-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 15/10/08 06:07, Gerardo Rodríguez wrote:
While retrieving the mail, these two readings were constant:
_____________________________________________________________________________
Frame 10 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 2wire_aa:aa:aa (aa:aa:aa:aa:aa:aa), Dst:
Intel_ff:ff:ff (ff:ff:ff:ff:ff:ff)
Internet Protocol, Src: 83.132.242.113 (83.132.242.113), Dst:
192.168.1.70 (192.168.1.70)
Transmission Control Protocol, Src Port: mosaicsyssvc1 (1235), Dst Port:
53328 (53328), Seq: 1, Ack: 1, Len: 0
No. Time Source Destination Protocol
Info
11 9.437005 2wire_2e:d4:89 Broadcast ARP Who
has 192.168.1.65? Tell 192.168.1.254
_____________________________________________________________________________
You have mixed the information from two packets here:
Number 10 (the upper part), from 83.132.242.113, is from something outside
of the Tor network. A reverse DNS lookup reveals it's from netcabo.pt, which
seems to be a Portuguese ISP. The source port number suggests it's some
sort of audio/video streaming protocol (Vosiac). If this part appears
every time you do POP, it's a bit suspicious.
Number 11 (the lower part) is just an ARP request. It seems your router
(192.168.1.254) simply wants to know the MAC address of 192.168.1.65 for
whatever reason. What is 192.168.1.65 on your network?
Are you really sure that these two appear _every_ single time you do
POP? Are you sure that you have turned off all other applications that
use the Internet?
_____________________________________________________________________________
No. Time Source Destination Protocol
Info
12 10.373837 192.168.1.70 88.198.51.7 TCP
43089 > etlservicemgr [PSH, ACK] Seq=1 Ack=1 Win=64949 Len=586
Frame 12 (640 bytes on wire, 640 bytes captured)
Ethernet II, Src: Intel_ff:ff:ff (ff:ff:ff:ff:ff:ff), Dst:
2wire_aa:aa:aa (aa:aa:aa:aa:aa:aa)
Internet Protocol, Src: 192.168.1.70 (192.168.1.70), Dst: 88.198.51.7
(88.198.51.7)
Transmission Control Protocol, Src Port: 43089 (43089), Dst Port:
etlservicemgr (9001), Seq: 1, Ack: 1, Len: 586
Data (586 bytes)
0000 17 03 01 00 20 bc 7f 8b ef dc 1e 82 ca fa 53 e0 .... .........S.
etc.
_____________________________________________________________________________
88.198.51.7 is a Tor relay, probably your entry guard.
And while sending mail, these two:
_____________________________________________________________________________
No. Time Source Destination Protocol
Info
23 3.306572 CompName schatten.darksystem.net TCP
florence > etlservicemgr [PSH, ACK] Seq=1 Ack=1 Win=64363 Len=586
Frame 23 (640 bytes on wire, 640 bytes captured)
Ethernet II, Src: CompName (ff:ff:ff:ff:ff:ff), Dst: 192.168.1.254
(aa:aa:aa:aa:aa:aa)
Internet Protocol, Src: CompName (192.168.1.70), Dst:
schatten.darksystem.net (88.198.51.7)
Transmission Control Protocol, Src Port: florence (1228), Dst Port:
etlservicemgr (9001), Seq: 1, Ack: 1, Len: 586
Data (586 bytes)
0000 17 03 01 00 20 39 1e d3 cb fe 30 60 3f f2 5f 43 .... 9....0`?._C
etc.
_____________________________________________________________________________
&
_____________________________________________________________________________
No. Time Source Destination Protocol
Info
24 3.532021 schatten.darksystem.net CompName TCP
etlservicemgr > florence [ACK] Seq=1 Ack=587 Win=65535 Len=0
Frame 24 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 192.168.1.254 (aa:aa:aa:aa:aa:aa), Dst: CompName
(ff:ff:ff:ff:ff:ff)
Internet Protocol, Src: schatten.darksystem.net (88.198.51.7), Dst:
CompName (192.168.1.70)
Transmission Control Protocol, Src Port: etlservicemgr (9001), Dst Port:
florence (1228), Seq: 1, Ack: 587, Len: 0
_____________________________________________________________________________
schatten.darksystem.net is the same as 88.198.51.7, which probably is
your entry guard.
aa:aa:aa:aa:aa:aa is the actual MAC address of the adapter in my router.
ff:ff:ff:ff:ff:ff is the actual MAC address of the adapter in my PC.
When obfuscating MAC addresses it's better to do so with the latter part
of it -- the first numbers are much easier to guess since they are
determined by the manufacturer, model etc. of the network interface.
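As an added example (not part of the thread), a small Python script that applies the reasoning in this reply to Wireshark summary lines: port 9001 (Wireshark's "etlservicemgr", Tor's default ORPort) or a known relay address marks Tor traffic, ARP is local, and any other external endpoint is flagged for a closer look; it also shows the MAC obfuscation recommended above, keeping the vendor OUI and replacing the device-specific half with a keyed hash. The relay set and the sample lines are constructed from the addresses quoted in the thread.

```python
import hashlib
import ipaddress
import re

TOR_ORPORT = 9001  # Wireshark names this "etlservicemgr"; it is Tor's default ORPort
KNOWN_RELAYS = {"88.198.51.7"}  # constructed: the relay named in the thread
# Wireshark service names seen in the thread, mapped back to port numbers
SERVICE_PORTS = {"etlservicemgr": 9001, "mosaicsyssvc1": 1235, "florence": 1228}
SUMMARY_RE = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
PORTS_RE = re.compile(r"^(\S+) > (\S+) ")

def port_number(name):
    return int(name) if name.isdigit() else SERVICE_PORTS.get(name)

def is_private(host):
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False  # a hostname, not an address: treat as not known-local

def classify(line):
    """Return (frame_no, verdict) for one Wireshark summary line."""
    m = SUMMARY_RE.match(line)
    if not m:
        raise ValueError("not a summary line: " + line)
    no, _time, src, dst, proto, info = m.groups()
    if proto == "ARP":
        return int(no), "arp-local"
    ports = PORTS_RE.match(info)
    sport, dport = (port_number(p) for p in ports.groups()) if ports else (None, None)
    if TOR_ORPORT in (sport, dport) or {src, dst} & KNOWN_RELAYS:
        return int(no), "tor-orport"
    if not is_private(src) or not is_private(dst):
        return int(no), "external-non-tor"  # unexpected while only Tor should talk
    return int(no), "lan"

def anonymize_mac(mac, secret):
    """Keep the vendor OUI (first three octets), hash the device-specific half."""
    octets = mac.lower().split(":")
    digest = hashlib.sha256((secret + mac.lower()).encode()).hexdigest()
    return ":".join(octets[:3] + [digest[i:i + 2] for i in (0, 2, 4)])

SAMPLE = [  # constructed from the summary lines quoted in the thread
    "11 9.437005 2wire_2e:d4:89 Broadcast ARP Who has 192.168.1.65? Tell 192.168.1.254",
    "12 10.373837 192.168.1.70 88.198.51.7 TCP 43089 > etlservicemgr [PSH, ACK] Seq=1 Ack=1 Win=64949 Len=586",
    "10 9.100000 83.132.242.113 192.168.1.70 TCP mosaicsyssvc1 > 53328 [ACK] Seq=1 Ack=1 Win=65535 Len=0",
]

def report(lines=SAMPLE):
    return dict(classify(l) for l in lines)
```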