Forum Thread: Tor Website Hack?

Me and a few of my friends were throwing around some theories on how to hack Tor websites. Almost all of them were complete garbage, as one could assume. But we did come up with one that I believe plausible. Is it possible to upload a program to a website then get the website to execute it? What the program would do is ping a server that would record where the packets are coming from, or maybe make a TCP connection to the server much like nmap does. Would this be a viable solution to hack a Tor website or is this just a useless pursuit?

27 Responses

Foxtrot:

I like your creative thinking, but there is at least one problem with your strategy. The ping would come back through the Tor network. The Tor network encrypts the IP, that's how it maintains its anonymity. All you would get is the last hop IP address.

What if the program recorded the IP address in a text file then uploaded that onto a server? What if you put into the program a script to reset Tor and then run it before Tor has a chance to initialize?

How about not reset and just shut it down?

Because if the server admin realizes it's then he/she will likely move locations, changing the IP address and needing to start at square one. When you restart it, hopefully the admin doesn't realize it, so you have time to do whatever you want with it.

One other idea that I just came up with now: what if we make a little website page that we can load onto the onion site? You have sites that show you your IP address, so why not make a page that shows the host's IP address? Would that be possible?

Foxtrot:

I'm sorry to say, you have devolved to nonsense. If you put up the site on the onion, you would already know the IP address.

But would it not be possible? Let's say it's an image board. Upload a .PHP and then open it up as a webpage. Since it's on the server it may work, or am I speaking delusional?

What exactly are you trying to accomplish with your hack, besides finding out an IP address? If you could connect to the website in the first place, all you have to do is just do an nslookup or a dig; you wouldn't need to upload anything to find out an IP address (where packets are coming from).

I'm pretty sure you can't nslookup a Tor site or use dig. Maybe you can and I just tried wrong.

Also, I could be wrong, but in order to have a website run a program you would have to upload it into the server that hosts the site and then inject or add some kind of script to the actual website that would run it.

Yes, I'm sure you're correct. I'm not very good with SQL, I've not yet read the tutorial, but would you be able to execute the script via SQL injection?

When you say Tor site you mean an onion site.

We have one, I believe; it's just that no one's on it and it doesn't log the conversations. It's on #nullByte.

Yeah, no one's ever there though. #borefest

I usually leave it connected on my computer.

We seriously need a chat imo.

Yeah, it would be nice if someone logged the chat too so we can go back for reference.

It seems your goal would be to not only compromise a tor website but then de-anonymize the users connecting to it?

"Is it possible to upload a program to a website then get the website to execute it?" Yes, absolutely. Tor sites, just like any other website, are vulnerable to attacks that would allow you to upload and execute malicious scripts. In fact Kali has several ones to use (/usr/share/webshells/). Metasploit also has PHP and Java based payloads for web applications. Even a nice php/meterpreter payload I have used a lot.

However, like OTW stated, all the traffic coming and going to the site is routed through the Tor anonymizing network, not allowing you to see where it actually originated.

I believe getting the IP address of the server could be possible through executing a command that copies the IP address and uploads it via text file to a server such as pastebin. De-anonymizing is a different matter. If I'm correct, based on the various sites I've read on, Tor works by encrypting the website, running it through proxies, then decrypting. Then my question is, could you embed a code that executes when decrypted that copies the IP and a text file and uploads it to a server?

So your goal is to discover the IP address of the server hosting the .onion site? Not the users accessing the site? I may have misunderstood you.

Of course the ultimate goal is to completely compromise the network. That's anyone's ultimate goal. But I believe to do that you would first need to be able to compromise the majority of sites. If you compromise a majority of the sites you massively increase your testing ground.

And as I said in the other post, might it be possible to set a script that runs when the site is decrypted? If so, it can execute the code once decrypted and bam, IP address found. However, I'm not very good at coding so I don't know if this is possible.

This is getting annoying.....That would not be called "hacking".

Are you guys for real!!! omg shut up, it's about being ... anonymous online .. You're blowing it

I don't see the issue here. All we're doing is beating some tech. Thousands of people try to hack Tor or I2P. When someone beats it and doesn't tell anyone, then guess what. You're no longer anonymous. They could sell info to CSIS, NSA, anyone. Tor will not remain safe forever. If someone really wants to find a way in, they will. I just want to be one of the first to really cause some havoc. Besides, there are people I don't like on Tor. And I love fucking with people.
