web application security lab

Noisy Decloaking Methods

Yesterday, while I was helping Jeremiah with the forced basic auth cookie testing, he asked a good question: how can you better de-anonymize users through alternative methods? Some of his initial thoughts wouldn’t work, but the first thing that popped into my head was FTP and Gopher. Using out-of-band methods to make TCP or UDP connections to a monitoring site is an easy way to correlate users (by comparing timestamps).

Now, having had a day to think about it, there are a ton of ways to do this exact same thing. Here are just a few I was thinking of:

ftp:// FTP connections (port 21) - quietly connects to the port on the remote host. Many proxies don’t forward FTP, meaning the client connects directly to the server, bypassing the proxy entirely.

gopher:// Gopher connections (port 70) - quietly connects to the gopher port. Could be popped up in an iframe or anything similar.

telnet:// Telnet connections (port 23) - noisily opens the assigned telnet client. If you haven’t already done this once and authorized the application in Firefox, it will warn you upfront about what is about to happen.

file:///\\ Windows networking, microsoft-ds and netbios-ssn (ports 445 and 139) - although this can kind of grind your browser to a halt until it fails, it really can help identify the computer. In IE it will also cause a popup alert if it doesn’t connect.

scp:// WinSCP protocol (port 22) - if WinSCP is installed, the remote web server can ask you to connect to it. It will open the external application in a very obvious way.
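As an added, defender-side example (not code from the post or from any tool it mentions): a small Python scanner that walks a page’s markup and reports every fetch or navigation target that uses one of the non-HTTP schemes listed above, the kind of check a filtering proxy or a stripped-down browser mode could apply before the page is rendered. The sample page, the tag/attribute coverage and the 203.0.113.7 address (a documentation range) are all constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Schemes from the post that make the browser, or a helper application it
# launches, open a direct connection instead of going through the HTTP proxy.
OUT_OF_BAND_SCHEMES = {"ftp", "gopher", "telnet", "file", "scp"}

# Attributes whose value is fetched or followed when the page renders or is clicked.
URL_ATTRS = {"src", "href", "data", "action"}

# Pulls the target out of a <meta http-equiv="refresh" content="0; url=..."> tag.
META_REFRESH_URL = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.IGNORECASE)


def scheme_of(url):
    """Lower-cased scheme of a URL, or '' when it is relative or malformed."""
    try:
        return urlsplit(url.strip()).scheme.lower()
    except ValueError:
        return ""


class OutOfBandLinkFinder(HTMLParser):
    """Collects (tag, attribute, url) for every out-of-band scheme found in the page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def _check(self, tag, attr, url):
        if scheme_of(url) in OUT_OF_BAND_SCHEMES:
            self.findings.append((tag, attr, url.strip()))

    def handle_starttag(self, tag, attrs):
        # html.parser already lower-cases tag and attribute names
        for name, value in attrs:
            if value is None:
                continue
            if name in URL_ATTRS:
                self._check(tag, name, value)
            elif tag == "meta" and name == "content":
                m = META_REFRESH_URL.search(value)
                if m:
                    self._check(tag, name, m.group(1))


def find_out_of_band_urls(html):
    """Return the list of (tag, attribute, url) findings for a page, in document order."""
    parser = OutOfBandLinkFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page (not from the post); 203.0.113.7 is a documentation address.
SAMPLE_PAGE = r"""<html><body>
<p>Welcome</p>
<img src="https://example.invalid/logo.png">
<a href="/about">About</a>
<iframe src="gopher://203.0.113.7/" width="0" height="0"></iframe>
<img src="ftp://203.0.113.7/pixel.gif">
<link rel="stylesheet" href="FILE:///\\203.0.113.7\share\a.css">
<meta http-equiv="refresh" content="5; url=telnet://203.0.113.7/">
<a href="scp://203.0.113.7/">click</a>
<a href="javascript:void(0)">js</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_out_of_band_urls(SAMPLE_PAGE):
        print(f"{tag} {attr}={url}")
```

The scheme check is case-insensitive and tolerates the backslash form of the Windows networking URL, and the meta-refresh branch covers the redirect case that a plain attribute scan would miss; a filter built on this would strip or rewrite the offending attributes rather than just report them.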

The next question people are going to ask is how you do this if you have dozens of people hitting it at roughly the same time. This part of the technique is borrowed from a page out of HD Moore’s decloak and some of Martin Johns’ work. If you create a unique hostname per request, you can correlate that information back to the timestamp. However, because you aren’t necessarily aware of the host (just the IP), this technique has to be modified slightly: instead of hostname tricks you can use a number of IPs. Of course that means needing a lot of IP space. Setting up a packet sniffer in front of or on the host means you don’t even have to keep any of those ports open.

Of course other protocols may be in place from external applications that are installed (similar to the scp example). Knowing them can be tricky, and noisy if they fail, depending on how they fail. The point is that there are a lot of alternative paths to getting a machine to connect directly to the machine in question, bypassing the normal hypertext transfer protocol completely.
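From the network defender’s side, the same timing correlation works in reverse: a workstation that is supposed to reach the outside world only through the proxy should never show up in the egress firewall log making its own connections on the ports behind the schemes above. The following is an added example, not code from the post, that applies that policy to iptables-style log lines. The internal range (10.0.0.0/8), the proxy address (10.0.0.250), the log format and the log lines themselves are all constructed for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Policy assumptions for this example (constructed, not from the post):
# everything in 10.0.0.0/8 is the internal network and 10.0.0.250 is the
# only host allowed to talk to the outside world on the users' behalf.
INTERNAL_NET = ip_network("10.0.0.0/8")
PROXY_HOST = ip_address("10.0.0.250")

# Destination ports behind the schemes the post lists, with a label for the report.
OUT_OF_BAND_PORTS = {
    21: "ftp",
    70: "gopher",
    23: "telnet",
    139: "netbios-ssn",
    445: "microsoft-ds",
    22: "ssh/scp",
}

# iptables-style LOG line: "<timestamp> ... SRC=a DST=b PROTO=TCP ... DPT=n"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not a usable record."""
    m = LINE_RE.search(line)
    if not m:
        return None
    try:
        return {
            "ts": m.group("ts"),
            "src": ip_address(m.group("src")),
            "dst": ip_address(m.group("dst")),
            "proto": m.group("proto"),
            "dpt": int(m.group("dpt")),
        }
    except ValueError:  # malformed address
        return None


def find_proxy_bypass(log_text):
    """Return (ts, src, dst, port, label) for each direct outbound out-of-band connection."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["src"] == PROXY_HOST or rec["src"] not in INTERNAL_NET:
            continue  # the proxy is allowed out; traffic from outside is not this check's job
        if rec["dst"] in INTERNAL_NET or rec["proto"] != "TCP":
            continue  # internal file sharing and the like is expected
        label = OUT_OF_BAND_PORTS.get(rec["dpt"])
        if label:
            hits.append((rec["ts"], str(rec["src"]), str(rec["dst"]), rec["dpt"], label))
    return hits


def summarize_by_host(hits):
    """Map each offending internal host to the sorted list of protocol labels it used."""
    by_host = defaultdict(set)
    for _ts, src, _dst, _port, label in hits:
        by_host[src].add(label)
    return {src: sorted(labels) for src, labels in by_host.items()}


# Constructed sample log (not from the post); 203.0.113.7 is a documentation address.
SAMPLE_LOG = """\
Mar 29 10:00:01 fw kernel: EGRESS SRC=10.0.0.5 DST=10.0.0.250 PROTO=TCP DPT=3128
Mar 29 10:00:02 fw kernel: EGRESS SRC=10.0.0.250 DST=203.0.113.7 PROTO=TCP DPT=80
Mar 29 10:00:03 fw kernel: EGRESS SRC=10.0.0.5 DST=203.0.113.7 PROTO=TCP DPT=21
Mar 29 10:00:03 fw kernel: EGRESS SRC=10.0.0.5 DST=203.0.113.7 PROTO=TCP DPT=70
Mar 29 10:00:04 fw kernel: EGRESS SRC=10.0.0.9 DST=203.0.113.7 PROTO=TCP DPT=445
Mar 29 10:00:05 fw kernel: EGRESS SRC=10.0.0.9 DST=10.0.0.20 PROTO=TCP DPT=445
Mar 29 10:00:06 fw kernel: EGRESS SRC=10.0.0.5 DST=203.0.113.7 PROTO=TCP DPT=443
"""

if __name__ == "__main__":
    for host, labels in summarize_by_host(find_proxy_bypass(SAMPLE_LOG)).items():
        print(host, ", ".join(labels))
```

The per-port labels only tie an alert back to the schemes discussed in the post; a stricter version of the policy flags any direct egress from a workstation regardless of port (the 443 line above would then be reported too), which is what "everything goes through the proxy" actually means.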

11 Responses to “Noisy Decloaking Methods”

  1. Awesome AnDrEw Says:

    Too bad the Gopher protocol was disabled in IE7 (and the View-Source one too, which I actually need).

  2. RSnake Says:

    Yup, that’s correct, Gopher doesn’t work in IE7 but it does work in Firefox 2.x. View-source wouldn’t be any different than http as far as detection is concerned though.

  3. Awesome AnDrEw Says:

    No, I know, but the fact that the View-Source protocol is gone in Internet Explorer 7 is quite bothersome. I used it quite often to make sure there weren’t any “traps” set up on third-party links before I got my new computer. Now I’m left with using a local VBScript utilizing AJAX to retrieve a page’s source, but it can only be done once per load or refresh (meaning I can’t have it update the content of the form like I used in the MySpace picture raper), or else I’m hit with a permissions error. On top of this I have to re-learn VB, because .Net has such a dramatic difference in both syntax and controls that I can’t figure out how to do the most trivial of tasks like set up Winsock.

  4. Stefan Esser Says:

    There is a very easy workaround for you. Don’t use IE7 :)

  5. kaes Says:

    how about using some blocking proxy, like Burpproxy?

  6. RSnake Says:

    Burp proxy will help you see the source before you view it, yes. This is confusing because there are two conversations here. That will have no effect on the techniques in the post (unless you deny the request outright) but will help with Awesome AnDrEw’s issue about not being able to view the source before he goes somewhere.

  7. Motorcycle Guy Says:

    Anyone with a little sense won’t be using just a proxy in the first place. Most people with sense will be using hacked windows boxes via rdp.

  8. c Says:

    I wonder what other custom protocols you could use? Lots of applications install their own custom protocol handler. Find a juicy one in Office, iTunes, WinAmp, etc, or something and you’ve got a reasonably good coverage rate.

  9. kaes Says:

    rsnake, yea sorry I kinda went off-topic.
    I understand the special protocol decloaking technique you describe here, nice idea, but I think it’s a little bit on the fringes of usefulness. It does, however, demonstrate that it’s currently pretty tough to completely hide your IP-address from a determined attacker (or defender, depends on which way you’re looking at it) when using Tor.
    Kinda silly, actually, that you can’t set your browser to a “no frills” mode that simply does nothing except display HTML, CSS and images (no javascript, java, special protocols, plugins, etc).

  10. Awesome AnDrEw Says:

    I have two questions now. First, as “c” said, you could more than likely use other applications’ protocols to de-anonymize a user, which leads me to believe that potentially Microsoft Windows Media Player and the “mms” (I believe that’s it) protocol could be used. I had a VBS example of using the media player’s protocol to over-write the application itself and make it into a Trojan, but it was “noisy”. So the first question (since I’m not on my PC and can’t test it) is: can this be silently embedded into a page with a silent audio file (so there’s no indication anything’s taking place) loaded off a remote site in order to log actual IPs to be compared to instances of visitor IPs in the same time frame?
    The second question is back to the fact Gopher is disabled in Internet Explorer 7. Running “HijackThis” I see a “Gopher Prefix:” entry with a blank value. Does this possibly mean Gopher can be re-enabled? I don’t necessarily need it, but it’d be funny to find out that Gopher wasn’t actually removed, but instead just disabled with a small registry entry.

  11. huib Says:

    Hi,

    I have been thinking about the exact same issue a few days ago,
    and I just thought that, by redirecting the user to a http:// php script while sending the logged ip along, it would be quite easy to determine if the user used a proxy or not..

    I am not too sure whether you can use ftp or some other server to redirect,
    but if you can.. woooh..

    In my point of view, redirecting would make the entire process a lot easier..
    Does anyone know something about redirects using one of the services listed above?

    ~huib