
WITCH? — VPN and proxy detector. Can detect OpenVPN cipher, MAC and compression usage.


29 replies to this topic

#1 snaggle (Advanced Member, Members, 100 posts)

Posted 26 July 2015 - 10:09 AM

Hi all,

I have just stumbled across http://witch.valdikss.org.ru/ and https://medium.com/@ValdikSS/detecting-vpn-and-its-configuration-and-proxy-users-on-the-server-side-1bcc59742413

I run Eddie on Arch Linux using UDP over port 53 - mostly :whistle: When I visited the first link, the Witch script ran and correctly confirmed this, all but the port number. The script also worked well when I connected using SSL over port 433.

Is there a way to configure Eddie to fool Witch?

 



#2 Staff (Advanced Member, Staff, 6949 posts)

Posted 26 July 2015 - 10:22 AM

Hello,

 

yes, try the "mssfix" directive (you can insert it in "AirVPN" -> "Preferences" -> "Advanced" -> "OVPN directives").

 

Try different mssfix values (1400, 1350, 1300...) because the Witch code is still unripe, so it produces many, many false positives.

 

See also https://translate.google.com/translate?sl=ru&tl=en&js=y&prev=_t&hl=ru&ie=UTF-8&u=http%3A%2F%2Fhabrahabr.ru%2Fpost%2F216295%2F&edit-text=

 

Kind regards



#3 snaggle (Advanced Member, Members, 100 posts)

Posted 26 July 2015 - 10:31 AM

Hello,

 

yes, try the "mssfix" directive (you can insert it in "AirVPN" -> "Preferences" -> "Advanced" -> "OVPN directives").

 

Try different mssfix values (1400, 1350, 1300...) because the Witch code is still unripe, so it produces many, many false positives.

 

See also https://translate.google.com/translate?sl=ru&tl=en&js=y&prev=_t&hl=ru&ie=UTF-8&u=http%3A%2F%2Fhabrahabr.ru%2Fpost%2F216295%2F&edit-text=

 

Kind regards

Hi and thanks for the rapid response.

Please forgive my ignorance, but how do I add the value? Is it as simple as "mssfix 1350"?

I guess not.



#4 me.moo@posteo.me (Advanced Member, Members, 335 posts)

Posted 26 July 2015 - 11:15 AM

When I visit the Witch link, the details it provides are all incorrect ;) Currently I am using AirVPN --> Tor Browser with the Secret Agent extension (it could be this that is confusing things).



#5 go558a83nk (Advanced Member, Members, 1290 posts)

Posted 26 July 2015 - 01:28 PM

My first test shows an MTU of 1392 even though I am using, and always use, "mssfix 0".

 

Edit: my use of "mtu-disc maybe" has no effect on the MTU perceived by the script.



#6 bigbrosbitch (Advanced Member, Members, 40 posts)

Posted 26 July 2015 - 03:44 PM

My first test shows an MTU of 1392 even though I am using, and always use, "mssfix 0".

 

Edit: my use of "mtu-disc maybe" has no effect on the MTU perceived by the script.

 

Hi,

Same problem here when I set mssfix 0 in the custom settings part of the OVPN directives, and with other values as well. It doesn't seem to change the resulting test value, with an MTU of 1392 showing, presumably for the default settings most people are running on the Eddie client.

This is worth looking into, or getting some clear advice on from the mods, as it otherwise provides the spooks with yet another fingerprinting tool.

If they can add OpenVPN config fingerprinting into the mix, whilst they also detect proxy settings, use of Tor (or not), use of ad-blockers, extensions/add-ons/plug-ins, time-stamps, and a million other tracking tools via browser headers and other data, it would be fair to say that most users will be uniquely identified by their configuration, unless they go to extreme lengths.

I note that most people who did the Russian test are not blocking time-stamps. They should read up on the Whonix documentation and apply the following (so should all AirVPN Linux and Windows users):

https://www.whonix.org/wiki/Pre_Install_Advice

 

Linux or Qubes Temporary

You can skip this Temporary chapter and move on to #Permanently if you are looking for a permanent solution.

To dynamically disable TCP timestamping on Linux...

Become root.

sudo su

Disable TCP timestamping.

echo 0 > /proc/sys/net/ipv4/tcp_timestamps

Permanently

To make that change permanent...

Become root.

sudo su

You need to add the following line to /etc/sysctl.conf or /etc/sysctl.d/tcp_timestamps.conf:

net.ipv4.tcp_timestamps = 0

To do that, you could use the following command.

echo "net.ipv4.tcp_timestamps = 0" > /etc/sysctl.d/tcp_timestamps.conf

To apply the sysctl settings without reboot, run the following command.

sysctl -p

Check if it's really set.

sysctl -a | grep net.ipv4.tcp_timestamps

Windows

To disable TCP timestamping on Windows, run the following root command:

netsh int tcp set global timestamps=disabled

Note: You must have administrator privileges.


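The Whonix steps quoted above disable TCP timestamps at runtime and then persistently, and the two are easy to mix up: the runtime change alone reverts at the next reboot, while a drop-in file alone does nothing until sysctl re-reads it. As an added example (not code from the thread or from the Whonix wiki), here is a small Python check that reports which of those states a host is in. The default paths are the real Linux locations; they are parameters so the check can be run against copies of the files. It simplifies the "sysctl --system" search order to the *.conf files in /etc/sysctl.d followed by /etc/sysctl.conf, which is an assumption made for this example.

```python
"""Added example, not from the thread or the Whonix wiki: report whether TCP
timestamps are disabled at runtime AND persistently.  A runtime-only change
(echo 0 > /proc/sys/net/ipv4/tcp_timestamps) silently reverts at reboot.
Paths are parameters so the check can be run against copies of the files;
the defaults are the real Linux locations."""
import glob
import os
import re

RUNTIME_FILE = "/proc/sys/net/ipv4/tcp_timestamps"
SYSCTL_CONF = "/etc/sysctl.conf"
SYSCTL_DIR = "/etc/sysctl.d"

# "net.ipv4.tcp_timestamps = 0" with optional spaces and a trailing comment
_KEY_RE = re.compile(r"^\s*net\.ipv4\.tcp_timestamps\s*=\s*([01])\s*(?:#.*)?$")


def runtime_value(path=RUNTIME_FILE):
    """Live kernel setting: 1 = timestamps on, 0 = off, None if unreadable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def persistent_value(conf=SYSCTL_CONF, sysctl_dir=SYSCTL_DIR):
    """Value that would be applied at boot, or None if no file sets it.

    Simplified search order (an assumption for this example): the *.conf
    files in the sysctl.d directory in lexical order, then sysctl.conf last,
    so a later file overrides an earlier one, as 'sysctl --system' does."""
    files = sorted(glob.glob(os.path.join(sysctl_dir, "*.conf"))) + [conf]
    value = None
    for path in files:
        try:
            with open(path) as f:
                for line in f:
                    m = _KEY_RE.match(line)
                    if m:
                        value = int(m.group(1))
        except OSError:
            continue
    return value


def audit(runtime_path=RUNTIME_FILE, conf=SYSCTL_CONF, sysctl_dir=SYSCTL_DIR):
    """Classify the host: ok, runtime-only, persistent-only or enabled."""
    live = runtime_value(runtime_path)
    boot = persistent_value(conf, sysctl_dir)
    if live == 0 and boot == 0:
        return "ok"
    if live == 0:
        return "runtime-only"     # reverts at reboot: add the sysctl.d entry
    if boot == 0:
        return "persistent-only"  # file written but not applied: run sysctl -p
    return "enabled"


if __name__ == "__main__":
    print("net.ipv4.tcp_timestamps:", audit())
```

Run it once after the echo step and once after writing the drop-in file: "runtime-only" is the state that looks fixed today and comes back after a reboot, which is exactly what a retest after rebooting would show.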

#7 rickjames (Advanced Member, Members, 355 posts)

Posted 26 July 2015 - 04:04 PM

Adding mssfix 1400 to the ovpn config file did change the resulting MTU value.

For the most part, the rest of the data is incorrect when I test. Interesting script, though.

#8 snaggle (Advanced Member, Members, 100 posts)

Posted 26 July 2015 - 06:07 PM

Same thing here, I have tried many, many different values. The best result I can get is -

Fingerprint and User-Agent mismatch. Either proxy or User-Agent spoofing.
Probable OpenVPN detected. If it really is OpenVPN, then it's settings are as follows:
Block size is 64 bytes long (probably AES), MAC is SHA1, LZO compression enabled.

The resulting MTU value does change, however, and is never the same as the value I set.

 



#9 zhang888 (Donald Trump of IT/Security, Moderators, 2077 posts)

Posted 27 July 2015 - 02:19 AM

I suggest you avoid using custom values, since this can add more fingerprinting to your connection. The method of combining p0f from lcamtuf and adding MSS signatures to detect OpenVPN is very nice, but I don't really see the purpose of this. The entire "detection" could be much easier: 95% of VPN providers use "Business/Hosting" classified IP pools, so it's not a great deal to know that whoever is coming from LeaseWeb IPs is using some kind of VPN... But the cipher/compression calculation is nice.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.


#10 snaggle (Advanced Member, Members, 100 posts)

Posted 27 July 2015 - 07:30 AM

It seems I have defeated the script by disabling TCP timestamps.

No custom mssfix values are used.

 

First seen    = 2015/07/27 10:18:52
Last update   = 2015/07/27 10:18:52
Total flows   = 1
Detected OS   = Linux 2.2.x-3.x (no timestamps) [generic]
HTTP software = Firefox 10.x or newer (ID seems legit)
MTU           = 1052
Network link  = ???
Language      = English
Distance      = 10
PTR           = 

PTR test      = Probably server user
Fingerprint and OS match. No proxy detected (this test does not include headers detection).
No OpenVPN detected.

Almost all the details are incorrect.

I connect with Eddie using UDP; nevertheless, disabling TCP timestamps does the trick.


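The report above is the part worth reading carefully, because the "MTU" line is what gives an OpenVPN tunnel away (the mssfix discussion earlier in the thread and zhang888's remark about MSS signatures are about the same thing). The MSS option in a TCP SYN is the path MTU minus the IP and TCP headers (40 bytes for IPv4, 60 for IPv6), so a passive observer recovers the MTU from it: a plain Ethernet host announces an MSS that maps back to 1500, whereas OpenVPN clamps the MSS (mssfix) to leave room for its own encapsulation, so the recovered value is an odd number such as 1392 or 1052 that matches no common link type. As an added example, not code from the thread, from WITCH or from p0f, here is a Python self-check that does that arithmetic both ways and parses the "key = value" report format quoted above so you can audit your own result. The table of "common" MTUs is an illustrative subset I constructed (p0f ships its own, fuller table), and the sample report is constructed to mirror the one in this post.

```python
"""Added example (not from the thread, WITCH or p0f): what a passive observer
learns from the MSS in a TCP SYN, plus a parser for the WITCH/p0f-style
report quoted in the thread, for auditing your own connection."""
import re

IPV4_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header
IPV6_TCP_HEADERS = 60  # 40-byte IPv6 header + 20-byte TCP header

# Illustrative subset of link MTUs an observer treats as ordinary; constructed
# for this example (p0f's own table in p0f.fp is the real reference).
COMMON_LINK_MTUS = {
    1500: "Ethernet",
    1492: "PPPoE (DSL)",
    576: "dial-up / minimum IPv4 path",
}


def implied_mtu(mss, ipv6=False):
    """MTU an observer infers from the MSS announced in a SYN."""
    return mss + (IPV6_TCP_HEADERS if ipv6 else IPV4_TCP_HEADERS)


def announced_mss(mtu, ipv6=False):
    """Inverse: the MSS a host on a link with this MTU would announce."""
    return mtu - (IPV6_TCP_HEADERS if ipv6 else IPV4_TCP_HEADERS)


def assess_mtu(mtu):
    """'common: <link>' if the MTU matches an ordinary link, else 'unusual: ...'."""
    if mtu in COMMON_LINK_MTUS:
        return "common: " + COMMON_LINK_MTUS[mtu]
    if mtu > 1500:
        return "unusual: larger than Ethernet (jumbo frames?)"
    return ("unusual: %d bytes below Ethernet, consistent with tunnel "
            "encapsulation" % (1500 - mtu))


# "Key name     = value"; verdict sentences without '=' are left to audit_report
_LINE_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*=\s*(.*?)\s*$")


def parse_report(text):
    """Turn the 'key = value' lines of a WITCH/p0f-style report into a dict."""
    fields = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def audit_report(text):
    """Summarise what the report reveals: MTU, timestamps, proxy/VPN verdicts."""
    fields = parse_report(text)
    mtu = int(fields.get("MTU", "0") or 0)
    return {
        "mtu": mtu,
        "mtu_assessment": assess_mtu(mtu) if mtu else "unknown",
        # p0f labels a SYN without the timestamp option "(no timestamps)"
        "timestamps_disabled": "no timestamps" in fields.get("Detected OS", ""),
        # "Probable OpenVPN detected" counts, "No OpenVPN detected" does not
        "openvpn_flagged": bool(re.search(r"(?<!No )OpenVPN detected", text)),
        "proxy_flagged": "No proxy detected" not in text and "proxy" in text.lower(),
    }


# Constructed sample mirroring the report quoted in the thread.
SAMPLE_REPORT = """\
First seen    = 2015/07/27 10:18:52
Detected OS   = Linux 2.2.x-3.x (no timestamps) [generic]
HTTP software = Firefox 10.x or newer (ID seems legit)
MTU           = 1052
Distance      = 10
Fingerprint and OS match. No proxy detected (this test does not include headers detection).
No OpenVPN detected.
"""

if __name__ == "__main__":
    for key, value in audit_report(SAMPLE_REPORT).items():
        print("%-20s %s" % (key, value))
```

The point for a user is the assessment line: an MTU that maps to no common link is a fingerprint regardless of whether the tool prints "OpenVPN detected", and picking a rare mssfix value of your own just swaps one unusual number for another, which is why the thread's question about the most common value is the right one.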

#11 go558a83nk (Advanced Member, Members, 1290 posts)

Posted 27 July 2015 - 01:22 PM

I disabled TCP timestamps on my Windows 7 machine but it made no difference. VPN is run on my router. I disabled timestamps on it, too, but still no difference in test results.



#12 snaggle (Advanced Member, Members, 100 posts)

Posted 27 July 2015 - 03:50 PM

I disabled TCP timestamps on my Windows 7 machine but it made no difference. VPN is run on my router. I disabled timestamps on it, too, but still no difference in test results.

 

Hi,

OK, I returned from work, rebooted my machine and retested: OpenVPN detected!!

I added mssfix 1250 to the OVPN directives and retested: no OpenVPN.

I then removed the mssfix entry and tested again: still no OpenVPN.

So, suffice to say, I'm none the wiser.

I'm guessing this needs a more knowledgeable insight than I can offer.

 

Edit: After some more testing it appears that an mssfix value of 1250 is key.

The changes to the OVPN directives take a reconnection to take effect, or, it seems, even a restart of Eddie.

Can anyone confirm if mssfix 1250 works on their machine?



#13 ZPKZ (Advanced Member, Members, 326 posts)

Posted 28 July 2015 - 10:55 AM

I disabled TCP timestamps on my Windows 7 machine but it made no difference. VPN is run on my router. I disabled timestamps on it, too, but still no difference in test results.

 

Hi,

OK, I returned from work, rebooted my machine and retested: OpenVPN detected!!

I added mssfix 1250 to the OVPN directives and retested: no OpenVPN.

I then removed the mssfix entry and tested again: still no OpenVPN.

So, suffice to say, I'm none the wiser.

I'm guessing this needs a more knowledgeable insight than I can offer.

 

Edit: After some more testing it appears that an mssfix value of 1250 is key.

The changes to the OVPN directives take a reconnection to take effect, or, it seems, even a restart of Eddie.

Can anyone confirm if mssfix 1250 works on their machine?

 

mssfix 1250 and restart did it for me too :)



#14 snaggle (Advanced Member, Members, 100 posts)

Posted 28 July 2015 - 11:05 AM

Thanks for the confirmation ZPKZ

 

I'm wondering what the most generic value is; I've found that 1360 also works, and from what I can gather this is a more common value than 1250.

Some guidance would be very welcome.



#15 bigbrosbitch (Advanced Member, Members, 40 posts)

Posted 30 July 2015 - 02:06 PM

Thanks for the confirmation ZPKZ

 

I'm wondering what the most generic value is; I've found that 1360 also works, and from what I can gather this is a more common value than 1250.

Some guidance would be very welcome.

 

Thanks guys for this advice. I can confirm that mssfix 1250 also works on this configuration.

Since we are talking about fingerprinting, people should also know that your typing cadence on the keyboard is also a signature that algorithms can detect within 10 minutes. See here ->

http://arstechnica.com/security/2015/07/how-the-way-you-type-can-shatter-anonymity-even-on-tor/

Security researchers have refined a long-theoretical profiling technique into a highly practical attack that poses a threat to Tor users and anyone else who wants to shield their identity online.

The technique collects user keystrokes as an individual enters usernames, passwords, and other data into a website. After a training session that typically takes less than 10 minutes, the website—or any other site connected to the website—can then determine with a high degree of certainty when the same individual is conducting subsequent online sessions. The profiling works by measuring the minute differences in the way each person presses keys on computer keyboards. Since the pauses between keystrokes and the precise length of time each key is pressed are unique for each person, the profiles act as a sort of digital fingerprint that can betray its owner's identity.

Implication: VPNs, Tor etc. won't help you if they already have your unique signature in their databases and various websites start implementing this technique widely. And they will. Just like they are doing with canvas image data extraction etc. So, the solution seems to be to either:

- Use a plug-in for Chrome that "prevents behavioural profiling by randomizing the rate at which characters reach the dom"

https://chrome.google.com/webstore/detail/keyboard-privacy/aoeboeflhhnobfjkafamelopfeojdohk

- Type all your stuff into Notepad/Leafpad or whatever, and cut and paste into your browser

Hopefully Tor will address this issue in an upcoming release.

All of this stuff really needs to be put together into an AirVPN guide for everyone at some stage. Lots of knowledge to be tapped around here and various pitfalls to avoid, e.g. IPv6 concerns, DNS leaks, WebRTC IP leaks, time-stamps, OpenVPN profiling, further ways to attempt network, session and ID abstraction, and so on.

 

It is all in the forums, but pretty hit and miss.



#16 snaggle (Advanced Member, Members, 100 posts)

Posted 30 July 2015 - 07:18 PM

All of this stuff really needs to be put together into an AirVPN guide for everyone at some stage. Lots of knowledge to be tapped around here and various pitfalls to avoid, e.g. IPv6 concerns, DNS leaks, WebRTC IP leaks, time-stamps, OpenVPN profiling, further ways to attempt network, session and ID abstraction, and so on.

 

It is all in the forums, but pretty hit and miss.

 

This forum, in fact the whole site, is a really good resource IMO.

Totally agree that it can be hit and miss finding the correct info straight away.

Also agree a guide would be really helpful. :good:

 

Obviously it won't write itself; I would happily volunteer any spare time I have to help.



#17 bigbrosbitch (Advanced Member, Members, 40 posts)

Posted 31 July 2015 - 01:57 AM

Hi Snaggle,

I have writing experience in other fields and would be keen to start drafting something for AirVPN and other users in the near term. As a civil libertarian, I believe everyone has the right to be free of interference when using or communicating on the net. If they want our shit, they should get a warrant. Full stop. Maybe AirVPN could think about some free VPN hours for those putting a bit of time into this resource? :asd:

 

In the first instance, users probably require a 'Threat Assessment Model' resource to determine what level of computer security they need to attempt for their own purposes.

 

Models I have seen normally come down to about 7 levels, from the 1st level - just a normal user who uses VPN + basic firewalls etc. (not really trying to hide) - all the way through to paranoid users who are the next Snowden or Silk Road 2.0, e.g. using virtual environments, chaining of virtual and VPN environments, + Tor, + identity separation, + pfSense + Tor bridges + JonDoNym mixers + advanced hardware networking solutions + use of hidden onion addresses + MAC spoofing + intrusion detection + hidden encrypted containers inside encrypted volumes, encrypted swap, BIOS and other firmware updates etc. etc.

After users know where they sit on the threat continuum, the tools they need to use to achieve their preferred level of anonymity/pseudo-anonymity can then be further explored in a solid document. This would use materials on this website, plus 100s of pages of info I have already collated across numerous security forums.

 

It could be condensed down into something manageable, e.g. I imagine 50 pages or so, and split up into various chapters, e.g. firewalls, general networking, O/S (host) configuration, using virtual environments, nesting/chaining VPN connections, advanced O/S e.g. Qubes/Whonix, whistleblowers e.g. TAILS, secure communication methods, using Tor safely, configuring browsers, OpenVPN configurations, SSH/SSL tunnelling, Tor over VPN/VPN over Tor, using Tomato/DD-WRT etc. routers, open-source encryption options etc. etc.

Anyway, if you like this idea, I can start on the preliminary threat assessment article in the next week or so. Shouldn't take too long.

PS Apparently the keyboard cadence fingerprinting only works in Tor if you 'temporarily allow' scripts on that page. If you never allow scripts (not even for trusted websites), then apparently they CANNOT achieve this form of fingerprinting (yet). Also, the mssfix value of 1360 also works for me, but I agree the most common values need to be explored, so AirVPN users can 'hide in the crowd' and not make their signature MORE unique by accident, i.e. with a very unusual directive in custom settings.



#18 snaggle (Advanced Member, Members, 100 posts)

Posted 31 July 2015 - 07:40 PM

Hey bigbrosbitch

 

It could be condensed down into something manageable e.g. I imagine 50 pages or so and split up into various chapters e.g. firewalls, general networking, O/S (host) configuration, using virtual environments, nesting/chaining VPN connections, advanced O/S e.g. Qubes/Whonix, whistleblowers e.g. TAILS, secure communication methods, using Tor safely, configuring browsers, OpenVPN configurations, SSH/SSL tunnelling, Tor over VPN/VPN over Tor, using Tomato/DD-WRT etc routers, open-source encryption options etc etc.

 

To me this sounds ideal; I see it as a work in progress that can evolve and develop.

If you have the talent and time to write, then I think this is too good an offer to pass up; a well-written guide would be a fantastic asset.

I'm interested to know what other members of the community and staff think.

I believe anything we can do to help others achieve and maintain their privacy/rights online can only be a good thing.



#19 just-me (Advanced Member, Members, 48 posts)

Posted 01 August 2015 - 02:22 PM

before mssfix 1250

 

[screenshot: Witch report before mssfix 1250]

and after inserting the fix

 

[screenshot: Witch report after mssfix 1250]

thx


What we praise as patience in the lowly is pale cowardice in the breast - William Shakespeare


#20 just-me (Advanced Member, Members, 48 posts)

Posted 03 August 2015 - 02:22 AM

1360 doesn't work for me the same way 1250 does

 

[screenshot: Witch report with mssfix 1360]

 

don't know why


What we praise as patience in the lowly is pale cowardice in the breast - William Shakespeare





