Re: [tor-bugs] #20348 [Metrics/Censorship analysis]: cyberoam assists bloody dictatorships.
#20348: cyberoam assists bloody dictatorships.
-----------------------------------------+-------------------------
Reporter: dcf | Owner:
Type: project | Status: closed
Priority: Medium | Milestone:
Component: Metrics/Censorship analysis | Version:
Severity: Normal | Resolution: invalid
Keywords: censorship block kz | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-----------------------------------------+-------------------------
Comment (by dcf):
Replying to [comment:159 dcf]:
> Replying to [comment:156 cypherpunks]:
> > Redirect generated by KZ box for blocked site:
> > https://paste.debian.net/plainh/39d8508f
> > (can't paste here for spam filter block)
>
> {{{
> HTTP/1.1 302 Found\r\n
> Content-Length: 210\r\n
> Location: http://92.63.88.128/?NTDzLZ\r\n
> Content-Type: text/html; charset=UTF-8\r\n
> \r\n
> <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">\n
> <TITLE>302 Found</TITLE></HEAD><BODY>\n
> <H1>302 Found</H1>\n
> The document has moved\n
> <A HREF="http://92.63.88.128/?NTDzLZ">here</A>\n
> </BODY></HTML>\r\n
> \r\n
> }}}
tl;dr: Nmap identifies a host with this signature as a Netgear wireless
access point, by sending an HTTP request without a Host header. What do
you see when you send `GET / HTTP/1.0\r\n\r\n` to the server that sent you
this response?
I ran [[attachment:grepsonar.go|a program]] to search
[https://scans.io/study/sonar.http Project Sonar] scans of port 80 (I used
20160830-http.gz) for the HTTP signatures in comment:149 and comment:159.
The signature in comment:159 has many many matches, redirecting to various
URLs, mostly under subdomains of telcom.co.id, but also afrihost.com,
2090000.ru. Many of them are offline or have changed signature now, but by
trying a few at random I found one that worked.
{{{
$ nmap -Pn -sV -p 80 37.192.17.117
Starting Nmap 7.31 ( https://nmap.org ) at 2016-12-17 17:48 PST
Nmap scan report for l37-192-17-117.novotelecom.ru (37.192.17.117)
Host is up (0.26s latency).
PORT STATE SERVICE VERSION
80/tcp open http uhttpd 1.0.0 (Netgear WNDRMACv2 WAP http config)
Service Info: Device: WAP; CPE: cpe:/h:netgear:wndrmacv2
}}}
Nmap found this result using its `GetRequest` probe, which is just `GET / HTTP/1.0\r\n\r\n` and doesn't include a Host header. Indeed, if I probe it
manually with a Host header, I get a similar 302 as in comment:159, but
without a Host header I get a 401 with `Server: uhttpd/1.0.0` (note: doesn't seem to be the [https://wiki.openwrt.org/doc/howto/http.uhttpd uHTTPd] from OpenWRT).
{{{
$ echo $'GET / HTTP/1.0\r\nHost: 37.192.17.117\r\n\r\n' | ncat 37.192.17.117 80
HTTP/1.1 302 Found
Content-Length: 202
Location: http://0.2090000.ru
Content-Type: text/html; charset=UTF-8
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Found</TITLE></HEAD><BODY>
<H1>302 Found</H1>
The document has moved
<A HREF="http://0.2090000.ru">here</A>
</BODY></HTML>
$ echo $'GET / HTTP/1.0\r\n\r\n' | ncat 37.192.17.117 80
HTTP/1.0 401 Unauthorized
Server: uhttpd/1.0.0
Date: Sun, 18 Dec 2016 01:41:43 GMT
WWW-Authenticate: Basic realm="NETGEAR WNDRMACv2"
Content-Type: text/html; charset="UTF-8"
Connection: close
<HTML><HEAD><META http-equiv='Pragma' content='no-cache'><META http-equiv='Cache-Control' content='no-cache'><TITLE> 401 Authorization</TITLE>
<script language=javascript type=text/javascript>
function cancelevent()
{
location.href='/unauth.cgi';
}
</script>
</HEAD><BODY onload=cancelevent()></BODY></HTML>
}}}
I tried a bunch of the other IP addresses (about 200), but this is the
only one I found that was still live and matched the `302 Found`
signature.
Perhaps this is an instance of client-side censorship, where the ISP has
loaded a blocklist onto the customer's router, and the router is enforcing
the redirect?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20348#comment:161>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
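The kind of check dcf ran over stored scan data, as an added example in Go (not dcf's grepsonar.go): it classifies a raw HTTP response as the `302 Found` redirect signature or the `uhttpd/1.0.0` NETGEAR 401, and tests for the Host-header dependence described in the comment. The function names and the sample responses are my own, constructed to resemble the responses quoted in the ticket.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Classify parses one raw HTTP response (e.g. a record from a stored port-80 scan)
// and returns "redirect", "uhttpd401" or "none" for the two signatures in the ticket.
func Classify(raw string) (string, error) {
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
	if err != nil {
		return "none", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "none", err
	}
	loc := resp.Header.Get("Location")
	if resp.StatusCode == 302 && loc != "" && strings.Contains(string(body), "<TITLE>302 Found</TITLE>") &&
		strings.Contains(string(body), `<A HREF="`+loc+`">here</A>`) {
		return "redirect", nil // the HTML body repeats the Location header in its anchor
	}
	if resp.StatusCode == 401 && strings.HasPrefix(resp.Header.Get("Server"), "uhttpd/") &&
		strings.Contains(resp.Header.Get("WWW-Authenticate"), "NETGEAR") {
		return "uhttpd401", nil
	}
	return "none", nil
}

// HostDependent reports the pattern from the ticket: redirect with a Host header, uhttpd 401 without.
func HostDependent(withHost, withoutHost string) bool {
	a, _ := Classify(withHost)
	b, _ := Classify(withoutHost)
	return a == "redirect" && b == "uhttpd401"
}

// Constructed samples modelled on the two responses quoted in the ticket.
var redirectBody = "<HTML><HEAD><TITLE>302 Found</TITLE></HEAD><BODY>\n<H1>302 Found</H1>\n" +
	"The document has moved\n<A HREF=\"http://92.63.88.128/?NTDzLZ\">here</A>\n</BODY></HTML>\r\n"
var SampleRedirect = fmt.Sprintf("HTTP/1.1 302 Found\r\nContent-Length: %d\r\nLocation: http://92.63.88.128/?NTDzLZ\r\n"+
	"Content-Type: text/html; charset=UTF-8\r\n\r\n%s", len(redirectBody), redirectBody)
var SampleUhttpd401 = "HTTP/1.0 401 Unauthorized\r\nServer: uhttpd/1.0.0\r\nConnection: close\r\n" +
	"WWW-Authenticate: Basic realm=\"NETGEAR WNDRMACv2\"\r\n\r\n<HTML><HEAD><TITLE> 401 Authorization</TITLE></HEAD></HTML>"

func main() { fmt.Println(HostDependent(SampleRedirect, SampleUhttpd401)) } // prints true
```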