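#!/bin/bash
################################################################################
# TOR Traffic Verification Script
#
# Purpose: Verify that TeleBot is routing ALL traffic through TOR
# Usage:   sudo ./verify-tor-traffic.sh [duration_seconds]
# Output:  Report showing traffic analysis and TOR usage
#
# Requires root (packet capture, per-process socket listing) and the Linux
# tools tcpdump, ss, ip, pgrep, timeout, grep, awk and sort. All files are
# written root-only under OUTPUT_DIR.
#
# Security Level: CRITICAL
# Author: Mr Tickles, Security Consultant
# Date: 2025-10-01
################################################################################

set -euo pipefail

# Configuration
DURATION=${1:-60}   # Capture window in seconds (positional argument 1, default 60)
readonly OUTPUT_DIR="/tmp/telebot-tor-verification"
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
readonly TIMESTAMP
readonly REPORT_FILE="${OUTPUT_DIR}/tor-verification-${TIMESTAMP}.txt"
readonly PCAP_FILE="${OUTPUT_DIR}/traffic-${TIMESTAMP}.pcap"
readonly TOR_SOCKS_PORT=9050
readonly SUSPICIOUS_IPS_FILE="${OUTPUT_DIR}/suspicious-ips-${TIMESTAMP}.txt"

# The duration is passed to timeout(1); accept only a positive integer.
if [[ ! "$DURATION" =~ ^[1-9][0-9]*$ ]]; then
  printf 'Invalid duration "%s": expected a positive integer number of seconds\n' "$DURATION" >&2
  printf 'Usage: sudo %s [duration_seconds]\n' "$0" >&2
  exit 2
fi
readonly DURATION

# Colors for output
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m' # No Color

################################################################################
# Helper Functions
################################################################################

# Each log_* helper prints one tagged line to stdout and appends it to the
# report. printf '%s' is used for the message so that backslashes in paths or
# command output are never interpreted (echo -e would expand them).
log_info() {
  printf '%b[INFO]%b %s\n' "$BLUE" "$NC" "$*" | tee -a "$REPORT_FILE"
}

log_success() {
  printf '%b[✓]%b %s\n' "$GREEN" "$NC" "$*" | tee -a "$REPORT_FILE"
}

log_warning() {
  printf '%b[⚠]%b %s\n' "$YELLOW" "$NC" "$*" | tee -a "$REPORT_FILE"
}

log_error() {
  printf '%b[✗]%b %s\n' "$RED" "$NC" "$*" | tee -a "$REPORT_FILE"
}

#######################################
# Abort unless running as root. Writes to stderr only: the report directory
# does not exist yet when this runs.
#######################################
check_root() {
  if [[ $EUID -ne 0 ]]; then
    printf 'This script must be run as root (for tcpdump and ss -p)\n' >&2
    printf 'Usage: sudo %s [duration_seconds]\n' "$0" >&2
    exit 1
  fi
}

#######################################
# Create OUTPUT_DIR safely. The report and pcap contain connection metadata,
# so everything is created root-only, and a pre-existing symlink or a
# directory owned by someone else under /tmp is refused rather than written
# into as root.
# Globals: OUTPUT_DIR (read)
#######################################
prepare_output_dir() {
  umask 077
  if [[ -L "$OUTPUT_DIR" ]]; then
    printf 'Refusing to use %s: it is a symlink\n' "$OUTPUT_DIR" >&2
    exit 1
  fi
  mkdir -p -- "$OUTPUT_DIR"
  if [[ ! -d "$OUTPUT_DIR" || ! -O "$OUTPUT_DIR" ]]; then
    printf 'Refusing to use %s: not a directory owned by the current user\n' "$OUTPUT_DIR" >&2
    exit 1
  fi
  chmod 700 -- "$OUTPUT_DIR"
}

#######################################
# Verify every external command this script relies on is installed.
#######################################
check_dependencies() {
  local missing_deps=()
  local cmd
  for cmd in tcpdump ss ip pgrep timeout grep awk sort; do
    if ! command -v "$cmd" >/dev/null 2>&1; then
      missing_deps+=("$cmd")
    fi
  done
  if (( ${#missing_deps[@]} > 0 )); then
    log_error "Missing dependencies: ${missing_deps[*]}"
    # Command names are not package names (ss/ip come from iproute2, pgrep from procps).
    log_info "Install the packages that provide: ${missing_deps[*]} (e.g. tcpdump, iproute2, procps, coreutils)"
    exit 1
  fi
}

#######################################
# Print the PID of the first process whose command line contains "TeleBot".
# Returns: 0 and the PID on stdout, 1 if no such process exists.
#######################################
telebot_pid() {
  local pid
  # `|| true` covers both "no match" (pgrep exit 1) and head closing the pipe early.
  pid=$(pgrep -f -- "TeleBot" | head -1) || true
  [[ -n "$pid" ]] || return 1
  printf '%s\n' "$pid"
}

#######################################
# Print the `ss -tnp` rows (non-listening TCP sockets) that belong to PID $1.
# Matching on "pid=<n>," avoids the substring false positives of grep "$pid"
# (PID 123 matching PID 1234, a port, or an address).
# Arguments: $1 - PID
#######################################
process_connections() {
  ss -tnp | awk -v pid="$1" 'index($0, "pid=" pid ",")'
}

################################################################################
# TOR Service Checks
################################################################################

#######################################
# Check that the tor service is active and its SOCKS port is listening.
# Returns: 0 if both hold, 1 otherwise.
#######################################
check_tor_service() {
  log_info "Checking TOR service status..."
  if systemctl is-active --quiet tor; then
    log_success "TOR service is running"
  else
    log_error "TOR service is NOT running"
    systemctl status tor --no-pager || true
    return 1
  fi

  # Match the local port exactly: a plain ":9050" substring would also accept
  # :19050. awk reads all of ss's output, so no SIGPIPE trips pipefail.
  if ss -tln | awk -v p=":${TOR_SOCKS_PORT}" '$4 ~ (p "$") { found = 1 } END { exit !found }'; then
    log_success "TOR SOCKS5 proxy listening on port ${TOR_SOCKS_PORT}"
  else
    log_error "TOR SOCKS5 proxy NOT listening on port ${TOR_SOCKS_PORT}"
    return 1
  fi
}

#######################################
# Look for a recent "Bootstrapped 100%" line in tor's journal.
#######################################
check_tor_circuits() {
  log_info "Checking TOR circuits..."
  local tor_log
  # Capture first: `journalctl | grep -q` can kill journalctl with SIGPIPE when
  # grep exits early, and pipefail would then turn a match into a non-match.
  tor_log=$(journalctl -u tor --since "5 minutes ago" --no-pager 2>/dev/null) || true
  if grep -q -- "Bootstrapped 100%" <<<"$tor_log"; then
    log_success "TOR has established circuits"
  else
    log_warning "TOR may not have established circuits recently (no 'Bootstrapped 100%' in the last 5 minutes of its journal)"
  fi
}

################################################################################
# TeleBot Process Checks
################################################################################

#######################################
# Confirm TeleBot is running and has at least one socket to the SOCKS port.
# Returns: 0 if the process exists, 1 otherwise.
#######################################
check_telebot_process() {
  log_info "Checking TeleBot process..."
  local pid
  if ! pid=$(telebot_pid); then
    log_error "TeleBot is NOT running"
    return 1
  fi
  # pgrep -f matches any command line containing "TeleBot"; only the first hit is inspected.
  log_success "TeleBot is running (PID: $pid)"

  # Peer column ($5) of ss must end in ":<SOCKS port>".
  if process_connections "$pid" | awk -v p=":${TOR_SOCKS_PORT}" '$5 ~ (p "$") { found = 1 } END { exit !found }'; then
    log_success "TeleBot has active connections to TOR SOCKS5 proxy"
  else
    log_warning "TeleBot may not have active TOR connections yet"
  fi
}

################################################################################
# Network Traffic Capture and Analysis
################################################################################

#######################################
# Capture DURATION seconds of non-loopback, non-SSH traffic into PCAP_FILE.
# Returns: 0 when a capture file was produced, 1 when tcpdump failed.
#######################################
capture_traffic() {
  log_info "Capturing network traffic for ${DURATION} seconds..."
  log_info "Output: $PCAP_FILE"

  local rc=0
  # -Z root keeps tcpdump's privileges: distributions that build it to drop to
  # an unprivileged user cannot otherwise write into the root-only OUTPUT_DIR.
  # tcpdump's own diagnostics ("N packets captured") go to the report.
  timeout "$DURATION" tcpdump -i any -Z root -w "$PCAP_FILE" \
    'not (host 127.0.0.1 or host ::1) and not (port 22)' \
    >>"$REPORT_FILE" 2>&1 || rc=$?

  # 124 is timeout(1) ending the capture window; anything else is a real failure
  # that previously was swallowed by `|| true` and reported as a clean capture.
  if (( rc != 0 && rc != 124 )); then
    log_error "tcpdump exited with status $rc (see report for its output)"
    return 1
  fi
  if [[ ! -s "$PCAP_FILE" ]]; then
    log_error "Capture file is missing or empty: $PCAP_FILE"
    return 1
  fi
  log_success "Traffic capture complete"
}

#######################################
# List remote endpoints in the capture that belong neither to this host nor
# to the tor daemon's own relay connections. The capture is system-wide and
# cannot attribute packets to a process, so unattributed endpoints are a
# warning to be cross-checked against analyze_active_connections. (With -n,
# tcpdump prints only numeric addresses, so grepping for "telegram" or
# "http" in its output can never match.)
#######################################
analyze_traffic() {
  log_info "Analyzing captured traffic..."
  if [[ ! -s "$PCAP_FILE" ]]; then
    log_error "Capture file is missing or empty: $PCAP_FILE"
    return 0
  fi

  local total_packets
  total_packets=$(tcpdump -n -r "$PCAP_FILE" 2>/dev/null | wc -l)
  log_info "Packets in capture (all processes, non-loopback, non-SSH): $total_packets"

  # Addresses of this host: one side of every captured packet is local.
  local local_addrs
  local_addrs=$(ip -o addr show 2>/dev/null | awk '{ sub(/\/.*/, "", $4); print $4 }') || true

  # Remote peers of the tor daemon itself. This is a snapshot taken after the
  # capture; peers that were rotated out during the window may still show up.
  local tor_pid tor_peers=""
  tor_pid=$(pgrep -x tor | head -1) || true
  if [[ -n "$tor_pid" ]]; then
    tor_peers=$(process_connections "$tor_pid" \
      | awk '{ p = $5; sub(/:[^:]*$/, "", p); gsub(/\[|\]/, "", p); print p }' \
      | sort -u) || true
  else
    log_warning "Could not find the tor process; every remote endpoint will be reported as unattributed"
  fi

  local unattributed
  unattributed=$(tcpdump -n -r "$PCAP_FILE" 2>/dev/null \
    | awk -v locals="$local_addrs" -v peers="$tor_peers" '
        function host(s,    dots) {
          sub(/:$/, "", s)                  # tcpdump terminates the destination with ":"
          dots = gsub(/\./, ".", s)
          # "a.b.c.d.port" (4 dots) or "v6addr.port" carry a port; a bare IPv4 has 3 dots
          if (dots != 3 && s ~ /\.[0-9]+$/) sub(/\.[0-9]+$/, "", s)
          return s
        }
        BEGIN {
          n = split(locals, a, "\n"); for (i = 1; i <= n; i++) if (a[i] != "") known[a[i]] = 1
          n = split(peers, b, "\n");  for (i = 1; i <= n; i++) if (b[i] != "") known[b[i]] = 1
        }
        {
          # The IP/IP6 token is not at a fixed column: newer tcpdump prefixes interface and direction.
          for (i = 1; i <= NF - 3; i++) if (($i == "IP" || $i == "IP6") && $(i + 2) == ">") break
          if (i > NF - 3) next
          src = host($(i + 1)); dst = host($(i + 3))
          if (!(src in known)) seen[src] = 1
          if (!(dst in known)) seen[dst] = 1
        }
        END { for (h in seen) print h }' \
    | sort -u) || true

  if [[ -z "$unattributed" ]]; then
    log_success "All captured remote endpoints belong to the TOR daemon (no direct external traffic seen)"
  else
    local count
    count=$(printf '%s\n' "$unattributed" | wc -l)
    log_warning "Detected $count remote endpoint(s) not attributable to the TOR daemon"
    log_warning "(capture is system-wide: cross-check with the per-process connection analysis)"
    printf '%s\n' "$unattributed" > "$SUSPICIOUS_IPS_FILE"
    log_warning "Suspicious IPs saved to: $SUSPICIOUS_IPS_FILE"
  fi
}

#######################################
# Count port-53 packets in the capture. Loopback is excluded from the
# capture, so any hit left the host; the count is system-wide.
#######################################
analyze_dns_leaks() {
  log_info "Checking for DNS leaks..."
  if [[ ! -s "$PCAP_FILE" ]]; then
    log_error "Capture file is missing or empty: $PCAP_FILE"
    return 0
  fi

  local dns_queries
  dns_queries=$(tcpdump -n -r "$PCAP_FILE" 'port 53' 2>/dev/null | wc -l)
  if (( dns_queries == 0 )); then
    log_success "NO DNS leaks detected (DNS through TOR)"
  else
    log_error "Detected $dns_queries DNS queries - DNS LEAK!"
    log_error "DNS queries should go through TOR, not directly (capture is system-wide; any process may be the source)"
  fi
}

################################################################################
# Active Connection Analysis
################################################################################

#######################################
# Inspect TeleBot's current TCP sockets: count SOCKS connections and report
# any peer that is not loopback (i.e. a connection bypassing the proxy).
#######################################
analyze_active_connections() {
  log_info "Analyzing active connections..."
  local pid
  if ! pid=$(telebot_pid); then
    log_warning "TeleBot is not running; skipping active connection analysis"
    return 0
  fi

  local conns
  conns=$(process_connections "$pid") || true

  local tor_connections
  tor_connections=$(printf '%s\n' "$conns" | awk -v p=":${TOR_SOCKS_PORT}" 'NF && $5 ~ (p "$")' | wc -l)
  log_info "Active TOR SOCKS5 connections: $tor_connections"

  # Loopback peers (127/8, ::1, and the IPv4-mapped form) are the only ones
  # that can be going to the local SOCKS proxy; everything else is direct.
  local external
  external=$(printf '%s\n' "$conns" \
    | awk 'NF { peer = $5; sub(/:[^:]*$/, "", peer)
                if (peer !~ /^127\./ && peer !~ /^\[::1\]$/ && peer !~ /^\[::ffff:127\./) print }') || true

  if [[ -z "$external" ]]; then
    log_success "NO direct external connections (all through TOR)"
  else
    local external_conns
    external_conns=$(printf '%s\n' "$external" | wc -l)
    log_error "Detected $external_conns direct external connections!"
    log_error "These connections are NOT going through TOR:"
    printf '%s\n' "$external" | tee -a "$REPORT_FILE"
  fi
}

################################################################################
# Configuration Verification
################################################################################

#######################################
# Locate TeleBot's appsettings.json and check that EnableTor and UseTor are
# true. Only the first file found is inspected.
#######################################
verify_configuration() {
  log_info "Verifying TeleBot configuration..."

  local config_file
  config_file=$(find /opt /home /mnt -name "appsettings.json" -path "*/TeleBot/*" 2>/dev/null | head -1) || true
  if [[ -z "$config_file" ]]; then
    log_warning "Could not find appsettings.json for verification"
    return 0
  fi
  log_info "Found config: $config_file"

  local key
  for key in EnableTor UseTor; do
    # Anchor on the key's own value: '"Key".*true' would also match a later
    # key that is true on the same line (e.g. minified JSON).
    if grep -qE -- "\"${key}\"[[:space:]]*:[[:space:]]*true" "$config_file"; then
      log_success "Configuration: ${key} = true"
    else
      log_error "Configuration: ${key} is NOT set to true!"
    fi
  done
}

################################################################################
# Report Generation
################################################################################

#######################################
# Append the summary and verdict to the report, counting the [✓]/[⚠]/[✗]
# tags logged so far.
#######################################
generate_report() {
  log_info "Generating final report..."

  cat >> "$REPORT_FILE" << EOF

================================================================================
TOR TRAFFIC VERIFICATION REPORT
================================================================================

Timestamp: $(date)
Duration: ${DURATION} seconds
Report: $REPORT_FILE
PCAP: $PCAP_FILE

SUMMARY:
EOF

  # grep -c prints "0" and exits 1 when nothing matches, so `|| echo 0` used
  # to yield "0\n0" and break the numeric comparison below (a clean run was
  # reported as FAIL). Only a missing file yields no output; default that to 0.
  local total_checks warnings errors
  total_checks=$(grep -c -- "\[✓\]" "$REPORT_FILE" 2>/dev/null) || true
  warnings=$(grep -c -- "\[⚠\]" "$REPORT_FILE" 2>/dev/null) || true
  errors=$(grep -c -- "\[✗\]" "$REPORT_FILE" 2>/dev/null) || true
  : "${total_checks:=0}" "${warnings:=0}" "${errors:=0}"

  cat >> "$REPORT_FILE" << EOF
✓ Successful checks: $total_checks
⚠ Warnings: $warnings
✗ Errors: $errors

VERDICT:
EOF

  if (( errors == 0 && warnings == 0 )); then
    printf '%b✓ PASS%b - TeleBot is correctly routing ALL traffic through TOR\n' "$GREEN" "$NC" | tee -a "$REPORT_FILE"
  elif (( errors == 0 )); then
    printf '%b⚠ PASS WITH WARNINGS%b - Review warnings above\n' "$YELLOW" "$NC" | tee -a "$REPORT_FILE"
  else
    printf '%b✗ FAIL%b - TeleBot is NOT properly using TOR!\n' "$RED" "$NC" | tee -a "$REPORT_FILE"
    printf '%bCRITICAL SECURITY ISSUE - Location privacy compromised!%b\n' "$RED" "$NC" | tee -a "$REPORT_FILE"
  fi

  echo "" | tee -a "$REPORT_FILE"
  echo "Full report: $REPORT_FILE" | tee -a "$REPORT_FILE"
}

################################################################################
# Main Execution
################################################################################

main() {
  # Root and a safe output directory come first: every log_* helper appends
  # to the report inside OUTPUT_DIR.
  check_root
  prepare_output_dir

  echo ""
  echo "================================================================================"
  echo " TeleBot TOR Traffic Verification"
  echo "================================================================================"
  echo ""

  # Initialize report
  {
    echo "TeleBot TOR Traffic Verification Report"
    echo "Started: $(date)"
    echo ""
  } > "$REPORT_FILE"

  # Run checks
  check_dependencies
  check_tor_service || exit 1
  check_tor_circuits
  check_telebot_process || exit 1
  verify_configuration

  # Network analysis. A failed capture is logged as an error so the verdict
  # becomes FAIL instead of the pcap checks silently passing on a missing file.
  analyze_active_connections
  if capture_traffic; then
    analyze_traffic
    analyze_dns_leaks
  else
    log_error "Traffic capture failed; skipping pcap analysis"
  fi

  # Generate final report
  generate_report

  echo ""
  echo "================================================================================"
  echo "Verification complete. Review the full report:"
  echo "$REPORT_FILE"
  echo "================================================================================"
  echo ""
}

# Run main function
main "$@"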