I am learning some penetration testing of my own,
I got a scenario,I need to do like this

I have a access to a machine in a target network,I need to maintain the access to the target host with out getting suspected by the remote firewall administrators of the target network,So at first 2 things comes to my mind ssh and ssl tunnels,but when the admins see an out-bound ssh connection,they will get more doubts,So decided to use a ssl tunnel,

1) is there any tools available out there that can provide a tunneled ssl connection between me and that target?

2)Also i am sure if they will have some stateful firewalls ,so if they see an huge amount of out-bound traffic to a specific ip,they will get more suspicious,So how can i manage this?

3)Also they may have IDS in place,mostly a signature based 1,they may have a signature detection for ssl tunnel,how we can use our "methods" to deviate from the IDS signature,I am looking forward to modify or do some changes in the attack pattern,which needs to confuses the IDS and need to bypass it's patterns?

how can i do this?

4)what are some of the other attacks i can use against a state-full firewall?


Looking for some help?...

I run an SSH server on 443, so I'm good unless they're doing app-level inspection (rare) or only white-listing specific IPs/DNS.

i am asking help for making an ssl tunnel between the 2 hosts,how can i do that? tht is my real question,i know to make http and ssh tunnels,but it wont help me in that case,so only asked here..hope u will help more..


yes i can do tht,but even tough we can use it to evade firewalls,but it is not the good way,because admins may get suspicious of the ssh traffic..
So only asked about ssl tunnel...
hope u will understand....



like u said,can u tell me how u managed to made an ssl tunnels between 2 hosts ?

And don't think i am blaming u,please take this as "sportive",attackers are classified in to 2 kinds kiddies and high end attackers,like u said IDS is a good shield against kiddies ,remember it is not a big concern to the high
end attackers,Because mostly IDS are signature based and it is actually easily bypassable by the high end hackers,by deviating or differentiating the attack vector and also u said "I could learn what rules are triggered for each tool",what if they use a own crafted tool,your IDS will be blind
and also if they tunneled their connection through port 80 with a http protocol means what can u do?
again your IDS will be blind...

also want to ask u some thing,if an IDS is set directly to block the traffic,then there is a high risk that it is being detectable to the attacker,As far as i know the best way to have an IDS is to make it running on the passive mode,not on the active mode..


I also learned something from your point,white-listing applications,I have heared this,but i don't know how it is being implemented?is it being implemented by firewall or IDS?

Also i didn't got any answers for my original questions ,hope you will help.


NOTE:@mambru--?please take this as sportive,don't took it on the wrong sense,and if possible please tell me about how to make an ssl tunnel
between the 2 hosts??

After i search for a while i had found these words on a ssh tutorial



but they didn't mentioned any thing about how to do it,just said the above as 1 of the alternative,..

if you know the above thing ,please help me out...