Categories: Kali Linux

Tallow – Transparent Tor for Windows

Tallow is a small program that redirects all outbound traffic from a Windows machine via the Tor anonymity network. Any traffic that cannot be handled by Tor, e.g. UDP, is blocked. It also intercepts and handles DNS requests preventing potential leaks.

Tallow has several applications, including:

  1. “Tor-ifying” applications there were never designed to use Tor
  2. Filter circumvention — if you wish to bypass a local filter and are not so concerned about anonymity
  3. Better-than-nothing-Tor — Some Tor may be better than no Tor.

Note that, by itself, Tallow is not designed to be a complete strong anonymity solution. See the warnings below.

Also Read Mail Password Sniffer – Tool To Recover Mail Passwords Passing Through The Network

Tallow Technical

It uses the following configuration to connect to the Internet:

+-----------+        +-----------+        +----------+
|    PC     |------->|    TOR    |------->|  SERVER  |
|  a.b.c.d  |<-------|  a.b.c.d  |<-------|  x.y.z.w |
+-----------+        +-----------+        +----------+

Here (a.b.c.d) represents the local address, and (x.y.z.w) represents a remote server.

It uses WinDivert to intercept all traffic to/from your PC. Tallow handles two main traffic types: DNS traffic and TCP streams.

DNS queries are intercepted and handled by Tallow itself. Instead of finding the real IP address of a domain, Tallow generates a pseudo-random “fake” domain (in the range 44.0.0.0/24) and uses this address in the query response. The fake-IP is also associated with the domain and recorded in a table for later reference. The alternative would be to look up the real IP via the Tor (which supports DNS). However, since Tallow uses SOCKS4a the real IP is not necessary. Handling DNS requests locally is significantly faster.

TCP connections are also intercepted. Tallow “reflects” outbound TCP connects into inbound SOCKS4a connects to the Tor program. If the connection is to a fake-IP, it looks up the corresponding domain and uses this for the SOCKS4a connection. Otherwise the connection is blocked (by default) or a SOCKS4 direct connection via Tor is used. Connecting TCP to SOCKS4(a) is possible with a bit of magic (see redirect.c).

All other traffic is simply blocked. This includes all inbound (non-Tor) traffic and outbound traffic that is not TCP nor DNS. In addition, it blocks all domains listed in the hosts.deny file. This includes domains such as Windows update, Windows phone home, and some common ad servers, to help prevent Tor bandwidth wastage. It is possible to edit and customize your hosts.deny file as you see fit.

Note that it does not intercept TCP ports 9001 and 9030 that are used by Tor. As a side-effect, Tallow will not work on any other program that uses these ports.

Warnings

Currently Tallow makes no attempt to anonymize the content of traffic sent through the Tor network. This information may be used to de-anonymize you. It should not be relied on for strong anonymity unless you know what you are doing.

R K

Recent Posts

Flyphish : Mastering Cloud-Based Phishing Simulations For Security Assessments

Flyphish is an Ansible playbook allowing cyber security consultants to deploy a phishing server in…

16 hours ago

DeLink : Decrypting D-Link Firmware Across Devices With A Rust-Based Library

A crypto library to decrypt various encrypted D-Link firmware images. Confirmed to work on the…

16 hours ago

LLM Lies : Hallucinations Are Not Bugs, But Features As Adversarial Examples

LLMs (e.g., GPT-3.5, LLaMA, and PaLM) suffer from hallucination—fabricating non-existent facts to cheat users without…

16 hours ago

Kali Linux 2024.4 Released, What’s New?

Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…

6 days ago

Lifetime-Amsi-EtwPatch : Disabling PowerShell’s AMSI And ETW Protections

This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…

6 days ago

GPOHunter – Active Directory Group Policy Security Analyzer

GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…

1 week ago