Azunyan1111

Reputation: 21

How can I know the IP address of Tor route?

I am a college student who is conducting Tor research at a Japanese university.

How can I display the IP address of the route as shown in the picture?


I suspect I need to do some operations from the control port.

Upvotes: 2

Views: 4483

Answers (1)

drew010

Reputation: 69937

The way that works is a bit tricky. Tor will create different circuits when it starts up and SOCKS requests will use a circuit it finds suitable.

The Tor browser (powered by TorButton) has special domain isolation functionality where it proxies requests for a specific domain:port combination through an isolated circuit by using credentials with Tor's SOCKS proxy. This is how you can have two tabs open in the Tor Browser, and visit two different domains and have different IP addresses for each site (because each tab is using a completely different circuit).

To accomplish what you're trying to do, you'll need to mimic this behavior.

Here is a proof of concept to get you started.

  • Start Tor
  • Connect to Tor's control port
  • Start listening for STREAM events (SETEVENTS STREAM)
  • Issue a SOCKS request through Tor using proxy credentials (it will work best if the username is the domain:port combo for the site you are connecting to, and a random password you will use for each subsequent request to this domain)
  • Monitor the stream events for the SENTCONNECT event matching your domain target and extract the circuit ID from the event.
  • Send a GETINFO circuit-status command to the controller for the list of circuits, and the circuit path will be present with the circuit ID from the previous step.

This will get you the nodes you are relaying through, which you can then fetch info for to get the relay names and addresses.

Expanding on the PoC above, here is example output you could expect to see.

Connect to controller and listen for events

AUTHENTICATE "password"
250 OK
SETEVENTS STREAM
250 OK

Issue a request with proxy credentials

curl --socks5-hostname localhost:9050 \
-U "torproject.org%3A443:randomPasswordHere" \
https://torproject.org/donate

The proxy username is torproject.org:443 which is the domain and port we are requesting. randomPasswordHere is the password.

Monitoring the STREAM events

When the above request goes through, some events will be sent by the controller.

Example:

650 STREAM 153 NEW 0 torproject.org:443 SOURCE_ADDR=127.0.0.1:45508 PURPOSE=USER
650 STREAM 153 SENTCONNECT 38 torproject.org:443
650 STREAM 153 REMAP 38 154.35.132.71:443 SOURCE=EXIT
650 STREAM 153 SUCCEEDED 38 154.35.132.71:443
650 STREAM 153 CLOSED 38 154.35.132.71:443 REASON=DONE

The event we are interested in is the SENTCONNECT event where the target is the domain port combination we requested.

The format for these events is:

"650" SP "STREAM" SP StreamID SP StreamStatus SP CircuitID SP Target
          [SP "REASON=" Reason [ SP "REMOTE_REASON=" Reason ]]
          [SP "SOURCE=" Source] [ SP "SOURCE_ADDR=" Address ":" Port ]
          [SP "PURPOSE=" Purpose]
          CRLF

Applying that knowledge to the above data, 153 is the stream ID, 38 is the circuit ID we are interested in, torproject.org:443 is the target we requested.

Get circuit-status data

Now knowing the circuit ID our request used, we can pull circuit information to find the path the request took from the network.

GETINFO circuit-status
250+circuit-status=
38 BUILT $9E1E4F5B5F94812D02C4D18CB4086CE71CA5C614~torpidsDEhetzner1,$F0D264435B31F70FEFB322794E93211A8419F890~ANGRYRONIN,$79E169B25E4C7CE99584F6ED06F379478F23E2B8~MilesPrower BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL TIME_CREATED=2018-06-14T17:26:38.216992 SOCKS_USERNAME="torproject.org:443" SOCKS_PASSWORD="randomPasswordHere"
.
250 OK

You will see other circuits here, but I omitted them for simplicity.

38 is the circuit ID we are interested in, so you can parse the circuit information to find that the relay torpidsDEhetzner1 is the guard, ANGRYRONIN is the middle, and MilesPrower is the exit. Double check that the SOCKS_USERNAME and SOCKS_PASSWORD fields are present and match those from the request to ensure you have the right circuit.

Getting relay info

You can then issue various commands to the controller to get info about the relays.

GETINFO ns/id/79E169B25E4C7CE99584F6ED06F379478F23E2B8
250+ns/id/79E169B25E4C7CE99584F6ED06F379478F23E2B8=
r MilesPrower eeFpsl5MfOmVhPbtBvN5R48j4rg axOufc4UeKsDqI/SrNiH31jyB1Y 2018-06-14 05:38:34 62.210.129.246 443 80
s Exit Fast Guard Running Stable V2Dir Valid
w Bandwidth=8170
.
250 OK

From there you can extract the IP address and information about the relays in the circuit.

Further reading:

Libraries like stem (Python) or TorUtils (PHP) (disclosure: I am the author of PHP TorUtils) can help with communicating with the Tor control protocol.

I hope this helps!

Upvotes: 1
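
The parsing steps from the answer above, as an added Python example that is not part of the original answer and not code from stem or TorUtils. It runs over the STREAM events and circuit-status line quoted in the answer, plus one constructed decoy circuit; the function names are hypothetical.

```python
import re

# Controller output quoted in the answer above, plus one constructed decoy circuit.
STREAM_EVENTS = [
    "650 STREAM 153 NEW 0 torproject.org:443 SOURCE_ADDR=127.0.0.1:45508 PURPOSE=USER",
    "650 STREAM 153 SENTCONNECT 38 torproject.org:443",
    "650 STREAM 153 REMAP 38 154.35.132.71:443 SOURCE=EXIT",
]
CIRCUIT_STATUS = [
    "41 BUILT $" + "A" * 40 + "~decoyRelay PURPOSE=GENERAL",  # constructed, no credentials
    "38 BUILT $9E1E4F5B5F94812D02C4D18CB4086CE71CA5C614~torpidsDEhetzner1,"
    "$F0D264435B31F70FEFB322794E93211A8419F890~ANGRYRONIN,"
    "$79E169B25E4C7CE99584F6ED06F379478F23E2B8~MilesPrower "
    "BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL "
    'SOCKS_USERNAME="torproject.org:443" SOCKS_PASSWORD="randomPasswordHere"',
]
# A path hop is "$" + 40 hex digits, optionally followed by "=" or "~" and a nickname.
HOP = re.compile(r"\$([0-9A-F]{40})(?:[=~](\w+))?$")


def circuit_for_target(events, target):
    """Circuit ID from the SENTCONNECT event whose Target equals `target`, else None."""
    for line in events:
        f = line.split()
        if len(f) >= 6 and f[:2] == ["650", "STREAM"] and f[3] == "SENTCONNECT" and f[5] == target:
            return f[4]
    return None


def circuit_path(status_lines, circ_id, user, password):
    """[(fingerprint, nickname), ...] guard first, only if the SOCKS credentials match."""
    for line in status_lines:
        f = line.split()
        if len(f) < 3 or f[0] != circ_id or f[1] != "BUILT":
            continue
        kv = dict(re.findall(r'(\w+)="([^"]*)"', line))
        if (kv.get("SOCKS_USERNAME"), kv.get("SOCKS_PASSWORD")) != (user, password):
            raise ValueError("circuit %s lacks the expected SOCKS credentials" % circ_id)
        return [HOP.match(h).groups() for h in f[2].split(",")]
    return None


def exit_lookup_command(target, user, password):
    """Build the GETINFO ns/id/<fingerprint> command for the exit relay of our circuit."""
    cid = circuit_for_target(STREAM_EVENTS, target)
    path = circuit_path(CIRCUIT_STATUS, cid, user, password) if cid else None
    return "GETINFO ns/id/" + path[-1][0] if path else None
```

The credential check raises instead of returning a path, so a circuit ID that was reused or misread is not silently reported as the route for the request.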
