BitTorrent Protocols Analysis

The “BitTorrent Protocol” is, in fact, a set of protocols, used in different stages, such as torrent discovery, peer discovery, download, seeding, and so on.

The diagram accompanying the original post (not reproduced here) shows the different protocols in action.

Let’s take a closer look at them.

  • HTTP Tracker Protocol
    • This is the oldest (and original) Tracker Protocol
    • Typically, it consists of an HTTP GET request for a given torrent/swarm with the following arguments, announcing the peer’s interest in the swarm and querying the tracker for more interested peers
      • info_hash: 20-byte SHA-1 hash of the bencoded form of the info value from the metainfo file
      • peer_id: string of length 20 which the downloader uses as its id
      • example
        • GET /announce?peer_id=aaaaaaaaaaaaaaaaaaaa&info_hash=aaaaaaaaaaaaaaaaaaaa&port=6881&left=0&downloaded=100&uploaded=0&compact=1
    • The HTTP response will usually contain a list of peers in the requested swarm
      • Each peer entry in the list contains:
        • peer id
        • ip
        • port
    • URLs for this protocol take the form: http://tracker:port/announce?peer_id=X1&info_hash=X2&port=X3&left=X4&downloaded=100&uploaded=0&compact=1
  • UDP Tracker Protocol
    • it is similar to the HTTP Tracker Protocol, but it is a binary protocol and it is UDP-based
    • it is usually lighter and faster than the HTTP version
    • URLs for this protocol take the form: udp://tracker:port
  • Local Peer Discovery
    • this protocol introduces a mechanism to announce the presence of a swarm to potential peers in the same LAN, using “http over udp-multicast”
    • a peer can broadcast its swarms to these multicast groups:
      • A) 239.192.152.143:6771 (org-local)
      • B) [ff15::efc0:988f]:6771 (site-local)
    • An announce broadcast message looks like the following:
      • BT-SEARCH * HTTP/1.1
        Host: <host>
        Port: <port>
        Infohash: <ihash>
        cookie: <cookie (optional)>
    • Usually, a peer broadcasts these messages every 5 minutes
  • DHT Protocol – “Distributed sloppy hash table”
    • The purpose of this protocol is similar to the previous ones: to find peers interested in a given swarm/torrent, but with an interesting twist:
      • it is implemented inside each Downloader, so that no trackers are needed
      • therefore, torrents announced in the DHT are potentially easier to find, albeit kind of “more public”, because their public “visibility” is not restricted to a particular set of trackers
    • Node
      • in the BitTorrent terminology, a Node is an entity that implements the DHT protocol
      • typically, a Downloader contains a DHT Node that implements the DHT protocol, cooperating with the other Nodes
      • each node is assigned a globally unique identifier, the “node id”
    • The protocol is based on Kademlia (A Peer-to-peer DHT algorithm Based on the XOR Metric)
    • DHT Queries
      • ping
        • to keep the connection alive between two nodes
      • find_node
        • “id” containing the node ID of the querying node
        • “target” containing the ID of the node sought
        • this query can be useful for torrents that specify specific nodes instead of trackers
      • get_peers
        • get peers associated with a torrent infohash
        • if the queried node knows some peers with the infohash, they are returned
        • otherwise, the node returns a list of nodes that are “closer” to the queried infohash
          • in this case, the querying node should continue by querying these nodes
      • announce_peer
        • Announce that the peer controlling the querying node is interested in the torrent with the given infohash
  • BitTorrent Protocol (a.k.a. Peer Protocol)
    • as the name implies, this is the most important BitTorrent protocol
    • it is used for symmetrical communication between peers, including
      • data transfer (torrent “pieces”)
      • metadata transfer (for torrents)
      • extended protocol data and metadata exchange
    • it can run over TCP/IP or using a BitTorrent specific transport layer, uTP over UDP
      • uTP can be used to improve congestion management
    • typical message flow includes:
      • handshake + extensions
        • each peer sends a handshake message to the other
          • the handshake includes the desired torrent’s “infohash”
            • note that when contacting a new peer, the originator peer believes that the target peer has some of the desired torrent’s pieces
              • because it found it through some tracking mechanism based on the infohash
        • followed by
          • extensions supported
          • and a never-ending stream of length-prefixed messages
      • base messages
        • 0 – choke, 1 – unchoke
          • for bandwidth control
        • 2 – interested, 3 – not interested
          • specifies whether the peer is interested in the pieces that the other peer has available for downloading
        • 4 – have
          • a peer can inform the other peer of which torrent pieces it already has downloaded
        • 6 – request, 7 – piece
          • a peer can “request” a given piece
          • the other peer returns the “piece”
      • a peer will keep requesting from the other peer the “pieces” it hasn’t downloaded yet
        • the other peer will return them
        • if a peer detects that the other one is not allowing it to download as many pieces as it should, it may “choke” the other peer, which means it will not allow it to download more pieces until “unchoked”
        • if a peer detects that the other peer only has pieces that it has already downloaded, it should send it a “not interested” message
    • the BitTorrent protocol can be extended with new messages, which peers can use to check for extra functionality in other peers
      • extension examples:
        • DHT node support
          • (was not present in the initial protocol version)
        • Torrent Metadata exchange support
          • (was not present in the initial protocol version)
        • Peer Exchange (PEX)
          • (was not present in the initial protocol version)
    • Encryption (or more precisely, Obfuscation)
      • a weak encryption can be used in this protocol, to try to hide the BitTorrent protocol from ISPs that block or perform traffic shaping over this traffic
      • an encapsulation protocol (called Message Stream Encryption or PHE) can be used for this purpose
        • it uses a completely random header and a D-H key exchange in order to accomplish its purpose
      • a downloader can announce encryption support to a tracker by using the following extra arguments
        • supportcrypto=1, requirecrypto=1, cryptoport=X
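As an added example (not code from the original post), here is the HTTP tracker exchange described in the list above, in Python: building the announce GET URL with a correctly percent-encoded 20-byte info_hash, and decoding the tracker’s bencoded reply with its compact 6-bytes-per-peer list. The tracker host, the info_hash and peer_id values and the sample response are constructed for the example; a real client would send the URL with an HTTP library and hand the response body to parse_announce_response.

```python
import socket
import struct
from urllib.parse import urlencode


def bdecode(data):
    """Decode one complete bencoded value; reject trailing or truncated input."""
    value, end = _bdecode_at(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


def _bdecode_at(data, i):
    c = data[i:i + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":                                   # list: l<items>e
        i, items = i + 1, []
        while data[i:i + 1] != b"e":
            item, i = _bdecode_at(data, i)
            items.append(item)
        return items, i + 1
    if c == b"d":                                   # dictionary: d<key><value>...e
        i, result = i + 1, {}
        while data[i:i + 1] != b"e":
            key, i = _bdecode_at(data, i)
            if not isinstance(key, bytes):
                raise ValueError("dictionary keys must be byte strings")
            result[key], i = _bdecode_at(data, i)
        return result, i + 1
    if c.isdigit():                                 # string: <length>:<bytes>
        colon = data.index(b":", i)
        length, start = int(data[i:colon]), colon + 1
        if start + length > len(data):
            raise ValueError("string length runs past the end of the buffer")
        return data[start:start + length], start + length
    raise ValueError("invalid bencode at offset %d" % i)


def announce_url(tracker, info_hash, peer_id, port, uploaded=0, downloaded=0, left=0):
    """Build the HTTP tracker GET URL. urlencode percent-encodes the raw 20-byte
    info_hash and peer_id, which is the form trackers expect."""
    if len(info_hash) != 20 or len(peer_id) != 20:
        raise ValueError("info_hash and peer_id must be exactly 20 bytes")
    params = {"info_hash": info_hash, "peer_id": peer_id, "port": port,
              "uploaded": uploaded, "downloaded": downloaded, "left": left, "compact": 1}
    return "%s/announce?%s" % (tracker.rstrip("/"), urlencode(params))


def parse_announce_response(body):
    """Parse a tracker reply into (interval, [(ip, port), ...]). Handles the
    compact form (6 bytes per peer) and the dictionary form, and surfaces
    a 'failure reason' instead of silently returning no peers."""
    reply = bdecode(body)
    if not isinstance(reply, dict):
        raise ValueError("tracker response is not a dictionary")
    if b"failure reason" in reply:
        raise RuntimeError("tracker error: %s" % reply[b"failure reason"].decode("utf-8", "replace"))
    peers_field = reply.get(b"peers", b"")
    peers = []
    if isinstance(peers_field, bytes):
        if len(peers_field) % 6:
            raise ValueError("compact peer list length is not a multiple of 6")
        for off in range(0, len(peers_field), 6):
            ip = socket.inet_ntoa(peers_field[off:off + 4])
            (port,) = struct.unpack("!H", peers_field[off + 4:off + 6])
            peers.append((ip, port))
    else:
        for entry in peers_field:
            peers.append((entry[b"ip"].decode(), entry[b"port"]))
    return reply.get(b"interval", 0), peers


# Constructed sample reply: interval 1800 s and two compact peer entries.
SAMPLE_RESPONSE = (b"d8:intervali1800e5:peers12:"
                   + socket.inet_aton("192.0.2.10") + struct.pack("!H", 6881)
                   + socket.inet_aton("198.51.100.7") + struct.pack("!H", 51413) + b"e")


if __name__ == "__main__":
    print(announce_url("http://tracker.example:6969", bytes(range(20)), b"-PY0001-000000000000", 6881))
    print(parse_announce_response(SAMPLE_RESPONSE))
```

The same bencode decoder is what a DHT node needs to read KRPC messages, which is why it is written to reject truncated or trailing data rather than over-read or loop on a malformed packet.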

Conclusion

This concludes this quick overview of the protocols used by the BitTorrent network.

In the following posts, I will show some low-level protocol examples.


BitTorrent Architecture Overview

According to its proponents, BitTorrent is “a free speech tool”.

This is indeed the case, as it allows its users to distribute content without a centralized authority, using mainly each user’s network and computing resources in a distributed fashion.

A user’s network and computing resources are somewhat shared with the other users (also called “peers” in this context), so that everyone can benefit from expanded availability and reduced censorship properties of the BitTorrent network. The content can be stored in multiple peers at the same time: so that if a peer goes down, the content can still be obtained from the remaining peers that have a complete or partial copy of the content.

Additionally, BitTorrent allows a user to download content from multiple peers, instead of downloading it from a single server. This feature can often enable faster download speeds for its users.

Privacy can also be enhanced by using BitTorrent with minimal or no logging, whenever possible. This contrasts with downloading content from a server, which is usually logged.

Main components/terms

BitTorrent has a complex terminology, so it is worth clarifying the main terms.

Let’s start with:

  • Original file/content
    • The content to be published/shared with other users
  • Downloader
    • Application that implements the BitTorrent protocols and specifications
      • there are several such applications
      • examples: uTorrent, qbittorrent
  • “.torrent” file (a.k.a. Metadata file)
    • a “summary” file that summarizes the original file contents
      • the user can share the metadata file with other users, so that they can download the shared content
    • “info_hash” is a SHA-1 hash of the “info” section in the “.torrent” file
      • this hash is used to identify the torrent and for searching for peers seeding the torrent
  • Magnet URI
    • a URI for a metadata file
      • even simpler to share than a file
      • the user can share the magnet URI with other users, so that they can download the shared content
  • Piece
    • a segment of the original file
      • the original file is split in multiple “pieces” for downloading and uploading
  • Peer
    • another user with whom to share file “pieces”
  • Swarm
    • a group of peers sharing the same “torrent”
      • downloading
      • or uploading (also known as “seeding”)
    • identified by the torrent’s “info_hash”
  • Seed
    • a peer that has the entire “torrent” contents
      • has already downloaded all the “pieces” (or is the original publisher)
  • Tracker
    • an auxiliary service that behaves as a kind of “name server”
    • maps torrents’ “info_hashes” to lists of peers that are seeding each torrent
    • peers “announce” that they are “interested” in the torrent identified by a given “info_hash” and simultaneously receive a list of peers that are also “interested”
      • “interested” peers are willing to upload and download “pieces” of the torrent
    • trackers are set up and maintained by volunteer entities
  • DHT – Distributed Hash Table
    • another auxiliary service implemented mostly by the full set of BitTorrent nodes
    • also behaves as a kind of “name server”
    • peers “announce” that they are “interested” in the torrent identified by a given “info_hash” and simultaneously receive a list of peers that are also “interested”

Step 1. Creating & sharing a new torrent + swarm


In order to publish a new torrent, a user typically has to perform the following steps:

  • 1. Create the “.torrent” metadata file
    • select which content (local files) to include in the new “.torrent”
    • optionally select which tracker(s) will be used to announce the new torrent
    • optionally select if the torrent will be private (not announced in the DHT nor in public trackers) or if it will be public (announced in the DHT and in public trackers)
    • optionally select “web seeds” for the content
      • (these are just HTTP URLs pointing to some web server that is also serving the same content via HTTP)
  • 2. Save the “.torrent” metadata file and “Magnet URI” for later use
  • 3. Announce and Seed the new “.torrent”
    • Announce
      • In the “Trackers” defined in the metadata
      • In the DHT
      • For Local Peers (in the same LAN)
    • Seed
      • allow any interested peer to download from the initial seeder
    • the “info_hash” is used to uniquely identify the “.torrent” file
  • 4. Share the “.torrent” file or Magnet URI with the intended peer audience using means external to the BitTorrent network
    • web sites, emails, chat, sms, …

[Screenshots, not reproduced here: example using uTorrent (Windows); example using qbittorrent (Linux)]

Step 2. Finding and Joining peers for a given torrent/swarm


In order to find and join a torrent, a user typically has to perform the following steps:

  • 1. Search for interesting “.torrent” or Magnet URIs using means external to the BitTorrent network
    • web sites, emails, chat, sms, …
    • NOTE: BitTorrent does not provide a “content search” mechanism, as some of its predecessors did.
  • 2. Download and Save the “.torrent” file or Magnet URI
  • 3. Calculate the “info_hash” for the “.torrent” file or Magnet URI
  • 4. Query for peers seeding the torrent and Join the Swarm
    • using the calculated “info_hash”
    • announce interest in the torrent
    • get lists of peers
    • through the Trackers, the DHT, Local Peer Discovery
    • (and also through Peer Exchange, after some peers have been found through the other mechanisms)
  • 5. Download and Upload content “Pieces” from/to other Peers
  • 6. Reassemble the original file by assembling all downloaded pieces together
  • 7. Become a Seed
    • Keep seeding the contents
    • seeding all “pieces”
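Steps 1 to 3 of publishing a torrent (create the metainfo, derive the “info_hash”, share a Magnet URI) and step 3 of joining one (calculate the “info_hash”), as an added Python example that is not code from the original post or from any BitTorrent client: it splits constructed content into pieces, SHA-1 hashes each piece, bencodes the “info” dictionary, and derives the info_hash and a Magnet URI from it. The piece length, file name, content bytes and tracker URLs are constructed for the example.

```python
import hashlib
from urllib.parse import quote

PIECE_LENGTH = 16 * 1024                   # constructed: small for the example; real torrents use larger pieces
SAMPLE_CONTENT = bytes(range(256)) * 160   # constructed 40960-byte "original file"


def bencode(value):
    """Encode ints, bytes, str, lists and dicts as bencode. Dictionary keys are
    sorted, as the format requires, so every client computes the same info_hash."""
    if isinstance(value, bool):
        raise TypeError("booleans are not valid bencode values")
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, str):
        value = value.encode("utf-8")
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    if isinstance(value, list):
        return b"l" + b"".join(bencode(v) for v in value) + b"e"
    if isinstance(value, dict):
        items = sorted((k.encode("utf-8") if isinstance(k, str) else k, v) for k, v in value.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError("cannot bencode %s" % type(value).__name__)


def build_metainfo(name, content, trackers, private=False):
    """Single-file metainfo: split the content into pieces, SHA-1 each piece,
    and store the concatenated digests in the 'pieces' field."""
    pieces = b"".join(hashlib.sha1(content[i:i + PIECE_LENGTH]).digest()
                      for i in range(0, len(content), PIECE_LENGTH))
    info = {"name": name, "length": len(content), "piece length": PIECE_LENGTH, "pieces": pieces}
    if private:
        info["private"] = 1          # asks clients not to use DHT/PEX for this torrent
    meta = {"announce": trackers[0], "info": info}
    if len(trackers) > 1:
        meta["announce-list"] = [[t] for t in trackers]
    return meta


def info_hash(meta):
    """The info_hash is the SHA-1 of the bencoded 'info' dictionary alone, so the
    tracker URLs can change without changing the torrent's identity."""
    return hashlib.sha1(bencode(meta["info"])).digest()


def magnet_uri(meta):
    """Magnet link: hex info_hash, display name and tracker hints."""
    parts = ["xt=urn:btih:" + info_hash(meta).hex(), "dn=" + quote(meta["info"]["name"])]
    for entry in meta.get("announce-list", [[meta["announce"]]]):
        parts.append("tr=" + quote(entry[0], safe=""))
    return "magnet:?" + "&".join(parts)


if __name__ == "__main__":
    meta = build_metainfo("example.bin", SAMPLE_CONTENT, ["udp://tracker.example:6969"])
    print(info_hash(meta).hex())
    print(magnet_uri(meta))
```

Because the hash covers only the “info” dictionary, a private torrent (with the “private” flag inside “info”) gets a different info_hash from an otherwise identical public one, while adding or removing trackers leaves it unchanged.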

[Screenshots, not reproduced here: adding a new torrent file; trackers example; DHT example]

Step 3. Downloading and Uploading torrent/swarm pieces

During the download and even after a full download, the “Downloader” also “seeds” the “pieces” it has already downloaded. This means that other peers can download these “pieces” from it. This allows for extra availability and extra bandwidth, when there are many peers in a swarm.

When one or more peers go offline, some of the torrent “pieces” may become “not available”. This means that other peers which still don’t have those “pieces” will not be able to download the full torrent until those “pieces” become available again.

As previously mentioned:

  • 5. Download and Upload content “Pieces” from/to other Peers
  • 6. Reassemble the original file by assembling all downloaded pieces together
  • 7. Become a Seed
    • Keep seeding the contents
    • seeding all “pieces”
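The peer protocol messages listed in the protocol overview (handshake, keep-alive, interested, request and piece) and the piece download and reassembly steps above, as an added Python example that is not code from the original post or from any client. It builds and validates the handshake, frames and parses the length-prefixed messages, and checks a received piece against the SHA-1 recorded in the metainfo before it would be written to disk or re-served. The piece contents, the info_hash, the peer_id and the 1 MiB length limit are constructed for the example.

```python
import hashlib
import struct

PSTR = b"BitTorrent protocol"
MAX_MESSAGE_LEN = 1 << 20          # constructed sanity limit on the length prefix
MSG_NAMES = {0: "choke", 1: "unchoke", 2: "interested", 3: "not interested",
             4: "have", 5: "bitfield", 6: "request", 7: "piece", 8: "cancel"}

# Constructed swarm data for the example (not from the post): a one-piece torrent.
SAMPLE_PIECE = b"piece zero bytes " * 64                   # 1088 bytes
PIECE_HASHES = hashlib.sha1(SAMPLE_PIECE).digest()         # the metainfo 'pieces' string
INFO_HASH = hashlib.sha1(b"constructed info dictionary").digest()


def build_handshake(info_hash, peer_id, dht=False):
    """<pstrlen><pstr><8 reserved bytes><info_hash><peer_id>, 68 bytes in total.
    Bit 0 of the last reserved byte advertises DHT support."""
    reserved = bytearray(8)
    if dht:
        reserved[7] |= 0x01
    return bytes([len(PSTR)]) + PSTR + bytes(reserved) + info_hash + peer_id


def parse_handshake(data, expected_info_hash):
    """Validate an incoming handshake: correct protocol string, and an infohash
    this peer actually serves. Anything else is dropped before any piece traffic."""
    if len(data) < 68 or data[0] != len(PSTR) or data[1:20] != PSTR:
        raise ValueError("not a BitTorrent handshake")
    reserved, info_hash, peer_id = data[20:28], data[28:48], data[48:68]
    if info_hash != expected_info_hash:
        raise ValueError("handshake for an infohash we do not serve")
    return {"dht": bool(reserved[7] & 0x01), "peer_id": peer_id, "info_hash": info_hash}


def encode_message(msg_id, payload=b""):
    """Length-prefixed message <len><id><payload>; msg_id None is a keep-alive."""
    if msg_id is None:
        return b"\x00\x00\x00\x00"
    return struct.pack("!IB", 1 + len(payload), msg_id) + payload


def encode_request(index, begin, length):
    return encode_message(6, struct.pack("!III", index, begin, length))


def encode_piece(index, begin, block):
    return encode_message(7, struct.pack("!II", index, begin) + block)


def decode_messages(stream):
    """Split a byte stream into (name, payload) tuples. Returns the messages and
    the unconsumed tail, so a partial message waits for the next read. The length
    prefix is checked against MAX_MESSAGE_LEN before anything is buffered."""
    messages, i = [], 0
    while len(stream) - i >= 4:
        (length,) = struct.unpack("!I", stream[i:i + 4])
        if length > MAX_MESSAGE_LEN:
            raise ValueError("message length %d exceeds limit" % length)
        if length == 0:
            messages.append(("keep-alive", b""))
            i += 4
            continue
        if len(stream) - i < 4 + length:
            break                                   # incomplete message, wait for more data
        msg_id = stream[i + 4]
        messages.append((MSG_NAMES.get(msg_id, "unknown-%d" % msg_id), stream[i + 5:i + 4 + length]))
        i += 4 + length
    return messages, stream[i:]


def piece_is_valid(payload, piece_hashes):
    """Check a received 'piece' payload (<index><begin><block>) against the SHA-1
    stored in the metainfo. Here the block is the whole piece; a real client hashes
    once all blocks of a piece are assembled, and only then stores or re-serves it."""
    if len(payload) < 8:
        return False
    index, begin = struct.unpack("!II", payload[:8])
    expected = piece_hashes[index * 20:(index + 1) * 20]
    return begin == 0 and len(expected) == 20 and hashlib.sha1(payload[8:]).digest() == expected


if __name__ == "__main__":
    hs = build_handshake(INFO_HASH, b"-XX0001-" + b"0" * 12, dht=True)
    print(parse_handshake(hs, INFO_HASH))
    stream = encode_message(2) + encode_request(0, 0, len(SAMPLE_PIECE)) + encode_piece(0, 0, SAMPLE_PIECE)
    for name, payload in decode_messages(stream)[0]:
        print(name, len(payload), piece_is_valid(payload, PIECE_HASHES) if name == "piece" else "")
```

The two checks that matter from a security standpoint are the length-prefix limit (a peer cannot make the receiver allocate an arbitrarily large buffer) and the per-piece hash check (a peer that sends corrupt or substituted data is detected before the data is stored or passed on to the rest of the swarm).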

Download Examples (with uTorrent)

[Screenshots, not reproduced here: download status for a specific torrent/file; peers in the swarm; fully downloaded torrent/file; peers in the swarm with decoded countries; fully downloaded torrent/file in “Seeding” status]

Final remarks

BitTorrent is a very powerful and popular free speech tool.

I will be describing more protocol details in future posts.


Nested virtualization using VMware hypervisors

Nested virtualization is the act of running a hypervisor nested within another hypervisor.

For example, it is possible to run a Nested VMware ESXi 6.0 hypervisor over a VMware Player 7 hypervisor (screenshot not reproduced here).

We may need to make some changes to the Nested Hypervisor virtual machine configuration file, as described in VMware: Running Nested VMs.

It would be interesting for a guest machine to be able to detect that it is running over a Nested Hypervisor.

I haven’t found a direct method (virtual hardware-based) yet. Some network testing and MAC Address and ESXi services correlation could do the trick, when networking is available.

For example, consider the following NMAP scan:

# nmap -vv -sV --version-all 192.168.189.134 -p 443
Starting Nmap 6.47 ( http://nmap.org ) at 2016-01-22 10:45 EST
Scanning 192.168.189.134 [1 port]
(...)
PORT STATE SERVICE VERSION
443/tcp open ssl/http VMware ESXi Server httpd
MAC Address: 00:0C:29:BD:16:1F (VMware)

NMAP detects that there is an ESXi Server at IP 192.168.189.134 and that its MAC Address is 00:0C:29:BD:16:1F, inside the VMware virtual MAC address range. This indicates that this machine may well be a Nested ESXi.
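As an added example (not part of the original post or of the vmhost_report tool), this Python code applies the same correlation to nmap’s normal output: it pairs an ESXi service banner with the MAC address line and checks the OUI against VMware’s registered prefixes, so an inventory script can flag hosts whose hypervisor is itself running inside a VM. The first sample is the scan output shown above; the second, physical-host sample and its MAC address are constructed.

```python
import re

# VMware's registered OUIs. 00:0C:29 is the prefix VMware products assign to
# automatically generated virtual NIC addresses; 00:50:56 covers manually set
# and vCenter-assigned addresses.
VMWARE_OUIS = {"00:05:69", "00:0C:29", "00:1C:14", "00:50:56"}

# Scan output as shown in the post above (the command line itself is omitted).
NMAP_SAMPLE = """Starting Nmap 6.47 ( http://nmap.org ) at 2016-01-22 10:45 EST
Scanning 192.168.189.134 [1 port]
(...)
PORT STATE SERVICE VERSION
443/tcp open ssl/http VMware ESXi Server httpd
MAC Address: 00:0C:29:BD:16:1F (VMware)
"""

# Constructed contrast case: same banner, but the MAC is not in a VMware range.
PHYSICAL_SAMPLE = """PORT STATE SERVICE VERSION
443/tcp open ssl/http VMware ESXi Server httpd
MAC Address: 02:00:00:AA:BB:CC (Unknown)
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s+(.*)$", re.MULTILINE)
MAC_LINE = re.compile(r"^MAC Address:\s+([0-9A-Fa-f:]{17})\s+\((.*?)\)", re.MULTILINE)


def parse_nmap_output(text):
    """Return ([(port, proto, service, version), ...], (mac, vendor) or None)."""
    ports = PORT_LINE.findall(text)
    mac = MAC_LINE.search(text)
    return ports, ((mac.group(1).upper(), mac.group(2)) if mac else None)


def assess_nested_esxi(text):
    """An ESXi service banner on a VMware virtual NIC means the hypervisor is
    itself a guest, i.e. most likely a nested ESXi."""
    ports, mac = parse_nmap_output(text)
    esxi = any("ESXi" in version for _, _, _, version in ports)
    vmware_nic = mac is not None and mac[0][:8] in VMWARE_OUIS
    if esxi and vmware_nic:
        return "likely nested ESXi: VMware ESXi service on a VMware virtual NIC"
    if esxi:
        return "ESXi service on a non-VMware MAC: probably a physical host"
    if vmware_nic:
        return "VMware virtual NIC but no ESXi service detected"
    return "no ESXi service detected"


if __name__ == "__main__":
    print(assess_nested_esxi(NMAP_SAMPLE))
    print(assess_nested_esxi(PHYSICAL_SAMPLE))
```

The MAC line is only present when nmap runs on the same L2 segment as the target, so for hosts reached through a router the function will at most report the service banner.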

More details in the full paper at VMware hypervisor fingerprinting Tool (& Paper).


VMware hypervisor fingerprinting Tool ( & Paper)

Just published a new tool vmhost_report.rb (and a paper about it) for VMware hypervisor fingerprinting. The tool is released with an open source license (GPL), you can use it freely.

In the paper, I show you how to determine hypervisor properties (such as hypervisor version or virtual CPU Limits) by running commands in the guest operating system, without any special privileges in the host machine running the hypervisor.

This can be useful for penetration testing, information gathering, and determining the best software configuration for virtualization-sensitive and virtualization-aware software.

I have developed a reporting tool vmhost_report.rb that unifies all the presented methods, by running them all in sequence and gathering the information in a useful report that can be run from any guest system. Currently, Linux and Nested ESXi are supported.

You can run it as “ruby vmhost_report.rb”. It will write a lot of useful information to the vmhost_report.log file.

These reports can be used to learn a lot about VMware internals or a particular guest system or network. You can find report examples in the Paper’s “Annex A”.

Some of the described methods can be used even if the VMware Tools are disabled or not installed, or if some of the methods are disabled by host configuration. Some of the methods require “root” privileges, while others do not need it.


Domain Specific Languages (DSLs) – SLIDES

I’ve uploaded some slides about DSLs, you can find them at:


Reposting my previous post about DSLs below.


Byzantine mysteries

Domain Specific Languages (DSLs) are special-purpose programming languages developed for a specific domain. Some of their most interesting benefits include:

  • increasing productivity (by reducing the lines of code that have to be written manually)
  • test generation
  • formal verification

These languages work by using higher-level constructions and restrictions. They can be either textual (declarative or imperative) or graphical, and can include multiple views for the same domain.

I’ve used these languages extensively in my work and they save a lot of time. “Preprocessing” is one of the typical ways to implement them. Some subtypes include:

  • Macro processing
  • Source-to-source transformation (conversion between languages)
  • Pipeline
  • Lexical processing

( more info at http://www.rose-hulman.edu/Users/faculty/young/OldFiles/CS-Classes/OldFiles/csse490-mbse/Readings/DSL-Survey-WhenHow.pdf )

You can use these languages for several purposes, including:

  • Defining an entity model
  • Protocol definition
  • High-level user interface description
  • Automated test case description
  • Software architecture description

Microsoft has some easy to use DSL editor tools in Visual Studio…
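As an added example (not from the reposted article), here is a small “protocol definition” DSL implemented by preprocessing in Python: a lexical pass reads a message layout, a source-to-source step generates a Python parser for it, and the generated parser is compiled and used. The DSL syntax, the SPEC text and the field type names are all constructed for this example.

```python
# Constructed DSL text for the example (not from the post): a message layout,
# one field per line as "name: type"; '#' starts a comment.
SPEC = """
message Header
  version: u8      # protocol version
  flags:   u8
  length:  u16     # payload length in bytes
  msg_id:  u32
"""

TYPE_MAP = {"u8": "B", "u16": "H", "u32": "I"}   # DSL type -> struct format code


def parse_spec(text):
    """Lexical pass: turn the DSL text into (message name, [(field, type), ...])."""
    name, fields = None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("message "):
            name = line.split(None, 1)[1].strip()
            continue
        field, ftype = (part.strip() for part in line.split(":", 1))
        if ftype not in TYPE_MAP:
            raise ValueError("unknown type %r for field %r" % (ftype, field))
        fields.append((field, ftype))
    if name is None or not fields:
        raise ValueError("spec needs a message name and at least one field")
    return name, fields


def generate_parser_source(name, fields):
    """Source-to-source step: emit Python that unpacks the message with a fixed
    struct format and rejects input of the wrong size, so no generated parser
    can read past its buffer."""
    fmt = "!" + "".join(TYPE_MAP[t] for _, t in fields)
    names = ", ".join(repr(f) for f, _ in fields)
    return (
        "import struct\n"
        "FORMAT = %r\n"
        "SIZE = struct.calcsize(FORMAT)\n"
        "def parse_%s(data):\n"
        "    if len(data) != SIZE:\n"
        "        raise ValueError('expected %%d bytes, got %%d' %% (SIZE, len(data)))\n"
        "    return dict(zip([%s], struct.unpack(FORMAT, data)))\n"
    ) % (fmt, name.lower(), names)


def compile_parser(text):
    """Pipeline: lexical pass -> code generation -> compiled function."""
    name, fields = parse_spec(text)
    namespace = {}
    exec(generate_parser_source(name, fields), namespace)
    return namespace["parse_" + name.lower()]


if __name__ == "__main__":
    print(generate_parser_source(*parse_spec(SPEC)))
    parse_header = compile_parser(SPEC)
    print(parse_header(b"\x01\x80\x00\x10\x00\x00\x00\x2a"))
```

The point of generating the parser rather than writing it by hand is that the size check and the field order come from the one place the layout is defined, so every message type built from the DSL gets the same bounds checking for free.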


VMware Cloud Products Survey (Slides)

Regarding VMware vCloud Suite components, VMware terminology can be confusing.

This presentation tries to clarify some VMware component names and analyse VMware vRealize Operations in depth.

The vCloud suite includes almost all VMware products, including:

  • Hypervisor: vSphere (ESXi + vCenter)
    • ESXi: single-machine hypervisor
    • vCenter: handles multiple ESXi hosts
      • handles vMotion, High Availability, Load Balancing
  • vCenter Site Recovery Manager
    • policy-based disaster recovery and testing for all virtualized applications

Full presentation at:


TOR client: low-level footprint analysis (Part 2 – “whonix gateway”)

In the first post in this series I presented the torhost_report.rb reporting script (see original post).

In this second post, I will be analyzing the “TOR client” installed components in a Linux host, using torhost_report.rb for that purpose.

More specifically, let’s look at the results for a “whonix gw” virtual machine (Debian).


$$$$ TOR Host Analysis Report [Version 0.10]
$$$$
$$$$ Analyzing local host TOR environment ...
$$$$ (Starting at Thu Jul 14 15:25:35 UTC 2016)

$$$$ Important TOR configuration files:

$$$$ torrc

# This file is part of Whonix
# Copyright (C) 2012 - 2013 adrelanos <adrelanos at riseup dot net>
# See the file COPYING for copying conditions.

# Use this file for your user customizations.
# Please see /etc/tor/torrc.examples for help, options, comments etc.

# Anything here will override Whonix's own Tor config customizations in
# /usr/share/tor/tor-service-defaults-torrc

# Enable Tor through whonixsetup or manually uncomment "DisableNetwork 0" by
# removing the # in front of it.
DisableNetwork 0


We can see the contents of the /etc/tor/torrc file. This is the main configuration file for TOR. In the “whonix” scenario, it also includes the /usr/share/tor/tor-service-defaults-torrc file, so the script also gets that file’s contents.

There are interesting configuration options here. You can check the full documentation for torrc files at https://www.torproject.org/docs/tor-manual.html.en

I would mention the following configuration options:

  • SOCKSPort [address:]port|unix:path|auto [flags] [isolation flags]
    • opens a listening socket for SOCKS proxy access to the TOR network
    • clients connecting to one of the SOCKS proxy services get access to the TOR network, as the TOR client forwards their requests through the TOR network to the final server on the internet
    • a “TORified” application should use one of these ports
    • the default SOCKS proxy port for TOR is 9050
    • the user can specify circuit isolation flags
    • multiple SOCKSPorts can be defined, giving different isolation levels to different applications
      • for example, “whonix gw” defines SOCKSPorts for
        • Tor Browser, IRC: XChat, Mail: Thunderbird with TorBirdy, Instant Messenger, apt-get, gpg, ssh, git, Network Time Synchronization, wget, whonixcheck, BitCoin, TorChat, aptitude, yum, Tor Messenger’s default port
  • DNSPort [address:]port|auto [isolation flags]
    • TOR TCP/IP-based DNS service port
    • client applications can use this port to perform DNS requests anonymously, without needing to use UDP
  • TransPort [address:]port|auto [isolation flags]
    • similar to SOCKSPort but used for “transparent proxies”, for example with “iptables”
    • by properly configuring “iptables”, a system can redirect all or some TCP/IP connections through this port
  • ControlPort PORT|unix:path|auto [flags]
    • an application can connect to this port to control the TOR client or get status information from it
    • the TOR control protocol should be used, as defined in control-spec.txt
    • the default control port is 9051
    • arm and vidalia use this protocol to communicate with the TOR client
  • DirPort [address:]PORT|auto [flags]
    • advertises a TOR directory service
    • this is optional; note that it is not used in the “whonix gw” VM

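As an added example (not part of torhost_report.rb or of the original post), here is a small Python audit of the listener options just described: it parses the active lines of a torrc and flags SocksPorts without isolation flags, listeners bound to all interfaces, a ControlPort with neither CookieAuthentication nor HashedControlPassword configured, an advertised DirPort, and DisableNetwork 1. The torrc excerpt is constructed for the example (real Tor option names, made-up values), and the checks are examples of what such an audit can look for.

```python
# Constructed torrc excerpt for this example: real Tor option names, made-up values.
SAMPLE_TORRC = """
## Tor Default Port
SocksPort 10.152.152.10:9050
SocksPort 0.0.0.0:9100 IsolateDestAddr
TransPort 10.152.152.10:9040
DnsPort 10.152.152.10:5300 IsolateDestPort
ControlPort 9051
DirPort 9030
DisableNetwork 0
"""

LISTENER_OPTIONS = {"socksport", "transport", "dnsport", "controlport", "dirport"}
AUTH_OPTIONS = {"cookieauthentication", "hashedcontrolpassword"}


def parse_torrc(text):
    """Return [(option, value)] for the active lines; comments and blanks are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        entries.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return entries


def split_listener(value):
    """Split '[address:]port [flags ...]' into (address, port, [flags]).
    Tor binds to localhost when no address is given."""
    spec, *flags = value.split()
    if ":" in spec and not spec.startswith("unix:"):
        address, port = spec.rsplit(":", 1)
    else:
        address, port = "127.0.0.1", spec
    return address, port, flags


def audit_torrc(text):
    """Run the checks over a torrc and return the findings as a list of strings."""
    entries = parse_torrc(text)
    present = {key.lower() for key, _ in entries}
    findings = []
    for key, value in entries:
        option = key.lower()
        if option not in LISTENER_OPTIONS or not value:
            continue
        address, port, flags = split_listener(value)
        if address in ("0.0.0.0", "::", "[::]"):
            findings.append("%s %s listens on all interfaces" % (key, port))
        if option == "controlport" and not (present & AUTH_OPTIONS):
            findings.append("%s %s has no authentication configured" % (key, port))
        if option == "socksport" and not any(f.startswith("Isolate") for f in flags):
            findings.append("%s %s has no circuit isolation flags" % (key, port))
    if "dirport" in present:
        findings.append("DirPort is set: this host advertises a directory service")
    if any(k.lower() == "disablenetwork" and v == "1" for k, v in entries):
        findings.append("DisableNetwork 1: Tor will not connect to the network")
    return findings


if __name__ == "__main__":
    for finding in audit_torrc(SAMPLE_TORRC):
        print(finding)
```

Run against the two files dumped by the report, the script would notice, for instance, that the “whonix gw” SocksPort 9050 deliberately carries no isolation flags (the file’s own comments explain why) and that ControlPort 9051 is backed by the CookieAuthentication setting from the defaults file, so a finding is a prompt to read the surrounding comments, not a verdict.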
$$$$ /usr/share/tor/tor-service-defaults-torrc

## This file is part of Whonix.
## Copyright (C) 2012 - 2014 Patrick Schleizer <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

# Please use "/etc/tor/torrc" for your custom configuration,
# which will override the defaults found here. When this package is updated,
# this file may be overwritten.

## You can find the original upstream tor-service-defaults-torrc under
## /usr/share/tor/tor-service-defaults-torrc.anondist-orig


#########################################
## Upstream Defaults File               #
#########################################

## These defaults are taken from /usr/share/tor/tor-service-defaults-torrc
## on Aug 2013 on Debian Jessi.

DataDirectory /var/lib/tor
PidFile /var/run/tor/tor.pid
RunAsDaemon 1
User debian-tor

ControlSocket /var/run/tor/control
ControlSocketsGroupWritable 1

CookieAuthentication 1
CookieAuthFileGroupReadable 1
CookieAuthFile /var/run/tor/control.authcookie

Log notice file /var/log/tor/log

#########################
## Enable / Disable Tor #
#########################

## Tor is disabled by default.
## Users are supposed to enable Tor through whonixsetup or manually
## removing the # in front of "DisableNetwork 0" in /etc/tor/torrc.
DisableNetwork 1

#########################################
## Leak Tests                           #
#########################################

##+# #OptionalFeatureNr.6# Leak Testing.
##+#
##+# Manual Leak Testing:
##+# See Whonix/LeakTests. Activate this while testing for leaks. (Step 0)
##+# Deactivate after you are done! (Important!) (Step 9)
##+#
##+# Scripted Leak Testing:
##+# If you change the following two lines, beside removing the hash (#),
##+# beside commenting them in, you break the integrated leaktest script.
##+# See leaktest_whonix_gateway() ed.
##+# See https://www.whonix.org/wiki/Dev/Leak_Tests
##+# on information, how to use the integrated leaktest script.
#ReachableDirAddresses *:80
#ReachableORAddresses *:443
#FascistFirewall 1

#########################################
## General Settings                     #
#########################################

## ControlPort is necessary for tor-arm and Vidalia.
## - Vidalia has to set /var/run/tor/control (default) as
##   Control Cookie. (Not installed by default)
## - Arm autodetects the Control Cookie. (Useful terminal Tor controller.)
## - Tor Control Port Filter Proxy
## - Not using HashedControlPassword or CookieAuthentication.
##   Gateway is no multi purpose machine. It is solely a
##   Tor Gateway. As soon as an adversary has physical access
##   or compromised Gateway, it's Game Over anyway.
ControlPort 9051
ControlListenAddress 127.0.0.1

Log notice syslog
Log notice file /run/tor/log
#Log notice file /var/log/tor/log

## Not required:
#DataDirectory /...
#PidFile /...
#ControlSocket /...
#ControlSocketsGroupWritable 1
#CookieAuthentication 1
#CookieAuthFileGroupReadable 1
#CookieAuthFile /...

#########################################
## mixmaster remailer                   #
#########################################

## REVIEW: Are the virtual IP addresses 1.1.1.1 and 2.2.2.2 appropriate or are different values better?

mapaddress 1.1.1.1 k54ids7luh523dbi.onion
mapaddress 2.2.2.2 gbhpq7eihle4btsn.onion

#########################################
## Misc Settings                        #
#########################################

VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1

###############################
## Workstation Trans/Dns-Port #
###############################

## (comment mirrored from /usr/bin/whonix_firewall)
## Transparent Proxy Port for Workstation
## TRANS_PORT_WORKSTATION="9040"
##+# #OptionalFeatureNr.5# Best possible protection against Identity correlation through circuit sharing. ^5^
##
## TransPort is not used for anything preinstalled by default.
## Only as a catch all for user installed applications,
## which is documented.
##
## IsolateDestAddr should not be activated by default,
## if people install filesharing software it would be a nightmare if all connections to the massive amount
## of destination IP's would go through separate circuits.
##
## For the same reason IsolateDestPort should not be activated by default, since BitTorrent (in some cases)
## uses random ports.
TransPort 10.152.152.10:9040

## (comment mirrored from /usr/bin/whonix_firewall)
## DNS_PORT_WORKSTATION="5300"
##+# #OptionalFeatureNr.5# Best possible protection against Identity correlation through circuit sharing. ^5^
##
## DnsPort is not used for anything preinstalled by default.
## Only as a catch all for user installed applications,
## which is documented.
##
## Not listening on port 53 but rather on a port higher than 1024 to avoid
## issues with reloading Tor. (Tor drops privileges and is then unable to
## create listeners below 1024.)
##
## Not sure about IsolateDestAddr.
## IsolateDestPort has probably very little effect, since most DNS servers listen on port 53.
DnsPort 10.152.152.10:5300 IsolateDestPort

###########################
## Workstation SocksPorts #
###########################

## (comment mirrored from /usr/bin/whonix_firewall)
## Socks Ports for per application circuits.
## SOCKS_PORT_TOR_DEFAULT="9050"
## SOCKS_PORT_TB="9100"
## SOCKS_PORT_IRC="9101"
## SOCKS_PORT_TORBIRDY="9102"
## SOCKS_PORT_IM="9103"
## SOCKS_PORT_APT_GET="9104"
## SOCKS_PORT_GPG="9105"
## SOCKS_PORT_SSH="9106"
## SOCKS_PORT_GIT="9107"
## SOCKS_PORT_SDWDATE="9108"
## SOCKS_PORT_WGET="9109"
## SOCKS_PORT_WHONIXCHECK="9110"
## SOCKS_PORT_BITCOIN="9111"
## SOCKS_PORT_PRIVOXY="9112"
## SOCKS_PORT_POLIPO="9113"
## SOCKS_PORT_WHONIX_NEWS="9114"
## SOCKS_PORT_TBB_DOWNLOAD="9115"
## SOCKS_PORT_TBB_GPG="9116"
## SOCKS_PORT_CURL="9117"
## SOCKS_PORT_RSS="9118"
## SOCKS_PORT_TORCHAT="9119"
## SOCKS_PORT_MIXMASTERUPDATE="9120"
## SOCKS_PORT_MIXMASTER="9121"
## SOCKS_PORT_KDE="9122"
## SOCKS_PORT_GNOME="9123"
## SOCKS_PORT_APTITUDE="9124"
## SOCKS_PORT_YUM="9125"
## SOCKS_PORT_TBB_DEFAULT="9150"

## Tor Default Port
## Only for applications, which expect Tor to be running on port 9050.
SocksPort 10.152.152.10:9050

## Web: Tor Browser
## Not using IsolateDestAddr IsolateDestPort, because too much
## performance loss, too much load on Tor network and not secure.
## Ticket https://trac.torproject.org/projects/tor/ticket/3455
## is the right way to solve this issue. Waiting for upstream.
SocksPort 10.152.152.10:9100
#SocksPort 10.152.152.10:9100 IsolateDestAddr IsolateDestPort

## IRC: XChat
## People are normally not connected to too many IRC servers,
## so they can use one circuit per server.
SocksPort 10.152.152.10:9101 IsolateDestAddr IsolateDestPort

## Mail: Thunderbird with TorBirdy
## Not preinstalled.
## Not used by too many people. Most users do not connect to
## too many servers.
SocksPort 10.152.152.10:9102 IsolateDestAddr IsolateDestPort

## Instant Messenger
## People are normally not connected to too many IM servers,
## so they can use one circuit per server.
SocksPort 10.152.152.10:9103 IsolateDestAddr IsolateDestPort

## Operating system updates: apt-get
## Not using IsolateDestAddr IsolateDestPort, because too much
## performance loss, too much load on Tor network and no gain
## in security.
SocksPort 10.152.152.10:9104

## gpg
## Not used by too many people. Most users do not connect to
## too many servers.
SocksPort 10.152.152.10:9105 IsolateDestAddr IsolateDestPort

## ssh
## Not used by too many people. Most users do not connect to
## too many servers.
SocksPort 10.152.152.10:9106 IsolateDestAddr IsolateDestPort

## git
## Not preinstalled.
## Not used by too many people. Most users do not connect to
## too many servers.
SocksPort 10.152.152.10:9107 IsolateDestAddr IsolateDestPort

## Network Time Synchronization
## There are only three different connections.
SocksPort 10.152.152.10:9108 IsolateDestAddr IsolateDestPort

## command line downloader: wget
## Only manually and by very few applications used. Should not
## hurt performance or Tor network. Very few connections are
## expected.
SocksPort 10.152.152.10:9109 IsolateDestAddr IsolateDestPort

## whonixcheck
## Only connects to https://check.torproject.org and checks IP
## and Tor Browser version.
## Only one server and only one port.
## Would be fine without IsolateDestAddr IsolateDestPort,
## but add it anyway to have less exceptions.
SocksPort 10.152.152.10:9110 IsolateDestAddr IsolateDestPort

## BitCoin
## Not using IsolateDestAddr IsolateDestPort.
## Makes too many connections to different servers. Should not
## hurt if they get through the same circuit.
SocksPort 10.152.152.10:9111

## http to socks converter: privoxy
## Not in use for anything preinstalled.
## Not using IsolateDestAddr IsolateDestPort for the same reasons
## as mentioned under Web: Tor Browser.
## Only used for Thunderbird with TorBirdy, which is not
## preinstalled.
SocksPort 10.152.152.10:9112

## http to socks converter: polipo
## Not in use for anything preinstalled.
## Not using IsolateDestAddr IsolateDestPort for the same reasons
## as mentioned under Web: Tor Browser.
SocksPort 10.152.152.10:9113

## Whonix news download
## Only connects to the Whonix homepage and downloads a small file with
## latest important Whonix news.
## Only one server and only one port.
## Would be fine without IsolateDestAddr IsolateDestPort,
## but add it anyway to have less exceptions.
SocksPort 10.152.152.10:9114 IsolateDestAddr IsolateDestPort

## Tor Browser bundle download
## Rarely used.
## Only one server and only one port.
## Would be fine without IsolateDestAddr IsolateDestPort,
## but add it anyway to have less exceptions.
SocksPort 10.152.152.10:9115 IsolateDestAddr IsolateDestPort

## Tor Browser gpg public key download
## Rarely used.
## Only one server and only one port.
## Would be fine without IsolateDestAddr IsolateDestPort,
## but add it anyway to have less exceptions.
SocksPort 10.152.152.10:9116 IsolateDestAddr IsolateDestPort

## Curl
## Only manually and by very few applications used. Should not
## hurt performance or Tor network. Very few connections are
## expected.
SocksPort 10.152.152.10:9117 IsolateDestAddr IsolateDestPort

## RSS
## By default only for the Whonix Blog and for the torproject.org blog.
## Few users expected to add their own feeds.
SocksPort 10.152.152.10:9118 IsolateDestAddr IsolateDestPort

## TorChat
## Not using IsolateDestAddr or IsolateDestPort, because upstream
## TorChat also does not do it. Since it only connects to
## hidden services it would perhaps not make a difference anyway.
SocksPort 10.152.152.10:9119

## mixmaster-update
## Few users expected to use it.
## Since it only connects to one or very few servers using
## IsolateDestAddr IsolateDestPort.
SocksPort 10.152.152.10:9120 IsolateDestAddr IsolateDestPort

## mixmaster
## This port is currently not in use. See Whonix mixmaster integration.
## https://www.whonix.org/wiki/Dev/Mixmaster
## Few users expected to use it.
## Since it only connects to one or very few servers using
## IsolateDestAddr IsolateDestPort.
SocksPort 10.152.152.10:9121 IsolateDestAddr IsolateDestPort

## KDE application wide proxy.
## Not using IsolateDestAddr or IsolateDestPort, because also browsers
## could use this port.
SocksPort 10.152.152.10:9122

## GNOME application wide proxy.
## This port is currently not in use.
## Not using IsolateDestAddr or IsolateDestPort, because also browsers
## could use this port.
SocksPort 10.152.152.10:9123

## Operating system updates: aptitude
## Not using IsolateDestAddr IsolateDestPort, because too much
## performance loss, too much load on Tor network and no gain
## in security.
SocksPort 10.152.152.10:9124

## Operating system updates: yum
## Not using IsolateDestAddr IsolateDestPort, because too much
## performance loss, too much load on Tor network and no gain
## in security.
SocksPort 10.152.152.10:9125

## Tor Browser Bundle Default Port
## This port gets used if someone uses the default Tor Browser Bundle.
## (rinetd runs on Workstation and forwards connections from
##  127.0.0.1:9150 to 10.152.152.10:9150 [as part of the
## anon-ws-disable-stacked-tor package].)
## Not using IsolateDestAddr IsolateDestPort, because too much
## performance loss, too much load on Tor network and not secure.
## Ticket https://trac.torproject.org/projects/tor/ticket/3455
## is the right way to solve this issue. Waiting for upstream.
SocksPort 10.152.152.10:9150 IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth

## Tor Messenger's default port
## This port gets used if someone uses the default Tor Messenger.
## (rinetd runs on Workstation and forwards connections from
##  127.0.0.1:9152 to 10.152.152.10:9152 [as part of the
## anon-ws-disable-stacked-tor package].)
SocksPort 10.152.152.10:9152 IsolateDestAddr IsolateDestPort

##+# #OptionalFeatureNr.4# More Socks Ports.
## Custom Ports #1:
## without IsolateDestAddr
## without IsolateDestPort
SocksPort 10.152.152.10:9153
SocksPort 10.152.152.10:9154
SocksPort 10.152.152.10:9155
SocksPort 10.152.152.10:9156
SocksPort 10.152.152.10:9157
SocksPort 10.152.152.10:9158
SocksPort 10.152.152.10:9159

##+# #OptionalFeatureNr.4# More Socks Ports.
## Custom Ports #2:
## with IsolateDestAddr
## without IsolateDestPort
SocksPort 10.152.152.10:9160 IsolateDestAddr
SocksPort 10.152.152.10:9161 IsolateDestAddr
SocksPort 10.152.152.10:9162 IsolateDestAddr
SocksPort 10.152.152.10:9163 IsolateDestAddr
SocksPort 10.152.152.10:9164 IsolateDestAddr
SocksPort 10.152.152.10:9165 IsolateDestAddr
SocksPort 10.152.152.10:9166 IsolateDestAddr
SocksPort 10.152.152.10:9167 IsolateDestAddr
SocksPort 10.152.152.10:9168 IsolateDestAddr
SocksPort 10.152.152.10:9169 IsolateDestAddr

##+# #OptionalFeatureNr.4# More Socks Ports.
## Custom Ports #3:
## without IsolateDestAddr
## with IsolateDestPort
SocksPort 10.152.152.10:9170 IsolateDestPort
SocksPort 10.152.152.10:9171 IsolateDestPort
SocksPort 10.152.152.10:9172 IsolateDestPort
SocksPort 10.152.152.10:9173 IsolateDestPort
SocksPort 10.152.152.10:9174 IsolateDestPort
SocksPort 10.152.152.10:9175 IsolateDestPort
SocksPort 10.152.152.10:9176 IsolateDestPort
SocksPort 10.152.152.10:9177 IsolateDestPort
SocksPort 10.152.152.10:9178 IsolateDestPort
SocksPort 10.152.152.10:9179 IsolateDestPort

##+# #OptionalFeatureNr.4# More Socks Ports.
## Custom Ports #4:
## with IsolateDestAddr
## with IsolateDestPort
SocksPort 10.152.152.10:9180 IsolateDestAddr IsolateDestPort
SocksPort 10.152.152.10:9181 IsolateDestAddr IsolateDestPort
SocksPort 10.152.152.10:9182 IsolateDestAddr IsolateDestPort
SocksPort 10.152.152.10:9183 IsolateDestAddr IsolateDestPort
SocksPort 10.152.152.10:9184 IsolateDestAddr IsolateDestPort
SocksPort 10.152.152.10:9185 IsolateDestAddr IsolateDestPort
SocksPort 10.152.152.10:9186 IsolateDestAddr IsolateDestPort
SocksPort 10.152.152.10:9187 IsolateDestAddr IsolateDestPort
SocksPort 10.152.152.10:9188 IsolateDestAddr IsolateDestPort
SocksPort 10.152.152.10:9189 IsolateDestAddr IsolateDestPort

###########################
## Gateway Trans/Dns-Port #
###########################

## TransPort and DnsPort are not enabled in gateway firewall by default.
##
## (comment mirrored from /usr/bin/whonix_firewall)
## Transparent Proxy Ports for Whonix-Gateway
## TRANS_PORT_GATEWAY="9041"
## DNS_PORT_GATEWAY="5400"
TransPort 127.0.0.1:9041
DnsPort 127.0.0.1:5400

#######################
## Gateway SocksPorts #
#######################

## Developer comment:
##
## We actually do not need all of them,
## but they do not hurt anyway and
## it keeps the setup more generic,
## with less exceptions.
##
## Comments why we (not) use IsolateDestAddr and/or IsolateDestPort
## are the same as in section Workstation SocksPorts.

SocksPort 127.0.0.1:9050
SocksPort 127.0.0.1:9100
SocksPort 127.0.0.1:9101 IsolateDestAddr IsolateDestPort
SocksPort 127.0.0.1:9102 IsolateDestAddr IsolateDestPort
SocksPort 127.0.0.1:9103 IsolateDestAddr IsolateDestPort
SocksPort 127.0.0.1:9104
SocksPort 127.0.0.1:9105 IsolateDestAddr IsolateDestPort
SocksPort 127.0.0.1:9106 IsolateDestAddr IsolateDestPort
SocksPort 127.0.0.1:9107 IsolateDestAddr IsolateDestPort
SocksPort 127.0.0.1:9108 IsolateDestAddr IsolateDestPort
SocksPort 127.0.0.1:9109 IsolateDestAddr IsolateDestPort
SocksPort 127.0.0.1:9110 IsolateDestAddr IsolateDestPort
SocksPort 127.0.0.1:9111
SocksPort 127.0.0.1:9112
SocksPort 127.0.0.1:9113
SocksPort 127.0.0.1:9114 IsolateDestAddr IsolateDestPort
SocksPort 127.0.0.1:9115 IsolateDestAddr IsolateDestPort
SocksPort 127.0.0.1:9116 IsolateDestAddr IsolateDestPort
SocksPort 127.0.0.1:9117 IsolateDestAddr IsolateDestPort
SocksPort 127.0.0.1:9118 IsolateDestAddr IsolateDestPort
SocksPort 127.0.0.1:9119
SocksPort 127.0.0.1:9120 IsolateDestAddr IsolateDestPort
SocksPort 127.0.0.1:9121 IsolateDestAddr IsolateDestPort
SocksPort 127.0.0.1:9122
SocksPort 127.0.0.1:9123
SocksPort 127.0.0.1:9124
SocksPort 127.0.0.1:9125
SocksPort 127.0.0.1:9150 IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth

#####################################################
## End of /usr/share/tor/tor-service-defaults-torrc #
#####################################################
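As an added example (my own code, not part of the report and not Whonix's tooling), the following Python parses SocksPort directives in the format of the torrc above and lists, per bind address, the ports on which streams to different destinations share one circuit because neither IsolateDestAddr nor IsolateDestPort is set. The torrc excerpt embedded in the block is a constructed subset of the entries above, not the full file, and the names `SocksPortEntry`, `parse_socks_ports`, `shared_circuit_ports` and `isolation_report` are mine.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the format of the Whonix torrc above; hypothetical
# sample input, not the complete file.
SAMPLE_TORRC = """\
## Web: Tor Browser
SocksPort 10.152.152.10:9100

## gpg
## Not used by too many people.
SocksPort 10.152.152.10:9105 IsolateDestAddr IsolateDestPort

## BitCoin
SocksPort 10.152.152.10:9111

## Tor Browser Bundle Default Port
SocksPort 10.152.152.10:9150 IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth

## Custom Ports #2:
## with IsolateDestAddr
SocksPort 10.152.152.10:9160 IsolateDestAddr
SocksPort 10.152.152.10:9161 IsolateDestAddr

## Gateway-local port given as a bare number
SocksPort 9050
"""

DEST_ISOLATION = {"IsolateDestAddr", "IsolateDestPort"}


@dataclass(frozen=True)
class SocksPortEntry:
    address: str
    port: int
    flags: tuple   # every token after the address:port
    label: str     # first "##" comment line above the directive, "" if none

    @property
    def isolates_destination(self) -> bool:
        # Only both flags together give one circuit per destination address+port,
        # which is the combination the torrc above uses for single-purpose ports.
        return DEST_ISOLATION <= set(self.flags)


def parse_socks_ports(torrc_text: str) -> list:
    """Return SocksPortEntry objects in file order (hypothetical helper)."""
    entries, label = [], ""
    for raw in torrc_text.splitlines():
        line = raw.strip()
        if not line:
            label = ""                      # a blank line ends the comment block
            continue
        if line.startswith("#"):
            if not label:                   # keep the block's first line as the purpose
                label = line.lstrip("#").strip()
            continue
        parts = line.split()
        if parts[0] == "SocksPort" and len(parts) >= 2:
            target = parts[1]
            if ":" in target:
                address, port = target.rsplit(":", 1)
            else:
                address, port = "127.0.0.1", target   # a bare port binds to loopback
            entries.append(SocksPortEntry(address, int(port), tuple(parts[2:]), label))
        label = ""
    return entries


def shared_circuit_ports(entries, address: str) -> list:
    """Ports bound to `address` whose streams to different destinations share a circuit."""
    return sorted(e.port for e in entries
                  if e.address == address and not e.isolates_destination)


def isolation_report(entries) -> dict:
    """Map each port to (label, 'per-destination' | 'shared') for a quick audit."""
    return {e.port: (e.label, "per-destination" if e.isolates_destination else "shared")
            for e in entries}


if __name__ == "__main__":
    entries = parse_socks_ports(SAMPLE_TORRC)
    for port, (label, mode) in isolation_report(entries).items():
        print(f"{port:5d}  {mode:15s}  {label}")
    print("shared-circuit ports on the Workstation interface:",
          shared_circuit_ports(entries, "10.152.152.10"))
```

Even without the destination flags, Tor keeps streams arriving on different SocksPorts on separate circuits, which is what the one-port-per-application scheme above relies on; the report only tells you which ports additionally split circuits per destination, so that an application multiplexing many destinations (apt, Bitcoin, browsers) is recognisable as the deliberate exception the comments describe.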


Next, the script gets the last lines of important TOR log files, for example:

$$$$ /var/log/tor/log

Jul 14 14:52:14.432 [notice] Opening Socks listener on 127.0.0.1:9150
Jul 14 14:52:14.433 [notice] Opening DNS listener on 10.152.152.10:5300
Jul 14 14:52:14.433 [notice] Opening DNS listener on 127.0.0.1:5400
Jul 14 14:52:14.433 [notice] Opening Transparent pf/netfilter listener on 10.152.152.10:9040
Jul 14 14:52:14.433 [notice] Opening Transparent pf/netfilter listener on 127.0.0.1:9041
Jul 14 14:52:14.433 [notice] Opening Control listener on 127.0.0.1:9051
Jul 14 14:52:14.433 [notice] Opening Control listener on /var/run/tor/control
Jul 14 14:52:14.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Jul 14 14:52:15.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Jul 14 14:52:16.000 [notice] Bootstrapped 0%: Starting
Jul 14 14:52:19.000 [notice] Bootstrapped 5%: Connecting to directory server
Jul 14 14:52:19.000 [notice] Bootstrapped 80%: Connecting to the Tor network
Jul 14 14:52:19.000 [notice] Signaled readiness to systemd
Jul 14 14:52:22.000 [notice] Bootstrapped 85%: Finishing handshake with first hop
Jul 14 14:52:25.000 [notice] New control connection opened from 127.0.0.1.
Jul 14 14:52:26.000 [notice] New control connection opened from 127.0.0.1.
Jul 14 14:52:26.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
Jul 14 14:52:36.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Jul 14 14:52:36.000 [notice] Bootstrapped 100%: Done
Jul 14 14:52:36.000 [notice] New control connection opened from 127.0.0.1.
Jul 14 14:52:36.000 [notice] New control connection opened from 127.0.0.1.
Jul 14 14:52:33.000 [warn] Socks version 71 not recognized. (Tor is not an http proxy.)
Jul 14 14:52:33.000 [notice] New control connection opened from 127.0.0.1.
Jul 14 14:52:33.000 [notice] New control connection opened from 127.0.0.1.
Jul 14 14:54:34.000 [warn] Socks version 71 not recognized. (Tor is not an http proxy.)
Jul 14 14:54:34.000 [notice] New control connection opened from 127.0.0.1.
Jul 14 14:54:34.000 [notice] New control connection opened from 127.0.0.1.
Jul 14 14:55:07.000 [notice] New control connection opened from 127.0.0.1.
Jul 14 15:01:05.000 [warn] Socks version 71 not recognized. (Tor is not an http proxy.)
Jul 14 15:01:05.000 [notice] New control connection opened from 127.0.0.1.
Jul 14 15:01:05.000 [notice] New control connection opened from 127.0.0.1.
Jul 14 15:01:29.000 [notice] New control connection opened from 127.0.0.1.
Jul 14 15:03:42.000 [notice] New control connection opened from 127.0.0.1.
Jul 14 15:04:38.000 [notice] New control connection opened from 127.0.0.1.
Jul 14 15:05:01.000 [notice] New control connection opened from 127.0.0.1.
Jul 14 15:05:40.000 [notice] New control connection opened from 127.0.0.1.
Jul 14 15:08:24.000 [notice] New control connection opened from 127.0.0.1.
Jul 14 15:11:57.000 [notice] New control connection opened from 127.0.0.1.
Jul 14 15:15:19.000 [notice] New control connection opened from 127.0.0.1.
Jul 14 15:17:13.000 [notice] New control connection opened from 127.0.0.1.

We can use the /var/log/tor/log file to study TOR’s behavior or for troubleshooting.
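To show the kind of troubleshooting the log supports, here is an added Python example (my own, not part of the report) that parses lines in the format of /var/log/tor/log above, extracts the bootstrap timeline and the listeners Tor opened, counts warnings, and interprets the "Socks version N not recognized" warning: byte 71 is ASCII 'G', so a client sent plain text (most likely an HTTP request) to a SocksPort it had been configured to use as an HTTP proxy. The log lines in the block are constructed from the excerpt above, with one deliberately malformed line; `TorLogSummary`, `parse_tor_log`, `explain_socks_version` and `socks_version_warnings` are my own names.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample in the format of /var/log/tor/log above (not a real capture);
# the last line is deliberately malformed to exercise the unparsed counter.
SAMPLE_LOG = """\
Jul 14 14:52:14.432 [notice] Opening Socks listener on 127.0.0.1:9150
Jul 14 14:52:14.433 [notice] Opening DNS listener on 10.152.152.10:5300
Jul 14 14:52:16.000 [notice] Bootstrapped 0%: Starting
Jul 14 14:52:19.000 [notice] Bootstrapped 5%: Connecting to directory server
Jul 14 14:52:19.000 [notice] Bootstrapped 80%: Connecting to the Tor network
Jul 14 14:52:22.000 [notice] Bootstrapped 85%: Finishing handshake with first hop
Jul 14 14:52:26.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
Jul 14 14:52:36.000 [notice] Bootstrapped 100%: Done
Jul 14 14:52:33.000 [warn] Socks version 71 not recognized. (Tor is not an http proxy.)
Jul 14 14:54:34.000 [warn] Socks version 71 not recognized. (Tor is not an http proxy.)
Jul 14 14:55:07.000 [notice] New control connection opened from 127.0.0.1.
garbage that is not a tor log line
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
                     r"\[(?P<level>\w+)\] (?P<msg>.*)$")
BOOTSTRAP_RE = re.compile(r"^Bootstrapped (?P<pct>\d+)%: (?P<phase>.*)$")
SOCKSVER_RE = re.compile(r"^Socks version (?P<ver>\d+) not recognized")


@dataclass
class TorLogSummary:
    bootstrap: list = field(default_factory=list)       # (percent, phase) in log order
    listeners: list = field(default_factory=list)       # "Socks listener on 127.0.0.1:9150", ...
    warnings: Counter = field(default_factory=Counter)  # warn/err message -> occurrences
    unparsed: int = 0                                   # lines not in Tor's log format

    @property
    def bootstrapped(self) -> bool:
        return any(pct == 100 for pct, _ in self.bootstrap)


def parse_tor_log(text: str) -> TorLogSummary:
    s = TorLogSummary()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            s.unparsed += 1
            continue
        level, msg = m.group("level"), m.group("msg")
        if level in ("warn", "err"):
            s.warnings[msg] += 1
        b = BOOTSTRAP_RE.match(msg)
        if b:
            s.bootstrap.append((int(b.group("pct")), b.group("phase")))
        elif msg.startswith("Opening ") and " listener on " in msg:
            s.listeners.append(msg[len("Opening "):])
    return s


def explain_socks_version(ver: int) -> str:
    """Interpret the first byte Tor reports in 'Socks version N not recognized'."""
    if ver in (4, 5):
        return f"SOCKS{ver} handshake"
    if 32 <= ver <= 126:
        return (f"byte {ver} is printable ASCII {chr(ver)!r}: the client sent plain text, "
                "most likely an HTTP request, so it is treating the SocksPort as an HTTP proxy")
    return f"byte {ver} is neither a SOCKS version nor printable text"


def socks_version_warnings(summary: TorLogSummary) -> dict:
    """Map each unrecognised SOCKS version byte to how often it was logged."""
    counts = Counter()
    for msg, n in summary.warnings.items():
        m = SOCKSVER_RE.match(msg)
        if m:
            counts[int(m.group("ver"))] += n
    return dict(counts)


if __name__ == "__main__":
    summary = parse_tor_log(SAMPLE_LOG)
    print("bootstrapped:", summary.bootstrapped, "phases:", len(summary.bootstrap))
    print("listeners:", summary.listeners)
    for ver, n in socks_version_warnings(summary).items():
        print(f"{n}x socks version {ver}: {explain_socks_version(ver)}")
    print("unparsed lines:", summary.unparsed)
```

On a real Gateway the repeated "Socks version 71" warnings would point at an application on the Workstation whose proxy setting names a SocksPort as an HTTP proxy; the fix is on the client side, not in the torrc.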

Other log files are also included in the report:

  • /var/log/syslog
  • /var/log/sdwdate.log
  • /var/log/control-port-filter-python.log


Next, the script tries to execute some known command-line utilities to check their availability and version. For example, arm:

$$$$ is arm available ?

Usage arm [OPTION]
Terminal status monitor for Tor relays.

  -g, --gui                       launch the Gtk+ interface
  -p, --prompt                    only start the control interpretor
  -i, --interface [ADDRESS:]PORT  change control interface from 127.0.0.1:9051
  -s, --socket SOCKET_PATH        attach using unix domain socket if present,
                                    SOCKET_PATH defaults to: /var/run/tor/control
  -c, --config CONFIG_PATH        loaded configuration options, CONFIG_PATH
                                    defaults to: /root/.arm/armrc
  -d, --debug                     writes all arm logs to /root/.arm/log
  -b, --blind                     disable connection lookups
  -e, --event EVENT_FLAGS         event types in message log  (default: N3)
        d DEBUG      a ADDRMAP           k DESCCHANGED   s STREAM
        i INFO       f AUTHDIR_NEWDESCS  g GUARD         r STREAM_BW
        n NOTICE     h BUILDTIMEOUT_SET  l NEWCONSENSUS  t STATUS_CLIENT
        w WARN       b BW                m NEWDESC       u STATUS_GENERAL
        e ERR        c CIRC              p NS            v STATUS_SERVER
                     j CLIENTS_SEEN      q ORCONN
          DINWE tor runlevel+            A All Events
          12345 arm runlevel+            X No Events
          67890 torctl runlevel+         U Unknown Events
  -v, --version                   provides version information
  -h, --help                      presents this help

Example:
arm -b -i 1643          hide connection data, attaching to control port 1643
arm -e we -c /tmp/cfg   use this configuration file with 'WARN'/'ERR' events

arm version 1.4.5.0 (released April 28, 2012)


Arm is a useful monitoring tool for TOR:

[image: ARM 1.jpg]

Other interesting tools checked by the script include:

  • tor-ctrl
    • tor-ctrl -v -c “GETINFO version”
    • command-line front-end for the TOR Control protocol
  • tor-prompt
    • tor-prompt -h
    • old (obsolete) command-line front-end for the TOR Control protocol
  • torsocks
    • used to “torify” an application
    • example
      • torify wget http://www.google.com
      • forces wget to use the TOR SOCKS proxy instead of direct TCP/IP connections
  • tor-resolve


Next, the report includes system network configuration data and relevant running services, including the local IP and the external IP as seen by the destination web server.

$$$$ is networking [service] running ?

 [ + ]  networking


$$$$ Network configuration

eth0      Link encap:Ethernet  HWaddr 08:00:27:b7:49:35  
          inet addr:10.0.2.15  Bcast:10.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4295 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3260 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:983100 (960.0 KiB)  TX bytes:1613725 (1.5 MiB)
          Interrupt:19 Base address:0xd000 

eth1      Link encap:Ethernet  HWaddr 08:00:27:b4:c2:dd  
          inet addr:10.152.152.10  Bcast:10.152.191.255  Mask:255.255.192.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:16 Base address:0xd040 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:1982 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1982 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:262618 (256.4 KiB)  TX bytes:262618 (256.4 KiB)



$$$$$$$$ iptables

Chain INPUT (policy DROP)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             ctstate INVALID
DROP       all  --  anywhere             anywhere             state INVALID
DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK
DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,SYN/FIN,SYN
DROP       tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN,RST
DROP       all  -f  anywhere             anywhere            
DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state ESTABLISHED
DROP       icmp --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere             udp dpt:5300
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9040
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9052
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9124
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9104
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9111
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9117
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9107
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9123
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9105
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bacula-sd
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bacula-dir
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9122
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9121
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9120
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9113
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9112
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9118
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9108
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9106
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9100
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9150
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9115
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9116
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bacula-fd
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9119
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9050
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9109
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9110
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9114
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9125
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 9152:9189
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere             reject-with icmp-admin-prohibited

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere             ctstate INVALID reject-with icmp-admin-prohibited
REJECT     all  --  anywhere             anywhere             state INVALID reject-with icmp-admin-prohibited
REJECT     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK reject-with icmp-admin-prohibited
REJECT     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN/FIN,SYN reject-with icmp-admin-prohibited
REJECT     tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN,RST reject-with icmp-admin-prohibited
REJECT     all  -f  anywhere             anywhere             reject-with icmp-admin-prohibited
REJECT     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG reject-with icmp-admin-prohibited
REJECT     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE reject-with icmp-admin-prohibited
ACCEPT     all  --  anywhere             anywhere             state ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             destination IP range 127.0.0.0-127.0.0.24
ACCEPT     all  --  anywhere             anywhere             destination IP range 192.168.0.0-192.168.0.24
ACCEPT     all  --  anywhere             anywhere             destination IP range 192.168.1.0-192.168.1.24
ACCEPT     all  --  anywhere             anywhere             destination IP range 10.152.152.0-10.152.152.24
ACCEPT     all  --  anywhere             anywhere             destination IP range 10.0.2.2-10.0.2.24
ACCEPT     all  --  anywhere             anywhere             owner UID match clearnet
ACCEPT     all  --  anywhere             anywhere             owner UID match tunnel
ACCEPT     all  --  anywhere             anywhere             owner UID match debian-tor
REJECT     all  --  anywhere             anywhere             reject-with icmp-admin-prohibited


$$$$$$$$ active connections IPv4

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
tcp        0      0 localhost:9119          *:*                     LISTEN      root       13791       1385/tor        
tcp        0      0 10.152.152.10:9183      *:*                     LISTEN      root       13764       1385/tor        
tcp        0      0 10.152.152.10:9119      *:*                     LISTEN      root       13725       1385/tor        
tcp        0      0 localhost:9120          *:*                     LISTEN      root       13792       1385/tor        
tcp        0      0 10.152.152.10:9184      *:*                     LISTEN      root       13765       1385/tor        
tcp        0      0 10.152.152.10:9152      *:*                     LISTEN      root       13733       1385/tor        
tcp        0      0 10.152.152.10:9120      *:*                     LISTEN      root       13726       1385/tor        
tcp        0      0 localhost:9121          *:*                     LISTEN      root       13793       1385/tor        
tcp        0      0 10.152.152.10:9185      *:*                     LISTEN      root       13766       1385/tor        
tcp        0      0 10.152.152.10:9153      *:*                     LISTEN      root       13734       1385/tor        
tcp        0      0 10.152.152.10:9121      *:*                     LISTEN      root       13727       1385/tor        
tcp        0      0 localhost:9122          *:*                     LISTEN      root       13794       1385/tor        
tcp        0      0 10.152.152.10:9186      *:*                     LISTEN      root       13767       1385/tor        
tcp        0      0 10.152.152.10:9154      *:*                     LISTEN      root       13735       1385/tor        
tcp        0      0 10.152.152.10:9122      *:*                     LISTEN      root       13728       1385/tor        
tcp        0      0 localhost:9123          *:*                     LISTEN      root       13795       1385/tor        
tcp        0      0 10.152.152.10:9187      *:*                     LISTEN      root       13768       1385/tor        
tcp        0      0 10.152.152.10:9155      *:*                     LISTEN      root       13736       1385/tor        
tcp        0      0 10.152.152.10:9123      *:*                     LISTEN      root       13729       1385/tor        
tcp        0      0 localhost:9124          *:*                     LISTEN      root       13796       1385/tor        
tcp        0      0 10.152.152.10:9188      *:*                     LISTEN      root       13769       1385/tor        
tcp        0      0 10.152.152.10:9156      *:*                     LISTEN      root       13737       1385/tor        
tcp        0      0 10.152.152.10:9124      *:*                     LISTEN      root       13730       1385/tor        
tcp        0      0 localhost:9125          *:*                     LISTEN      root       13797       1385/tor        
tcp        0      0 10.152.152.10:9189      *:*                     LISTEN      root       13770       1385/tor        
tcp        0      0 10.152.152.10:9157      *:*                     LISTEN      root       13738       1385/tor        
tcp        0      0 10.152.152.10:9125      *:*                     LISTEN      root       13731       1385/tor        
tcp        0      0 localhost:4101          *:*                     LISTEN      root       8842        169/brltty      
tcp        0      0 10.152.152.10:9158      *:*                     LISTEN      root       13739       1385/tor        
tcp        0      0 10.152.152.10:9159      *:*                     LISTEN      root       13740       1385/tor        
tcp        0      0 10.152.152.10:9160      *:*                     LISTEN      root       13741       1385/tor        
tcp        0      0 10.152.152.10:9161      *:*                     LISTEN      root       13742       1385/tor        
tcp        0      0 10.152.152.10:9162      *:*                     LISTEN      root       13743       1385/tor        
tcp        0      0 *:netbios-ssn           *:*                     LISTEN      root       14486       1622/smbd       
tcp        0      0 10.152.152.10:9163      *:*                     LISTEN      root       13744       1385/tor        
tcp        0      0 localhost:9100          *:*                     LISTEN      root       13772       1385/tor        
tcp        0      0 10.152.152.10:9164      *:*                     LISTEN      root       13745       1385/tor        
tcp        0      0 10.152.152.10:9100      *:*                     LISTEN      root       13706       1385/tor        
tcp        0      0 localhost:bacula-dir    *:*                     LISTEN      root       13773       1385/tor        
tcp        0      0 10.152.152.10:9165      *:*                     LISTEN      root       13746       1385/tor        
tcp        0      0 10.152.152.1:bacula-dir *:*                     LISTEN      root       13707       1385/tor        
tcp        0      0 localhost:bacula-fd     *:*                     LISTEN      root       13774       1385/tor        
tcp        0      0 10.152.152.10:9166      *:*                     LISTEN      root       13747       1385/tor        
tcp        0      0 10.152.152.10:bacula-fd *:*                     LISTEN      root       13708       1385/tor        
tcp        0      0 localhost:bacula-sd     *:*                     LISTEN      root       13775       1385/tor        
tcp        0      0 10.152.152.10:9167      *:*                     LISTEN      root       13748       1385/tor        
tcp        0      0 10.152.152.10:bacula-sd *:*                     LISTEN      root       13709       1385/tor        
tcp        0      0 10.152.152.10:9040      *:*                     LISTEN      root       13801       1385/tor        
tcp        0      0 localhost:9104          *:*                     LISTEN      root       13776       1385/tor        
tcp        0      0 10.152.152.10:9168      *:*                     LISTEN      root       13749       1385/tor        
tcp        0      0 10.152.152.10:9104      *:*                     LISTEN      root       13710       1385/tor        
tcp        0      0 localhost:9041          *:*                     LISTEN      root       13802       1385/tor        
tcp        0      0 localhost:9105          *:*                     LISTEN      root       13777       1385/tor        
tcp        0      0 10.152.152.10:9169      *:*                     LISTEN      root       13750       1385/tor        
tcp        0      0 10.152.152.10:9105      *:*                     LISTEN      root       13711       1385/tor        
tcp        0      0 localhost:9106          *:*                     LISTEN      root       13778       1385/tor        
tcp        0      0 10.152.152.10:9170      *:*                     LISTEN      root       13751       1385/tor        
tcp        0      0 10.152.152.10:9106      *:*                     LISTEN      root       13712       1385/tor        
tcp        0      0 localhost:9107          *:*                     LISTEN      root       13779       1385/tor        
tcp        0      0 10.152.152.10:9171      *:*                     LISTEN      root       13752       1385/tor        
tcp        0      0 10.152.152.10:9107      *:*                     LISTEN      root       13713       1385/tor        
tcp        0      0 localhost:9108          *:*                     LISTEN      root       13780       1385/tor        
tcp        0      0 10.152.152.10:9172      *:*                     LISTEN      root       13753       1385/tor        
tcp        0      0 10.152.152.10:9108      *:*                     LISTEN      root       13714       1385/tor        
tcp        0      0 localhost:9109          *:*                     LISTEN      root       13781       1385/tor        
tcp        0      0 10.152.152.10:9173      *:*                     LISTEN      root       13754       1385/tor        
tcp        0      0 10.152.152.10:9109      *:*                     LISTEN      root       13715       1385/tor        
tcp        0      0 localhost:9110          *:*                     LISTEN      root       13782       1385/tor        
tcp        0      0 10.152.152.10:9174      *:*                     LISTEN      root       13755       1385/tor        
tcp        0      0 10.152.152.10:9110      *:*                     LISTEN      root       13716       1385/tor        
tcp        0      0 localhost:9111          *:*                     LISTEN      root       13783       1385/tor        
tcp        0      0 10.152.152.10:9175      *:*                     LISTEN      root       13756       1385/tor        
tcp        0      0 10.152.152.10:9111      *:*                     LISTEN      root       13717       1385/tor        
tcp        0      0 localhost:9112          *:*                     LISTEN      root       13784       1385/tor        
tcp        0      0 10.152.152.10:9176      *:*                     LISTEN      root       13757       1385/tor        
tcp        0      0 10.152.152.10:9112      *:*                     LISTEN      root       13718       1385/tor        
tcp        0      0 localhost:9113          *:*                     LISTEN      root       13785       1385/tor        
tcp        0      0 10.152.152.10:9177      *:*                     LISTEN      root       13758       1385/tor        
tcp        0      0 10.152.152.10:9113      *:*                     LISTEN      root       13719       1385/tor        
tcp        0      0 localhost:9114          *:*                     LISTEN      root       13786       1385/tor        
tcp        0      0 localhost:9050          *:*                     LISTEN      root       13771       1385/tor        
tcp        0      0 10.152.152.10:9178      *:*                     LISTEN      root       13759       1385/tor        
tcp        0      0 10.152.152.10:9114      *:*                     LISTEN      root       13720       1385/tor        
tcp        0      0 10.152.152.10:9050      *:*                     LISTEN      root       13705       1385/tor        
tcp        0      0 localhost:9051          *:*                     LISTEN      root       13803       1385/tor        
tcp        0      0 localhost:9115          *:*                     LISTEN      root       13787       1385/tor        
tcp        0      0 10.152.152.10:9179      *:*                     LISTEN      root       13760       1385/tor        
tcp        0      0 10.152.152.10:9115      *:*                     LISTEN      root       13721       1385/tor        
tcp        0      0 10.152.152.10:9052      *:*                     LISTEN      debian-tor 14241       1407/python     
tcp        0      0 localhost:9116          *:*                     LISTEN      root       13788       1385/tor        
tcp        0      0 10.152.152.10:9180      *:*                     LISTEN      root       13761       1385/tor        
tcp        0      0 10.152.152.10:9116      *:*                     LISTEN      root       13722       1385/tor        
tcp        0      0 *:microsoft-ds          *:*                     LISTEN      root       14485       1622/smbd       
tcp        0      0 localhost:9117          *:*                     LISTEN      root       13789       1385/tor        
tcp        0      0 10.152.152.10:9181      *:*                     LISTEN      root       13762       1385/tor        
tcp        0      0 10.152.152.10:9117      *:*                     LISTEN      root       13723       1385/tor        
tcp        0      0 localhost:9150          *:*                     LISTEN      root       13798       1385/tor        
tcp        0      0 localhost:9118          *:*                     LISTEN      root       13790       1385/tor        
tcp        0      0 10.152.152.10:9182      *:*                     LISTEN      root       13763       1385/tor        
tcp        0      0 10.152.152.10:9150      *:*                     LISTEN      root       13732       1385/tor        
tcp        0      0 10.152.152.10:9118      *:*                     LISTEN      root       13724       1385/tor        
tcp        0      0 10.0.2.15:36871         10.0.2.2:microsoft-ds   ESTABLISHED root       17549       -               
tcp        0      0 localhost:9051          localhost:50813         TIME_WAIT   root       0           -               
tcp        0      0 10.0.2.15:50687         139.162.130.190:https   ESTABLISHED debian-tor 14206       1385/tor        
udp        0      0 localhost:5400          *:*                                 root       13800       1385/tor        
udp        0      0 *:bootpc                *:*                                 root       11337       956/dhclient    
udp        0      0 *:22123                 *:*                                 root       11313       956/dhclient    
udp        0      0 10.0.2.255:netbios-ns   *:*                                 root       14321       1578/nmbd       
udp        0      0 10.0.2.15:netbios-ns    *:*                                 root       14320       1578/nmbd       
udp        0      0 10.152.191.2:netbios-ns *:*                                 root       14317       1578/nmbd       
udp        0      0 10.152.152.1:netbios-ns *:*                                 root       14316       1578/nmbd       
udp        0      0 *:netbios-ns            *:*                                 root       14313       1578/nmbd       
udp        0      0 10.0.2.255:netbios-dgm  *:*                                 root       14323       1578/nmbd       
udp        0      0 10.0.2.15:netbios-dgm   *:*                                 root       14322       1578/nmbd       
udp        0      0 10.152.191.:netbios-dgm *:*                                 root       14319       1578/nmbd       
udp        0      0 10.152.152.:netbios-dgm *:*                                 root       14318       1578/nmbd       
udp        0      0 *:netbios-dgm           *:*                                 root       14314       1578/nmbd       
udp        0      0 10.152.152.10:5300      *:*                                 root       13799       1385/tor        


$$$$$$$$ My Exit Relay IP

IP=93.115.95.204

93.115.95.204 lh28409.voxility.net



$$$$$$$$ uname

Linux host 3.16.0-4-686-pae #1 SMP Debian 3.16.7-ckt25-1 (2016-03-06) i686 GNU/Linux


$$$$$$$$ hostname

host


$$$$$$$$ dnsdomainname

localdomain


$$$$ (Ending at Thu Jul 14 15:25:56 UTC 2016)


As you can see, this report gives us a lot of useful information for understanding Tor's local behavior, correlating the Tor configuration with the ports that are actually open and connected.
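The correlation the report is meant to support can be automated. The script below is an added example, not part of the original report script: it parses `netstat -tulpen`-style lines like the ones above, groups listening sockets by the owning program, and flags listeners that are bound to something other than loopback (an internal address such as the gateway's 10.152.152.10, or the `*` wildcard), which is the first thing to check when deciding whether a Tor SocksPort or ControlPort is reachable from other hosts. The sample input is a handful of lines taken from the report above; the function names and the `LOOPBACK_HOSTS` set are this example's own.

```python
"""Parse netstat -tulpen style output and correlate listening sockets with the
programs that own them, flagging listeners reachable beyond loopback.
Added example; the helper names below are not from the original report script."""

from collections import defaultdict

# Addresses we consider local-only; anything else (a LAN/internal IP or '*')
# is reachable from other hosts on that interface.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1", "[::1]"}

# A few lines copied from the report above, in the same netstat layout
# (proto, recv-q, send-q, local, foreign, [state], user, inode, pid/program).
SAMPLE_NETSTAT = """\
tcp        0      0 10.152.152.10:9050      *:*                     LISTEN      root       13705       1385/tor
tcp        0      0 localhost:9051          *:*                     LISTEN      root       13803       1385/tor
tcp        0      0 10.152.152.10:9052      *:*                     LISTEN      debian-tor 14241       1407/python
tcp        0      0 *:microsoft-ds          *:*                     LISTEN      root       14485       1622/smbd
tcp        0      0 localhost:9051          localhost:50813         TIME_WAIT   root       0           -
tcp        0      0 10.0.2.15:50687         139.162.130.190:https   ESTABLISHED debian-tor 14206       1385/tor
udp        0      0 localhost:5400          *:*                                 root       13800       1385/tor
udp        0      0 *:netbios-ns            *:*                                 root       14313       1578/nmbd
"""


def _split_endpoint(endpoint):
    """Split 'host:port' into (host, port). Using the last ':' handles
    'localhost:9050', '*:microsoft-ds' and bracketed IPv6 like '[::1]:9050'."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text):
    """Return one dict per socket line; headers and blank lines are skipped.
    UDP lines carry no State column, so they split into 8 fields, not 9."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        proto, local, foreign = fields[0], fields[3], fields[4]
        if len(fields) == 9:
            state, user, inode, pidprog = fields[5:9]
        elif len(fields) == 8:
            state = ""
            user, inode, pidprog = fields[5:8]
        else:
            continue  # unexpected layout: skip rather than guess
        # '1385/tor' -> pid 1385, program 'tor'; '-' means the owner is unknown
        pid, _, program = pidprog.partition("/")
        local_host, local_port = _split_endpoint(local)
        records.append({
            "proto": proto,
            "local_host": local_host,
            "local_port": local_port,
            "foreign": foreign,
            "state": state,
            "user": user,
            "inode": inode,
            "pid": int(pid) if pid.isdigit() else None,
            "program": program or None,
        })
    return records


def is_listener(rec):
    """TCP sockets in LISTEN; bound UDP sockets (no state printed, foreign '*:*')."""
    if rec["proto"].startswith("tcp"):
        return rec["state"] == "LISTEN"
    return rec["foreign"] == "*:*"


def listeners_by_program(records):
    """Map each owning program to the sorted list of 'proto host:port' it listens on."""
    grouped = defaultdict(set)
    for rec in records:
        if is_listener(rec):
            name = rec["program"] or "unknown"
            grouped[name].add(f"{rec['proto']} {rec['local_host']}:{rec['local_port']}")
    return {prog: sorted(socks) for prog, socks in grouped.items()}


def exposed_listeners(records, program=None):
    """Listeners not bound to loopback, i.e. ports other hosts on that interface
    could reach. Optionally restrict to one program, e.g. 'tor'."""
    out = []
    for rec in records:
        if not is_listener(rec):
            continue
        if program and rec["program"] != program:
            continue
        if rec["local_host"] not in LOOPBACK_HOSTS:
            out.append((rec["proto"], rec["local_host"], rec["local_port"], rec["program"]))
    return sorted(out)


if __name__ == "__main__":
    recs = parse_netstat(SAMPLE_NETSTAT)
    for prog, socks in sorted(listeners_by_program(recs).items()):
        print(f"{prog:8s} {socks}")
    for proto, host, port, prog in exposed_listeners(recs):
        print(f"exposed: {proto} {host}:{port} ({prog})")
```

Feed it the whole netstat section of a report (`parse_netstat(open("report.txt").read())`) and compare `exposed_listeners(recs, program="tor")` against the `SocksPort`/`ControlPort`/`TransPort` lines in the torrc: on a gateway every exposed Tor port should be one you deliberately bound to the internal interface, and anything else listed (here `smbd` and `nmbd` on `*`) is worth a second look.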

Feel free to use it!


References