
Bypass Online Filter Restriction

Hello again!

Disclaimer: All the material shown on this blog is for educational purposes! We will not be held responsible for any illegal use of the material by anyone!

Usually what happens is that people want to visit a website that is legit, but somehow it is listed in the document given to a naive network administrator. You want to download important stuff from it, but what the hell, IT'S BLOCKED! Your boss, teacher, or whoever you report to doesn't want to hear about BLOCKED SITES! It's totally lame to them, because they want results and you didn't deliver. This is a very normal problem faced by many employees, students, etc.

First of all you need to know a little about tunneling. For that, please check out my post about tunneling, because your concept of how tunneling works should be very clear. Today I will tell you how one can bypass these filters.

Tor stands for The Onion Router. It was first created by the US Naval Research Laboratory a long time ago, but was then handed over to the people for commercial use! A lot of funding still comes from the US Govt and a lot of other parties, which is a pretty good thing, because Tor was initially designed for anonymity. The goal was that users would be anonymous over the internet, thus becoming less of a target for hackers, but back then drive-by malware/exploits were not in mind or not yet discovered.

In this post I will cover the bypassing of filters, so anonymity is not the main focus. How it works: first you go to the link and download the Vidalia Bundle. Once downloaded, install the software and all its components.

After installation, run the Vidalia executable. Wait for its icon in the taskbar tray, on the right, to turn green. Once that is done, go to the browser's network options and enter the following values in the corresponding fields:

Proxy Address : 127.0.0.1

Proxy Port : 8118

Now save the settings and leave the options/settings dialog by clicking OK!

Now you're good to go! To check whether the proxy is working, go to What is my IP (dot) com and look at your IP address. To cross-check, visit the same website before adding the proxy settings to your browser, note your IP address, and compare it with the one shown afterwards!

Enjoy! If your ISP or administrator is smart enough to somehow block the Tor network, go to the Tor control panel, click the Settings button and then go to the Network tab. It would be something like this:

If you use a proxy to access the internet, which is usually the case in universities and offices, this is the option for giving that proxy to Tor:

There are a few other techniques you could use to bypass the filters, but this one is by far the best.

Peace.


Food for thought!

Hey everybody! It's been a long time since I posted on my blog! I recently had an interview with some security managers of a multinational company! We discussed a lot of network security issues! Although my mind was kinda rusty, because I have lately been working on web application vulnerabilities and bypasses etc., I was asked a few questions regarding IDS bypass and how it can be done, and also questions about how to secure the internal network from browser exploits and web worms. Another problem was managing thousands of computers on a remote home/corporate network.

Well, there were many solutions. We discussed some of them there, but it kept me thinking, so I came up with a solution.

Back in 2007 I was working with Sun Ray thin clients! As you can see in the picture below! What they do is exactly what dumb terminals used to do! They boot from a remote server and everything is loaded from that server. The problem was the remote management of 1000s of computers across the country! Now with this, one can easily boot remote Sun Ray clients over satellite from the central server at a central location.

The issue that could arise is that Sun Ray thin clients are not a very good solution in some situations: if someone wants to use USB, or some director-level dude wants full control over which applications he/she has access to, that is very difficult, and then this solution fails. But normally it is the best solution for remote management of computers.

The second problem was IDS bypass! Well, that is pretty simple. What IDS/IDP systems do is scan the payload at the application layer to check for anomalies, or check it against a DB of signatures, and they also have many other ways to detect. But I am going to look at the application-layer portion of the above sentence. To bypass it, one can easily encrypt the payload! Now, it can be stopped by checking the destination port, and that can also be changed!

The third one was to check and mitigate web browser attacks. The solution for that is the Websense module for different hardware firewalls and proxies, which scans the web traffic for malicious traffic. 😉 Feel free to comment if there are more solutions for these problems!

Stay safe 🙂


Web Application Firewall bypass!

Web application security is very important nowadays, especially due to e-commerce. Hence web application firewalls came into being, which automatically filter out malicious query strings. Many high-end technology giants have them installed!

But what IF ???!!!

Someone bypasses the WAF (Web Application Firewall), and because of the WAF the programmers don't give much thought to filtering or properly sanitizing the input! Once it is bypassed, it's all good for the attacker!

Detecting WAF!

WAFs can easily be detected by the response one gets to an HTTP request! For instance, some WAFs give off weird response codes, such as 901! Some give 40x errors even though the file exists! Some drop the connection through FIN/RST! So if the response is analysed, one can easily determine whether a firewall is there and which vendor it belongs to!

Bypassing WAF!

  • Encoding the input into hex or Unicode!
  • One can split the input string using & and easily bypass the WAF! (esp. the attack used against the ModSecurity WAF)
  • Even WAFs have vulnerabilities such as XSS, and thus can easily be bypassed!

To conclude, one can say that because of their premade rules, WAFs become predictable and very easy to bypass!
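The defender's side of the encoding point and of the "programmers don't sanitize" point, as an added example that is not part of the original post: the same signature is matched against raw and against decoded input, and the application query is shown concatenated and parameterized. The rule, the sample inputs and the table are all constructed for illustration.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Hypothetical premade rule, standing in for a WAF signature set.
RULE = re.compile(r"'\s*or\s*'", re.IGNORECASE)

# Constructed inputs: plain, percent (hex) encoded, double encoded, %u encoded.
SAMPLES = ["x' or '1'='1", "x%27%20or%20%271%27%3D%271",
           "x%2527%2520or%2520%25271", "x%u0027 or %u00271"]

def raw_filter_blocks(value):
    """Match the signature against the input exactly as received."""
    return bool(RULE.search(value))

def canonicalize(value, max_rounds=5):
    """Undo %uXXXX and percent-encoding repeatedly until the value is stable."""
    for _ in range(max_rounds):
        step = re.sub(r"%u([0-9a-fA-F]{4})",
                      lambda m: chr(int(m.group(1), 16)), value)
        step = unquote_plus(step)
        if step == value:
            break
        value = step
    return value

def canonical_filter_blocks(value):
    """Match the same signature after decoding."""
    return bool(RULE.search(canonicalize(value)))

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT)")
    db.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return db

def lookup_concat(db, name):
    """Application that leaves filtering to the WAF: input spliced into SQL."""
    return db.execute(
        "SELECT name FROM users WHERE name = '" + name + "'").fetchall()

def lookup_param(db, name):
    """Application that binds input as data, whatever the WAF let through."""
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()

if __name__ == "__main__":
    for s in SAMPLES:
        print(raw_filter_blocks(s), canonical_filter_blocks(s), canonicalize(s))
```

Only the plain sample trips the raw match; all four trip the canonical match, and the parameterized lookup returns no rows for any of them even if the filter is skipped entirely.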

 


How tunneling software compromises internal security

First off, let me explain what tunneling really is. To keep it simple I won't go into technical details, but say, for example, you take a Lays chips packet, put something inside it that you are usually not allowed to send, seal it back up, and send it through the mail. The mail checkpoint will see that it's a Lays chips packet and forward it, and when it reaches your friend, he just unwraps it and gets the otherwise forbidden object.

Now a little technical stuff! What local tunneling software usually uses is HTTPS tunneling: HTTPS is the Lays chips packet, and the data you want to tunnel is inside the HTTPS-wrapped packet.

Usually the network is designed so that there is a proxy server before the gateway firewall. In the firewall policy table, the proxy has more rights than a normal employee: it is allowed to access the internet with full rights and reach any remote port, whereas a normal employee has to go through the proxy to access the internet, and there are further checks on him/her at the proxy. For example:

A) Employee ----(direct external network access not allowed)----> X [Firewall] X

B) Employee ----> [Proxy] ----> [Firewall] ===> (Allowed)

In case (B) the proxy has checks on orkut.com, youtube.com etc., so the employee can't access these websites. MSN Messenger / Yahoo Messenger are blocked by the firewall.

That was the scenario. Now I will tell you how it can be bypassed easily:

You download a piece of software, for instance Hopster. It has a live server which it connects to using HTTPS, i.e. port 443, and you can even give it the IP address of the proxy you are using. It's that simple: it sends the proxy a request to connect to port 443 of the live server, the innocent proxy server forwards the request to that server through the firewall, and once connected one can send any data out just by feeding it to Hopster!

Software like MSN Messenger, Yahoo Messenger etc. usually asks you for a local proxy address; you just give your localhost IP address or 127.0.0.1 and the tunneling software's port number, and you are good to go!

Solution:

The network administrator should install such software to check which remote servers it connects to, and block those IPs on the proxy and at the firewall. Usually there is one server with a single live IP address, so once it is blocked the software cannot connect.
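The same check can also be run from the proxy's own logs, since every tunnel shows up there as a CONNECT to port 443. The following is an added example, not part of the original post; the log lines are constructed in Squid's native access.log layout, and the duration and size thresholds are assumptions to tune per network.

```python
from collections import defaultdict

# Constructed sample lines in Squid's native access.log layout:
# time elapsed_ms client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1700000000.101 320 10.0.0.21 TCP_TUNNEL/200 5120 CONNECT mail.example.com:443 - HIER_DIRECT/192.0.2.10 -
1700000050.440 85 10.0.0.21 TCP_MISS/200 1830 GET http://intranet.example.com/ - HIER_DIRECT/192.0.2.20 text/html
1700003600.902 3540000 10.0.0.34 TCP_TUNNEL/200 48211004 CONNECT 203.0.113.77:443 - HIER_DIRECT/203.0.113.77 -
1700007300.115 3610000 10.0.0.34 TCP_TUNNEL/200 51900211 CONNECT 203.0.113.77:443 - HIER_DIRECT/203.0.113.77 -
1700007400.300 2900000 10.0.0.58 TCP_TUNNEL/200 9100400 CONNECT 203.0.113.77:443 - HIER_DIRECT/203.0.113.77 -
1700007500.000 malformed line
"""

def parse_connects(log_text):
    """Yield (client, destination, peer_ip, elapsed_ms, size) for CONNECT entries."""
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 9 or f[5] != "CONNECT":
            continue  # skip ordinary requests and malformed lines
        try:
            elapsed, size = int(f[1]), int(f[4])
        except ValueError:
            continue
        yield f[2], f[6], f[8].partition("/")[2], elapsed, size

def tunnel_candidates(log_text, min_ms=30 * 60 * 1000, min_bytes=5_000_000):
    """Group long, heavy CONNECT sessions by destination for review and blocking."""
    found = defaultdict(lambda: {"clients": set(), "peer_ips": set(), "sessions": 0})
    for client, dest, peer_ip, elapsed, size in parse_connects(log_text):
        if elapsed >= min_ms and size >= min_bytes:
            entry = found[dest]
            entry["clients"].add(client)
            entry["peer_ips"].add(peer_ip)
            entry["sessions"] += 1
    return dict(found)

if __name__ == "__main__":
    for dest, info in tunnel_candidates(SAMPLE_LOG).items():
        print(dest, sorted(info["clients"]), sorted(info["peer_ips"]), info["sessions"])
```

The flagged destinations are candidates for review before blocking, because some legitimate services also hold long HTTPS connections.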