lists.openwall.net: Open Source and information security mailing list archives
Date: Tue Jun 27 16:54:06 2006
From: fdlist at digitaloffense.net (H D Moore)
Subject: UnAnonymizer

If your real internal and external NAT addresses did not appear when using a proxy, either the Java applet did not load or a race condition failed. From browsing the database backend, it looks like just over 1,000 people were successfully identified (internal + nat gw + external + dns). The database is wiped every 24 hours.

The 'trick' is to obtain this information regardless of proxy settings and, in the case of SOCKS4, be able to identify your real DNS servers. This is accomplished using a custom DNS service along with a Java applet that abuses the DatagramSocket/GetByName APIs to bypass any configured proxy. The source code of the applet is online as well:

- http://metasploit.com/research/misc/decloak/HelloWorld.java

There are a handful of other ways to obtain a user's real IP address - you can embed a link to a SMB service over a UNC path, start up another application via file attachments (PDF, with embedded JS, etc), or abuse any other network-aware app that is launched by the browser. The goal of the "decloak" code is to provide a javascript-friendly way to obtain this information that doesn't notify the user that something strange is happening.

A great use of this code would be to track down the real source of a malicious request being routed through a TOR exit node. Take this a step further by adding smart filtering and injection code to the TOR client itself and you have a solution for detecting and reporting "bad" traffic that happens to exit through your node (attempted server exploitation, pornography not involving adults, etc). My current implementation uses an embedded ruby interpreter and a set of ruby modules to perform the protocol detection and filtering.

Thanks for testing!

-HD

On Monday 26 June 2006 20:07, H D Moore wrote:
> A fun browser toy that depends on Java for complete results:
> - http://metasploit.com/research/misc/decloak/
>
> -HD