mailing list archives
RE: HTTP tunneling to bypass proxy filter
From: "uglyhunK" <uglyhunK () hippiecluB org>
Date: Tue, 22 Apr 2008 23:07:53 +0530
I'm sure you know that tunneling is nothing new and HTTP tunneling to bypass
proxy filters too has been there for a long time now. And I very well know
that folks like you can detect the traffic if you come to know that
something like this is happening or if you get a handle to the actual
tunneling client which is being used.
Given below is the communication mechanism for my client; I would like to
know, how any IDS will raise an alarm..
browser <-------> cutome http <--------> corporate proxy <------------>
tunnel client filter server
The URL shown in the above depiction is harmless and is always allowed. I
encrypt(custome algorithm) and tunnel all requests from the browser to this
URL which decrypts the same, connects to the actual location and fetches the
And finally, I'm lil' surprised to find that everyone is thinking about
monitoring this @ the network end. Is there any
way to stop this @ the user end?? why letting this possibility in the first
From: James, Jay [mailto:jjames () idanalytics com]
Sent: Monday, April 21, 2008 8:34 PM
Subject: RE: HTTP tunneling to bypass proxy filter
Since this is the 'security basics' list, perhaps some of the new-ish
guys here could benefit by how you did everything :)
Some of the concepts of proxying, tunneling, JDK, PHP, inside vs.
are concepts we come up against from time to time and I certainly could
have benefitted from this knowledge in my early days!
If you post the code to your bypass mechanism, I would tell you how I
would go about detecting it :) I do it for a living, so I better be good
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of uglyhunK
Sent: Saturday, April 19, 2008 6:39 AM
Subject: HTTP tunneling to bypass proxy filter
Recently I was challenged by network admin to bypass corporate HTTP
filter. Easier option would have been to download one of many HTTP
clients but that is ruled out as all the sites are blocked. I didn't
email the installation file as there is a strict monitoring policy to
email and "leaving no traces" is one of the primary conditions.
Only option left was to write my own HTTP tunneling client and being a
developer I have access to JDK. Server component is written in PHP and
works like a charm; all the communication is encoded in base64 (though
the best way to obfuscate data). It took me just 10 days to successfully
bypass the proxy filter and access literally all the websites except
ones. Just for the info, this is @ one of the largest American banks.
won the first round and now I threw a challenge @ him to identify this
of tunneled data and block it successfully.
I'm not sure if he can do this, but, would like to know from you guys if
there is any way for the admin to block me from using custom tunnel