TUTORIAL: Connecting to Freenode via Tor Like A Boss

Greetings, this is Sidepocket, one of the Co-Founders of DEFCON 201.

As you may or may not have known, we have an IRC channel on Freenode. Freenode is the largest free and open source software-focused IRC network, and you can find us there at #DEFCON201.

This year, I finally configured my IRC clients to run through Tor routing, one on a Windows machine and one on Linux Mint, and both were huge pains in the butt. For a newcomer, the instructions are confusing and spread out across multiple websites that are unrelated to each other, and nothing explains what you are actually doing and why.

In this Tutorial, I have compiled a comprehensive list of instructions on how to configure your IRC client to work over Tor on Freenode with clear instructions and explanations all in one place.

Because, to use a modified military slogan: “There is the wrong way, the right way, and then the DEFCON 201 way.”

Here we go!

PART ONE: SET UP
A photo of a person new to doing this trying to read previous tutorials on how to connect to Freenode via Tor Onion and having to jump through 20 unrelated websites with poor explanation and documentation.

First off, you need to have three main things for this.

  1. An IRC client. There are many out there, but the one I use is HexChat. All images and options will be explained for this IRC client, so please refer to your client’s manual/tutorial/readme for similar instructions. I will also assume you have a basic understanding of how IRC works; if not, here is a great tutorial website about it: https://en.wikipedia.org/wiki/Wikipedia:IRC/Tutorial
  2. Tor Browser. Technically any application that connects to the Tor Onion network will do, but the easiest for me is to have this running in the background. Plus, you get the benefit of a browser that runs traffic through onion routing and is able to access .onion websites! You can download it here: https://www.torproject.org/
  3. A form of terminal to type in commands. Yes, there will be Linux command lines in this tutorial, but I will break them down and explain their function. Each Linux operating system has its own command line window on its desktop, so please launch that. If you are using macOS, launch the Mac OS command line (Terminal). If you are running Windows, do not fret: there is this great application called Cygwin that allows you to simulate these commands and translates them into PowerShell Windows functions, which you can download here: https://www.cygwin.com/

STEP TWO: CREATE AN SASL EXTERNAL SECURITY TOKEN

So normally with IRC through Tor, you could simply do STEP FOUR of this tutorial and it will work just fine (like the 2600 IRC Onion). However, Freenode is its own animal in that it REQUIRES the use of SASL EXTERNAL in order for you to properly connect to it. This is where most people trying to connect to the Freenode Onion develop headaches and frustrations of Microsoft Bob levels. So let’s walk you through it.

SASL stands for Simple Authentication and Security Layer. It decouples and separates authentication mechanisms from application protocols by acting as a data security layer (offering data integrity and data confidentiality) allowing any authentication mechanism supported by SASL to be used in any application protocol that uses it.

The type of SASL that the Freenode Onion uses is called SASL EXTERNAL, where you keep a key and certificate file on your computer and a record of its fingerprint on your Freenode IRC account. So when you log in, the server compares the fingerprint of the certificate your client presents with the one you have on file, gives you access to the IRC network and automatically logs you into your account.

To generate this key, you will have to enter a couple of Linux commands in your Terminal.

Begin by opening a new Terminal session and then after the $ type this in:

mkdir ~/.config/hexchat/certs

Reading left to right, this will create a new directory (mkdir) called “certs” in the existing .config/hexchat directory, which is where HexChat keeps its configuration.

The next command you will enter, which generates this key, is:

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:4096 -keyout ~/.config/hexchat/certs/freenode.pem -out ~/.config/hexchat/certs/freenode.pem

This asks OpenSSL to build a certificate request (openssl req) and output a self-signed X.509 certificate instead of a request (-x509), leaves the private key unencrypted so that no passphrase is needed to use it (-nodes), sets the time until expiration (-days 365), generates a new key (-newkey) of type RSA with a length of 4096 bits (rsa:4096), and says where to store the key and the certificate and under what file name (-keyout ~/.config/hexchat/certs/freenode.pem -out ~/.config/hexchat/certs/freenode.pem). Because -keyout and -out point to the same file, the private key and the certificate both end up in freenode.pem.

The -sha256 option between -x509 and -nodes makes sure the certificate is signed using SHA-2 (Secure Hash Algorithm 2), which is a set of cryptographic hash functions. Basically it’s a series of mathematical operations run on digital data; by comparing the computed “hash” (the output from execution of the algorithm) to a known and expected hash value, a person can determine the data’s integrity. The one that will be created is a 256-bit hash, which should be good enough for most people in my opinion, but you can change it to higher or lower supported sizes like 384 and 512.

Also note that -days 365 makes the key last for one year; you can increase or decrease the expiration by changing the number, such as -days 1000. Also, you can give the .pem file any name you want; I just chose Freenode so you know that the key is for that IRC network and not others, as a human memory reminder.

Now, when you enter this in the Terminal, it will take a few seconds to a minute to generate. Before it is finished, it will ask you a few questions.

— Your country’s abbreviation up to two characters (enter US for United States of America and UK for United Kingdom).

— The abbreviation of the territory you live in. (Enter NY for New York State, etc.)

— The name of the subsection of where you live (town, city, etc.)

— The name of the organization you are part of (Psst, this is where you promote us by putting in DEFCON 201!)

— Organizational Unit (…make up something!)

— Common Name (we recommend putting in your IRC handle on Freenode).

— Email Address (put whatever email address you feel most comfortable being in public).

For each one of these, type in your answer and press Enter to get to the next line. When you see your access prompt followed by the $ symbol, you have successfully generated the key.

Now, sadly, there is ONE MORE step you need to do to get this set up correctly. You are now going to have to get your Terminal to output the fingerprint signature of your SASL EXTERNAL token cert. You do this by entering this command:

openssl x509 -in /home/sidepocket/.config/hexchat/certs/freenode.pem -outform der | sha1sum -b | cut -d \  -f1

The /sidepocket/ part of the path is the name of your home folder. Mine is Sidepocket. What is yours? John? 1337? God? Put that there. You can check by clicking on and looking at the name of the folder on your desktop in the upper left that looks like a HOUSE, or in the Terminal by looking at the name that comes before the $ symbol.

NOTE: This command will 100% work if entered exactly, but if you type it in (or copy and paste it from somewhere else, which is common) and get this error:

cut: the delimiter must be a single character

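Don’t worry, I know what the problem is, especially if you tried this from another tutorial site that uses -d ‘ ‘ in the command.

You see the part of the command that says -d ‘ ‘? The thing is, you need to escape the space when it’s used as a parameter. There should be a space after the -d, and the quotes must be plain straight quotes (websites often turn them into curly quotes like the ones above, which the shell does not treat as quotes), so it reads: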

cut -d ' '

Or, my favorite as shown above, you can replace the ' ' and use this instead:

cut -d \  -f1

Make sure there is a space between -d and \ AND there are two spaces between the \ and the -f1.

When you enter that in the terminal, a string of 40 random-looking characters will be spit out on the screen. It will look something like this:

6a40634763613a5a9a3e35005c15d52854166ab0

Finally here is the easy part, you are simply going to copy that string and paste it in a text file for the next step.
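
The fingerprint step above can also be done without the cut pipeline, using openssl's own -fingerprint output. The following shell script is an added example, not part of the original tutorial; the function names (normalize_fp, valid_fp, cert_fp, check_cert) are made up for illustration. It also tightens the file permissions, because -nodes left the private key unencrypted, and warns when the certificate is close to its -days expiry.

```shell
#!/bin/sh
# Added example: sanity-check the .pem from STEP TWO and print the NickServ line.

# Turn openssl's "SHA1 Fingerprint=6A:40:..." into the bare lowercase form
# that sha1sum prints (no label, no colons).
normalize_fp() {
    printf '%s\n' "${1#*=}" | tr -d ':' | tr 'A-F' 'a-f'
}

# A SHA-1 fingerprint is exactly 40 lowercase hex digits and nothing else.
valid_fp() {
    [ "${#1}" -eq 40 ] || return 1
    case "$1" in
        *[!0-9a-f]*) return 1 ;;
    esac
    return 0
}

# SHA-1 over the DER form of the certificate, the same value as
# "openssl x509 -outform der | sha1sum".
cert_fp() {
    raw=$(openssl x509 -in "$1" -noout -fingerprint -sha1) || return 1
    normalize_fp "$raw"
}

check_cert() {
    pem=$1
    # The file holds an unencrypted private key: make it owner-only.
    chmod 600 "$pem" || return 1
    # -checkend N fails if the certificate expires within N seconds (30 days).
    openssl x509 -in "$pem" -noout -checkend 2592000 >/dev/null ||
        echo "warning: certificate expires within 30 days" >&2
    fp=$(cert_fp "$pem") || return 1
    valid_fp "$fp" || { echo "unexpected fingerprint: $fp" >&2; return 1; }
    printf '/msg NickServ CERT ADD %s\n' "$fp"
}

# Run only when a .pem path is given on the command line.
[ "$#" -eq 0 ] || check_cert "$1"
```

Saved under a name of your choice (check_cert.sh is only a suggestion), it is run as: sh check_cert.sh ~/.config/hexchat/certs/freenode.pem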

STEP THREE: UPLOAD YOUR TOKEN TO YOUR FREENODE ACCOUNT

Phew! That was a long step two. Now, before we go right into all the Tor Onion goodness, we have to do this step first. This is IMPORTANT because if you configure and add Tor to your IRC client beforehand, it will look at you like you are Microsoft Bob.

First, you are going to need to log into your Freenode account. Use your client and connect to Freenode. Once connected, enter this text right on the main page:

/msg NickServ IDENTIFY *password*

The *password* is whatever password you use to log into your Freenode account. If you do not have a Freenode account, here is a tutorial on how to set one up:

After you log in, you will enter this command right on the main page again:

/msg NickServ CERT ADD *fingerprint*

Remember that SASL cert fingerprint I had you print at the end of STEP TWO? Where I wrote *fingerprint*, you are going to copy and paste that 40 character string after the ADD command in IRC.

Your IRC client should tell you that your SASL fingerprint was added to your profile. Log off of vanilla Freenode because we are about to chop some onions via Tor!

STEP FOUR: TOR IT UP!

Now we get to the good stuff!

First, you know that Tor Browser you downloaded and installed? Open it. It will take a few minutes for it to connect to the Tor Onion network (sloooooooow), but once you reach the splash page, check the upper left corner next to the URL (it’s next to my cursor in the screenshot). That little Onion icon should be solid and normal. This means you are now connected to Tor. Minimize the browser; you are now ready to connect to IRC via Tor.

Open your IRC Client and add the Freenode Onion address. You could replace your existing Freenode instance with the address BUT this will kill your normal access, as the Onion address only works through Tor. No Tor, no IRC access at that address. I personally created a new one called “Freenode Onion”.

Now go into settings for it, where you put the irc:// address and enter the Freenode Onion address:

freenodeok2gncmy.onion

Make sure that you have all SSL options on, including “Use SSL for all the servers on this network” and “Accept invalid SSL certificates”. It’s also good to turn on the “Connect to selected server only” and “Use global user information” options. Finally, and THE MOST IMPORTANT, under the LOG-IN METHOD option select the “SASL EXTERNAL (cert)” option.

Save these settings.

Now, under Settings in HexChat, open the Preferences tab, go to Network on the right and click Network Setup.

You are now going to configure your network to speak to the Tor connection that you have open in the Tor Browser. First list the Host as 127.0.0.1. Then change the Port to 9150 and the Type to Socks5. NOTE: if you switch back to non-Tor lines and they are having connection errors, just switch back to Port 6667 and the Type to (Disable). Click OK to save.

Finally connect to the Freenode Onion by clicking on it in your network list and hitting Connect.

If you did EVERYTHING above as I have written, it will log in as if you were logging into vanilla Freenode! You also don’t have to worry about /msg NickServ to log in; thanks to SASL EXTERNAL, you are already logged in!

All you need to do is the last, important step:

/join #DEFCON201

And now you are here and have joined us! (All TWO of us, please, invite your 1337 Haxor Friends!)

BONUS ROUND!

If you want to look elite (“not that accidental shit”) one awesome thing about the HexChat IRC Client is you can download and install pre-built visual themes! My favorite that I use is MatriY, which simulates a Matrix-looking terminal environment that reminds me of my childhood.

You can download it here: https://dl.hexchat.net/themes/MatriY.hct

You can also enter this into the command line inside your Terminal:

unzip ~/Downloads/MatriY.hct -d ~/.config/hexchat

When you open HexChat again, your client will change to this visual look, signaling to others that you are ready to Hack the Planet with Morpheus and fSociety!

IN CONCLUSION…

That is all. I hope that with this process you learned Tor, SASL, Encryption, and Linux Command Line a little better! I am also glad you now have all this information in an easy to follow, step by step guide, all in one place with no gaps and no jumping through fire hoops like I did.

If you have any questions, comments, criticisms or anything you want to talk about in this post you can comment below or email us at:

INFO {at} DEFCON201 (dot) ORG

— Sidepocket, Co-Founder of DEFCON 201
