PAS-28: Detect likely Tor Handshakes

Issue Information

Issue Type: New Feature
Priority: Major
Status: Open

Reported By:
Ben Tasker
Assigned To:
Ben Tasker
Project: PCAP Analysis Script (PAS)
Resolution: Unresolved
Affects Version: 0.1
Target version: 0.1
Components: SSL/TLS

Created: 2016-02-03 14:23:01
Time Spent Working
90 minutes
90 minutes
0 minutes

PAS-26 implemented a list of unresolvable FQDNs extracted from SSL communications.

A natural extension to that would be to look for likely connections to a Tor entry node (or a bridge).

Assuming obfsproxy etc. aren't in use, the following should be true for any entry connection:

- SNI name will be present, start with www. but be unresolvable (and random-looking, but not sure we can test for that)
- Node will return a certificate with a Common Name following the same rules as above, but it will not match the name used in SNI
- Certificate issuer, again, will follow the rules above but won't match either the SNI or the CN

Meeting all those requirements means it's probably a connection to Tor, so the destination IP should be checked against a list of known Tor nodes for confirmation (haven't decided yet whether to have the script do that itself).

For all unresolvable domains, we'll need to walk ssltraffic on a per-connection basis (because if the IPs change, that's interesting to note too) and match against the ruleset above.
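A worked version of the three-rule check and the per-connection walk described above, as an added example rather than PAS's own code. It assumes each TLS connection has already been reduced to source/destination IP, the ClientHello SNI, and the server certificate's subject CN and issuer CN (the `TlsConnection` fields are the example's own naming). Name resolution goes through an injectable resolver so the example runs offline against a constructed DNS table; the sample connections and the known-node list are constructed too. The "random-looking" property is, as the ticket notes, not tested.

```python
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class TlsConnection:
    """One TLS handshake reduced to the fields the ticket's rules inspect (example naming)."""
    src_ip: str
    dst_ip: str
    sni: Optional[str]        # server_name extension from the ClientHello, if any
    cert_cn: Optional[str]    # subject Common Name of the server certificate
    issuer_cn: Optional[str]  # issuer Common Name of the server certificate


# Constructed stand-in for DNS so the example runs offline: names listed here
# resolve, anything else is treated as NXDOMAIN.
CONSTRUCTED_DNS = {"www.example.com": "192.0.2.10"}

Resolver = Callable[[str], bool]


def offline_resolver(name: str) -> bool:
    return name in CONSTRUCTED_DNS


def live_resolver(name: str) -> bool:
    """Real lookup for use on actual captures (not called in this example)."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def looks_like_tor_name(name: Optional[str], resolves: Resolver) -> bool:
    """Rule shared by SNI, CN and issuer: present, starts with 'www.', unresolvable."""
    return bool(name) and name.startswith("www.") and not resolves(name)


def is_likely_tor_handshake(conn: TlsConnection, resolves: Resolver) -> bool:
    # Rule 1: SNI present, www.-prefixed, unresolvable.
    if not looks_like_tor_name(conn.sni, resolves):
        return False
    # Rule 2: CN follows the same rule but must differ from the SNI.
    if not looks_like_tor_name(conn.cert_cn, resolves) or conn.cert_cn == conn.sni:
        return False
    # Rule 3: issuer follows the same rule and must differ from both SNI and CN.
    if (not looks_like_tor_name(conn.issuer_cn, resolves)
            or conn.issuer_cn in (conn.sni, conn.cert_cn)):
        return False
    return True


def analyse(connections: List[TlsConnection], known_tor_nodes: Set[str],
            resolves: Resolver = offline_resolver
            ) -> Tuple[List[Tuple[TlsConnection, bool]], Dict[str, Set[str]]]:
    """Walk connections one at a time.

    Returns (findings, sni_to_ips): findings is a list of (connection, confirmed)
    where confirmed means the destination IP is on the known-node list;
    sni_to_ips records every destination IP seen per suspicious SNI, so a
    change of IP for the same name is visible to the caller.
    """
    findings: List[Tuple[TlsConnection, bool]] = []
    sni_to_ips: Dict[str, Set[str]] = {}
    for conn in connections:
        if not is_likely_tor_handshake(conn, resolves):
            continue
        findings.append((conn, conn.dst_ip in known_tor_nodes))
        sni_to_ips.setdefault(conn.sni, set()).add(conn.dst_ip)
    return findings, sni_to_ips


# Constructed sample data: names are made up, addresses are from RFC 5737 ranges.
SAMPLE_CONNECTIONS = [
    # all three rules met, destination on the known-node list
    TlsConnection("10.0.0.5", "198.51.100.10", "www.kq3z8hfy2.com", "www.p9vmt4xc.net", "www.b7hw2lqa.com"),
    # ordinary site: SNI resolves, so rule 1 fails
    TlsConnection("10.0.0.5", "192.0.2.10", "www.example.com", "www.example.com", "Constructed Root CA"),
    # self-signed-looking cert whose CN equals the SNI, so rule 2 fails
    TlsConnection("10.0.0.5", "203.0.113.7", "www.zz9qa1.org", "www.zz9qa1.org", "www.m2nn4f.com"),
    # same SNI as the first connection but a different destination IP, not on the list
    TlsConnection("10.0.0.5", "203.0.113.42", "www.kq3z8hfy2.com", "www.r4dc0yq.net", "www.u6jx1pl.org"),
]
KNOWN_TOR_NODES = {"198.51.100.10"}  # constructed placeholder for a real node list

if __name__ == "__main__":
    findings, ips = analyse(SAMPLE_CONNECTIONS, KNOWN_TOR_NODES)
    for conn, confirmed in findings:
        print(f"{conn.src_ip} -> {conn.dst_ip} sni={conn.sni} "
              f"{'confirmed' if confirmed else 'unconfirmed'} Tor node")
    for sni, seen in ips.items():
        if len(seen) > 1:
            print(f"note: {sni} seen against multiple IPs: {sorted(seen)}")
```

On a real capture, pass `resolves=live_resolver` and a current node list in place of the constructed ones; the resolver is injected precisely so the rule logic can be tested without touching DNS.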

