Adding a Hidden Tor SSH service to a Microrouter

By Mason Taylor

This is a follow up to the previous article: “Weaponizing a micro router for penetration testing.”

This is how we deploy the GL.INET GL-USB150 in penetration tests to maintain a backdoor into a network.

I’m sure there are many other useful roles this can fill, such as home monitoring. I can’t wait to see what everyone else comes up with.

By setting this microrouter to be accessible via the Tor Network you can access it remotely, usually even if the router is deployed behind a firewall or cable modem.

As before:
Open the new dirt cheap GL-USB150 and plug it into your computer.
Wait 60 seconds for it to boot.
Go to http://192.168.8.1
Follow the instructions. Keep in mind that you want to set it to connect to the WiFi access point you will be using in the field. I use my phone’s tethering hotspot or the WiFi in my client’s building.

Let’s set up the ability to log in to this device via SSH without typing a password. To do that enter these commands into your Linux computer:

scp ~/.ssh/id_rsa.pub root@192.168.8.1:/etc/dropbear/authorized_keys
ssh root@192.168.8.1
You should be greeted with a new OpenWrt ash shell with this prompt

root@GL-USB150:~#

Allow ssh from anywhere quick and dirty style: (feel free to tell me a better way to do this in the comments below.)
service firewall disable
service firewall stop

Make sure we’re online.
ping google.com
If you get an error, then your not online. If your not online go to http://192.168.8.1 and make it join a WiFI network.
opkg update
opkg install tor

Next let’s get the tor config file set up:

echo "Log notice syslog
RunAsDaemon 1
DataDirectory /etc/tor/data/
HiddenServiceDir /etc/tor/other_hidden_service/
HiddenServicePort 22 127.0.0.1:22
User tor" > /etc/tor/torrc

Let’s setup the tor data directory.

mkdir /etc/tor/other_hidden_service/
mkdir /etc/tor/data/
chown -R tor /etc/tor
chmod 700 /etc/tor/other_hidden_service*
chown tor /etc/tor*
service tor enable
service tor start

Check to make sure our .onion hostname is stable:

cat /etc/tor/other_hidden_service/hostname

You should see something like this:

ad62y2ofdrre3rzq.onion

This is your new secret .onion address. Save this for later

reboot cat /etc/tor/other_hidden_service/hostname

It should be the same. If it’s the same now we know that it should be the same when deployed. OpenWRT has an issue in which it can change every reboot. But keeping the files in /etc should fix this.

Now to make our Linux desktop able to login remotely through tor via ssh. First Install tor and torify with this command:

sudo apt -y install tor

I haven’t figured out why, but it takes our microrouter at least 10 minutes for this service to be reachable through tor.

If it’s been plugged in for awhile give this command a shot:

torify ssh root@ad62y2ofdrre3rzq.onion

Note: Replace “ad62y2ofdrre3rzq.onion” with your .onion address. To find this enter this: cat /etc/tor/other_hidden_service/hostname

Now think of the possibilities of being able to deploy this $22 Linux device (from Amazon) anywhere that it can reach the Internet via WiFi and then being able to reach it, even through firewalls, cable modems and NAT routers. What could you do with this?