As more people become concerned about their online privacy, tools that protect it, such as Tor and Privoxy, are getting more common. One of the main features these offer is “hiding” your IP address: Privoxy by sending all your traffic through a proxy server, Tor by even more advanced routing.
Metasploit has just published an updated version of its decloaking engine, which shows how easy it is to bypass these tools. Most of them depend on configuring a proxy server in all your applications, forcing them to send all traffic through the anonymizing software. But security is only as strong as the weakest link: your web browser can start all kinds of external programs automatically, and Decloak.net uses that fact to bypass popular anonymizing software. There are multiple steps involved:
- Doing a DNS query for the decloak site. This will in most cases reveal the nameserver you are using;
- Starting a Java applet that will force a DNS query, in most cases without using a proxy server even if you have one configured;
- Doing a UDP request from a Java applet, which will in most cases go directly to a machine that will see your real public IP;
- The Java applet will also see your internal, private IP address;
- Loading a Flash applet that opens a direct outbound connection;
- Sending a Word document that will fetch an external image;
- Starting Quicktime with a setting that will override any proxy settings present;
- Sending a URL that is normally handled by iTunes.
That’s a list of five applications that all need to use the correct settings; if even one of them is not using the correct proxy settings, your real public IP address can be seen. An attacker has no way of knowing which of these tests returns the correct one, but if multiple tests reveal the same IP address, and that address differs from the one seen on a normal HTTP connection, an attacker can be confident that he’s found the right one.
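The correlation logic in the paragraph above is what turns a handful of unreliable channels into a confident answer, and it is equally useful from the other side: anyone auditing their own proxy setup can point every application at a server they control and apply the same rule to what the server logged. The following is an added example written for this post; it is not Metasploit's decloak code. The `Observation` record, the channel names and the sample addresses are constructed for illustration (TEST-NET documentation ranges stand in for real public addresses, so the check uses explicit RFC 1918 matching rather than `ipaddress.is_private`, which also flags those documentation ranges).

```python
"""Correlate the source IP seen on each test channel with the one seen over
the proxied HTTP connection, and decide whether the setup leaked.

Added example, not from the original post or from Metasploit. The
Observation format and channel names are assumptions for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# RFC 1918 ranges: an address here is an internal one (e.g. what a Java
# applet sees on the local interface), never the public address we look for.
_RFC1918 = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def is_internal(ip: str) -> bool:
    """True for loopback, link-local or RFC 1918 addresses."""
    addr = ip_address(ip)
    return addr.is_loopback or addr.is_link_local or any(addr in n for n in _RFC1918)


@dataclass(frozen=True)
class Observation:
    channel: str    # assumed names: "http", "dns", "java_udp", "flash", ...
    source_ip: str  # address the test server saw on that channel


def assess_leak(observations, baseline_channel="http", min_agreeing=2):
    """Apply the post's rule: channels whose source address differs from the
    proxied HTTP connection are leaks; if at least `min_agreeing` of them
    agree on one public address, report it as the suspected real IP.
    """
    baseline = {o.source_ip for o in observations if o.channel == baseline_channel}
    if len(baseline) != 1:
        raise ValueError("need exactly one observation on the baseline channel")
    baseline_ip = baseline.pop()

    leaking = {}   # channel -> public address that bypassed the proxy
    internal = {}  # channel -> private address disclosed (e.g. by Java)
    for o in observations:
        if o.channel == baseline_channel:
            continue
        if is_internal(o.source_ip):
            internal[o.channel] = o.source_ip
        elif o.source_ip != baseline_ip:
            leaking[o.channel] = o.source_ip

    # Majority vote among the leaking channels; a lone disagreeing channel
    # (e.g. the DNS resolver's address) is not enough on its own.
    votes = Counter(leaking.values())
    real_ip, count = votes.most_common(1)[0] if votes else (None, 0)
    return {
        "baseline_ip": baseline_ip,
        "leaking_channels": leaking,
        "internal_ips": internal,
        "suspected_real_ip": real_ip if count >= min_agreeing else None,
        "confidence": count,
    }


# Constructed sample: Word honoured the proxy, Java/Flash/QuickTime did not,
# DNS shows the resolver's address, and the applet also saw the LAN address.
SAMPLE = [
    Observation("http", "198.51.100.7"),
    Observation("dns", "203.0.113.53"),
    Observation("java_udp", "203.0.113.42"),
    Observation("java_internal", "192.168.1.23"),
    Observation("flash", "203.0.113.42"),
    Observation("word", "198.51.100.7"),
    Observation("quicktime", "203.0.113.42"),
]

# Constructed sample of a setup where every channel went through the proxy.
SAFE_SAMPLE = [Observation(ch, "198.51.100.7")
               for ch in ("http", "dns", "java_udp", "flash", "word", "quicktime", "itunes")]


if __name__ == "__main__":
    for name, data in (("leaky", SAMPLE), ("safe", SAFE_SAMPLE)):
        print(name, assess_leak(data))
```

Run against the leaky sample it reports `203.0.113.42` with three agreeing channels and lists `dns`, `java_udp`, `flash` and `quicktime` as the channels that bypassed the proxy; the safe sample yields no suspected address at all. The `min_agreeing` threshold encodes the post's caution that a single differing channel proves little.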
A properly configured Tor+Torbutton+Privoxy solution still stands up against Decloak, but just about everything else fails.