Heads, the grsec-hardened Devuan based Fork of Tails (14)


I'll put this page together as a tip for people who wish to learn a quick way to download something (big or small) in private, from the internet. I just figured out how to do it myself.

To that purpose, read also this tip at Devuan (Dev1) Galaxy Forums:
Heads, the libre privacy distro, some basic usage
https://dev1galaxy.org/viewtopic.php?pid=1032

I'm running out of hosting space though... OTOH, with just plain text, without showing it, and without some of the network trace (not the entire trace; I don't run uncenz (yet) in Heads, so the SSL is not decrypted), I'll save myself and the readers some MBs to post/download by removing those conversations...

It still needs to be pretty complete before I try and make a tip on:
dev1galaxy.org/
first, and then, later, on Gentoo Wiki.

This is how I dealt with the PCAP. (You need these two scripts, tshark-hosts-conv and tshark-streams, to be able to follow the procedure.) First I ran:

$ tshark-hosts-conv.sh -r dump_170324_2133_g0n.pcap -k dump_170324_2133_g0n_SSLKEYLOGFILE.txt

And in a separate dir I ran:

$ tshark-streams.sh -r dump_170324_2133_g0n.pcap -k dump_170324_2133_g0n_SSLKEYLOGFILE.txt

While the tshark-hosts-conv.sh is grossly dirty and unprofessionally put together, even containing a few mistakes at this time, it still gets you, maybe with a little manual intervention when it tells you so, a clear insight into who talked to your machine, when, for how long, how much the traffic was, and whether it is decryptable for you.

This is the complete PCAP:

$ ls -ABRgo *n.pcap
-rw-r--r-- 1 23858692 2017-03-24 21:41 dump_170324_2133_g0n.pcap
$ ls -ABRgoh *n.pcap
-rw-r--r-- 1 23M 2017-03-24 21:41 dump_170324_2133_g0n.pcap
$

And these are the relevant files, gotten after the first few interactions in tshark-hosts-conv:

$ ls -ABRgo dump_170324_2133_g0n-frame-http-request-full_uri.txt  dump_170324_2133_g0n.[chP]*
-rw-r--r-- 1 2693 2017-03-24 23:04 dump_170324_2133_g0n.conv-ip
-rw-r--r-- 1  149 2017-03-24 23:04 dump_170324_2133_g0n-frame-http-request-full_uri.txt
-rw-r--r-- 1  535 2017-03-24 23:04 dump_170324_2133_g0n.hosts
-rw-r--r-- 1 9947 2017-03-24 23:04 dump_170324_2133_g0n.POST
$

$ cat dump_170324_2133_g0n-frame-http-request-full_uri.txt
25737	http://ocsp.usertrust.com/
25781	http://ocsp.int-x3.letsencrypt.org/
25793	https://secure.informaction.com/ipecho/
25809	http://93.138.21.243/
$

But all of it happened at the very end, at the time "t=0:08:00" of the screencast; this link opens it in a new tab or window at 0:7:57:

$ capinfos dump_170324_2133_g0n.pcap | grep 'Number of packets'
Number of packets:   25 k
                     Number of packets = 25902
$

And all that traffic was with my host's Palemoon, to get the Heads page at Dyne, and also by Noscript.

Sometimes it looks to me that Noscript basically tracks you a little... I'm saying so because I always find these Noscript conversations, unlike with other plugins, such as uMatrix and uBlock Origin or Decentraleyes... If that was happening in the guest, I would be concerned, or if indeed that is happening (but I have no means to know yet --read around the string "(yet)" above) in Heads itself, I am concerned... Wait! No, it's not happening (at least it didn't happen during the online time of this PCAP)! Phew!... How do I know, you may ask? Because the conversations with informaction/noscript happened only in my host, i.e. after time 480s since the start of capture! See:

$ grep -E 'informaction|noscript' dump_170324_2133_g0n.hosts 
69.195.158.195	secure.informaction.com
69.195.158.197	secure.informaction.com
69.195.158.194	secure.informaction.com
69.195.158.198	secure.informaction.com
69.195.158.196	secure.informaction.com
$

and:

$ grep 69.195.158.19  dump_170324_2133_g0n.conv-ip 
69.195.158.198       <-> 192.168.1.2               18      2202      16      8074      34     10276   480.351216504         0.7056
$

where "480.351216504" is the relative start. Please see the combined hosts + conv-ip (after my manual editing of dump_170324_2133_g0n.non-local-hosts-ls-1) in tshark-hosts-conv_170324_230432.log; here is the relevant part:

$ cat tshark-hosts-conv_170324_230432.log | grep -A3000 =-=-=-=-=-=- | grep -B3000 =-=-=-=-=-=-

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
...
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
81.2.237.32          <-> 192.168.1.2               16      1320      16      2416      32      3736   480.236451263         0.4748
---

69.195.158.198	secure.informaction.com
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
69.195.158.198       <-> 192.168.1.2               18      2202      16      8074      34     10276   480.351216504         0.7056
---

178.21.114.142	assata.dyne.org
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
178.21.114.142       <-> 192.168.1.2               30      3476      24     20740      54     24216   480.481691681         5.1146
---

178.255.83.1	ocsp.usertrust.com
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
178.255.83.1         <-> 192.168.1.2               10      1634      10      2414      20      4048   480.597838473         0.1235
---

23.64.15.88	a771.dscq.akamai.net
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
23.64.15.88          <-> 192.168.1.2               12      1792       8      2386      20      4178   480.721211352         4.8787
---

                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
93.138.21.243        <-> 192.168.1.2               16      1438      16     11112      32     12550   480.931342582         0.0316
---

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Anyway, continuing the run of the tshark-hosts-conv.sh command shown above, and accepting most of the offered actions (but I also deleted a few of the inconsequential, such as empty, files that those actions created), I was left with these PCAPs, the main one and those extracted from the main one:

$ ls -ABgotr | grep '\.pcap'
-rw-r--r-- 1 23858692 2017-03-24 21:41 dump_170324_2133_g0n.pcap
-rw-r--r-- 1    19216 2017-03-24 23:17 dump_170324_2133_g0n_224.1.1.77.pcap
-rw-r--r-- 1  2360484 2017-03-24 23:18 dump_170324_2133_g0n_212.47.244.38.pcap
-rw-r--r-- 1  2441380 2017-03-24 23:18 dump_170324_2133_g0n_163.172.149.122.pcap
-rw-r--r-- 1  2226448 2017-03-24 23:18 dump_170324_2133_g0n_158.69.92.127.pcap
-rw-r--r-- 1 16169824 2017-03-24 23:19 dump_170324_2133_g0n_89.163.224.25.pcap
-rw-r--r-- 1     2752 2017-03-24 23:19 dump_170324_2133_g0n_224.1.3.214.pcap
-rw-r--r-- 1     1600 2017-03-24 23:19 dump_170324_2133_g0n_224.1.3.217.pcap
-rw-r--r-- 1     5000 2017-03-24 23:20 dump_170324_2133_g0n_81.2.237.32.pcap
-rw-r--r-- 1    11576 2017-03-24 23:21 dump_170324_2133_g0n_69.195.158.198.pcap
-rw-r--r-- 1    26160 2017-03-24 23:23 dump_170324_2133_g0n_178.21.114.142.pcap
-rw-r--r-- 1     4888 2017-03-24 23:23 dump_170324_2133_g0n_178.255.83.1.pcap
-rw-r--r-- 1     5016 2017-03-24 23:24 dump_170324_2133_g0n_23.64.15.88.pcap
-rw-r--r-- 1    13776 2017-03-24 23:24 dump_170324_2133_g0n_93.138.21.243.pcap
$

And I decided to remove the heavy traffic conversations:

$ tshark -r dump_170324_2133_g0n.pcap -Y \
	'!((ip.addr==212.47.244.38)||(ip.addr==163.172.149.122)||(ip.addr==158.69.92.127)||(ip.addr==89.163.224.25))' \
	-w dump_170324_2133_g0n_lite.pcap 

because those are just encrypted mumbo-jumbo, useless if you don't have the SSL keys (see also what it looks like with Heads' predecessor, this same section, number 10)... and that's:

$ mv -iv dump_170324_2133_g0n_lite.pcap dump_170324_2133_g0n.pcap

the PCAP that I publish.
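The two hand-done steps above (reading relative start times in conv-ip against the hosts file to tell host-side conversations from guest-side ones, and building the "-Y" exclusion filter from the heavy conversations) done in one small Python script. This is an added example, not the page's tshark-hosts-conv.sh or tshark-streams.sh. The six small conv-ip rows and the hosts rows are copied from this page's output; the frame and byte counts and start times of the four heavy peers, the 480 s host-side cut-off and the 1 MB threshold are constructed assumptions.

```python
"""Join a tshark 'conv,ip' table with a hosts listing, list the conversations
that started on the host side of the capture, and build the tshark display
filter that drops the heavy encrypted conversations before publishing the PCAP.

Added example; not the page's tshark-hosts-conv.sh or tshark-streams.sh.
"""
from dataclasses import dataclass

LOCAL_IP = "192.168.1.2"   # the capturing machine, as in the page's conv-ip rows

# Constructed sample in the format of 'tshark -z hosts' output (rows from the page).
HOSTS_SAMPLE = """\
69.195.158.198\tsecure.informaction.com
178.21.114.142\tassata.dyne.org
178.255.83.1\tocsp.usertrust.com
23.64.15.88\ta771.dscq.akamai.net
"""

# Constructed sample in the format of 'tshark -z conv,ip' output. The six small
# rows are the page's own; the four heavy rows use the page's IPs, but their
# frame/byte counts and start times are made up (assumption) for illustration.
CONV_SAMPLE = """\
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
212.47.244.38        <-> 192.168.1.2              900   2200000     700    160484   1600   2360484    12.000000000       455.0000
163.172.149.122      <-> 192.168.1.2              950   2300000     720    141380   1670   2441380    12.500000000       455.0000
158.69.92.127        <-> 192.168.1.2              880   2100000     690    126448   1570   2226448    13.000000000       455.0000
89.163.224.25        <-> 192.168.1.2             5000  15000000    3500   1169824   8500  16169824    20.000000000       450.0000
81.2.237.32          <-> 192.168.1.2               16      1320      16      2416      32      3736   480.236451263         0.4748
69.195.158.198       <-> 192.168.1.2               18      2202      16      8074      34     10276   480.351216504         0.7056
178.21.114.142       <-> 192.168.1.2               30      3476      24     20740      54     24216   480.481691681         5.1146
178.255.83.1         <-> 192.168.1.2               10      1634      10      2414      20      4048   480.597838473         0.1235
23.64.15.88          <-> 192.168.1.2               12      1792       8      2386      20      4178   480.721211352         4.8787
93.138.21.243        <-> 192.168.1.2               16      1438      16     11112      32     12550   480.931342582         0.0316
"""


@dataclass
class Conversation:
    peer: str           # the non-local endpoint
    frames_total: int
    bytes_total: int
    rel_start: float    # seconds since the start of the capture
    duration: float
    name: str = ""      # filled in from the hosts listing, if known


def parse_conv(text, local=LOCAL_IP):
    """Parse 'tshark -z conv,ip' rows; header, separator and blank lines are skipped."""
    convs = []
    for line in text.splitlines():
        t = line.split()
        if len(t) != 11 or t[1] != "<->":
            continue
        a, b = t[0], t[2]
        peer = b if a == local else a
        convs.append(Conversation(peer, int(t[7]), int(t[8]), float(t[9]), float(t[10])))
    return convs


def parse_hosts(text):
    """Map IP -> first name seen for it in a 'tshark -z hosts' style listing."""
    hosts = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 2:
            hosts.setdefault(t[0], t[1])
    return hosts


def annotate(convs, hosts):
    for c in convs:
        c.name = hosts.get(c.peer, "")
    return convs


def started_after(convs, t0):
    """Conversations whose relative start is at or after t0, earliest first."""
    return sorted((c for c in convs if c.rel_start >= t0), key=lambda c: c.rel_start)


def heavy_peers(convs, min_bytes):
    """Peers of conversations carrying at least min_bytes, in table order."""
    return [c.peer for c in convs if c.bytes_total >= min_bytes]


def exclusion_filter(ips):
    """Display filter in the form the page passes to 'tshark -Y ... -w lite.pcap'."""
    return "!(" + "||".join(f"(ip.addr=={ip})" for ip in ips) + ")"


def summary(conv_text=CONV_SAMPLE, hosts_text=HOSTS_SAMPLE,
            host_side_start=480.0, min_bytes=1_000_000):
    """One line per host-side conversation, then the tshark command to strip the heavy ones."""
    convs = annotate(parse_conv(conv_text), parse_hosts(hosts_text))
    lines = [f"{c.rel_start:14.6f}s {c.bytes_total:8d} B  {c.peer:16} {c.name or '(no name in hosts)'}"
             for c in started_after(convs, host_side_start)]
    lines.append("tshark -r in.pcap -Y '" + exclusion_filter(heavy_peers(convs, min_bytes)) + "' -w lite.pcap")
    return lines


if __name__ == "__main__":
    print("\n".join(summary()))
```

Run it as-is to see the six conversations that began after 480 s (the Palemoon/Noscript ones on the host) with their names, followed by the same "-Y" filter string as in the command above. With a real capture, feed it the conv-ip and hosts files that tshark-hosts-conv writes instead of the embedded samples, and check the peers that end up in the filter against the hosts listing before stripping them, so that a small but unexplained conversation is not thrown away together with the bulk encrypted ones.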

---

That's the PCAP that I publish:

dump_170324_2133_g0n.pcap

It really is different, reading the network with Tor, because it all happens on servers three or so hops distant, so you can't capture all that happened throughout... But I do want to learn to control my side, completely, if I manage...

In the screencast you saw a script that I used. But I'm not posting it here. First I'll post it on the dev1galaxy.org forums, but will give you the link here (here it is:
Heads, the libre privacy distro, some basic usage
https://dev1galaxy.org/viewtopic.php?pid=1032
), and later (depends on other circumstances when I can find time) on Gentoo Wiki (and also give you the link here, sure).

---

The main files are listed in:

ls-1-14

dump_170324_2133_g0n.pcap
dump_170324_2133_g0n_SSLKEYLOGFILE.txt
Screen_170324_2133_g0n.webm

and verify to: ls-1-14.sum signed by: ls-1-14.sum.asc

The files necessary to study this in more detail are listed in:

ls-1pg14

pg14/dump_170324_2133_g0n.conv-ip
pg14/dump_170324_2133_g0n-frame-http-request-full_uri.txt
pg14/dump_170324_2133_g0n.hosts
pg14/dump_170324_2133_g0n.non-local-hosts-ls-1
pg14/dump_170324_2133_g0n.POST
pg14/tshark-hosts-conv_170324_230432.log

and verify to: ls-1pg14.sum signed by: ls-1pg14.sum.asc

You might find the dump_dLo.sh script from my uncenz program more useful than downloading each file separately.