's on #nullByte.
Yeah, no one's ever there though. #borefest
I usually leave it connected on my computer.
We seriously need a chat, imo.
Yeah, it would be nice if someone logged the chat too so we can go back for reference.
It seems your goal would be to not only compromise a tor website but then de-anonymize the users connecting to it?
"Is it possible to upload a program to a website then get the website to execute it?" Yes, absolutely. Tor sites, just like any other website, are vulnerable to attacks that would allow you to upload and execute malicious scripts. In fact, Kali has several ones to use (/usr/share/webshells/). Metasploit also has php and java based payloads for web applications. Even a nice php/meterpreter payload I have used a lot.
However like OTW stated all the traffic coming and going to the site is routed through the tor anonymizing network. Not allowing you to see where it actually originated.
I believe getting the IP address of the server could be possible through executing a command that copies the IP address and uploads it via text file to a server such as pastebin. De-anonymizing is a different matter. If I'm correct, based on the various sites I've read on, Tor works by encrypting the website, running it through proxies, then decrypting. Then my question is: could you embed a code that executes when decrypted that copies the IP and a text file and uploads it to a server?
So your goal is to discover the IP address of the server hosting the .onion site? Not the users accessing the site? I may have misunderstood you.
Of course the ultimate goal is to completely compromise the network. That's anyone's ultimate goal. But I believe to do that you would first need to be able to compromise the majority of sites. If you compromise a majority of the sites you massively increase your testing ground.
And as I said in the other post, might it be possible to set a script that runs when the site is decrypted? If so, it can execute the code once decrypted and bam, IP address found. However, I'm not very good at coding so I don't know if this is possible.
This is getting annoying.....That would not be called "hacking".
Why not?
Are you guys for real!!! OMG shut up, it's about being... anonymous online... You're blowing it.
I don't see the issue here. All we're doing is beating some tech. Thousands of people try to hack Tor or I2P. When someone beats it and doesn't tell anyone, then guess what. You're no longer anonymous. They could sell info to CSIS, NSA, anyone. Tor will not remain safe forever. If someone really wants to find a way in, they will. I just want to be one of the first to really cause some havoc. Besides, there are people I don't like on Tor. And I love fucking with people.