Date: Tue Jun 27 16:54:06 2006
From: fdlist at digitaloffense.net (H D Moore)
Subject: UnAnonymizer

If your real internal and external NAT addresses did not appear when using 
a proxy, either the Java applet did not load or a race condition failed. 
From browsing the database backend, it looks like just over 1,000 people 
were successfully identified (internal + nat gw + external + dns). The 
database is wiped every 24 hours.

The 'trick' is to obtain this information regardless of proxy settings 
and in the case of SOCKS4, be able to identify your real DNS servers. 
This is accomplished using a custom DNS service along with a Java applet 
that abuses the DatagramSocket/GetByName APIs to bypass any configured 
proxy. The source code of the applet is online as well:
- http://metasploit.com/research/misc/decloak/HelloWorld.java

There are a handful of other ways to obtain a user's real IP address - you 
can embed a link to a SMB service over a UNC path, start up another 
application via file attachments (PDF, with embedded JS, etc), or abuse 
any other network-aware app that is launched by the browser.

The goal of the "decloak" code is to provide a javascript-friendly way to 
obtain this information that doesn't notify the user that something 
strange is happening. A great use of this code would be to track down the 
real source of a malicious request being routed through a TOR exit node. 

Take this a step further by adding smart filtering and injection code to 
the TOR client itself and you have a solution for detecting and reporting 
"bad" traffic that happens to exit through your node (attempted server 
exploitation, pornography not involving adults, etc). My current 
implementation uses an embedded ruby interpreter and a set of ruby modules 
to perform the protocol detection and filtering.

Thanks for testing!

-HD

On Monday 26 June 2006 20:07, H D Moore wrote:
> A fun browser toy that depends on Java for complete results:
> - http://metasploit.com/research/misc/decloak/
>
> -HD
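
Seen from the defending side, the proxy bypass described in this message appears as UDP and DNS traffic leaving a host outside its configured proxy. The following is an added example, not part of the original post or the decloak code, that flags such flows in egress records; the log format, the addresses and the SOCKS proxy at 10.0.0.1:9050 are constructed assumptions.

```python
from collections import defaultdict

# Assumed SOCKS proxy that every client flow is expected to use.
PROXY = ("10.0.0.1", 9050)

# Constructed sample egress records (not from the original post):
# timestamp, source host, destination IP, protocol, destination port
SAMPLE_FLOWS = """\
2006-06-27T16:40:01 10.0.0.5 10.0.0.1 tcp 9050
2006-06-27T16:40:02 10.0.0.5 10.0.0.53 udp 53
2006-06-27T16:40:02 10.0.0.5 203.0.113.9 udp 40000
2006-06-27T16:40:03 10.0.0.6 10.0.0.1 tcp 9050
malformed line
2006-06-27T16:40:05 10.0.0.7 198.51.100.20 tcp 80
"""


def classify(dst, proto, dport, proxy=PROXY):
    """Return a leak label, or None when the flow goes to the proxy."""
    if proto == "tcp" and (dst, dport) == proxy:
        return None
    if dport == 53:
        # A local lookup reveals the client's real resolver (the SOCKS4 case).
        return "dns-outside-proxy"
    if proto == "udp":
        # Datagrams are not carried by a TCP-only proxy, so they go direct.
        return "udp-outside-proxy"
    return "tcp-outside-proxy"


def find_leaks(log_text, proxy=PROXY):
    """Group flows that bypass the proxy by source host."""
    leaks = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue  # skip records that do not match the assumed format
        ts, src, dst, proto, dport = fields
        label = classify(dst, proto.lower(), int(dport), proxy)
        if label:
            leaks[src].append((ts, label, dst, int(dport)))
    return dict(leaks)


if __name__ == "__main__":
    for host, events in find_leaks(SAMPLE_FLOWS).items():
        for ts, label, dst, dport in events:
            print(f"{ts} {host} {label} -> {dst}:{dport}")
```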
