De-anonymizing Tor and Detecting Proxies

Discussion in 'privacy technology' started by lotuseclat79, Nov 3, 2007.

Thread Status:
Not open for further replies.
  1. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Check out this webpage that a destination website could implement as an easy way to bypass most anonymizing proxies (such as Tor) and figure out the true origin IP of a web surfer.

    A good reason to be using NoScript with Firefox to avoid revealing your IP via this technique.

    -- Tom

    Hackszine Reference here.
     
  2. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
  3. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Hi Jim,

    A couple of questions on how you have NoScript setup, i.e.
    1) Do you Temporarily allow top-level sites by default, or have it un-selected?
    2) Do you use a whitelist of allowed websites to execute JavaScript?
    3) Do you forbid Java as a plugin? Anything?
    4) Do you forbid a ping for an Untrusted site?
    5) Do you sanitize cross-site suspicious requests?
    6) Do you Turn cross-site Post requests into data-less Get requests?

    -- Tom
     
  4. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    lotus,
    to perform this kind of test on each site, you have to allow the domain on the Noscript whitelist, of course. Otherwise you won't be able to see if your true IP can be leaked or not.

    In my case, NoScript allowed the domain hackers.org and I performed that test:

    http://ha.ckers.org/weird/tor.cgi

    At first, a message appeared to be loading something, and the navigation bar showed the message Finished (that means the site was not working at all). So, the loading was stopped from the beginning. The reason was that my firewall worked against this IP leak using the rule "Browser Block Direct Access". When I turned off Outpost firewall, my true IP was revealed.

    You see, I am using Paranoid rules here also to prevent XB (Tor network) from being turned off without my knowledge.

    All configurations from Noscript were set by Steve Topletz on XeroBank browser. If you do not use XB, that's the way he configured:

    Before I proceed, I must point out that the Flash plugin is not installed by default on XeroBank. And I chose not to install it here. If I need to use Flash, I will go for IE or even my other Firefox (which has a direct connection from my ISP).

    My reason was the fear that this might be a bigger threat for leaking my IP than simple JS code. And because you can block a site from using Flash (that means you do have a choice most of the time).

    When it comes to JavaScript, you never have a choice (either you activate it, or you're unable to use the most important resources at all). That applies to a large number of sites out there.

    Jim.
     
  5. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    I tried it in IE6 with my xerobank Pro account and it gave me xerobank's IP. I tried it running tor in firefox and it gave me a tor IP. I tried choosing the option to "temporarily allow scripts" and it just froze up on me .....twice.....and I had to restart Firefox.
     
  6. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    I just tried again 3 times. And each time that I tried to "temporarily allow scripts", firefox froze up and I had to go into task manager to close it. It also popped up a red box from Key Scrambler saying "encryption module error". That red box kept popping up.
     
  7. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    I am using Windows XP SP1 and Firefox 2.0.0.8 (XeroBank) with Noscript allowing the domain ha.ckers.org on the whitelist to perform this test. My PC is quite fast, so it takes less than 10 seconds to show any results. Perhaps if you try allowing the domain before visiting the page, that might help.

    If your firewall has the same rules that Paranoid explained to prevent direct connection, you will see this screen:

    If you have disabled your firewall:

    I don't know what kind of connection I am using behind my router, but when I type ipconfig at the DOS prompt, my IP is displayed as 10.1.1.2 and the gateway as 10.1.1.1, subnet mask 255.0.0.0. It's divided between my computer and another one; both are sharing the same bandwidth, however, they don't need to dial for new connections, you just have to start Windows and it's already on the internet.
     
  8. mant

    mant Registered Member

    Joined:
    Sep 8, 2006
    Posts:
    73
    Location:
    DIY
    Good post by Jim :thumb:

    Maybe it is not about Tor rules or Paranoid rules? Maybe it is Outpost Firewall or Privoxy or Torbutton which is preventing that de-anonymization script.
     
  9. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    There's a way to fix this problem (Java leaking your true IP). And you don't even need a firewall to prevent that.

    You just have to modify Java Cpanel from Windows and make Java go through the same proxy settings XeroBank is using!

    Go to Java Control Panel on Windows, General - Network settings:

    Instead of "Use browser settings" you have to leave the option "Use proxy server" selected. Go to Advanced... and fill these forms:

    Advanced Network Settings

    HTTP: Port: 0
    Secure: Port: 0
    FTP: Port: 0

    Socks: localhost - Port: 9050


    Leave this option unmarked:
    "Use same proxy server for all protocols" (I think)

    I tried that and when I checked both pages, already allowed on Noscript whitelist, they didn't reveal my true IP!!!!!!!

    http://ha.ckers.org/weird/tor.cgi

    http://www.frostjedi.com/terra/scripts/ip_unmasker.php?mode=utf16 (127.0.0.1 - localhost again)

    Listen to this!!!!!!!!!! :cool:

    The first hackers.org link shows my Tor IP twice!!!!!! I checked Outpost blocked entries/log history and there's no sign of Firefox.exe!!!

    We don't need a firewall to block this attempt! We need to configure Java itself to make connections using proxy settings! How the hell didn't I see that before?

    Regarding Flash, I didn't check because it is not installed here by default on my XeroBank. But this is a minor verification, since Flash can be blocked entirely for most sites out there (we can't say the same thing about Java, which is much more required; if we don't allow Java, many sites can't even work and we don't have a choice in the end).

    All three tests are here:
    http://hackademix.net/2007/09/26/cross-browser-proxy-unmasking/

    And according to Paranoid, Javascript can't leak anything (I quoted what he said, check my previous posts on that large XeroBank thread). :thumb:
     
  10. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    FRAAAAAAAAAAAACKKKKKKKKKKKKK!!!!!!!!! :eek:

    I just did the Shockwave Flash test while using XeroBank browser and Tor network!!!!!!!

    This is fracking amazing!!!!!!! :eek:

    And while I was able to prevent the Java trick from working, the Flash trick is working, too!!!!

    However, the Outpost firewall rules are again preventing Firefox.exe from sending your IP back to the origin site. Paranoid's rules preventing direct connection while running the browser.

    Look!

    http://evil.hackademix.net/proxy_bypass

    Follow all those steps:

    - Allow the domain evil.hackademix.net - Noscript whitelist, in order to run Flash contents.

    - Turn off the firewall.

    - Two IPs will be listed:

    Public IP:
    Your Tor IP. Example: 78.40.100.94

    Real IP:
    204.39.31.12 (from your Internet Service Provider)

    And I only performed that test because the Flash plugin was already installed on XeroBank!

    This is the first time Steve has installed this plugin by default! I tried to remove it from here, and failed. So I did the test!!!!! This was not planned before! I discovered it by accident!

    If you leave the firewall activated with that set of rules, even by allowing the domain to run all kinds of scripts, your true IP will not be leaked. The page will not load and leak your true IP!

    That page
    http://evil.hackademix.net/proxy_bypass

    Will not succeed to load and send back your ISP IP if your firewall is enabled!

    My Outpost log says:

    Blocked Connections:

    Firefox.exe (from xB Browser)

    Direction: OUT REFUSED
    Protocol: TCP
    Remote address: 82.103.140.144
    Remote Port: 9999
    Reason: Block All Activity


    Well, this is getting interesting!

    This reason "Block all activity" was my firewall policy to block everything not allowed manually by myself!

    So, if I understand correctly, a sealed xB Browser should prevent outbound connections to ports 80 (HTTP) and 443 (HTTPS) used by that Java trick and the remote port 9999, which seems to be the port always used by that Flash trick (and I mean it - it always uses the same 9999 port).

    If there's a way to block all those three remote ports, the free browser will be sealed for good and nothing will leak. Unless someone finds a way to connect them using a different port instead.

    You see, the remote address 82.103.140.144 is from the domain hackademix.net itself!

    Push the whois button from here and you will see the origin of each IP:
    http://network-tools.com/default.asp

    And I don't know where do I have to configure to force Flash to not make direct connections, using Firefox browser! :p

    I was able to solve that problem with Java, but there is no sign of any Flash program anywhere!

    Assuming Firefox.exe (from xB Browser) is only connecting through the remote port 9050, the browser should be recompiled to perform only connections using this specific port (along with Tor.exe), ignoring all requests to use different ports by any kind of plugin and other threats. Unless there's an idea of remaining a hybrid (anonymous and not anonymous).

    At least the Flash plugin could be blocked and ignored for most of sites out there.

    Edited:

    Oh-oh. Lots of mistakes here.

    To uninstall Flash, access that page:

    http://plugindoc.mozdev.org/faqs/flash.html#win-uninstall

    I have done it here and reinstalled again. See the FAQ above for more details. Unfortunately, there's no mention of a way to modify Flash to perform only proxy connections.

    I was saying that I didn't need Flash, and after it was uninstalled, I was visiting a website here (in order to see what was going to be shown on TV in the next days, something I was planning to see even before this Flash test was done). The site is entirely done using Flash, so I didn't have any choice but to allow it (or use my non-anonymous browser to visit it).

    And to correct myself, when it comes to Flash, I learned that there's no way to correct this leakage. Unless I am mistaken.

    http://hackademix.net/2007/09/26/cross-browser-proxy-unmasking/

    I was reading what the guy has said before. Listen to this!!!!! I am quoting his words.

    The guy was just explaining that he developed a code to connect into the port 9999, so if he is able to do something like that, he can modify the same code to make Firefox to connect into the same (and only) port required into the Tor network.

    And if the Flash trick can do that, we are all doomed if we allow Flash to run, since the firewall will not block this remote port (9050), because is needed to use with Tor network.

    This post was extracted from this page. In order to see the whole discussion, please click here (to avoid being lost).
     
    Last edited: Dec 2, 2007
  11. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    I went into NoScript and temporarily allowed ha.ckers.org. I am on my father's computer right now, so there is no firewall, except Windows. But every time I try the hackers site, Firefox just freezes and won't do anything. I eventually have to go into task manager to get out of it.

    I did try it in IE though, and it didn't freeze up, but it cannot reveal my true IP with either xerobank or IPhantom. I tried with tor alone and it did, but not with the other two. None of these tests can reveal it with xerobank VPN or IPhantom.
     
  12. phkhgh

    phkhgh Registered Member

    Joined:
    Aug 17, 2007
    Posts:
    186
    HOLY C_ _P, BatMan!! I'm fairly computer literate, but all this would make most people's heads spin!

    1st, several posters in this thread mentioned how after they made specific changes, then tested whether specific sites they visited could detect their true IP, HOW exactly were they checking if the site saw their true IP? By using some specific utility, built in Windows function, or what?

    Is there one, or can someone come up w/ a "Reader's Digest" version for non-coders, step by step instructions on keeping Tor, other proxies or your browser from leaking true IP while using Tor or other proxies, in reference to all the issues mentioned in this thread?

    Granted, many users only want / need to use a proxy on occasion, so either the steps / changes necessary to stop IP leaks would have to be quickly changeable, or you'd have to have 2 installations of the browser (Firefox).
    Thanks.
     
    Last edited: Dec 2, 2007
  13. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    Good news, I think I found the solution for this problem!

    According to Paranoid2000, these are the rules to be applied to your firewall, in order to prevent that Flash trick from working (and all other plugins like Java).

    The Outpost Firewall forum have a thread about this.

    Click here for more details

    Browser rules - Firefox.exe from XeroBank's directory

    The first rule is called "Special Rule" and should be inserted before the other rule.

    * Type localhost instead, and the firewall will change the word to the address 127.0.0.1.

    The second rule is called "Browser Block Direct Access":

    You see, the second rule is blocking all outbound connections going through all ports. You just have to not specify numbers! And then, the first rule is allowing connections through port 9050 (used by Tor network), but only if they are going through localhost/127.0.0.1.

    That means, if that Flash trick tries to connect to the remote port 9050, it will not succeed, since it's trying to send back your true IP to a remote address other than localhost!

    Just to finish this matter, I would like to have that Flash source code from that website:

    http://hackademix.net/2007/09/26/cross-browser-proxy-unmasking/

    Modified to perform connections using the port 9050. And then, if it's still logged as a blocked connection, I will be 101% sure. For the time being, I am well pleased that I find some answers and ways to stop these threats, even by myself. I don't know if such thing would be possible if wasn't for Wilders Security.
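    The two rules described in this post (and the blocked port-9999 connection logged in post 10) reduce to an ordered policy: allow the browser to reach 127.0.0.1:9050, then block everything else. What follows is an added example, not code from the thread, from Outpost or from any poster: a small Python model of that policy, evaluated over constructed connection attempts. The address 82.103.140.144 and port 9999 are the values quoted from the Outpost log above; the other attempts are hypothetical plugin behaviour. It shows that a plugin reaching a remote host on port 80, 443, 9999 or even 9050 is blocked, while the same rule set written without the localhost restriction (the case Jim worried about) lets the remote-9050 attempt through.

```python
"""Model of the browser firewall policy from the post above (added example).

Rule order matters: the 'Special Rule' that allows 127.0.0.1:9050 must come
before 'Browser Block Direct Access', which matches everything. Only TCP is
modelled; the sample attempts below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "block"
    remote_ip: Optional[str]    # None matches any remote address
    remote_port: Optional[int]  # None matches any remote port


# The two rules from the post, in the order they must be installed.
BROWSER_RULES: List[Rule] = [
    Rule("Special Rule", "allow", "127.0.0.1", 9050),
    Rule("Browser Block Direct Access", "block", None, None),
]

# The weaker variant: port 9050 allowed to ANY address, not just loopback.
WEAK_RULES: List[Rule] = [
    Rule("Allow 9050 anywhere", "allow", None, 9050),
    Rule("Browser Block Direct Access", "block", None, None),
]


def decide(rules: List[Rule], remote_ip: str, remote_port: int) -> Tuple[str, str]:
    """First matching rule wins; no match at all means block (fail closed)."""
    addr = ip_address(remote_ip)          # rejects malformed addresses early
    for rule in rules:
        if rule.remote_ip is not None and ip_address(rule.remote_ip) != addr:
            continue
        if rule.remote_port is not None and rule.remote_port != remote_port:
            continue
        return rule.action, rule.name
    return "block", "implicit deny"


# Constructed outbound attempts by Firefox.exe: (label, destination, port).
# 82.103.140.144 / 9999 are the values quoted from the Outpost log in post 10;
# the remaining rows are hypothetical plugin behaviour.
ATTEMPTS = [
    ("Tor SOCKS request",          "127.0.0.1",      9050),
    ("Flash XMLSocket to site",    "82.103.140.144", 9999),
    ("Java applet direct HTTP",    "82.103.140.144", 80),
    ("Java applet direct HTTPS",   "82.103.140.144", 443),
    ("Flash aimed at remote 9050", "82.103.140.144", 9050),
]


def audit(rules: List[Rule]) -> Dict[str, str]:
    """Map each attempt's label to the action the rule set takes on it."""
    return {label: decide(rules, ip, port)[0] for label, ip, port in ATTEMPTS}


def leaks(rules: List[Rule]) -> List[str]:
    """Attempts that reach a non-loopback address: each one is a proxy bypass."""
    return [label for label, ip, port in ATTEMPTS
            if not ip_address(ip).is_loopback
            and decide(rules, ip, port)[0] == "allow"]


if __name__ == "__main__":
    for name, rules in (("strict", BROWSER_RULES), ("weak", WEAK_RULES)):
        print(name, audit(rules), "leaks:", leaks(rules))
```

    The model only covers TCP; a real rule set for the browser also has to deny direct UDP (DNS) so that name lookups go through the SOCKS port as well.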
     
  14. phkhgh

    phkhgh Registered Member

    Joined:
    Aug 17, 2007
    Posts:
    186
    Thanks Steve & all others for your work on this.
    I'm printing this out & will read it, oh, a dozen times, before I understand it all.

    Still didn't get an answer - what method are people using to see if a particular site is seeing their true IP or a Tor IP?

    And I still wonder if everything is not configured "just right", if a site can see your real IP, then logically wouldn't your ISP also be able to, even though you are using Tor?
     
  15. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    That "particular site" and all others out there can't see our true IP (behind Tor) if we block all plugins from being executed in the first place.

    The only way they can find out your true IP is by running threatening scripts that are actually bypassing and ignoring the browser settings. It depends on using the correct code to do that. Most of the internet tests out there can't find your true IP, because the webmasters don't know the correct code, described here on this thread.

    Of course the most fanatics and paranoids (and not smart) will say: "Never allow any sites to run scripts", but that's not the answer and final solution for this problem. If we do that, we can't use most of sites out there. It's better to stay on a bunker, instead of live like that.

    Everyone should be entitled to run any scripts, but at the same time, take the correct measures to prevent them from harming the browser and leaking their true IP. And the only way we can do that is not by blocking them, but prevent them from working.

    We need to configure our firewall to avoid these attempts. And if you take time to read this whole thread, you will see I finally did that, with that correct set of rules. Unless there's another way to leak the true IP that I am not aware of.

    That being said, I am finally protected against any attempts to leak my true IP.

    Considering that Firefox was not designed to make only proxy connections, my firewall is my only friend here.

    Then, I will say this again:

    - Use the correct set of rules on your firewall (see above what are the required rules).

    - Never turn off your firewall while you're using XeroBank browser (free version), relying on Tor network. Unless you want to leak your true IP.


    Regarding Tor and ISPs, please read all the following threads:

    ISP question - regarding anonymous browser

    How do ISPs keep track of where we visit?

    Privacy and your ISP

    Can my ISP read & log CONTENT coming back from Tor servers?
     
  16. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    If you are using xB Browser or Firefox with Vidalia, Privoxy and NoScript (with scripts blocked), then a website would not be able to trick you into revealing your true IP. But if you allow Java, then there is a way. Jim posted a couple of links that a guy created just to show that it is possible. They are just a test and are not a special utility.....like you were asking.

    Get a VPN like xerobank VPN and you can use all of the Java and Flash that you want.....at high speed, and never worry about anyone seeing your true IP.
     
  17. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    caspian, just to be fair, you have quoted Java, but the major threat here should be Flash.

    Since Java is a separate program, it can be configured to never use the browser settings. Flash doesn't have any control panel.

    You see, the minute I have configured Java to perform proxy connections, even by allowing Java on Xerobank/Firefox browser, that hackers test showed my Tor IP twice.

    I can't do the same thing about Flash.

    That Java test tries to connect your browser using the remote port 80 (default port for HTTP). Perhaps this is the default port used by the browser, or Java. I don't know.

    All I know is that your firewall can prevent the file Firefox.exe from connecting using all remote ports, including 9050 (Firefox only uses this port when it comes to Tor network).

    That firewall rule is allowing the use of only one remote port - 9050 - but instead of allowing the leakage of your IP through a remote address like hackers.org or WildersSecurity.org (replace the domains with IP numbers), it only allows the use of this port if the remote address is localhost/127.0.0.1.
     
  18. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    I am just here to say that, after I installed the last Outpost Firewall Pro 4 version, 4.0.1025.7828 (700), the results are very good. So far, this firewall is listing more blocked connections than before. I tried OP 2008 but it was so bad and ugly that I removed it.

    And when I tried OP 2008, it was asking me questions that should never ask. In the end, it was ignoring my previous settings even if they were so obvious.

    OP 4 (the last version) is great.

    My last blocked entries (as you can see, nothing is escaping from OP).

    I am saying this because, even if Java and Flash were restricted, I guess maybe there was another way to make direct connections, who knows?

     
  19. phillip559

    phillip559 Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    20
    My NoScript saved me as it said I had JavaScript turned off.

    However, when I tried after allowing the top domain ckers.org it kept freezing my firefox.

    I did not try it with xb browser.

    Sooo, if we allow the top domain does this allow the java exploit?

    I'm assuming that unless you have "apply to trusted sites too", it would affect you upon allowing the top domain.

    I couldn't test this because it froze each time.
     
  20. Host One

    Host One Registered Member

    Joined:
    Jan 15, 2008
    Posts:
    11
    I've also had issues with Tor and proxies allowing my IP to "leak" out. I turned to an SSH tunnel; it works better, and no IP issues.
     
  21. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    Are you using the XeroBank VPN?
     
  22. MakePB

    MakePB Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    85
    Location:
    Find-IP-Address.org
    I do not know if I have missed something here or not, but using Java to bypass proxy settings, in combination with JavaScript or not, and show your real IP address is nothing new and has been well known for years.
    Because of that, any anonymity site advises users to disable Java or JavaScript for maximum security.
    These 2 Java technique tests to retrieve your real IP address are 6 years old:

    http://www.proxyblind.org/javaip.shtml
    http://www.proxyblind.org/javaipp.shtml


    Testing on site http://ha.ckers.org/weird/tor.cgi
    ended every time with
    Your real IP is: Loading... (takes several seconds)
     
  23. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    None of these links are able to reveal my true IP.
     
  24. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    Some explanations from the member Paranoid2000 that fits this thread:

    This is correct.

    "Real IP" addresses can only be leaked if the software is actually aware of them - since many users are on broadband with NAT (Network Address Translation - used for sharing a connection between multiple PCs) routers, their computers will not have a "Real" IP address but a private one (typically in the 192.168.x.x range) instead.

    Programs do not have to include a return IP address themselves since it is included in every packet sent and due to the use of private IP addresses (that then get modified on-the-fly by NAT routers), most won't be aware of the "real" IP address.

    It doesn't in most cases - all that a VPN offers is an encrypted connection to a proxy. The encryption means that the connection itself should be safe from eavesdropping, hence the "virtual private" title. Some VPN software handle this by creating a "virtual network interface" in Windows (one way to ensure that all traffic goes through it) but there is no "forgetting an IP address" involved here - the computer will still have an internal IP and an external one.

    Programs not designed with proxies cannot be used with proxies as a general rule - the one exception is with SOCKS proxy software which is designed to accommodate any network communication (the program in question has to be "SOCKSified" first by being run via software like SocksCap/FreeCap in Windows).

    ActiveX and Java applets can be used to bypass a proxy by attempting to connect directly to the site concerned. This can be blocked using a personal firewall (specifically one configured to allow your browser Internet access via the proxy only) as well as by filtering web pages, only allowing Java/ActiveX from sites that you really trusted (ActiveX can and really should be blocked completely).

    I have not been able to find any way to do this with Javascript alone so this can be allowed if your only concern is with breaking anonymity - Javascript has plenty of other scope for abuse though, and is best blocked by default.


    *****

    About leaking true IPs, one thing that I discovered recently was that it's possible to load a video using Windows Media Player (attention: I am not talking about Flash/YouTube videos) using xB browser, or a Real Media file (.rm). And in both cases, we can't make Windows Media Player use Tor settings like we do with Java/JavaScript and Flash.

    So, in both cases (normal video files and RM streams), we can't make them send and receive all information anonymously, since these programs (not the browser!) don't have any way to use proxy settings.

    It's possible to load these streams using any browser, and when you do that, you are leaking your true IP. In case of Java/Javascript/Flash, the techniques described on this thread (specific firewall rules) are enough to block these attempts.
     
  25. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Re: De-anonymizing Tor and Detecting Proxies

    You should be able to anonymise WMP (or any other application) by "socksifying" it regardless of its lack of proxy support.

    However video-streaming (whatever the format) is very bandwidth intensive compared to typical web access (I've blocked access to YouTube's streaming servers on my Tor node due to this) - anyone wishing to anonymise such traffic really should consider a commercial service.
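    "SOCKSifying" an application (the SocksCap/FreeCap approach quoted in post 24 and recommended here for WMP) means its plain TCP connects are rewritten into SOCKS requests to the local Tor port, which on this page is 127.0.0.1:9050. What follows is an added example, not code from the thread, from SocksCap/FreeCap or from Tor: a minimal SOCKS5 CONNECT handshake in Python, built and parsed offline against constructed reply bytes. Hostnames are sent unresolved (address type 0x03) so that Tor resolves them; an application that resolves the name itself before connecting sends a DNS query outside the tunnel, which is the same kind of leak this thread is about. `open_via_tor` performs the live handshake and assumes a Tor SOCKS listener on 127.0.0.1:9050; it is not exercised offline.

```python
"""Minimal SOCKS5 CONNECT handshake (RFC 1928), as used to 'socksify' a program.
Added example. The only assumption taken from the thread is Tor listening on
127.0.0.1:9050; the reply bytes below are constructed, not captured."""
import socket
import struct
from typing import Tuple

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
NO_AUTH = 0x00
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {
    0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
    3: "network unreachable", 4: "host unreachable", 5: "connection refused",
    6: "TTL expired", 7: "command not supported", 8: "address type not supported",
}


def method_request() -> bytes:
    """Greeting offering exactly one auth method: none (Tor's default on 9050)."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def connect_request(host: str, port: int) -> bytes:
    """Encode a CONNECT. Literal IPs go as ATYP 1/4; anything else is sent as a
    domain name (ATYP 3) so the proxy, not the client, does the DNS lookup."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    for family, atyp in ((socket.AF_INET, ATYP_IPV4), (socket.AF_INET6, ATYP_IPV6)):
        try:
            addr = socket.inet_pton(family, host)
            break
        except (OSError, ValueError):
            continue
    else:
        raw = host.encode("idna")
        if not 1 <= len(raw) <= 255:
            raise ValueError("hostname must be 1..255 bytes")
        atyp, addr = ATYP_DOMAIN, bytes([len(raw)]) + raw
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, atyp]) + addr + struct.pack("!H", port)


def parse_reply(data: bytes) -> Tuple[str, str, int]:
    """Parse the server's CONNECT reply into (status text, bound address, bound port).
    Length is checked before any decoding so a truncated reply raises cleanly."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        alen = 4
    elif atyp == ATYP_IPV6:
        alen = 16
    elif atyp == ATYP_DOMAIN:
        if len(data) < 5:
            raise ValueError("truncated reply")
        alen = 1 + data[4]
    else:
        raise ValueError(f"unknown address type {atyp}")
    if len(data) < 6 + alen:
        raise ValueError("truncated reply")
    body = data[4:4 + alen]
    if atyp == ATYP_IPV4:
        bound = socket.inet_ntop(socket.AF_INET, body)
    elif atyp == ATYP_IPV6:
        bound = socket.inet_ntop(socket.AF_INET6, body)
    else:
        bound = body[1:].decode("idna")
    (bound_port,) = struct.unpack("!H", data[4 + alen:6 + alen])
    return REPLY_TEXT.get(rep, f"unknown ({rep})"), bound, bound_port


def open_via_tor(host: str, port: int, proxy=("127.0.0.1", 9050), timeout=30.0) -> socket.socket:
    """Live handshake against the Tor SOCKS port assumed above. Not run offline."""
    s = socket.create_connection(proxy, timeout=timeout)
    try:
        s.sendall(method_request())
        if s.recv(2) != bytes([SOCKS_VERSION, NO_AUTH]):
            raise ConnectionError("proxy refused the no-auth method")
        s.sendall(connect_request(host, port))
        status, _, _ = parse_reply(s.recv(262))   # max reply: 4 + 1 + 255 + 2 bytes
        if status != "succeeded":
            raise ConnectionError(f"SOCKS CONNECT failed: {status}")
    except Exception:
        s.close()
        raise
    return s


# Constructed replies of the shape a SOCKS5 server returns: success bound to
# 0.0.0.0:0, and a refusal.
SAMPLE_OK_REPLY = bytes([SOCKS_VERSION, 0x00, 0x00, ATYP_IPV4]) + b"\x00" * 6
SAMPLE_REFUSED_REPLY = bytes([SOCKS_VERSION, 0x05, 0x00, ATYP_IPV4]) + b"\x00" * 6

if __name__ == "__main__":
    print(connect_request("ha.ckers.org", 80).hex())
    print(parse_reply(SAMPLE_OK_REPLY), parse_reply(SAMPLE_REFUSED_REPLY)[0])
```

    Together with a firewall rule that lets the application talk only to 127.0.0.1:9050, this is the whole story for a TCP-only program; streaming players that also use UDP cannot be carried over SOCKS5 CONNECT at all, which is another reason the bandwidth caveat above matters.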
     