web application security lab

De-anonymizing Tor and Detecting Proxies

Okay, whew, I finally got around to building out some demos of some of the things I’ve been talking and thinking about. I’m not as crazy busy as Jeremiah, but I am speaking at the APWG conference, an invite-only malware conference, a local Rotary meeting, the NJ OWASP conference, the SD ISSA conference and the big OWASP/WASC conference in San Jose. So yah, I’m swamped. Don’t expect much posting for a while. But in the meantime here are two interesting proxy tidbits.

The first is something you may have seen in passing that Jeremiah and I mentioned at our Blackhat conference and our followup podcast. This code (it takes several seconds to load) uses a piece of JavaScript to instantiate a Java socket that calls back to the origin site. Because the Java Socket connection does not consult the browser’s proxy settings, the origin site sees the client’s real address, allowing you to de-anonymize people using proxies. It works great for Tor or just about any HTTP proxy that I can think of. Cool stuff.

The next demo is a tiny slice of HTML that simply tries to detect whether you are using an HTTP proxy (for example an Apache proxy using mod_proxy). It works by forced browsing and then attempting to use the CSS history hack (without JS) to detect whether you were able to surf there. By sending the browser to a place that doesn’t exist (http://test/) and creating an error using the %-- trick, I can detect that you were able to visit somewhere that normally can’t exist. Fun!

As a last point, id pointed out to me that we could easily import fierce’s hosts file and quickly enumerate all the possibilities (and probably more) with the JS CSS history hack, and possibly get lots of the internal address space of anyone who happened to surf intranet sites prior to visiting the hacker’s site. It’s less reliable than port scanning, obviously, but it’s also way less noisy.

That is all.

34 Responses to “De-anonymizing Tor and Detecting Proxies”

  1. Giorgio Maone Says:

    Nice and inspiring post.

    I deferred my bedtime a bit to put up a cross-browser version: http://hackademix.net/2007/09/26/cross-browser-proxy-unmasking/

    Rather than turning your JS+Java PoC into a Java Applet (too easy), I used Flash.

    Good night :)

  2. yawnmoth Says:

    FWIW, I’ve posted about the Java technique here, before. About five months ago:

    http://ha.ckers.org/blog/20070406/iphide-vulnerable-to-utf-7-and-may-be-phishing/#comment-27452

    Giorgio Maone - although I haven’t tested it yet, my suspicion is that your technique won’t work. The Java technique works because Java doesn’t know that you’re going to be sending an HTTP request with the Socket() object. If you used the URL() object it wouldn’t work. Java will use the browser’s proxy settings.

    Similarly, it’s doubtful that the getURL() Flash technique would work since, presumably, that object can only be used with HTTP requests.

  3. Giorgio Maone Says:

    yawnmoth:
    why didn’t you test my demo, or at least read my code right, before voicing your suspicion?
    Well, even if you can’t read ActionScript or Perl, it was also explained in my post: XMLSocket is used to make a direct socket connection with a custom Perl server listening on port 9999, which echoes back the unmasked IP.
    getURL() usage is incidental to the technique, as it is used in this demo only to refresh the page with the new info — or, in a “real world scenario” to send back the IP to the HTTP layer allowing the out-of-band Perl server to be kept stateless and as tiny as possible.

  4. Achraf Says:

    It does seem to work with anonymizers.
    I tried this:
    http://anonymouse.org/cgi-bin/anon-www.cgi/http://ha.ckers.org/weird/tor.cgi

  5. mybeNi websecurity Says:

    Nice post, I love to see TOR going down ;)

  6. yawnmoth Says:

    Giorgio Maone - I stand corrected. I guess I looked at your code too quickly…

  7. Giorgio Maone Says:

    @yawnmoth:
    No problem, you’re welcome.
    I also added credits to your demo in my article, since yours is as cross-browser as mine.

  8. yawnmoth Says:

    Achraf - doesn’t work for me on CGI proxies. And why would it? Just because Java’s Socket object ignores the browser’s HTTP proxy settings (which is reasonable, as I explained earlier) doesn’t mean Java can’t abide by the browser’s “same domain” policies. The reason being that HTTP is an Application layer protocol while TCP (e.g. what you use when you initially connect to the domain and before you’ve actually sent any data) is on the Transport layer.

    The Transport layer is constant, when using Java’s Socket object - it’s always going to be TCP. What you can change with Java’s Socket object is the Application layer protocol you’re using.

  9. yawnmoth Says:

    Thanks, Giorgio Maone :)

  10. janusvm Says:

    This is why JanusVM and other transparent proxy approaches work so well. It is easier to anonymize applications and there is no side channel leakage when some plugin or browser helper calls out directly instead of using browser proxy settings.

  11. R3d1st Says:

    I tried your de-anonymisation and it wouldn’t work with the FF-Addon PhProxy. There is just the Proxy IP and an IP I didn’t know…

    Your current IP is: 72.36.237.90
    Your real IP is: 5.0.2.263
    … My IP would start like 84.57…

  12. Hallvord R. M. Steen Says:

    Hm.. The proxy detection trick doesn’t work with Opera - the URL is considered visited even if it doesn’t exist.

  13. SilentBob Says:

    How is this different from the similar POC code that HD Moore published 6 months ago?

    http://metasploit.com/research/misc/decloak/

  14. SilentBob Says:

    sorry, wrong date…..over a year ago.

  15. Zoiz Says:

    Giorgio Maone’s one works on SSH Tunneling. Thanks.

  16. yawnmoth Says:

    Looks like the same thing. RSnake mentioned it over a year ago, as well:

    http://ha.ckers.org/blog/20060628/community-cookie-logger/

    Makes me wonder if that tool has changed, over time, or if it’s worked the way it does (using the Flash and Java techniques) all this time…

    Incidentally, the phpBB modification on which my stand-alone tool is based was released just over a year ago, as well:

    http://www.phpbb.com/community/viewtopic.php?t=437712

    HD Moore’s thing predates even that, however.

  17. Giorgio Maone Says:

    @SilentBob:
    Minimal differences, in fact. As I stated in my post, plugins used as out-of-band decloak devices are hardly news, and I threw my 5 mins XMLSocket PoC at it just because it was such low-hanging fruit in the ActionScript API reference (yes, now I see there was something similar in HD Moore’s work as well).
    Apparently some stuff gets “rediscovered” from time to time, maybe because it’s still more or less getting ignored in the mainstream: the point is stressing how hard anonymity is, and how easy it is to fall for the dancing pigs.
    At any rate, those CSS-based tricks, even though less effective, do look original in this context.

  18. RSnake Says:

    R3d1st - that’s because of the terrible regex that I’m doing. It probably did work, but you have that string (that matches the regex) somewhere in your headers. I could have added some unique string to the front of the IP address when I output it to make it easier to find with the regex, but alas - I was lazy.

    SilentBob - the second one is completely different, the first one is basically the same except it doesn’t use an applet. Although I didn’t discover this part (nor did I say I did) - it was just something I had talked about during the speeches so I figured I should make a proof of concept explaining it better by being more demonstrative. I hope that clears it up.

  19. felosi Says:

    It would be nice if there was someone who had updated Tor lists to use like dshield or similar. Tor sucks to use and 99.9% of the use you see from a server or irc admin’s point of view is abuse.

    I saw not too long ago a ddos attack all from Tor nodes, so someone had figured out how to incorporate Tor usage into botnets.

    Nice article, I’m waiting for the day when this can be done automatically via http filtering or by firewalls. I think it’s pretty much safe to say now that 99% of all established irc networks ban Tor and most server admins try to keep them banned too.

    I know there will be abuse in anything but the entire concept of Tor allows rampant abuse with no consequences. As far as a home user wanting anonymity, I’ve always used findnot, they may not be the best but TOR is painfully slow to browse with and just basically sucks.

  20. vlan7 Says:

    Hi!
    Nice hack folks!
    Could you please email me your CGI code to my email to understand how you’ve done this hack?
    My email is vlan7(at)bigfoot.com
    Thanks!

  21. geschonneck.com Says:

    de-anonymizing Tor

    The guys from the ha.ckers.org web application security lab recently published ways to bypass browser proxies and de-anonymize Tor. Well, not really brand new info, but it’s still interesting stuff.
    Read the full post.

  22. honey Says:

    What if you do not enable JavaScript/Java?

  23. RSnake Says:

    Hi, Honey - you are assuming this vulnerability cannot be replicated in Flash - which it most definitely can if Flash is allowed to make socket calls. Also ActiveX controls or other client side applications (PDF, Quicktime, etc…) all have the potential of having this sort of de-anonymization effect if they can make sockets that don’t follow the browser’s proxy settings (this is untested as far as I know).

  24. Foo Says:

    Since in most cases Javascript is needed to initiate the Java app in the first place, there’s: NoScript http://noscript.net/ for FF. For Flash and Java there are other “fixes.”

    But these little workarounds are not new knowledge. They’ve been on Tor’s wiki for a long time: https://www.torproject.org/download.html.en#Warning

    No one has ever claimed you can just plug-in Tor and be anonymous. Like everything done right, it takes a little more work than just that!

    For those who bash Tor, what’s your problem with it? Tor’s not a bad thing - in fact you should value anything that aids in protecting your privacy… Or maybe you’re someone who aims to breach others’ privacy?

  25. Long life to Tor! Says:

    This code doesn’t work with a firewall enabled to block browser direct access. I have XeroBank/Tor network here and even with Noscript disabled, it didn’t reveal my real IP bypassing my firewall rules!!!!

    Thanks for this magnificent tip, that will make everyone use a firewall to prevent their true IP from being revealed.

  26. Stone Says:

    How about users who don’t even have Java, JavaScript, Flash and other crap enabled/installed. Also a paranoid user can block all egress traffic (except for what is needed for Tor to function properly).

    Also a great deal of Tor users could be detected with a simple technique. Simply start tor, let it update its router cache (and do this periodically), and get a list of routers:

    awk '/^router / {print $3}' ~/.tor/cached-routers* | sort -u
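Added example (not code from the post or from any commenter): the relay list that the awk one-liner above extracts, rebuilt in Python and then used to flag web-server log entries whose client address is a known relay. The descriptor and log lines are constructed samples that follow the real "router" line layout and the Apache combined log format.

```python
import ipaddress
import re

# Constructed sample of a Tor cached-routers file. Real files carry many more
# keywords per descriptor; only the "router" lines matter here, laid out as:
# router <nickname> <address> <ORPort> <SOCKSPort> <DirPort>
SAMPLE_CACHED_ROUTERS = """\
router relayA 203.0.113.10 9001 0 9030
platform Tor 0.2.0.x on Linux
published 2007-09-26 01:02:03
router relayB 198.51.100.7 443 0 80
router relayA 203.0.113.10 9001 0 9030
router broken not-an-ip 9001 0 0
"""

ROUTER_LINE = re.compile(r"^router\s+(\S+)\s+(\S+)\s+\d+\s+\d+\s+\d+\s*$")


def relay_addresses(descriptor_text):
    """Unique relay IPs: the same set the awk | sort -u pipeline prints."""
    addrs = set()
    for line in descriptor_text.splitlines():
        m = ROUTER_LINE.match(line)
        if m is None:
            continue
        try:
            addrs.add(str(ipaddress.ip_address(m.group(2))))
        except ValueError:
            continue  # malformed address field: skip it rather than crash
    return addrs


def tor_hits(log_lines, relays):
    """Return (client_ip, line) for combined-format log lines whose client IP
    is a known relay. cached-routers lists every relay, not only exits, so a
    hit is a heuristic signal, not proof that the client is a Tor user."""
    hits = []
    for line in log_lines:
        client_ip = line.split(" ", 1)[0]
        if client_ip in relays:
            hits.append((client_ip, line))
    return hits


# Constructed sample log lines (Apache combined log format).
SAMPLE_LOG = [
    '203.0.113.10 - - [26/Sep/2007:01:02:03 +0000] "GET /weird/tor.cgi HTTP/1.1" 200 512',
    '192.0.2.44 - - [26/Sep/2007:01:02:04 +0000] "GET /blog/ HTTP/1.1" 200 9021',
]
```

Running `tor_hits(SAMPLE_LOG, relay_addresses(SAMPLE_CACHED_ROUTERS))` flags only the first sample line; the duplicate and malformed descriptor lines are collapsed and dropped.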

  27. Long Life to Tor! Says:

    Just for the record, the rules required for Tor, while you’re using a browser like XeroBank, are the following. You have to apply them to the Firefox.exe file, which is placed in XeroBank’s directory:

    Where the protocol is TCP
    where the direction is Outbound
    And where the remote port is HTTP, HTTPS
    Block It

    HTTP = port 80
    HTTPS = port 443

    If you do that, even if you’re using Noscript to allow everything to perform that test, your firewall will prevent the browser from leaking your true IP. I checked here and when my firewall was closed, my true IP was indeed disclosed. So, the bottom line is: if you need to prevent such direct connections, you have to set these rules on your firewall. Otherwise, your true IP will be leaked!

    There are more rules here:
    http://www.wilderssecurity.com/showpost.php?p=1020429&postcount=9

    I strongly recommend everyone to see what was explained on this board.

  28. Long Life to Tor and xB! Says:

    There’s a way to fix this problem (Java leaking your true IP). And you don’t even need a firewall to prevent that. You just have to modify Java Cpanel from Windows and make Java go through the same proxy settings XeroBank is using!

    Go to Java Control Panel on Windows, General - Network settings:

    Instead of “Use browser settings” you have to leave the option “Use proxy server” selected. Go to Advanced… and fill these forms:

    Advanced Network Settings

    HTTP: Port: 0
    Secure: Port: 0
    FTP: Port: 0

    Socks: localhost - Port: 9050

    Leave this option unmarked:
    “Use same proxy server for all protocols” (I think)

    I tried that and when I checked both pages, already allowed on Noscript whitelist, they didn’t reveal my true IP!!!!!!!

    http://ha.ckers.org/weird/tor.cgi

    http://www.frostjedi.com/terra/scrip…php?mode=utf16 (127.0.0.1 - localhost again)

    Listen to this!!!!!!!!!!

    The first hackers.org link shows my Tor IP twice!!!!!! I checked Outpost blocked entries/log history and there’s no sign of Firefox.exe!!!

    We don’t need a firewall to block this attempt! We need to configure Java itself to make connections using proxy settings! How the hell didn’t I see that before?

    Regarding Flash, I didn’t check because it is not installed here by default on my XeroBank. But this is a minor verification, since Flash can be blocked entirely for most sites out there (we can’t say the same thing about Java, which is much more required; if we don’t allow Java, many sites can’t even work and we don’t have a choice in the end).

    And according to what was said to me, Javascript can’t leak anything.

  29. The Final Frontier Says:

    If you use XeroBank free browser, along with Tor network, these are the correct rules to prevent both Java and Flash from leaking your true IP. Also note that Java is different from Flash.

    Java has a control panel on Windows which can be modified so that it performs only proxy connections. Flash doesn’t. The minute I modified the Java cpanel, my Tor IP was reported twice, even while I was not using a firewall.

    Browser ruleset

    First rule - called “Special Rule”

    Where the protocol is TCP
    Where the direction is Outbound
    and Where the remote host is 127.0.0.1 (255.255.255.255)
    and where the remote port is 9050
    Allow It

    The second rule is called “Browser Block Direct Access”:

    Where the protocol is TCP
    Where the direction is Outbound
    Block It

    Please, look at the whole explanation on these links, otherwise you will be lost.

    Just remember, you don’t need to disable all plugins. You are entitled to run all of them. But you indeed have to configure your firewall to avoid these leakage attempts. If you do that, then, your privacy is safe.

    http://outpostfirewall.com/forum/showthread.php?p=162759
    http://www.wilderssecurity.com/showthread.php?t=190073

    http://www.wilderssecurity.com/showthread.php?p=994629
    http://www.wilderssecurity.com/showpost.php?p=384351&postcount=13
    http://www.wilderssecurity.com/showthread.php?t=176514


  31. BSDgeek Says:

    I appreciate all the work & really nice finding.

    BUT.

    As long as the user is using script blocking, header modifiers & protocol spoofing, HE/SHE is most secure in many ways. It is really tough for any hacker or script kiddie to do any browser or host exploit.

    My formula is simple:
    USER + BROWSER (privoxy+tor+i2p+adblock+noscript+header_modifier) = SECURE BROWSING

    But I prefer Opera (http://www.opera.com), it’s more flexible & configurable, and obviously MORE SECURE.

  32. ej crocker Says:

    I need proxies ppl to get on myspace

  33. Jwiggy Says:

    hi… I don’t know how to enable Java when Tor is enabled. I’m using the Firefox 3 browser… I need Java to play a game.. I already set the options in the browser to enable Java… help needed. Any help is greatly appreciated.

  34. Marco Says:

    The CSS history hack doesn’t work with hidemyass.com, they give each frame an extra unique variable, which blows the whole thing.

    Works great with Kproxy though.

    Nice job.