Hacking the Tor Control Protocol

Peter Kacherginsky
8 min readOct 3, 2009

Every installation of Tor includes a server and communication protocol used to control all aspects of client’s operation.

First enable the control port, which is disabled by default. There are several ways we can enable it:

  • Edit torrc configuration file (normally located in /etc/tor/torrc on unix systems). Uncomment ControlPort line as follows:
## The port on which Tor will listen for local connections from Tor
## controller applications, as documented in control-spec.txt.
ControlPort 9051
  • Enable control port using --controlport flag:
tor --controlport 9051

Connecting to Control Port

Once control port is enabled, we can connect to it using any telnet client:

$ telnet localhost 9051

As soon as you connect you must authenticate using predifined password hash which is ""by default. You may change control port password by editing HashedControlPassword line in torrc configuration file. Use authenticate keyword to login.

authenticate "" 
250 OK

Tor Control Commands

Viewing and Setting configuration variables

Tor depends on several configuration variables which can be viewed and changed. Most of these variables are set in torrc file, but you can override them at run time.



Peter Kacherginsky

Blockchain Security, Malware Analysis, Incident Response, Pentesting, BlockThreat.net