[tor-talk] Obtain real IP behind Tor transparent proxy; was: Operating system updates / software installation behind Tor Transparent Proxy

coderman coderman at gmail.com
Sat Mar 3 20:00:03 UTC 2012

On Sat, Mar 3, 2012 at 7:06 AM,  <proper at secure-mail.biz> wrote:
>... There are three ways to torify.
> Torified through http/socks-proxy settings and "about:config", certainly not. (DNS leaks depend on "about:config", which malware would not honor.)

this is prone to failure as you mention and easily compromised by
anything not honoring proxy settings. (which can be as trivial as a
crafted file path on windows)

> Torified through usewithtor? usewithtor ifconfig anyone? I don't know. It's probably a redirector, not a jail.

same as above. anything "Torified" via per-application or per-user
settings is vulnerable to these side steps, to a lesser or greater
degree depending on operating system, configured services, etc.

> Torified through TransPort and DnsPort... You can look into our setup. IP-forwarding is disabled, iptables default forward and input is drop, when Tor is disabled, no network connections
> are possible. Iptables redirects to TransPort and DnsPort. No leaks possible *.

this is not true. you also need to prevent any local subnet
communication in this mode to be fully protected. there are multiple
ways to bounce/reflect an attack off the local network to directly
obtain real public IP or leak origin to attacker.

this is why the old Tor VM docs explicitly stated "A robust
transparent Tor proxy implementation requires careful configuration of
the routing and filtering of traffic on both the host and guest OS
instances. Unfortunately Windows does not support /31 style
point-to-point links so a two host address /30 subnet is used."

> if SocksPort and DnsPort, which TorBOX heavily relies on, can be exploited, then it's also game over.

depends on how you setup networking to funnel traffic to these
transparent redirect ports.
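The local-subnet gap coderman describes, as an added example that is not part of this thread or of any Tor project documentation: a script that emits two iptables-restore rulesets for a single host running its own transparent proxy. Both redirect TCP SYNs to TransPort and UDP/53 to DNSPort, as the quoted setup does. The "weak" variant stops there, with INPUT and FORWARD at DROP but OUTPUT left at ACCEPT, so UDP, ICMP and raw-socket traffic to the LAN still leaves directly. The "hardened" variant adds default-deny egress, allows only loopback (where the redirected flows land after REDIRECT rewrites their destination) and the tor user, and drops RFC1918, link-local, multicast and broadcast destinations before the tor-user ACCEPT so that nothing can be bounced off the local network. The tor user name, port numbers and LAN prefix are assumptions; match them to your torrc and network. A gateway-VM setup would additionally need INPUT rules for the internal interface, which this example does not cover.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or the Tor project): transparent-proxy
# rulesets with and without the local-subnet drops. Defaults below are
# assumptions; override them from the environment.
set -eu

TOR_USER="${TOR_USER:-debian-tor}"   # assumed: user the tor daemon runs as
TRANS_PORT="${TRANS_PORT:-9040}"     # assumed TransPort from torrc
DNS_PORT="${DNS_PORT:-5353}"         # assumed DNSPort from torrc
LAN_NET="${LAN_NET:-192.168.1.0/24}" # assumed local subnet the host sits on

# Destinations that must never be reachable except through Tor. Any probe to
# these (unicast, broadcast or multicast) can be answered by a LAN host and
# tied to the real address.
NON_TOR_DESTS="$LAN_NET 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 224.0.0.0/4 255.255.255.255/32"

# nat table: the tor user's own traffic and loopback go out untouched,
# everything else is redirected into DNSPort / TransPort.
nat_table() {
  local variant="$1" d
  echo "*nat"
  echo ":PREROUTING ACCEPT [0:0]"
  echo ":OUTPUT ACCEPT [0:0]"
  echo "-A OUTPUT -m owner --uid-owner $TOR_USER -j RETURN"
  echo "-A OUTPUT -o lo -j RETURN"
  if [ "$variant" = hardened ]; then
    # Leave local-range destinations alone here so they fall through to the
    # filter table's DROP instead of being handed to Tor as private addresses.
    for d in $NON_TOR_DESTS; do
      echo "-A OUTPUT -d $d -j RETURN"
    done
  fi
  echo "-A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT"
  echo "-A OUTPUT -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT"
  echo "COMMIT"
}

# filter table: weak = egress wide open (the quoted description);
# hardened = default-deny egress with explicit local-range drops.
filter_table() {
  local variant="$1" d
  echo "*filter"
  echo ":INPUT DROP [0:0]"
  echo ":FORWARD DROP [0:0]"
  if [ "$variant" = hardened ]; then
    echo ":OUTPUT DROP [0:0]"
  else
    echo ":OUTPUT ACCEPT [0:0]"
  fi
  echo "-A INPUT -i lo -j ACCEPT"
  echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  if [ "$variant" = hardened ]; then
    # Redirected flows are now addressed to 127.0.0.1 and leave via lo.
    echo "-A OUTPUT -o lo -j ACCEPT"
    # Drops come before the tor-user ACCEPT, so not even the daemon itself
    # can be coaxed into talking to the LAN directly.
    for d in $NON_TOR_DESTS; do
      echo "-A OUTPUT -d $d -j DROP"
    done
    echo "-A OUTPUT -m owner --uid-owner $TOR_USER -j ACCEPT"
  fi
  echo "COMMIT"
}

# ruleset weak|hardened -> complete iptables-restore text on stdout
ruleset() {
  nat_table "$1"
  filter_table "$1"
}

# Returns 0 if the ruleset closes the local-subnet gap (default-deny egress
# plus an explicit DROP for the LAN prefix), 1 otherwise.
check_ruleset() {
  local rs
  rs="$(ruleset "$1")"
  if printf '%s\n' "$rs" | grep -q '^:OUTPUT DROP' \
     && printf '%s\n' "$rs" | grep -qF -- "-A OUTPUT -d $LAN_NET -j DROP"; then
    return 0
  fi
  return 1
}

# Usage: ./tor-transproxy-rules.sh hardened | sudo iptables-restore
if [ "${1:-}" = weak ] || [ "${1:-}" = hardened ]; then
  ruleset "$1"
fi
```

Note that with the hardened filter, a process that tries to reach a LAN host over UDP or ICMP simply gets no reply, while the weak variant lets that packet leave with the real source address; the nat RETURN rules for the same ranges keep Tor from ever seeing a private destination, which it would refuse anyway.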
