RE: HTTP tunneling to bypass proxy filter

["uglyhunK" <uglyhunK () hippiecluB org>]

I'm sure you know that tunneling is nothing new and HTTP tunneling to bypass
proxy filters too has been there for a long time now. And I very well know
that folks like you can detect the traffic if you come to know that
something like this is happening or if you get a handle to the actual
tunneling client which is being used.

Given below is the communication mechanism for my client; I would like to
know, how any IDS will raise an alarm..

  browser <-------> cutome http   <--------> corporate proxy <------------>
http tunnel
                    tunnel client             filter                                server
                                                                                    http://safe.org/htse
rver.php

 The URL shown in the above depiction is harmless and is always allowed. I
encrypt(custome algorithm) and tunnel all requests from the browser to this
URL which decrypts the same, connects to the actual location and fetches the
response.

And finally, I'm lil' surprised to find that everyone is thinking about
monitoring this @ the network end. Is there any
way to stop this @ the user end?? why letting this possibility in the first
place??

Any thoughts???????

-uglyhunK


-----Original Message-----
From: James, Jay [mailto:jjames () idanalytics com]
Sent: Monday, April 21, 2008 8:34 PM
To: uglyhunK
Subject: RE: HTTP tunneling to bypass proxy filter


Since this is the 'security basics' list, perhaps some of the new-ish
guys here could benefit by how you did everything :)

Some of the concepts of proxying, tunneling, JDK, PHP, inside vs.
outside...
are concepts we come up against from time to time and I certainly could
have benefitted from this knowledge in my early days!

If you post the code to your bypass mechanism, I would tell you how I
would go about detecting it :) I do it for a living, so I better be good
at it!




Jcj



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of uglyhunK
Sent: Saturday, April 19, 2008 6:39 AM
To: security-basics
Subject: HTTP tunneling to bypass proxy filter


Recently I was challenged by network admin to bypass corporate HTTP
proxy
filter. Easier option would have been to download one of many HTTP
tunnel
clients but that is ruled out as all the sites are blocked. I didn't
want to
email the installation file as there is a strict monitoring policy to
using
email and "leaving no traces" is one of the primary conditions.

Only option left was to write my own HTTP tunneling client and being a
developer I have access to JDK. Server component is written in PHP and
it
works like a charm; all the communication is encoded in base64 (though
not
the best way to obfuscate data). It took me just 10 days to successfully
bypass the proxy filter and access literally all the websites except
https
ones. Just for the info, this is @ one of the largest American banks.
So, I
won the first round and now I threw a challenge @ him to identify this
kinda
of tunneled data and block it successfully.

I'm not sure if he can do this, but, would like to know from you guys if
there is any way for the admin to block me from using custom tunnel
client.


-uglyhunK