ＷＩＴＣＨ？ — VPN and proxy detector. Can detect OpenVPN cipher, MAC and compression usage.

[snaggle 25]

Hi all,

I have just stumbled across http://witch.valdikss.org.ru/ and https://medium.com/@ValdikSS/detecting-vpn-and-its-configuration-and-proxy-users-on-the-server-side-1bcc59742413

I run Eddie on Arch Linux using UDP over port 53 - mostly when I visit the first link the Witch script ran and correctly confirmed this - all but the port number. This script worked well when I connect using SSL over port 433.

Is there a way to configure Eddie to fool Witch ?

 

[Staff 10200]

Hello,

 

yes, try to use "mssfix" directive (you can insert it in "AirVPN" -> "Preferences" -> "Advanced" -> "OVPN directives").

 

Try different mssfix values (1400, 1350, 1300...) because the Witch code is still unripe so it provides many many false positives.

 

See also https://translate.google.com/translate?sl=ru&tl=en&js=y&prev=_t&hl=ru&ie=UTF-8&u=http%3A%2F%2Fhabrahabr.ru%2Fpost%2F216295%2F&edit-text=

 

Kind regards

[snaggle 25]

Hello,

 

yes, try to use "mssfix" directive (you can insert it in "AirVPN" -> "Preferences" -> "Advanced" -> "OVPN directives").

 

Try different mssfix values (1400, 1350, 1300...) because the Witch code is still unripe so it provides many many false positives.

 

See also https://translate.google.com/translate?sl=ru&tl=en&js=y&prev=_t&hl=ru&ie=UTF-8&u=http%3A%2F%2Fhabrahabr.ru%2Fpost%2F216295%2F&edit-text=

 

Kind regards

Hi and thanks for the rapid response.

Please for give my ignorance but how do I add the value ? Is it as simple as - mssfix 1350 ?

I guess not.

[me.moo@posteo.me 80]

When I visit the Witch link the details it provides are all incorrect    Currently I am using AirVPN --> Tor Browser using Secret Agent extension (could be this that is confusing things).

[go558a83nk 377]

my first test shows MTU of 1392 though I am using and always use "mssfix 0".

 

edit: my usage of "mtu-disc maybe" has no affect on perceived MTU by the script.

[bigbrosbitch 65]

my first test shows MTU of 1392 though I am using and always use "mssfix 0".

 

edit: my usage of "mtu-disc maybe" has no affect on perceived MTU by the script.

 

Hi,

​

​Same problem here when I set mssfix 0 in custom settings part of the OVPN directives, and other values as well. It doesn't seem to change the resulting test value, with a MTU of 1392 showing, presumably for the default settings most people are running on the Eddie client.

​

​This is worth looking into, or getting some clear advice on from the mods, as it otherwise provides the spooks with yet another finger-printing tool.

​

​If they can add OpenVPN config finger-printing into the mix, whilst they also detect proxy settings, use of Tor (or not), use of ad-blockers, extensions/add-ons/plug-ins, time-stamps, and a million other tracking tools via browser header and other data, it would be fair to say that most users will be uniquely identified by their configuration, unless they go to extreme lengths.

​

​I note that most people are not blocking time-stamps, who did the russian test. Tbey should read up on their Whonix documentation and apply the following (so should all AirVPN linux and Windows users):

​

​https://www.whonix.org/wiki/Pre_Install_Advice

​

 

 

Linux or Qubes Temporary

You can skip this Temporary chapter and move on the to #Permanently if you are looking for a permanent solution.

To dynamically disable TCP timestamping on Linux...

Become root.

sudo su

Disable TCP timestamping.

echo 0 > /proc/sys/net/ipv4/tcp_timestamps

Permanently

To make that change permanent...

Become root.

sudo su

You need to add the following line to /etc/sysctl.conf or /etc/sysctl.d/tcp_timestamps.conf:

net.ipv4.tcp_timestamps = 0

To do that, you could use the following command.

echo "net.ipv4.tcp_timestamps = 0" > /etc/sysctl.d/tcp_timestamps.conf

To apply the sysctl settings without reboot, run the following command.

sysctl -p

Check if it's really set.

sysctl -a | grep net.ipv4.tcp_timestamps

Windows

To disable TCP timestamping on Windows, run the following root command:

netsh int tcp set global timestamps=disabled

Note: You must have administrator privileges.

​

[rickjames 106]

Adding mssfix 1400 to the ovpn config file did change the resulting mtu value.

 

For the most part the rest of the data is incorrect when I test. Interesting script though.

[snaggle 25]

Same thing here, I have tried many, many different values. The best result I can get is -

Fingerprint and User-Agent mismatch. Either proxy or User-Agent spoofing.Probable OpenVPN detected. If it really is OpenVPN, then it's settings are as follows:Block size is 64 bytes long (probably AES), MAC is SHA1, LZO compression enabled.

The resulting MTU value does change however and is never the same as I change it to.

 

[zhang888 1067]

I suggest you to avoid using custom values since this can add more fingerprinting to your connection.

The method of combining p0f from lcamtuf and adding mss signatures to detect openvpn is very nice,

but I don't really see the purpose of this. The entire "detection" could be much easier - 95% of VPN

providers use "Business/Hosting" classified IP pools. So it's not a great deal to know that whoever is

coming from LeaseWeb IPs is using some kind of VPN... But the cipher/compression calculation is nice.

[snaggle 25]

It seems I have defeated the script by disabling TCP timestamps.

No custom mssfix values are used.

 

First seen    = 2015/07/27 10:18:52Last update   = 2015/07/27 10:18:52Total flows   = 1Detected OS   = Linux 2.2.x-3.x (no timestamps) [generic]HTTP software = Firefox 10.x or newer (ID seems legit)MTU           = 1052Network link  = ???Language      = EnglishDistance      = 10PTR           = PTR test      = Probably server userFingerprint and OS match. No proxy detected (this test does not include headers detection).No OpenVPN detected.

Almost all the details are incorrect.

I connect with Eddie using UDP, never the less disabling TCP timestamps does the trick.

[go558a83nk 377]

I disabled tcp timestamps on my windows 7 machine but it made no difference.  VPN is run on my router.  I disabled timestamps on it, too, but still no difference in test results.

[snaggle 25]

I disabled tcp timestamps on my windows 7 machine but it made no difference.  VPN is run on my router.  I disabled timestamps on it, too, but still no difference in test results.

 

Hi,

Ok I returned from work, rebooted my machine and retested--- OpenVPN detected!!

I added mssfix 1250 to OVPN directives and retested--- no  OpenVPN.

I then removed the mssfix entry and tested again--- still no OpenVPN

So suffice to say I'm non the wiser.

I'm guessing this needs a more knowledgeable insight than I can offer.

 

Edit: After some more testing it appears that a mssfix value of 1250 is key.

The changes to the OVPN directives take a reconnection to take effect or it seems even a restart of Eddie.

Can anyone confirm if mssfix 1250 works on there machine.

[Guest]

 

I disabled tcp timestamps on my windows 7 machine but it made no difference.  VPN is run on my router.  I disabled timestamps on it, too, but still no difference in test results.

 

Hi,

Ok I returned from work, rebooted my machine and retested--- OpenVPN detected!!

I added mssfix 1250 to OVPN directives and retested--- no  OpenVPN.

I then removed the mssfix entry and tested again--- still no OpenVPN

So suffice to say I'm non the wiser.

I'm guessing this needs a more knowledgeable insight than I can offer.

 

Edit: After some more testing it appears that a mssfix value of 1250 is key.

The changes to the OVPN directives take a reconnection to take effect or it seems even a restart of Eddie.

Can anyone confirm if mssfix 1250 works on there machine.

 

mssfix 1250 and restart did it for me too

[snaggle 25]

Thanks for the confirmation ZPKZ

 

I'm wondering what is the most generic value, I've found that 1360 also works and from what I can gather this is a more common value than 1250.

Some guidance would be very welcome.

[bigbrosbitch 65]

Thanks for the confirmation ZPKZ

 

I'm wondering what is the most generic value, I've found that 1360 also works and from what I can gather this is a more common value than 1250.

Some guidance would be very welcome.

 

Thanks guys for this advice. I can confirm that mssfix 1250 also works on this configuration.

​

​Since we are talking about fingerprinting, people should also know that typing cadence on your keyboard is also a signature detected by algorithms within 10 minutes. See here->

​

​http://arstechnica.com/security/2015/07/how-the-way-you-type-can-shatter-anonymity-even-on-tor/

​

Security researchers have refined a long-theoretical profiling technique into a highly practical attack that poses a threat to Tor users and anyone else who wants to shield their identity online.

The technique collects user keystrokes as an individual enters usernames, passwords, and other data into a website. After a training session that typically takes less than 10 minutes, the website—or any other site connected to the website—can then determine with a high degree of certainty when the same individual is conducting subsequent online sessions. The profiling works by measuring the minute differences in the way each person presses keys on computer keyboards. Since the pauses between keystrokes and the precise length of time each key is pressed are unique for each person, the profiles act as a sort of digital fingerprint that can betray its owner's identity.

​

Implication: VPNs, TOR etc won't help you if they already have your unique signature on databases, and various websites starting implementing this technique widely. And they will. Just like they are doing with canvas image data extraction etc. So, the solution seems to be to either:

​

​- Use a plug-in for Chrome that "prevents behavioural profiling by randomizing the rate at which characters reach the dom"

​

​https://chrome.google.com/webstore/detail/keyboard-privacy/aoeboeflhhnobfjkafamelopfeojdohk

​

​ - Type all your stuff into Notepad/Leafpad or whatever, and cut and paste into your browser

​

​Hopefully Tor will address this issue in an upcoming release.

​

​All of this stuff really needs to be put together into an AirVPN guide for everyone at some stage. Lots of knowledge to be tapped around here and various pitfalls to avoid e.g. IPv6 concerns, DNS leaks, WebRTC IP leaks, time-stamps, OpenVPN profiling, further ways to attempt network, session, ID abstraction and so on.

 

It is all in the forums, but pretty hit and miss.

[snaggle 25]

​All of this stuff really needs to be put together into an AirVPN guide for everyone at some stage. Lots of knowledge to be tapped around here and various pitfalls to avoid e.g. IPv6 concerns, DNS leaks, WebRTC IP leaks, time-stamps, OpenVPN profiling, further ways to attempt network, session, ID abstraction and so on.

 

It is all in the forums, but pretty hit and miss.

 

This forum, in fact the whole site is a really good resource IMO.

Totally agree that it can be hit and miss finding the correct info straight away.

Also agree a guide would really helpful.

 

Obviously it won't write its self, I would happily volunteer any spare time I have to helping.

[bigbrosbitch 65]

Hi Snaggle,

​

​I have writing experience in other fields and would be keen to start drafting something for AirVPN and other users in the near-term. As a civil libertarian, I believe everyone has the right to be free of interference when using or communicating on the net. If they want our shit, they should get a warrant. Full stop. Maybe AirVPN could think about some free VPN hours to those putting a bit of time into this resource?

 

​In the first instance, users probably require a 'Threat Assessment Model' resource to determine what level of computer security they need to attempt for their own purposes.

 

Models I have seen normally come down to about 7 levels, from the 1st level - just a normal user who uses VPN + basic firewalls etc (not really trying to hide) - all the way through to paranoid users who are the next Snowden or Silk Road 2.0 e.g. using virtual environments, chaining of virtual and VPN environments, + Tor, + identity separation, + PfSense + Tor Bridges + JonDoNym mixers + advanced hardware networking solutions + use of hidden onion addresses + MAC spoofing + intrusion detection + hidden encrypted containers inside encrypted volumes, encrypted swap, BIOS and other firmware updates etc etc.

​

​After users know where they sit on the threat continuum, then the tools they need to use to achieve their preferred level of anonymity/psuedo-anonymity can be further explored in a solid document. This would use materials on this website, plus 100s of pages of info I have already collated across numerous security forums.

 

It could be condensed down into something manageable e.g. I imagine 50 pages or so and split up into various chapters e.g. firewalls, general networking, O/S (host) configuration, using virtual environments, nesting/chaining VPN connections, advanced O/S e.g. Qubes/Whonix, whistleblowers e.g. TAILS, secure communication methods, using Tor safely, configuring browsers, OpenVPN configurations, SSH/SSL tunnelling, Tor over VPN/VPN over Tor, using Tomato/DD-WRT etc routers, open-source encryption options etc etc.

​

​Anyway, if you like this idea, I can start on the preliminary threat assessment article in the next week or so. Shouldn't take too long.

​

​PS Apparently the keyboard cadence finger-printing only works in Tor if you 'temporarily allow' scripts on that page. If you never allow scripts (not even for trusted websites), then apparently they CANNOT achieve this form of finger-printing (yet). Also, the mssfix value of 1360 also works for me, but agree the most common values need to be explored, so AirVPN users can 'hide in the crowd' and not make their signature MORE unique by accident i.e. very unusual directive in custom settings.

[snaggle 25]

Hey bigbrosbitch

 

It could be condensed down into something manageable e.g. I imagine 50 pages or so and split up into various chapters e.g. firewalls, general networking, O/S (host) configuration, using virtual environments, nesting/chaining VPN connections, advanced O/S e.g. Qubes/Whonix, whistleblowers e.g. TAILS, secure communication methods, using Tor safely, configuring browsers, OpenVPN configurations, SSH/SSL tunnelling, Tor over VPN/VPN over Tor, using Tomato/DD-WRT etc routers, open-source encryption options etc etc.

 

To me this sounds ideal, I see it as a work in progress that can evolve and develop.

If you have the talent and time to write then I think this is too good an offer to pass up, a well written guide would be a fantastic asset.

I'm intrested to know what other members of the community and staff think.

I believe anything we can do to help others achieve and maintain their privacy/rights online can only be a good thing.

[just-me 3]

befor mssfix 1250

 

and after inserting the fix

 

thx

[just-me 3]

1360 don't work for me on the same way like 1250

 

 

don't know why

[go558a83nk 377]

found something interesting today.  With another VPN provider I use I can use the "mssfix 0" setting and no openvpn is detected.  Witch reports an MTU of 1500.

 

But, with AirVPN the mssfix 0 setting does not disguise openvpn use and MTU is reported to be 1392.

 

here is the VPN config of the other provider:

proto udp
mssfix 0
dev tun
tls-client
ns-cert-type server
key-direction 1
comp-lzo
auth SHA1
cipher AES-256-CBC
keysize 256
verb 3
nobind
persist-tun
persist-key
mute-replay-warnings
script-security 2
ping 6
hand-window 20
socket-flags TCP_NODELAY
topology subnet
pull
route-metric 2
 

That provider also claims to normalize IP packet TTL to prevent VPN detection by TTL analysis. 

 

What could be the difference between the two VPN providers to cause this difference in result by witch?

[ivasja1987 0]

According to OpenVPN documentation mssfix works only with UDP protocol (--proto udp).

Could anyone describe what is going on when I use TCP protocol? Who decides to decrease MSS in this case?

I tried to play with --tun-mtu, but it doesn't give any effect.

Witch still detects my OpenVPN.

[Guest]

Im connected via TCP and it shows "no openvpn detected"

 

mssfix 1250

[LZ1 675]

Hi Snaggle,

​

​I have writing experience in other fields and would be keen to start drafting something for AirVPN and other users in the near-term. As a civil libertarian, I believe everyone has the right to be free of interference when using or communicating on the net. If they want our shit, they should get a warrant. Full stop. Maybe AirVPN could think about some free VPN hours to those putting a bit of time into this resource?

 

​In the first instance, users probably require a 'Threat Assessment Model' resource to determine what level of computer security they need to attempt for their own purposes.

 

Models I have seen normally come down to about 7 levels, from the 1st level - just a normal user who uses VPN + basic firewalls etc (not really trying to hide) - all the way through to paranoid users who are the next Snowden or Silk Road 2.0 e.g. using virtual environments, chaining of virtual and VPN environments, + Tor, + identity separation, + PfSense + Tor Bridges + JonDoNym mixers + advanced hardware networking solutions + use of hidden onion addresses + MAC spoofing + intrusion detection + hidden encrypted containers inside encrypted volumes, encrypted swap, BIOS and other firmware updates etc etc.

​

​After users know where they sit on the threat continuum, then the tools they need to use to achieve their preferred level of anonymity/psuedo-anonymity can be further explored in a solid document. This would use materials on this website, plus 100s of pages of info I have already collated across numerous security forums.

 

It could be condensed down into something manageable e.g. I imagine 50 pages or so and split up into various chapters e.g. firewalls, general networking, O/S (host) configuration, using virtual environments, nesting/chaining VPN connections, advanced O/S e.g. Qubes/Whonix, whistleblowers e.g. TAILS, secure communication methods, using Tor safely, configuring browsers, OpenVPN configurations, SSH/SSL tunnelling, Tor over VPN/VPN over Tor, using Tomato/DD-WRT etc routers, open-source encryption options etc etc.

​

​Anyway, if you like this idea, I can start on the preliminary threat assessment article in the next week or so. Shouldn't take too long.

​

​PS Apparently the keyboard cadence finger-printing only works in Tor if you 'temporarily allow' scripts on that page. If you never allow scripts (not even for trusted websites), then apparently they CANNOT achieve this form of finger-printing (yet). Also, the mssfix value of 1360 also works for me, but agree the most common values need to be explored, so AirVPN users can 'hide in the crowd' and not make their signature MORE unique by accident i.e. very unusual directive in custom settings.

Hello !

 

I don't know how far you actually got on that, but if you did post it, I'd love to see it. However I've already created a guide on getting started with AirVPN, which also acts as a collection point for the many useful threads we have on the forums already, relating to many different things; AirVPN policy, security, privacy, server locations and so forth. So if you do decide to embark on such a project, feel free to hit me up, as I'd love to help out if I can - even if it's just linking to each of your 50 page manuals, lol. I like the idea of a threat level thing; that'll allow us/me to abuse the spoiler tag even more than I've already done myself hahaha. We've got to keep it all accessible though - no requiring a PhD to understand the contents - otherwise few will read it and that'll all but defeat the purpose of it .

[mehāniskākaravīrs935 24]

Another tool out there to compromise the security of VPN users by exposing their usage of VPN. Netflix and other services no doubt want their dirty hands on it. If there is a fix it should be implemented in Eddie by default in the future.