Full Disclosure mailing list archives

Re: UnAnonymizer


From: H D Moore <fdlist () digitaloffense net>
Date: Tue, 27 Jun 2006 10:54:06 -0500

If your real internal and external NAT addresses did not appear when using 
a proxy, either the Java applet did not load or a race condition failed. 
From browsing the database backend, it looks like just over 1,000 people 
were successfully identified (internal + nat gw + external + dns). The 
database is wiped every 24 hours.

The 'trick' is to obtain this information regardless of proxy settings 
and in the case of SOCKS4, be able to identify your real DNS servers. 
This is accomplished using a custom DNS service along with a Java applet 
that abuses the DatagramSocket/GetByName APIs to bypass any configured 
proxy. The source code of the applet is online as well:
- http://metasploit.com/research/misc/decloak/HelloWorld.java

There are a handful of other ways to obtain a user's real IP address - you 
can embed a link to a SMB service over a UNC path, start up another 
application via file attachments (PDF, with embedded JS, etc), or abuse 
any other network-aware app that is launched by the browser.

The goal of the "decloak" code is to provide a javascript-friendly way to 
obtain this information that doesn't notify the user that something 
strange is happening. A great use of this code would be to track down the 
real source of a malicious request being routed through a TOR exit node. 

Take this a step further by adding smart filtering and injection code to 
the TOR client itself and you have a solution for detecting and reporting 
"bad" traffic that happens to exit through your node (attempted server 
exploitation, pornography not involving adults, etc). My current 
implementation uses an embedded ruby interpreter and a set of ruby modules 
to perform the protocol detection and filtering.

Thanks for testing!

-HD

On Monday 26 June 2006 20:07, H D Moore wrote:
> A fun browser toy that depends on Java for complete results:
> - http://metasploit.com/research/misc/decloak/
>
> -HD

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
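From the defender's side, the bypass described above (an applet opening its own UDP socket or doing its own name lookups instead of going through the configured proxy) shows up at the egress firewall as a workstation talking to the outside directly. The following is an added example, not code from the post or from the decloak project; the log format, the 10.0.0.0/8 LAN, the proxy and resolver addresses and the proxy-only policy are all constructed.

```python
"""Flag workstation flows that go around the egress proxy, the way an applet
using a raw DatagramSocket or its own name lookups would.  Added example, not
code from the original post; log format, addresses and policy are constructed."""
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed LAN; proxy 10.0.0.5 lives here
INTERNAL_DNS = {"10.0.0.2"}                            # assumed sanctioned resolvers

def parse_flow(line):
    """Parse a constructed egress record '<src> -> <dst> <proto>/<dport>'."""
    src, _, rest = line.partition(" -> ")
    dst, proto_port = rest.split()
    proto, dport = proto_port.split("/")
    return src.strip(), dst, proto.lower(), int(dport)

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def classify(src, dst, proto, dport):
    """Return a finding label, or None when the flow fits the proxy-only policy."""
    is_dns = proto == "udp" and dport == 53
    if is_internal(dst):
        if is_dns and dst not in INTERNAL_DNS:
            return "dns-to-unexpected-resolver"    # a rogue/other internal resolver
        return None                                # proxy, sanctioned resolver, LAN traffic
    if is_dns:
        return "dns-leak"                          # lookup went straight out, past SOCKS4
    return "proxy-bypass"                          # any other direct external connection

def find_bypasses(lines):
    findings = []
    for line in lines:
        src, dst, proto, dport = parse_flow(line)
        verdict = classify(src, dst, proto, dport)
        if verdict:
            findings.append((src, dst, dport, verdict))
    return findings

# Constructed sample: a proxied HTTP flow, a sanctioned DNS query, a DNS query
# leaking to an external resolver, and a direct outbound TCP connection.
SAMPLE_LOG = [
    "10.1.2.3 -> 10.0.0.5 tcp/3128",
    "10.1.2.3 -> 10.0.0.2 udp/53",
    "10.1.2.3 -> 198.51.100.7 udp/53",
    "10.1.2.3 -> 203.0.113.9 tcp/80",
]
```

The two flagged flows are exactly the ones a proxy-only egress rule should have dropped; blocking them at the perimeter is what stops the internal and NAT addresses from being correlated by an outside DNS service.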

