VPN & Proxy Detection, Browser Spoof Detection using TCP

#1
05-24-2018
Junior Member
I recently came across this new tool that leaks a lot of information about your network and browser.
Please have a look at this http://witch.valdikss.org.ru/ and this article as well https://medium.com/@ValdikSS/detecti...e-1bcc59742413
I have 100% verified that PayPal uses TCP OS fingerprinting with software called NetScanTools. I saw a PayPal IP requesting a TCP OS fingerprint.
Does anyone know how to spoof this TCP OS fingerprint?

#2
05-24-2018
Executive [VIP]
Use virtual machines with a different OS and browser on each.

#3
05-24-2018
Junior Member, Threadstarter
Quote:
Originally Posted by phaz0rz
Use virtual machines with a different OS and browser on each.

It does not work. This is a TCP fingerprint, which uses your router to get info.

#4
05-24-2018
Junior Member, Threadstarter
Quote:
Originally Posted by phaz0rz
Use virtual machines with a different OS and browser on each.

A virtual machine can also be detected using JavaScript timing.

#5
05-24-2018
Executive [VIP]
Quote:
Originally Posted by iloveghosts
It does not work. This is a TCP fingerprint, which uses your router to get info.

The virtual network adapter of each of my VMs gets its own local IP from the router via DHCP. So my router sees each VM as a different host. Unless TCP is sending info about all connected devices on my network, I don't see why this would be an issue.

#6
05-24-2018
Executive [VIP]
Quote:
Originally Posted by iloveghosts
A virtual machine can also be detected using JavaScript timing.

How?
I think using a bunch of different computers on different networks is the only workaround then.
Regardless, it's never been an issue for me.

#7
05-24-2018
Executive [VIP]
This over-the-top paranoia about eBay and PayPal is only for people trying to do some really sketchy stuff and hiding from the law.

#8
05-24-2018
Senior Member
MTU value for VPN is a known issue. You can see it on whoer.net under extended version > TCP/IP. It's been that way forever and nothing has come of it yet. There must not be enough solid info that comes from this to determine you are using a VPN unless you are using an L2TP/IPsec client to connect. The info L2TP/IPsec gives, gives you away.
If you build your own VPN servers like I do, you can always set your own MTU value on the server side from 1500 MTU to something lower to make the MTU numbers different from your other accounts. But why? It's not necessary.
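
A server-side view of the MTU signal discussed in this post, as an added example that is not part of the original thread: it derives the MTU from the MSS option of a client's SYN and compares the TTL-implied OS family with the User-Agent. The MTU hint table, the field names and the sample connections are constructed assumptions.

```python
import re

IPV4_TCP_OVERHEAD = 40  # 20-byte IPv4 header + 20-byte TCP header (no options)

# Illustrative MTU hints in the style of p0f's MTU signatures (assumed values;
# a real deployment tunes this table against its own traffic).
MTU_HINTS = {1500: "ethernet", 1492: "pppoe", 1476: "gre-or-ipsec",
             1400: "generic-tunnel", 1300: "generic-tunnel"}
TUNNEL_HINTS = {"gre-or-ipsec", "generic-tunnel"}

def infer_mtu(mss):
    """The MSS in a SYN is normally the sender's link MTU minus 40 bytes (IPv4)."""
    return mss + IPV4_TCP_OVERHEAD

def initial_ttl(observed_ttl):
    """Round the observed TTL up to the nearest common initial value."""
    for start in (32, 64, 128, 255):
        if observed_ttl <= start:
            return start
    raise ValueError("TTL out of range")

def os_from_ttl(observed_ttl):
    """Common defaults: 64 for Linux/macOS/Android/iOS, 128 for Windows."""
    return {64: "unix-like", 128: "windows"}.get(initial_ttl(observed_ttl), "unknown")

def os_from_user_agent(user_agent):
    if re.search(r"Windows NT", user_agent):
        return "windows"
    if re.search(r"Linux|Android|Mac OS X|iPhone", user_agent):
        return "unix-like"
    return "unknown"

def assess(syn, user_agent):
    """Return weak signals (not a verdict) for one connection."""
    findings = []
    hint = MTU_HINTS.get(infer_mtu(syn["mss"]), "unlisted")
    if hint in TUNNEL_HINTS:
        findings.append("tunnel-mtu")
    tcp_os, ua_os = os_from_ttl(syn["ttl"]), os_from_user_agent(user_agent)
    if "unknown" not in (tcp_os, ua_os) and tcp_os != ua_os:
        findings.append("os-mismatch")
    return findings

# Constructed sample input: SYN fields as a capture pipeline might hand them over.
WINDOWS_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
DIRECT = {"mss": 1460, "ttl": 116}   # MTU 1500, TTL started at 128
SUSPECT = {"mss": 1360, "ttl": 52}   # MTU 1400, TTL started at 64

if __name__ == "__main__":
    print(assess(DIRECT, WINDOWS_UA))
    print(assess(SUSPECT, WINDOWS_UA))
```

Each finding is a probabilistic hint to be weighed with other signals; many legitimate clients sit behind links with a reduced MTU.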

#10
05-24-2018
Junior Member, Threadstarter
Quote:
Originally Posted by nate
MTU value for VPN is a known issue. You can see it on whoer.net under extended version > TCP/IP. It's been that way forever and nothing has come of it yet. There must not be enough solid info that comes from this to determine you are using a VPN unless you are using an L2TP/IPsec client to connect. The info L2TP/IPsec gives, gives you away.
If you build your own VPN servers like I do, you can always set your own MTU value on the server side from 1500 MTU to something lower to make the MTU numbers different from your other accounts. But why? It's not necessary.

It's not about MTU, man. Look at this whole TCP thing. It has a lot of different things such as uptime, TCP time, language.
I know Mullvad VPN fixes the TCP problem, but their VPN IPs can easily be detected.

#11
05-24-2018
Senior Member
Quote:
Originally Posted by iloveghosts
It's not about MTU, man. Look at this whole TCP thing. It has a lot of different things such as uptime, TCP time, language.
I know Mullvad VPN fixes the TCP problem, but their VPN IPs can easily be detected.

Yeah, but you're talking about something that can be detected by an open-source program like the tools in Kali Linux. To build something like that on the scale that eBay, PayPal, and Amazon need could take years... and that's if it's even possible to incorporate in their system.

#12
05-24-2018
Junior Member, Threadstarter
Quote:
Originally Posted by nate
MTU value for VPN is a known issue. You can see it on whoer.net under extended version > TCP/IP. It's been that way forever and nothing has come of it yet. There must not be enough solid info that comes from this to determine you are using a VPN unless you are using an L2TP/IPsec client to connect. The info L2TP/IPsec gives, gives you away.
If you build your own VPN servers like I do, you can always set your own MTU value on the server side from 1500 MTU to something lower to make the MTU numbers different from your other accounts. But why? It's not necessary.

There are a lot of ways to detect a VPN.
1. IP network intelligence.
2. IP hostnames.
3. They can also extract the ISP name and scrape the whole of Google to find out who owns it. This can be done easily.
4. Ping time: they can measure IP latency and detect VPNs and proxies.
I do not know much about TCP, but I believe there are new TCP headers with additional info. Witch uses p0f, but p0f has not been updated since 2004, I believe. TCP has advanced a lot since then. I can't find any new articles related to TCP fingerprinting.
There is one big company called ThreatMetrix that heavily uses TCP. PayPal also uses ThreatMetrix, as they state in their Privacy Policy.
Last edited by iloveghosts; 05-24-2018 at 09:50 AM.

#13
05-24-2018
Junior Member, Threadstarter
Quote:
Originally Posted by nate
Yeah, but you're talking about something that can be detected by an open-source program like the tools in Kali Linux. To build something like that on the scale that eBay, PayPal, and Amazon need could take years... and that's if it's even possible to incorporate in their system.

Why do you say that? It's already incorporated. I set up a small honeypot and PayPal does request TCP and ICMP details. It does not take years. It only takes about 1-2 days. Nowadays they use big data and machine learning systems to analyze everything in seconds. Both Amazon and PayPal heavily hire data scientists to build these impossible tools.
ML systems can be used to detect patterns. As an example, how you move the mouse is unique to you. Please see this new company that uses mouse and behavior-based fingerprinting: www.biocatch.com

#14
05-24-2018
Junior Member, Threadstarter
I do not use VPNs. I use AT&T hotspots. I just need a way to spoof this TCP stuff.

#15
05-24-2018
Senior Member
A VPN shouldn't use a DNS name. There is an option to disable it. It's only needed if the IP of the server running the VPN software isn't static, or you're behind a router.
The only way to get around these issues is to wait until they implement it, ban you, and try to find the loophole with trial and error. Otherwise it's a waste of time, and time is money.
Don't get me wrong. I appreciate the knowledge.... I've wasted hundreds if not thousands of hours working on VPNs to try and figure out everything there was to figure out. Problem is, I think it's never ending...
I literally wasted the whole day yesterday trying to fix my Chromebook because the built-in Strongswan UI for OpenVPN got messed up by Google's new update.
I tried all day to set up the VPN connection with Chrome OS's built-in OpenVPN 2.4.4 through the command line in a shell. I was able to get connected but something was wrong with the DNS name server. I tried everything... Changing the name server on the VPN server that gets pushed by DHCP... I tried changing the DNS nameserver in /etc/resolv.config inside Chrome OS.... I tried pushing the DNS nameserver through the command line with echo "nameserver 8.8.8.8" >> "etc/resolv.config".... Nothing... it still took forever for the DNS to translate...
I ended up fixing the UI by disabling network config in Chrome OS by going to Chrome://flags/#disable-network-config-settings-config
That took me all the way up until 10pm to figure out. Wasted a whole day just to connect two of my accounts to their VPNs... Because I didn't want to use the built-in Cisco (L2TP/IPsec) VPN client, since it gives away that you're behind a VPN.
Last edited by nate; 05-24-2018 at 10:04 AM.

#16
05-24-2018
Subscribed [VIP]
Wow! Just read the "invisible challenges" on biocatch.

#17
05-24-2018
Senior Member
Quote:
Originally Posted by iloveghosts
I do not use VPNs. I use AT&T hotspots. I just need a way to spoof this TCP stuff.

Why would you care? There are millions of people using a hotspot right this second for legitimate reasons.
You blend right in. A hotspot on a burner phone with no info connected to you is the best thing to hide behind.
Your best bet is to run Linux on the client side. Then you can spoof the MAC address and whatever else you are worried about.
Most people would think I'm lame using a Chromebook. They don't realize a Chromebook is a Linux machine that can do almost anything you can throw at it through the command line in a shell. You just have to put the Chromebook in DEV mode.
Last edited by nate; 05-24-2018 at 10:27 AM.

#18
05-24-2018
Junior Member, Threadstarter
Quote:
Originally Posted by nate
A VPN shouldn't use a DNS name. There is an option to disable it. It's only needed if the IP of the server running the VPN software isn't static, or you're behind a router.
The only way to get around these issues is to wait until they implement it, ban you, and try to find the loophole with trial and error. Otherwise it's a waste of time, and time is money.
Don't get me wrong. I appreciate the knowledge.... I've wasted hundreds if not thousands of hours working on VPNs to try and figure out everything there was to figure out. Problem is, I think it's never ending...
I literally wasted the whole day yesterday trying to fix my Chromebook because the built-in Strongswan UI for OpenVPN got messed up by Google's new update.
I tried all day to set up the VPN connection with Chrome OS's built-in OpenVPN 2.4.4. I was able to get connected but something was wrong with the DNS name server. I tried everything... Changing the name server on the VPN server that gets pushed by DHCP... I tried changing the DNS nameserver in /etc/resolv.config inside Chrome OS.... I tried pushing the DNS nameserver through the command line with echo "nameserver 8.8.8.8" >> "etc/resolv.config".... Nothing... it still took forever for the DNS to translate...
I ended up fixing the UI by disabling network config in Chrome OS by going to Chrome://flags/#disable-network-config-settings-config
That took me all the way up until 10pm to figure out. Wasted a whole day just to connect two of my accounts to their VPNs... Because I didn't want to use the built-in Cisco (L2TP/IPsec) VPN client, since it gives away that you're behind a VPN.

They've already implemented everything. They spent millions of dollars to build these things. Trust me, Aspkin people still have problems because of little stuff like TCP. PayPal's people are JavaScript gurus. Look at their obfuscated JavaScript scripts here: https://www.paypalobjects.com/websta...prod.pp.min.js https://c.paypal.com/webstatic/r/fb/...rod.pp2.min.js
FB does not mean Facebook. It's PayPal's own way to trick people into thinking the script is related to Facebook.
This script also uses the HTML5 File API:
The HTML5 File API can be used to extract your computer name and file paths. Some companies use the HTML5 File API to get the VBOX name to detect VMs.
Right now, Chrome has protections against the File API, but Firefox and many other browsers do not.

#19
05-24-2018
Junior Member, Threadstarter
Quote:
Originally Posted by nate
Why would you care? There are millions of people using a hotspot right this second for legitimate reasons.
You blend right in. A hotspot on a burner phone with no data connection to you is the best thing to hide behind.
Your best bet is to run Linux on the client side. Then you can spoof the MAC address and whatever else you are worried about.

The problem is not fixed because no one cared. I do not need to spoof the MAC address; I just want to fix the TCP stuff to create better stealth accounts.
I know millions of people use a hotspot for legitimate stuff, but I want it for stealth accounts, which are gray actually.

#20
05-24-2018
Administrator
If it's not broken, don't fix it.
Fresh VPNs work. I use VPN for all my accounts. Thousands of people on this forum use VPNs without any issue. It's more about the quality of that IP rather than whether you're using a VPN or not.
Mifi device works too and as you mentioned it's used by millions of people without issue.
We know about browser fingerprinting and there are ways around that as well. It's not in PayPal's interest to be overly strict about browser fingerprinting; it would block or give trouble to too many good people. Amazon is strict about it but VMs help here.
When things get harder we adjust.
I would be more concerned about other areas of stealth which you can't spoof. Everything else is easy.

#21
05-24-2018
Senior Member
Quote:
Originally Posted by iloveghosts
The problem is not fixed because no one cared. I do not need to spoof the MAC address; I just want to fix the TCP stuff to create better stealth accounts.
I know millions of people use a hotspot for legitimate stuff, but I want it for stealth accounts, which are gray actually.

I'm confused... with stealth, the nail that stands out gets hammered. If you hide all your TCP info you would stand out. If you spoofed it to look like a regular user, you would look like you do now.
There is no one single fingerprint for a PC that I know of. There are only odds of how many other PCs have the same fingerprint. The more PCs have the same fingerprint, the better off you are.
If you want to kill all this, why don't you run Windows or Linux with a GUI on a VPS and remote into it with TeamViewer or something similar?

#22
05-24-2018
Junior Member, Threadstarter
Quote:
Originally Posted by aspkin
If it's not broken, don't fix it.
Fresh VPNs work. I use VPN for all my accounts. Thousands of people on this forum use VPNs without any issue. It's more about the quality of that IP rather than whether you're using a VPN or not.
Mifi device works too and as you mentioned it's used by millions of people without issue.
We know about browser fingerprinting and there are ways around that as well. It's not in PayPal's interest to be overly strict about browser fingerprinting; it would block or give trouble to too many good people. Amazon is strict about it but VMs help here.
When things get harder we adjust.
I would be more concerned about other areas of stealth which you can't spoof. Everything else is easy.

It's broken, that's why we have to fix it. Your accounts may be running, but my accounts are getting worse every day. They actually can fingerprint your whole router with this stuff.
Like I said, I do not care about browser fingerprinting, because I already fixed that one myself.