This tutorial will show you how to set up TOR as a daemon and host hidden services. Hidden services are only available on the TOR darknet and allow you to host services without revealing your IP. Tor hidden services can be accessed via a special .onion domain. Although it hides your IP address, Tor isn't completely untracable. If using Tor for illegal activity, you CAN and WILL get tracked down and held accountable.

Table of contents

  1. Introduction to Tor
  2. Setting up and testing Tor
  3. Setting up a Hidden Service
  4. Redirect user traffic through Tor
  5. Conclusion

Introduction to TOR

Tor is a tool used to enhance privacy on the internet. Tor is based on onion routing. When using Tor for web browsing, your traffic passes through the Tor network terminating at an exit node. An exit node functions as a conventional web proxy. To others on the internet, your apparent origin is the IP address of the exit node. The addresses of these exit nodes are public knowledge, so many sites will notice that you're browsing from Tor and possibly restrict access. This can be solved using a Tor bridge but that's outside of the scope of this tutorial

How hidden services work

Tor hidden services are simply servers hosted by Tor users. When connecting to a hidden service, your traffic passes through onion routers that 'peel' off a layer of encryption revealing the next hop. This obfuscates the true source of the client, and the true destination of the server.Hidden services allow services on your machine to be made available to other Tor users through a special proxy. Your hidden service has a unique identity based on your public key identified by a unique .onion domain When clients connect to your hidden service over tor, they appear to your server application to be originating from 127.0.0.1

Setting up Tor and Trying It Out

The installation begins with clean install of Debian 9.First, I need to add the Tor repositories and GPG keys. This is done by following the instructions here. In my case, I used the following commands (as root)

$ echo deb 'http://deb.torproject.org/torproject.org jessie main' >>/etc/apt/sources.list;
$ gpg --keyserver keys.gnupg.net --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89;
$ gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -;
$ apt-get update; apt-get install -y tor torsocks deb.torproject.org-keyring;

Following installation, place the following in /etc/tor/torrc

SocksPort 9050
DNSPort 9053
TransPort 9040
AutomapHostsOnResolve 1

To demonstrate TOR connectivity, curl will be used with a SOCKS5 proxy to connect to the TORcheck site. A message should appear saying "Congratulations. This browser is configured to use Tor"

$ grep -m1 Congratulations < <( curl -s https://check.torproject.org --socks5 127.0.0.1:9050) 

Next, let's test DNS

$ dig propub3r6espa33w.onion @127.0.0.1 -p 9053 +short
127.236.146.171

Setting Up a Hidden Service

We have an instance of Nginx listening on 127.0.0.2:8080, we will publish it as a hidden service on port 80.

First, we create a directory in /var/lib/tor for the hidden service.
In our case /var/lib/nginx.

HiddenServiceDir /var/lib/tor/nginx
HiddenServicePort 80 127.0.0.2:8080

$ curl -s --socks5 127.0.0.1:9050 $(cat /var/lib/tor/nginx/hostname) --head
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 01 Feb 2018 14:39:44 GMT
Content-Type: text/html
Content-Length: 1636
Last-Modified: Thu, 01 Feb 2018 14:34:02 GMT
Connection: keep-alive
ETag: "5a73255a-664"
Accept-Ranges: bytes

Websites running as TOR hidden services can also be accessed over the clearnet via the TOR2Web proxy. Simply substitute .onion with tor2web.io and connect via HTTPS. Warning: This does not provide anonymity for the client.

Redirect all traffic to TOR

Let's look at how to transparently redirect all traffic through TOR on a per-user basis. We create the user tor-test which we will use to test this.

We need two iptables rules. The first redirects any of the users DNS (udp/53) queries to localhost:5353. The second iptables redirects any of the user's outbound tcp traffic that isn't destined to localhost into the TOR transport (localhost:9040)

We can test these are working by comparing the output of running curl https:// check.torproject.org as the user root or tor-test

×
-
+
Force User's Traffic thru TOR

iptables -t nat -A OUTPUT -p udp --dport 53
-m owner --uid-owner test -j REDIRECT --to-ports 5353;
iptables -t nat -A OUTPUT ! --dst 127.0.0.0/8 -p tcp
-m owner --uid-owner test -m tcp --syn -j REDIRECT --to-ports 9040;


root@box:~# curl -s https://check.torproject.org | grep -m1 "Tor."
Sorry. You are not using Tor.

test@box:~$ curl -s https://check.torproject.org | grep -m1 "Tor."
Congratulations. This browser is configured to use Tor


Conclusion

In this tutorial we covered how to the following with the TOR client

  • Access TOR via SOCKS5 Proxy
  • Using the TOR DNS Resolver
  • Host our very first TOR hidden service
  • Transparently Proxy All TCP connections through TOR for a particular user

Hope this was helpful and thank you for reading.