Silk Road forums

Discussion => Security => Topic started by: LexusMiles on September 10, 2011, 11:34 am

Title: How-To: Hardened Tor (like VPN)
Post by: LexusMiles on September 10, 2011, 11:34 am
Target Audience:

Windows XP, Vista, 7 users. You want to run all your apps through Tor without configuring a proxy for each one. Some apps don't have a 'proxy' option, but you want to put them through Tor too. You don't trust all your apps not to leak your IP outside of the proxy. You suspect that your IP may leak via a script, or an unpatched bug in any app (Firefox and Thunderbird especially). You want your (selected) apps to all route through Tor, just like a VPN. -- This guide is for you.

Requirements:

Sandboxie [ www.sandboxie.com/index.php?DownloadSandboxie ]
Proxifier - standard edition [ http://www.proxifier.com/download.htm ]
Tor Vidalia Bundle [ www.torproject.org/download/download.html.en ]
All your other apps (Firefox, Opera, Thunderbird, any app that can connect to internet)

Method (installation):

(i) Install Tor
(ii) Install Sandboxie. I recommend getting the paid version. The free version is fine for this though. A quick note: it's fast, non-bloatware with no ads and no bugs. 2MB in size.
(iii) Create a new Sandbox and name it Proxify
(iv) Install Proxifier Standard Edition into the Sandbox
(v) Set up Proxifier to route all apps via 9050 (or whatever is your Tor proxy port)
(vi) This is the final step: Run any program you like in the 'proxify' sandbox. Every app you run in the sandbox will now go through Tor.
(vii) Oh, one more step.. create a link on your desktop to the Sandboxed Proxifier.


Method (regular use):

For example, after you start your PC in the morning, first use of the day:
(i) Execute Vidalia
(ii) Execute Proxifier
(iii) Execute any and as many apps Sandboxed as you like. It's as simple as "Right click any icon"-->"Run Sandboxed".

So this means, no more going to the proxy options for any app. If you want an app to use Tor, just simply run it via the 'proxify' sandbox. You can have as many running at once as you like.

Now, "why sandbox?" I hear you say. Two reasons:

(i) Proxifier is a 31 day trial. Delete the sandbox after 31 days and create it again. Voilà! 31 more days of Proxifier.
(ii) We don't want *all* the apps on our system to be proxified. So this way, only apps executed in the sandbox are Torified.

Why do any of this? As earlier stated -- NO DNS leaks, and NO IP leaks will occur with this method. All apps are tightly sealed within the Tor/Sandbox realm (even YouTube and Flash/scripts). I think above all, this is the far-reaching and true reason. Locked tight ship, with no leaks or gaps.

Title: Re: How-To: Hardened Tor (like VPN)
Post by: trainwrecker on September 10, 2011, 02:28 pm
it takes a few more steps,
like configuring Proxifier to actually use DNS over proxy
( by default it does NOT ).
-
I like the idea but I prefer a "real virtual machine",
it is a bit more though to set up the whole VM thingy..
-
you should be able to find a key for Proxifier on the interwebs
within a few secs, if not you're doing it wrong  ::) ::)
think I posted one on the forum already in one of my previous posts.

tw

Title: Re: How-To: Hardened Tor (like VPN)
Post by: miserableprick on September 10, 2011, 06:28 pm
Tails Live-Linux CD FTW :)

Title: Re: How-To: Hardened Tor (like VPN)
Post by: LexusMiles on September 10, 2011, 09:29 pm
i prefer a "real virtual machine"

Kinda a good starting point -- but a VM alone provides no significant convenience or security. You're still counting on individual apps to follow their own proxy rules, which I think if you investigate, you can find they don't. Often apps will send HTTP connections directly via your regular ISP internet IP, bypassing the proxy. Firefox and Thunderbird are 2 examples of this. The solution I described stops the possibility of this. Also, a VM is a resource heavy solution. Booting up a VM, and for all the effort in setting it up, it would have been possible to set up a full TrueCrypted OS.

[edit] Ok I get you after reading it again. You mean to simply do away with the Sandbox and instead, use Proxifier inside of a VM. Yes this is possibly the best solution available. It's got the slight drawback of startup time + heavy mem usage, but for most PCs these days, those problems are insignificant. Especially if you put XP as the VM. I'd say two thumbs up to this solution.


Tails Live-Linux CD FTW :)

Yes this is a nice solution if you are a Linux fan -- and who isn't a fan -- but it comes with its own inherent flaws too. A better adaptation of Tails is to install it on the HDD in a TrueCrypt container + VM. Now that's a tight solution, and avoids all the caveats of the live CD (slow, non-persistent).

The more methods we can share the better. Each has its own strengths and weaknesses. Critiques/ideas/solutions are most welcome.

Title: Re: How-To: Hardened Tor (like VPN)
Post by: trainwrecker on September 11, 2011, 11:39 am
@ The more methods we can share the better. Each has its own strengths and weaknesses. Critiques/ideas/solutions are most welcome.

Indeed correct sir,
everyone likes stuff a bit different,
the more options there are to choose from the better.

pulled my quick guide from my other post, i think reposting it in here does make sense..

Run everything over TOR via VM :

1) Set up a Virtual Machine
2) set it to have an exclusive network with the host machine <- important shit, no bridging networks
3) configure polipo.conf ( in the Vidalia install folder somewhere ) to accept the VM's IP
(allowedClients parameter)
4) install Firefox on the VM and set "your host machine" as proxy to test if the config of polipo is working
5) install something like SocksCap or Proxifier that tunnels ALL your traffic through a socks4/5 proxy on the VM
( Proxifier is not freeware but keys can be found on the web *cough BYZNF-Y3ZLZ-LQBYQ-QE8EY-LPM5Q)
configure Proxifier with your host IP as proxy
6) install whatever you want on the VM and it will be tunneled through Tor.

if done correctly, this way DNS can not be leaked,
without Proxifier all applications on the VM can run through Tor
if they support proxies. if not it simply won't get a DNS/connection.

with Proxifier running everything will be tunneled through Tor.
Which ofc also means it is possible to install the Vidalia
bundle on the VM and have Tor connect to the Tor network through Tor  :o 8).
this is a quite nice approach to run hidden services quite securely.

This method comes with some work to set up but is definitely worth it.
Ofc it is also possible to run live CDs on those VMs for enhanced security,
but after all some ppl are lazy and do like having bookmarks.
Also it is possible to nicely split stuff onto single VMs,
like having an exclusive VM just for running some hidden services,
an additional VM to run all the bitcoin shit, another one for all SR related/PGP stuff,
etc etc.
Even in case LE manages to breach into a VM they still don't know jack shit,
even if they have root and full access to the VM via a trojan.
Different story ofc for the host system,
i would highly suggest not using the host system for anything
besides running the VMs/TrueCrypt/Tor, and ofc
apply the highest possible security standards for the host:
virus scan/a proper firewall/security updates/Server Operating System, etc.

Resources on the host PC is another thing.
A "Win XP" VM should have about 500MB dedicated mem.
CPU wise it ofc depends heavily on what you run on the VM.
For normal "office" like work, the additional CPU load is minimal.
Also ofc each VM needs some GBs of hard disk space.

a dual core 2.5 GHz with 8GB RAM,
can run some 10 VMs at the same time without issues,
as long as the VMs don't run CPU intensive stuff.

Tweaking:
I found that polipo does need some tweaking in the config
to run extensive amounts of VMs,
especially these parameters:
maxConnectionAge, maxConnectionRequests, serverMaxSlots, serverSlots.

play around with these settings a bit and see which config suits
your settings best.
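Step 3 of the guide above (allowedClients in polipo.conf) has a companion setting that is easy to miss: polipo's proxyAddress defaults to loopback, so a guest on the host-only network cannot reach polipo no matter what allowedClients says, and binding 0.0.0.0 instead would expose the proxy on the real uplink too. The following checker is an added example, not code from the thread or from polipo; it parses polipo's key = value format and reports those mistakes for a given guest address. The sample configuration, the 192.168.56.0/24 host-only network, the host at 192.168.56.1 and the guest at 192.168.56.101 are all constructed assumptions.

```python
import ipaddress

# Constructed sample polipo.conf in polipo's "key = value" format. The addresses
# are assumptions: a host-only network 192.168.56.0/24 with the host at .1 and
# polipo forwarding to Tor's SOCKS port on the host.
SAMPLE_POLIPO_CONF = """\
# polipo.conf (constructed example, not the Vidalia bundle's file)
proxyAddress = "192.168.56.1"
proxyPort = 8118
socksParentProxy = "localhost:9050"
socksProxyType = socks5
allowedClients = 127.0.0.1, 192.168.56.0/24
"""


def parse_polipo_conf(text):
    """Map each 'key = value' line to a dict; '#' comments and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().strip('"')
    return conf


def parse_allowed_clients(value):
    """allowedClients is a comma-separated list of addresses and CIDR ranges."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in value.split(",") if item.strip()]


def check_polipo_for_vm(text, vm_ip, host_only_net):
    """Return a list of findings; an empty list means the guest at vm_ip can reach
    polipo and polipo is exposed to nothing beyond loopback and the host-only network."""
    conf = parse_polipo_conf(text)
    vm = ipaddress.ip_address(vm_ip)
    host_net = ipaddress.ip_network(host_only_net)
    findings = []

    # Step 3 of the guide: the guest must be listed in allowedClients ...
    nets = parse_allowed_clients(conf.get("allowedClients", "127.0.0.1"))
    if not any(vm in n for n in nets):
        findings.append(f"allowedClients does not include the VM {vm_ip}")
    # ... but nothing wider than the host-only network should be listed either.
    for n in nets:
        if n.is_loopback:
            continue
        if n.version != host_net.version or n.prefixlen == 0 or not n.subnet_of(host_net):
            findings.append(f"allowedClients entry {n} reaches beyond the host-only network")

    # allowedClients is useless unless polipo also binds an address the guest can reach;
    # polipo's default proxyAddress is loopback, which the guest cannot see.
    bind = conf.get("proxyAddress", "127.0.0.1")
    if bind in ("127.0.0.1", "::1"):
        findings.append("proxyAddress is loopback; the VM cannot reach polipo at all")
    elif bind in ("0.0.0.0", "::"):
        findings.append("proxyAddress binds every interface, including the real uplink")
    else:
        try:
            if ipaddress.ip_address(bind) not in host_net:
                findings.append(f"proxyAddress {bind} is not on the host-only network")
        except ValueError:
            findings.append(f"proxyAddress {bind!r} is not an IP address")

    # Without a SOCKS parent, polipo fetches directly over the host's real connection.
    if not conf.get("socksParentProxy"):
        findings.append("socksParentProxy is unset; polipo would bypass Tor")
    return findings


if __name__ == "__main__":
    result = check_polipo_for_vm(SAMPLE_POLIPO_CONF, "192.168.56.101", "192.168.56.0/24")
    for line in result or ["OK: guest can reach polipo, exposure limited to host-only network"]:
        print(line)
```

Run it against the real polipo.conf by reading the file into the first argument; any finding means either the guest gets no connection at all (loopback bind, missing allowedClients entry) or the proxy is reachable from more than the virtual network.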

Title: Re: How-To: Hardened Tor (like VPN)
Post by: LexusMiles on September 11, 2011, 12:35 pm
Yes reposting here is absolutely necessary. I searched the recent 10 pages of topics before coming to the party. Thought I was first, but no. Good to have your write-up on page 1 again in any case.

What was that important part of your solution about not bridging? I'm curious, for all the processes taking place inside of the VM, is it possible that the network adapter outside of the VM (host adapter) can send rogue DNS or IP packets? That nested loop of Tor is totally new to me (Tor within Tor). Out of respect for the network I doubt I'll try it, but it highlights the prospect that there really are infinite methods and ways of doing this here Internet.

Last question... when using a pirate key for Proxifier, do you trust that the creator of Proxifier doesn't have a built-in backdoor or some kind of silent alarm that draws his attention? The reason I ask is.. the writer of that app is *really* clever.  I could never figure out how he kept track of the 30 days in the portable version -- admittedly cracking isn't my forte.
Title: Re: How-To: Hardened Tor (like VPN)
Post by: trainwrecker on September 12, 2011, 11:19 am
@ What was that important part of your solution about not bridging?

If you have a "bridged" network for the VM, the host will bridge the VM's traffic
into the host's REAL network. By selecting a "host only" network for the VM, the host won't/can't leak
traffic to a real network unless you have a specific tool to do exactly that (proxy, internet connection sharing, etc).
The "host only" network ensures the VMs can only find each other and the host per network.

@is it possible that the network adapter outside of the VM (host adapter) can send rogue DNS or IP packets?

Depends heavily on what software you have installed on the host.
By default i would say NO. Then again don't trust anything that you haven't double checked.
ALWAYS have a proper firewall installed and disallow most traffic besides Tor for the
outgoing network adapter on the host. Set firewalls to "disallow by default" and make sure
you have the firewall rules set correctly so the VMs can connect to polipo's ports and only
the applications you want are allowed to connect to the real interwebs.

@do you trust that the creator of Proxifier doesn't have a built-in backdoor or some kind of silent alarm that draws his attention

Don't trust anything .-)
A feature like you described would ruin Proxifier's reputation if anyone ever found it,
i doubt a software developer for such a specific software would do something stupid
like killing all his reliability on the interwebs by adding a backdoor .-)
Then again, it does not hurt to double check.
As long as you're not using Tor over Tor on the VM, the traffic from the VM over Proxifier
is not encrypted in the "virtual network", so it's not that hard to sniff the traffic
when you have control over the host system.
Install Wireshark on the host system, dump all traffic from the virtual network
into a file, and double check if you're feeling insecure about Proxifier.

ninjaedit: forgot to add, even if Proxifier has a feature which alarms its developer of illegal copies,
all he could find out, information wise, is your VM's IP settings, your VM's network names, your host network name and your host IP ( IP as in the IP for the virtual network which connects host and VM).
it is still pretty safe as Proxifier has no direct connection to the interwebs.

tw
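The "dump all traffic from the virtual network and double check" advice in the post above can be turned into a mechanical test: on the host-only network, every packet the guest sends should go to the host's proxy port and nothing else, so any other destination (a direct connection, or a DNS query the guest resolved itself) is a leak. The script below is an added example, not from the thread or from Wireshark; it reads one-line packet summaries in tcpdump's text style (the kind Wireshark or tshark can export) and classifies guest-originated packets. The capture lines, the 192.168.56.0/24 virtual network, the host at 192.168.56.1, the guest at 192.168.56.101 and the proxy ports 8118/9050 are constructed assumptions; 203.0.113.10 is a documentation address.

```python
import ipaddress
import re

# Constructed packet summaries in tcpdump's text style (one line per packet); they
# are not a real capture. The virtual network 192.168.56.0/24, host 192.168.56.1
# and guest 192.168.56.101 are assumptions. 203.0.113.10 is a documentation address.
SAMPLE_DUMP = """\
10:01:02.000001 IP 192.168.56.101.49160 > 192.168.56.1.8118: Flags [S], seq 1, win 64240, length 0
10:01:02.000200 IP 192.168.56.1.8118 > 192.168.56.101.49160: Flags [S.], seq 2, ack 2, win 65535, length 0
10:01:05.120000 IP 192.168.56.101.53210 > 192.168.56.1.53: 4711+ A? example.onion. (31)
10:01:07.000000 IP 192.168.56.101.49170 > 203.0.113.10.80: Flags [S], seq 3, win 64240, length 0
"""

# timestamp, "IP", src.sport, ">", dst.dport, ":", rest of the summary
PKT_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def audit_vm_traffic(dump, host_only_net, proxy_ip, proxy_ports):
    """Classify guest-originated packets on the virtual network.

    Returns (proxied_count, findings): proxied_count is the number of packets that went
    to the proxy on the host; findings lists every other packet, which is exactly the
    traffic that must not exist if Proxifier is tunneling everything."""
    net = ipaddress.ip_network(host_only_net)
    host = ipaddress.ip_address(proxy_ip)
    proxied, findings = 0, []
    for line in dump.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue  # not a packet summary line
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        if src not in net or src == host:
            continue  # only traffic the guest itself sends is of interest
        dport = int(m["dport"])
        if dst == host and dport in proxy_ports:
            proxied += 1
            continue
        # Port 53 or a query marker in the summary means the guest resolved a name
        # itself instead of letting the proxy do it: a DNS leak.
        kind = "DNS leak" if dport == 53 or "?" in m["rest"] else "direct connection"
        findings.append(f"{m['ts']} {kind}: {src}:{m['sport']} -> {dst}:{dport}")
    return proxied, findings


if __name__ == "__main__":
    count, problems = audit_vm_traffic(SAMPLE_DUMP, "192.168.56.0/24", "192.168.56.1", {8118, 9050})
    print(f"{count} packet(s) went to the proxy")
    for p in problems:
        print(p)
```

On the constructed capture the first packet is fine, the host's reply is ignored, the query to port 53 is reported as a DNS leak and the connection to 203.0.113.10:80 as a direct connection; the host-only network plus a default-deny host firewall is what should make that last line impossible in practice, and this check is how to confirm it.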