Penetration Testing: Re: By passing surf control

[c3rb3r <c3rb3r () sympatico ca>]

Hello
Not sure about which version we are talking about but here are my 
findings on a 4.5.0.31 (several months of that ),
mounted as a sniffer 'like' (stealth mode, whatever ..)  BUT  _not a proxy_.
Using telnet (in char mode) to connect a remote web server and doing so, 
by splitting your request into several small packets, you get your site.
Sc's monitor will correctly show up the host header while its sniffer 
counterpart keeps to be blind, strange ? even more, when monitor reports 
that the forbidden site was actually granted  :)
It was even possible to fool Sc by crafting by hand a host header field 
with a permitted address while connecting a forbidden site, everything 
seems to rely on that masterpiece.  I can't remember of http/0.9 | 1.0 
(so without host:) but it may works as well, try it.
In the later scenario, many sites using virtual domains will obviously 
become unreachable though.
A last one i found around 2 years ago (don't know if it still works, 
which release it was,  but is worth to check imo), in this mode 
(sniffer) Sc was actually replying before (spoofing) the web server with 
a rst packet to my source port, the real answer was still returned to my 
host but anyway, too late
So i decided to write a small piece of perl to proxy my browser,  ignore 
the first reset packet,  and finally pass back the real data to my browser.
it worked like a charm.
I have never tried Sc as a real proxy, chances are it is "better"  in 
this configuration but nothing for sure :)
Hope this helps.
Gregory







Charles Hamby wrote:

> Have you tried checking to see if IP address obfuscation works?
>
> In case anyone's not familair with this...
>
> Using http://www.amazon.com as an example.  If I wanted to go there 
> but it was blocked, I would find out what the IP address of 
> www.amazon.com is (say using ping).
> In this case it happens to be 207.171.181.16.  I would then convert 
> each octet into hex individually.  (207 is CF, 171 is AB, 181 is B5 
> and 16 is 10)
> Then I would put CFABB510 into my calculator (Windows calculator works 
> just fine for this, by the way) and conver it to decimal again.  I 
> would come up with 3484136720
> I would open up my web browser and put in http://3484136720 and up 
> comes Amazon.com.
> Charles Hamby
>
> McNutt, Jacob wrote:
>
> > SSH tunneling/port forwarding to a proxy might work if they have 
> > access to it.  Also, we have a problem with AOL client browsers that 
> > can bypass Websense all together.
> > -----Original Message-----
> > From: Kudakwashe Chafa-Govha [mailto:KChafa-Govha () bankunitedfla com] 
> > Sent: Wednesday, February 25, 2004 3:04 PM
> > To: pen-test () securityfocus com
> > Subject: By passing surf control
> >
> > Hello Group,
> >
> >
> > Does anyone have any information on how to by pass a web content 
> > filter? We use Surf Control to monitor and filter web content. 
> > However, I have one of my users who was able to by pass this. We 
> > tried using a proxy to by pass just for testing purposes but it did 
> > not work. I am still trying to figure out what other method he used 
> > to do so. If anyone has any information , it will be greatly 
> > appreciated.
> > Thanks
> >
> > Kuda
> >
> > ************************************************************************************************** 
> >
> > The contents of this email and any attachments are confidential.
> > It is intended for the named recipient(s) only.
> > If you have received this email in error please notify the system 
> > manager or the sender immediately. Unless you are the intended 
> > recipient or his/her representative you are not authorized to, and 
> > must not, read, copy, distribute, use or retain this message or any 
> > part of it. 
> > ************************************************************************************************** 
> >
> >
> > --------------------------------------------------------------------------- 
> >
> > ---------------------------------------------------------------------------- 
> >
> >
> >
> >
> > --------------------------------------------------------------------------- 
> >
> > ---------------------------------------------------------------------------- 
> >
> >
> >  
>
>
> --------------------------------------------------------------------------- 
>
> ---------------------------------------------------------------------------- 

---------------------------------------------------------------------------
----------------------------------------------------------------------------