H D Moore
fdlist at digitaloffense.net
Tue Jun 27 16:54:06 BST 2006
If your real internal and external NAT addresses did not appear when using
a proxy, either the Java applet did not load or a race condition failed.
From browsing the database backend, it looks like just over 1,000 people
were successfully identified (internal + nat gw + external + dns). The
database is wiped every 24 hours.
The 'trick' is to obtain this information regardless of proxy settings
and in the case of SOCKS4, be able to identify your real DNS servers.
This is accomplished using a custom DNS service along with a Java applet
that abuses the DatagramSocket/GetByName APIs to bypass any configured
proxy. The source code of the applet is online as well:
There are a handful of other ways to obtain a user's real IP address - you
can embed a link to a SMB service over a UNC path, start up another
application via file attachments (PDF, with embedded JS, etc), or abuse
any other network-aware app that is launched by the browser.
obtain this information that doesn't notify the user that something
strange is happening. A great use of this code would be to track down the
real source of a malicious request being routed through a TOR exit node.
Take this a step further by adding smart filtering and injection code to
the TOR client itself and you have a solution for detecting and reporting
"bad" traffic that happens to exit through your node (attempted server
exploitation, pornography not involving adults, etc). My current
implementation uses an embedded ruby interpreter and a set of ruby modules
to perform the protocol detection and filtering.
Thanks for testing!
On Monday 26 June 2006 20:07, H D Moore wrote:
> A fun browser toy that depends on Java for complete results:
> - http://metasploit.com/research/misc/decloak/
Full-Disclosure is hosted and sponsored by Secunia.