Finding a “hidden” IP address just got easier
As more people become concerned about their online privacy, the use of tools that protect it, such as Tor and Privoxy, is becoming more common. One of the main features these offer is “hiding” your IP address: Privoxy by offering the option to send all your traffic through a proxy server, and Tor by even more advanced routing.
Metasploit has just published an updated version of their decloaking engine that shows how easy it is to bypass these tools. Most of them depend on configuring a proxy server in all your applications, forcing them to send all traffic through the anonymizing software. But security is only as strong as its weakest link: your web browser has the ability to start all kinds of external programs automatically. Decloak.net uses that fact to bypass popular anonymizing software. There are multiple steps involved:
- Doing a DNS query for the decloak site. This will in most cases reveal the nameserver you are using;
- Starting a Java applet that will force a DNS query, in most cases without using a proxy server even if you have one configured;
- Doing a UDP request from a Java applet, which will in most cases go directly to a machine that will see your real public IP;
- The Java applet will also see your internal, private IP address;
- Loading a Flash applet that opens a direct outbound connection;
- Sending a Word document that will fetch an external image;
- Starting Quicktime with a setting that will override any proxy settings present;
- Sending a URL that is normally handled by iTunes.
That’s a list of five applications that need to use the correct settings; if only one of them is not using the correct proxy settings, your real public IP address can be seen. An attacker has no way of knowing which of these tests returns the correct address, but if multiple tests reveal the same IP address, and it differs from the one seen on a normal HTTP connection, the attacker can be confident that he’s found the right one.
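The correlation step described above, as an added example that is not part of the original post or of the Metasploit engine: each test reports the address from which the test server saw the client arrive, and the script treats as the real address the one that several independent tests agree on and that differs from the address seen over the proxied HTTP connection. The test names and sample addresses are constructed; a single disagreeing address (here the recursive resolver seen by the DNS test) is reported as a candidate but not as a confirmed leak.

```python
"""Offline correlation of proxy-leak self-test results (added example).

Each entry is the address one test server observed, or None when that test
could not run (script blocked, plugin or application not installed).
The addresses below are constructed from the documentation ranges, not
captured from decloak.net.
"""
import ipaddress
from collections import Counter

SAMPLE_RESULTS = {
    "http": "203.0.113.10",        # proxied browser connection: the proxy's exit address
    "dns": "198.51.100.53",        # recursive resolver that looked up the test hostname
    "java_dns": "192.0.2.77",
    "java_udp": "192.0.2.77",
    "java_internal": "192.168.0.101",
    "flash": "192.0.2.77",
    "word": None,
    "quicktime": None,
    "itunes": None,
}

# RFC 1918, loopback and link-local, checked explicitly: ip_address().is_private
# also flags the documentation ranges used in the constructed sample.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(addr):
    """True for addresses that only identify a host inside its own LAN."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def analyse(results, min_agreeing=2):
    """Correlate per-test observations.

    Returns the proxied address, every public address that disagreed with it
    (with the tests that reported it), the internal addresses disclosed, the
    tests that did not run, and leaked_ip: the address at least min_agreeing
    tests agree on, or None when no address reaches that threshold.
    """
    proxy_ip = results.get("http")
    reported_by = {}   # public address -> tests that saw it
    internal = {}      # test -> internal address it disclosed
    skipped = []
    for test, addr in results.items():
        if test == "http":
            continue
        if addr is None:
            skipped.append(test)
            continue
        if is_internal(addr):
            internal[test] = addr
            continue
        if addr != proxy_ip:
            reported_by.setdefault(addr, []).append(test)
    votes = Counter({addr: len(tests) for addr, tests in reported_by.items()})
    leaked_ip = None
    if votes:
        top, count = votes.most_common(1)[0]
        if count >= min_agreeing:
            leaked_ip = top
    return {
        "proxy_ip": proxy_ip,
        "candidates": reported_by,
        "leaked_ip": leaked_ip,
        "internal": internal,
        "skipped": skipped,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_RESULTS)
    print("seen over proxy:", report["proxy_ip"])
    print("confirmed leak:", report["leaked_ip"] or "none")
    for addr, tests in report["candidates"].items():
        print(f"  {addr} reported by {', '.join(tests)}")
    print("internal addresses disclosed:", report["internal"])
    print("tests that did not run:", report["skipped"])
```

Run against the sample, the three Java/Flash tests agree on 192.0.2.77 and that becomes the confirmed leak, while the resolver address seen only by the DNS test stays a candidate; the private 192.168.0.101 is listed separately, since it identifies the host on its LAN but not on the Internet.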
The Metasploit team assures everyone that a proper Tor setup should still be safe, but then again Tor has its own issues…
A properly configured Tor+Torbutton+Privoxy solution still stands up against Decloak, but just about everything else fails.


December 26th, 2008 at 5:10 pm
[…] and the Net has published a superb write-up of the newly updated Metasploit decloaking engine, utilized to determine the […]
December 28th, 2008 at 6:28 am
Actually, there’s only one application that needs to be configured properly: the browser.
1.) DNS queries are caught by Privoxy (an http proxy) by default in Firefox, and if you’re pointing Firefox at Tor (a SOCKS proxy) directly, you have to flip an about:config boolean to get it to use the proxy for DNS.
2.) Java applets depend on Javascript to launch. Javascript is client-side code and as such a sane Tor browsing configuration needs to not allow it. You can use the NoScript plugin to selectively block certain sites, if you need javascript in some places. NoScript is default deny, so scripts from the Decloak engine will still fail.
3.) The Java applet can’t send the packet if it doesn’t load, and it needs javascript to load. This is just #2 part 2. I don’t see how it’s a different application that needs to be configured — this still depends on the Java runtime’s proxy settings even if it loads.
4.) Even if this loads, it sees that I’m on 192.168.0.101. I’m sure that’s devastating to my anonymity, but it won’t matter, because the applet won’t load.
5.) Ooh, foiled again by the javascript. Flash won’t load.
6.) This assumes the browser automatically opens Word files. And that the user has Word installed.
7.) This assumes the browser has a quicktime plugin installed.
8.) This assumes the browser recognizes iTunes URLs.
As you can see, every one of the stages can be circumvented via a secure browser configuration. That’s ONE program that you need to configure, not five. And if you absolutely can’t live without javascript and flash, that’s what the TransPort feature is for.
And really, linking to the email sniffing? That’s so noobish. Yes, if you’re an idiot and send plaintext through a proxy, it can be sniffed. Most of the time that plaintext is just HTML and it won’t matter that it’s plaintext; it isn’t like you request webpages by signing your real name.
This is a very poor piece of FUD.
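As an added example to go with the comment above (not the commenter's code), a Python script that audits a Firefox prefs.js or user.js for the two browser settings the comment relies on: a manual proxy configuration whose SOCKS proxy also receives the DNS lookups (the about:config boolean the comment mentions is network.proxy.socks_remote_dns, a real Firefox preference that the comment does not name), and JavaScript being switched off (javascript.enabled). The sample preference files are constructed.

```python
"""Audit Firefox prefs.js / user.js for proxy-DNS and JavaScript settings (added example).

Preferences checked (all real Firefox preference names):
  network.proxy.type             1 = manual proxy configuration
  network.proxy.socks            SOCKS proxy host (e.g. a local Tor client)
  network.proxy.socks_remote_dns true = hand hostnames to the SOCKS proxy
                                 instead of resolving them locally
  javascript.enabled             false = scripts cannot run at all
The two sample files below are constructed.
"""
import re

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed: points Firefox at a local SOCKS proxy but leaves DNS and JavaScript alone.
LEAKY_PREFS = """\
# Mozilla User Preferences
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9050);
"""

# Constructed: same proxy, DNS routed through it, scripts disabled.
HARDENED_PREFS = LEAKY_PREFS + """\
user_pref("network.proxy.socks_remote_dns", true);
user_pref("javascript.enabled", false);
"""


def parse_prefs(text):
    """Return {name: value} for every user_pref() line; booleans, ints and strings are typed."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments and blank lines
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def audit(text):
    """Return a list of finding identifiers; an empty list means nothing to report."""
    p = parse_prefs(text)
    findings = []
    if p.get("network.proxy.type") != 1:
        findings.append("no-manual-proxy")          # browser may connect directly
    if p.get("network.proxy.socks") and not p.get("network.proxy.socks_remote_dns", False):
        findings.append("socks-without-remote-dns")  # hostnames resolved by the local resolver
    if p.get("javascript.enabled", True):
        findings.append("javascript-enabled")        # applets and Flash can be launched by script
    return findings


if __name__ == "__main__":
    for label, text in (("leaky", LEAKY_PREFS), ("hardened", HARDENED_PREFS)):
        print(f"{label}: {audit(text) or 'no findings'}")
```

The parser only reads user_pref() lines, so the comment header Firefox writes at the top of prefs.js is skipped. A "javascript-enabled" finding does not by itself mean scripts run everywhere, because NoScript's default-deny policy is not visible in these preferences; it is a prompt to confirm that such an extension is installed, not a verdict.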
December 28th, 2008 at 10:34 am
@Anonymous: You are completely correct; a properly configured Tor setup with a “safe” browser is completely safe; but about 99% of all users are “vulnerable” in some way.
Even though everybody who knows a bit about security knows not to use unencrypted mail connections, the attack I linked to managed to capture account information for employees of several embassies; people who are supposed to be very security-conscious.
April 19th, 2009 at 7:09 pm
Just wanna add something here. Need a fast and clean proxy? Try proxy.my
Unblock friendster, facebook, myspace and even youtube!
May 11th, 2009 at 11:48 pm
Crazy how many people still use and others profit with web proxies.
January 10th, 2010 at 1:36 pm
1.) Step-by-step instructions for securing your browser:
http://www.cert.org/tech_tips/securing_browser/
1st Line of Defense, along w/ Firewall
(If you have a broadband connection, make sure you are behind a NAT router, w/ the default password changed to a secure one.
A secure password should be at _least_ eight characters and include a mix of upper and lower case letters as well as numbers and special characters.)
2.) Why are the spam posts above still there?