Mailing List Archive: Full Disclosure: Full-Disclosure

UnAnonymizer

 

 



fdlist at digitaloffense

Jun 26, 2006, 6:07 PM

Post #1 of 13 (867 views)
UnAnonymizer

A fun browser toy that depends on Java for complete results:
- http://metasploit.com/research/misc/decloak/

-HD

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


prb at lava

Jun 27, 2006, 1:12 AM

Post #2 of 13 (842 views)
Re: UnAnonymizer [In reply to]

H D Moore wrote:
> A fun browser toy that depends on Java for complete results:
> - http://metasploit.com/research/misc/decloak/

Fun indeed:

Field               Data             Dependency
External Address:   24.199.198.152   None
Internal Host:      unknown          Java
Internal Address:   unknown          Java
DNS Server (API):   unknown          Java
DNS Server (HTTP):  24.199.198.158   None
External NAT:       unknown          Java

The "External Address" listed belongs to a TOR server hosted on
RoadRunner. The DNS server is also part of that system. I'm assuming the
"Internal Host" should have been mine? The "Internal Address" mine,
also? The "DNS Server (API)" my ISP's? Something isn't working.

Here's another page that tries something similar with Java:
http://gemal.dk/browserspy/ipjava.html

I get similar results to the above. Yes, Java is installed (version 1.5).

--
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky



brate_sanders at yahoo

Jun 27, 2006, 1:49 AM

Post #3 of 13 (853 views)
Re: UnAnonymizer [In reply to]

Is there a security issue hidden somewhere in there or is it just a bug report sent to the wrong mailing list address? :-)




cardosolistas at contraditorium

Jun 27, 2006, 1:54 AM

Post #4 of 13 (849 views)
Re: UnAnonymizer [In reply to]

If the app uses an unknown DNS server, I think it's enough of a risk to
worry about.




year(now) + 1 will be the year of Linux!
Cardoso <cardoso [at] pobox> - SkypeIn: (11) 3711-2466 / (41) 3941-5299
digital life: http://www.contraditorium.com personal site and blog: http://www.carloscardoso.com



prb at lava

Jun 27, 2006, 2:29 AM

Post #5 of 13 (840 views)
Re: UnAnonymizer [In reply to]

Cardoso wrote:
> If the app uses an unknown DNS server, I think it's enough of a risk to
> worry about.

I refer folks to the following page on TOR:

"Using privoxy is necessary because browsers leak your DNS requests when
they use a SOCKS proxy directly, which is bad for your anonymity."
http://tor.eff.org/docs/tor-doc-unix.html.en

That means, your DNS server becomes the DNS server used by the TOR exit
node. I have no idea how many DNS servers operate with poisoned caches,
and the like. If I wanted to do some financial transaction, I think
Cardoso is suggesting a direct connection, instead. In earlier
discussions, people argued that an SSL connection offered some
protection, or warning about pharming attacks.

--
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky



pdp.gnucitizen at googlemail

Jun 27, 2006, 4:37 AM

Post #6 of 13 (855 views)
Re: UnAnonymizer [In reply to]

Indeed it is fun, unfortunately not very neat :) IMHO... although I
quite like the idea, don't get me wrong. What would be nice is to
implement the same but with Flash. Flash is for sure enabled on most
browsers.

Also, it might be possible to unhide a Tor user by starting an
application which will make an HTTP request to your server regardless
of where your browser proxy settings are pointing to. For example sending
back

Content-type: <some mime>

Content-type: application/pdf should start a PDF reader on most
browsers. PDF documents are usually dynamic, so you can embed some
object into the PDF document that will point back to your webserver,
which as a result may unhide the current Tor user. This might work on
platforms where the environment is not that much integrated
(Linux/Unix). On Windows, however, setting the right proxy in Internet
Explorer should make most applications aware of it. :)


--
pdp (architect)
http://www.gnucitizen.org



fdlist at digitaloffense

Jun 27, 2006, 8:54 AM

Post #7 of 13 (837 views)
Re: UnAnonymizer [In reply to]

If your real internal and external NAT addresses did not appear when using
a proxy, either the Java applet did not load or a race condition failed.
From browsing the database backend, it looks like just over 1,000 people
were successfully identified (internal + nat gw + external + dns). The
database is wiped every 24 hours.

The 'trick' is to obtain this information regardless of proxy settings
and in the case of SOCKS4, be able to identify your real DNS servers.
This is accomplished using a custom DNS service along with a Java applet
that abuses the DatagramSocket/GetByName APIs to bypass any configured
proxy. The source code of the applet is online as well:
- http://metasploit.com/research/misc/decloak/HelloWorld.java

There are a handful of other ways to obtain a user's real IP address - you
can embed a link to a SMB service over a UNC path, start up another
application via file attachments (PDF, with embedded JS, etc), or abuse
any other network-aware app that is launched by the browser.

The goal of the "decloak" code is to provide a JavaScript-friendly way to
obtain this information that doesn't notify the user that something
strange is happening. A great use of this code would be to track down the
real source of a malicious request being routed through a TOR exit node.

Take this a step further by adding smart filtering and injection code to
the TOR client itself and you have a solution for detecting and reporting
"bad" traffic that happens to exit through your node (attempted server
exploitation, pornography not involving adults, etc). My current
implementation uses an embedded Ruby interpreter and a set of Ruby modules
to perform the protocol detection and filtering.

Thanks for testing!

-HD


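The DNS leak described in posts #5 and #7 (a browser talking SOCKS4 directly resolves the hostname itself, so the lookup reaches the real DNS server rather than the Tor exit) is visible on the wire in the SOCKS request. The Python below is an added example, not code from this thread or from decloak: it parses a SOCKS CONNECT request and flags the ones carrying a pre-resolved IP, and goes beyond the SOCKS4 case the thread mentions by also handling SOCKS4a and SOCKS5. The sample requests, the TEST-NET address 192.0.2.10 and the userid "tor" are constructed.

```python
import socket
import struct


def parse_socks_connect(req: bytes) -> dict:
    """Parse a SOCKS4/4a/5 CONNECT request; dns_leak=True means the client
    sent a pre-resolved IP, i.e. the DNS lookup already left the tunnel."""
    if len(req) >= 9 and req[0] == 0x04 and req[1] == 0x01:
        # SOCKS4: VN CD DSTPORT(2) DSTIP(4) USERID\0 [DOMAIN\0 for 4a]
        port = struct.unpack("!H", req[2:4])[0]
        ip_bytes = req[4:8]
        userid, sep, tail = req[8:].partition(b"\x00")
        if not sep:
            raise ValueError("unterminated USERID")
        hostname = None
        # SOCKS4a marker: destination 0.0.0.x (x != 0) means a domain follows
        if ip_bytes[:3] == b"\x00\x00\x00" and ip_bytes[3] != 0:
            raw, sep, _ = tail.partition(b"\x00")
            if not sep or not raw:
                raise ValueError("SOCKS4a request without domain")
            hostname = raw.decode("ascii")
        return {"version": "4a" if hostname else "4", "port": port,
                "ip": None if hostname else socket.inet_ntoa(ip_bytes),
                "hostname": hostname, "userid": userid.decode("ascii", "replace"),
                "dns_leak": hostname is None}
    if len(req) >= 4 and req[0] == 0x05 and req[1] == 0x01:
        # SOCKS5: VER CMD RSV ATYP DST.ADDR DST.PORT(2)
        atyp = req[3]
        if atyp == 0x01:    # IPv4 literal: the client resolved the name itself
            ip, hostname, end = socket.inet_ntoa(req[4:8]), None, 8
        elif atyp == 0x03:  # domain name: the proxy (the Tor exit) resolves it
            n = req[4]
            ip, hostname, end = None, req[5:5 + n].decode("ascii"), 5 + n
        else:
            raise ValueError("unsupported ATYP %#x" % atyp)
        port = struct.unpack("!H", req[end:end + 2])[0]
        return {"version": "5", "port": port, "ip": ip, "hostname": hostname,
                "userid": "", "dns_leak": hostname is None}
    raise ValueError("not a SOCKS4/4a/5 CONNECT request")


# Constructed sample requests (TEST-NET address 192.0.2.10, not captured traffic).
SAMPLES = {
    "socks4":        b"\x04\x01\x00\x50" + bytes([192, 0, 2, 10]) + b"tor\x00",
    "socks4a":       b"\x04\x01\x00\x50\x00\x00\x00\x01tor\x00example.com\x00",
    "socks5_ipv4":   b"\x05\x01\x00\x01" + bytes([192, 0, 2, 10]) + b"\x00\x50",
    "socks5_domain": b"\x05\x01\x00\x03\x0bexample.com\x00\x50",
}


def leaking_clients(samples=SAMPLES):
    """Names of the requests whose DNS lookup happened outside the proxy."""
    return sorted(name for name, req in samples.items()
                  if parse_socks_connect(req)["dns_leak"])


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, parse_socks_connect(req))
```

Run against a proxy's accepted connections, the same classification tells you which clients were configured for SOCKS4 (or SOCKS5 with an IP literal) and therefore resolved names outside the tunnel, which is the misconfiguration the privoxy advice in post #5 is meant to avoid.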


michael.holstein at csuohio

Jun 27, 2006, 9:02 AM

Post #8 of 13 (856 views)
Re: UnAnonymizer [In reply to]

> The 'trick' is to obtain this information regardless of proxy settings
> and in the case of SOCKS4, be able to identify your real DNS servers.
> This is accomplished using a custom DNS service along with a Java applet
> that abuses the DatagramSocket/GetByName APIs to bypass any configured
> proxy. The source code of the applet is online as well:
> - http://metasploit.com/research/misc/decloak/HelloWorld.java

Smart TOR users are using Firefox + NoScript + Flashblock to begin with
.. and you'd really have to be stupid/trusting to allow Javascript (and
even dumber still to allow Java Applets) when you're trying to be anonymous.

> There are a handful of other ways to obtain a user's real IP address - you
> can embed a link to a SMB service over a UNC path, start up another
> application via file attachments (PDF, with embedded JS, etc), or abuse
> any other network-aware app that is launched by the browser.

Using a WRT54g+Linux+Tor (or running the TOR router on a separate
machine) prevents this entirely since *all* traffic is routed into TOR
and anything that's not falls into the bitbucket.

Those that wish to be anonymous .. always will be :)

/mike.



prb at lava

Jun 27, 2006, 11:17 AM

Post #9 of 13 (848 views)
Re: UnAnonymizer [In reply to]

H D Moore wrote:
> If your real internal and external NAT addresses did not appear when using
> a proxy, either the Java applet did not load or a race condition failed.
> From browsing the database backend, it looks like just over 1,000 people
> were successfully identified (internal + nat gw + external + dns). The
> database is wiped every 24 hours.

I doubt it's a race condition, as the failure is consistent. As for the
failure of something to load, that's possible, although Java applets run
just fine, when I enable them, as I did with the Metasploit site.

As you can no doubt tell, I used a *nix based system for the test, where
there are a variety of ways to install both the browser and Java. In my
case, I went to Sun and Mozilla directly. I placed a link from Java's
plug-in to Firefox's plugin directory. That was about the extent of my
installation.

> Thanks for testing!

No, thank you. It was interesting.


--
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky



prb at lava

Jun 27, 2006, 11:44 AM

Post #10 of 13 (841 views)
Re: UnAnonymizer [In reply to]

Michael Holstein wrote:
>> The 'trick' is to obtain this information regardless of proxy settings
>> and in the case of SOCKS4, be able to identify your real DNS servers.
>> This is accomplished using a custom DNS service along with a Java
>> applet that abuses the DatagramSocket/GetByName APIs to bypass any
>> configured proxy. The source code of the applet is online as well:
>> - http://metasploit.com/research/misc/decloak/HelloWorld.java
>
> Smart TOR users are using Firefox + NoScript + Flashblock to begin with
> .. and you'd really have to be stupid/trusting to allow Javascript (and
> even dumber still to allow Java Applets) when you're trying to be
> anonymous.

As I normally do. Let's also mention that settings in Adblock and
entries in the hosts file could mess up the experiment. For those not
familiar with the Noscript extension, it can be set to block Flash as
well. Flash itself can also be configured for tighter privacy, though if
I were serious about anonymity, I wouldn't trust it.

> Using a WRT54g+Linux+Tor (or running the TOR router on a separate
> machine) prevents this entirely since *all* traffic is routed into TOR
> and anything that's not falls into the bitbucket.

Here is a person that wants a SLOOOOW connection. ;)

> Those that wish to be anonymous .. always will be :)

Let's not forget that those wanting anonymity make mistakes like the
rest of us. That's the kind of thing that Moore is trying to capitalize
on. Some simply don't like the tracking associated with having a fixed
IP, therefore the stakes behind a revealed IP are fairly low. The stakes
go up when someone engages in bad behavior, or when his/her Web browsing
habits arouse government interest.

--
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky



tonnerre.lombard at sygroup

Jun 27, 2006, 11:05 PM

Post #11 of 13 (843 views)
Re: UnAnonymizer [In reply to]

Hi,

On Tue, 2006-06-27 at 12:37 +0100, pdp (architect) wrote:
> Also, it might be possible to unhide a tor user by starting an
> application which will make a http request to your server regardless
> where your browser proxy setting are pointing to.

On a sane Tor setup, this will simply time out though.

Tonnerre
--
SyGroup GmbH
Tonnerre Lombard

Solutions with System

Tel: +41 61 333 80 33    Roeschenzerstrasse 9
Fax: +41 61 383 14 67    4153 Reinach BL
Web: www.sygroup.ch      tonnerre.lombard [at] sygroup


pdp.gnucitizen at googlemail

Jun 27, 2006, 11:15 PM

Post #12 of 13 (855 views)
Re: UnAnonymizer [In reply to]

Sure, you are right!!! But there is always a chance to screw up :) and
when somebody does that, we must have the right tools to detect it.


--
pdp (architect)
http://www.gnucitizen.org



RaMatkal at hotmail

Jun 29, 2006, 1:05 AM

Post #13 of 13 (833 views)
Re: UnAnonymizer [In reply to]

decloak works successfully but I get a Java general exception and it crashes my
browser....

XPSP2, IE, latest security patches....


