new leaktest available : Ghost v1.0

Hi there,

I release in a kind of "beta test" my new leaktest "Ghost".
In fact, my website ( http://firewallleaktester.webhop.net ) had a major update which is waiting your feedback first about "Ghost" leaktest before i put it online.
When all will be ok with "Ghost", i will add it to my site in same time of all others update (including new leaktests results).

Ghost beta test version available here :
http://perso.wanadoo.fr/jugesoftware/Ghost.exe
MD5 : D5F8069EEDC4AA75EE0F001D517DE972

I would want your input about it, if you think something need to be improved or explained, as well as of course results you can see with your firewall.

How it works ?
In a very simple way.
First step, It just call directly Internet Explorer, in the same way that the "test 2" from Wallbreaker or Tooleaky does, and which is seen by firewalls i evaluated.
Second Step, the "secret" , is that since firewall reacts to events, if you are quicker and can "disapears" you can put them in trouble to locate the source.
This is why "Ghost" rerun itself, modifying by the way his PID.

Ghost just reach one page, but by doing multiple time this trick, i was able to transmit data through firewalls whereas they were able to block it if done normally.

So i would want to know what do you think about it, and if it works on any OS (was tested on win98/Millenium/Win2000/XP) and if you think it's ready to add it to the site and release it officialy (not as beta test version).

Thanks you

EDIT : to test it, you have to give full access to IE and see what happens.

 

It hasn't leaked on Win2k with Sygate 5.5 or Outpost 2. If you put IE in trusted applications it will leak in both. Component control made no difference.

 

you have too

For understand why, you just have to know that when IE is fully trusted, direct access are nevertheless blocked (ex : "Tooleaky" leaktest).

So apparently Sygate Pro 5.5 and Outpost Pro v2 fails "Ghost", that was i found too, but let's wait more results.

thanks you for your testing.

 

I tried it with ZAP 4.5, with Internet Explorer given access to the internet and network. ZAP sees internet explorer trying to use internet explorer to connect to the network, and the page doesn't load. It does not see the application Ghost, though.

 

Hmm, strange, on my comp ZA PRo 4.5 see ghost.exe trying to launch
iexplore.exe, that made me thinking that ZA passes it.

I didn't well understand your sentence, even with IE having full access ZA block without seeing Ghost so without reason ?

 

No it did not see Ghost - maybe our settings are different in some way.

 

can you recall me your OS please ?
And btw your CPU speed.

thanks you

(i attached what i see on my comp)

 

Never mind, when I saved the file on my hard drive, ZAP sees Ghost and stops it. Our results are the same, then.

 

So if i understood right, ZA saw it the first time and then you blocked it definitly, and now ZA just block IE to open without saying it is coming from Ghost ?

Sorry i have difficulties to understand it's pretty late where i live

 

When I just opened the file from your link, ZAP stops the page from loading, but it doesn't see Ghost.

When I save the file on my hard drive and run it, ZAP stops the page from loading AND sees Ghost.

 

ok so ZA passes Ghost, thanks you

 

It is good to standardize testing, especially when detecting certain features, but how many actually run IE as trusted? Now that itself is a risk

 

You're welcome. Have you tested this with Norton Personal Firewall? If you haven't, I have that on the downstairs computer, and can later give you results. Do you want results with automatic configuration of Internet Explorer?

 

Of course i would be intesrested too.
As for any firewall i am evaluating i have already results on my side but they need to be checked by other people just in case

I think that the result with automatic configuration or full access for IE will lead to the same result for NPF _2004_

 

@mraka

of course in normal circumstances you should restrict your applications

 

to sume up :

no stability issue or any other pb on Win 98 / Millenium / Win 2000 / Win XP.

from here :
passed by : ZA Pro 4.5
failed by : Sygate Pro 5.5, Outpost Pro 2.0

from my tests :
passed by : ZA Pro 4.5, NPF 2004
failed by : Sygate Pro 5.5, Outpost Pro 2, Look'n'Stop 2.05b1, Kerio 4.0.8

Is anyone else can check results ?
(mvdu for example about NPF)

About how "Ghost" works, i will just add that in addition of the two steps i gave, when you click on "try" it creates an internal thread giving him the highest priority possible in windows (critical priority), and push code into it, to ensure to be the fastest possible.
"Ghost" leaktest is in fact more a "timing attack" than a complex trick.


If you think that all results are good, that there is no pb, and you have or haven't any comments, please tell me.

If no one see any pb with Ghost, i could update my site with Ghost and all the stuff currently waiting, i'm just waiting for you, i can't update it by adding a leaktest that makes computer to crash for example

Thanks you

 

Just tested with NPF, and got the same result - it passes Ghost.

 

that was i found too, NPF and ZA passes it and other failes it.

EDIT : Ghost in fact tests where firewall system "hooks" are put,
if they are put too late in the application calling processus, they will missed Ghost.

 

With "out of the box" settings, NPF passes it but not ZA, right ?

 

ok, website updated, i quote the "news" page here :

Of course if you encounter any issue with Ghost, feel free to post it here.

I hope you will like all the new stuff, and that some people will find help on it.

regards,

gkweb.

 

Under my test, the latest version of Kerio, 4.0.10, passes Ghost. Internet Explorer has access to the internet and network.

 

email me for i can keep record and redo test, thx

EDIT : only enable the "network security" under kerio and disable all other, including "system security" which is application monitoring.

 

Look & Stop didn't stop it with default settings

con

 

I don't think that should be disabled. Because it just watches for modifications like ZAP does with component control.

 

i just redo test with 4.0.10 and it fails it.

The reason for what it should be disable is that intrusion detection and web filtering feature has nothing to do with leaktests.
In addition, if you want i even can create an executable for you, with "system security" enabled Kerio just check when an access is done, not an internet access, it has been discussed with you in another thread.

From the Kerio help :

about "system security" of course.

EDIT : And so, if it's only component related like you said, how can it detect Ghost whereas it doens't modify/inject any components ?