3 Nov 2016

Building a TOR-ified virtual router for fun and profit (and testing)


A while back I read a blog post by Sev (https://www.alienvault.com/blogs/security-essentials/building-a-home-lab-to-become-a-malware-hunter-a-beginners-guide) and thought I’d give setting up a test environment a shot.

There was a link in the article which, at the time, didn’t work, so I thought I’d do some hunting and see if I could put something together myself that would do the job.

I’ve had VirtualBox installed since forever; it’s just really handy for trying out other operating systems (I’m a bit of a tourist) or trying out a piece of software without fouling up your host OS. If you haven’t got it, a simple

sudo apt-get install virtualbox

will do the trick.

Next, I grabbed the Debian netinst ISO; the stable branch will do. This box is going to do a very minimal job, so a minimal ISO is all it needs.

Setting up the VirtualBox components

While Debian downloads, there’s a couple of bits and pieces that need to be done in VirtualBox.

Firstly, make a new machine. The wizard guides you through the process, and since this virtual router isn’t going to do a lot we can get away with making it as slim as possible. I went overboard with mine, giving it 8GB of storage and a whopping 2GB of memory; in reality this box will need much less.

After the machine is created, let’s take a look at the settings. Everything we need to change is under network.

I set my adapter 1 to be a bridged adapter, attached to my wireless network adapter on the host. This gets it its own IP address from my home router; inside the guest this adapter becomes eth0.

Enable a second adapter, and attach it to Internal Network. This becomes eth1, the side our test machines will sit on.

We now have a machine ready to rock n roll as our router.

Attach the Debian ISO to the VM, and boot. Go through the usual rigmarole of installing a Debian system, there’s not a lot to do in here- we don’t want a desktop environment or any other funny business, we can leave the file system unencrypted, and the partitioning is simple.

Once you’re up and running, we will need a few packages- let’s su, since it’s easier to do this stuff as root.

apt-get update
apt-get install vim isc-dhcp-server tor

Yeah I got vim. I like vim.

Now we have some editing to do.

First things first, we need to sort out what our network interfaces are doing.

vim /etc/network/interfaces

You should have a couple of entries here already, for lo and eth0 (the bridged adapter). On newer Debian releases the two adapters typically show up as enp0s3 and enp0s8 instead; use whatever names ip link reports and substitute them throughout. We want to add a second entry for the interface doing the grunt work on our internal network.

# Second NIC, facing the VirtualBox internal network
allow-hotplug eth1
iface eth1 inet static
address 10.0.0.2
netmask 255.255.255.0
network 10.0.0.0
broadcast 10.0.0.255

Note that there is no gateway line for eth1. The router's own default route comes from the DHCP lease on eth0, and a second gateway on eth1 would either fail to install or fight with it. The address 10.0.0.2 is the one to remember for what follows: it is what the guests on the internal network will be told to use as their router and, later, the address Tor listens on.

Next, let’s take a look at DHCP. DHCP is remarkably simple to get up and running.

vim /etc/dhcp/dhcpd.conf

You should be able to find the lines we need to edit already in the conf file as comments, so we can just edit those. Alternatively, just add the lines to the end of the file.

option domain-name "test.local";
option domain-name-servers 8.8.8.8, 8.8.4.4;

default-lease-time 600;
max-lease-time 7200;

authoritative;

log-facility local7;

subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.50 10.0.0.100;
  option routers 10.0.0.2;
}

Save this file. The name servers handed out here stop mattering once Tor is in the picture, because the firewall rules added later intercept the guests' DNS whichever resolver they were given. Before starting the server, check the syntax with

dhcpd -t -cf /etc/dhcp/dhcpd.conf

and then start it

service isc-dhcp-server start

On Debian the service also reads /etc/default/isc-dhcp-server; setting INTERFACES="eth1" there (INTERFACESv4 on newer releases) keeps it from trying to serve leases on the bridged side as well.

That’s it. That’s literally all there is to it. If we attach a second guest to the internal network, it will now get its IP address from this Debian machine.

The next step is to get some routing happening. Getting virtual machines to take their IP from our Debian box is no good if they can’t do anything with it. This can all be done with iptables, the Linux workhorse firewall.

Let’s drop in a few basic rules, straight on the command line:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

The MASQUERADE rule rewrites the source address of anything leaving eth0 to the router's own, so the home network only ever sees one machine. Note that the default FORWARD policy is ACCEPT, so the two FORWARD rules only start restricting anything once that policy is changed to DROP (iptables -P FORWARD DROP); as written they document intent more than enforce it.

After dropping these rules in, we can save the firewall rules to a file:

iptables-save > /etc/iptables.rules

And add a line to our interfaces file to restore these rules each time we power up or restart networking. The line belongs inside the eth0 stanza, directly after its iface line, and the keyword is lower case:

pre-up iptables-restore < /etc/iptables.rules

And last, but certainly not least, we need to make one more fairly important change. By default, the kernel doesn’t forward packets between interfaces; we can turn that on by editing a file:

vim /etc/sysctl.conf

The line we’re looking for is

net.ipv4.ip_forward=1

You can add this to the bottom of the file; it was already in mine, but commented out. To apply it without rebooting, run sysctl -p (or sysctl -w net.ipv4.ip_forward=1). Our Debian machine is now ready to serve internet to the masses. Give the machine a reboot, which also exercises the pre-up line, and any attached guests should now have full access to the internet through this machine.

Our last step is setting up Tor, which again is ridiculously easy for such a powerful tool. Let’s have a look at the guts of Tor:

vim /etc/tor/torrc

Add in the following lines:

Log notice file /var/log/tor/notices.log
VirtualAddrNetworkIPv4 172.16.0.0/12
AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1
TransPort 10.0.0.2:9040
DNSPort 10.0.0.2:53

TransPort and DNSPort take the listen address and port together; the older separate TransListenAddress and DNSListenAddress options are deprecated in current Tor, and the old spelling VirtualAddrNetwork is still accepted as an alias. Binding both ports to 10.0.0.2 rather than 0.0.0.0 keeps the transparent proxy off the bridged side, so nothing on the home network can use this box as an open Tor gateway. DNSPort only speaks UDP; DNS over TCP from a guest is caught by the TransPort rule below and carried through Tor as an ordinary stream.

Save and exit, then add a couple more firewall rules for these new ports:

iptables -t nat -A PREROUTING -i eth1 -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -i eth1 -p tcp --syn -j REDIRECT --to-ports 9040

REDIRECT delivers matching packets to the router's own address on the incoming interface, 10.0.0.2, which is where Tor is listening. Only two things are caught, though: UDP to port 53 and new TCP connections. Anything else a guest sends (ICMP, NTP, QUIC or any other UDP) still matches the FORWARD accept and MASQUERADE rules from earlier and leaves eth0 with your real address. If the point is that guests cannot reach the internet except through Tor, finish by removing the plain-routing path, which a Tor-only router no longer needs:

iptables -F FORWARD
iptables -P FORWARD DROP
iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

And let’s back that up again

iptables-save > /etc/iptables.rules
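The routing rules and the Tor redirect rules above are the two halves of one firewall, so here they are together as a script. This is an added example, not code from the original post: it emits a complete Tor-only ruleset in iptables-restore format (FORWARD policy DROP, no MASQUERADE, INPUT restricted to DHCP, ping and the two Tor ports) and includes an audit that reads an iptables-save dump and reports any path that bypasses Tor. It assumes the post's layout (eth0 upstream, eth1 internal, Tor on 10.0.0.2 with TransPort 9040 and DNSPort 53); the ssh rule and the environment-variable overrides are this example's additions, and the post's original rules are reconstructed inline so the audit can run offline.

```shell
#!/bin/sh
# Added example, not code from the original post.  Builds a Tor-only ruleset
# for the router described above and audits an iptables-save dump for paths
# that bypass Tor.  Assumes the post's layout: eth0 is the bridged/upstream
# side, eth1 the VirtualBox internal network, Tor listens on 10.0.0.2
# (TransPort 9040, DNSPort 53).  Override via environment if yours differ.
EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
INT_ADDR=${INT_ADDR:-10.0.0.2}
TRANS_PORT=${TRANS_PORT:-9040}
DNS_PORT=${DNS_PORT:-53}

# Print a complete ruleset in iptables-restore format.  Unlike the post's
# rules there is no MASQUERADE and FORWARD is DROP, so whatever the nat
# REDIRECTs do not catch (ICMP, non-DNS UDP) is dropped, not forwarded.
tor_router_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Guest DNS (UDP only; Tor's DNSPort does not speak TCP) goes to Tor's resolver
-A PREROUTING -i $INT_IF -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
# Every new TCP connection from a guest, DNS over TCP included, goes to TransPort
-A PREROUTING -i $INT_IF -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# The router's own DHCP lease on the upstream side
-A INPUT -i $EXT_IF -p udp --sport 67 --dport 68 -j ACCEPT
# What guests may reach on the router: DHCP, ping, and the two Tor ports
# (after REDIRECT the destination is already $INT_ADDR)
-A INPUT -i $INT_IF -p udp --dport 67 -j ACCEPT
-A INPUT -i $INT_IF -p icmp -j ACCEPT
-A INPUT -i $INT_IF -d $INT_ADDR -p udp --dport $DNS_PORT -j ACCEPT
-A INPUT -i $INT_IF -d $INT_ADDR -p tcp --dport $TRANS_PORT -j ACCEPT
# Management from the home network (hypothetical; drop if sshd is not installed)
-A INPUT -i $EXT_IF -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# The post's own rules as iptables-save writes them (constructed from the post
# so the audit can run offline; note --syn is saved as --tcp-flags).
post_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
EOF
}

leak() { echo "LEAK: $1"; findings=$((findings + 1)); }

# Audit an iptables-save dump (path as first argument).  Prints one LEAK line
# per finding and returns 0 only if the dump looks Tor-only.
audit_tor_router() {
    findings=0
    grep -q "^:FORWARD ACCEPT" "$1" && \
        leak "FORWARD policy is ACCEPT, so guests can route around Tor"
    grep -Eq "^-A FORWARD -i $INT_IF .*-j ACCEPT" "$1" && \
        leak "FORWARD accepts traffic from $INT_IF; non-TCP, non-DNS traffic is forwarded in the clear"
    grep -q "^-A POSTROUTING -o $EXT_IF -j MASQUERADE" "$1" && \
        leak "MASQUERADE on $EXT_IF sends forwarded packets out with the host's real address"
    grep -Eq "^-A PREROUTING -i $INT_IF -p udp .*--dport 53 -j REDIRECT" "$1" || \
        leak "no REDIRECT of UDP 53 to Tor's DNSPort; guest DNS goes straight out"
    grep -Eq "^-A PREROUTING -i $INT_IF -p tcp .*(--syn|--tcp-flags FIN,SYN,RST,ACK SYN) -j REDIRECT" "$1" || \
        leak "no REDIRECT of new TCP connections to Tor's TransPort"
    [ "$findings" -eq 0 ]
}

# Usage (as root):  sh tor-router-rules.sh apply
# Writes the Tor-only ruleset to /etc/iptables.rules, loads it, then audits it.
if [ "${1:-}" = "apply" ]; then
    tor_router_rules > /etc/iptables.rules
    iptables-restore < /etc/iptables.rules
    audit_tor_router /etc/iptables.rules
fi
```

Run the audit against your own box with iptables-save > /tmp/now.rules and then audit it: the post's rules as written produce three findings (FORWARD policy, FORWARD accept from eth1, MASQUERADE), which are exactly the paths that would carry a guest's ICMP or non-DNS UDP straight out with your real address. The generated ruleset drops into the same pre-up iptables-restore line the post already uses.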

We’ll need to make sure the logfiles are ready to go for tor when it starts, so

touch /var/log/tor/notices.log

And make sure the debian-tor user can use it

chown debian-tor /var/log/tor/notices.log

And set the correct permissions of course

chmod 644 /var/log/tor/notices.log

And now we can set Tor to start at boot (on a systemd release, systemctl enable tor does the same job):

update-rc.d tor enable

Now, after a restart, if we connect to the internet from one of our guests attached to the internal network, the traffic will all route through our Debian box and out over the Tor network. We can test this by opening a browser in a guest and navigating to https://check.torproject.org. That page only proves the browser's TCP sessions went through Tor; to see whether DNS is covered too, install tcpdump on the router and watch the bridged side while a guest resolves a name:

tcpdump -ni eth0 udp port 53

If the redirect is working, nothing shows up there, because Tor answers the guest's queries over its own circuits rather than sending them out in the clear.

Magic!

THINGS I DIDN'T TEST (and probably should have)

1. Whether DNS was actually going through TOR
2. How hardened my iptables rules were- they are pretty basic 

Next steps in the project will involve setting up packet captures and some traffic analysis tools- and maybe trialling this project here http://www.inetsim.org