#20348: cyberoam assists bloody dictatorships.
-----------------------------------------+-------------------------
 Reporter:  dcf                           |          Owner:
     Type:  project                       |         Status:  closed
 Priority:  Medium                        |      Milestone:
Component:  Metrics/Censorship analysis   |        Version:
 Severity:  Normal                        |     Resolution:  invalid
 Keywords:  censorship block kz           |  Actual Points:
Parent ID:                                |         Points:
 Reviewer:                                |        Sponsor:
-----------------------------------------+-------------------------
Comment (by dcf):

Replying to [comment:159 dcf]:
> Replying to [comment:156 cypherpunks]:
> > Redirect generated by KZ box for blocked site:
> > https://paste.debian.net/plainh/39d8508f
> > (can't paste here for spam filter block)
> > {{{
> HTTP/1.1 302 Found\r\n
> Content-Length: 210\r\n
> Location: http://92.63.88.128/?NTDzLZ\r\n
> Content-Type: text/html; charset=UTF-8\r\n
> \r\n
> <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">\n
> <TITLE>302 Found</TITLE></HEAD><BODY>\n
> <H1>302 Found</H1>\n
> The document has moved\n
> <A HREF="http://92.63.88.128/?NTDzLZ">here</A>\n
> </BODY></HTML>\r\n
> \r\n
> }}}

tl;dr: Nmap identifies a host with this signature as a Netgear wireless access point, by sending an HTTP request without a Host header. What do you see when you send `GET / HTTP/1.0\r\n\r\n` to the server that sent you this response?

I ran [[attachment:grepsonar.go|a program]] to search [https://scans.io/study/sonar.http Project Sonar] scans of port 80 (I used 20160830-http.gz) for the HTTP signatures in comment:149 and comment:159. The signature in comment:159 has many many matches, redirecting to various URLs, mostly under subdomains of telcom.co.id, but also afrihost.com, 2090000.ru. Many of them are offline or have changed signature now, but by trying a few at random I found one that worked.

{{{
$ nmap -Pn -sV -p 80 37.192.17.117

Starting Nmap 7.31 ( https://nmap.org ) at 2016-12-17 17:48 PST
Nmap scan report for l37-192-17-117.novotelecom.ru (37.192.17.117)
Host is up (0.26s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    uhttpd 1.0.0 (Netgear WNDRMACv2 WAP http config)
Service Info: Device: WAP; CPE: cpe:/h:netgear:wndrmacv2
}}}

Nmap found this result using its `GetRequest` probe, which is just `GET / HTTP/1.0\r\n\r\n` and doesn't include a Host header.
Indeed, if I probe it manually with a Host header, I get a similar 302 as in comment:159, but without a Host header I get a 401 with `Server: uhttpd/1.0.0` (note: doesn't seem to be the [https://wiki.openwrt.org/doc/howto/http.uhttpd uHTTPd] from OpenWRT).

{{{
$ echo $'GET / HTTP/1.0\r\nHost: 37.192.17.117\r\n\r\n' | ncat 37.192.17.117 80
HTTP/1.1 302 Found
Content-Length: 202
Location: http://0.2090000.ru
Content-Type: text/html; charset=UTF-8

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Found</TITLE></HEAD><BODY>
<H1>302 Found</H1>
The document has moved
<A HREF="http://0.2090000.ru">here</A>
</BODY></HTML>

$ echo $'GET / HTTP/1.0\r\n\r\n' | ncat 37.192.17.117 80
HTTP/1.0 401 Unauthorized
Server: uhttpd/1.0.0
Date: Sun, 18 Dec 2016 01:41:43 GMT
WWW-Authenticate: Basic realm="NETGEAR WNDRMACv2"
Content-Type: text/html; charset="UTF-8"
Connection: close

<HTML><HEAD><META http-equiv='Pragma' content='no-cache'><META http-equiv ='Cache-Control' content='no-cache'><TITLE> 401 Authorization</TITLE>
<script language=javascript type=text/javascript>
function cancelevent() { location.href='/unauth.cgi'; }
</script>
</HEAD><BODY onload=cancelevent()></BODY></HTML>
}}}

I tried a bunch of the other IP addresses (about 200), but this is the only one I found that was still live and matched the `302 Found` signature. Perhaps this is an instance of client-side censorship, where the ISP has loaded a blocklist onto the customer's router, and the router is enforcing the redirect?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20348#comment:161>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
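The with/without-Host probe pair and the two response signatures discussed in the comment above, as an added Go example that is not dcf's grepsonar.go and not part of the ticket. The sample responses are constructed to mirror the ones quoted above (not captured traffic), and the label strings returned by `classify` are the example's own choice.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"io"
	"net/http"
	"strings"
)
// probeRequest builds the two probes from the comment: Nmap's GetRequest (no Host
// header) and the manual ncat probe that adds one. HTTP/1.0 makes the server close.
func probeRequest(host string, withHost bool) []byte {
	if withHost {
		return []byte("GET / HTTP/1.0\r\nHost: " + host + "\r\n\r\n")
	}
	return []byte("GET / HTTP/1.0\r\n\r\n")
}

// classify labels a raw HTTP response using the two signatures from the comment:
// the "302 Found" redirect page and the Netgear uhttpd 401 challenge.
func classify(raw []byte) (string, error) {
	resp, err := http.ReadResponse(bufio.NewReader(bytes.NewReader(raw)), nil)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body) // without Content-Length this reads to EOF
	if err != nil {
		return "", err
	}
	switch {
	case resp.StatusCode == 302 &&
		strings.HasPrefix(resp.Header.Get("Content-Type"), "text/html") &&
		bytes.Contains(body, []byte("<TITLE>302 Found</TITLE>")) &&
		bytes.Contains(body, []byte("The document has moved")):
		return "redirect-signature -> " + resp.Header.Get("Location"), nil
	case resp.StatusCode == 401 &&
		strings.HasPrefix(resp.Header.Get("Server"), "uhttpd/") &&
		strings.Contains(resp.Header.Get("WWW-Authenticate"), "NETGEAR"):
		return "netgear-uhttpd-401", nil
	}
	return "other", nil
}

// Constructed sample responses modelled on the ones quoted in the comment (not captured traffic).
var redirectBody = "<HTML><HEAD><TITLE>302 Found</TITLE></HEAD><BODY>\n<H1>302 Found</H1>\nThe document has moved\n<A HREF=\"http://0.2090000.ru\">here</A>\n</BODY></HTML>\r\n"
var sampleRedirect = []byte(fmt.Sprintf("HTTP/1.1 302 Found\r\nContent-Length: %d\r\nLocation: http://0.2090000.ru\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n%s", len(redirectBody), redirectBody))
var sampleUnauth = []byte("HTTP/1.0 401 Unauthorized\r\nServer: uhttpd/1.0.0\r\nWWW-Authenticate: Basic realm=\"NETGEAR WNDRMACv2\"\r\nConnection: close\r\n\r\n<HTML><HEAD><TITLE> 401 Authorization</TITLE></HEAD><BODY></BODY></HTML>")
```

To reproduce the comment's observation against a live host you would send `probeRequest(host, true)` and `probeRequest(host, false)` over separate TCP connections and pass each reply to `classify`; a host that answers the first with the redirect signature and the second with `netgear-uhttpd-401` matches what dcf saw.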