Security Basics mailing list archives
RE: HTTP tunneling to bypass proxy filter
From: "uglyhunK" <uglyhunK () hippiecluB org>
Date: Tue, 22 Apr 2008 23:07:53 +0530
I'm sure you know that tunneling is nothing new and HTTP tunneling to bypass proxy filters too has been there for a long time now. And I very well know that folks like you can detect the traffic if you come to know that something like this is happening or if you get a handle to the actual tunneling client which is being used. Given below is the communication mechanism for my client; I would like to know, how any IDS will raise an alarm.. browser <-------> cutome http <--------> corporate proxy <------------> http tunnel tunnel client filter server http://safe.org/htse rver.php The URL shown in the above depiction is harmless and is always allowed. I encrypt(custome algorithm) and tunnel all requests from the browser to this URL which decrypts the same, connects to the actual location and fetches the response. And finally, I'm lil' surprised to find that everyone is thinking about monitoring this @ the network end. Is there any way to stop this @ the user end?? why letting this possibility in the first place?? Any thoughts??????? -uglyhunK -----Original Message----- From: James, Jay [mailto:jjames () idanalytics com] Sent: Monday, April 21, 2008 8:34 PM To: uglyhunK Subject: RE: HTTP tunneling to bypass proxy filter Since this is the 'security basics' list, perhaps some of the new-ish guys here could benefit by how you did everything :) Some of the concepts of proxying, tunneling, JDK, PHP, inside vs. outside... are concepts we come up against from time to time and I certainly could have benefitted from this knowledge in my early days! If you post the code to your bypass mechanism, I would tell you how I would go about detecting it :) I do it for a living, so I better be good at it! Jcj -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of uglyhunK Sent: Saturday, April 19, 2008 6:39 AM To: security-basics Subject: HTTP tunneling to bypass proxy filter Recently I was challenged by network admin to bypass corporate HTTP proxy filter. Easier option would have been to download one of many HTTP tunnel clients but that is ruled out as all the sites are blocked. I didn't want to email the installation file as there is a strict monitoring policy to using email and "leaving no traces" is one of the primary conditions. Only option left was to write my own HTTP tunneling client and being a developer I have access to JDK. Server component is written in PHP and it works like a charm; all the communication is encoded in base64 (though not the best way to obfuscate data). It took me just 10 days to successfully bypass the proxy filter and access literally all the websites except https ones. Just for the info, this is @ one of the largest American banks. So, I won the first round and now I threw a challenge @ him to identify this kinda of tunneled data and block it successfully. I'm not sure if he can do this, but, would like to know from you guys if there is any way for the admin to block me from using custom tunnel client. -uglyhunK
Current thread:
- HTTP tunneling to bypass proxy filter uglyhunK (Apr 21)
- RE: HTTP tunneling to bypass proxy filter Brandon Louder (Apr 21)
- RE: HTTP tunneling to bypass proxy filter Hayes, Ian (Apr 22)
- Re: HTTP tunneling to bypass proxy filter Tsu (Apr 22)
- Re: HTTP tunneling to bypass proxy filter Siddharth Upmanyu (Apr 22)
- Re: HTTP tunneling to bypass proxy filter Siddharth Upmanyu (Apr 22)
- Re: HTTP tunneling to bypass proxy filter Francisco Neira Basso (Apr 22)
- Re: HTTP tunneling to bypass proxy filter p1g (Apr 23)
- Re: HTTP tunneling to bypass proxy filter Francisco Neira Basso (Apr 22)
- <Possible follow-ups>
- RE: HTTP tunneling to bypass proxy filter uglyhunK (Apr 22)
- Re: Re: HTTP tunneling to bypass proxy filter uglyhunK (Apr 24)
- Re: Re: HTTP tunneling to bypass proxy filter Albert R. Campa (Apr 29)
- RE: Re: HTTP tunneling to bypass proxy filter uglyhunK (Apr 30)
- Re: HTTP tunneling to bypass proxy filter Patrick Debois (Apr 30)
- Re: Re: HTTP tunneling to bypass proxy filter Albert R. Campa (Apr 29)
- RE: HTTP tunneling to bypass proxy filter Brandon Louder (Apr 21)