Stephen Reese

This entry continues a series of posts on identifying Tor network traffic and usage. It demonstrates how to parse YaF records, exported through the file mediator, with a Python script in order to determine whether the SSL certificate values match the pattern Tor certificates use. It is assumed you have downloaded, compiled and installed YaF, the mediator, and libfixbuf; see the prior posts on this topic or the respective documentation for installation help if needed.

We first generate the YaF records from the PCAP we acquired. You can grab the example PCAP from cloudshark.

$ yaf --in tor.pcap --out tor.yaf

Next, use the mediator to write the YaF output to disk in a text format we can parse. Alternatively, we could output to MySQL instead of flat text files.

$ yaf_file_mediator-1.1.0/yaf_file_mediator --input tor.yaf --output tor.txt
**** Total flow count is 29 ****
**** Stats Total Count is 1 ****

Using Python, we can parse the records for patterns that match Tor SSL certificates.

#!/usr/bin/python
# Parse yaf_file_mediator text output and report flows whose SSL certificate
# Issuer/Subject follow the Tor pattern: a random "www.<random>.com" issuer
# paired with a random "www.<random>.net" subject in the same record.

import re
import sys

filename = sys.argv[1]
sourceIP = 'Source IP:'
destIP = 'Destination IP:'
issuerID = 'Issuer ID:'
subjectID = 'Subject ID:'

# Dots are escaped so "." cannot match an arbitrary character.
issuerPattern = re.compile(r'www\.\w+\.com')
subjectPattern = re.compile(r'www\.\w+\.net')

with open(filename, 'r') as myfile:
    sourceIPline = destIPline = None
    issuerDomain = subjectDomain = None
    for line in myfile:
        line = line.strip()
        if line.startswith(sourceIP):
            # A new flow record starts here; forget the previous record's values
            # so a stale issuer cannot be paired with this record's subject.
            sourceIPline = line
            destIPline = issuerDomain = subjectDomain = None
        elif line.startswith(destIP):
            destIPline = line
        elif line.startswith(issuerID):
            issuerDomain = issuerPattern.search(line)
        elif line.startswith(subjectID):
            subjectDomain = subjectPattern.search(line)
        # Report once both certificate fields of the current record match,
        # whichever order the Issuer and Subject lines appear in.
        if issuerDomain and subjectDomain:
            print(sourceIPline)
            print(destIPline)
            print(issuerDomain.group())
            print(subjectDomain.group())
            print('')
            issuerDomain = subjectDomain = None

The following is example output from the PCAP linked earlier in this post. The regular expressions ignore other SSL certificates because certificates issued by real CAs do not show the pattern Tor uses: a random "www.<random>.com" Issuer paired with a random "www.<random>.net" Subject. That said, any self-signed certificate that happens to use the same naming convention would also be reported, so false positives are possible and a match should be treated as an indicator to confirm rather than proof.

$ tor-ssl-parser.py tor.txt
Source IP: 10.0.0.126
Destination IP: 198.27.97.223
www.axslhtfqq.com
www.hkkch64skp7am.net

Source IP: 10.0.0.126
Destination IP: 96.127.153.58
www.rtqtkopfct767ai.com
www.facp2b2y5wjffbo5ioy.net

Source IP: 10.0.0.126
Destination IP: 192.151.147.5
www.5m6ywj2w7zs.com
www.iolbr3jbfs.net

Source IP: 10.0.0.126
Destination IP: 66.18.12.197
www.igdpzct5tauwgyqs.com
www.4tdznzbrfuv.net

Source IP: 10.0.0.126
Destination IP: 64.62.249.222
www.3pzqe4en5.com
www.glk3fwiz6.net

Source IP: 10.0.0.126
Destination IP: 212.83.158.173
www.lvv4l6sx3qafei2s5u.com
www.vznlngjz7a2fpg.net

Source IP: 10.0.0.126
Destination IP: 212.83.155.250
www.mbrdx4tz2ob5wlvazlr.com
www.shxl35n3zt.net

Source IP: 10.0.0.126
Destination IP: 212.83.140.45
www.3pxivyds.com
www.nolspqtib3ix.net

Source IP: 10.0.0.126
Destination IP: 212.83.158.50
www.s426lumoi7.com
www.ouzbot23a6lw3vvmszx.net

Source IP: 10.0.0.126
Destination IP: 212.83.158.40
www.3eexfeaw.com
www.iedhzej4tie4egm.net

Source IP: 10.0.0.126
Destination IP: 212.83.158.5
www.2fwld67ac2.com
www.6suxdq3miwwewq4.net

Source IP: 10.0.0.126
Destination IP: 31.7.186.228
www.5orbut4ufhohm5rlj47.com
www.orutxjqwf.net

Source IP: 10.0.0.126
Destination IP: 216.66.85.146
www.6pp7bfbdywvcaicqmfq.com
www.g6oa3qdobmdgl5tprm.net

Source IP: 10.0.0.126
Destination IP: 178.254.35.132
www.hbwpqbx4zimtptui.com
www.77wneeix55t.net

Source IP: 10.0.0.126
Destination IP: 188.40.98.96
www.ozsx22b4nda.com
www.lr7s5k3n6ber.net

Source IP: 10.0.0.126
Destination IP: 80.100.45.156
www.npmxal2ohuefme26yf.com
www.c7kriuquvh.net

Source IP: 10.0.0.126
Destination IP: 91.143.91.174
www.zcgg5yiwzajal4.com
www.55a4kx5jrqxezvk.net

Source IP: 10.0.0.126
Destination IP: 85.17.122.80
www.plgx26wgyroot37x3ysj.com
www.xwx5gpj5t2msq3.net

Source IP: 10.0.0.126
Destination IP: 88.159.20.120
www.s5rc22gpzrwt4e.com
www.qzsg2ioaoplbs2gaha5.net

Source IP: 10.0.0.126
Destination IP: 37.59.150.178
www.vywbff5wkza6npkd5l.com
www.ugdrrog5ro5wdfddj.net

Source IP: 10.0.0.126
Destination IP: 91.219.237.229
www.twngp3xrqgo4p.com
www.znskvp5k5pns22y2.net

Source IP: 10.0.0.126
Destination IP: 95.211.225.167
www.75ba5lymxpbhw3a2kb.com
www.rnspic4yus5crf6w.net

Source IP: 10.0.0.126
Destination IP: 82.96.35.7
www.spx5a4e5eyhkdtpt2xj.com
www.6phyovjhggkfm.net

Source IP: 10.0.0.126
Destination IP: 83.140.59.2
www.o5qzqtbs.com
www.bnymkm3nk7jtz3.net

Source IP: 10.0.0.126
Destination IP: 82.96.35.8
www.7wdf4rkj5mew.com
www.sd5mkmsmo.net

Source IP: 10.0.0.126
Destination IP: 93.180.156.45
www.rxy4jiw4wk.com
www.g66mipkcyhjwumywk4h.net

Source IP: 10.0.0.126
Destination IP: 81.218.109.195
www.gempmzrnwnk.com
www.6lrz7wtwprz.net

Source IP: 10.0.0.126
Destination IP: 31.172.30.4
www.4jvdpoo5wcklhd3usu.com
www.f4uxyorx2h.net

Source IP: 10.0.0.126
Destination IP: 50.7.194.122
www.pxznjv3t75.com
www.wuqq77l634eogfm.net
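As an added example (not the script from this post), the following tightens the match to the hostname shape visible in the output above: lowercase base32 characters (a-z and 2-7), consistent with Tor's random hostname generation, with a `.com` Issuer paired with a `.net` Subject in the same flow record. The record layout (`Source IP:`, `Destination IP:`, `Issuer ID:`, `Subject ID:` lines per flow) is assumed from the mediator output shown above, the sample records and addresses are constructed, and the 8-20 character length bound is an assumption inferred from the output on this page rather than taken from Tor's source. The loose patterns from the script above are kept for comparison so the difference on a decoy record is visible.

```python
#!/usr/bin/env python3
"""Stricter Tor certificate check over yaf_file_mediator text output.

Added example, not the original post's script. Assumes the per-flow record
layout shown on this page: "Source IP:", "Destination IP:", "Issuer ID:" and
"Subject ID:" lines, with a blank line between records.
"""
import re
import sys

# Loose patterns as used in the post's script: an unescaped "." matches any
# character and \w accepts any letter, digit or underscore.
LOOSE_ISSUER = re.compile(r'www.\w+.com')
LOOSE_SUBJECT = re.compile(r'www.\w+.net')

# Stricter patterns: Tor's generated hostnames are lowercase base32 (a-z, 2-7).
# The 8-20 character length bound is an assumption inferred from the sample
# output on this page.
TOR_ISSUER = re.compile(r'\bwww\.[a-z2-7]{8,20}\.com\b')
TOR_SUBJECT = re.compile(r'\bwww\.[a-z2-7]{8,20}\.net\b')

# Constructed sample in the mediator's text layout (documentation-range
# addresses). Record 3 is a decoy: it has the www.<x>.com / www.<x>.net shape
# but uses characters outside base32, so only the loose patterns flag it.
SAMPLE = """\
Source IP: 10.0.0.126
Destination IP: 203.0.113.10
Issuer ID: www.axslhtfqq.com
Subject ID: www.hkkch64skp7am.net

Source IP: 10.0.0.126
Destination IP: 198.51.100.20
Issuer ID: DigiCert SHA2 Secure Server CA
Subject ID: www.example.org

Source IP: 10.0.0.126
Destination IP: 203.0.113.30
Issuer ID: www.shop2019.com
Subject ID: www.shop2019.net

Source IP: 10.0.0.126
Destination IP: 192.0.2.9
Issuer ID: www.5m6ywj2w7zs.com
Subject ID: www.iolbr3jbfs.net
"""


def parse_records(text):
    """Yield one dict per flow record, keyed by the field label.

    A new record starts at each "Source IP:" line, so fields from one flow
    can never be paired with fields from the next.
    """
    rec = {}
    for raw in text.splitlines():
        label, sep, value = raw.strip().partition(':')
        if not sep:
            continue  # blank or unlabelled line
        if label == 'Source IP' and rec:
            yield rec
            rec = {}
        rec[label] = value.strip()
    if rec:
        yield rec


def find_flows(text, issuer_re, subject_re):
    """Return (src, dst, issuer, subject) for records where both fields match."""
    hits = []
    for rec in parse_records(text):
        issuer = issuer_re.search(rec.get('Issuer ID', ''))
        subject = subject_re.search(rec.get('Subject ID', ''))
        if issuer and subject:
            hits.append((rec.get('Source IP'), rec.get('Destination IP'),
                         issuer.group(), subject.group()))
    return hits


def find_tor_flows(text):
    """Apply the strict Tor patterns."""
    return find_flows(text, TOR_ISSUER, TOR_SUBJECT)


if __name__ == '__main__':
    # Usage: tor-ssl-parser-strict.py tor.txt (defaults to the built-in sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for src, dst, issuer, subject in find_tor_flows(text):
        print('Source IP: %s\nDestination IP: %s\n%s\n%s\n'
              % (src, dst, issuer, subject))
```

Run against the constructed sample, the strict patterns report records 1 and 4 while the loose patterns also report the `www.shop2019.com` / `www.shop2019.net` decoy; the same record-at-a-time parsing keeps the check order-independent, since a Subject line that precedes its Issuer line is still matched against the correct record.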

Please leave a comment if you have any questions.

