PROJET AUTOBLOG


Shaarli - Les discussions de Shaarli

Archived

Original site: Shaarli - Les discussions de Shaarli


A month with BADONIONS

Tuesday, 30 June 2015 at 10:55

« A few weeks ago I got the idea of testing how much sniffing is going on in the Tor network by setting up a phishing site where I log in with a unique password and then store them. I do this with every exit node there is and then see if a password has been used twice; if that's the case, I know which node was sniffing the traffic. [...]

The results are not so surprising, but what is most surprising about this is that 2 nodes with the "guard" flag had logged in twice. Also, none of these nodes have been flagged even though I reported them to Tor.


Methodology
The way I did this was by buying a domain with a tempting name (such as bitcoinbuy), creating a sub-domain (admin.) using a vhost, and setting up a simple login.

I did not use any databases for this, only a simple PHP script that accepted any password ending in "sbtc", so I just created random passwords using binascii.b2a_hex plus the suffix "sbtc" (e.g. d25799f05fsbtc).

The Python script works by downloading a list of all exit nodes using the Stem API, then creating a unique password for each fingerprint and using that password to log into the domain. All of this is of course saved to a file so I can later go back and see which fingerprint used which password.

The PHP login also saved every login with the username, password, user agent, IP and time used. The Python script uses the Tor Browser Bundle's user agent.

The front page was copied from a legitimate bitcoin provider but heavily modified. There was also a public announcement on the index page saying that we're moving all the bitcoins to our wallets so you can't log in yet, because there was a login form on the front page as well.

The Python script also tries to make it look legitimate by first visiting the index page, sleeping for 1-4 seconds, then navigating to the admin page and logging in with the unique password, the username "admin" and a captcha.

[...]

Statistics
137,319 exit nodes tested over 32 days.*

99,271 successfully tested exit nodes.**

137,981 total page visits.***

16 instances of multiple use of a unique password.

12 logins with a wrong password.

27.4 GiB uploaded and 21.5 GiB sent through Tor.

(*) This number is not the number of unique exit nodes tested, just how many fingerprints were tested. Every node was tested around 95 times (there are around ~1,400 exit nodes).

(**) The number is lower than the total because some nodes timed out, did not allow POSTing through port 80 and/or were offline.

(***) Does not include robots, spiders and/or crawlers. Even though the website disallowed indexing, some spiders found it. This number is only calculated from Tor IPs, so it's possible that a crawler used Tor for its connection; if that's the case, it's included. The number should be lower. »
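The correlation step of the methodology quoted above, as an added example that is not code from the original post or from the BADONIONS project: one random password per exit fingerprint with the "sbtc" suffix, a server-side acceptance rule that only checks the suffix (no database), and an offline pass over the login log that flags any issued password used more than once, the first use being the probe itself. The log line format, the fingerprints, the IP addresses and the user-agent string are constructed for the example; fetching the live exit list with Stem and routing each probe through a chosen exit are left out because they need a running Tor client.

```python
import binascii
import os
from collections import defaultdict

SUFFIX = "sbtc"  # the PHP script accepted any password ending in this
# Assumed Tor Browser Bundle user agent for the probes (constructed for the example)
TBB_UA = "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"


def make_password(nbytes=5):
    """Random hex plus the suffix, e.g. d25799f05fsbtc (same construction as the post)."""
    return binascii.b2a_hex(os.urandom(nbytes)).decode("ascii") + SUFFIX


def honeypot_accepts(password):
    """Server-side rule from the post: no lookup, only the suffix is checked."""
    return password.endswith(SUFFIX)


def assign_passwords(fingerprints):
    """One unique password per exit-node fingerprint. The mapping is what lets a
    later reuse of a password be attributed to the exit the probe went through."""
    pw_by_fp = {}
    seen = set()
    for fp in fingerprints:
        pw = make_password()
        while pw in seen:  # 40-bit space: a collision is unlikely but cheap to rule out
            pw = make_password()
        seen.add(pw)
        pw_by_fp[fp] = pw
    return pw_by_fp


def parse_log(lines):
    """Constructed log format (the post's PHP log layout is not shown):
    username|password|user_agent|ip|timestamp"""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        user, pw, ua, ip, ts = line.split("|", 4)
        records.append({"user": user, "password": pw, "ua": ua, "ip": ip, "ts": ts})
    return records


def analyse(pw_by_fp, log_lines):
    """Return (suspects, rejected).

    suspects: fingerprint -> every login record for that node's password, for
              passwords seen more than once (use #1 is our probe; any later use
              came from someone who saw the plaintext in transit).
    rejected: logins the PHP rule would have refused (no "sbtc" suffix).
    """
    fp_by_pw = {pw: fp for fp, pw in pw_by_fp.items()}
    uses = defaultdict(list)
    rejected = []
    for rec in parse_log(log_lines):
        pw = rec["password"]
        if not honeypot_accepts(pw):
            rejected.append(rec)
        elif pw in fp_by_pw:
            uses[pw].append(rec)
        # accepted but never issued by us: the suffix was guessed, not sniffed; ignored here
    suspects = {fp_by_pw[pw]: recs for pw, recs in uses.items() if len(recs) > 1}
    return suspects, rejected


def demo():
    """Constructed fingerprints (not real relays) and a constructed login log."""
    fps = ["A" * 40, "B" * 40, "C" * 40]
    pw_by_fp = assign_passwords(fps)
    log = [
        f"admin|{pw_by_fp[fps[0]]}|{TBB_UA}|198.51.100.10|2015-06-01T10:00:00",
        f"admin|{pw_by_fp[fps[1]]}|{TBB_UA}|198.51.100.11|2015-06-01T10:00:03",
        f"admin|{pw_by_fp[fps[2]]}|{TBB_UA}|198.51.100.12|2015-06-01T10:00:06",
        # replay of node B's password two days later from a different address
        f"admin|{pw_by_fp[fps[1]]}|curl/7.38.0|203.0.113.5|2015-06-03T02:14:09",
        # a guess without the suffix: the PHP script would reject it
        "admin|password123|curl/7.38.0|203.0.113.7|2015-06-03T02:20:00",
    ]
    return analyse(pw_by_fp, log)


if __name__ == "__main__":
    suspects, rejected = demo()
    for fp, recs in suspects.items():
        print(fp, "->", [(r["ip"], r["ua"], r["ts"]) for r in recs[1:]])
    print("rejected:", len(rejected))
```

Matching is done on the password, not on the source address, because a sniffer normally replays from somewhere other than the exit that saw the probe; the IP, user agent and time of the second use are kept alongside the fingerprint as the evidence to report.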


See also https://chloe.re/2015/04/27/badonions-honeypot-the-honeypot/ :
« What about honeyConnector or exitmap?

honeyConnector works in the same way as BADONIONS but it only supports IMAP and FTP for now. It's a great tool nonetheless, but the installation is extremely difficult and complex.

exitmap is designed to detect active MITM so it's not the same thing as BADONIONS. »

Via http://korben.info/badonions-comment-traquer-les-noeuds-de-sortie-tor-qui-nous-espionnent.html



A few weeks ago I got the idea of testing how much sniffing is going on in the Tor network by setting up a phishing site where I log in with a unique password and then store them. I do this with every exit node there is and then see if a password has been used twice; if that's the case, I know which node was sniffing the traffic. You can read more about the project here: https://chloe.re/2015/04/27/badonions-honeypot-the-honeypot/