Jump to content
Not connected, Your IP: 18.232.171.18
snaggle

WITCH? — VPN and proxy detector. Can detect OpenVPN cipher, MAC and compression usage.

Recommended Posts

Hi all,

I have just stumbled across http://witch.valdikss.org.ru/ and https://medium.com/@ValdikSS/detecting-vpn-and-its-configuration-and-proxy-users-on-the-server-side-1bcc59742413

I run Eddie on Arch Linux using UDP over port 53 - mostly when I visit the first link the Witch script ran and correctly confirmed this - all but the port number. This script worked well when I connect using SSL over port 433.

Is there a way to configure Eddie to fool Witch ?

 

Share this post


Link to post

Hello,

 

yes, try to use "mssfix" directive (you can insert it in "AirVPN" -> "Preferences" -> "Advanced" -> "OVPN directives").

 

Try different mssfix values (1400, 1350, 1300...) because the Witch code is still unripe so it provides many many false positives.

 

See also https://translate.google.com/translate?sl=ru&tl=en&js=y&prev=_t&hl=ru&ie=UTF-8&u=http%3A%2F%2Fhabrahabr.ru%2Fpost%2F216295%2F&edit-text=

 

Kind regards

Share this post


Link to post

Hello,

 

yes, try to use "mssfix" directive (you can insert it in "AirVPN" -> "Preferences" -> "Advanced" -> "OVPN directives").

 

Try different mssfix values (1400, 1350, 1300...) because the Witch code is still unripe so it provides many many false positives.

 

See also https://translate.google.com/translate?sl=ru&tl=en&js=y&prev=_t&hl=ru&ie=UTF-8&u=http%3A%2F%2Fhabrahabr.ru%2Fpost%2F216295%2F&edit-text=

 

Kind regards

Hi and thanks for the rapid response.

Please for give my ignorance but how do I add the value ? Is it as simple as - mssfix 1350 ?

I guess not.

Share this post


Link to post

my first test shows MTU of 1392 though I am using and always use "mssfix 0".

 

edit: my usage of "mtu-disc maybe" has no affect on perceived MTU by the script.

 

Hi,

​Same problem here when I set mssfix 0 in custom settings part of the OVPN directives, and other values as well. It doesn't seem to change the resulting test value, with a MTU of 1392 showing, presumably for the default settings most people are running on the Eddie client.

​This is worth looking into, or getting some clear advice on from the mods, as it otherwise provides the spooks with yet another finger-printing tool.

​If they can add OpenVPN config finger-printing into the mix, whilst they also detect proxy settings, use of Tor (or not), use of ad-blockers, extensions/add-ons/plug-ins, time-stamps, and a million other tracking tools via browser header and other data, it would be fair to say that most users will be uniquely identified by their configuration, unless they go to extreme lengths.

​I note that most people are not blocking time-stamps, who did the russian test. Tbey should read up on their Whonix documentation and apply the following (so should all AirVPN linux and Windows users):

https://www.whonix.org/wiki/Pre_Install_Advice

 

 

Linux or Qubes Temporary

You can skip this Temporary chapter and move on the to #Permanently if you are looking for a permanent solution.

To dynamically disable TCP timestamping on Linux...

Become root.

sudo su

Disable TCP timestamping.

echo 0 > /proc/sys/net/ipv4/tcp_timestamps
Permanently

To make that change permanent...

Become root.

sudo su

You need to add the following line to /etc/sysctl.conf or /etc/sysctl.d/tcp_timestamps.conf:

net.ipv4.tcp_timestamps = 0

To do that, you could use the following command.

echo "net.ipv4.tcp_timestamps = 0" > /etc/sysctl.d/tcp_timestamps.conf

To apply the sysctl settings without reboot, run the following command.

sysctl -p

Check if it's really set.

sysctl -a | grep net.ipv4.tcp_timestamps
Windows

To disable TCP timestamping on Windows, run the following root command:

netsh int tcp set global timestamps=disabled

Note: You must have administrator privileges.

Share this post


Link to post

Adding mssfix 1400 to the ovpn config file did change the resulting mtu value.

 

For the most part the rest of the data is incorrect when I test. Interesting script though.

Share this post


Link to post

Same thing here, I have tried many, many different values. The best result I can get is -

Fingerprint and User-Agent mismatch. Either proxy or User-Agent spoofing.Probable OpenVPN detected. If it really is OpenVPN, then it's settings are as follows:Block size is 64 bytes long (probably AES), MAC is SHA1, LZO compression enabled.

The resulting MTU value does change however and is never the same as I change it to.

 

Share this post


Link to post

I suggest you to avoid using custom values since this can add more fingerprinting to your connection.

The method of combining p0f from lcamtuf and adding mss signatures to detect openvpn is very nice,

but I don't really see the purpose of this. The entire "detection" could be much easier - 95% of VPN

providers use "Business/Hosting" classified IP pools. So it's not a great deal to know that whoever is

coming from LeaseWeb IPs is using some kind of VPN... But the cipher/compression calculation is nice.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

It seems I have defeated the script by disabling TCP timestamps.

No custom mssfix values are used.

 

First seen    = 2015/07/27 10:18:52Last update   = 2015/07/27 10:18:52Total flows   = 1Detected OS   = Linux 2.2.x-3.x (no timestamps) [generic]HTTP software = Firefox 10.x or newer (ID seems legit)MTU           = 1052Network link  = ???Language      = EnglishDistance      = 10PTR           = PTR test      = Probably server userFingerprint and OS match. No proxy detected (this test does not include headers detection).No OpenVPN detected.

Almost all the details are incorrect.

I connect with Eddie using UDP, never the less disabling TCP timestamps does the trick.

Share this post


Link to post

I disabled tcp timestamps on my windows 7 machine but it made no difference.  VPN is run on my router.  I disabled timestamps on it, too, but still no difference in test results.

Share this post


Link to post

I disabled tcp timestamps on my windows 7 machine but it made no difference.  VPN is run on my router.  I disabled timestamps on it, too, but still no difference in test results.

 

Hi,

Ok I returned from work, rebooted my machine and retested--- OpenVPN detected!!

I added mssfix 1250 to OVPN directives and retested--- no  OpenVPN.

I then removed the mssfix entry and tested again--- still no OpenVPN

So suffice to say I'm non the wiser.

I'm guessing this needs a more knowledgeable insight than I can offer.

 

Edit: After some more testing it appears that a mssfix value of 1250 is key.

The changes to the OVPN directives take a reconnection to take effect or it seems even a restart of Eddie.

Can anyone confirm if mssfix 1250 works on there machine.

Share this post


Link to post

 

I disabled tcp timestamps on my windows 7 machine but it made no difference.  VPN is run on my router.  I disabled timestamps on it, too, but still no difference in test results.

 

Hi,

Ok I returned from work, rebooted my machine and retested--- OpenVPN detected!!

I added mssfix 1250 to OVPN directives and retested--- no  OpenVPN.

I then removed the mssfix entry and tested again--- still no OpenVPN

So suffice to say I'm non the wiser.

I'm guessing this needs a more knowledgeable insight than I can offer.

 

Edit: After some more testing it appears that a mssfix value of 1250 is key.

The changes to the OVPN directives take a reconnection to take effect or it seems even a restart of Eddie.

Can anyone confirm if mssfix 1250 works on there machine.

 

mssfix 1250 and restart did it for me too

Share this post


Link to post

Thanks for the confirmation ZPKZ

 

I'm wondering what is the most generic value, I've found that 1360 also works and from what I can gather this is a more common value than 1250.

Some guidance would be very welcome.

Share this post


Link to post

Thanks for the confirmation ZPKZ

 

I'm wondering what is the most generic value, I've found that 1360 also works and from what I can gather this is a more common value than 1250.

Some guidance would be very welcome.

 

Thanks guys for this advice. I can confirm that mssfix 1250 also works on this configuration.

​Since we are talking about fingerprinting, people should also know that typing cadence on your keyboard is also a signature detected by algorithms within 10 minutes. See here->

http://arstechnica.com/security/2015/07/how-the-way-you-type-can-shatter-anonymity-even-on-tor/

Security researchers have refined a long-theoretical profiling technique into a highly practical attack that poses a threat to Tor users and anyone else who wants to shield their identity online.

The technique collects user keystrokes as an individual enters usernames, passwords, and other data into a website. After a training session that typically takes less than 10 minutes, the website—or any other site connected to the website—can then determine with a high degree of certainty when the same individual is conducting subsequent online sessions. The profiling works by measuring the minute differences in the way each person presses keys on computer keyboards. Since the pauses between keystrokes and the precise length of time each key is pressed are unique for each person, the profiles act as a sort of digital fingerprint that can betray its owner's identity.

Implication: VPNs, TOR etc won't help you if they already have your unique signature on databases, and various websites starting implementing this technique widely. And they will. Just like they are doing with canvas image data extraction etc. So, the solution seems to be to either:

​- Use a plug-in for Chrome that "prevents behavioural profiling by randomizing the rate at which characters reach the dom"

https://chrome.google.com/webstore/detail/keyboard-privacy/aoeboeflhhnobfjkafamelopfeojdohk

​ - Type all your stuff into Notepad/Leafpad or whatever, and cut and paste into your browser

​Hopefully Tor will address this issue in an upcoming release.

​All of this stuff really needs to be put together into an AirVPN guide for everyone at some stage. Lots of knowledge to be tapped around here and various pitfalls to avoid e.g. IPv6 concerns, DNS leaks, WebRTC IP leaks, time-stamps, OpenVPN profiling, further ways to attempt network, session, ID abstraction and so on.

 

It is all in the forums, but pretty hit and miss.

Share this post


Link to post

​All of this stuff really needs to be put together into an AirVPN guide for everyone at some stage. Lots of knowledge to be tapped around here and various pitfalls to avoid e.g. IPv6 concerns, DNS leaks, WebRTC IP leaks, time-stamps, OpenVPN profiling, further ways to attempt network, session, ID abstraction and so on.

 

It is all in the forums, but pretty hit and miss.

 

This forum, in fact the whole site is a really good resource IMO.

Totally agree that it can be hit and miss finding the correct info straight away.

Also agree a guide would really helpful.

 

Obviously it won't write its self, I would happily volunteer any spare time I have to helping.

Share this post


Link to post

Hi Snaggle,

​I have writing experience in other fields and would be keen to start drafting something for AirVPN and other users in the near-term. As a civil libertarian, I believe everyone has the right to be free of interference when using or communicating on the net. If they want our shit, they should get a warrant. Full stop. Maybe AirVPN could think about some free VPN hours to those putting a bit of time into this resource?

 

​In the first instance, users probably require a 'Threat Assessment Model' resource to determine what level of computer security they need to attempt for their own purposes.

 

Models I have seen normally come down to about 7 levels, from the 1st level - just a normal user who uses VPN + basic firewalls etc (not really trying to hide) - all the way through to paranoid users who are the next Snowden or Silk Road 2.0 e.g. using virtual environments, chaining of virtual and VPN environments, + Tor, + identity separation, + PfSense + Tor Bridges + JonDoNym mixers + advanced hardware networking solutions + use of hidden onion addresses + MAC spoofing + intrusion detection + hidden encrypted containers inside encrypted volumes, encrypted swap, BIOS and other firmware updates etc etc.

​After users know where they sit on the threat continuum, then the tools they need to use to achieve their preferred level of anonymity/psuedo-anonymity can be further explored in a solid document. This would use materials on this website, plus 100s of pages of info I have already collated across numerous security forums.

 

It could be condensed down into something manageable e.g. I imagine 50 pages or so and split up into various chapters e.g. firewalls, general networking, O/S (host) configuration, using virtual environments, nesting/chaining VPN connections, advanced O/S e.g. Qubes/Whonix, whistleblowers e.g. TAILS, secure communication methods, using Tor safely, configuring browsers, OpenVPN configurations, SSH/SSL tunnelling, Tor over VPN/VPN over Tor, using Tomato/DD-WRT etc routers, open-source encryption options etc etc.

​Anyway, if you like this idea, I can start on the preliminary threat assessment article in the next week or so. Shouldn't take too long.

​PS Apparently the keyboard cadence finger-printing only works in Tor if you 'temporarily allow' scripts on that page. If you never allow scripts (not even for trusted websites), then apparently they CANNOT achieve this form of finger-printing (yet). Also, the mssfix value of 1360 also works for me, but agree the most common values need to be explored, so AirVPN users can 'hide in the crowd' and not make their signature MORE unique by accident i.e. very unusual directive in custom settings.

Share this post


Link to post

Hey bigbrosbitch

 

It could be condensed down into something manageable e.g. I imagine 50 pages or so and split up into various chapters e.g. firewalls, general networking, O/S (host) configuration, using virtual environments, nesting/chaining VPN connections, advanced O/S e.g. Qubes/Whonix, whistleblowers e.g. TAILS, secure communication methods, using Tor safely, configuring browsers, OpenVPN configurations, SSH/SSL tunnelling, Tor over VPN/VPN over Tor, using Tomato/DD-WRT etc routers, open-source encryption options etc etc.

 

To me this sounds ideal, I see it as a work in progress that can evolve and develop.

If you have the talent and time to write then I think this is too good an offer to pass up, a well written guide would be a fantastic asset.

I'm intrested to know what other members of the community and staff think.

I believe anything we can do to help others achieve and maintain their privacy/rights online can only be a good thing.

Share this post


Link to post

found something interesting today.  With another VPN provider I use I can use the "mssfix 0" setting and no openvpn is detected.  Witch reports an MTU of 1500.

 

But, with AirVPN the mssfix 0 setting does not disguise openvpn use and MTU is reported to be 1392.

 

here is the VPN config of the other provider:

proto udp
mssfix 0
dev tun
tls-client
ns-cert-type server
key-direction 1
comp-lzo
auth SHA1
cipher AES-256-CBC
keysize 256
verb 3
nobind
persist-tun
persist-key
mute-replay-warnings
script-security 2
ping 6
hand-window 20
socket-flags TCP_NODELAY
topology subnet
pull
route-metric 2
 

That provider also claims to normalize IP packet TTL to prevent VPN detection by TTL analysis. 

 

What could be the difference between the two VPN providers to cause this difference in result by witch?

Share this post


Link to post

According to OpenVPN documentation mssfix works only with UDP protocol (--proto udp).

Could anyone describe what is going on when I use TCP protocol? Who decides to decrease MSS in this case?

I tried to play with --tun-mtu, but it doesn't give any effect.

Witch still detects my OpenVPN.

Share this post


Link to post

Hi Snaggle,

​I have writing experience in other fields and would be keen to start drafting something for AirVPN and other users in the near-term. As a civil libertarian, I believe everyone has the right to be free of interference when using or communicating on the net. If they want our shit, they should get a warrant. Full stop. Maybe AirVPN could think about some free VPN hours to those putting a bit of time into this resource?

 

​In the first instance, users probably require a 'Threat Assessment Model' resource to determine what level of computer security they need to attempt for their own purposes.

 

Models I have seen normally come down to about 7 levels, from the 1st level - just a normal user who uses VPN + basic firewalls etc (not really trying to hide) - all the way through to paranoid users who are the next Snowden or Silk Road 2.0 e.g. using virtual environments, chaining of virtual and VPN environments, + Tor, + identity separation, + PfSense + Tor Bridges + JonDoNym mixers + advanced hardware networking solutions + use of hidden onion addresses + MAC spoofing + intrusion detection + hidden encrypted containers inside encrypted volumes, encrypted swap, BIOS and other firmware updates etc etc.

​After users know where they sit on the threat continuum, then the tools they need to use to achieve their preferred level of anonymity/psuedo-anonymity can be further explored in a solid document. This would use materials on this website, plus 100s of pages of info I have already collated across numerous security forums.

 

It could be condensed down into something manageable e.g. I imagine 50 pages or so and split up into various chapters e.g. firewalls, general networking, O/S (host) configuration, using virtual environments, nesting/chaining VPN connections, advanced O/S e.g. Qubes/Whonix, whistleblowers e.g. TAILS, secure communication methods, using Tor safely, configuring browsers, OpenVPN configurations, SSH/SSL tunnelling, Tor over VPN/VPN over Tor, using Tomato/DD-WRT etc routers, open-source encryption options etc etc.

​Anyway, if you like this idea, I can start on the preliminary threat assessment article in the next week or so. Shouldn't take too long.

​PS Apparently the keyboard cadence finger-printing only works in Tor if you 'temporarily allow' scripts on that page. If you never allow scripts (not even for trusted websites), then apparently they CANNOT achieve this form of finger-printing (yet). Also, the mssfix value of 1360 also works for me, but agree the most common values need to be explored, so AirVPN users can 'hide in the crowd' and not make their signature MORE unique by accident i.e. very unusual directive in custom settings.

Hello !

 

I don't know how far you actually got on that, but if you did post it, I'd love to see it. However I've already created a guide on getting started with AirVPN, which also acts as a collection point for the many useful threads we have on the forums already, relating to many different things; AirVPN policy, security, privacy, server locations and so forth. So if you do decide to embark on such a project, feel free to hit me up, as I'd love to help out if I can - even if it's just linking to each of your 50 page manuals, lol. I like the idea of a threat level thing; that'll allow us/me to abuse the spoiler tag even more than I've already done myself hahaha. We've got to keep it all accessible though - no requiring a PhD to understand the contents - otherwise few will read it and that'll all but defeat the purpose of it .


Moderators do not speak on behalf of AirVPN. Only the Official Staff account does. Please also do not run Tor Exit Servers behind AirVPN, thank you.
Did you make a guide or how-to for something? Then contact me to get it listed in my new user guide's Guides Section, so that the community can find it more easily.


Tired of Windows? Why Linux Is Better.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...