Punching Isp Firewalls


8/8/2019 Punching Isp Firewalls 1/6

    Punching holes into firewalls

or "Why firewalls shouldn't be considered an ultimate weapon for network security" or "Secure TCP-into-HTTP tunnelling guide"

    This document is located at http://sebsauvage.net/punching/index.html

This document explains how to securely tunnel any TCP-based protocol (SMTP, POP3, telnet...) in simple HTTP requests.

It is heavily inspired by http://proxytunnel.sourceforge.net/paper.php, although it does not use the same tools and does not cover outside-to-inside data flows (backward tunnels).

    Introduction

Firewalls are heavily used to secure private networks (home or corporate). Usually, they are used to protect the network from:

intrusions from outsiders
misuse from insiders

In a TCP/IP environment, the typical corporate firewall configuration is to block everything (both incoming and outgoing), and to give access to the internet only through an HTTP proxy. The proxy usually has filtering capabilities (censors URLs and file types), and access to the proxy often requires credentials (login/password). This gives the network administrator greater control over what and who is going in and out of the network.

Still, this should not be considered an ultimate weapon, and network administrators should not rely on firewalls alone.

Encapsulation is the basis of networking. For example, HTTP is encapsulated by TCP, TCP is encapsulated by IP, and IP is often encapsulated in PPP or Ethernet. Encapsulating protocols in an unusual way is often referred to as tunnelling.

As soon as you let a single protocol out, tunnelling lets anything go through that protocol, and thus through the firewall.

This paper demonstrates how to encapsulate any TCP-based protocol (SMTP, POP3, NNTP, telnet...) into HTTP, thus bypassing the firewall protection/censorship (depending on your point of view).

    A word of warning:

In many countries and corporate environments, bypassing a firewall is forbidden and exposes you to sanctions, dismissal, legal proceedings and - in some countries - the death penalty. You are warned.

Nevertheless, in some countries this kind of firewall/proxy bypassing is the only way to ensure free speech (such as China or the United Arab Emirates, where the government severely censors the internet and where firewall bypassing is a national sport).

Now that you know what you're doing, let's move on.

    The problem

Say you want to fetch your mail from your ISP mail server. You usually simply connect to port 110 on the POP3 server of your ISP.

    Trouble: there is a Big Bad firewall which blocks everything.

Well... it does not exactly block everything: it lets HTTP out through a proxy. Let's encapsulate our POP3 connection into HTTP.

    The tools

    We need:

A computer on the internet which has unrestricted access to the internet, such as a home ADSL computer.

GNU HTTP Tunnel (http://www.nocrew.org/software/httptunnel.html). It encapsulates TCP into HTTP requests.

SSH is a secure shell (http://www.openssh.com). It provides secure (and optionally compressed) channels between two hosts, encrypted and authenticated by the SSH protocol itself (not SSL/TLS). Besides providing a shell (like telnet), it also provides file copy (scp) and TCP port forwarding (tunnelling). We will use the port forwarding feature.

    Why not use GNU HTTP Tunnel alone ?

In principle, only HTTP Tunnel is necessary. But this is not desirable:

the tunnel is public: anyone can use your tunnel. You could be held liable for what anybody has done with your tunnel.
the tunnel is cleartext: anyone can spy on your connection. Your passwords (SMTP, POP3, telnet...) are transmitted in clear text.
the tunnel is not protected: anyone can alter the data stream.
you have to run a new instance of the HTTP Tunnel client and the server for each new tunnel you want to set up.


This is where ssh comes in. ssh provides:

authentication (only authorised users can use the tunnel)
privacy (no one can spy on what's going through the tunnel)
integrity (no one can tamper with data going through the tunnel)
easy tunnel set-up (you can create a new tunnel with a single ssh command on the client side).

    These tools are available on Unix/Linux and Windows environments.

    The whole chain

Let's see how this works. Here is the full chain:

Mail client -> OfficeComputer:800 (ssh client) -> localhost:900 (htc, HTTP Tunnel client) -> HttpProxy:3128 -> HomeComputer:80 (hts, HTTP Tunnel server) -> localhost:22 (sshd) -> pop3server:110

Technically speaking, once this chain is established, connecting to OfficeComputer:800 is identical to connecting to pop3server:110. The mail client will not see the difference.

On the office computer:

TCP data sent to port 800 is encrypted by ssh, which forwards the data to port 900.
The ssh stream sent to port 900 is chunked into individual HTTP requests by the HTTP Tunnel client and sent to the home computer through the proxy.

On the home computer:

The HTTP Tunnel server receives the HTTP requests, decapsulates and re-assembles the ssh stream and forwards it to port 22 (to the ssh server).
The ssh server decrypts the data stream and forwards it to the pop3server on port 110.

As TCP is a bidirectional data stream, once established, the TCP connection can pass data back and forth through the HTTP proxy.
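As an added illustration (example code written for this edit, not GNU httptunnel's code and not part of the original page), the following Python simulation shows the step that htc and hts perform in the chain above, and why the "Why not use GNU HTTP Tunnel alone?" section matters. The client side cuts an arbitrary TCP byte stream into HTTP POST requests addressed through the proxy (including the Proxy-Authorization header that --proxy-authorization login:password adds), proxy_view records what the proxy can observe, and the server side rebuilds the stream from the request bodies. The host name HomeComputer and port 80 are the page's; the POST-only framing, the 16-byte chunk size, the constructed POP3 login used as sample traffic and all function names are assumptions of this example. Real httptunnel framing differs.

```python
"""Toy TCP-into-HTTP encapsulation (the htc/hts role in the chain).

Added example, not code from the original page or from GNU httptunnel.
Assumptions: client-to-server data travels in HTTP POST bodies only, the
home end is HomeComputer:80, chunks are 16 bytes (small, to keep the demo
readable), and the sample traffic is a constructed POP3 login.
"""
import base64
from typing import Dict, List, Optional, Tuple

CHUNK_SIZE = 16

# Constructed sample: what a mail client would send to pop3server:110 if the
# tunnel carried POP3 directly, i.e. without the ssh layer.
SAMPLE_POP3_STREAM = b"USER alice\r\nPASS s3cret\r\nSTAT\r\n"


def encapsulate(stream: bytes, home_host: str, home_port: int,
                proxy_auth: Optional[Tuple[str, str]] = None,
                chunk_size: int = CHUNK_SIZE) -> List[bytes]:
    """Cut a byte stream into HTTP/1.1 POST requests as a proxy-aware client sends them.

    A client talking to a proxy uses the absolute-form request target and, when
    the proxy demands credentials, a Proxy-Authorization: Basic header carrying
    base64(login:password); that is what --proxy-authorization adds in htc.
    """
    requests = []
    for offset in range(0, len(stream), chunk_size):
        body = stream[offset:offset + chunk_size]
        lines = [
            f"POST http://{home_host}:{home_port}/ HTTP/1.1",
            f"Host: {home_host}:{home_port}",
            "Content-Type: application/octet-stream",
            f"Content-Length: {len(body)}",
        ]
        if proxy_auth is not None:
            login, password = proxy_auth
            token = base64.b64encode(f"{login}:{password}".encode()).decode()
            lines.append(f"Proxy-Authorization: Basic {token}")
        requests.append(("\r\n".join(lines) + "\r\n\r\n").encode() + body)
    return requests


def _split_request(request: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Return (request line, headers, body) of one serialized request."""
    head, body = request.split(b"\r\n\r\n", 1)
    request_line, *header_lines = head.decode().split("\r\n")
    headers = dict(line.split(": ", 1) for line in header_lines)
    return request_line, headers, body


def proxy_view(requests: List[bytes]) -> List[Dict[str, object]]:
    """What the proxy can log per request: method, target, body size, credentials used.

    Note what is absent: nothing names pop3server or port 110; only the
    home computer appears, exactly as the text above says.
    """
    view = []
    for request in requests:
        request_line, headers, body = _split_request(request)
        method, target, _version = request_line.split(" ")
        view.append({
            "method": method,
            "target": target,
            "body_bytes": len(body),
            "proxy_auth": "Proxy-Authorization" in headers,
        })
    return view


def decapsulate(requests: List[bytes]) -> bytes:
    """Server side (the hts role): honour Content-Length and rebuild the stream in order."""
    stream = bytearray()
    for request in requests:
        _line, headers, body = _split_request(request)
        length = int(headers["Content-Length"])
        if len(body) < length:
            raise ValueError("truncated request body")
        stream += body[:length]
    return bytes(stream)


def credentials_in_clear(requests: List[bytes]) -> List[bytes]:
    """The 'tunnel is cleartext' drawback: a passive observer reassembles the
    bodies exactly like hts does and reads POP3 USER/PASS lines, even when the
    chunking split a command across two requests."""
    stream = decapsulate(requests)
    return [line for line in stream.split(b"\r\n") if line.startswith((b"USER ", b"PASS "))]


if __name__ == "__main__":
    reqs = encapsulate(SAMPLE_POP3_STREAM, "HomeComputer", 80, ("login", "password"))
    for entry in proxy_view(reqs):
        print("proxy sees:", entry)
    print("reassembled OK:", decapsulate(reqs) == SAMPLE_POP3_STREAM)
    print("readable credentials:", credentials_in_clear(reqs))
```

credentials_in_clear is the point of the "cleartext" drawback: anyone who can read the requests (the proxy, or anyone on the path) reassembles the bodies exactly as hts does and reads the POP3 USER/PASS lines, and chunk boundaries do not help, since the observer reassembles across them. With the ssh layer in place the bodies carry ciphertext and the same scan finds nothing, which is why the page wraps ssh inside the HTTP tunnel.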

The administrator of the HTTP proxy cannot see which protocol is used, which server is contacted (other than the home computer), nor the nature of the transmitted data. What remains visible is the shape of the traffic: the office computer keeps sending HTTP requests to one outside host for as long as the tunnel is up.
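The administrator cannot read the tunnel, but can still see its shape. As an added example (not from the original page), here is a small Python heuristic run over constructed proxy log lines in Squid's native access.log layout: it flags a client that sends a sustained run of POST requests to a single URL on one outside host, which is what the htc side of this chain looks like from the proxy. The Squid field order is real; the IP addresses, timestamps, sizes and thresholds are assumptions of this example, and the heuristic will misfire on web applications that poll one endpoint.

```python
"""Heuristic tunnel spotter for HTTP proxy logs.

Added example, not code from the original page. The tunnel hides its content
from the proxy, but not its shape: one office client sending a steady run of
POST requests to one URL on one outside host. All log lines below are
constructed in Squid's native access.log layout (not real traffic); client
addresses, timestamps and thresholds are assumptions of this example.
"""
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Squid native format, one request per line:
# time elapsed client action/code bytes method URL user hierarchy/peer content-type
BROWSING_LINES = [
    "1284380400.101 120 10.1.2.3 TCP_MISS/200 1450 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html",
    "1284380400.351 80 10.1.2.3 TCP_HIT/200 22345 GET http://www.example.com/logo.png - NONE/- image/png",
    "1284380402.900 310 10.1.2.3 TCP_MISS/200 845 POST http://www.example.com/search - DIRECT/93.184.216.34 text/html",
    "1284380405.010 95 10.1.2.3 TCP_MISS/200 5120 GET http://www.example.com/news - DIRECT/93.184.216.34 text/html",
]
# The office computer (10.1.2.7) running htc: forty small POSTs, every one to
# the same URL on HomeComputer, half a second apart.
TUNNEL_LINES = [
    f"{1284380401 + i * 0.5:.3f} 210 10.1.2.7 TCP_MISS/200 412 POST "
    f"http://HomeComputer:80/ - DIRECT/203.0.113.9 application/octet-stream"
    for i in range(40)
]
SAMPLE_LOG = BROWSING_LINES + TUNNEL_LINES


def parse_squid_line(line: str) -> Optional[Dict[str, object]]:
    """Pull out the fields the heuristic needs; None for malformed lines."""
    fields = line.split()
    if len(fields) < 10:
        return None
    timestamp, _elapsed, client, _status, _size, method, url = fields[:7]
    parts = urlsplit(url)
    host = parts.netloc.rsplit(":", 1)[0]  # keep the host as written, drop the port
    return {"ts": float(timestamp), "client": client, "method": method,
            "host": host, "path": parts.path or "/"}


def find_tunnel_suspects(lines: List[str], min_posts: int = 20,
                         min_post_ratio: float = 0.9) -> List[Dict[str, object]]:
    """Flag (client, host) pairs whose traffic is almost only POSTs to a single path.

    A browser session spreads GETs over many paths; a TCP-into-HTTP tunnel
    keeps hammering one URL. The thresholds are arbitrary starting points and
    need tuning against real traffic (web applications that poll one endpoint
    look similar).
    """
    stats = defaultdict(lambda: {"total": 0, "posts": 0, "paths": set(),
                                 "first": None, "last": None})
    for line in lines:
        rec = parse_squid_line(line)
        if rec is None:
            continue
        s = stats[(rec["client"], rec["host"])]
        s["total"] += 1
        if rec["method"] == "POST":
            s["posts"] += 1
        s["paths"].add(rec["path"])
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])

    suspects = []
    for (client, host), s in sorted(stats.items()):
        if (s["posts"] >= min_posts
                and s["posts"] / s["total"] >= min_post_ratio
                and len(s["paths"]) == 1):
            suspects.append({"client": client, "host": host, "posts": s["posts"],
                             "seconds": round(s["last"] - s["first"], 1)})
    return suspects


if __name__ == "__main__":
    for hit in find_tunnel_suspects(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['host']}: {hit['posts']} POSTs in {hit['seconds']} s")
```

The browsing client is not flagged (one POST among GETs to several paths); the tunnelling client is, because every request it made is a POST to the same URL on HomeComputer. This is the "do not rely on the firewall alone" point from the defender's side: the proxy cannot see inside the tunnel, but its logs still show who keeps talking to one outside host.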

    Setting up the tunnel

    To create the tunnel as in our example above:

On the home computer (server):

sshd (start the ssh server)
hts --forward-port localhost:22 80 (start the HTTP Tunnel server)

On the office computer (client):

htc --forward-port 900 --proxy HttpProxy:3128 HomeComputer:80 (start the HTTP Tunnel client)
ssh -L 800:pop3server:110 sshlogin@localhost -p 900 (start the ssh client)

Then read your email with your mail program at localhost:800.

Notes:

If your proxy requires authentication, add --proxy-authorization login:password to the htc command line.
sshlogin is your ssh login name on the ssh server on the home computer.
You can set up as many additional tunnels as you want with:
ssh -L localport:destinationServer:destinationPort sshlogin@localhost -p 900
(localport is the local port you want to map to a destination server outside the firewall (destinationServer:destinationPort); the destination is resolved and reached from the home computer, not from the office).

Drawbacks of this solution:

it does not work for UDP-based protocols (NFS, chat...).
it does not work for programs which act as servers (most games, chat, peer-to-peer...).
HTTP encapsulation and proxy delays can add some latency.

Good points of this solution:

Setting up the server is easy.
By using ports above 1024, setting up the client does not require administrator (root) privileges (the server side does, because hts binds port 80).
Multiple users can use the server to create multiple tunnels to any destination. Each user has their own private tunnels.
This tunnel does not require the HTTP proxy to accept the CONNECT command, so it can secure communications even on proxies which are not capable of - or forbid - proxying HTTPS (port 443).
With Linux Live CDs like Knoppix this can be a great solution for cybercafes: the live Linux CD ensures there is no lurking keylogger or trojan, and the tunnel ensures that the cybercafe owner, a trojaned computer or the government cannot sniff your passwords, spy on your data or censor websites. I especially think of China here.

Conclusion

As you can see, setting up such tunnels does not require advanced skills, especially with recent Linux distributions which come with pre-installed and pre-configured ssh servers.

With a little more skill, it is possible to tunnel just about everything into everything. For example, it is possible to tunnel PPP into HTTP, providing full IP-stack tunnelling, including ICMP (ping...), DNS and servers (backward tunnels). Open-source and commercial VPN solutions also come to mind. See the references for programs and papers about firewall bypassing below.

Security is not only a matter of firewall configuration, it must be seen at a larger scale. Do not rely on the firewall alone.

Censorship bypassing should not be considered only as a terrorist or hacker weapon, but also as a tool for privacy, free speech, democracy and human rights protection (please read the papers written by PGP author Philip Zimmermann, they are very instructive).

References


Articles and software about tunnelling and firewall/proxy/censorship bypassing:

ProxyTunnel: http://proxytunnel.sourceforge.net - TCP-into-HTTP(S) tunnelling program; requires the HTTP proxy to accept the CONNECT command.

SSH Tunnelling howto: http://proxytunnel.sourceforge.net/papers/muppet-200204.html - Instructions for TCP-into-HTTP tunnelling using SSH and ProxyTunnel.

Bypassing internet censorship: http://www.zensur.freerk.com - Ways to bypass censorship, using various techniques.

How to Bypass Most Firewall Restrictions and Access the Internet Privately: http://www.buzzsurf.com/surfatwork/ - Document on firewall bypassing and tunnelling.

Breaking Firewalls with OpenSSH and PuTTY: http://souptonuts.sourceforge.net/sshtips.htm - Using PuTTY and OpenSSH when the firewall allows port 22 in.

The enemy within: Firewalls and backdoors: http://www.securityfocus.com/infocus/1701 - Article about firewalls and security.

GNU HTTP Tunnel: http://www.nocrew.org/software/httptunnel.html - Open-source TCP-into-HTTP tunnelling.

PlugDaemon: http://www.taronga.com/plugdaemon/ - TCP port forwarder with HTTPS proxy support.

OpenSSH: http://www.openssh.com - Open-source ssh client and server.

OpenSSH for Windows: http://sshwindows.sourceforge.net/ - Windows version of OpenSSH. (The server only works under 2000/XP, but a 9x version is planned.)

OpenVPN: http://openvpn.sourceforge.net/ - Excellent, secure and flexible open-source SSL-based VPN program. Can work over UDP, TCP or even HTTP through proxies.

1st April RFC 3093: http://ietf.org/rfc/rfc3093.txt - So-called Firewall Enhancement Protocol (FEP).

DesProxy: http://desproxy.sourceforge.net - Allows direct TCP connections through HTTP proxies which accept the CONNECT command. Does not require an external server as in our solution above.

TransConnect: http://transconnect.sourceforge.net - Uses the HTTP CONNECT proxy command to make direct connections to the internet.

CorkScrew: http://www.agroman.net/corkscrew/ - Tunnels SSH traffic through HTTP proxies.

HTTP Bridge: http://httpbridge.sourceforge.net - A CGI-based secure HTTP proxy written in Java. Requires Tomcat.

PsiPhon: http://psiphon.civisec.org/ - Password-protected HTTP proxy server designed to circumvent censorship.

HTTP Proxy Lib: http://httppc.sourceforge.net - A library to add TCP-into-HTTP capability to your programs.

STunnel: http://stunnel.mirt.net - Generic TCP-into-SSL wrapper.

STunnel: http://www.stunnel.org - Generic TCP-into-SSL wrapper.

SSLProxy: http://www.obdev.at/products/ssl-proxy/ - Generic TCP-into-SSL wrapper. No longer maintained (authors recommend STunnel instead).

TLSWrap: http://tlswrap.sunsite.dk - TLS/SSL wrapper/proxy for FTP.

HTTP Tunnel: http://www.http-tunnel.com - Commercial encrypted TCP-into-HTTP tunnelling service. Low-bandwidth free service available.

HTTP Tunnel: http://http-tunnel.sourceforge.net/ - Open-source SOCKS proxy capable of tunnelling traffic through HTTP proxies. Client and server provided. Server can run standalone (perl) or on a hosted server (php).

HTTPort: http://www.htthost.com - Commercial TCP-into-HTTP tunnelling service (encrypted).

BarracudaDrive: http://barracudaserver.com/examples/BarracudaDrive/index.html - Free TCP-into-HTTPS tunnelling server with HTTP proxy support (command-line Java client), including a web-based file manager, web-based chat and graphical file transfer Java client.

Hamachi: http://hamachi.cc/ - Free and simplified UDP-based VPN solution capable of traversing NAT firewalls.

Your-Freedom: http://www.your-freedom.net/ - Free TCP-into-HTTP tunnelling service. Additional services are not free.

Socks via HTTP: http://lightbox.ath.cx/socks/ - A SOCKS proxy which tunnels all traffic into HTTP requests. Can also tunnel static ports. Client and server provided. Written in Java.

Zebedee: http://www.winton.org.uk/zebedee/ - Open-source cross-platform TCP/UDP-into-SSL tunnel.

Socks2HTTP: http://www.totalrc.net - Commercial SOCKS proxy which tunnels TCP and UDP into HTTP.

SSL Explorer: http://www.sshtools.com/products/enterprise/ssl-explorer/ssl-explorer.jsp - TCP-into-HTTPS tunnelling and more. The client only requires a Java-enabled browser.

Tunnelier: http://www.bitvise.com/tunnelier.html - Commercial (free for personal use) SSH client for Windows with easy tunnelling features, graphical SFTP client, FTP-to-SFTP bridge, etc.

nph-proxy: http://www.jmarshall.com/tools/cgiproxy/ - Free CGI-based HTTP proxy, capable of HTTPS proxying and URL obfuscation. Perl source code provided.

For more information, see:
http://directory.google.com/Top/Computers/Security/Internet/Privacy/
http://directory.google.com/Top/Computers/Security/Virtual_Private_Networks/

Tunnelling projects on SourceForge.net: http://sourceforge.net/search/?words=tunnel

    This page is located at http://sebsauvage.net/punching

    Last update: 2007-07-06
