Metasploit mailing list archives

Http-Tunnel Questions

From: night_rider_25 at hotmail.com (the unknown unknown)
Date: Fri, 21 Apr 2006 22:39:38 +0000

hi man you know i guess that a guy named miller wrote some tme ago a payload 
that used i.e
to connect back through http.

hey man by the way i have a question for you if ya dont mind:
when you discover a vulnerability in a remote system and try to exploit it 
using metasploit and get blocked by the firewall or ids,you have any idea 
how to bypass the ids or firewall and exploit the vuln?
please reply
thanks

From: Jerome Athias <jerome.athias at free.fr>
Reply-To: framework at metasploit.com
To: framework at metasploit.com
CC: thomas.werth at vahle.de
Subject: Re: [framework] Http-Tunnel Question
Date: Fri, 21 Apr 2006 14:20:23 +0200

Thomas Werth a ?crit :

Hi,

Actual i tested how to leak a firewall using http-tunnel. Using software
from http://www.http-tunnel.com/ makes it quite easy, additional i found
gnu http tunnel beeing open source. So i guess including this in ones
evil planes might be easy.

Blocking first one is easy by forbidding proxy end hosts, but second one
with random "tunnel end servers" seems to be impossible. Am i wrong ,
are there other tricks to stop it ( firewalling each host with personal
firewall for example ) ?

Now my question :
Would it be easy to create a http-tunnel payload , so an attack can be
connect back through firewall to outside and infiltrate a firm intranet
? Maybe with an auto-proxy setting from i.e. or similar ?

Or is size for this payload to big to fit into an overflow , so only
really spezialied hackers are able to create such hacks ?

Target of my question is :
May this vuln be exploited ( in future ) by a worm or more likley only a
vision for a good hacker with high motivation ?

Would it be possible to add such a payload into metasploit ?

greets
Thomas

Hi,

a nice little tool i recently found about this subject is "ConnectTunnel" 
by Benjamin CAILLAT.
It uses the CONNECT method to creates a tunnel through a proxy and so 
bypass a firewall (think about HTTPS)
it also includes passive FTP connection management
it works both on Windows and Linux

you could give it a try:
http://benjamin.caillat.free.fr/ressources/connect_tunnel/ConnectTunnel.zip

after that, for MSF payload i actually don't know more...

/JA

Current thread:

Http-Tunnel Question Thomas Werth (Apr 20)
- Http-Tunnel Question Jerome Athias (Apr 21)
  - Http-Tunnel Questions the unknown unknown (Apr 21)
- Http-Tunnel Question H D Moore (Apr 21)
- Http-Tunnel Question Chris Byrd (Apr 21)
  - Http-Tunnel Question Jason Haar (Apr 22)
  - Http-Tunnel Question Thomas Werth (Apr 23)