Thunderbird & Gmail

Gerardo Rodríguez grchapa at hotmail.com
Wed Oct 15 04:35:15 UTC 2008 

I also change the first three numbers in the mac addresses :0)

Any help will be appreciated

GR

Gerardo Rodríguez escribió:
> Hi once again. I was wondering if tor with thunderbird send 
> information to the pop3/smtp servers, this is what i found out. I had 
> to use thundebird ver 1.5.* with torbutton 1.0.4, and used the 
> WireShark to capture packets.
>
> While retrieving the mail this two readings where constant:
> _____________________________________________________________________________ 
>
>
> Frame 10 (60 bytes on wire, 60 bytes captured)
> Ethernet II, Src: 2wire_2e:d4:89 (aa:aa:aa:2e:d4:89), Dst: 
> Intel_94:e0:d3 (ff:ff:ff:94:e0:d3)
> Internet Protocol, Src: 83.132.242.113 (83.132.242.113), Dst: 
> 192.168.1.70 (192.168.1.70)
> Transmission Control Protocol, Src Port: mosaicsyssvc1 (1235), Dst 
> Port: 53328 (53328), Seq: 1, Ack: 1, Len: 0
>
> No.     Time        Source                Destination           
> Protocol Info
> 11 9.437005    2wire_2e:d4:89        Broadcast             ARP      
> Who has 192.168.1.65?  Tell 192.168.1.254
> _____________________________________________________________________________ 
>
>
> &
> _____________________________________________________________________________ 
>
>
> No.     Time        Source                Destination           
> Protocol Info
> 12 10.373837   192.168.1.70          88.198.51.7           TCP      
> 43089 > etlservicemgr [PSH, ACK] Seq=1 Ack=1 Win=64949 Len=586
>
> Frame 12 (640 bytes on wire, 640 bytes captured)
> Ethernet II, Src: Intel_94:e0:d3 (ff:ff:ff:94:e0:d3), Dst: 
> 2wire_2e:d4:89 (aa:aa:aa:2e:d4:89)
> Internet Protocol, Src: 192.168.1.70 (192.168.1.70), Dst: 88.198.51.7 
> (88.198.51.7)
> Transmission Control Protocol, Src Port: 43089 (43089), Dst Port: 
> etlservicemgr (9001), Seq: 1, Ack: 1, Len: 586
> Data (586 bytes)
>
> 0000  17 03 01 00 20 bc 7f 8b ef dc 1e 82 ca fa 53 e0   .... .........S.
> etc.
> _____________________________________________________________________________ 
>
>
> And while sending mail this two:
> _____________________________________________________________________________ 
>
>
> No.     Time        Source                Destination           
> Protocol Info
> 23 3.306572    CompName             schatten.darksystem.net TCP      
> florence > etlservicemgr [PSH, ACK] Seq=1 Ack=1 Win=64363 Len=586
>
> Frame 23 (640 bytes on wire, 640 bytes captured)
> Ethernet II, Src: CompName (ff:ff:ff:94:e0:d3), Dst: 192.168.1.254 
> (aa:aa:aa:2e:d4:89)
> Internet Protocol, Src: CompName (192.168.1.70), Dst: 
> schatten.darksystem.net (88.198.51.7)
> Transmission Control Protocol, Src Port: florence (1228), Dst Port: 
> etlservicemgr (9001), Seq: 1, Ack: 1, Len: 586
> Data (586 bytes)
>
> 0000  17 03 01 00 20 39 1e d3 cb fe 30 60 3f f2 5f 43   .... 9....0`?._C
> etc.
> _____________________________________________________________________________ 
>
>
> &
> _____________________________________________________________________________ 
>
>
> No.     Time        Source                Destination           
> Protocol Info
> 24 3.532021    schatten.darksystem.net CompName             TCP      
> etlservicemgr > florence [ACK] Seq=1 Ack=587 Win=65535 Len=0
>
> Frame 24 (60 bytes on wire, 60 bytes captured)
> Ethernet II, Src: 192.168.1.254 (aa:aa:aa:2e:d4:89), Dst: CompName 
> (ff:ff:ff:94:e0:d3)
> Internet Protocol, Src: schatten.darksystem.net (88.198.51.7), Dst: 
> CompName (192.168.1.70)
> Transmission Control Protocol, Src Port: etlservicemgr (9001), Dst 
> Port: florence (1228), Seq: 1, Ack: 587, Len: 0
> _____________________________________________________________________________ 
>
>
> Now:
>
> aa:aa:aa:2e:d4:89   is the actual mac address of the adapter in my router
> ff:ff:ff:94:e0:d3       is the actual mac address of the adapter in my pc
> CompName          is the name of my pc (faked :-)
>
> I´m not an expert in reading packets, but, this is a leak ain´t it?
>
>
>
>
> Gerardo Rodríguez escribió:
>> Thanks a lot, I´ll be running tests & I´ll post the results
>>
>> anonym escribió:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> On 08/10/08 01:09, Jonathan Addington wrote:
>>>  
>>>> With Wireshark you can filter by port.     
>>> ..
>>>  
>>>> To address the above, filter by ports, and then by your IP inside the
>>>> packet     
>>>
>>> Sure, filters make it easier finding stuff when you know what to look
>>> for, but I'm not sure that's the case here. In an analysis like this we
>>> are much more interested that which we had not anticipated. For 
>>> example,
>>> what if Thunderbird leaked DNS requests? Filtering away all but POP and
>>> SMTP would then hide this for us.
>>>
>>> We're not dealing with huge amounts of packets here really, perhaps a
>>> couple of hundreds of packets at most. That's a piece of cake to go
>>> through and will make the analysis more complete and thorough. IMHO,
>>> when dealing with these kinds of issues filtering comes in when that's
>>> not a realistic option.
>>>
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v2.0.9 (GNU/Linux)
>>>
>>> iEYEARECAAYFAkjr/NAACgkQp8EswdDmSVjMrwCfT2aJ7j7Cko2HhYIItj35gmrK
>>> VW4AoOjIfgtkSPrgghm9yusAz+137GSg
>>> =xWB4
>>> -----END PGP SIGNATURE-----
>>>
>>>
>>>
>>>   
>>
>>
>>
>
>
>

More information about the tor-talk mailing list