You have some interesting points, but you said that you are learning this, so first create one tunnel from that machine and later begin to learn how to hide it.
I am not as advanced as you, but I would do that.
I am asking for help with making an SSL tunnel between the 2 hosts; how can I do that? That is my real question. I know how to make HTTP and SSH tunnels, but they won't help me in that case, so I only asked here. Hope you will help more.
I run an SSH server on 443, so I'm good unless they're doing app-level inspection (rare) or only white-listing specific IPs/DNS.
Yes, I can do that, but even though we can use it to evade firewalls, it is not the good way, because admins may get suspicious of the SSH traffic.
So I only asked about an SSL tunnel...
Hope you will understand....
A few weeks back I was playing with a very similar scenario.
I had a firewall allowing only egress/ingress traffic to port 80 and an IDS examining all the traffic. I had compromised a web server (through an SQL injection vuln), so I needed to reach other services from outside by using tunnels. First I tried a very loose configuration in the IDS (TippingPoint); with that I could tunnel out connections with SSH, SSL (stunnel) and HTTP (httptunnel - htc/hts) successfully. Gradually I set a more aggressive profile in the IDS, and with that I could learn which rules are triggered for each tool. At the end I had the IDS dropping all the connections, since it was detecting protocols on non-standard ports (remember the FW was only allowing traffic to port 80).
It was a nice exercise that gave me the chance to learn about how to achieve a good profile in the IDS and possible evasion techniques, and it can be extended in more ways.
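The "protocol on a non-standard port" check that mambru's IDS ended up tripping on can be illustrated with a small classifier. This is an added example, not code from the thread or from TippingPoint: it looks at the first bytes a client sends on a flow, guesses the application protocol (SSH banner, TLS ClientHello, HTTP request line), and raises an alert when that guess does not match what the destination port is expected to carry. The flow samples are constructed for the example.

```python
# Added example: flag application protocols that do not match their port,
# in the spirit of the IDS behaviour described above. Not the IDS's own logic.

# Expected application protocol per destination port (assumption for the example).
PORT_EXPECTATION = {80: "http", 443: "tls"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def classify_payload(data: bytes) -> str:
    """Guess the application protocol from the first bytes the client sends."""
    # SSH identification string, RFC 4253: "SSH-2.0-<software>\r\n"
    if data.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), major version 0x03,
    # then a handshake message of type 0x01 (ClientHello) at offset 5.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"
    if any(data.startswith(m) for m in HTTP_METHODS):
        return "http"
    return "unknown"


def check_flow(dst_port: int, data: bytes):
    """Return (guessed_protocol, alert) for one client-to-server flow."""
    proto = classify_payload(data)
    expected = PORT_EXPECTATION.get(dst_port)
    if expected is None:
        # No expectation recorded for this port: nothing to compare against.
        return proto, False
    return proto, proto != expected


# Constructed flows: (destination port, first bytes sent by the client).
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),   # TLS ClientHello
    (443, b"SSH-2.0-OpenSSH_8.9\r\n"),                        # SSH served on 443
    (80, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),    # TLS on the HTTP port
    (8080, b"SSH-2.0-OpenSSH_8.9\r\n"),                       # port with no expectation
]


def audit(flows):
    """Return a list of (port, protocol) pairs that violate the port expectation."""
    alerts = []
    for port, data in flows:
        proto, alert = check_flow(port, data)
        if alert:
            alerts.append((port, proto))
    return alerts


if __name__ == "__main__":
    for port, proto in audit(SAMPLE_FLOWS):
        print(f"ALERT: {proto} seen on port {port}")
```

Two caveats a defender should keep in mind: the check only sees the client's first bytes, so it needs the initial packet of each flow, and a tunnel that is itself wrapped in TLS on 443 (stunnel, as mentioned above) looks like TLS to it. That is why the same thread mentions IP/DNS whitelisting as the other control.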
Like you said, can you tell me how you managed to make an SSL tunnel between 2 hosts?
And don't think I am blaming you; please take this as "sportive". Attackers are classified into 2 kinds, kiddies and high-end attackers. Like you said, an IDS is a good shield against kiddies, but remember it is not a big concern to the high-end attackers, because mostly IDSs are signature based and are actually easily bypassable by the high-end hackers, by deviating or differentiating the attack vector. Also you said "I could learn what rules are triggered for each tool"; what if they use their own crafted tool? Your IDS will be blind.
And also, if they tunneled their connection through port 80 with the HTTP protocol, what can you do?
Again your IDS will be blind...
I also want to ask you something: if an IDS is set directly to block the traffic, then there is a high risk that it is detectable by the attacker. As far as I know, the best way to have an IDS is to make it run in passive mode, not in active mode.
I also learned something from your point, whitelisting applications. I have heard of this, but I don't know how it is implemented. Is it implemented by the firewall or the IDS?
Also I didn't get any answers to my original questions; hope you will help.
NOTE: @mambru, please take this as sportive, don't take it the wrong way, and if possible please tell me how to make an SSL tunnel between the 2 hosts??