Http-Tunnel Question

[thomas.werth at vahle.de (Thomas Werth)]

thx you (all) for your information.

Especially future look to vpn "features".

Don't know why i overlooked passivex, but for now i see this as a very
high risk. Exploiting such a vuln should be possible by a malicious
web-site prepared for ie, then tunnel back via passivex. As passiveX
uses IE with all default settings ( proxy, auth , personal firewall
rules ... )
I guess virus-scanner won't find, snort maybe fooled. I fear i'm right,
am i ?

well knowing way of exploit might be first step to secure site :-)


Chris Byrd schrieb:
> You might be interested in reading my writeup about GNU httptunnel at
> http://riosec.com/exploring-httptunnel/.
>
> Bottom line is that it is easy to detect the current implementation by
> looking for a hard coded signature (namely
> 'index\.html\?crap\=\d{10}'), but that could be easily changed by
> modifying the source.  Otherwise, you'd need to rely on statistical
> methods to detect it.
>
> Avoiding these types of attack comes down to: 1. Securing your clients
> (client permissions, desktop firewalls, etc.), 2. Authentication and
> filtering at the application gateway, 3. Good network IDS
>
> As H D Moore already mentioned, you'll also want to take a look at the
> PassiveX payload in Metasploit.  It's a killer payload that hijacks
> the victim's Internet Explorer to tunnel payload data.  Its very
> stealthy, and works even through application proxies.
>
> - Chris
>
> On 4/21/06, Thomas Werth <thomas.werth at vahle.de> wrote:
> > Hi,
> >
> > Actual i tested how to leak a firewall using http-tunnel. Using software
> > from http://www.http-tunnel.com/ makes it quite easy, additional i found
> > gnu http tunnel beeing open source. So i guess including this in ones
> > evil planes might be easy.
> >
> > Blocking first one is easy by forbidding proxy end hosts, but second one
> > with random "tunnel end servers" seems to be impossible. Am i wrong ,
> > are there other tricks to stop it ( firewalling each host with personal
> > firewall for example ) ?
> >
> > Now my question :
> > Would it be easy to create a http-tunnel payload , so an attack can be
> > connect back through firewall to outside and infiltrate a firm intranet
> > ? Maybe with an auto-proxy setting from i.e. or similar ?
> >
> > Or is size for this payload to big to fit into an overflow , so only
> > really spezialied hackers are able to create such hacks ?
> >
> > Target of my question is :
> > May this vuln be exploited ( in future ) by a worm or more likley only a
> > vision for a good hacker with high motivation ?
> >
> > Would it be possible to add such a payload into metasploit ?
> >
> > greets
> > Thomas