IP TUNNELING:

"Bypassing Firewalls Simplified"

 

 


DOCUMENT SUMMARY


Subject:
Bypassing Firewalls

Keywords:
IP Tunneling, Protocol Tunneling, Bypassing Firewalls.

Description:
Protocol encapsulation can be used to reach protocols, or even ports, that a firewall blocks. A protocol that the firewall allows carries the blocked protocol inside it. HTTP is normally always allowed, so it can be used as a gateway to the blocked resources.

Tools of Trade:
desproxy [for Windows platform; requires cygwin1.dll (www.cygwin.com) to run]
http://desproxy.sourceforge.net/

GNU Httptunnel [for Linux/Unix based platforms]
http://www.nocrew.org/software/httptunnel.html

Side Note:
It may be fun, but it also shows the weakness of a firewall's ability to restrict access to resources, and of the overall information security policy of the enterprise. It is a major concern for system administrators.

Quick References:
Jake Hill -- "Bypassing Firewalls: Tools and Techniques"

Desproxy Documentation -- http://desproxy.sourceforge.net/
http://desproxy.sourceforge.net/manual-en.html
 


END OF DOCUMENT SUMMARY


A firewall is the primary means of protection against unwanted access and traffic (both inbound and outbound). There are various types of firewalls, but they control access at the application and transport layers of a network.
 

What is Protocol Tunneling (also IP Tunneling):

A protocol tunnel is basically the encapsulation of one protocol inside another. It is a general technique which can be used to carry a protocol to a foreign network.

Any allowed protocol can be exploited for tunneling; being allowed is the only condition. SMTP (Simple Mail Transfer Protocol, port 25 -- used to send mail) and HTTP (Hyper Text Transfer Protocol, port 80 or sometimes 8080 -- used to browse web pages) normally satisfy it. Other protocols, like ICMP-ECHO (i.e. ping), may or may not be allowed on different systems.


Bypassing Firewalls:

At its simplest, a firewall block may be bypassed by using a proxy server (like the http://www.anonymization.net/ public proxy server). You can use it to visit sites that are blocked. Such proxies may also be used to browse the internet anonymously (i.e. hiding your IP; refer to my text on "A Chain of Proxies").

Another effective way to do this is what this text is about. A tunnel can be used to turn an application layer protocol (such as HTTP) into a transport layer protocol, making it very hard for the firewall to reason about what type of traffic is passing through it. Users at sites with restrictive firewall policies can enable protocols that are blocked by tunneling them through HTTP.


The exploit -- How & Tools:

One simple thing I came across while I was working on this topic was "desproxy". It is a great tool to exploit the allowed protocol and to make connections to the blocked protocols (another one was GNU HTTPTunnel).

At its simplest, it makes TCP/IP connections possible through HTTP proxies by tunneling TCP/IP traffic inside HTTP. Desproxy comes with two problems: first, it has no GUI (it is a command-line tool), so there is no click-and-go; second, it costs flexibility.

Remember that HTTP proxies are used to share an internet connection with other computers. This setup is typically used in offices and now in our homes. Our web browsers (HTTP clients) request data for web pages from HTTP proxies, which are connected to the internet. This could be the reason why other Internet applications cannot use the internet. For example, your system administrator might block access to messenger.hotmail.com (207.46.104.20), port 1863, using a firewall, preventing the use of MSN Messenger.

Coming back to desproxy: it is a TCP tunnel, which means it can forward TCP/IP traffic via an HTTP proxy. Let's assume you want to use network application X, which doesn't support HTTP but uses a TCP/IP connection (like IRC or MSN Messenger). To make X work with desproxy, you just have to follow these four simple steps.

Side Note:
There might be other software available that will do the same thing. I have used desproxy so I will stick to it throughout this text.



ONE:
Search for the default port of that application, for example:

Application      Port
-------------    ----
MSN Messenger    1863 (FYI: it connects to messenger.hotmail.com; 207.46.104.20)
FTP              21
Telnet           23
SMTP             25
POP              110

... and so on


TWO:
Then search for the default server of that application (if there is one). For example:

Application        Port    Server
---------------    ----    ---------------------
AIM                21      toc.oscar.aol.com
ICQ                4000    icq.mirabilis.com
Yahoo Messenger    5050    cs.yahoo.com
MSN Messenger      1863    messenger.hotmail.com

... and so on


TIP: You can find the ports and server that an application uses by:

1. Reading its documentation or other manuals, FAQs, or any other source of information. Google is said to be an effective tool for hackers; use it to extract information.

2. Using a port monitor, such as TCPView (freeware) from www.sysinternals.com. It shows all connections to and from your computer over the network.


THREE:
Start desproxy and use this information in the following syntax:

C:\>desproxy [host] [port] [proxyserver] [proxyport] [any_port]

host = the server your application is connecting to
port = the port your application uses
proxyserver = your local proxy server
proxyport = your local proxy port (usually 80 or sometimes 8080)
any_port = any local port number (1-65536) of your choice. This will be used to bypass the block. Always keep this number over 1023, as lower ports may need administrator privileges.



FOUR:
Direct your application to use the "any_port" you have specified. For example, you can configure Yahoo! Messenger to use the "any_port" number (assume 1653) as follows:

Click on Edit > Preferences > Connection > Use Proxies > Enable HTTP Proxy

For server name, put 127.0.0.1 (the loop-back IP address, i.e. your own computer), and for server port, put 1653 or whichever any_port you have specified.

By specifying 127.0.0.1 as the server and "any_port" as the port, you can make a successful connection to the protocol or application.
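
Seen from the proxy administrator's side, a tunnel set up with the four steps above leaves a trace in the proxy's access log: a CONNECT request to the application's server and port rather than to an HTTPS port. The following is an added example, not part of the original text or of desproxy, that scans a log for such requests and labels them with the default ports listed in steps ONE and TWO. Assumptions: desproxy asks the proxy for the connection with the HTTP CONNECT method, the proxy writes Squid's native access.log layout, the log lines are constructed, and the function names are hypothetical.

```python
# Added example: flag proxy CONNECT requests to ports a web proxy should not relay.
# Assumptions: Squid native access.log layout; the sample log lines are constructed.

ALLOWED_CONNECT_PORTS = {443}  # HTTPS only; adjust to local policy

# Default ports named in the text above, used to label the findings
KNOWN_PORTS = {21: "FTP", 23: "Telnet", 25: "SMTP", 110: "POP",
               1863: "MSN Messenger", 5050: "Yahoo Messenger"}

SAMPLE_LOG = """\
1064200000.101    212 10.0.0.15 TCP_MISS/200 8123 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1064200004.552  60012 10.0.0.15 TCP_MISS/200 4523 CONNECT messenger.hotmail.com:1863 - DIRECT/207.46.104.20 -
1064200009.870   1530 10.0.0.22 TCP_MISS/200 3991 CONNECT www.example.com:443 - DIRECT/192.0.2.10 -
1064200015.004  45200 10.0.0.31 TCP_MISS/200 9120 CONNECT cs.yahoo.com:5050 - DIRECT/192.0.2.20 -
1064200020.313      3 10.0.0.31 TCP_DENIED/403 1320 CONNECT mail.example.net:25 - NONE/- text/html
this line is malformed
"""

def parse_connect(line):
    """Return (client, host, port, status) for a CONNECT entry, else None."""
    fields = line.split()
    if len(fields) < 7 or fields[5] != "CONNECT":
        return None
    host, sep, port = fields[6].rpartition(":")
    if not sep or not port.isdigit():
        return None
    status = fields[3].split("/")[-1]  # e.g. "TCP_MISS/200" -> "200"
    return fields[2], host, int(port), status

def find_tunnels(log_text, allowed=ALLOWED_CONNECT_PORTS):
    """List CONNECT requests to non-allowed ports and whether the proxy relayed them."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_connect(line)
        if entry is None:
            continue  # not a CONNECT entry, or unparseable
        client, host, port, status = entry
        if port not in allowed:
            findings.append({"client": client, "target": f"{host}:{port}",
                             "service": KNOWN_PORTS.get(port, "unknown"),
                             "relayed": status.startswith("2")})
    return findings

if __name__ == "__main__":
    for finding in find_tunnels(SAMPLE_LOG):
        print(finding)
```

The preventive counterpart is to restrict the ports the proxy will CONNECT to; Squid's stock configuration, for instance, denies CONNECT to anything outside its SSL_ports ACL.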

 

REFERENCES, RELATED WORK & NOTES:

I would strongly recommend that you take a look at the DESPROXY documentation before using it, so that you may be able to use the software at its best. I have omitted the "socks proxy" included in the original documentation of DESPROXY.

Jake Hill. "Bypassing Firewalls: Tools and Techniques"

Q. Zhong. Providing secure environments for untrusted network applications: with case studies using virtualvault and trusted sendmail proxy. Technical report, HP Laboratories, 1997.

T. Choo. Vaulted vpn: Compartmented virtual private networks on trusted operating systems. Technical report, HP Laboratories, 1999.

C. Dalton and D. Clarke. Secure partitioned access to local network resources over the internet. Technical report, HP Laboratories, 1998.

C. Dalton and J. Griffin. Applying military grade security to the internet. Technical report, HP Laboratories, 1997.


GNU HTTPtunnel
http://www.nocrew.org/software/httptunnel.html

Desproxy Documentation -- http://desproxy.sourceforge.net/
http://desproxy.sourceforge.net/manual-en.html

Cygwin
http://www.cygwin.com

My website
under development
 


END OF DOCUMENT


Any queries for further information, clarifications and corrections may be forwarded to me (smart031279@hotmail.com -- please no forwarded jokes or useless messages). One thing I would like to mention here is that in preparing this text I used Jake Hill's work and the documentation that came with Desproxy.

If you face any difficulties in downloading cygwin1.dll, then try this site: http://www.physik.fu-berlin.de/~loison/fast_algorithms/O3/ . I found this link after a big search on Google.

Before signing off I would like to thank Adeel Salafi for asking and firing me up to work on bypassing firewalls; without his query this work would not have been possible.

Lastly, this information is based on my understanding and this information is * do it at your own risk *.


These programs have been reported to work with desproxy.

Program                        Platform          Versions
---------------------------    --------------    -------------------

Web Browsers

Microsoft Internet Explorer    Windows           4, 5, 5.5
Mozilla                        Linux, Windows    0.9.6, 0.9.7, 0.9.8
Galeon                         Linux             1.0.2
Links                          Linux             0.96

IRC Clients

mIRC                           Windows           5.9
xchat                          Linux             1.8.4, 1.8.7
zircon                         Linux             1.18.224
bitchX                         Linux             1.0-0c18-5

Instant Messaging

MSN Messenger                  Windows
Everybuddy                     Linux             0.2.1beta6

Miscellaneous clients

telnet                         Linux
telnet                         Windows
ssh                            Linux             2.9p2
scp                            Linux             2.9p2
cvs                            Linux             1.11.1p1

This piece of work is dedicated to my parents

This text has been written by Sheikh M. Taimur and tested by Sheikh M. Aleigh
Designed at 800 x 600 resolution

It may be forwarded without any restrictions
4.34AM (Monday, Sept. 22, 2003)
Finalized 8.16 PM (Sept. 22, 2003)
Tested Oct. 07, 2003
