Getting Started

Stem is a powerful library written in Python to perform various operations against TOR Clients and Directory Authorities. The information gathered using Stem could be very useful to an attacker to gather information about the relays available in the TOR network. Tortazo is an open source project to gather information about ExitNodes in the TOR Network, perform bruteforce attacks against services like FTP or SSH and create a Botnet with the compromised ExitNodes over SSH. Tortazo includes a lot of features in the plugins form to perform pentesting activities against TOR relays and hidden services in the deep web. In this documentation, you’ll see in detail all the features included in Tortazo. The main objetive of this project is establish a bridge between the TOR deep web and the Python hackers. Let’s execute python scripts against TOR!

Instalation and Dependencies

To use Tortazo, you can use the latest stable release located in “bin” directory. However, if you want to use the development version located in the GIT repository you’ll need the following dependencies:

Other Dependencies

Among the Python libraries needed to use Tortazo, you’ll need some tools to use plugins or some execution modes in Tortazo.

Usage of Tortazo: Execution Modes

There are four execution modes in the current version of Tortazo, each of this allows gathering information from the TOR network and performing attacks against relays and hidden services. The execution modes are the following.

Gathering Information

This is the most basic execution mode, which will download the descriptors from the latest consensus generated by the TOR directory authorities and then allows applying some filters on the information downloaded. Finally, launches an scan with Nmap against the data filtered, identifying open ports and a lot of details about the target, you can use every option included in Nmap scanner, including the Scripting Engine (NSE). The results will be stored in the local database of Tortazo and if you runs Tortazo multiple times in this mode, more information get stored in database. The larger samples of data have more chances of getting positive results against any of the relays registered, so it’s recommended to run Tortazo in this mode multiple times. Read more about gather information in Tortazo Mode Gather Information.

Botnet Mode

This mode is used to execute commands over a set of SSH servers compromised using the “bruter” plugin. As you can see in Plugins in Tortazo. Getting started bruter plugin is used to execute dictionary attacks against multiple services in relays or hidden services. If the dictionary attack against a SSH server is successful, the plugin writes the details of the compromised server in the file “<TORTAZO_DIR>/”. In this mode, Tortazo will read that file to create the bots in the context of the botnet. You can run parallel commands against the entirely botnet or exclude bots to run the commands just over some machines. Read more about Botnet mode in Tortazo Botnet mode in Tortazo.

Database Mode

If you have enough information in your database, you can use it to perform direct attacks using some of the available plugins in Tortazo. In this mode, there are no connections to the TOR directory authorities to gather information about the relays that conforms the network, instead, Tortazo will use the information stored in database. Read more about Database mode in Tortazo Database mode in Tortazo

Plugins management

The plugins in Tortazo are the best way to integrate external routines written in Python directly in the framework, allowing to any Python developer write his own tools to perform audits against hidden services and TOR relays. There are various plugins already developed which integrates tools like Nessus, W3AF, Metasploit Framework, among others and custom plugins to perform pentesting activities. Read more about the development and usage of plugins in Tortazo Plugins in Tortazo. Getting started

Repository Mode

In this mode, Tortazo will try to generate ONION addresses and then tests if the generated addresses point to a hidden service in the deep web. Every onion address is composed by 16 characters and the valid chars are the full alphabet in lowercase and the digits between 2 and 7, as you can imagine, the amount of ONION addresses that could be generated is VERY, VERY HUGE and this is why the repository execution mode will not finish in few hours, could take days or even weeks generate and test every “possible” onion address. Actually, the execution of this mode, depends A LOT of the information that you have about of an address and the processing capacity of your machine. If you represents a government, maybe this kind of limitations related to processing capacity are less severe compared with the restrictions of any natural person. However, please read more about the development and usage of plugins in Tortazo Repository mode in Tortazo