Flying Through Tor with Jetplane

September 30, 2012

When researching targeted malware and its infrastructure, I often find myself writing trackers that poll for changes so that I learn about them with little delay. For one particular instance I needed to hit a couple of systems a few times a day and wanted to shield my tracker a bit by sending the requests through Tor. Along with the basic information about each host, I was also recording statistics on the polling, including the requesting address, that is, the Tor exit each request left from. Two weeks passed and I got curious about all of the addresses in my database and who they belonged to, so I dumped them and looked them up.

I ended up with a bunch of addresses on different networks covering the following countries:

CA,DE,US,GB,SE,LV,FI,CZ,FR,RU,MX,UA,SI,RO,BE,AT,JP,MD,NL,HK,CH,IS,PL,LU,HR,LT,DK,GR,EE,LI

I felt that this list was fairly diverse and was curious how long it would take to get from one country to the next. I was also interested to know whether it was possible to bounce around Tor until I landed on the network of the company I wanted to emulate. I didn't search too hard for any prior work and instead just jumped into the code.

Here is a link to the library, which I labeled “jetplane”. Essentially the library takes a destination (a country or a network owner name) and a timeout value, then bounces around Tor, tracking each stop, until it either arrives or the timeout runs out. Each destination traveled to is a trip and each location passed through on the way is a stop. All data is stored in MongoDB along with some other statistics. A stored trip looks something like the following:

[Screenshot of a trip document from MongoDB, rendered as JSON; the image is not preserved in this copy.]

As you can see from the JSON output, most of the information needed to produce decent statistics is available. Also in the Github repository is an application called “cmdctr.py”, which walks the MongoDB collection and pulls the data out to compute some basic flight statistics. The output from this script, after 15 to 17 attempted trips per destination, is at the bottom of the post. Each listed line is one successful trip: the destination code, the number of intermediate stops, and the exit country at every stop in order, ending at the destination. The summary line for each destination gives the success rate as a percentage of all attempts, followed by the mean stop count and mean time (apparently in seconds) over the successful trips only; the stop averages can be checked against the listed trips.
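The trip loop described above and the cmdctr.py-style per-destination summary, as an added example in Python that is not the jetplane library's own code. It assumes nothing about jetplane's internals: the names fly, summarize, format_trip, FakeClock, SAMPLE_EXITS and demo, the fake exit addresses and their countries, and the tor_new_exit adapter (a NEWNYM signal over Tor's control port via stem, then a lookup of our apparent address through the SOCKS port) are all this example's own choices. The offline demo feeds scripted exits through a fake clock, so it runs without Tor; swap tor_new_exit and a real GeoIP lookup in for a live run.

```python
"""Added example (not jetplane's code): bounce through Tor exits until one
geolocates to the destination, record every stop, then summarize per destination."""
import itertools
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data for the offline demo: fake exit addresses from the
# RFC 5737 documentation ranges and the country a GeoIP lookup would return.
SAMPLE_EXITS: Dict[str, str] = {
    "198.51.100.10": "US", "198.51.100.11": "US", "203.0.113.5": "DE",
    "192.0.2.77": "FR", "203.0.113.99": "NL",
}


class FakeClock:
    """Constructed clock: every read advances 15 s, roughly the cost of one NEWNYM hop."""
    def __init__(self, step: float = 15.0) -> None:
        self.now, self.step = 0.0, step

    def __call__(self) -> float:
        self.now += self.step
        return self.now


@dataclass
class Trip:
    destination: str                                            # ISO code, e.g. "DE"
    stops: List[Dict[str, str]] = field(default_factory=list)   # every exit seen, in order
    success: bool = False
    seconds: float = 0.0


def fly(destination: str, timeout: float, new_exit: Callable[[], str],
        geolocate: Callable[[str], Optional[str]],
        clock: Callable[[], float] = time.monotonic) -> Trip:
    """Request fresh exits until one geolocates to `destination` or `timeout` seconds pass.
    Every exit passed through is a stop; on success the last stop is the destination."""
    trip = Trip(destination=destination.upper())
    start = clock()
    while clock() - start < timeout:
        addr = new_exit()
        country = geolocate(addr) or "??"     # an unlocatable exit still counts as a stop
        trip.stops.append({"address": addr, "country": country})
        if country == trip.destination:
            trip.success = True
            break
    trip.seconds = clock() - start
    return trip


def format_trip(trip: Trip) -> str:
    """One line per trip: destination, intermediate stop count, countries in order."""
    countries = ",".join(s["country"] for s in trip.stops)
    return f"{trip.destination.lower()} {max(len(trip.stops) - 1, 0)} - {countries}"


def summarize(trips: List[Trip]) -> Dict[str, Dict[str, float]]:
    """Per destination: success % over all attempts, mean intermediate stops and
    mean seconds over the successful trips only (zeros if none succeeded)."""
    out: Dict[str, Dict[str, float]] = {}
    for dest in sorted({t.destination for t in trips}):
        group = [t for t in trips if t.destination == dest]
        ok = [t for t in group if t.success]
        out[dest] = {
            "success": 100.0 * len(ok) / len(group),
            "stops": sum(len(t.stops) - 1 for t in ok) / len(ok) if ok else 0.0,
            "time": sum(t.seconds for t in ok) / len(ok) if ok else 0.0,
        }
    return out


def tor_new_exit(control_port: int = 9051, socks_port: int = 9050,
                 password: Optional[str] = None) -> str:
    """Real adapter for `new_exit` (not used by the offline demo): signal NEWNYM on the
    control port, then fetch our apparent address through the SOCKS port. Needs the
    `stem` and `requests[socks]` packages and a torrc with ControlPort enabled."""
    from stem import Signal
    from stem.control import Controller
    import requests
    with Controller.from_port(port=control_port) as ctl:
        ctl.authenticate(password=password)
        ctl.signal(Signal.NEWNYM)          # Tor rate-limits NEWNYM to about one per 10 s
    proxy = f"socks5h://127.0.0.1:{socks_port}"   # socks5h: resolve DNS through Tor too
    r = requests.get("https://check.torproject.org/api/ip",
                     proxies={"http": proxy, "https": proxy}, timeout=30)
    return r.json()["IP"]


def demo() -> Tuple[List[Trip], Dict[str, Dict[str, float]]]:
    """Offline run over constructed exit sequences; the fake Tor cycles through each list."""
    runs = [
        ("de", ["198.51.100.10", "192.0.2.77", "203.0.113.5"]),      # US,FR,DE: 2 stops
        ("de", ["203.0.113.5"]),                                      # DE straight away
        ("se", ["198.51.100.10", "198.51.100.11", "203.0.113.99"]),  # never SE: times out
    ]
    trips = []
    for dest, seq in runs:
        exits = itertools.cycle(seq)
        trips.append(fly(dest, timeout=100.0, new_exit=lambda: next(exits),
                         geolocate=SAMPLE_EXITS.get, clock=FakeClock()))
    return trips, summarize(trips)


if __name__ == "__main__":
    trips, summary = demo()
    for t in trips:
        print(format_trip(t), "" if t.success else "(timed out)")
    for dest, s in summary.items():
        print(f"{dest.lower()} - success: {s['success']:.6f}, "
              f"stops: {s['stops']:.6f}, time: {s['time']:.6f}")
```

Run it directly to print three trips and their summary lines in the same shape as the listing below. Two caveats for a live run: Tor rate-limits NEWNYM to about one signal per ten seconds, which is why a 20-stop trip takes minutes rather than seconds; and if all you want is an exit in a given country, Tor can pin it outright with ExitNodes {de} and StrictNodes 1 in torrc, so the random walk is worth it for the hop statistics, not as the fastest way to land somewhere. GeoIP answers are also only approximate, and a mislocated exit inflates whatever country it is attributed to.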

I continue to let this script run on a daily basis with the intention of eventually combing back through the data for anything of interest. Based on the basic statistics alone, I think it is pretty cool to see which countries are most active and most likely to be assigned when asking for a Tor address. The listing bears that out: DE and US account for most stops, trips to de and us succeed with few stops, while small countries such as SI, LI and DK were reached once in 16 or 17 attempts. If you have any ideas, want my current database or have any questions, comment or email me.

de 0 – DE
de 0 – DE
de 1 – RU,DE
de 5 – US,CA,FR,US,US,DE
de 3 – FR,RO,GB,DE
de 11 – US,US,RO,FR,US,SE,CA,CA,US,FR,US,DE
de 5 – US,US,US,US,US,DE
de 2 – US,SI,DE
de 0 – DE
de 3 – US,LU,US,DE
de 0 – DE
de 2 – CZ,NL,DE
de 3 – RU,US,RU,DE
de 1 – FR,DE
de 9 – LU,LU,US,SE,LU,US,LU,US,US,DE
de 7 – AT,BE,GB,US,US,LU,US,DE
de 1 – US,DE
de – success: 100.000000, stops: 3.117647, time: 59.235728

se 16 – DE,RO,DE,GB,DE,FR,RO,GB,US,GB,FR,DE,RO,NL,RU,GB,SE
se 15 – DE,DE,US,US,DE,US,RU,US,US,CH,DE,DE,CA,CH,RO,SE
se 3 – NL,US,DE,SE
se 4 – RO,CA,CA,RU,SE
se 18 – US,MN,FR,US,US,US,US,US,DE,DE,DE,AT,US,US,US,US,MN,UA,SE
se 15 – CZ,CZ,DE,US,DK,NL,DE,CA,CA,US,DE,NL,CZ,DE,DE,SE
se 3 – CA,DE,CH,SE
se 6 – DE,RO,FR,DE,RO,LU,SE
se 16 – DE,NL,GB,NL,DE,RO,NL,CA,DE,DE,LU,RO,CA,DE,DE,US,SE
se 2 – DE,DE,SE
se 18 – US,DE,RU,US,DE,US,US,DE,US,US,RU,DE,US,US,DE,US,US,US,SE
se 14 – DE,DE,GB,FR,DE,DE,DE,RU,US,DE,DE,DE,DE,RU,SE
se 1 – DE,SE
se 9 – DE,FR,US,DK,US,NL,US,DK,US,SE
se 2 – US,US,SE
se – success: 88.235294, stops: 9.466667, time: 154.008335

at 22 – SE,DE,RO,SE,DE,SE,DE,US,SE,DE,SE,SE,DE,DE,DE,DE,SE,DE,SE,DE,DE,SE,AT
at 2 – DE,NL,AT
at 3 – DE,FR,DE,AT
at – success: 20.000000, stops: 9.000000, time: 134.230802

us 3 – SE,DE,DE,US
us 4 – AT,SE,RO,DE,US
us 3 – CH,CH,CA,US
us 0 – US
us 1 – SE,US
us 0 – US
us 3 – DE,DE,SE,US
us 5 – LU,DE,RO,LU,LU,US
us 0 – US
us 2 – DE,NL,US
us 13 – DE,DE,SE,SE,DE,DE,SE,SE,NL,SE,FR,GB,DE,US
us 2 – DE,EE,US
us 6 – FR,DE,DE,UA,FR,GB,US
us 0 – US
us 0 – US
us – success: 88.235294, stops: 2.800000, time: 57.186159

ro 23 – DE,US,DE,US,DE,DE,US,DE,DE,GB,DE,DE,FR,US,US,US,RU,UA,DE,DE,US,US,DK,RO
ro 23 – NL,GB,GB,DE,NL,SE,NL,NL,DE,DE,DE,US,DE,DE,SE,SE,FR,US,SE,NL,US,GB,DE,RO
ro 4 – SE,SE,US,DE,RO
ro 13 – US,EE,US,SE,FR,DE,SE,RU,GB,FR,EE,EE,DE,RO
ro 13 – DE,NL,DE,DE,DE,DE,DE,NL,DE,DE,FR,DE,DE,RO
ro 4 – DE,DE,SE,DE,RO
ro 3 – DE,DE,DE,RO
ro – success: 43.750000, stops: 11.857143, time: 197.199039

nl 10 – DE,DE,FR,DE,DE,RO,FR,DE,US,US,NL
nl 11 – DE,RU,DE,RO,GB,RO,DE,DE,DE,CZ,DE,NL
nl 13 – US,CZ,RO,US,DE,DE,US,FR,DE,DE,US,GB,US,NL
nl 3 – FR,DE,US,NL
nl 13 – US,DE,US,US,RU,US,US,SE,US,UA,US,DE,DE,NL
nl 3 – SE,DE,US,NL
nl 10 – US,DE,FR,DE,CZ,DE,US,DE,DE,DE,NL
nl 0 – NL
nl 9 – GB,DE,US,US,CZ,US,US,DE,FR,NL
nl 24 – DK,SE,RO,US,SE,CA,DE,RO,US,RO,RO,US,CA,US,US,US,SE,US,CA,US,SE,FR,DE,CH,NL
nl 4 – LI,AT,FR,US,NL
nl 14 – US,US,DE,US,CA,FR,US,DE,US,DE,SE,SE,DE,DE,NL
nl 5 – US,DE,DE,GB,US,NL
nl 14 – US,DE,SE,US,FR,GB,US,DE,DE,DE,DE,DE,DE,GB,NL
nl 1 – DE,NL
nl – success: 88.235294, stops: 8.933333, time: 145.327075

fr 18 – KR,SE,DE,DE,DE,DE,RO,DE,US,AT,SE,DK,UA,RU,DE,DE,US,DE,FR
fr 3 – CA,DE,GB,FR
fr 21 – DE,DE,NL,GB,RO,LU,DE,DE,DE,DE,SE,SE,DE,US,SE,SE,GB,NL,CA,US,DE,FR
fr 2 – DE,DE,FR
fr 17 – NL,SE,NL,SE,DE,US,SE,DE,US,US,US,US,DE,SE,US,RO,US,FR
fr 13 – DE,US,DE,NL,DE,GB,NL,SE,SE,CA,DE,CA,NL,FR
fr 17 – US,DE,KR,US,US,DE,US,DE,US,SE,RO,RO,DE,FI,SE,US,DE,FR
fr 2 – DE,DE,FR
fr 3 – SE,DE,DE,FR
fr 14 – CZ,DE,US,US,RU,US,DE,US,RU,CA,DE,NL,DE,RU,FR
fr 24 – DK,DE,NL,NL,DE,NL,US,US,US,DE,NL,RO,NL,US,NL,CH,CH,NL,DE,NL,US,US,US,US,FR
fr – success: 64.705882, stops: 12.181818, time: 193.213443

ca 0 – CA
ca 21 – US,US,US,RU,US,US,DE,MN,US,US,US,US,DE,MN,US,US,MN,DE,DE,DE,NL,CA
ca 21 – DE,US,DE,LI,US,DE,US,US,DE,US,SE,DE,UA,UA,DE,DE,DE,US,DE,DE,DE,CA
ca 7 – US,DE,US,DE,US,NL,US,CA
ca – success: 23.529412, stops: 12.250000, time: 191.535174

ua 6 – US,US,NL,DE,DE,SE,UA
ua 12 – US,FR,DE,SE,US,NL,DE,NL,SE,FR,DE,US,UA
ua – success: 11.764706, stops: 9.000000, time: 145.116218

si 10 – US,US,DE,RU,US,DE,DE,AT,DE,DE,SI
si – success: 5.882353, stops: 10.000000, time: 175.221834

md 11 – GB,NL,DE,DE,NL,NL,DE,DE,FR,DE,DE,MD
md 8 – FR,US,FR,US,FR,US,FR,NL,MD
md – success: 11.764706, stops: 9.500000, time: 149.794358

ch 17 – NL,DE,CA,FR,DE,DE,DE,DE,DE,DE,DE,GB,DE,US,AT,DE,NL,CH
ch 0 – CH
ch – success: 11.764706, stops: 8.500000, time: 126.267395

lu 0 – LU
lu 20 – DE,NL,FR,NL,NL,NL,NL,DE,DE,DE,US,DE,NL,US,DE,DE,DE,DE,GB,GB,LU
lu 0 – LU
lu 12 – US,US,US,FR,DE,FR,DE,US,SE,DE,GB,US,LU
lu – success: 25.000000, stops: 8.000000, time: 124.019574

ee 10 – GB,US,DE,US,DE,US,DE,DE,US,SE,EE
ee 16 – DE,SE,DE,US,NL,NL,DE,NL,NL,US,RO,US,US,US,NL,DE,EE
ee – success: 12.500000, stops: 13.000000, time: 194.493500

li 18 – US,US,MN,MN,DE,US,MN,MN,US,US,US,US,SE,DE,US,SE,UA,MN,LI
li – success: 6.250000, stops: 18.000000, time: 271.550428

gb 0 – GB
gb 14 – US,CH,US,DE,US,RO,DE,DE,DE,CH,DE,FR,DE,CH,GB
gb 21 – CZ,DE,DE,CZ,NL,DE,US,CZ,RO,DE,DE,CA,RO,FR,CZ,US,DE,SE,CH,US,DE,GB
gb 19 – US,DE,DE,US,SK,LU,DE,DE,SE,NL,DE,DE,US,DE,RU,DE,RO,NL,DE,GB
gb 11 – DE,DE,DE,DE,SE,RO,DE,DE,RU,FR,CZ,GB
gb 14 – US,US,US,DE,US,US,DE,US,US,SE,US,SE,US,SE,GB
gb – success: 35.294118, stops: 13.166667, time: 204.873480

cz 12 – DE,FR,DE,FR,FR,DE,DE,GB,FR,DE,DE,DE,CZ
cz 8 – DE,DE,CA,US,DE,US,FR,US,CZ
cz 9 – CA,DE,FR,NL,SE,US,NL,US,DE,CZ
cz – success: 18.750000, stops: 9.666667, time: 171.373563

ru 18 – CA,DE,DE,DE,DE,US,DE,US,US,US,DE,US,SE,US,DE,NL,SE,US,RU
ru 21 – NL,DE,US,DE,US,NL,NL,US,RO,DE,DE,RO,SE,SE,US,US,US,NL,SE,SE,DE,RU
ru 3 – DE,DE,DE,RU
ru 15 – DE,DE,DE,US,NL,US,SE,DE,DE,DE,DE,NL,US,US,DE,RU
ru 9 – FR,US,US,US,FR,US,SE,US,US,RU
ru 8 – RO,GR,SE,NL,US,DE,DE,US,RU
ru – success: 40.000000, stops: 12.333333, time: 194.348084

dk 9 – DE,US,US,DE,DE,GB,US,DE,DE,DK
dk – success: 6.250000, stops: 9.000000, time: 154.403083
