Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Active and Passive TOR Detection

Tenable's research group has recently released several updated plugins for both the Nessus scanner and Passive Vulnerability Scanner to detect Tor in operation and waiting for connections.

Tor is a self organizing peer-to-peer network application. It encrypts network communications and also randomly spreads it across other Tor nodes to prevent traffic analysis.

Tor can be used for anonymous network browsing. It has recently been reported as being used by the Storm worm to connect to other potential victims as well as obtain command and control instructions.

Hostile "Tor users" have been running a Tor network "end node" in order to monitor and sniff unencrypted exit traffic for sensitive information.

Detecting Tor

Nessus plugin #26026 (currently available to Direct Feed customers) can be used to scan a network for systems configured as a Tor server.

For the Passive Vulnerability Scanner, several plugins exist

  • 2542 - Tor Tunnel Detection (detects on start of Tor communication)
  • 2543 - Tor Tunnel Detection (detect ongoing Tor communication)
  • 4212 - Tor Tunnel 'End Point' Server Detection

When analyzing a network that contains Tor applications, you should ask yourself the following questions:

  • Does carrying this anonymous traffic expose my network to risk?
  • Does the presence of Tor indicate that the network has been compromised?
  • Has there been an increase in the amount of virus, IDS or other types of alerts from the systems running the Tor software?
  • Does the host running Tor consume noticeable network bandwidth?
  • Does Tor open up any unauthorized or un-auditable connections into our network?

Below is a screen shot of a node discovered to be running Tor as viewed under the Security Center. This particular host also has a version of Firefox which is fairly outdated.


This site also was running the Log Correlation Engine with a Tenable Network Monitor. When viewing the last 25 days of network connections from this node, several were made to ports in the 9000-9100 range which is common for Tor communication. Below is a bar chart port summary of all TCP and UDP network connections.


This discovered Tor node was a client. If it were a Tor end server, the Log Correlation Engine and Tenable Network Monitor agent could have been used to analyze all "outbound" network connections.

For More Information

Nessus active network scans do not discover clients with installed Tor software. Tor clients don't have open ports which can be identified with traditional network connection requests and fingerprints.

If this is a requirement, consider performing a credentialed network scan and enumerate the installed software. Keep in mind that if you want to find out this sort of information in real time, you should use a network IDS or monitor the network with the Passive Vulnerability Scanner.

For other thoughts on passive network monitoring, we've blogged before about several different methods such as watching for new ports being browsed on, detecting network proxies and monitoring traffic for known and unknown encryption.

Subscribe to the Tenable Blog