Hacking the Tor Control Protocol

Peter Kacherginsky
8 min readOct 3, 2009

Every installation of Tor includes a server and communication protocol used to control all aspects of client’s operation.

First enable the control port, which is disabled by default. There are several ways we can enable it:

  • Edit torrc configuration file (normally located in /etc/tor/torrc on unix systems). Uncomment ControlPort line as follows:
## The port on which Tor will listen for local connections from Tor
## controller applications, as documented in control-spec.txt.
ControlPort 9051
  • Enable control port using --controlport flag:
tor --controlport 9051

Connecting to Control Port

Once control port is enabled, we can connect to it using any telnet client:

$ telnet localhost 9051

As soon as you connect you must authenticate using predifined password hash which is ""by default. You may change control port password by editing HashedControlPassword line in torrc configuration file. Use authenticate keyword to login.

authenticate "" 
250 OK

Tor Control Commands

Viewing and Setting configuration variables

Tor depends on several configuration variables which can be viewed and changed. Most of these variables are set in torrc file, but you can override them at run time.

getconf — get a value stored in a configuration variable.

getconf controlport 250 ControlPort=9051

setconf — set configuration variables. Most of them can be set in torrc file; however, there are several variables (e.g. __DisablePredictedCircuits) which can only be set through through control interface.

setconf controlport=9051 250 OK

resetconf — reset configuration variable to its default value.

resetconf controlport 250 OK getconf controlport 250 ControlPort=0

saveconf — save current configuration values to torrc file. Special values such as __DisablePredictedCircuits will not be saved. For a complete listing of configuration variables that you can view or set issue the following command:

getinfo config/names

Viewing Logs

Peter Kacherginsky

Blockchain Security, Malware Analysis, Incident Response, Pentesting, BlockThreat.net