I sniff traffic from the Whonix-gateway and see connections with different ip addresses. Whois (whoer.net) does not see that this ip addresses Tor. How can I make sure that there is no MITM attack? Between Whonix-gateway and Tor entry nodes. For example Whonix-gateway connect to ns211399.ip-188-165-213.eu → 188.165.213.156, wtf2.wtfismyip.com → 74.91.27.142 this Tor nodes?
What? Not sure I understand.
Use the original database. Not some third party website that could be broken.
ExoneraTor: a website that tells you whether a given IP address was a Tor relay:
https://metrics.torproject.org/exonerator.html
How can I make sure that there is no MITM attack?Probably only possible in limited obvious cases. Such as the Tor exits, see also: https://www.whonix.org/wiki/Warning#Man-in-the-middle_attacks
Or denial of service. Otherwise, I don’t think it’s possible to detect passive MITM. And if the MITM is successful, seems also very hard to detect. Maybe there is some clever way, but I would speculate, detection would be more probabilistic rather than conclusive.
See also:
I recommend to rephrase this question as a Tor-only or security-only question without any reference to Whonix. “detect mitm” Then you can ask such a general question in the bigger communities, see also:
I am not sure it’s a good idea to post your whole literal Tor circuit in public.
What you’re saying can be a big problem if its true. It can mean two things:
The gateway is leaking traffic outside Tor.
The gateway software is somehow compromised during build process and is phoning home.
But extraordinary claims need extraordinary proof.
Please post:
- Steps and version number to reproduce it.
- Wireshark logs
- Tell us if you run anything extra on the gateway other than what the image ships with.
- Check Tor node relay history to know if these IPs belonged to any Tor node at the time.
its going to be interesting if hes going to do ur requirements
valid-after 2015-04-20 19:00:00 r Unnamed xS96AmSufGUJdhZuoTmCUB7IEM4 w7VD4d14PWUlP82rCW4jXldAySE 2015-04-20 05:34:17 188.165.213.156 52743 52345Result is POSITIVE with high certainty!
We found one or more relays on IP address 188.165.213.156 in relay list published on 2015-04-20 that clients were likely to know.
valid-after 2015-04-20 19:00:00
r wtf2 Kp04COHd104MdpUvRyn5Po3dhlU FjQHSjNDUY9y2gvuKw88L9APuA4 2015-04-20 13:54:27 74.91.27.142 443 80Result is POSITIVE with high certainty!
We found one or more relays on IP address 74.91.27.142 in relay list published on 2015-04-20 that clients were likely to know.
Looks good to me.
[quote=“HulaHoop, post:5, topic:1033”][quote]valid-after 2015-04-20 19:00:00
r Unnamed xS96AmSufGUJdhZuoTmCUB7IEM4 w7VD4d14PWUlP82rCW4jXldAySE 2015-04-20 05:34:17 188.165.213.156 52743 52345
Result is POSITIVE with high certainty!
We found one or more relays on IP address 188.165.213.156 in relay list published on 2015-04-20 that clients were likely to know.
valid-after 2015-04-20 19:00:00
r wtf2 Kp04COHd104MdpUvRyn5Po3dhlU FjQHSjNDUY9y2gvuKw88L9APuA4 2015-04-20 13:54:27 74.91.27.142 443 80
Result is POSITIVE with high certainty!
We found one or more relays on IP address 74.91.27.142 in relay list published on 2015-04-20 that clients were likely to know.
[/quote]
Looks good to me.[/quote]
No errors, all right? This Thor address? Where can I check?
Update: I ask very sorry I found TOR ip check
https://exonerator.torproject.org
Excuse my bad English.