tor: use random credentials for circuit isolation

proxywatchd.py

@@ -667,6 +667,19 @@ def try_div(a, b):
     return 0
 
 
+def tor_proxy_url(torhost):
+    """Generate Tor SOCKS5 proxy URL with random credentials for circuit isolation.
+
+    Tor treats different username:password as separate streams, using different
+    circuits. This ensures each connection gets a fresh circuit.
+    """
+    # 8 random alphanumeric chars for user and pass
+    chars = string.ascii_lowercase + string.digits
+    user = ''.join(random.choice(chars) for _ in range(8))
+    passwd = ''.join(random.choice(chars) for _ in range(8))
+    return 'socks5://%s:%s@%s' % (user, passwd, torhost)
+
+
 class MITMCertStats(object):
     """Track MITM certificate statistics."""
 
@@ -834,7 +847,7 @@ def get_mitm_certificate(proxy_ip, proxy_port, proto, torhost, target_host, targ
     """
     try:
         proxies = [
-            rocksock.RocksockProxyFromURL('socks5://%s' % torhost),
+            rocksock.RocksockProxyFromURL(tor_proxy_url(torhost)),
             rocksock.RocksockProxyFromURL('%s://%s:%s' % (proto, proxy_ip, proxy_port)),
         ]
 
@@ -1375,7 +1388,7 @@ class TargetTestJob():
 
             duration = time.time()
             proxies = [
-                rocksock.RocksockProxyFromURL('socks5://%s' % torhost),
+                rocksock.RocksockProxyFromURL(tor_proxy_url(torhost)),
                 rocksock.RocksockProxyFromURL('%s://%s:%s' % (proto, ps.ip, ps.port)),
             ]
 
@@ -1473,7 +1486,7 @@ class TargetTestJob():
                     try:
                         http_port = 80
                         http_proxies = [
-                            rocksock.RocksockProxyFromURL('socks5://%s' % torhost),
+                            rocksock.RocksockProxyFromURL(tor_proxy_url(torhost)),
                             rocksock.RocksockProxyFromURL('%s://%s:%s' % (proto, ps.ip, ps.port)),
                         ]
                         http_sock = rocksock.Rocksock(host=connect_host, port=http_port, ssl=0,