
Question on Ethernet networking-- who can see who...?


14 replies to this topic

#1 kingneil


Posted 09 September 2016 - 12:35 PM

OK. Here is what I am trying to do.

 

Set up a dedicated computer that does nothing other than run Tor.... Call this "The Tor router".

 

Set up a 2nd computer that connects to the Tor computer, and runs web browsing, apps etc as normal.... Call this "The workstation".

 

All traffic from the workstation is always routed through the Tor router, and thus, the real IP address can never leak.

 

So even if the workstation gets hacked, no one can ever find out who it belongs to. If hacked, they can see WHAT I am doing on the computer, but not WHO I am.

 

The weak point in Tor is Firefox, and not Tor itself. So long as the Tor router can never be hacked, then everything in the workstation will always be routed through Tor. The real IP address can NEVER leak.

 

I want all of the networking to be WIRED.. because if it was wireless, and the workstation was hacked, the hacker could simply use the WiFi to search for nearby routers, and thus, be able to identify who I am by knowing which routers are nearest by. Governments can know which routers belong to who through drive-by vans, or even through agreements with ISPs to provide the data. They know which router belongs to who.

 

----

 

Now.... here is the question...

 

If I wire with Ethernet as follows:

MAIN ROUTER => The Tor router => The workstation

 

If I do this... is it ever possible for the main router to find out that it is connected to the workstation, or vice versa..?

 

Obviously, if The Tor router gets hacked, then the main router can find out that The workstation is connected to it.

 

But my assumption is that The Tor router cannot be hacked, and this is based on the fact that you never, ever see exploits for Tor itself... Only for the Firefox browser.

 

So that's the main question.


Edited by kingneil, 09 September 2016 - 12:50 PM.



 


#2 Wand3r3r


Posted 09 September 2016 - 04:05 PM

"All traffic from the workstation is always routed through the Tor router, and thus, the real IP address can never leak."

 

The workstation's private IP address would not ever be on the internet and as such couldn't be leaked. It's the WAN IP address of the router you need to be concerned about.

 

"is it ever possible for the main router to find out that it is connected to the workstation, or vice versa..?"

 

If Tor is doing its job there is an encrypted tunnel to the Tor relay server through the router from your Tor router. Main router doesn't track that.

 

Just what are you trying to protect yourself from?


Edited by Wand3r3r, 09 September 2016 - 04:06 PM.


#3 Trikein


Posted 09 September 2016 - 04:47 PM

Could you provide any documentation of how Tor router is configured?

 

As I understand it, a VPN protects your anonymity from outside viewers. For the Tor client on the router to establish that tunnel, it needs to connect to your internet (WAN) connection. If someone "hacks" your router they would have control of that configuration. I understand that you're trying to create a double fail safe, but you don't want that redundancy to rely on the unlikeliness of an intruder just stopping after hacking your router. IMO focus should be given on hardening security of Tor router so it isn't hacked. Check the firmware and Tor client for updates to decrease vulnerabilities.



#4 kingneil


Posted 13 September 2016 - 01:21 PM

All I am asking is this question:

[Image: q0OToJz.png]



#5 Wand3r3r


Posted 15 September 2016 - 01:29 PM

Routers don't "see" nor would it be aware of the Tor traffic since it's encapsulated within the Tor tunnel.

 

Who is "they"?



#6 Kilroy


Posted 15 September 2016 - 02:16 PM

You can't do what you want.  Everything the TOR router does will be able to be traced back to YOUR public IP address and you might get to experience something like this.  



#7 Wand3r3r


Posted 15 September 2016 - 04:14 PM

That is not what the article speaks about nor is that an accurate depiction of what happens with TOR.

 

It is not true what the OP's Tor router does is traceable back to the main internet facing router. If you reread the article it was talking about the exit Tor servers as when you actually come out to the internet. Now that TOR exit server's public IP is traceable but that exit Tor server has no knowledge of the OP's WAN IP since that traffic was tunneled through the internet.

 

Think of it as the difference between running a tracert to Google via a regular connection vs via a VPN.

Regular tracert will show the local public IP address.

VPN tracert will show nothing until you exit the VPN server and go to the internet and then it will show that server's public WAN address.

 

https://en.wikipedia.org/wiki/Tor_(anonymity_network)

 

Between the encryption, the relays before hitting the internet, I don't see how Tor traffic could be traceable. Only the exit servers can be tracked.


Edited by Wand3r3r, 15 September 2016 - 04:15 PM.


#8 kingneil


Posted 18 September 2016 - 06:21 PM

Alright.
 
I came to the conclusion that this is all a waste of time.
 
A hacker (especially nation state) would hack your main home router.
 
Then hack your endpoint laptop.
 
Then they can see that both are connected to a dedicated Tor router in the middle, through its MAC address or other identifier, such as device name.
 
So they can see that both are connected to the same dedicated Tor router, and thus, they can see who you are that way.
 
So unless you are confident that you can secure your main home router, then this idea of a dedicated Tor router is hopeless.
 
You would be better off using a QUBES live disc and ONLY use Tor from the very start.
 
As the internal NSA Snowden documents say, "one page request" is all it takes to hack you.. but note, they can only do this page request if you are actually connecting via your real IP address.
 
Therefore, use a QUBES live disc, use TOR ONLY (never mix it up with clearnet), and make sure your BIOS is freshly installed, and then just cross your fingers and hope you don't get hacked while using Tor browser. By all means, use NoScript etc.


#9 Wand3r3r


Posted 19 September 2016 - 02:48 PM

Facts fly in the face of that conclusion but only you know what you are protecting yourself from or why you would be a target.



#10 kingneil


Posted 19 September 2016 - 08:56 PM

OK... I actually came up with a way to prevent a hacked MAIN ROUTER and a hacked ENDPOINT LAPTOP from seeing that they are connected to the same DEDICATED TOR ROUTER.

 

The set up would look like this:

MAIN ROUTER => TOR ROUTER 1 => TOR ROUTER 2 => LAPTOP

 

This way, main router only knows it's connected to Tor router 1

 

And laptop only knows it's connected to Tor router 2

 

Therefore, if the hacker has your main router and your laptop.. they still don't know it's on the same machine.

 

Hmmm

 

So I actually now disagree with what I wrote yesterday.

 

I think this idea DOES work now. Hmm... Quite exciting.



#11 Wand3r3r


Posted 20 September 2016 - 03:10 PM

I would suggest that you need a better understanding of how Tor works as well as what a router "sees" or "knows".

 

You are trying to design a house with no understanding of what the foundation does.



#12 kingneil


Posted 20 September 2016 - 04:51 PM

It's pretty simple.

 

You run a command like "nmap", and you can see all the devices connected.

 

If someone hacked the main router, they can run something like "nmap", and find the MAC address, IP address and hostname of the computer that runs the Tor router.

 

Meanwhile, if that same person also hacked the laptop, they could also run "nmap" and find the MAC address, IP address and hostname of the computer that runs the Tor router.

 

So, if someone hacked both devices, they could do a correlation, and see that it's you. The main router of course is then connected to your real IP address, and thus, they have unmasked you.

 

Therefore, the computer that runs the Tor router.. this computer needs to show a different MAC address, IP and hostname to the MAIN ROUTER, than it does to the LAPTOP.

 

I have heard about various systems in Linux where you can show different hostnames.

For example:

http://unix.stackexchange.com/questions/115870/configure-multiple-interfaces-with-different-hostnames-using-dhcp-and-dns

 

 

 

In theory, it's possible by editing /etc/dhcp/dhclient.conf. Try adding a stanza like:
 
interface "eth0" {
    send host-name "host0";
}
 
interface "eth1" {
    send host-name "host1";
}
Make sure any other host-name options in that file are commented out and remove the hostname you specified in /etc/network/interfaces.

 

 

So it's just a question of precisely how to do this.

For example, if you used 2 physical computers in the middle, then you are definitely using 2 different MAC / IP / hostnames.

 

But then, that costs you more money etc.

 

But if you can somehow get a single physical computer to display a different MAC / IP / hostname on the ETHERNET port, versus the WIFI... then you can make it look like a different device to the main router, than it looks to the laptop.

 

It's all about making the main router and laptop not realise that they are connected to the same device.
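
An added example, not part of the post above or of the quoted Stack Exchange answer: a small audit of a dhclient.conf that reports which DHCP host-name each interface would actually send, and whether two interfaces end up announcing the same one. It covers host-names only (not MAC or IP), both sample files are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: a global default is still active and the per-interface
# override has been commented out, so both sides would see the same name.
SAMPLE_CONF = '''
send host-name = gethostname();   # global default
interface "eth0" {
    #send host-name "host0";
    request subnet-mask, routers;
}
'''

# Constructed sample matching the stanza quoted in the post.
FIXED_CONF = '''
interface "eth0" { send host-name "host0"; }
interface "eth1" { send host-name "host1"; }
'''

HOSTNAME_RE = re.compile(r'send\s+host-name\s*=?\s*(?:"([^"]*)"|([^;"]+?))\s*;')
STANZA_RE = re.compile(r'interface\s+"([^"]+)"\s*\{([^}]*)\}')


def _name(match):
    """Quoted literal or unquoted expression from a host-name statement."""
    return None if match is None else (match.group(1) or match.group(2))


def effective_hostnames(conf_text, interfaces):
    """Map each interface to the host-name it would send (None = none sent)."""
    text = re.sub(r'#.*', '', conf_text)               # drop comments
    scoped = {n: _name(HOSTNAME_RE.search(b)) for n, b in STANZA_RE.findall(text)}
    # Whatever is left outside interface stanzas is global scope.
    fallback = _name(HOSTNAME_RE.search(STANZA_RE.sub('', text)))
    return {i: scoped.get(i) or fallback for i in interfaces}


def shared_identities(effective):
    """Host-names announced on more than one interface (correlatable)."""
    by_name = {}
    for iface, name in effective.items():
        if name is not None:
            by_name.setdefault(name, []).append(iface)
    return {n: sorted(v) for n, v in by_name.items() if len(v) > 1}


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_CONF), ("fixed", FIXED_CONF)):
        eff = effective_hostnames(conf, ["eth0", "eth1"])
        print(label, eff, "shared:", shared_identities(eff))
```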



#13 Wand3r3r


Posted 21 September 2016 - 08:18 PM

MAC address never goes beyond the first router the host encounters.

So the laptop's MAC would never make it past the Tor router.

You aren't tracked by a MAC address. Even the online checkers can only give the ISP's WAN IP for you if you check.

 

If the main router and the laptop and then the Tor router are hacked... that is a lot of conjecture and not how/what hackers do.

 

Whatever you are trying to hide from, legitimately, Tor can give you that anonymity. You just need a clear understanding how this works and how hackers work.

 

Appears to me you are missing an understanding of both parts.



#14 Trikein


Posted 23 September 2016 - 09:31 AM

 

"You aren't tracked by a MAC address. Even the online checkers can only give the ISP's WAN IP for you if you check."

 

 

While I agree with almost everything you said, how would IPv6 change this? Doesn't the IPv6 address contain some hash of the MAC address in the broadcast? Also, before an IPv4 address is renewed, doesn't it send an ARP request out that could be tracked?



#15 Wand3r3r


Posted 23 September 2016 - 10:37 AM

No MAC address hash that I have ever read of is included in IPv6. I don't see how a broadcast would be very useful if it contained a specific host MAC address. Even so that private IP address space would never go beyond the first router.

 

To track the communication between the laptop and the tor router there would need to be a way of capturing the communication data.  In this case the laptop would have to be hacked for that to happen which kind of defeats the idea of tracking traffic if already hacked.

 

I think the best way of explaining what the Tor router is doing is to relate what is happening to the show Stargate SG1.
When they step through the portal they come out at another stargate in a different planet in the universe.

 

In the laptop's case this is all it knows. It went in one portal and came out another.

 

The fact is with Tor it goes to one server and then another and then another [relays] before coming out the final portal [exit server] to the internet. The traffic is encrypted the entire way.

IMHO this makes Tor virtually unhackable which is by design.

 

Let's for a moment look at the scenario of the main router getting hacked. What exactly does that mean? Someone is able to read all the traffic? Nope, router can't do that even if hacked. How is a router hacked? If there is a BIOS weakness that can be exploited or the admin never changes the default credentials, then the router can theoretically be hacked. What level of access would that result in for the hacker? Not much. It would see the Tor router as a connected device but Tor couldn't be hacked from the router, it would have to be hacked through the router, which if you think about it is happening to everyone's routers on a daily basis [if you ever read your firewall logs] with attempted known exploit attacks.

 

Now if you really wanted to know if you were being hacked at this level [and you didn't want to monitor your router closely] you would set up a server on the main router's LAN alongside the Tor router. This is called a honey pot. Hackers will try to hit it [being an easier target] before messing with the Tor router.

 

All comes down to what main router you get and how you maintain it.

 

For the OP there appears to be a misunderstanding of what can be performed on a router. For example you can run nmap from an OS loaded device but not from a router.


Edited by Wand3r3r, 23 September 2016 - 10:41 AM.
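
On the IPv6 question raised in posts #14 and #15: when a host forms its address with SLAAC using a modified EUI-64 interface identifier (RFC 4291, Appendix A), the MAC is embedded in the low 64 bits directly rather than hashed, whereas temporary privacy addresses (RFC 4941) carry no MAC. The following is an added example, not written by any poster in this thread, for checking one's own interface addresses; the function names are hypothetical and the MAC, prefix and addresses are constructed samples.

```python
import ipaddress


def slaac_from_mac(prefix, mac):
    """Address a host would form from a /64 prefix and its MAC (modified EUI-64)."""
    m = bytes.fromhex(mac.replace(":", ""))
    # Flip the universal/local bit and insert ff:fe between the MAC halves.
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]
    net = ipaddress.IPv6Network(prefix)
    return str(ipaddress.IPv6Address(
        int(net.network_address) | int.from_bytes(iid, "big")))


def mac_from_slaac(addr):
    """Return the MAC embedded in an EUI-64 style address, or None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]        # low 64 bits
    if iid[3:5] != b"\xff\xfe":                          # EUI-64 filler absent
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]   # undo the bit flip
    return ":".join(f"{b:02x}" for b in mac)


def audit(addresses):
    """Map each address that exposes a MAC to that MAC.

    A random interface ID can contain ff:fe by chance (about 1 in 65536),
    so treat a hit as a prompt to check the interface's address mode.
    """
    found = {}
    for a in addresses:
        mac = mac_from_slaac(a)
        if mac is not None:
            found[a] = mac
    return found


if __name__ == "__main__":
    # Constructed samples: documentation prefix and a made-up MAC.
    eui64 = slaac_from_mac("2001:db8:1:2::/64", "00:11:22:33:44:55")
    privacy = "2001:db8:1:2:5c3a:91e0:7b2d:44f1"
    print(audit([eui64, privacy, "fe80::211:22ff:fe33:4455"]))
```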




