Metasploit Decloaking Engine and TOR
For those who don't know what TOR is, visit the project's homepage: https://www.torproject.org
| https://www.torproject.org/ wrote: | Tor is free software and an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security known as traffic analysis.
Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location. Tor works with many of your existing applications, including web browsers, instant messaging clients, remote login, and other applications based on the TCP protocol.
Hundreds of thousands of people around the world use Tor for a wide variety of reasons: journalists and bloggers, human rights workers, law enforcement officers, soldiers, corporations, citizens of repressive regimes, and just ordinary citizens. See the Who Uses Tor? page for examples of typical Tor users. See the overview page for a more detailed explanation of what Tor does, and why this diversity of users is important.
Tor doesn't magically encrypt all of your Internet activities, though. You should understand what Tor does and does not do for you. |
|
There are many known attacks against TOR users that aim to find their real IP. Most of them rely on the fact that JavaScript, VBScript, browser plugins and similar components are not bound by the browser's proxy settings, so they can be used to bypass the proxy or to read the local IP directly. The Metasploit Decloaking Engine is a public service that websites can call to reveal the real IP of their users.
| http://decloak.net/ wrote: | Metasploit Decloaking Engine
This tool demonstrates a system for identifying the real IP address of a web user, regardless of proxy settings, using a combination of client-side technologies and custom services. No vulnerabilities are exploited by this tool. A properly configured Tor setup should not result in any identifying information being exposed.
It is now possible to embed the decloaking engine into third-party web sites, using the services hosted at decloak.net. This is a great way to track down abusive users or verify the privacy settings of your site's visitors. |
|
Testing this service with a proxy set in the browser and with JavaScript and plugins enabled shows that it can indeed reveal your real IP. Disabling browser extensions and scripting reduces the functionality of most websites or makes them inaccessible altogether. So what can be done to reduce the risk of a website finding your real IP through one of these techniques while you use a proxy?
Advanced TOR is a new project which will be added here in the next days. It is based on TOR and its purpose is to make TOR more accessible and more resource-friendly for Windows users, without the need for an external program or an extra open configuration port to control its behaviour. It can also "force" applications that have no proxy support of their own to use TOR. With the original Vidalia+TOR+Privoxy bundle you have 3 open ports (9050 - SOCKS4/5, 9051 - control port, 8118 - HTTP proxy port). With Advanced TOR only 1 port is open (by default 127.0.0.1:9050), and it accepts SOCKS5, SOCKS4 and HTTP / HTTP CONNECT proxy connections. It has a GUI, so there is no need for an extra configuration port (it can still be opened if needed). The "Force TOR" option can also be used with a browser that already uses TOR as its proxy, to force scripts and extensions to go through TOR as well. Testing the Metasploit Decloaking Engine with TOR set as the proxy and "Force TOR" enabled for the browser's process gives the following result:
| Advanced TOR wrote: |
[06:59:39] [notice] Tor v0.2.1.13-alpha. This is experimental software. Do not rely on it for strong anonymity. (Running on Windows XP Service Pack 2 [workstation] {terminal services, single user})
[06:59:42] [notice] We now have enough directory information to build circuits.
[06:59:42] [notice] Bootstrapped 80%: Connecting to the Tor network.
[06:59:42] [notice] Bootstrapped 85%: Finishing handshake with first hop.
[06:59:45] [notice] Bootstrapped 90%: Establishing a Tor circuit.
[06:59:50] [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
[06:59:50] [notice] Bootstrapped 100%: Connected to TOR network..
[06:59:51] [proxy] Connection request for decloak.net:80 .
[06:59:53] [proxy] Connection request for decloak.net:80 .
[06:59:53] [proxy] Connection request for decloak.net:80 .
[06:59:53] [proxy] Connection request for decloak.net:80 .
[06:59:55] [proxy] Connection request for decloak.net:80 .
[07:00:00] [proxy] Connection request for decloak.net:80 .
[07:00:00] [proxy] Connection request for decloak.net:80 .
[07:00:04] [proxy] Connection request for decloak.net:80 .
[07:00:06] [proxy] Connection request for decloak.net:80 .
[07:00:06] [proxy] Connection request for decloak.net:80 .
[07:00:06] [proxy] Connection request for decloak.net:80 .
[07:00:07] [proxy] Connection request for decloak.net:80 .
[07:00:08] [proxy] Connection request for fdcce6def5973cfe6316c165782e2e9f.http.85.25.145.98.0.0.0.0.spy.decloak.net:80 .
[07:00:09] [proxy] Connection request for decloak.net:80 .
[07:00:09] [proxy] Connection request for decloak.net:80 .
[07:00:11] [proxy] Connection request for fdcce6def5973cfe6316c165782e2e9f.quicktime.85.25.145.98.0.0.0.0.spy.decloak.net:80 .
[07:00:14] [proxy] Connection request for decloak.net:80 .
[07:00:16] [proxy] Connection request for decloak.net:80 .
[07:00:17] [proxy] Attempt to bypass proxy settings with address 66.240.213.71:843 .
[07:00:17] [proxy] Connection request for 66.240.213.71:843 .
[07:00:19] [proxy] Connection request for decloak.net:80 .
[07:00:19] [proxy] Connection request for decloak.net:80 .
[07:00:19] [proxy] Connection request for decloak.net:80 .
[07:00:19] [proxy] Connection request for decloak.net:80 .
[07:00:20] [proxy] Attempt to bypass proxy settings with address 66.240.213.71:53530 .
[07:00:20] [proxy] Connection request for 66.240.213.71:53530 .
[07:00:21] [proxy] Connection request for decloak.net:80 .
[07:00:23] [proxy] Connection request for decloak.net:80 .
[07:00:24] [proxy] Connection request for decloak.net:80 .
[07:00:24] [proxy] Connection request for decloak.net:80 .
[07:00:24] [proxy] Connection request for decloak.net:80 .
[07:00:26] [proxy] Connection request for 728c11eaf8a985be011aa3739598b520.http.85.25.145.98.0.0.0.0.spy.decloak.net:80 .
[07:00:35] [proxy] Connection request for decloak.net:80 .
[07:00:35] [proxy] Connection request for decloak.net:80 .
[07:00:35] [proxy] Connection request for decloak.net:80 .
[07:00:35] [proxy] Connection request for decloak.net:80 .
[07:00:38] [proxy] Connection request for 728c11eaf8a985be011aa3739598b520.quicktime.85.25.145.98.0.0.0.0.spy.decloak.net:80 .
[07:00:48] [proxy] Attempt to bypass proxy settings with address 66.240.213.71:843 .
[07:00:48] [proxy] Connection request for 66.240.213.71:843 .
[07:00:49] [proxy] Attempt to bypass proxy settings with address 66.240.213.71:53530 .
[07:00:49] [proxy] Connection request for 66.240.213.71:53530 .
[07:00:52] [proxy] Attempt to bypass proxy settings with address 66.240.213.71:53530 .
[07:00:52] [proxy] Connection request for 66.240.213.71:53530 .
[07:01:05] [proxy] Connection request for decloak.net:80 .
[07:01:07] [proxy] Connection request for decloak.net:80 .
[07:01:07] [proxy] Connection request for decloak.net:80 .
[07:01:07] [proxy] Connection request for decloak.net:80 .
[07:01:07] [proxy] Connection request for decloak.net:80 .
[07:01:09] [proxy] Connection request for decloak.net:80 .
[07:01:28] [proxy] Connection request for decloak.net:80 .
[07:01:31] [proxy] Connection request for decloak.net:80 .
[07:01:32] [proxy] Connection request for decloak.net:80 .
[07:01:33] [proxy] Connection request for decloak.net:80 .
[07:01:33] [proxy] Connection request for decloak.net:80 .
[07:01:33] [proxy] Connection request for decloak.net:80 .
[07:01:33] [proxy] Connection request for decloak.net:80 .
[07:01:33] [proxy] Connection request for decloak.net:80 .
[07:01:33] [proxy] Connection request for decloak.net:80 .
[07:01:33] [proxy] Connection request for decloak.net:80 .
[07:01:33] [proxy] Connection request for decloak.net:80 .
[07:01:33] [proxy] Connection request for decloak.net:80 .
[07:01:33] [proxy] Connection request for decloak.net:80 .
[07:01:33] [proxy] Connection request for decloak.net:80 . |
|
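As an added example (my code, not part of the original post or of the Advanced TOR project), a small parser for the [proxy] log format quoted above. It flags the "Attempt to bypass proxy settings" events and checks that each one was followed by a proxied request to the same address, and it splits the per-session probe hostnames into their parts. The sample lines are constructed from the log above, and the structure assumed for the probe names (session id, technique label, embedded address) is inferred from those lines only.

```python
import re
# Constructed sample in the Advanced TOR log format quoted above (a few lines, not the whole log).
SAMPLE_LOG = """\
[07:00:07] [proxy] Connection request for decloak.net:80 .
[07:00:08] [proxy] Connection request for fdcce6def5973cfe6316c165782e2e9f.http.85.25.145.98.0.0.0.0.spy.decloak.net:80 .
[07:00:17] [proxy] Attempt to bypass proxy settings with address 66.240.213.71:843 .
[07:00:17] [proxy] Connection request for 66.240.213.71:843 .
[07:00:20] [proxy] Attempt to bypass proxy settings with address 66.240.213.71:53530 .
[07:00:20] [proxy] Connection request for 66.240.213.71:53530 .
[07:00:38] [proxy] Connection request for 728c11eaf8a985be011aa3739598b520.quicktime.85.25.145.98.0.0.0.0.spy.decloak.net:80 .
"""

# One [proxy] event: timestamp, kind, destination host, destination port.
LINE_RE = re.compile(r"^\[(\d\d:\d\d:\d\d)\] \[proxy\] (Connection request for|"
                     r"Attempt to bypass proxy settings with address) (\S+):(\d+) \.$")
# Probe names as seen in the log (assumed layout): <32-hex session id>.<technique>.<embedded IPv4>.0.0.0.0.spy.decloak.net
PROBE_RE = re.compile(r"^([0-9a-f]{32})\.([a-z]+)\.(\d{1,3}(?:\.\d{1,3}){3})\.0\.0\.0\.0\.spy\.decloak\.net$")


def parse_log(text):
    """Sort [proxy] lines into bypass attempts, decloak probe names and proxied raw-IP requests."""
    parsed = {"bypass": [], "probes": [], "raw_ip": []}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # [notice] lines and anything else are not proxy events
        ts, kind, host, port = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if kind.startswith("Attempt"):
            parsed["bypass"].append((ts, host, port))
            continue
        probe = PROBE_RE.match(host)
        if probe:  # session id, technique label (http/quicktime), embedded address
            parsed["probes"].append((probe.group(1), probe.group(2), probe.group(3)))
        elif re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            parsed["raw_ip"].append((ts, host, port))
    return parsed


def bypasses_redirected(parsed):
    """True when every bypass attempt is followed by a proxied request to the same address,
    i.e. the hook caught the direct connection rather than letting it leave the host."""
    proxied = {(h, p) for _, h, p in parsed["raw_ip"]}
    return all((h, p) in proxied for _, h, p in parsed["bypass"])


def probe_techniques(parsed):
    """Map each decloak session id to the client-side techniques that probed through the proxy."""
    sessions = {}
    for sid, technique, _ in parsed["probes"]:
        sessions.setdefault(sid, set()).add(technique)
    return sessions
```

Running `parse_log` over the full log above gives the same picture as the sample: every bypass attempt is immediately followed by a proxied request to the same address, and no probe name was resolved locally.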

The "Force TOR" option needs AdvTor.dll, which sets hooks on the Winsock functions gethostname (which then always returns a fake hostname, to prevent the program from finding the local IP) and connect and WSAConnect (which make the connections go through TOR's proxy). The current version of AdvTor.dll works with Windows 2000 and XP, and does not work with programs that use WSAAsyncSelect. On request, more operating systems will be supported, and its functions may also be added to ddosflt so that services, including svchost-hosted services, can be forced to use TOR as well. The project is currently in beta, and it will be added to this website once enough options are available in the GUI to make it useful without editing configuration files (which are located in TOR's directory). For those who want to test what has been done so far, a beta version is available here: http://nemesis.te-home.net/Files/AdvTor/AdvTor.zip.
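As an added illustration of what the "Force TOR" hook described above has to do (my code, not AdvTor.dll and not from the project), a hooked connect() does not dial the destination; it opens 127.0.0.1:9050, negotiates SOCKS5 and hands the proxy the destination as a hostname, so the DNS lookup happens on the TOR side and the local resolver never sees the probe names. That AdvTor.dll speaks exactly this SOCKS5 dialect is an assumption; the page only states that port 9050 accepts SOCKS5, SOCKS4 and HTTP CONNECT.

```python
import socket
import struct

# Advanced TOR's single listening port, taken from the page; the rest is assumed.
TOR_PROXY = ("127.0.0.1", 9050)


def socks5_connect_request(host, port):
    """SOCKS5 CONNECT with ATYP 0x03 (domain name): the proxy, not the local
    resolver, performs the DNS lookup, so the lookup cannot expose the client."""
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS5")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


def parse_socks5_reply(data):
    """Return (success, bound_address, bound_port) from a SOCKS5 CONNECT reply."""
    if len(data) < 4 or data[0] != 5:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == 1:                      # IPv4
        addr, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == 3:                    # domain name
        n = data[4]
        addr, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    elif atyp == 4:                    # IPv6
        addr, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    else:
        raise ValueError("unknown address type %d" % atyp)
    return rep == 0, addr, struct.unpack("!H", rest[:2])[0]


def proxied_connect(host, port, proxy=TOR_PROXY):
    """What a hooked connect() does instead of dialling (host, port) directly:
    connect to the proxy, negotiate no-auth, then ask it to open the destination."""
    sock = socket.create_connection(proxy)
    try:
        sock.sendall(b"\x05\x01\x00")          # version 5, one method offered: no auth
        hdr = sock.recv(2)
        if len(hdr) != 2 or hdr[0] != 5 or hdr[1] != 0:
            raise OSError("proxy did not accept no-auth")
        sock.sendall(socks5_connect_request(host, port))
        ok, _, _ = parse_socks5_reply(sock.recv(262))
        if not ok:
            raise OSError("proxy refused CONNECT to %s:%d" % (host, port))
    except Exception:
        sock.close()
        raise
    return sock
```

The two byte-level helpers run offline; `proxied_connect` needs a SOCKS5 listener on 127.0.0.1:9050, and the socket it returns carries the tunnelled stream.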