A month with BADONIONS


A few weeks ago I got the idea of testing how much sniffing is going on in the Tor network by setting up a phishing-style site where I log in with a unique password and then store the passwords. I do this through every exit node there is and then check whether a password has been used twice; if so, I know which node was sniffing the traffic. You can read more about the project here.

The results are not so surprising, but what is most surprising is that 2 nodes with the "Guard" flag had logged in twice. Also, none of these nodes have been flagged even though I reported them to Tor. Read more about why I think this is bad here.


The way I did this was by buying a domain with a tempting name (such as bitcoinbuy), creating a sub-domain (admin.) with a vhost, and setting up a simple login.

I did not use any database for this, only a simple PHP script which allowed any password ending in "sbtc"; therefore I just created random passwords using binascii.b2a_hex plus the suffix "sbtc" (e.g. d25799f05fsbtc).

This is what the login looks like (not a real captcha, but it is randomized):

Once you log in it looks like this (yes, those links work, and the numbers are dynamic):

The Python script works by downloading a list of all exit nodes using the Stem API, then creating a unique password for each fingerprint and using that password to log into the domain. All of this is of course saved to a file so I can later go back and see which fingerprint used which password.

The PHP login also saved every login attempt with the username, password, user agent, IP and time used. The Python script uses the Tor Browser Bundle's user agent.

The front page was copied from a legit bitcoin provider but heavily modified. Because the front page also had a login form, there was a public announcement in the index saying that we're moving all the bitcoins to our wallets, so you can't log in yet.

The Python script also tries to look legit by first visiting the index page, sleeping for 1-4 seconds, and then navigating to the admin page and logging in with the unique password, the username "admin" and the captcha. So it looks like this in the access log (IP removed):

UA=Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0

[17/Jun/2015:21:38:01 -0400] "GET / HTTP/1.1" 200 1151 "-" "UA"
[...]Snip (GET on all the CSS, images and scripts on the frontpage)
[17/Jun/2015:21:38:08 -0400] "GET / HTTP/1.1" 200 593 "-" "UA"
[17/Jun/2015:21:38:15 -0400] "POST /adminlogin.php HTTP/1.1" 200 1151 "-" "UA"
[...]Snip (GET on all the CSS, images and scripts in the admin panel)
Here's an example of a sniffing node:
f88824b8b4sbtc- - Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 - 2015-06-04 - 06:44:25
f88824b8b4sbtc- - Mozilla/5.0 (Windows NT 6.3; rv:38.0) Gecko/20100101 Firefox/38.0 - 2015-06-04 - 07:59:21
All of this is of course done over HTTP so that the exit node can see the traffic. The POST data was:

The bottom line is that it needs to look legit in a PCAP, and I think it did.
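As an added example (not the BADONIONS project's own script), here is how the pieces described above fit together in Python: a per-fingerprint password built with binascii.b2a_hex and the "sbtc" suffix, the PHP side's "any password ending in sbtc" acceptance rule, and the offline pass over the login log that finds a password used more than once and names the fingerprint it was issued to. The fingerprint names are placeholders (the post does not list them), the log layout is assumed from the two lines quoted above, and all log lines except those two are constructed.

```python
import binascii
import os
import re
from collections import defaultdict

# Added example, not the project's own code. Fingerprint names are
# placeholders; the log layout is assumed from the two lines quoted in the post.

SUFFIX = "sbtc"

def make_password():
    """Ten hex characters (five random bytes through b2a_hex) plus the suffix."""
    return binascii.b2a_hex(os.urandom(5)).decode("ascii") + SUFFIX

def accepts(password):
    """The PHP side's rule as described: any password ending in the suffix logs in."""
    return password.endswith(SUFFIX)

def issue_passwords(fingerprints):
    """Return {password: fingerprint}, one fresh password per exit fingerprint."""
    issued = {}
    for fp in fingerprints:
        pw = make_password()
        while pw in issued:          # 2^40 space; a collision is practically impossible
            pw = make_password()
        issued[pw] = fp
    return issued

# "<password>- - <user agent> - <YYYY-MM-DD> - <HH:MM:SS>", as in the quoted lines
LOG_LINE = re.compile(
    r"^(?P<password>\S+)- - (?P<ua>.+) - (?P<date>\d{4}-\d{2}-\d{2}) - (?P<time>\d{2}:\d{2}:\d{2})$"
)

def parse_log(text):
    """Parse the login log; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def analyse(log_text, issued):
    """Group logins by password. A password handed to exactly one fingerprint
    but seen more than once was replayed by someone other than the probe."""
    by_password = defaultdict(list)
    for e in parse_log(log_text):
        by_password[e["password"]].append(e)

    report = {"reused": {}, "single_use": 0, "wrong_password": 0, "unknown_accepted": 0}
    for pw, logins in by_password.items():
        if not accepts(pw):
            report["wrong_password"] += len(logins)    # rejected by the suffix rule
            continue
        if pw not in issued:
            report["unknown_accepted"] += len(logins)  # valid suffix, never handed out
            continue
        logins.sort(key=lambda e: (e["date"], e["time"]))
        if len(logins) == 1:
            report["single_use"] += 1
        else:
            # the earliest login is the probe's own; everything after it is the replay
            report["reused"][issued[pw]] = logins[1:]
    return report

# Constructed mapping: placeholder fingerprints for two issued passwords.
ISSUED = {
    "f88824b8b4sbtc": "FINGERPRINT_A_PLACEHOLDER",
    "0123456789sbtc": "FINGERPRINT_B_PLACEHOLDER",
}

# First two lines are the ones quoted in the post; the rest are constructed.
SAMPLE_LOG = """\
f88824b8b4sbtc- - Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 - 2015-06-04 - 06:44:25
f88824b8b4sbtc- - Mozilla/5.0 (Windows NT 6.3; rv:38.0) Gecko/20100101 Firefox/38.0 - 2015-06-04 - 07:59:21
0123456789sbtc- - Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 - 2015-06-04 - 06:50:02
hunter2- - curl/7.38.0 - 2015-06-05 - 01:02:03
"""

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG, ISSUED)
    for fp, replays in result["reused"].items():
        for e in replays:
            print(f"{fp} reused its password at {e['date']} {e['time']} with UA {e['ua']}")
    print(f"clean: {result['single_use']}, wrong password: {result['wrong_password']}")
```

The second quoted line, with a different Firefox build than the probe's Tor Browser user agent, is what marks the fingerprint as a sniffer: the password was only ever sent once, through that exit, so a second login with it can only come from someone who saw the cleartext POST. Sorting by timestamp and keeping everything after the first login is what separates the probe's own visit from the replay.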


137,319 Exit nodes tested over 32 days.*

99,271 Successfully tested exit nodes.**

137,981 Total page visits.***

16 Instances of multiuse of a unique password.

12 Logins with wrong password.

27.4 GiB uploaded and 21.5 GiB sent through Tor.

(*) This number does not show the total number of uniquely tested exit nodes, just how many fingerprints were tested. Every node was tested around 95 times (there are around 1,400 exit nodes).

(**) The number is lower than the total because some nodes timed out, did not allow POST requests on port 80 and/or were offline.

(***) Does not include robots, spiders and/or crawlers. Even though the website disallowed indexing, some spiders found it. This number is calculated only from Tor IPs, so it's possible that a crawler used Tor for its connection; if that's the case it is included, and the real number should be lower.


G = Guard

  • was using password d25799f05fsbtc 2 times!
  • (G) was using password 105fa77052sbtc 2 times!
  • was using password 09ac7f6731sbtc 2 times!
  • was using password 17643fec94sbtc 2 times!
  • was using password 2bfea92deesbtc 2 times!
  • was using password 32a244ff44sbtc 2 times!
  • was using password a43dce8b07sbtc 2 times!
  • was using password b25ba441adsbtc 2 times!
  • was using password e082d1f137sbtc 2 times!
  • was using password e70103ddc2sbtc 2 times!
  • was using password ddb7f96f8csbtc 2 times!
  • was using password f88824b8b4sbtc 2 times!
  • was using password 485038d86esbtc 2 times!
  • (G) was using password 1962b91610sbtc 2 times!
  • was using password 7c2dd2d40dsbtc 2 times!

Total: 15 fingerprints

Future work

I both want and need to continue this research. There are some things that need to be fixed:

  • An open framework for easily setting up your own phishing site.
  • A third-party service that offers bad-exit listings based on my work (in progress).
  • More people involved in the work (people who can set 'Bad exit').
  • More methods (read more).
  • Easier contact with the Tor Project people.
  • More websites need to use HTTPS with a solid configuration (HSTS, good ciphers, etc.).

If you want to support my work please send me an email. Verify the message below on my Keybase.

Hash: SHA512

If you want to help, please do and publish your research. If you want to help me you're free to do so by donating money for phishing domains and servers that run the webserver.

Please contact me at: [email protected]
Public key:
BTC: 1AQ5R6pjdG92NBZeVR7mErm1TUra3Uh2Xh
Version: Keybase OpenPGP v2.0.8



In conclusion, we can see that there is passive MITM going on in the Tor network. It is done by setting up a fully functional, trustworthy-looking exit node and then sniffing. Tools such as exitmap can only detect whether a node is misconfigured or manipulating traffic, but with BADONIONS you can, with some luck, find nodes that sniff traffic and actively use what they capture.

We can also see that nodes that have been running long enough to earn the "Guard" flag also sniff traffic.

We can also see that not all of them use the logins; some just visit the website. This indicates that they are sniffing but do not use the captured credentials. So by using Tor you are drawing attention to your site.

Tor, independent security researchers and website owners all need to work towards a safer Internet. In 32 days I've found 15 instances where a node was sniffing and using my credentials, and over 650 unique page visits, which means that others sniff as well. We need more people involved in this project, and hopefully we'll see an improvement from here on.

Special thanks