How NOT to use I2P and TOR

CarderPlanet

Or, a tale of unexpected ways to expose users of distributed anonymizing networks.

Users of anonymous networks and browsers mostly use them to visit blocked or otherwise protected sites. Not all of them expect the very fact of the visit to stay anonymous. If anonymity does not concern you, the rest of this article will most likely not interest you.

The rest are invited below the cut, where you can read the abstract reasoning of a novice paranoid on how users of anonymous browsers can be exposed.

Statement

The author bears no responsibility for any paranoia you may develop while reading this publication. Nor, for that matter, for the reliability of the information it contains.

Attack vectors

We will not go into the internals of these networks or try to break them. As everyone knows, even in the most perfect protection the weak link is the human. So we will talk about methods that bypass the distributed protocols altogether and exploit typical mistakes of users, of configuration, or of the software itself.

By de-anonymization, we mean the disclosure of the user's real IP address.

Fingerprinting

If a user uses the same browser for the regular and the "anonymous" network, they can easily be identified through its fingerprint. The fingerprint is captured during the "anonymous" browsing session and then looked up in the fingerprint databases that Google, Facebook and other organizations, including government institutions of various countries, keep in the billions.

There are many ways to take a fingerprint and they are all well known, so I will not list them here. Use a separate browser for surfing the "closed" Internet. And even there it is advisable to wipe the history after each use.

The ability to access the regular network

Suppose you use a separate browser to surf the "closed" network. But if that browser retains any fundamental ability to reach the regular Internet while bypassing the "secure network", then a site in the onion / i2p domain can use that ability to de-anonymize you by making the browser send a request to an address of the site's choosing. This can be done via HTTP, DNS, WebRTC, etc.

To avoid this, at the very least deny this browser, in the firewall, all incoming and outgoing connections to any IP except localhost and the port on which your anonymizing proxy listens.

You cannot do this if the anonymizer is built into the browser and runs in the same process.

In addition, you must somehow make sure that the browser will under no circumstances use the operating system API for resolving DNS names and the like.

You can check the latter by issuing a request from the address bar while watching the traffic in Wireshark or tcpdump at the same time.

Non-standard protocols

Besides http:// and https:// there are other protocols, each with holes of its own. For example file:// and smb://, which can be used to force your browser / OS to send a request to an address of the attacker's choosing.

All protocols except http:// and https:// must be permanently disabled in the browser.

GPS coordinates / microphone / camera in the browser

Obvious, but it is a very simple and stupid way to get burned.

Holes in the browser

Also fairly obvious: browsers are a sieve. They must be updated regularly. But even that will not save you much; sooner or later a new hole appears.

Browser plugins

Yes, be careful with browser plugins. They may have vulnerabilities of their own, they can see everything you do, and in some cases they can send data outside.

Antivirus

Your antivirus can de-anonymize you. How?

A site in the onion / i2p domain simply lets you download a unique page or file. The browser saves it to disk. Before scanning the file against the "billion" known viruses, your antivirus may first look up the hash of that file in the antivirus company's database, or in a distributed network that unites all its users. And so you are de-anonymized.

OS telemetry

Yes, your OS may have a built-in antivirus or telemetry tools, which likewise do not hesitate to collect hashes of your files and send them to the "clouds".

What to do

I recommend using a virtual machine isolated from the network, which is automatically stopped when unexpected traffic (anything other than Tor / I2P) is detected coming from its IP address.

The monitoring must be external: on another VM or, better, on another physical host.

I recommend an approach based on three types of traffic from the virtual machine:
  1. Green - only access to the I2P / TOR proxy running on ANOTHER virtual machine. The VM itself should in principle have no way to reach the open Internet or to learn the user's external IP.
  2. Yellow - third-party traffic that has already been analyzed and found to be legitimate. It is blocked completely. "Legitimate" here means only that we will not stop the VM when it is detected, but simply block it. Examples are attempts by Windows to reach Windows Update or to send telemetry. (Just in case, I will clarify that mentioning Windows here as a guest is more of a joke than a recommendation.)
  3. Red - everything else. Blocked completely. In addition, as soon as it is detected the VM is stopped immediately, and the traffic recording (kept continuously by the monitoring) and the state of the VM are analyzed. Based on the results, the traffic is either reclassified as "yellow" or its source / the hole in the system is identified. In the latter case, if the traffic cannot be reliably recognized as "yellow", I recommend rolling the VM back to "factory settings". In general, I recommend rolling back to "factory settings" after each use.

This VM should not be used for anything other than surfing secure networks. And be careful with the license keys of the software, the MAC addresses and the hardware serial numbers that the OS of this VM sees, since all of that can be leaked just fine through the secure network without triggering the VM's automatic shutdown mechanisms. For this reason I strongly discourage doing all this on real hardware.
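The firewall / DNS-leak check from the "ability to access the regular network" section and the three-colour policy just described, as an added example that is not from the original post: a small monitor that classifies outbound flows from the browsing VM as green, yellow or red and decides when the guest must be stopped. The lab addresses, proxy ports, yellow list and flow record format are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
# Constructed lab layout (assumed, not from the post): the browsing guest and the
# proxy VM share a host-only network; nothing else should ever be reachable.
LAB_NET = ipaddress.ip_network("10.0.0.0/24")
PROXY_VM = "10.0.0.2"              # the OTHER VM that runs the Tor / I2P proxies
PROXY_PORTS = {9050, 4444, 4447}   # Tor SOCKS, I2P HTTP proxy, I2P SOCKS (upstream defaults)
# "Yellow" allow-list: destinations already analysed and found legitimate (guest OS
# update / telemetry). They are dropped but do not stop the VM. Addresses constructed.
YELLOW = {"203.0.113.20": "guest update service", "203.0.113.21": "guest telemetry"}
@dataclass
class Verdict:
    flow: str
    colour: str   # "green" | "yellow" | "red"
    reason: str

def classify(flow: str) -> Verdict:
    """Classify one outbound record 'proto src:port dst:port' captured from the guest."""
    proto, _src, dst = flow.split()
    dst_ip, port = dst.rsplit(":", 1)
    port = int(port)
    if proto == "tcp" and dst_ip == PROXY_VM and port in PROXY_PORTS:
        return Verdict(flow, "green", "anonymising proxy on the proxy VM")
    if port == 53:   # DNS outside the proxy is the classic leak: red even inside the lab
        return Verdict(flow, "red", "DNS query bypassing the proxy")
    if dst_ip in YELLOW:
        return Verdict(flow, "yellow", YELLOW[dst_ip])
    if ipaddress.ip_address(dst_ip) in LAB_NET:
        return Verdict(flow, "red", "unexpected traffic inside the lab network")
    return Verdict(flow, "red", "direct connection to the open Internet")

def monitor(flows):
    """Apply the policy: green passes, yellow is dropped, the first red also stops the VM."""
    allowed, dropped, stop_reason = [], [], None
    for flow in flows:
        v = classify(flow)
        (allowed if v.colour == "green" else dropped).append(v)
        if v.colour == "red" and stop_reason is None:
            stop_reason = v.reason   # real deployment: power the guest off here, keep the pcap
    return allowed, dropped, stop_reason

# Constructed sample of guest (10.0.0.10) flows, e.g. post-processed tcpdump output from
# the monitoring host; the record format itself is an assumption of this example.
SAMPLE_FLOWS = [
    "tcp 10.0.0.10:41022 10.0.0.2:9050",     # Tor SOCKS on the proxy VM  -> green
    "tcp 10.0.0.10:41023 10.0.0.2:4444",     # I2P HTTP proxy             -> green
    "tcp 10.0.0.10:41030 203.0.113.20:443",  # guest OS update attempt    -> yellow
    "udp 10.0.0.10:50012 10.0.0.1:53",       # DNS leak to the gateway    -> red, stop VM
    "tcp 10.0.0.10:41031 198.51.100.7:443",  # direct HTTPS to the Internet -> red
]
```

Running `monitor(SAMPLE_FLOWS)` passes the two proxy flows, drops the other three, and reports the DNS leak as the reason to stop the guest; a non-TCP flow to the proxy port is red as well, since only the proxy's own TCP service is green.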

Cameras / microphones within reach

Cameras are fairly obvious; I hope nobody would think of browsing closed sites in front of a camera. Microphones on other devices are not so obvious, though.

When you type a message on a "secure" site, that site (or a script injected into it) can measure the intervals between your keystrokes.

Interestingly, this information can be extracted even from an encrypted TCP / HTTPS session by measuring the intervals between IP packets.

A microphone within range (for example, in your cell phone) can do the same. From this a special index can be built which, much like the service that identifies a song playing in the background, can determine that it is you typing the message.

Disabling JS helps partially, but the mouse clicks made while navigating between pages do not go away, so keep microphones away from your workplace.

PS Good paranoia, comrades!