Heads, the grsec-hardened Devuan based Fork of Tails (14)
I'll put this page together as a tip for people who wish to learn a quick way to download something (big or small) in private, from the internet. I just figured out how to do it myself.
To that purpose, read also this tip at Devuan (Dev1) Galaxy Forums:
Heads, the libre privacy distro, some basic usage
https://dev1galaxy.org/viewtopic.php?pid=1032
I'm running out of hosting space though... OTOH, with just plain text, without showing it, and without some of the network trace (not all of it; I don't run uncenz (yet) in Heads, so the SSL is not decrypted), I'll save myself and the readers some MBs to post/download by removing those conversations...
It still needs to be pretty complete before I try and make a tip on:
dev1galaxy.org/
first, and then, later, on Gentoo Wiki.
This is how I dealt with the PCAP. (You need these two scripts, tshark-hosts-conv and tshark-streams, to be able to follow the procedure.) First I ran:
$ tshark-hosts-conv.sh -r dump_170324_2133_g0n.pcap -k dump_170324_2133_g0n_SSLKEYLOGFILE.txt
And in a separate dir I ran:
$ tshark-streams.sh -r dump_170324_2133_g0n.pcap -k dump_170324_2133_g0n_SSLKEYLOGFILE.txt
While tshark-hosts-conv.sh is grossly dirty and unprofessionally put together, even containing a few mistakes at this time, it still gets you, maybe with a little manual intervention when it tells you so, clear insight into who talked to your machine, when, for how long, how much traffic there was, and whether it is decryptable for you.
This is the complete PCAP:
$ ls -ABRgo *n.pcap
-rw-r--r-- 1 23858692 2017-03-24 21:41 dump_170324_2133_g0n.pcap
$ ls -ABRgoh *n.pcap
-rw-r--r-- 1 23M 2017-03-24 21:41 dump_170324_2133_g0n.pcap
$
And these are relevant, gotten after the few first interactions in tshark-hosts-conv:
$ ls -ABRgo dump_170324_2133_g0n-frame-http-request-full_uri.txt dump_170324_2133_g0n.[chP]*
-rw-r--r-- 1 2693 2017-03-24 23:04 dump_170324_2133_g0n.conv-ip
-rw-r--r-- 1  149 2017-03-24 23:04 dump_170324_2133_g0n-frame-http-request-full_uri.txt
-rw-r--r-- 1  535 2017-03-24 23:04 dump_170324_2133_g0n.hosts
-rw-r--r-- 1 9947 2017-03-24 23:04 dump_170324_2133_g0n.POST
$
$ cat dump_170324_2133_g0n-frame-http-request-full_uri.txt
25737 http://ocsp.usertrust.com/
25781 http://ocsp.int-x3.letsencrypt.org/
25793 https://secure.informaction.com/ipecho/
25809 http://93.138.21.243/
$
But all of it happened at the very end, at time "t=0:08:00" of the screencast (this link opens it in a new tab or window at 0:7:57):
$ capinfos dump_170324_2133_g0n.pcap | grep 'Number of packets'
Number of packets:   25 k
Number of packets = 25902
$
And all that traffic was with my host's Palemoon, to get the Heads page at Dyne, and also by Noscript.
Sometimes it looks to me that Noscript basically tracks you a little... I'm saying so because I always find these Noscript conversations, unlike with other plugins such as uMatrix, uBlock Origin or Decentraleyes... If that was happening in the guest, or if indeed that is happening in Heads itself (but I have no means to know yet --read around the string "(yet)" above), I would be concerned... Wait! No, it's not happening (at least it didn't happen during the online time of this PCAP)! Phew!... How do I know, you may ask? Because the conversations with informaction/noscript happened only on my host, i.e. after time 480s since the start of capture! See:
$ grep -E 'informaction|noscript' dump_170324_2133_g0n.hosts
69.195.158.195 secure.informaction.com
69.195.158.197 secure.informaction.com
69.195.158.194 secure.informaction.com
69.195.158.198 secure.informaction.com
69.195.158.196 secure.informaction.com
$
and:
$ grep 69.195.158.19 dump_170324_2133_g0n.conv-ip
69.195.158.198 <-> 192.168.1.2 18 2202 16 8074 34 10276 480.351216504 0.7056
$
where "480.351216504" is the relative start. Please see the combined hosts + conv-ip (after my manual editing of dump_170324_2133_g0n.non-local-hosts-ls-1) in tshark-hosts-conv_170324_230432.log; here is the relevant part:
$ cat tshark-hosts-conv_170324_230432.log | grep -A3000 =-=-=-=-=-=- | grep -B3000 =-=-=-=-=-=-
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
...
                                |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
81.2.237.32    <-> 192.168.1.2       16    1320        16    2416        32    3736     480.236451263      0.4748
---
69.195.158.198 secure.informaction.com
                                |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
69.195.158.198 <-> 192.168.1.2       18    2202        16    8074        34   10276     480.351216504      0.7056
---
178.21.114.142 assata.dyne.org
                                |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
178.21.114.142 <-> 192.168.1.2       30    3476        24   20740        54   24216     480.481691681      5.1146
---
178.255.83.1 ocsp.usertrust.com
                                |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
178.255.83.1   <-> 192.168.1.2       10    1634        10    2414        20    4048     480.597838473      0.1235
---
23.64.15.88 a771.dscq.akamai.net
                                |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
23.64.15.88    <-> 192.168.1.2       12    1792         8    2386        20    4178     480.721211352      4.8787
---
                                |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
93.138.21.243  <-> 192.168.1.2       16    1438        16   11112        32   12550     480.931342582      0.0316
---
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Anyway, continuing the run of the tshark-hosts-conv.sh command shown above, and accepting most of the offered actions (but I also deleted a few of the inconsequential, such as empty, files that those actions created), I was left with these PCAPs, the main one and those extracted from it:
$ ls -ABgotr | grep '\.pcap'
-rw-r--r-- 1 23858692 2017-03-24 21:41 dump_170324_2133_g0n.pcap
-rw-r--r-- 1    19216 2017-03-24 23:17 dump_170324_2133_g0n_224.1.1.77.pcap
-rw-r--r-- 1  2360484 2017-03-24 23:18 dump_170324_2133_g0n_212.47.244.38.pcap
-rw-r--r-- 1  2441380 2017-03-24 23:18 dump_170324_2133_g0n_163.172.149.122.pcap
-rw-r--r-- 1  2226448 2017-03-24 23:18 dump_170324_2133_g0n_158.69.92.127.pcap
-rw-r--r-- 1 16169824 2017-03-24 23:19 dump_170324_2133_g0n_89.163.224.25.pcap
-rw-r--r-- 1     2752 2017-03-24 23:19 dump_170324_2133_g0n_224.1.3.214.pcap
-rw-r--r-- 1     1600 2017-03-24 23:19 dump_170324_2133_g0n_224.1.3.217.pcap
-rw-r--r-- 1     5000 2017-03-24 23:20 dump_170324_2133_g0n_81.2.237.32.pcap
-rw-r--r-- 1    11576 2017-03-24 23:21 dump_170324_2133_g0n_69.195.158.198.pcap
-rw-r--r-- 1    26160 2017-03-24 23:23 dump_170324_2133_g0n_178.21.114.142.pcap
-rw-r--r-- 1     4888 2017-03-24 23:23 dump_170324_2133_g0n_178.255.83.1.pcap
-rw-r--r-- 1     5016 2017-03-24 23:24 dump_170324_2133_g0n_23.64.15.88.pcap
-rw-r--r-- 1    13776 2017-03-24 23:24 dump_170324_2133_g0n_93.138.21.243.pcap
$
And I decided to remove the heavy traffic conversations:
$ tshark -r dump_170324_2133_g0n.pcap -Y \
  '!((ip.addr==212.47.244.38)||(ip.addr==163.172.149.122)||(ip.addr==158.69.92.127)||(ip.addr==89.163.224.25))' \
  -w dump_170324_2133_g0n_lite.pcap
because those are just encrypted mumbo-jumbo, useless if you don't have the SSL keys (see also what it looks like with Heads' predecessor, this same section, number 10)... and that's:
$ mv -iv dump_170324_2133_g0n_lite.pcap dump_170324_2133_g0n.pcap
the PCAP that I publish.
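As an added example (not the author's tshark-hosts-conv.sh nor any file from this page), the Python below parses rows in the shape of the conv-ip table and .hosts list shown above, lists the conversations that started at or after a cutoff such as the 480 s mark where the host-only traffic begins, and builds the same kind of '!((ip.addr==...)||...)' display filter used above to drop the heavy conversations. The sample rows are constructed; the fourth row is invented to stand in for a bulk transfer.

```python
"""Parse tshark 'conv,ip' rows plus a hosts mapping, flag conversations by
start time and build the display filter that drops the heavy ones."""

# Constructed sample input (added example, not the page's files). The first
# three rows copy the shape of the page's conv-ip output; the last row is an
# invented bulk-transfer conversation used only to exercise the size filter.
CONV_IP = """\
81.2.237.32 <-> 192.168.1.2 16 1320 16 2416 32 3736 480.236451263 0.4748
69.195.158.198 <-> 192.168.1.2 18 2202 16 8074 34 10276 480.351216504 0.7056
178.21.114.142 <-> 192.168.1.2 30 3476 24 20740 54 24216 480.481691681 5.1146
89.163.224.25 <-> 192.168.1.2 9000 15000000 8000 900000 17000 15900000 3.5 470.2
"""
HOSTS = """\
69.195.158.198 secure.informaction.com
178.21.114.142 assata.dyne.org
"""

def parse_hosts(text):
    """Map IP -> hostname from 'ip hostname' lines (like the .hosts file)."""
    mapping = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            mapping[parts[0]] = parts[1]
    return mapping

def parse_conv(text):
    """Parse 'peer <-> local fr by fr by fr by start dur' rows; skip headers."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        if len(t) != 11 or t[1] != "<->":
            continue
        rows.append({"peer": t[0], "local": t[2],
                     "frames": int(t[7]), "bytes": int(t[8]),
                     "rel_start": float(t[9]), "duration": float(t[10])})
    return rows

def conversations_after(rows, cutoff_s, hosts=None):
    """Conversations starting at or after cutoff_s (e.g. host-only traffic
    once the guest was down) as (peer, hostname or peer, rel_start)."""
    hosts = hosts or {}
    return [(r["peer"], hosts.get(r["peer"], r["peer"]), r["rel_start"])
            for r in rows if r["rel_start"] >= cutoff_s]

def exclusion_filter(rows, min_bytes):
    """'!((ip.addr==A)||(ip.addr==B))' for peers carrying >= min_bytes."""
    heavy = [r["peer"] for r in rows if r["bytes"] >= min_bytes]
    return "!(" + "||".join(f"(ip.addr=={p})" for p in heavy) + ")" if heavy else ""
```

The returned filter string can be passed as-is to tshark -Y, as in the command above.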
---
That's the PCAP that I publish:
It really is different, reading the network with Tor, because it all happens on servers three or so hops away, so you can't capture all that happened throughout... But I do want to learn to control my side completely, if I manage...
In the screencast you saw a script that I used. But I'm not posting it here. First I'll post it on the dev1galaxy.org forums, but will give you the link here (here it is:
Heads, the libre privacy distro, some basic usage
https://dev1galaxy.org/viewtopic.php?pid=1032
), and later (depends on other circumstances when I can find time) on Gentoo Wiki (and also give you the link here, sure).
---
The main files are listed in:
dump_170324_2133_g0n.pcap
dump_170324_2133_g0n_SSLKEYLOGFILE.txt
Screen_170324_2133_g0n.webm
and verify to: ls-1-14.sum
signed by: ls-1-14.sum.asc
The files necessary for this study in more details are listed in:
pg14/dump_170324_2133_g0n.conv-ip
pg14/dump_170324_2133_g0n-frame-http-request-full_uri.txt
pg14/dump_170324_2133_g0n.hosts
pg14/dump_170324_2133_g0n.non-local-hosts-ls-1
pg14/dump_170324_2133_g0n.POST
pg14/tshark-hosts-conv_170324_230432.log
and verify to: ls-1pg14.sum
signed by: ls-1pg14.sum.asc
You might find dump_dLo.sh script from my uncenz program more useful than downloading each file separately.