Detect Tor Exit doing sniffing by passively detecting unique DNS query (via HTML & PCAP parsing/viewing) #37
Comments
Thinking about it, it would be also possible to extend this concept to detect who does sniffing with tcpdump by saving traffic to a pcap, then reading it at a later stage without using "-n" parameters, triggering DNS reverse query on the IP address contained in the PCAP. By generating traffic destinated to a netblock, on which we are authoritative for reverse PTR DNS zone, we could get those dns query. A quick testing show tcpdump making DNS reverse query when reading a pcap without -n parameter: sniff some traffic to sux.pcaproot@demo:~# tcpdump -nvvv -s0 -w sux.pcap start logging dns query with another tcpdumproot@demo:~# tcpdump -nvvv -s0 port 53 & now read the pcap just savedroot@demo:~# tcpdump -r sux.pcap | head -4 We see that tcpdump make dns reverse query while reading the PCAP file, so that kind of DNS-based passive sniffing test could be extended also to detect this scenario. |
so, you are proposing to use lipcap to do that ? |
That's a good idea. One issue is that we won't be able to attribute sniffing to an exit. It could also be an upstream entity, but that's true for most exitmap modules. This idea will also require some glue code (e.g., to analyse the pcaps) to automate this experiment as much as possible; if we have to do stuff manually, nobody will run this continuously. I probably won't implement this myself in the near future, but I'm happy to review and merge code if anyone wants to tackle this. |
(Hopefully, one can reply to these via email and have them appear on Tangential to this, somewhat, I think even for "might be an upstream It's also a net win for "the Tor network" either way to BadExit such |
I think that a KISS principle for implementation is a must for early testing, that means "stateless" application that does a sequence of actions (triggering the tor-exit-testing, processing inbound dns query, sending an email alert at first to an internal email alias). It could maybe be "prototyped" with some shel scripting or maybe minor tor exit-map tweaking. INFRASTRUCTURE
SOFTWARE
That way it could be possible to make a relatively quick prototype, without writing python application code (that's my analysis because i'm a unix man, scripter, definitively not a skilled coder!) |
Usage of DNSPot (https://github.com/jekil/UDPot) would be a nice way to log inbound DNS query, instead of a full DNS Server with log parsing: |
This ticket is to detect Tor Exit doing sniffing by passively detecting HTML link/url/js/css parsers & viewer by unique DNS.
The idea is to generate HTML content over HTTP that contain in several tags (link, url, js, css, image inclusion, etc) URIs that point to a specific DNS entry, done for that specific Tor exit, that if loaded will enable to detect passively a sniffer.
The idea is that a sniffer, after it store the data, will have some piece of software processing it automatically and/or at a later stage a viewer component of a sniffer software that will enable the "sniffer operators" looking at the "sniffed data" to see an offline copy of the traffic.
If the software processing the sniffed data with HTML content or the viewer will try to load any external resources, not present in the traffic sniffed, it will trigger a DNS request.
A sub-domain with a wildcard such as *.testme.domain.org could be configured so that all requests will go that specific DNS where a DNS server with logging (or some custom Twisted DNS server code) is enabled.
When scanning Tor exit with fingerprint XXXX1234, all the URIs included in the HTML content being transmitted could be XXXX1234.testme.domain.org .
Whenever a dns resolution query would come to XXXX1234.testme.domain.org is surely because some piece of software sniffed traffic on Tor Exit XXXX1234 and then processed it.
The DNS hostname used, could also include a "timestamp" to know when it has been sniffed, and by looking and timestamp when the DNS query has been received it's possible to know when the HTML content has been processed and/or viewed.
HTML content could be transported also over other protocols, such as POP3/IMAP with RFC822/MIME format or FTP by downloading and/or uploading an HTML file somewhere.
The text was updated successfully, but these errors were encountered: