A security researcher spent a month looking for bad Tor exit nodes by setting up a honeypot website with a fake login page, in order to find the nodes that sniff traffic and attempt to steal passwords. This is very dangerous for those who depend completely on Tor Browser.

Tor protects its users by bouncing their communications around a distributed network of relays run by volunteers all around the world; the test targeted relays that try to steal usernames and passwords. Chloe wrote in a blog post:

“A few weeks ago I got the idea of testing how much sniffing is going on in the Tor network by setting up a phishing site where I log in with a unique password and then store them. I do this with every exit node there is and then see if a password has been used twice; if that’s the case I know which node was sniffing the traffic.”

According to the researcher, he bought a domain with a tempting name (such as bitcoinbuy), created a sub-domain (admin.) using a vhost, and set up a simple login page.

He used a simple login script that accepted any password ending with “sbtc”. For each exit node he created a random password ending with “sbtc” (e.g. d25799f05fsbtc) and submitted it through that node.

The script also saves both failed login attempts and successful logins to a file, along with the user agent, IP and time. This helps him find the bad nodes.
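The replay check described above, as an added example (not the researcher's script): it applies the "ends with sbtc" rule and flags the exit node whose single-use password shows up a second time. The exit labels, IPs, user agents, timestamps and every password other than the article's sample one are constructed.

```python
from collections import defaultdict

SUFFIX = "sbtc"  # per the article: any password ending in "sbtc" is accepted

def login_ok(password):
    """Acceptance rule of the honeypot login page as the article describes it."""
    return len(password) > len(SUFFIX) and password.endswith(SUFFIX)

def find_sniffing_exits(issued, log):
    """issued: password -> exit node it was sent through (one password per exit).
    log: (timestamp, source_ip, user_agent, password) rows saved by the login page.
    Returns (replayed logins keyed by exit node, failed attempts)."""
    seen, failed = set(), []
    replays = defaultdict(list)
    for ts, ip, ua, pw in sorted(log):  # ISO timestamps sort chronologically
        if not login_ok(pw):
            failed.append((ts, ip, ua))
        elif pw in issued and pw not in seen:
            seen.add(pw)  # first use is the tester's own probe
        else:
            # A single-use password came back: the exit that carried it is the suspect.
            replays[issued.get(pw, "unattributed")].append((ts, ip, ua))
    return dict(replays), failed

# Constructed sample data (exit labels are placeholders, IPs are documentation ranges).
ISSUED = {
    "d25799f05fsbtc": "EXIT-A",
    "91ab03c7e2sbtc": "EXIT-B",
    "77f0c1d9a4sbtc": "EXIT-C",
}
LOG = [
    ("2000-01-01T10:00:00", "192.0.2.10", "probe/1.0", "d25799f05fsbtc"),
    ("2000-01-01T10:01:00", "192.0.2.11", "probe/1.0", "91ab03c7e2sbtc"),
    ("2000-01-01T10:02:00", "192.0.2.12", "probe/1.0", "77f0c1d9a4sbtc"),
    ("2000-01-02T03:15:00", "203.0.113.50", "Mozilla/5.0", "91ab03c7e2sbt"),
    ("2000-01-02T03:16:00", "203.0.113.50", "Mozilla/5.0", "91ab03c7e2sbtc"),
]

if __name__ == "__main__":
    replays, failed = find_sniffing_exits(ISSUED, LOG)
    for exit_node, hits in replays.items():
        print(exit_node, "password reused:", hits)
    print("failed attempts:", failed)
```

Attribution only works because each password crosses exactly one exit and the login page is served in a way that exit can read; a password reused across exits would make a replay ambiguous.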

“The results are not so surprising, but what is most surprising about this is that 2 nodes with the ‘guard’ flag had logged in twice. Also, none of these nodes has been flagged even though I reported them to Tor,” the researcher said in his blog.

He released the results of the test: he tested more than 130k exit nodes within 32 days and found 12 failed login attempts and 16 successful logins that had not come from the researcher.

