SusmithKrishnan / torghost

TorGhost is an anonymization script. TorGhost redirects all internet traffic through the Tor SOCKS5 proxy. DNS requests are also redirected via Tor, thus preventing DNS leaks. The script also disables unsafe packets exiting the system, since some packets, such as ping requests, can compromise your identity.
GNU General Public License v3.0
851 stars 281 forks

Warning : leaks when using Nessus #44

Closed hybla0 closed 3 years ago

hybla0 commented 4 years ago

@SusmithKrishnan Hi, I am having leak issues when running a scan with Nessus: Wireshark shows that the packets go directly to the target without passing through the tor guard IP. It seems Nessus is able to bypass iptables.

toxyl commented 4 years ago

Not sure if it's related but I noticed that the real IP is sometimes leaked when switching circuits. That also happens if switching circuits failed. Are you certain that you are successfully connected?

hybla0 commented 4 years ago

@Toxyl I don't know about that issue. I just discovered that while other applications go through the tor guard IP, Nessus doesn't and makes a direct connection to the target. How do you know the IP is leaked? Did you check for leaks using https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy#Checkingforleaks ?

toxyl commented 4 years ago

@hybla0 I had a test script running that repeatedly grabs my public IP (from my own IP service and other publicly available ones) and prints a warning when it matches my real IP. The problem is that switching circuits doesn't always work which then leaves you open.

hybla0 commented 4 years ago

@Toxyl can you share that script? I was unaware of this, I thought that by analyzing traffic with wireshark/tcpdump I could detect any leaks. Does this happen only when you use "torghost switch" or every 10 minutes when tor automatically switches circuits?

toxyl commented 4 years ago

Basic gist:

#!/bin/bash
# Fetch the public IP as seen by the outside world and compare it with the
# real (non-Tor) address; -s keeps curl's progress output off the terminal.
if [ "$(curl -s https://www.icanhazip.com/ | tr -d "\n")" == "123.123.123.123" ] ; then
    echo "damn"
else
    echo "all good"
fi

Save that to a file (e.g. my-ip.sh), make it executable and then you can run it with watch:

watch ./my-ip.sh

In my test case I had another script running that would run torghost switch every X requests, so manually switching.

SusmithKrishnan commented 4 years ago

> Not sure if it's related but I noticed that the real IP is sometimes leaked when switching circuits. That also happens if switching circuits failed. Are you certain that you are successfully connected?

I checked the issue. It's working fine and there is no problem or leak while switching.

SusmithKrishnan commented 4 years ago

> Basic gist:
>
> if [ "$(curl https://www.icanhazip.com/ | tr -d "\n")" == "123.123.123.123" ] ; then
>     echo "damn"
> else
>     echo "all good"
> fi
>
> Save that to a file (e.g. my-ip.sh), make it executable and then you can run it with watch:
>
> watch ./my-ip.sh
>
> In my test case I had another script running that would run torghost switch every X requests, so manually switching.

This script is faulty, it seems. There is some problem with the string evaluation; try this one:

#!/usr/bin/env python3
from requests import get
import time

# Poll a public IP echo service once a second and flag any response that
# matches the real (non-Tor) address.
while True:
    ipaddr = get('https://api.ipify.org', timeout=10).text
    if ipaddr == "12.34.56.78":
        print("oopsie")
    else:
        print("nevermind")
    time.sleep(1)

and check if the problem is still there.

toxyl commented 4 years ago

> > Not sure if it's related but I noticed that the real IP is sometimes leaked when switching circuits. That also happens if switching circuits failed. Are you certain that you are successfully connected?
>
> I checked the issue. its working fine and there is no problem or leak while switching

In my case it happened randomly. I fixed it by adding an extra check in the switching code that checks the control channel connection info repeatedly until it reports a successful connection and then checks the IP. There are situations where it deadlocks (control channel reports a successful connection, but the internet connection isn’t working) but I didn’t implement handling for that because I was fine with the VM running torghost to deadlock rather than risking IP leakage. And it happens rarely since I added checking the control channel.
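The fail-closed switch described in the comment above, written out as an added example (this is not torghost's code and not the commenter's fix): request a new identity over Tor's control port, poll `GETINFO status/circuit-established` until Tor reports a circuit, then fetch the public IP and refuse to declare the switch safe if it equals the real address or if the fetch fails while the control channel claims to be up (the "deadlock" case). The control port address, `HashedControlPassword` authentication, and `REAL_IP` are assumptions; `ScriptedControlPort` is a constructed stand-in so the logic runs offline.

```python
#!/usr/bin/env python3
"""Fail-closed Tor circuit switch: poll the control port, then verify the exit IP.

Added example, not torghost code. Assumes Tor's ControlPort on 127.0.0.1:9051
with HashedControlPassword auth; REAL_IP is a constructed placeholder.
"""
import socket
import time

REAL_IP = "203.0.113.7"  # constructed placeholder for the operator's real public IP


def parse_reply(raw):
    """Turn a control reply ('250-key=value\\r\\n250 OK\\r\\n') into (status, {key: value})."""
    status, data = None, {}
    for line in raw.splitlines():
        if len(line) < 3 or not line[:3].isdigit():
            continue
        status = int(line[:3])
        body = line[4:]
        if line[3:4] == "-" and "=" in body:  # '250-' lines carry data, '250 ' is final
            key, value = body.split("=", 1)
            data[key] = value
    return status, data


def circuit_established(send):
    """True when Tor reports status/circuit-established=1. send(cmd) -> reply text."""
    status, data = parse_reply(send("GETINFO status/circuit-established\r\n"))
    return status == 250 and data.get("status/circuit-established") == "1"


def wait_for_circuit(send, attempts=15, delay=1.0, sleep=time.sleep):
    """Poll the control channel until a circuit is reported; False on timeout."""
    for _ in range(attempts):
        if circuit_established(send):
            return True
        sleep(delay)
    return False


def switch_and_verify(send, fetch_ip, real_ip=REAL_IP, attempts=15, delay=1.0, sleep=time.sleep):
    """SIGNAL NEWNYM, wait for a circuit, then check the observed IP.

    Returns (ok, reason). A control channel that says 'up' while the data path
    is dead is reported as unsafe instead of being trusted.
    """
    status, _ = parse_reply(send("SIGNAL NEWNYM\r\n"))
    if status != 250:
        return False, "NEWNYM rejected (status %s)" % status
    if not wait_for_circuit(send, attempts, delay, sleep):
        return False, "no circuit after %d polls" % attempts
    try:
        observed = fetch_ip().strip()
    except Exception as exc:  # circuit reported, but the IP fetch did not get through
        return False, "circuit up but IP fetch failed: %s" % exc
    if observed == real_ip:
        return False, "real IP observed: %s" % observed
    return True, "exit IP %s" % observed


def control_sender(host="127.0.0.1", port=9051, password=""):
    """Real transport: authenticate on Tor's ControlPort and return a send() callable."""
    sock = socket.create_connection((host, port), timeout=10)
    rfile = sock.makefile("r", newline="\r\n")

    def send(cmd):
        sock.sendall(cmd.encode())
        lines = []
        while True:
            line = rfile.readline()
            lines.append(line)
            if not line or line[3:4] == " ":  # final reply line, e.g. '250 OK'
                break
        return "".join(lines)

    status, _ = parse_reply(send('AUTHENTICATE "%s"\r\n' % password))
    if status != 250:
        raise RuntimeError("control port authentication failed")
    return send


class ScriptedControlPort:
    """Constructed stand-in for the control port; answers GETINFO from a script of '0'/'1'."""

    def __init__(self, circuit_replies):
        self.circuit_replies = list(circuit_replies)

    def __call__(self, cmd):
        if cmd.startswith("SIGNAL NEWNYM"):
            return "250 OK\r\n"
        if cmd.startswith("GETINFO status/circuit-established"):
            flag = self.circuit_replies.pop(0) if self.circuit_replies else "1"
            return "250-status/circuit-established=%s\r\n250 OK\r\n" % flag
        return "510 Unrecognized command\r\n"


if __name__ == "__main__":
    # Constructed run: two polls before the circuit is up, then a non-real exit IP.
    port = ScriptedControlPort(["0", "0", "1"])
    print(switch_and_verify(port, lambda: "198.51.100.23\n", sleep=lambda _: None))
```

Against a live Tor, replace `ScriptedControlPort` with `control_sender(password=...)` and `fetch_ip` with a request to an IP echo service routed through the proxy; the decision logic stays the same, and any outcome other than a confirmed non-real exit IP is treated as a failed switch.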

toxyl commented 4 years ago

> > Basic gist:
> >
> > if [ "$(curl https://www.icanhazip.com/ | tr -d "\n")" == "123.123.123.123" ] ; then
> >     echo "damn"
> > else
> >     echo "all good"
> > fi
> >
> > Save that to a file (e.g. my-ip.sh), make it executable and then you can run it with watch:
> >
> > watch ./my-ip.sh
> >
> > In my test case I had another script running that would run torghost switch every X requests, so manually switching.
>
> This script is faulty it seems. There is some problem the string evaluation try this one
>
> #!/usr/bin/python
> from requests import get
> import time
>
> while True:
>   ipaddr = get('https://api.ipify.org').text
>   if ipaddr == "12.34.56.78":
>     print "oopsie"
>   else:
>     print "nevermind"
>   time.sleep(1)
>
> and check if the problem is still there.

Your script is doing the same in Python as mine does in Bash. And if my script reports my public IP as result of the curl call it is not faulty but means that the curl call went through the wrong connection. See my previous comment about the control channel check. I’m outta town currently, i.e. I don’t have access to my fix, I’ll make a PR for it when I’m back.

hacker-h commented 3 years ago

@Toxyl did you already merge the PR?

SusmithKrishnan commented 3 years ago

I wasn't able to reproduce the bug, nor could any other user. No other follow-ups, so closing the issue. Feel free to reopen if the issue still persists.