Changes between Version 13 and Version 14 of doc/TorBOX/LeakTestsOld


Ignore:
Timestamp:
Sep 27, 2012, 11:43:19 PM (7 years ago)
Author:
proper
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • doc/TorBOX/LeakTestsOld

    v13 v14  
    1 [[TOC(noheading, depth=1)]]
    2 [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX aos Homepage] [[BR]]
    3 '''Old instructions for copy and paste. This is available now as a script, see [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/LeakTests LeakTests].'''
     1TorBOX has been renamed to Whonix.
    42
    5 This leak testing article was written by proper/hmoh and smarm for aos but it can be useful for other projects as well.
     3This page has been moved. The History of this page might still be interesting.
    64
    7 Discussion: “Leak testing” (as defined here), is the process of verifying that the aos-Gateway will not send unencrypted / “in the clear” network traffic.  Only Tor traffic should be observed coming from the aos-Gateway.
    8 
    9 = Leak through the aos-Gateway =
    10 Due to misconfiguration of the aos-Gateway the aos-Gateway might forward traffic for aos-Workstation which goes not trough Tor. The following tests are designed to test for such behaviour.
    11 
    12 == Step 0: restrict Tor outgoing ports while testing ==
    13 Why we do this will be clarified in Step 5.
    14 
    15 'nano /etc/tor/torrc' and uncomment
    16 {{{
    17 #+# #OptionalFeatureNr.6#
    18 #+# See aos/LeakTests. Activate this while testing for leaks. (Step 0)
    19 #+# Deactivate after you are done! (Important!) (Step 9)
    20 ReachableDirAddresses *:80
    21 ReachableORAddresses *:443
    22 }}}
    23 and restart Tor using '/etc/init.d/tor restart'
    24 
    25 This has to be undone after you finished testing. You will be reminded at the end of this chapter.
    26 
    27 == Step 1: Prepare the testing infrastructure ==
    28 
    29 Three tools are used during testing:
    30 
    31 [http://en.wikipedia.org/wiki/Scapy Scapy]: To create network traffic for testing.  It is also desirable that the network traffic used in testing does not expose you to possible violations of security!  Thus Scapy offers fine grained control over the creation of traffic for use with testing.  Functionality defined here can be formalized into [http://en.wikipedia.org/wiki/Unit_test “Unit Tests”] via [http://www.secdev.org/projects/UTscapy/ UTScapy].
    32 [[BR]]
    33 [http://en.wikipedia.org/wiki/Wireshark Wireshark]: Used to sniff network traffic.  Can be configured with fine grained [http://www.wireshark.org/docs/wsug_html_chunked/ChCapCaptureFilterSection.html “Capture Filters”], which can filter the traffic reported and captured by wireshark while sniffing traffic.
    34 [[BR]]
    35 [http://en.wikipedia.org/wiki/Python_%28programming_language%29 Python]: Used to support Scapy and can be used to easily script Scapy tests.
    36 
    37 Install `wireshark` to the aos-Gateway:
    38 {{{
    39 apt-get install tshark
    40 }}}
    41 
    42 Set capabilities to run wireshark with user privileges
    43 {{{
    44 sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
    45 }}}
    46 
    47 Install `scapy` to the aos-Workstation:
    48 {{{
    49 apt-get install python-scapy
    50 }}}
    51 (This automatically installs Python as a dependency of Scapy)
    52 
    53 == Step 2: Verify Wireshark is installed and working ==
    54 (aos-Gateway)
    55 
    56 '''Warning''': It is is unadvisable to run Wireshark as root. 'su user'
    57 [[BR]]
    58 Starting `Wireshark` without options will begin to capture packets on the first available interface:
    59 {{{
    60 tshark
    61 }}}
    62 
    63 You should see packets begin to scroll down the screen.  This indicates you are seeing normal network traffic (ARP, DHCP requests, Tor traffic, etc).  This will give you some idea of what to look for when we test for “leaked” traffic below.
    64 
    65 == Step 3: Verify Scapy is installed and working ==
    66 (aos-Workstation)
    67 
    68 Start Scapy with elevated privileges to allow both sending and receiving of packets:
    69 
    70 {{{
    71 sudo scapy
    72 }}}
    73 
    74 This should present you with an interactive prompt:
    75 
    76 {{{
    77 Welcome to Scapy 2.1.0
    78 >>>
    79 }}}
    80 
    81 Other “WARNING” or “INFO” items that appear when you start Scapy, are most likely not going to effect your use of Scapy for this testing.
    82 
    83 Type the `ls()` command, to see an overview of the protocols supported by Scapy:
    84 
    85 {{{
    86 >>> ls()
    87 }}}
    88 
    89 Type the `ls()` command and pass it a protocol type, to see information supported by that protocol and its packet construction:
    90 
    91 {{{
    92 >>> ls(IP)
    93 }}}
    94 
    95 Type the `exit()` command to end your interactive session with Scapy:
    96 
    97 {{{
    98 >>> exit()
    99 }}}
    100 
    101 See more information at the official [http://www.secdev.org/projects/scapy/doc/usage.html# Scapy documentation].
    102 
    103 == Step 4: Do a simple ping test ==
    104 (aos-Workstation)
    105 
    106 Since Scapy is scriptable via Python, we'll use Scapy from within a Python script for our testing.  An example script that creates a simple ICMP ping to the aos-Gateway's `eth1` interface:
    107 
    108 {{{
    109 nano simple_ping.py
    110 }}}
    111 Paste this code and save.
    112 {{{
    113 #! /usr/bin/env python
    114 
    115 # Since it will be useful to know something about the script, for the later tests, the terms are defined here:
    116 # (A discussion of Python language structure is beyond the scope of this document)
    117 
    118 # [1] http://en.wikipedia.org/wiki/Ipv4
    119 # [2] http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
    120 # [3] http://en.wikipedia.org/wiki/IP_routing
    121 # [4] http://en.wikipedia.org/wiki/Ping
    122 # [5] http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#List_of_permitted_control_messages_.28incomplete_list.29
    123 # [6] http://www.secdev.org/projects/scapy/doc/usage.html#send-and-receive-packets-sr
    124 # [7] http://www.secdev.org/projects/scapy/doc/usage.html#stacking-layers
    125 
    126 import sys
    127 from scapy.all import *
    128 
    129 # define the target gateway & data payload
    130 target = "192.168.0.1"
    131 data = "testing"
    132 
    133 # define packets
    134 # These define two variables, that are set to the object types IP and ICMP respectively. These objects in Scapy define the protocol type for IP (default IPv4) [1] and ICMP [2] respectively. And will send packets on the wire of these types when used.
    135 ip = IP()
    136 icmp = ICMP()
    137 
    138 # define packet parameters
    139 ip.dst = target
    140 
    141 # IP packets are used for routing [3] between networks on the Internet. So, we assign the destination (''dst'') in the IP portion of the packet we're going to assemble and send out.
    142 icmp.type = 8
    143 icmp.code = 0
    144 
    145 # Defines the type of ICMP message to send out. The ''8 type'' is a type defined as ''echo request'', e.g. a simple ping [4]. See a list here of  various types of ICMP [5] messages here.
    146 
    147 # The  sr1() [6] command will ''send and receive network traffic, returning the 1st packet received''.
    148 # The notation of ''ip/icmp/data'' is the notation for encapsulation of various instances of networking protocols [7]. Read it right to left: ''data encapsulated inside an ICMP message and encapsulated inside an IP datagram''.
    149 test_ping = sr1(ip/icmp/data)
    150 
    151 if isinstance(test_ping, types.NoneType):
    152         print "No response"
    153 else:
    154 # Prints a short report on the packet received (if any).
    155         test_ping.summary()
    156 }}}
    157 
    158 Which will report the first successful ping from `eth1` on the  aos-Gateway.
    159 
    160 To test, simply:
    161 {{{
    162 sudo python simple_ping.py
    163 }}}
    164 
    165 Which will report with something similar to:
    166 
    167 {{{
    168 Begin emission:
    169 .....Finished to send 1 packets.
    170 .*
    171 Received 7 packets, got 1 answers, remaining 0 packets
    172 }}}
    173 
    174 == Step 5: Setting up a “non-Tor traffic” capture with Wireshark ==
    175 (aos-Gateway)
    176 
    177 The command:
    178 {{{
    179 tshark -S -i eth0 -f "ip and src host 10.0.2.15 and not (port 80 or port 443 or port 9001 or port 9030 or ssh)"
    180 }}}
    181 (if you are not using VirtualBox NAT, you have to change the IP to your eth0 ip address, to find out that address type 'ifconfig')
    182 (TODO: make the command independent from the IP, use eth0)
    183 
    184 When started wireshark should show NO packet information on the screen, as opposed to above where we capture Everything.  To verify it's working correctly (and logging something, as opposed to logging nothing), (open a second SSH session or learn 'screen') from your aos-Gateway attempt to ping google.com.  This should show something similar to:
    185 
    186 {{{
    187 5.115829 <eth0 IP address> -> <nearby Google mirror> ICMP 98 Echo (ping) request  id=0x1010,
    188  seq=1/256, ttl=64
    189   5.184410 <eth0 IP address> -> <DNS server> DNS 86 Standard query PTR <some reverse IP>
    190 .in-addr.arpa
    191 }}}
    192 
    193 Where the IP and DNS names have been redacted to protect the innocent.
    194 
    195 Leave this capture running for subsequent tests.
    196 
    197 __Discussion__:
    198 [[BR]]
    199 (See the [http://www.wireshark.org/docs/man-pages/tshark.html tshark manual page] for more information)
    200 [[BR]]
    201 '''-S''': Decode and display packets even while writing raw packet data using the -w option.
    202 [[BR]]
    203 '''-i''': Set the name of the network interface or pipe to use for live packet capture.
    204 [[BR]]
    205 '''-f''': Set the capture filter expression.
    206 
    207 The “capture expression” (the bit in quotes above, after the '-f') reads: IP packets and from host 10.0.2.15 (your '''eth0 IP''' address) where the ports are NOT 80, 443, 9901 or 9030 ([https://trac.torproject.org/projects/tor/wiki/doc/TorFAQ#DoIhavetoopenalltheseoutboundportsonmyfirewall common ports for Tor, see the FAQ]).  The “ssh” keyword on the end is a predefined primitive in wireshark, used to define SSH traffic only.  Adding this should not effect your capture if you are not using SSH to connect to the gateway, but should save you quite a bit of trouble filtering out your SSH traffic if you are.
    208 
    209 See the [http://www.wireshark.org/docs/wsug_html_chunked/ChCapCaptureFilterSection.html  documentation for the format of the “capture filter” here], for more information.
    210 
    211 (Note: This may not cover all valid TOR traffic emiting from your aos, some Tor nodes may use non-standard ports and was observed during testing.  The FAQ above, also covers this.)
    212 
    213 == Step 6: Scapy traffic testing: IP packets ==
    214 (aos-Workstation)
    215 
    216 Other testing is in the same vein as our ping (above).
    217 
    218 __First__: We'll test IP datagrams of all types to see if any are emitted:
    219 
    220 {{{
    221 nano exhaustive_ip_send.py
    222 }}}
    223 Paste this code and save.
    224 {{{
    225 #! /usr/bin/env python
    226 
    227 import sys
    228 from scapy.all import *
    229 
    230 #define the target gateway & data payload
    231 target = "google.com"
    232 data = "testing"
    233 
    234 #define packet
    235 ip = IP()
    236 
    237 #define packet parameters
    238 ip.dst = target
    239 
    240 #loop through all IP packet types
    241 for ip_type in range(0,255):
    242         ip.proto = ip_type
    243         send(ip/data)
    244 }}}
    245 
    246 Run
    247 {{{
    248 sudo python exhaustive_ip_send.py
    249 }}}
    250 
    251 On  aos-Gateway you should see NO output from Wireshark.  Otherwise you may have discovered a leak.  [http://en.wikipedia.org/wiki/IPv4#Packet_structure Documentation on IP packet structure] and [http://en.wikipedia.org/wiki/List_of_IP_protocol_numbers IP Protocol numbers].
    252 
    253 == Step 7: Scapy traffic testing: TCP packets and ports ==
    254 (aos-Workstation)
    255 
    256 __Second__: We'll test TCP packets across all ports:
    257 (Note: This may appear as an '''ATTACK''' from some conservative ISP's / sites, use with caution.  Google fields many of these types of scan's per day, so testing like this is most likely lost in the noise)
    258 
    259 {{{
    260 nano tcp_test.py
    261 }}}
    262 Paste this code and safe.
    263 {{{
    264 #! /usr/bin/env python
    265 
    266 import sys
    267 from scapy.all import *
    268 
    269 #define the target gateway & data payload
    270 target = "google.com"
    271 data = "testing"
    272 
    273 #define packets
    274 ip = IP()
    275 tcp = TCP()
    276 
    277 #define packet parameters
    278 ip.dst = target
    279 
    280 #loop through all TCP ports
    281 for tcp_port in range(0,65535):
    282         tcp.dport = tcp_port
    283         send(ip/tcp/data)
    284 }}}
    285 
    286 Run
    287 {{{
    288 sudo python tcp_test.py
    289 }}}
    290 
    291 Again aos-Gateway should report NO activity, otherwise we've found a leak [http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers TCP / UDP port number documentation].
    292 
    293 == Step 8: Scapy traffic testing: UDP packets and ports ==
    294 (aos-Workstation)
    295 
    296 __Third__: We'll test UDP packets across all ports:
    297 [[BR]]
    298 (Note: This may also be construed as an attack, Google is a good target for this, just as with the TCP test)
    299 
    300 {{{
    301 nano udp_test.py
    302 }}}
    303 Paste this code and safe.
    304 {{{
    305 #! /usr/bin/env python
    306 
    307 import sys
    308 from scapy.all import *
    309 
    310 #define the target gateway & data payload
    311 target = "google.com"
    312 data = "testing"
    313 
    314 #define packets
    315 ip = IP()
    316 udp = UDP()
    317 
    318 #define packet parameters
    319 ip.dst = target
    320 
    321 #loop through all TCP ports
    322 for udp_port in range(0,65535):
    323         udp.dport = udp_port
    324         send(ip/udp/data)
    325 }}}
    326 
    327 Run
    328 {{{
    329 sudo python udp_test.py
    330 }}}
    331 
    332 Again, check for leaks.  [http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers TCP / UDP port number documentation].
    333 
    334 == Step 9: undo Step 0 ==
    335 Undo Step 0 now!
     5https://sourceforge.net/p/whonix/wiki/LeakTestsOld/