nyxnor / tor-ctrl

Raw use of tor's controller

SOURCE_ADDR #32

Open nyxnor opened 2 years ago

nyxnor commented 2 years ago

http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/t/tor-ctrl-tor-control-port-command-line-tool/8074/48

https://gitweb.torproject.org/torspec.git/tree/control-spec.txt#n2501

Two things:

  1. print source_addr on the organized table
  2. option to filter source_addr, to help distinguish clients
nyxnor commented 2 years ago

On a qube debian template, not whonix, run:

```
curl -x http://127.0.0.1:8082 https://google.com
650 STREAM 16314 NEWRESOLVE 0 google.com:0 SOURCE_ADDR=127.0.0.1:33902
650 STREAM 16315 NEWRESOLVE 0 google.com:0 SOURCE_ADDR=127.0.0.1:33902
650 STREAM 16314 SENTRESOLVE 15198 google.com:0 CLIENT_PROTOCOL=DNS
650 STREAM 16315 SENTRESOLVE 15198 google.com:0 CLIENT_PROTOCOL=DNS
650 STREAM 16314 REMAP 15198 172.217.16.206:0 SOURCE=EXIT
650 STREAM 16315 REMAP 15198 [2a00:1450:4001:808::200e]:0 SOURCE=EXIT
650 STREAM 16314 CLOSED 15198 172.217.16.206:0 REASON=DONE
650 STREAM 16315 CLOSED 15198 [2a00:1450:4001:808::200e]:0 REASON=DONE

650 STREAM 16316 NEW 0 172.217.16.206:443 SOURCE_ADDR=10.137.0.8:44012
650 STREAM 16316 SENTCONNECT 15200 172.217.16.206:443 CLIENT_PROTOCOL=TRANS
650 STREAM 16316 REMAP 15200 172.217.16.206:443 SOURCE=EXIT
650 STREAM 16316 CLOSED 15200 172.217.16.206:443 REASON=DONE
```

SOURCE_ADDR appears on NEW and NEWRESOLVE stream types.

DNS resolve: The whonix gateway qube receives the call via the update proxy, which templates use at 127.0.0.1:8082, and then the gateway forwards it from another port on localhost. The source addr is 127.0.0.1:rand_port. How can I know which qube made the request if the port does not stay the same?

Connection: The source addr is now the gateway qube local ip.

If the connection was made by a whonix workstation, the source_addr will always be the workstation qube local ip.
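
The events above show the practical problem for a table or a filter: only NEW and NEWRESOLVE carry SOURCE_ADDR, and a loopback source only identifies the proxy, not the qube behind it. The following is an added example (not tor-ctrl's own code, and not the observer implementation discussed in this issue): it remembers the stream ID to SOURCE_ADDR mapping so that the later SENTCONNECT/SENTRESOLVE/REMAP/CLOSED events of the same stream are attributed to their client, optionally filters on the source host, and flags 127.0.0.1 sources as not distinguishable. The function name, the filter argument and the sample event list (constructed from the output posted above) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not tor-ctrl's own code.
# Attribute every "650 STREAM" control-port event to the client that opened the
# stream. Only NEW and NEWRESOLVE carry SOURCE_ADDR, so the stream ID -> source
# mapping is kept and reused for the later events of the same stream.

# Constructed sample, copied from the events posted in this issue.
SAMPLE_EVENTS='650 STREAM 16314 NEWRESOLVE 0 google.com:0 SOURCE_ADDR=127.0.0.1:33902
650 STREAM 16315 NEWRESOLVE 0 google.com:0 SOURCE_ADDR=127.0.0.1:33902
650 STREAM 16314 SENTRESOLVE 15198 google.com:0 CLIENT_PROTOCOL=DNS
650 STREAM 16315 SENTRESOLVE 15198 google.com:0 CLIENT_PROTOCOL=DNS
650 STREAM 16314 REMAP 15198 172.217.16.206:0 SOURCE=EXIT
650 STREAM 16315 REMAP 15198 [2a00:1450:4001:808::200e]:0 SOURCE=EXIT
650 STREAM 16314 CLOSED 15198 172.217.16.206:0 REASON=DONE
650 STREAM 16315 CLOSED 15198 [2a00:1450:4001:808::200e]:0 REASON=DONE
650 STREAM 16316 NEW 0 172.217.16.206:443 SOURCE_ADDR=10.137.0.8:44012
650 STREAM 16316 SENTCONNECT 15200 172.217.16.206:443 CLIENT_PROTOCOL=TRANS
650 STREAM 16316 REMAP 15200 172.217.16.206:443 SOURCE=EXIT
650 STREAM 16316 CLOSED 15200 172.217.16.206:443 REASON=DONE'

# stream_sources [FILTER_HOST]   (hypothetical helper name and argument)
# Reads STREAM events on stdin and prints one tab-separated line per event:
#   source_addr  stream_id  status  target  [note]
# With FILTER_HOST (an IP without port), only streams whose SOURCE_ADDR host
# matches are printed. A 127.0.0.1 source is flagged: behind a local proxy
# such as the Qubes update proxy the port changes per request and does not
# identify the client qube.
stream_sources() {
  awk -v filter="${1:-}" '
    $1 == "650" && $2 == "STREAM" {
      id = $3; status = $4; target = $6; src = ""
      # SOURCE_ADDR=host:port is an optional key=value field after the target
      for (i = 7; i <= NF; i++)
        if ($i ~ /^SOURCE_ADDR=/) src = substr($i, 13)
      if (src != "") source[id] = src
      addr = (id in source) ? source[id] : "unknown"
      host = addr; sub(/:[0-9]+$/, "", host)   # strip the ephemeral port
      if (filter != "" && host != filter) next
      note = (host == "127.0.0.1") ? "\tlocal proxy: client not distinguishable" : ""
      printf "%s\t%s\t%s\t%s%s\n", addr, id, status, target, note
      # forget finished streams so the map does not grow without bound
      if (status == "CLOSED" || status == "FAILED") delete source[id]
    }'
}

# Demo: every event attributed, then only the client at 10.137.0.8
printf '%s\n' "$SAMPLE_EVENTS" | stream_sources
printf '%s\n' "$SAMPLE_EVENTS" | stream_sources 10.137.0.8
```

Fed the sample, the unfiltered run attributes all four events of stream 16316 to 10.137.0.8:44012 even though only the NEW event carried the address, and every event of streams 16314 and 16315 lands on 127.0.0.1 with the flag; filtering on 127.0.0.1 therefore matches both resolves with no way to tell which qube issued them, which is the limitation this thread describes.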

nyxnor commented 2 years ago

Thinking if this should be added to -observer or not, because it can get the client ip address if the gateway is not hosted locally. It can expose the public client address if, for example, the gateway is at a remote location and the workstation at home.

Haven't tested to see how the connection is made with remote gateways.

nyxnor commented 2 years ago

https://github.com/QubesOS/qubes-core-agent-linux/find/master

Search: update-proxy

nyxnor commented 2 years ago

This should be fixed upstream in Qubes, for now, it is impossible to distinguish clients connecting to the localhost proxy.

nyxnor commented 2 years ago

The problem is on qubes: when using the update proxy, it is not helpful to filter a single source because:

while filtering the whonix ws ip is much more helpful because the gateway detects the source addr correctly, as it is passing through tinyproxy.

nyxnor commented 2 years ago

TODO: add source_addr to tor-ctrl-observer and warnings