Didier Stevens

Saturday 20 January 2018

Quickpost: Data Exfiltration With Tor Browser And Domain Fronting

Filed under: Quickpost — Didier Stevens @ 23:46

Some notes, mainly for myself.

Installing the Tor Browser on Windows can be done without administrative rights.

Start the Tor Browser and configure it:

Meek is a Tor pluggable transport for domain fronting; I select Amazon for domain fronting:

Tor Browser supports proxies:

Then I can connect to the Tor network with TLS via an Amazon server:

And then go to a web site to exfiltrate data:

In the packet capture, I just see DNS requests for a0.awsstatic.com followed by a TLS connection:
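On the wire only the front name a0.awsstatic.com is visible; with domain fronting the real destination travels in the encrypted HTTP Host header. As an added example (not code from the original post), this Python check extracts the SNI from a TLS ClientHello and compares it with the inner Host header that a TLS-inspecting proxy would log. The function names, the sample ClientHello builder and the inner host `hidden.example` are constructed assumptions.

```python
import struct

def build_client_hello(server_name):
    """Constructed sample input: a minimal TLS ClientHello carrying only SNI."""
    name = server_name.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00"      # version, random, empty session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"    # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def sni_from_client_hello(rec):
    """Return the lower-cased server_name from a ClientHello record, else None."""
    try:
        if rec[0] != 0x16 or rec[5] != 0x01:       # handshake record, ClientHello
            return None
        pos = 5 + 4 + 2 + 32                       # headers, client_version, random
        pos += 1 + rec[pos]                        # session_id
        pos += 2 + struct.unpack_from("!H", rec, pos)[0]   # cipher_suites
        pos += 1 + rec[pos]                        # compression_methods
        end = pos + 2 + struct.unpack_from("!H", rec, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", rec, pos)
            pos += 4
            if etype == 0:                         # server_name extension
                nlen = struct.unpack_from("!H", rec, pos + 3)[0]
                return rec[pos + 5:pos + 5 + nlen].decode("ascii").lower()
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                       # truncated or malformed input
    return None

def normalize(host):
    return host.strip().lower().split(":")[0].rstrip(".")  # drop :port, trailing dot

def fronting_suspect(client_hello, inner_host):
    """True when the decrypted Host header names a different host than the SNI."""
    sni = sni_from_client_hello(client_hello)
    return sni is not None and normalize(inner_host) != normalize(sni)

# Constructed (SNI, inner Host) pairs, as a TLS-inspecting proxy could log them.
SAMPLES = [("a0.awsstatic.com", "A0.awsstatic.com:443"),
           ("a0.awsstatic.com", "hidden.example")]

def scan(samples=SAMPLES):
    return [(s, h) for s, h in samples if fronting_suspect(build_client_hello(s), h)]
```

`scan()` returns only the second sample pair, where the outer and inner names differ. Without TLS inspection the inner Host is not available and this comparison cannot be made.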




  1. […] Didier Stevens shows data exfil through Pastebin using the Tor browser and highlights that it is not indicated in a packet capture. Quickpost: Data Exfiltration With Tor Browser And Domain Fronting  […]

    Pingback by Week 3 – 2018 – This Week In 4n6 — Sunday 21 January 2018 @ 3:08

  2. […] can also use Tor browser instead of Tor, but then I need to connect to port […]

    Pingback by Quickpost: Retrieving Malware Via Tor On Windows | Didier Stevens — Sunday 21 January 2018 @ 22:46

  3. Pretty neat!

    Comment by xax0 — Tuesday 23 January 2018 @ 22:14

  4. […] Quickpost: Data Exfiltration With Tor Browser And Domain Fronting […]

    Pingback by Overview of Content Published In January | Didier Stevens — Thursday 1 February 2018 @ 0:00

  5. […] Tor and domain fronting are also a great way to bypass filters where HTTPS inspection is not looking for a mismatch between outer and inner names https://blog.didierstevens.com/2018/01/20/quickpost-data-exfiltration-with-tor-browser-and-domain-fr… […]

    Pingback by Data exfiltration techniques | Pen Test Partners — Thursday 31 October 2019 @ 15:31
