Metasploit mailing list archives
Http-Tunnel Question
From: thomas.werth at vahle.de (Thomas Werth)
Date: Mon, 24 Apr 2006 07:48:31 +0200
thx you (all) for your information. Especially future look to vpn "features". Don't know why i overlooked passivex, but for now i see this as a very high risk. Exploiting such a vuln should be possible by a malicious web-site prepared for ie, then tunnel back via passivex. As passiveX uses IE with all default settings ( proxy, auth , personal firewall rules ... ) I guess virus-scanner won't find, snort maybe fooled. I fear i'm right, am i ? well knowing way of exploit might be first step to secure site :-) Chris Byrd schrieb:
You might be interested in reading my writeup about GNU httptunnel at http://riosec.com/exploring-httptunnel/. Bottom line is that it is easy to detect the current implementation by looking for a hard coded signature (namely 'index\.html\?crap\=\d{10}'), but that could be easily changed by modifying the source. Otherwise, you'd need to rely on statistical methods to detect it. Avoiding these types of attack comes down to: 1. Securing your clients (client permissions, desktop firewalls, etc.), 2. Authentication and filtering at the application gateway, 3. Good network IDS As H D Moore already mentioned, you'll also want to take a look at the PassiveX payload in Metasploit. It's a killer payload that hijacks the victim's Internet Explorer to tunnel payload data. Its very stealthy, and works even through application proxies. - Chris On 4/21/06, Thomas Werth <thomas.werth at vahle.de> wrote:Hi, Actual i tested how to leak a firewall using http-tunnel. Using software from http://www.http-tunnel.com/ makes it quite easy, additional i found gnu http tunnel beeing open source. So i guess including this in ones evil planes might be easy. Blocking first one is easy by forbidding proxy end hosts, but second one with random "tunnel end servers" seems to be impossible. Am i wrong , are there other tricks to stop it ( firewalling each host with personal firewall for example ) ? Now my question : Would it be easy to create a http-tunnel payload , so an attack can be connect back through firewall to outside and infiltrate a firm intranet ? Maybe with an auto-proxy setting from i.e. or similar ? Or is size for this payload to big to fit into an overflow , so only really spezialied hackers are able to create such hacks ? Target of my question is : May this vuln be exploited ( in future ) by a worm or more likley only a vision for a good hacker with high motivation ? Would it be possible to add such a payload into metasploit ? greets Thomas
Current thread:
- Http-Tunnel Question Thomas Werth (Apr 20)
- Http-Tunnel Question Jerome Athias (Apr 21)
- Http-Tunnel Questions the unknown unknown (Apr 21)
- Http-Tunnel Question H D Moore (Apr 21)
- Http-Tunnel Question Chris Byrd (Apr 21)
- Http-Tunnel Question Jason Haar (Apr 22)
- Http-Tunnel Question Thomas Werth (Apr 23)
- Http-Tunnel Question Jerome Athias (Apr 21)