Security Basics mailing list archives
RE: HTTP tunneling to bypass proxy filter
From: "Hayes, Ian" <ihayes () nvcancer org>
Date: Mon, 21 Apr 2008 15:57:26 -0700
This will work, but some devices will notice it. I did something similar while doing some contract work for the Air Force. One of the first projects I worked on was figure out how to bypass the content filters they use at the bases. I set up a Linux box at home with SSHD listening on port 443. The proxy they were using was a pain, it didn't really like me trying to connect through it using SSH as a local SOCKS proxy. Eventually, I had to wrap that all up in a HTTP tunneller. I had to write an ACL to prevent access to port 443 from the outside except for the base's outside address because if my provider were able to connect to 443, they'd shut my connection down... Eventually the guys further up the food chain noticed a good amount of traffic going to a residential IP address, and looked into it. They were very puzzled because they were seeing SSH traffic over an SSL port, and made some phone calls to the base NOC where I was working. We worked on reconfiguring their proxies to reject this kind of traffic. I'm not sure of they were ultimately successful in preventing this or not. -- Ian Hayes Systems Engineer Nevada Cancer Institute Office:(702) 822-5156 email: ihayes () nvcancer org http://www.nevadacancerinstitute.org -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Brandon Louder Sent: Monday, April 21, 2008 11:05 AM To: uglyhunK; security-basics Subject: RE: HTTP tunneling to bypass proxy filter I am interested in hearing comments about this as well. I believe there are some newer web security appliances that do deep inspection at the application layer that would catch this, hopefully someone else can contribute. Another scenario in relation to your custom http tunnel client is a socks based proxy to an SSH server. If you have an internet facing SSH server and set it to listen on port 443 you should be able to tunnel your web traffic over HTTPS. For instance with putty you can do: putty -D 8080 -P 443 -ssh "ip address" And then set your web browser to use socks proxy of localhost on port 8080. All of the web traffic would then show up as https to the remote IP. If you have a web security appliance that does HTTPS decryption and deep inspection it may not work, similar as with the HTTP tunnel client. -brandon -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of uglyhunK Sent: Saturday, April 19, 2008 8:39 AM To: security-basics Subject: HTTP tunneling to bypass proxy filter Recently I was challenged by network admin to bypass corporate HTTP proxy filter. Easier option would have been to download one of many HTTP tunnel clients but that is ruled out as all the sites are blocked. I didn't want to email the installation file as there is a strict monitoring policy to using email and "leaving no traces" is one of the primary conditions. Only option left was to write my own HTTP tunneling client and being a developer I have access to JDK. Server component is written in PHP and it works like a charm; all the communication is encoded in base64 (though not the best way to obfuscate data). It took me just 10 days to successfully bypass the proxy filter and access literally all the websites except https ones. Just for the info, this is @ one of the largest American banks. So, I won the first round and now I threw a challenge @ him to identify this kinda of tunneled data and block it successfully. I'm not sure if he can do this, but, would like to know from you guys if there is any way for the admin to block me from using custom tunnel client. -uglyhunK ----------------------------------------- Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. -------------------------------------------------------------------------- CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential, proprietary, and/or privileged information protected by law. If you are not the intended recipient, you may not use, copy, or distribute this e-mail message or its attachments. If you believe you have received this e-mail message in error, please contact the sender by reply e-mail and destroy all copies of the original message
Current thread:
- HTTP tunneling to bypass proxy filter uglyhunK (Apr 21)
- RE: HTTP tunneling to bypass proxy filter Brandon Louder (Apr 21)
- RE: HTTP tunneling to bypass proxy filter Hayes, Ian (Apr 22)
- Re: HTTP tunneling to bypass proxy filter Tsu (Apr 22)
- Re: HTTP tunneling to bypass proxy filter Siddharth Upmanyu (Apr 22)
- Re: HTTP tunneling to bypass proxy filter Siddharth Upmanyu (Apr 22)
- Re: HTTP tunneling to bypass proxy filter Francisco Neira Basso (Apr 22)
- Re: HTTP tunneling to bypass proxy filter p1g (Apr 23)
- Re: HTTP tunneling to bypass proxy filter Francisco Neira Basso (Apr 22)
- <Possible follow-ups>
- RE: HTTP tunneling to bypass proxy filter uglyhunK (Apr 22)
- Re: Re: HTTP tunneling to bypass proxy filter uglyhunK (Apr 24)
- Re: Re: HTTP tunneling to bypass proxy filter Albert R. Campa (Apr 29)
- RE: Re: HTTP tunneling to bypass proxy filter uglyhunK (Apr 30)
- Re: HTTP tunneling to bypass proxy filter Patrick Debois (Apr 30)
- Re: Re: HTTP tunneling to bypass proxy filter Albert R. Campa (Apr 29)
- RE: HTTP tunneling to bypass proxy filter Brandon Louder (Apr 21)