June 10th, 2004, 05:57 PM
Tunneling Connections through a firewall
Is there any place with good documentation about tunneling and spoofing port connections through a firewall to the internal NAT'd network? Say for instance the firewall routes http requests to an internal ip, is there a way you can tunnel say telnet or ssh though port 80 to allow you to connect to the webserver while folling the firewall? Or have I just seen 1 too many hacker movies?
Lets say the firewall is a linux box running iptable rules, and the webserver is also running linux.
(kr5kernel at hotmail dot com)
Linux: Making Penguins Cool Since 1994.
June 10th, 2004, 10:40 PM
If it's a Linux box, you could use httptunnel. It's a well-known program for tunneling through port 80... And it's free. They have binaries for Windows as well, in case you want to use it on a Windows machine.
Try searching on Google for "tunnel" or "tunnel http" or stuff like that if you want more info.
June 10th, 2004, 10:58 PM
Good ol' Netcat will get the job done!
nc -L -d -e xxxxxxxxx -p 80
Replace xxxxxxxx with the name of the program you want to run.
Providing you can install netcat on a box in the network ;-)
I have used this in the past against the zone alarm firewall which was configured to allow all traffic for port 80. (on my own network ofcourse!)
The sucsess of this depends on, amongst other things, the firewall configuration but you would be suprised how many firewalls allow all trafic on port 80!
In windows i use it to open cmd.exe (nc -L -d -e cmd.exe -p 80), i dont know what you would want to open in linux, depends on what you want to do i suppose.
If its your network and your just doing some testing, this is perfect! (IMHO anyway)
June 10th, 2004, 11:28 PM
if you bind nc to port 80 it is 'in front of' the webserver so any one trying to view the site will think the server is down. i would think the same would be true of anything that just captures the web traffic. but you could use AT (you need access to get it there to begin with) to schedule it to run every night at an off hour. using the -l arg which would give you access at that time and close when your done instead of -L which would just keep listening for another connection. less chance of it being noticed. the way its mostly done today is usually with sql injection, constructing sql statements to run commands or just a poorly patched and configured server that allows you to run commands on the server and viewing the results in your web browser. i guess the best illustration of this would be the antique iis 4/5 unicode exploit. long since fixed but still around.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
June 11th, 2004, 12:50 AM
The fact of the matter is that there are *many* ways to tunnel traffic through a firewall. You have all of the aforementioned along with LOKI, HPING, any of the B/O agents, etc.. Hell, even VNC *could* tunnel traffic through using Stunnel (SSH tunneling app). The bottom line is your ability to use any of these methods depends on the firewall itself (is it a piece of crap), your skills and/or the ability of the FW admin to properly create ACLs.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
June 15th, 2005, 04:57 PM
i can use this netcat to connect through different subnet? for example, in my college we have 2 subnets. One is wireless and another one is cable one. On the cable side we have dc++ server and the students from wireless side want to connect to the server. the Subnet are as follow
wireless - 192.168.200.1
cable - 10.0.0.1