
How secure and anonymous is the --tor parameter in Sqlmap?

Does it really send every request over Tor and does it have any IP/DNS/STUN requests leak loopholes?

forest
UndercoverDog
  • I think if you truly need anonymity it would make sense to use Sqlmap on, for example, Tails (the amnesic OS), if the default configuration doesn't prevent you from using the program itself, that is... – Sir Muffington Apr 07 '22 at 19:56
  • @SirMuffington Nearly any utility that uses TCP will work on Tails. – forest Apr 07 '22 at 21:22

1 Answer


It appears to use Tor correctly, from what I can see in the source code. You have to be running a Tor daemon and have it configured correctly. If you don't use SOCKS5 (or SOCKS4a), you're opening yourself up to DNS leaks. This is because regular SOCKS4 does not support DNS. Make sure your sqlmap configuration file contains torType = SOCKS5. With that said, using --tor should provide strong anonymity as long as the Tor daemon is configured correctly, and barring any OPSEC mistakes.

The --check-tor option verifies that Tor is actually in use by going to a website run by the Tor Project which returns whether or not Tor is in use. The code is a bit sloppy as it just checks for the word "Congratulations" in the page, which is supposed to only be the case if Tor is in use. This could be improved, perhaps by trying to resolve the official Tor Project onion domain.

As for how it works, sqlmap is written in Python, so it just uses Python's networking code and sets it to use a proxy, with that proxy being exposed (presumably) on localhost by Tor itself. If you want to be extra safe, run it as a user with a firewall configured to block all traffic from that user, with access to the local SOCKS proxy port whitelisted. Some distros do this by default, like Tails.

forest
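As an added illustration of why the answer insists on SOCKS5 or SOCKS4a (this is not sqlmap's code or the answerer's, just a hand-built view of the three proxy request formats), the functions below build the CONNECT request each protocol puts on the wire to a local Tor SocksPort, so it is visible which ones carry the hostname and which force the client to resolve it locally first. The target hostname and the IPv4 address are constructed sample values.

```python
import socket
import struct

# Constructed sample values; 203.0.113.10 is a documentation-range address,
# not a real resolution of the hostname.
TARGET_HOST = "example.com"
TARGET_IPV4 = "203.0.113.10"

def socks4_request(ipv4: str, port: int, user: bytes = b"") -> bytes:
    """Plain SOCKS4 CONNECT (VN=4, CD=1). Only a 4-byte IPv4 address fits, so
    the client has to resolve the hostname itself before sending this, and
    that lookup goes to the local resolver, outside Tor: the DNS leak."""
    return struct.pack("!BBH4s", 4, 1, port, socket.inet_aton(ipv4)) + user + b"\x00"

def socks4a_request(host: str, port: int, user: bytes = b"") -> bytes:
    """SOCKS4a CONNECT: the bogus address 0.0.0.1 tells the proxy that a
    NUL-terminated hostname follows the user id, so Tor does the resolution."""
    header = struct.pack("!BBH4s", 4, 1, port, b"\x00\x00\x00\x01")
    return header + user + b"\x00" + host.encode("idna") + b"\x00"

def socks5_greeting() -> bytes:
    """SOCKS5 method negotiation: version 5, one method offered, 0x00 = no
    authentication, which a default local Tor SocksPort accepts."""
    return b"\x05\x01\x00"

def socks5_connect_request(host: str, port: int) -> bytes:
    """SOCKS5 CONNECT with ATYP=0x03 (domain name): the name travels inside
    the proxy request and Tor resolves it at the exit, never locally."""
    name = host.encode("idna")
    return struct.pack("!BBBBB", 5, 1, 0, 3, len(name)) + name + struct.pack("!H", port)

def leaks_dns(request: bytes, host: str) -> bool:
    """True when the hostname is absent from the proxy request, meaning the
    client must already have resolved it through its own (non-Tor) resolver."""
    return host.encode("idna") not in request

if __name__ == "__main__":
    for label, req in [
        ("SOCKS4 ", socks4_request(TARGET_IPV4, 80)),
        ("SOCKS4a", socks4a_request(TARGET_HOST, 80)),
        ("SOCKS5 ", socks5_connect_request(TARGET_HOST, 80)),
    ]:
        verdict = "DNS leak" if leaks_dns(req, TARGET_HOST) else "resolved by Tor"
        print(label, req.hex(), verdict)
```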
  • I read somewhere that like 40% of the exit nodes got hijacked by Russian intelligence agencies and similar entities with malicious intent; I think it should also be recommended to pick a known safe exit node if that's possible. – Sir Muffington Apr 08 '22 at 20:07
  • @SirMuffington What you read is nonsense. The latest major Sybil attack involved less than 10% of relays and was removed fairly quickly, and it was the largest and most aggressive one to date. – forest Apr 08 '22 at 20:07
  • It seems I'm a victim of fake news then... – Sir Muffington Apr 08 '22 at 20:08
  • @SirMuffington Or someone's wild speculation, perhaps. – forest Apr 08 '22 at 20:09
  • Why would you need to hijack the exit nodes when you can sit 2 or 3 hops away on a router and just sniff the traffic? The end result is the same. – dcom-launch Apr 11 '22 at 17:38
  • @dcom-launch In order to perform the most effective attacks, such as crypto tagging attacks, you have to actually control the exit, not just sit on its upstream. – forest Apr 11 '22 at 18:22