Status: Closed (MDMCK10 closed this issue 3 years ago)
While I don't quite know how to make PCAPs of it properly, I used the "any.run" service to do network analysis of the application itself, and it seems that "any.run" provides PCAPs of the network traffic of the machine the application was run in. I've attached said "any.run" tasks below, along with the PCAPs generated by "any.run":

https://app.any.run/tasks/38ee0b69-18d2-4ed1-b778-4a3e6c74a71e/ (default configuration, machine has full network access)
https://drive.google.com/file/d/10aFlVlyquZCxrc3CPAUw3U6KPLf6jr0H/view?usp=sharing

https://app.any.run/tasks/9ff353c3-58e2-480a-8952-ef7f6b85261c/ ("Fake net" enabled, which makes all requests fail; in this one it shows more clearly that the application tries to use different methods to connect)
https://drive.google.com/file/d/1BeRUjEKZ-CFT9eFiarYuab50cciTlLv9/view?usp=sharing
Anyone have anything useful related to this?
I have analysed the two pcaps and I see a lot of junk connections like this. Not sure I can identify the few with the protocol you are mentioning:
```
1 UDP 192.168.100.23:52569 -> 194.36.108.26:554 [proto: 188/QUIC][cat: Web/5][16 pkts/19872 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][41.52 sec][ALPN: h3-24][TLS Supported Versions: TLSv1.3][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 2965/0 16094/0 5033/0][Pkt Len c2s/s2c min/avg/max/stddev: 1242/0 1242/0 1242/0 0/0][TLSv1.3][Client: paristeltel.org][JA3C: 19fc5c235882855f161c8e8ce2aa445a][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0]
2 UDP 192.168.100.23:65119 -> 213.108.105.184:554 [proto: 188/QUIC][cat: Web/5][16 pkts/19872 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][29.31 sec][ALPN: h3-24][TLS Supported Versions: TLSv1.3][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 2093/0 12800/0 3507/0][Pkt Len c2s/s2c min/avg/max/stddev: 1242/0 1242/0 1242/0 0/0][TLSv1.3][Client: nanopuzzle.net][JA3C: 19fc5c235882855f161c8e8ce2aa445a][PLAIN TEXT (ispJTS)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0]
3 UDP 192.168.100.23:65361 -> 88.208.230.106:443 [proto: 188/QUIC][cat: Web/5][16 pkts/19872 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][46.51 sec][ALPN: h3-24][TLS Supported Versions: TLSv1.3][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 3322/0 21076/0 6026/0][Pkt Len c2s/s2c min/avg/max/stddev: 1242/0 1242/0 1242/0 0/0][TLSv1.3][Client: www.rayindianaarticle.net][JA3C: 19fc5c235882855f161c8e8ce2aa445a][PLAIN TEXT (02 Pwa)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0]
4 UDP 192.168.100.23:63712 -> 109.228.54.54:443 [proto: 188/QUIC][cat: Web/5][14 pkts/17388 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][23.48 sec][ALPN: h3-24][TLS Supported Versions: TLSv1.3][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1956/0 10839/0 3245/0][Pkt Len c2s/s2c min/avg/max/stddev: 1242/0 1242/0 1242/0 0/0][Risk: ** Suspicious DGA domain name **][TLSv1.3][Client: www.brasilfabulouspublicationspark.org][JA3C: 19fc5c235882855f161c8e8ce2aa445a][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0]
5 UDP 192.168.100.23:52230 -> 217.174.240.141:554 [proto: 188/QUIC][cat: Web/5][13 pkts/16146 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][12.61 sec][ALPN: h3-24][TLS Supported Versions: TLSv1.3][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1146/0 6399/0 1911/0][Pkt Len c2s/s2c min/avg/max/stddev: 1242/0 1242/0 1242/0 0/0][TLSv1.3][Client: vcuiempiredowntown.net][JA3C: 19fc5c235882855f161c8e8ce2aa445a][PLAIN TEXT (QqBmern)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0]
6 TCP 192.168.100.23:49901 <-> 151.101.1.194:443 [proto: 91/TLS][cat: Web/5][16 pkts/10064 bytes <-> 10 pkts/2985 bytes][Goodput ratio: 91/81][0.02 sec][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 0.542 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1/2 7/5 2/2][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 629/298 1514/1453 637/418][Risk: ** SNI TLS extension was missing **][TLSv1.3][JA3C: 19cc194917b610d58ad29129e7c3f1cf][JA3S: f4febc55ea12b31ae17cfb7e614afda8][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 13,0,6,0,0,0,0,13,0,0,0,0,0,0,0,6,13,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,34,0,0]
7 TCP 192.168.100.23:50611 <-> 193.148.19.242:443 [proto: 91/TLS][cat: Web/5][14 pkts/10059 bytes <-> 10 pkts/2985 bytes][Goodput ratio: 92/81][0.02 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 0.542 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1/2 7/6 2/2][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 718/298 1514/1453 639/418][Risk: ** SNI TLS extension was missing **][TLSv1.3][JA3C: 8c23d614aa018ed7bc6c88b545ece240][JA3S: f4febc55ea12b31ae17cfb7e614afda8][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 13,0,6,0,0,0,0,13,0,0,0,0,0,0,0,0,13,0,0,0,6,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,34,0,0
```
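Not part of the thread: an added Python triage helper that parses ndpiReader flow lines like the ones above and flags the traits the QUIC flows share (packets only from client to server, every client packet the same size, a non-web destination port), then counts how often one JA3C recurs among the flagged flows. It does not identify Psiphon; it only narrows which flows in a pcap deserve a closer look, and the min_pkts threshold is an assumption.

```python
import re
from collections import Counter

# ndpiReader one-line flow summaries: flows 1 and 6 from the output above,
# trimmed to the fields used here (no values invented).
SAMPLE_FLOWS = [
    "1 UDP 192.168.100.23:52569 -> 194.36.108.26:554 [proto: 188/QUIC]"
    "[16 pkts/19872 bytes -> 0 pkts/0 bytes][ALPN: h3-24]"
    "[Pkt Len c2s/s2c min/avg/max/stddev: 1242/0 1242/0 1242/0 0/0]"
    "[Client: paristeltel.org][JA3C: 19fc5c235882855f161c8e8ce2aa445a]",
    "6 TCP 192.168.100.23:49901 <-> 151.101.1.194:443 [proto: 91/TLS]"
    "[16 pkts/10064 bytes <-> 10 pkts/2985 bytes][ALPN: h2;http/1.1]"
    "[Pkt Len c2s/s2c min/avg/max/stddev: 54/54 629/298 1514/1453 637/418]"
    "[JA3C: 19cc194917b610d58ad29129e7c3f1cf]",
]

HEADER_RE = re.compile(r"^\s*\d+\s+(\w+)\s+(\S+)\s+(?:->|<->)\s+(\S+)")
FIELD_RE = re.compile(r"\[([^\]:]+):\s*([^\]]*)\]")  # "[key: value]" fields only
PKTS_RE = re.compile(r"\[(\d+) pkts/\d+ bytes (?:->|<->) (\d+) pkts/\d+ bytes\]")

def parse_flow(line):
    """Extract the fields the triage rules need from one ndpiReader flow line."""
    hdr, pk = HEADER_RE.match(line), PKTS_RE.search(line)
    if not hdr or not pk:
        raise ValueError("not an ndpiReader flow line")
    f = {k.strip(): v.strip() for k, v in FIELD_RE.findall(line)}
    # Pkt Len value is "min avg max stddev", each written as "c2s/s2c"
    c2s_len = [int(p.split("/")[0]) for p in f["Pkt Len c2s/s2c min/avg/max/stddev"].split()]
    return {"l4": hdr.group(1), "src": hdr.group(2), "dst": hdr.group(3),
            "app": f["proto"].split("/")[-1], "alpn": f.get("ALPN", ""),
            "c2s_pkts": int(pk.group(1)), "s2c_pkts": int(pk.group(2)),
            "len_min": c2s_len[0], "len_max": c2s_len[2],
            "sni": f.get("Client", ""), "ja3c": f.get("JA3C", "")}

def triage_reasons(flow, min_pkts=10):
    """Traits the one-way QUIC flows above share; an empty list means nothing odd."""
    reasons = []
    if flow["app"] != "QUIC":
        return reasons
    if flow["s2c_pkts"] == 0 and flow["c2s_pkts"] >= min_pkts:
        reasons.append("%d packets sent, none received" % flow["c2s_pkts"])
    if flow["len_min"] == flow["len_max"]:
        reasons.append("every client packet is %d bytes" % flow["len_min"])
    port = flow["dst"].rsplit(":", 1)[1]
    if port not in ("443", "80"):
        reasons.append("QUIC to non-web port %s" % port)
    return reasons

def triage(lines, min_pkts=10):
    """Return flagged (flow, reasons) pairs and how often each JA3C recurs among them."""
    flagged = [(fl, triage_reasons(fl, min_pkts)) for fl in map(parse_flow, lines)]
    flagged = [(fl, r) for fl, r in flagged if r]
    return flagged, Counter(fl["ja3c"] for fl, _ in flagged)
```

Run it over the full ndpiReader output of both pcaps: flows sharing one JA3C, one packet size and many different random-looking SNIs are the ones to pull out of the capture and compare against the application's behaviour.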
@lucaderi well, the thing with Psiphon is that it's actually designed to be more of a censorship circumvention style VPN rather than just a normal one, meaning it tries its hardest to make blocking it pretty difficult (well, not surprising given how it can even bypass the GFW in China), although I do hope something can be done to detect it. If you need any more info like more PCAPs, specific tests involving the application, etc., do let me know.
@lucaderi Has there been any progress in regards to this?
No, I have no plan/time to implement this protocol, but you can submit a PR with the code for supporting it.
So recently I've had to deal with the issue of VPNs being used to bypass network restrictions. While I've had success detecting most VPNs using both nDPI and other solutions, I've come across one I can't quite figure out how to detect, and that is Psiphon.
While I did check that there was a previous issue regarding this specific VPN, it seems that the original issue didn't go anywhere.
So: How does one detect this "Psiphon" VPN using nDPI?