Re: Metasploit Decloak Project v2

2008-12-15 Thread Praedor Atrebates
It works against me running linux, tor, and using firefox IF I elect to open 
the document directly via Openoffice.  

praedor

On Sunday 14 December 2008 21:08:45 Freemor wrote:
 On Sun, 14 Dec 2008 18:57:18 -0600

 Roc Admin onionrou...@gmail.com wrote:
  I just noticed that HDMoore re-released his decloak engine.
 
  http://metasploit.com/data/decloak
 
  He's improved some of the attacks from before like java, flash, and
  DNS in pretty interesting ways.  There's also a test for Microsoft
  Office documents which I thought was interesting.  From the page:
 
   When Microsoft Office is installed and configured to automatically open
   documents, a file can be returned which automatically downloads an
   image from the internet. This can bypass proxy settings and expose
   the real DNS servers of the user.
 
  It doesn't seem like there are any new attack vectors but I wanted to
  pass it along to see if anyone had comments.
 
  -ROC Tor Admin

 Well I must be doing something right...
 the only IP it showed for me was:

 External Address  204.13.236.244

 All the rest showed as unknown, and the above is definitely not my IP.

 Still good to have something to test my config against tho.

-- 
Moral indignation is jealousy with a halo.
--H.G. Wells




Re: Metasploit Decloak Project v2

2008-12-15 Thread Harry Hoffman
Interesting, it works with Open Office on Linux revealing the true ip
addr.

There's an option in OO to use a proxy; it was set to system at the time,
and I tried just using foxyproxy.

But yeah, like someone else mentioned, using iptables to redirect all
attempts so that you don't have to worry about an app misbehaving is a
good idea.

Cheers,
Harry


On Sun, 2008-12-14 at 19:26 -0600, H D Moore wrote:
 On Sunday 14 December 2008, Roc Admin wrote:
  It doesn't seem like there are any new attack vectors but I wanted to
  pass it along to see if anyone had comments.
 
 I am looking for feedback as well -- right now, the reporting side is 
 pretty weak, but that should improve this evening. Roger pointed me at the 
 torbutton design notes, so I will continue adding coverage/techniques 
 there. This test should work on all browsers regardless of security 
 settings or scripting. No test requires javascript, which should give an 
 accurate view for folks who run noscript/torbutton. My own testing with 
 torbutton shows it to be really solid (only tor exit and tor exit's DNS 
 servers show up).
 
 -HD



Metasploit Decloak Project v2

2008-12-14 Thread Roc Admin
I just noticed that HDMoore re-released his decloak engine.

http://metasploit.com/data/decloak

He's improved some of the attacks from before like java, flash, and DNS in
pretty interesting ways.  There's also a test for Microsoft Office documents
which I thought was interesting.  From the page:

 When Microsoft Office is installed and configured to automatically open
 documents, a file can be returned which automatically downloads an image
 from the internet. This can bypass proxy settings and expose the real DNS
 servers of the user.


It doesn't seem like there are any new attack vectors but I wanted to pass
it along to see if anyone had comments.

-ROC Tor Admin


Re: Metasploit Decloak Project v2

2008-12-14 Thread H D Moore
On Sunday 14 December 2008, Roc Admin wrote:
 It doesn't seem like there are any new attack vectors but I wanted to
 pass it along to see if anyone had comments.

I am looking for feedback as well -- right now, the reporting side is 
pretty weak, but that should improve this evening. Roger pointed me at the 
torbutton design notes, so I will continue adding coverage/techniques 
there. This test should work on all browsers regardless of security 
settings or scripting. No test requires javascript, which should give an 
accurate view for folks who run noscript/torbutton. My own testing with 
torbutton shows it to be really solid (only tor exit and tor exit's DNS 
servers show up).

-HD


Re: Metasploit Decloak Project v2

2008-12-14 Thread Jon

Roc Admin wrote:
 I just noticed that HDMoore re-released his decloak engine.

 http://metasploit.com/data/decloak

 He's improved some of the attacks from before like java, flash, and
 DNS in pretty interesting ways.  There's also a test for Microsoft
 Office documents which I thought was interesting.  From the page:

 When Microsoft Office is installed and configured to
 automatically open documents, a file can be returned which
 automatically downloads an image from the internet. This can
 bypass proxy settings and expose the real DNS servers of the user.


 It doesn't seem like there are any new attack vectors but I wanted
 to pass it along to see if anyone had comments.

 -ROC Tor Admin
Seems the way to guard against this is to reconfigure the DNS lookup
to execute via tor at a system level.  Easily done with the network
configuration tools of Windows and Linux flavors.

Jon-
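
A system-level version of the mitigation Harry and Jon describe (every DNS lookup and TCP connection forced through Tor with iptables, so an application that ignores its proxy settings cannot reach the network directly), as an added example that is not from this thread or from the decloak project; the tor uid (106) and the TransPort/DNSPort numbers (9040/5353) are assumptions that must match your tor user and torrc.

```shell
#!/bin/sh
# Added example, not code from the thread or from Metasploit. Emits the
# iptables commands as text so they can be reviewed before being applied,
# e.g.: tor_transproxy_rules "$(id -u debian-tor)" 9040 5353 | sudo sh
# The uid and ports passed in are assumptions; match them to your system.
tor_transproxy_rules() {
    tor_uid=$1 trans_port=$2 dns_port=$3
    cat <<EOF
# nat table: tor's own traffic and loopback pass untouched
iptables -t nat -A OUTPUT -m owner --uid-owner $tor_uid -j RETURN
iptables -t nat -A OUTPUT -o lo -j RETURN
# every UDP DNS query goes to tor's DNSPort instead of the real resolver
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports $dns_port
# every new TCP connection goes to tor's TransPort
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $trans_port
# filter table: anything that escaped the redirects is rejected, not leaked
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $tor_uid -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -j REJECT
EOF
}

# Read resolv.conf-style text on stdin and print every nameserver that is
# not loopback; once the system resolves through tor's DNSPort this should
# print nothing. Usage: resolv_leak_check < /etc/resolv.conf
resolv_leak_check() {
    awk '$1 == "nameserver" && $2 !~ /^127\./ && $2 != "::1" { print $2 }'
}

# Dry run with a constructed uid and the assumed torrc ports
tor_transproxy_rules 106 9040 5353
```

The rules assume torrc contains matching `TransPort 9040` and `DNSPort 5353` lines and that /etc/resolv.conf points at 127.0.0.1; leave the ESTABLISHED/RELATED rule in place or tor's own replies will be rejected.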



Re: Metasploit Decloak Project v2

2008-12-14 Thread Freemor
On Sun, 14 Dec 2008 18:57:18 -0600
Roc Admin onionrou...@gmail.com wrote:

 I just noticed that HDMoore re-released his decloak engine.
 
 http://metasploit.com/data/decloak
 
 He's improved some of the attacks from before like java, flash, and
 DNS in pretty interesting ways.  There's also a test for Microsoft
 Office documents which I thought was interesting.  From the page:
 
  When Microsoft Office is installed and configured to automatically open
  documents, a file can be returned which automatically downloads an
  image from the internet. This can bypass proxy settings and expose
  the real DNS servers of the user.
 
 
 It doesn't seem like there are any new attack vectors but I wanted to
 pass it along to see if anyone had comments.
 
 -ROC Tor Admin

Well I must be doing something right... 
the only IP it showed for me was:

External Address  204.13.236.244

All the rest showed as unknown, and the above is definitely not my IP.

Still good to have something to test my config against tho.
 
-- 
free...@gmail.com
free...@yahoo.ca

This e-mail has been digitally signed with GnuPG - ( http://gnupg.org/ )




Re: Metasploit Decloak Project v2

2008-12-14 Thread H D Moore
On Sunday 14 December 2008, Roc Admin wrote:
 It doesn't seem like there are any new attack vectors but I wanted to
 pass it along to see if anyone had comments.

Added iTunes (itms://) and made the Office test much more useful. Torbutton 
asks the user to confirm itms:// URLs before launching, at least.

-HD


Re: Metasploit Decloak Project v2

2008-12-14 Thread phobos
On Sun, Dec 14, 2008 at 07:26:43PM -0600, tors...@metasploit.com wrote 0.7K 
bytes in 14 lines about:
: accurate view for folks who run noscript/torbutton. My own testing with 
: torbutton shows it to be really solid (only tor exit and tor exit's DNS 
: servers show up).

My default browser config only shows the same; tor exit and tor dns
servers show up.

-- 
Andrew