Detecting Anonymous Proxy Usage Final Report


6.5 CGI Proxy Detection


The CGI proxy differs from the previous two proxy servers. The previous two proxies transfer their packets over port 80, while the CGI script runs on a secure server and goes through port 443. A sample of a network packet from a CGI proxy web script is as follows:

‘Destination MAC : 70:72:3c:db:c3:19 Source MAC : ac:72:89:8e:4a:9f Protocol : 8 Version : 4 IP Header Length : 5 TTL : 128 Protocol : 6 Source Address : 192.168.1.101 Destination Address : 74.125.24.94 Source Port : 19516 Dest Port : 443 Sequence Number : 2955026867 Acknowledgement : 210236496 TCP header length : 5
Data : [encrypted payload; the captured bytes are not printable]’

The data in the network packet is encrypted, because it passes through a secure server using the Secure Sockets Layer (SSL) protocol. This makes it extremely difficult to find the characteristics needed to determine whether a CGI proxy is in fact being used. Decrypting the data without the encryption key would take many years, which unfortunately means it is impossible to provide the criteria necessary to detect the CGI proxy. The only visible data that can be taken from these packets is the protocol and the port number, and port 443 is used by every website that serves ‘https’, including Gmail, Facebook and all banking websites.

When testing the different CGI proxies available online, it was noted that they all use SSL. 100% of the CGI proxies viewed online charged a subscription fee, which could cost up to €120 a year, or €20 per month if paid monthly. Because of this fee they are not as common as Glype or PHPProxy, both of which offer their services for free. This only applies to the proxies using SSL, however: the CGI proxy can also be run without SSL, though the CGI webpage [37] strongly recommends that it be used on a secure server.

Since the CGI script can be implemented on an unsecured server, the packets would then be readable. A sample of a packet produced by a CGI proxy script running on an unsecured server is:

“Destination MAC : 70:72:3c:db:c3:19 Source MAC : ac:72:89:8e:4a:9f Protocol : 8 Version : 4 IP Header Length : 5 TTL : 128 Protocol : 6 Source Address : 192.168.1.103 Destination Address : 193.200.150.125 Source Port : 8065 Dest Port : 80 Sequence Number : 705234219 Acknowledgement : 1875896103 TCP header length : 5
Data : GET /cgi-bin/anon-www.cgi/http://static.guim.co.uk/sys-images/Books/Pix/pictures/2013/3/12/1363108898432/Sheryl-Sandberg-COO-Faceb-003.jpg HTTP/1.1
Host: anonymouse.org
Connection: keep-alive
Accept: image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36
Referer: http://anonymouse.org/cgi-bin/anon-www.cgi/http://www.theguardian.com/uk/business
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: __qca=P0-1151656657-1392741294427; _cb_ls=1; noticebar_cookie=2; eas_uid=8-1395255058502723820; ASP.NET_SessionId=zi1ventn2riib5r4gdkubmg0; SERVERID=web_111_121-3138; _chartbeat2=f6n7i50i5c7nt01g.1392741314017.1395255062698.0000000000000001; _chartbeat_uuniq=2; fsr.s=%7B%22v2%22%3A-2%2C%22v1%22%3A1%2C%22rid%22%3A%22d445cf4-83876450-6204-de6a-0a0d4%22%2C%22to%22%3A4.1%2C%22c%22%3A%22http%3A%2F%2Fanonymouse.org%2Fcgi-bin%2Fanon-www.cgi%2Fhttp%3A%2F%2Fwww.theguardian.com%2Fuk%2Fmoney%22%2C%22pv%22%3A2%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A2%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1395255063699%7D; _p__cb_cp=l0betj8frczgu1l0; _p__chartbeat4=t=l0betj8frczgu1l0&E=2&ad=Top%3D2%3A%3A211%3A%3A50%3A%3A940%3A%3A101%3A%3A%3A%3A&x=0&c=0.02&y=3403&w=667; _cb_cp=r4kjxazsqhiwnda1; _chartbeat4=t=r4kjxazsqhiwnda1&E=1&x=0&c=0.02&y=3403&w=667; NSC_MC_WT_172.25.9.184_80=ffffffffaf1114dd45525d5f4f58455e445a4a423660; NSC_MC_W”

The main difference between the CGI proxy and the previous two proxies is the use of a .cgi script instead of a .php one. The protocol is ‘HTTP’, the command used is ‘GET’, and it also uses port 80. Therefore the four characteristics used to determine the usage of an unsecured CGI proxy script are: HTTP, GET, .cgi and Dest Port : 80.

Figure - CGI Regular Expressions and Matching Statement

Figure shows the format of the code, which is similar to that of the other two proxies, the only difference being the extra matching string. If every one of the characteristics is matched in the network packet, the result is written to the log first and then printed to the console. The result printed to the console can be seen in Figure .



Figure - CGI Proxy Usage Detected


6.6 Tor Browser Detection


The code for the Tor Browser was the last to be implemented. Its detection characteristics are completely different from those of the other three proxies, mainly because of the randomness of the network packets when the Tor Browser is in use. The Tor Browser uses many different ports when sending and receiving packets: 9001, 9002, 9003, 9004, 9030, 9031, 9032, 9033, 9150 and 9151. It also uses port 80, which is used for all normal web browsing that does not use SSL, and port 443, which is used for secure browsing. Ports 80 and 443 are the two the Tor Browser uses most, but they cannot be used to identify the onion routing application, as all normal web browsing would then be flagged up as using the browser; therefore the other ports listed have to be used to identify it. This unfortunately means the Tor Browser could be in use for many minutes before it is flagged up on the screen.

A sample of a network packet from the Tor Browser is the following:

“Destination MAC : ac:72:89:8e:4a:9f Source MAC : 70:72:3c:db:c3:19 Protocol : 8 Version : 4 IP Header Length : 5 TTL : 48 Protocol : 6 Source Address : 131.188.40.188 Destination Address : 192.168.1.101 Source Port : 80 Dest Port : 22518 Sequence Number : 1739336269 Acknowledgement : 1073756582 TCP header length : 5
Data : [encrypted payload; the captured bytes are not printable]”

When examining the packet there were a few interesting pieces of data. Firstly, the port used was port 80, which generally means the data in the packet can be read; in this instance, however, the data is encrypted and no details can be taken from it. Secondly, the Source Address was 131.188.40.188. When this IP was looked up it was found in a list of known Tor nodes, which verified that it was indeed a packet from the Tor Browser. The source address is therefore useful for verifying that the Tor Browser is in use; however, because of the large number of IP addresses in the Tor network, it is not possible to add them to the characteristics. This leaves the ports listed above as the only way to identify it, and because of this the accuracy of the detection may not always be 100%.

Figure - Tor Regular Expression and Matching Statements

One of the main differences in the code is the use of the operator ‘or’ instead of ‘and’. The system does not have to match three or four different characteristics; matching any one of them is enough to flag it up on the console.

Figure - Onion Routing Usage Detected

Figure shows the outcome on the IDLE console when onion routing has been detected. The network administrator can then view the log and check that the IP is in fact on the list of known Tor nodes.

Another port the Tor Browser uses is port 9100. This port, however, is often used by wireless printers, and including it would create a large number of false positives; because of this it was decided that leaving that port out of the detection string was the best course of action.
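The two matching rules described in sections 6.5 and 6.6 (all four CGI characteristics combined with ‘and’, any one Tor port combined with ‘or’, with port 9100 deliberately left out) can be written as a small Python detector that reads the sniffer's "Field : value" records. The code below is an added example, not the report's own code or its figures: the record parser, the function names, the `known_tor_nodes` verification set and all sample records are constructed here, with the CGI request shortened and its cookie dropped, and the `@PJL` printer line standing in for a real print job.

```python
import re
from typing import Dict, Iterable, List, Optional

# Ports the report lists for the Tor Browser (section 6.6). Port 9100 is
# left out, as the report decided, because network printers use it and it
# produced too many false positives; 80 and 443 are ordinary web traffic.
TOR_PORTS = {9001, 9002, 9003, 9004, 9030, 9031, 9032, 9033, 9150, 9151}

# The four characteristics for an unsecured CGI proxy (section 6.5):
# HTTP, GET, .cgi and Dest Port : 80. Every one of them must match ('and').
CGI_DEST_PORT = 80
CGI_DATA_RULES = [
    re.compile(r"^GET\s", re.MULTILINE),   # GET request line
    re.compile(r"\bHTTP/1\.[01]\b"),       # plain HTTP, not TLS
    re.compile(r"\.cgi\b"),                # script path such as anon-www.cgi
]

# Header fields as the sniffer prints them: "Name : value" pairs, sometimes
# run together without a space, then "Data : <payload>" to the end of the record.
PACKET_RE = re.compile(
    r"Source Address : (?P<src_ip>[\d.]+)\s+"
    r"Destination Address : (?P<dst_ip>[\d.]+)\s*"
    r"Source Port : (?P<src_port>\d+)\s+Dest Port : (?P<dst_port>\d+)\b.*?"
    r"Data : (?P<data>.*)",
    re.DOTALL,
)

# Constructed sample records (not captures from the report). The first follows
# the layout of the section 6.5 packet; the rest are made up for each case.
KNOWN_TOR_NODES = {"131.188.40.188"}  # constructed stand-in for a Tor node list
SAMPLE_RECORDS = [
    # unsecured CGI proxy request: all four characteristics present
    "Destination MAC : 70:72:3c:db:c3:19 Source MAC : ac:72:89:8e:4a:9f Protocol : 8"
    "Version : 4 IP Header Length : 5 TTL : 128 Protocol : 6 "
    "Source Address : 192.168.1.103 Destination Address : 193.200.150.125"
    "Source Port : 8065 Dest Port : 80 Sequence Number : 705234219 "
    "Acknowledgement : 1875896103 TCP header length : 5Data : "
    "GET /cgi-bin/anon-www.cgi/http://www.example.test/picture.jpg HTTP/1.1\r\n"
    "Host: anonymouse.org\r\nConnection: keep-alive\r\n",
    # Tor Browser talking to a relay on 9001; payload encrypted, only the port tells
    "Source Address : 192.168.1.101 Destination Address : 131.188.40.188"
    "Source Port : 22518 Dest Port : 9001 Sequence Number : 1 Acknowledgement : 1 "
    "TCP header length : 5Data : \x16\x03\x01 (encrypted)",
    # ordinary HTTPS browsing on 443: must not be flagged
    "Source Address : 192.168.1.101 Destination Address : 74.125.24.94"
    "Source Port : 19516 Dest Port : 443 TCP header length : 5Data : \x17\x03\x03 (encrypted)",
    # print job to a network printer on 9100: excluded on purpose
    "Source Address : 192.168.1.101 Destination Address : 192.168.1.50"
    "Source Port : 40000 Dest Port : 9100 TCP header length : 5Data : @PJL INFO STATUS",
    # plain HTTP GET for a .php page: three of four CGI characteristics, so no alert
    "Source Address : 192.168.1.101 Destination Address : 203.0.113.10"
    "Source Port : 40001 Dest Port : 80 TCP header length : 5Data : GET /index.php HTTP/1.1\r\n",
]


def parse_packet(record: str) -> Optional[Dict[str, object]]:
    """Pull the fields the detectors need out of one sniffer record."""
    m = PACKET_RE.search(record)
    if m is None:
        return None
    return {
        "src_ip": m["src_ip"],
        "dst_ip": m["dst_ip"],
        "src_port": int(m["src_port"]),
        "dst_port": int(m["dst_port"]),
        "data": m["data"],
    }


def is_cgi_proxy(pkt: Dict[str, object]) -> bool:
    """Section 6.5 rule: destination port 80 and every data regex must match."""
    if pkt["dst_port"] != CGI_DEST_PORT:
        return False
    return all(rule.search(pkt["data"]) for rule in CGI_DATA_RULES)


def is_tor_port(pkt: Dict[str, object]) -> bool:
    """Section 6.6 rule: one listed port on either side is enough ('or')."""
    return pkt["src_port"] in TOR_PORTS or pkt["dst_port"] in TOR_PORTS


def scan(records: Iterable[str], known_tor_nodes: Iterable[str] = ()) -> List[str]:
    """Return one alert line per flagged packet; the caller logs, then prints."""
    nodes = set(known_tor_nodes)
    alerts: List[str] = []
    for record in records:
        pkt = parse_packet(record)
        if pkt is None:
            continue  # record did not come from the sniffer layout
        flow = f"{pkt['src_ip']}:{pkt['src_port']} -> {pkt['dst_ip']}:{pkt['dst_port']}"
        if is_cgi_proxy(pkt):
            alerts.append(f"CGI proxy usage detected: {flow}")
        elif is_tor_port(pkt):
            # The port is the only characteristic; the administrator's follow-up
            # check against a Tor node list is recorded as confirmed/unverified.
            status = "confirmed" if nodes & {pkt["src_ip"], pkt["dst_ip"]} else "unverified"
            alerts.append(f"Onion routing usage detected ({status} Tor node): {flow}")
    return alerts


if __name__ == "__main__":
    # Log first, then console, in the order the report describes.
    for line in scan(SAMPLE_RECORDS, KNOWN_TOR_NODES):
        with open("proxy_detect.log", "a", encoding="utf-8") as log:
            log.write(line + "\n")
        print(line)
```

Run against the five constructed records, only the CGI request and the port 9001 connection produce alerts; the HTTPS packet, the printer job on 9100 and the plain `.php` request are left alone, which is exactly the false-positive trade-off the two sections describe.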
