Risk Analysis Tools
This chapter introduces tools for checking that your proxy network is set up properly and working as it should, and for monitoring whether your machine is compromised or misconfigured.
Wireshark is a free network protocol analyser, available for Windows and included in many Linux distributions.
The first toolbar button lists the network interfaces of your machine. If you have one Ethernet controller card, you will see only one active interface in the list, with its packet counter increasing. Pressing the Start button next to the interface starts capturing packets. As you will see, it is difficult to find useful data if you capture all packets.
To set up a capture filter, first stop any capturing and click the Options button. Enter the filter criteria in the "Capture Filter" field before starting to capture packets again. The other options can be left at their default values. The filter elements are:
- host - the IP of the source or destination computer, which can be further specified with src or dst.
- port - typically 80 for HTTP traffic on a Windows machine, 9050 for Tor and 8118 via Privoxy.
- protocol - http for plain hypertext, udp for local network data packets.
- operators - any filter criterion can be prefixed with "not", and criteria can be joined with "and" or "or".
If you are directly connected to the internet via a modem, you may see your external IP on the interface. If you are behind a firewall or router, your private IP may start with 192.168.xxx.xxx. If you are on a local area network, including a virtual one, your IP may start with 10.xxx.xxx.xxx.
If you want to capture any spyware reporting to base, you can try:
- src 192.168.0.100 and not dst 192.168.0.1
You are only interested in packets originating from your machine, 192.168.0.100, that do not end at your firewall, 192.168.0.1. If you capture packets for a long duration, you should stop other internet activities, such as the Windows updater and Google updater. If there are any suspicious external IPs, you can look up their owner and location.
When your browser needs to connect to www.torproject.org, for example, it has to resolve the hostname into an IP address such as 126.96.36.199. In earlier versions of Firefox, this DNS request did not go through the proxy port specified in the options, so anyone spying on you could see the destination you were about to visit.
In the latest versions of Firefox, the DNS request goes through the proxy port by default. However, browser extensions are given full access to your machine, allowing them to make their own DNS requests that bypass Tor.
To check for DNS leaks, the filter is simply the port DNS uses:
- port 53
If you are running a VPN and a browser, it is simple to check whether the VPN is working by checking your IP address at whatismyip.com, for example. If you are running a proxy chain, you can enable and check each stage individually. Any malfunction will halt the HTTP traffic.
For other applications such as instant messaging, it is not so straightforward. Also, when you run another proxy client on top of a VPN, your IP becomes that of the proxy server, regardless of whether the VPN is working.
When you look at the list of interfaces in Wireshark, you can see your original Ethernet controller plus a virtual VPN adapter, with packets travelling on both interfaces. Any application packets will now go through the VPN adapter instead of the Ethernet controller. The VPN client reformats and encrypts/decrypts these packets for transport between your Ethernet controller and the VPN server. For more efficient transport, VPNs use the UDP protocol exclusively. To check whether any packets leak directly to the internet, the filter is:
- not host 192.168.0.1 and not udp
Any packets for the VPN tunnel and for the local firewall are rejected, so there should be no captured packets if the VPN is fully functional. The TCP protocol can also be used, with SSL encryption for example, as in OpenVPN.
If two VPNs are chained by the use of a virtual machine, the external destination of the packets at the host should be the IP address of a single VPN server only, while the guest communicates with the other VPN server.
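To make the three capture filters in this chapter concrete (the spyware filter, the port 53 DNS check and the VPN leak check), here is an added Python example that is not part of the original page: it evaluates the page's capture-filter subset (host, src, dst, port, udp, tcp, not, and, or) over a small constructed capture. The VPN server 203.0.113.10 on UDP 1194 and the 198.51.100.x destinations are assumed sample values.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto sport dport")  # proto: "tcp" or "udp"

def _term(tokens, i, pkt):
    """Evaluate one primitive, or 'not' primitive; return (value, next index)."""
    tok = tokens[i]
    if tok == "not":
        val, i = _term(tokens, i + 1, pkt)
        return (not val), i
    if tok in ("udp", "tcp"):
        return pkt.proto == tok, i + 1
    arg = tokens[i + 1]  # host/src/dst/port each take one argument
    if tok == "host":
        return arg in (pkt.src, pkt.dst), i + 2
    if tok in ("src", "dst"):
        return getattr(pkt, tok) == arg, i + 2
    if tok == "port":
        return int(arg) in (pkt.sport, pkt.dport), i + 2
    raise ValueError(f"unknown filter keyword: {tok}")

def _conjunction(tokens, i, pkt):
    """'and' binds tighter than 'or', as in the real capture-filter syntax."""
    val, i = _term(tokens, i, pkt)
    while i < len(tokens) and tokens[i] == "and":
        rhs, i = _term(tokens, i + 1, pkt)
        val = val and rhs
    return val, i

def matches(filter_text, pkt):
    """True if pkt would be shown by Wireshark under this capture filter."""
    tokens = filter_text.lower().split()
    val, i = _conjunction(tokens, 0, pkt)
    while i < len(tokens) and tokens[i] == "or":
        rhs, i = _conjunction(tokens, i + 1, pkt)
        val = val or rhs
    if i != len(tokens):
        raise ValueError(f"unexpected token: {tokens[i]}")
    return val

# Constructed sample capture: 192.168.0.100 is our host, 192.168.0.1 the gateway,
# 203.0.113.10 the VPN server (UDP 1194 assumed); 198.51.100.x packets left the tunnel.
SAMPLE = [
    Packet("192.168.0.100", "203.0.113.10", "udp", 51000, 1194),  # VPN tunnel
    Packet("192.168.0.100", "192.168.0.1", "tcp", 52000, 80),     # gateway admin page
    Packet("192.168.0.100", "198.51.100.53", "udp", 53001, 53),   # DNS leak
    Packet("192.168.0.100", "198.51.100.7", "tcp", 53002, 80),    # plain HTTP leak
    Packet("203.0.113.10", "192.168.0.100", "udp", 1194, 51000),  # tunnel reply
]
```

Run `[p.dst for p in SAMPLE if matches("not host 192.168.0.1 and not udp", p)]` and only the plain HTTP leak is reported: because that filter drops all UDP, it never surfaces the DNS leak on port 53, which is why the separate `port 53` check is needed alongside it.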
Forwarded Traffic Monitoring
You can confuse an adversary who is spying on you by hiding your traffic among that of other users. You can run a relay for Tor, forward other users' traffic for JonDo, and use Skype via GPass. With Wireshark, you can see when and what types of traffic are arriving. If you time your low-latency traffic to coincide with other users', it is harder to trace where you are visiting.