exitmap is a fast and extensible Python-based scanner for
Tor exit relays. Modules implement tasks that
are then run over (a subset of) all exit relays. If you have a background in
functional programming, think of exitmap as a map() interface for Tor exit
relays. In practice, exitmap is useful to monitor the reliability and
trustworthiness of exit relays; exitmap is used to check for false negatives
on the Tor Project's check service and to find
malicious exit relays. It is
quite easy to develop new modules for exitmap; just have a look at the file
HACKING in the doc/ directory, or check out one of the existing modules.
exitmap uses Stem to create circuits to all
given exit relays, and as soon as tor notifies exitmap of an established
circuit, a module is invoked for the newly established circuit. Modules can be
pure Python scripts or external programs. For external programs,
torsocks is necessary.
Finally, note that exitmap is not meant to be run by ordinary Tor users. The
Tor Project is already running the tool on a regular basis. More exitmap
users means more stress on the network. The only reason it is publicly
available is because its source code and design might be of interest to some.
exitmap uses the library Stem to communicate with Tor. On Debian jessie
and newer, you can install Stem by executing:
# apt-get install python-stem
Alternatively, you can install Stem using pip:
$ pip install -r requirements.txt
You can run exitmap with the checktest module by executing:
$ ./bin/exitmap checktest
If you want to use a static first hop, execute:
$ ./bin/exitmap --first-hop CCEF02AA454C0AB0FE1AC68304F6D8C4220C1912 checktest
To run the same test over German exit relays only, execute:
$ ./bin/exitmap --country DE --first-hop CCEF02AA454C0AB0FE1AC68304F6D8C4220C1912 checktest
If you want to pause for five seconds in between circuit creations in order to reduce the load on the Tor network and the scanning destination, execute:
$ ./bin/exitmap --build-delay 5 checktest
Note that
CCEF02AA454C0AB0FE1AC68304F6D8C4220C1912
is a relay run by Karlstad University. While you can feel free to use it,
please use your own relays in order to distribute the scanning load. If you do
not specify a first hop, exitmap will randomly select first hops, one for
each circuit.
To get an overview of exitmap's options, execute:
$ ./bin/exitmap --help
exitmap comes with the following modules.
testfds: Tests if an exit relay is able to fetch the content of a simple web page. If an exit relay is unable to do that, it might not have enough file descriptors available.checktest: Attempts to find false negatives in the Tor Project's check service.dns: Attempts to resolve several domains and compares the received A records to the expected records.patchingCheck: Checks for file tampering.
Our research paper also discusses an HTTPS, XMPP, IMAPS, SSH, and an sslstrip module. We decided not to publish these modules since they would likely help attackers more than security researchers. Having said that, we are willing to share these modules in private.
By default, exitmap tries to read the file .exitmaprc in your home directory.
The file can have the following format.
[Defaults]
first_hop = CCEF02AA454C0AB0FE1AC68304F6D8C4220C1912
verbosity = debug
build_delay = 1
Don't like exitmap? Then have a look at
tortunnel,
SoaT,
torscanner, or
DetecTor.
Contact: Philipp Winter phw@nymity.ch
OpenPGP fingerprint: B369 E7A2 18FE CEAD EB96 8C73 CF70 89E3 D7FD C0D0