nyxnor / tor-ctrl

Raw use of tor's controller

torsocks stream target fails to show the hostname, only shows ip #22

Closed nyxnor closed 2 years ago

nyxnor commented 2 years ago

Steps to reproduce:

tor-ctrl-stream

From another instance:

torsocks curl https://check.torproject.org/api/ip
curl -x socks5h://127.0.0.1:9050

Go back and see the output and finish:

650 STREAM 12947 NEWRESOLVE 0 check.torproject.org:42 SOURCE_ADDR=127.0.0.1:45916 PURPOSE=DNS_REQUEST SOCKS_USERNAME="torsocks-[REDACTED]" SOCKS_PASSWORD="[REDACTED]" CLIENT_PROTOCOL=SOCKS5
650 STREAM 12947 SENTRESOLVE 10656 check.torproject.org:42 SOCKS_USERNAME="torsocks-[REDACTED]" SOCKS_PASSWORD="[REDACTED]" CLIENT_PROTOCOL=SOCKS5
650 STREAM 12947 REMAP 10656 116.202.120.181:42 SOURCE=EXIT SOCKS_USERNAME="torsocks-[REDACTED]" SOCKS_PASSWORD="[REDACTED]" CLIENT_PROTOCOL=SOCKS5
650 STREAM 12947 CLOSED 10656 116.202.120.181:42 REASON=DONE SOCKS_USERNAME="torsocks-[REDACTED]" SOCKS_PASSWORD="[REDACTED]" CLIENT_PROTOCOL=SOCKS5
650 STREAM 12948 NEW 0 116.202.120.181:443 SOURCE_ADDR=127.0.0.1:45918 PURPOSE=USER SOCKS_USERNAME="torsocks-[REDACTED]" SOCKS_PASSWORD="[REDACTED]" CLIENT_PROTOCOL=SOCKS5
650 STREAM 12948 SENTCONNECT 10657 116.202.120.181:443 SOCKS_USERNAME="torsocks-[REDACTED]" SOCKS_PASSWORD="[REDACTED]" CLIENT_PROTOCOL=SOCKS5
650 STREAM 12948 REMAP 10657 116.202.120.181:443 SOURCE=EXIT SOCKS_USERNAME="torsocks-[REDACTED]" SOCKS_PASSWORD="[REDACTED]" CLIENT_PROTOCOL=SOCKS5
650 STREAM 12948 SUCCEEDED 10657 116.202.120.181:443 SOCKS_USERNAME="torsocks-[REDACTED]" SOCKS_PASSWORD="[REDACTED]" CLIENT_PROTOCOL=SOCKS5
650 STREAM 12948 CLOSED 10657 116.202.120.181:443 REASON=DONE SOCKS_USERNAME="torsocks-[REDACTED]" SOCKS_PASSWORD="[REDACTED]" CLIENT_PROTOCOL=SOCKS5

650 STREAM 12949 NEW 0 check.torproject.org:443 SOURCE_ADDR=127.0.0.1:45920 PURPOSE=USER CLIENT_PROTOCOL=SOCKS5
650 STREAM 12949 SENTCONNECT 10651 check.torproject.org:443 CLIENT_PROTOCOL=SOCKS5
650 STREAM 12949 REMAP 10651 116.202.120.181:443 SOURCE=EXIT CLIENT_PROTOCOL=SOCKS5
650 STREAM 12949 SUCCEEDED 10651 116.202.120.181:443 CLIENT_PROTOCOL=SOCKS5
650 STREAM 12949 CLOSED 10651 116.202.120.181:443 REASON=DONE CLIENT_PROTOCOL=SOCKS5

Stream: 12948, Target: 116.202.120.181:443 (116.202.120.181:443)
Circuit: 10657, Purpose: GENERAL

Stream: 12949, Target: 116.202.120.181:443 (check.torproject.org:443)
Circuit: 10651, Purpose: GENERAL

My understanding is that with torsocks, it first sends a SENTRESOLVE to resolve the hostname with tor, gets the IP and closes the connection. Then it opens another connection directly to that IP.

As there is no SUCCEEDED from the resolve stream, it just REMAP and CLOSED, the resolved hostname is never saved. Then it proceeds to the next lines, which do not contain the hostname, only the IP, and is saving only the IP of course, as the hostname was never cached by tor-ctrl-stream.

nyxnor commented 2 years ago

So torsocks creates two streams, in this case 12947 and 12948, to establish (SUCCEED) for the wanted connection; this means torsocks will have two tables, one for resolving the hostname that will be presented as:

Stream: 14142, Target: 116.202.120.181:42 (check.torproject.org:42)
Circuit: 10738, Purpose: GENERAL

and

Stream: 14143, Target: 116.202.120.181:443 (116.202.120.181:443)
Circuit: 10739, Purpose: GENERAL

Two streams, and if the SocksPort flag has stream isolation with IsolateDestPort, then it will use another circuit, or maybe IsolateDestAddr is enough because it first tries the hostname and then tries the IP address directly.


TODO: cache every REMAP after SENTCONNECT or SENTRESOLVE, only if the SENTCONNECT is a hostname, not an IP

nyxnor commented 2 years ago

The problem is that a cached variable is not being saved because of subshell usage.
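An added example (not tor-ctrl's own code) of the REMAP caching from the TODO and the subshell pitfall from the comment above: a POSIX sh loop that remembers which hostname each IP was resolved from, so the second torsocks stream is labelled with its hostname. `IP_CACHE` and the function names are hypothetical, and the sample events are the issue's log lines trimmed to the fields the loop reads.

```shell
#!/bin/sh
# Added example, not tor-ctrl's code. IP_CACHE and the function names are
# hypothetical. IP_CACHE holds "ip hostname" lines, newest first.
IP_CACHE=""

is_hostname() {  # false for IPv4 and bracketed IPv6 literals
  case "$1" in \[*) return 1 ;; *[!0-9.]*) return 0 ;; *) return 1 ;; esac
}

cached_host() {  # print the hostname last seen remapped to IP $1, if any
  printf '%s\n' "$IP_CACHE" | awk -v ip="$1" '$1 == ip { print $2; exit }'
}

label_streams() {  # reads "650 STREAM ..." events on stdin
  while read -r _code kind id event _circ target _rest; do
    [ "$kind" = STREAM ] || continue
    case "$id" in ''|*[!0-9]*) continue ;; esac  # id becomes part of a variable name
    addr=${target%:*}; port=${target##*:}
    case "$event" in
      NEW|NEWRESOLVE|SENTCONNECT|SENTRESOLVE)
        if is_hostname "$addr"; then eval "host_$id=\$addr"; fi ;;
      REMAP)  # cache only when this stream was opened by hostname
        eval "h=\${host_$id:-}"
        if [ -n "$h" ] && ! is_hostname "$addr"; then
          IP_CACHE="$addr $h
$IP_CACHE"
        fi ;;
      SUCCEEDED)
        eval "h=\${host_$id:-}"
        [ -n "$h" ] || h=$(cached_host "$addr")
        printf 'Stream: %s, Target: %s (%s:%s)\n' "$id" "$target" "${h:-$addr}" "$port" ;;
    esac
  done
  return 0
}

# A here-document keeps the loop in the current shell, so IP_CACHE survives;
# `some_command | label_streams` would update it in a subshell and lose it.
label_streams <<'EOF'
650 STREAM 12947 NEWRESOLVE 0 check.torproject.org:42 PURPOSE=DNS_REQUEST
650 STREAM 12947 SENTRESOLVE 10656 check.torproject.org:42
650 STREAM 12947 REMAP 10656 116.202.120.181:42 SOURCE=EXIT
650 STREAM 12947 CLOSED 10656 116.202.120.181:42 REASON=DONE
650 STREAM 12948 NEW 0 116.202.120.181:443 PURPOSE=USER
650 STREAM 12948 SENTCONNECT 10657 116.202.120.181:443
650 STREAM 12948 REMAP 10657 116.202.120.181:443 SOURCE=EXIT
650 STREAM 12948 SUCCEEDED 10657 116.202.120.181:443
EOF
```

Reading live controller output through a FIFO or temporary file instead of a pipe keeps the same property.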

nyxnor commented 2 years ago

Adrelanos said:

I didn't know what that IP is. Can be found on search engines (check.torproject.org) but that isn't comfortable to find out about unwanted connections. Could you please add reverse DNS as an additional field?

Fixed now