TORring the 'net

What follows is a blow-by-blow instructional on configuring network clients to use a Tor proxy under UNIX. With two simple proxy programs (connect and torsocks), network clients such as ssh and irc can be set up for online anonymity. Also described are the commands for forwarding a local port to a remote port with ssh, so that a local network client can connect to the remote proxy.

However, the simplest means for protecting online anonymity and connecting to hidden websites is to download and install the Tor Browser Bundle (Firefox + Tor). With it, no external proxy app is required to pull up websites.

  1. Background
  2. Tor
  3. Connect
  4. Torsocks
  5. Port Forwarding

Background

Tor was designed to protect a user's anonymity, i.e. to conceal his IP address. When a Tor proxy is employed, a client's traffic is routed randomly through a maze of Tor gateways operating world-wide.

clearnet
the transparent slice of the internet - on which services are bound to .com, .net, .biz, etc. domains
darknet
the hidden slice of the internet - on which services are bound to .onion domains

Connecting to clearnet services (http, ssh, irc, etc.) via a Tor proxy provides greater online anonymity than connecting to them directly.

On the hidden slice of the internet, frequently referred to as the "darknet" and "onionland", there are web and other services assigned the .onion pseudo TLD (Top Level Domain). These services can be accessed through a Tor proxy. Client configurations for Tor proxies are discussed in some detail below.

Tor

N.B. In this guide, we'll build and install the software in the $HOME of a non-privileged user.

Alternatively, to install Tor system-wide (as root), the package manager (or ports collection) of your operating system is recommended. Most Linux distros and *BSD systems supply pre-compiled Tor binaries.

Download and unpack the sources for the standalone version of Tor, i.e. the Source Tarball, from torproject.org. The latest stable release is advised.

$ cd ~/

$ wget https://www.torproject.org/dist/tor-0.2.X.X-rc.tar.gz

$ tar xzvf tor-0.2.X.X-rc.tar.gz

$ cd tor-0.2.X.X-rc


Configure, compile and install Tor

With the configure option --prefix="$HOME/tor", tor will be installed under your local UNIX account, and --exec-prefix="$HOME" places the binaries in $HOME/bin. Also, verify that $HOME/bin exists and that it's in your $PATH.

$ ./configure --prefix="$HOME/tor" --exec-prefix="$HOME"

$ make

$ make install

Execute tor

$ ~/bin/tor


note
To initialize Tor at boot, add the following as a cronjob with "crontab -e".

@reboot $HOME/bin/tor

Connect

connect is a tiny program which functions well as a Socks 4a or a Socks 5 proxy client. Grab the source for connect, compile and install it into $HOME/bin.

$ wget http://www.meadowy.org/~gotoh/ssh/connect.c

$ gcc -o connect connect.c

$ cp connect ~/bin


Configure ssh

Open up ~/.ssh/config in a text editor. Add the following:

#Host 10.*
#ProxyCommand none

Host *
ProxyCommand connect -4 -S 127.0.0.1:9050 %h %p

Since Tor listens on port 9050 of 127.0.0.1 (localhost), we'll have ssh connect to it first (instead of directly to the remote address), thereby reaching the remote address from a Tor IP. If your computer is located on a LAN (private address space), uncomment the first two lines (and edit the IP wildcard if necessary). Connections to local IPs should not go through the Tor proxy, and - for brutally obvious security reasons - no SSH daemon located on a LAN should accept logins from external Tor IPs.

Test ssh by logging into "some_domain.com".

$ ssh user@some_domain.com
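
The effect of block order in the ~/.ssh/config above, as an added example that is not part of the original guide: ssh keeps the first value it obtains for each option and matches Host patterns against the name typed on the command line, so the LAN exemption must sit above "Host *" and only covers hosts addressed by IP. The helper proxy_for and the host name fileserver.lan are hypothetical, and only Host and ProxyCommand lines are evaluated.

```shell
#!/bin/sh
# Added example (not from the original guide): simplified first-match lookup
# of ProxyCommand in ssh_config text. Only "Host" and "ProxyCommand" lines are
# evaluated; Match, Include and negated (!) patterns are out of scope.

# Constructed sample: the guide's ~/.ssh/config with the LAN lines uncommented.
SAMPLE_CONFIG='Host 10.*
ProxyCommand none

Host *
ProxyCommand connect -4 -S 127.0.0.1:9050 %h %p'

# proxy_for HOST [CONFIG_TEXT]  (hypothetical helper name)
# Prints the ProxyCommand ssh would apply to HOST, or "direct" if none is set.
proxy_for() {
    host=$1
    printf '%s\n' "${2:-$SAMPLE_CONFIG}" | (
        active=1                    # options before the first Host apply to all
        set -f                      # keep patterns such as 10.* from globbing
        while read -r key rest; do
            case $(printf '%s' "$key" | tr 'A-Z' 'a-z') in
                ''|'#'*) ;;         # blank line or comment
                host)
                    active=0
                    for pat in $rest; do
                        # ssh matches the name as typed, not the resolved IP
                        case $host in $pat) active=1 ;; esac
                    done ;;
                proxycommand)
                    # first value obtained wins; later blocks cannot override
                    if [ "$active" -eq 1 ]; then
                        printf '%s\n' "$rest"
                        exit 0
                    fi ;;
            esac
        done
        echo direct
    )
}

# 10.0.0.2 is exempt; fileserver.lan (hypothetical LAN name) is not, because
# its name does not match 10.* even if it resolves to a 10.x address.
for h in 10.0.0.2 some_domain.com fileserver.lan; do
    printf '%-16s -> %s\n' "$h" "$(proxy_for "$h")"
done
```

Where the installed OpenSSH supports it, "ssh -G hostname" prints the options ssh itself resolves for that host, ProxyCommand included.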

Torsocks

torsocks is a transparent socks5 proxy app which permits client access to the Tor proxy running on localhost. Grab the sources for torsocks. The latest stable release is advised. The commands below download, extract, configure, compile and install torsocks under a non-privileged user's account. (Again, to install torsocks system-wide, use the package manager or ports collection of your operating system.)

$ cd ~/

$ wget http://torsocks.googlecode.com/files/torsocks-1.X.tar.gz

$ tar xzvf torsocks-1.X.tar.gz

$ cd torsocks-1.X

$ ./configure --prefix="$HOME/torsocks" --exec-prefix="$HOME" --libdir="$HOME/tor/lib"

$ make && make install


Network clients and torsocks

With the following command, netcat will check the online status of a darknet website:

$ echo -e "HEAD / HTTP/1.0\n\n" |usewithtor nc -v -i 3 soupksx6vqh3ydda.onion 80

The following command will yank the raw html from an onion site, then write it to a file (for offline viewing):

$ echo -e "GET / HTTP/1.0\n\n" |usewithtor nc -v -i 3 soupksx6vqh3ydda.onion 80 > soupksx6vqh3ydda.onion.html


Anonymous port scanning

Arguably, nmap is the most widely employed port scanner in history, but in conjunction with Tor, unless the -sT switch is solely used, it spews GOBS of irritating libtorsocks errors by connecting to UDP ports. This makes the anonymous scanning experience down-right annoying. Plus, by default, nmap performs host discovery with ICMP packets, which could reveal an IP. (Since Tor can't handle ICMP packets, they could be routed to the clearnet.)

netcat (installed on most UNIX operating systems) scans hosts on both the clear and the dark net quickly, quietly and efficiently. By default, netcat does not connect to UDP ports.

$ usewithtor nc -v -z somehostxxxxxxxx.onion 1-100

-z = scan mode
1-100 = the port range to scan
somehostxxxxxxxx.onion = the host to scan

$ usewithtor nc -v -w 5 somehostxxxxxxxx.onion 1-100

-w = timeout for connects and final net reads

With the "-w" switch, you'll need to observe nc as it scans. If it hangs for 5 seconds then resumes, the port is open. So, it's best to use "-z" for scanning, unless there's a compelling reason for "-w" (e.g. to view the greeting message of a daemon). Finally, when scanning a clearnet site, use the IP rather than the hostname as a precaution. tor-resolve, part of the Tor release, can perform that task easily.

$ tor-resolve domain.ext
www.xxx.yyy.zzz


Anonymous IRC

$ usewithtor irc

After ircII executes, type in "/server some_irc_server.onion". You may use a different console (or GUI) based app than ircII as your irc client.

For irc clients which contain native socks5 proxy support (xchat, Hexchat, weechat, etc.), specify 127.0.0.1 and port 9050 as the proxy server in the network configuration panel or in a control file, then type the address and port of an onion irc server on the commandline: "/server some_irc_server.onion 6667" to connect (via the proxy) to the onion irc server.

Some clearnet irc servers ban (i.e. k-line) those who connect via Tor proxies without SASL authentication. irc.freenode.net and irc.efnet.org are examples. It would be wise to reserve "torified" IRC sessions for onion servers. Here's a list of darknet irc servers.


note
torsocks can be used with ssh, but - to me - connect is more convenient. Do NOT combine BOTH torsocks and connect to proxy an ssh connection at the same time, or the dreaded "libtorsockserror" error will be received: "connect: Connection is to a local address (127.0.0.1), may be a TCP DNS request to a local DNS server so have to reject to be safe."

Tor/ssh proxies

If a Tor instance is not running on your local machine (often a good idea), a local port can be forwarded to a remote port with SSH; a network app which connects to the local port will then use the Tor proxy on the remote host. In the illustration below, we'll be executing the Chrome browser to demonstrate this (somewhat awkward to grasp) concept.

Suppose that the Tor-running host is located on your LAN with the address 10.0.0.2, and "user" has a shell on that box. Forward the port with SSH:

$ ssh -N -L 9050:localhost:9050 user@10.0.0.2

Chrome (and most web-browsers) support proxies natively, i.e. no external proxy app is required for them. To have Chrome use the remote Tor proxy (by connecting to a local address and port), open it up in a terminal window with the following command:

$ google-chrome --proxy-server="socks5://localhost:9050" --host-resolver-rules="MAP * 0.0.0.0, EXCLUDE localhost" --no-referrers --user-agent="Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.93 Safari/537.36"

note
The third part of the above chrome command ("--host-resolver-rules") prevents DNS queries from leaking out on the clearnet, which could compromise a user's anonymity. The second to last ("--no-referrers") halts the browser from sending an HTTP_REFERER, which server logs pick up and which could provide a clue as to the identity of a computer. The last part of the command ("--user-agent") spoofs the browser as a Windows box running Chrome v27.0.
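
A check for the ssh -L forward used in this section, as an added example that is not part of the original guide: by default ssh binds the local end of the forward to the loopback interface, and the function below confirms that nothing on the client is listening on port 9050 on an outside-facing address. The helper name exposed_listeners and the sample ss output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): flag listeners on the forwarded
# port that are reachable from other machines.

# Constructed sample of `ss -ltn` output on the client after the forward is up.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128        127.0.0.1:9050       0.0.0.0:*
LISTEN 0      128            [::1]:9050          [::]:*
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*'

# exposed_listeners PORT [SS_OUTPUT]  (hypothetical helper name)
# Prints every non-loopback address that has a TCP listener on PORT.
exposed_listeners() {
    printf '%s\n' "${2:-$SAMPLE_SS}" | awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, part, ":")          # port is the last ":" field
            if (part[n] != port) next
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            if (addr !~ /^127\./ && addr != "[::1]") print addr
        }'
}

# Against the live system: exposed_listeners 9050 "$(ss -ltn)"
if [ -z "$(exposed_listeners 9050)" ]; then
    echo "port 9050: loopback only"
else
    echo "port 9050 is reachable from other hosts:"
    exposed_listeners 9050
fi
```

A listener on 0.0.0.0 or a LAN address here would mean other machines can use the tunnel, which happens when the forward is started with -g or an explicit bind address.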
