Nmap Development mailing list archives

Service probe for Tor ORPort


From: David Fifield <david () bamsoftware com>
Date: Mon, 12 Jan 2015 22:10:52 -0800

Here's a version probe for the Tor protocol. Tor is tunneled inside of
TLS, so the probe relies on service detection's automatic tunnel
detection. This signature is for the ORPort, the port that accepts
client connections and connections from other relays. Here's how it
looks:

PORT     STATE SERVICE        VERSION
9001/tcp open  ssl/tor-orport Tor 0.2.4.11 or later (supported protocol versions: 3, 4)

Tor can run on any port, but it most commonly appears on ports 9001,
443, and 9002. You can derive the ports from this JSON document:
https://onionoo.torproject.org/details?type=relay&fields=or_addresses
Parse it with this Python program:
        import json
        counts = {}
        # details.json is the Onionoo document linked above, saved locally.
        with open("details.json") as f:
            details = json.load(f)
        # Count every ORPort across all relays. Entries look like "1.2.3.4:9001"
        # or "[2001:db8::1]:9001", so split on the last colon to get the port.
        for relay in details["relays"]:
            for addr in relay["or_addresses"]:
                port = int(addr.rsplit(":", 1)[1])
                counts.setdefault(port, 0)
                counts[port] += 1
        # Print the ports, most common first (works on Python 2 and 3).
        for port, count in sorted(counts.items(), key=lambda x: x[1], reverse=True):
            print("%5d %5d" % (port, count))
The output gives the most commonly seen ports:
         9001  4553
          443  3379
         9002   109
         8080    90
           80    84
Therefore I set "sslports 443,9001,9002".

David Fifield


##############################NEXT PROBE##############################
# VERSIONS cell indicating support for protocol versions 3, 4, 5, and 6.
# https://gitweb.torproject.org/torspec.git/tree/tor-spec.txt (see sections 3 and 4.1)
# Structure is:
#   CircID       2 bytes
#   Command (7)  1 byte
#   Length       2 bytes
#   array of 2-byte version numbers
# We can't detect protocol versions 1 and 2, because those require you to
# do the SSL handshake in a particular way (version 1 requires you to use
# specific ciphersuites and send a client certificate ("the v1 handshake")
# and version 2 requires a renegotiation after the initial handshake ("the
# v2 handshake")).
# Versions 5 and 6 don't exist as of 2015, but send them in the hope of
# catching future changes.
Probe TCP tor-versions q|\x00\x00\x07\x00\x08\x00\x03\x00\x04\x00\x05\x00\x06|
rarity 8
sslports 443,9001,9002


# Since 0.2.4.11-alpha - 2013-03-11.
# https://gitweb.torproject.org/tor.git/tree/ChangeLog: "Support a new version
# of the link protocol that allows 4-byte circuit IDs."
# https://trac.torproject.org/projects/tor/ticket/7351
# https://gitweb.torproject.org/torspec.git/tree/proposals/214-longer-circids.txt
match tor-orport m|^\x00\x00\x07\x00\x04\x00\x03\x00\x04| p/Tor/ v/0.2.4.11 or later/ i/supported protocol versions: 3, 4/

# 0.2.3.6-alpha - 2011-10-26
# https://gitweb.torproject.org/tor.git/tree/ChangeLog: "This release also
# features support for a new v3 connection handshake protocol..."
# 
# Also matches this independent JavaScript implementation: https://github.com/Ayms/node-Tor
match tor-orport m|^\x00\x00\x07\x00\x02\x00\x03| p/Tor/ v/0.2.3.7 - 0.2.4.11/ i/supported protocol versions: 3/

# An independent implementation that "only returns the highest
# understood version matching what the server supports, instead of a
# list of all supported versions."
# https://lists.torproject.org/pipermail/tor-dev/2015-January/008135.html
match tor-orport m|^\x00\x00\x07\x00\x02\x00\x04| p/Tor/ i/supported protocol versions: 4/
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
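The probe and match lines above encode and recognise Tor VERSIONS cells by hand as byte strings. The following is an added example, not part of David Fifield's post and not code from the Nmap or Tor projects: a small Python codec for the cell layout described in the probe comments (2-byte CircID, 1-byte command 7, 2-byte length, then 2-byte version numbers), which builds the exact probe bytes from the entry, parses the three reply prefixes that the match lines look for (constructed here as sample responses), picks the highest shared version the way the third match line's independent implementation does, and rejects anything that is not a well-formed VERSIONS cell. The function names, the `classify` labels and the `SAMPLE_RESPONSES` dictionary are assumptions made for this example; `classify` also accepts replies that list versions beyond 3 and 4, which the exact-length regex in the first match line would not.

```python
import struct

# Tor link-protocol VERSIONS cell (tor-spec sections 3 and 4.1):
#   CircID (2 bytes) | Command (1 byte, 7 = VERSIONS) | Length (2 bytes) | 2-byte versions
VERSIONS_COMMAND = 7
HEADER = struct.Struct(">HBH")  # big-endian CircID, Command, Length; 5 bytes

# The probe string from the nmap-service-probes entry above, as bytes.
NMAP_PROBE = b"\x00\x00\x07\x00\x08\x00\x03\x00\x04\x00\x05\x00\x06"

# Constructed sample replies, taken from the prefixes in the three match
# lines above (a real reply could carry further versions after the prefix).
SAMPLE_RESPONSES = {
    "modern": b"\x00\x00\x07\x00\x04\x00\x03\x00\x04",   # 0.2.4.11 or later
    "v3_only": b"\x00\x00\x07\x00\x02\x00\x03",          # 0.2.3.7 - 0.2.4.11
    "v4_only": b"\x00\x00\x07\x00\x02\x00\x04",          # independent implementation
}


def build_versions_cell(versions):
    """Encode a VERSIONS cell (CircID 0) advertising the given versions."""
    payload = b"".join(struct.pack(">H", v) for v in versions)
    return HEADER.pack(0, VERSIONS_COMMAND, len(payload)) + payload


def parse_versions_cell(data):
    """Decode a VERSIONS cell and return the advertised versions as a list.

    Anything that is not a well-formed VERSIONS cell raises ValueError, so a
    non-Tor service answering on 443 or 9001 cannot produce a bogus version list."""
    if len(data) < HEADER.size:
        raise ValueError("cell shorter than the 5-byte header")
    circ_id, command, length = HEADER.unpack_from(data)
    if circ_id != 0:
        raise ValueError("VERSIONS cell must use CircID 0, got %d" % circ_id)
    if command != VERSIONS_COMMAND:
        raise ValueError("not a VERSIONS cell: command %d" % command)
    if length % 2 != 0 or len(data) < HEADER.size + length:
        raise ValueError("payload length %d is odd or truncated" % length)
    body = data[HEADER.size:HEADER.size + length]
    return [struct.unpack_from(">H", body, i)[0] for i in range(0, length, 2)]


def is_versions_cell(data):
    """True if data parses as a VERSIONS cell, False otherwise."""
    try:
        parse_versions_cell(data)
    except ValueError:
        return False
    return True


def negotiate(ours, theirs):
    """Highest link-protocol version both sides advertise, or None."""
    common = set(ours) & set(theirs)
    return max(common) if common else None


def classify(versions):
    """Map a reply's version set to the labels used by the match lines.

    Hypothetical helper for this example, not Nmap's matching engine. Unlike
    the first match line it also accepts supersets of {3, 4}."""
    advertised = set(versions)
    if {3, 4} <= advertised:
        return "Tor 0.2.4.11 or later (supported protocol versions: %s)" % ", ".join(
            str(v) for v in sorted(advertised))
    if advertised == {3}:
        return "Tor 0.2.3.7 - 0.2.4.11 (supported protocol versions: 3)"
    if advertised == {4}:
        return "Tor (supported protocol versions: 4)"
    return "Tor (unrecognised version set: %s)" % sorted(advertised)


def fingerprint(response):
    """Parse one ORPort reply to the probe: (versions, negotiated version, label)."""
    versions = parse_versions_cell(response)
    return versions, negotiate([3, 4, 5, 6], versions), classify(versions)


if __name__ == "__main__":
    # Sanity check: the encoder reproduces the probe string from the entry above.
    assert build_versions_cell([3, 4, 5, 6]) == NMAP_PROBE
    for name, response in SAMPLE_RESPONSES.items():
        print(name, fingerprint(response))
```

Running the script prints one line per constructed reply, e.g. `modern ([3, 4], 4, 'Tor 0.2.4.11 or later (supported protocol versions: 3, 4)')`. The length and command checks in `parse_versions_cell` are the part worth keeping when adapting this: the match lines above anchor on the same five header bytes for the same reason, so that a TLS service that merely echoes or replies with unrelated data is not reported as Tor.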