
using SSL Tunnel to bypass IDS and firewalls?


manoj9372

Jr. Member

Posts: 72

Joined: Mon Oct 05, 2009 8:54 am

Post Fri Oct 01, 2010 1:04 am

using SSL Tunnel to bypass IDS and firewalls?

I am learning some penetration testing on my own, and I got a scenario I need to do like this:

I have access to a machine in a target network. I need to maintain access to the target host without being suspected by the firewall administrators of the target network. So at first two things came to my mind, SSH and SSL tunnels, but when the admins see an outbound SSH connection they will get more doubts, so I decided to use an SSL tunnel.

1) Are there any tools available out there that can provide a tunneled SSL connection between me and that target?

2) Also I am sure they will have some stateful firewalls, so if they see a huge amount of outbound traffic to a specific IP they will get more suspicious. So how can I manage this?

3) Also they may have an IDS in place, mostly a signature-based one, and they may have a signature detection for SSL tunnels. How can we use our "methods" to deviate from the IDS signature? I am looking forward to modifying or making some changes in the attack pattern, which needs to confuse the IDS and bypass its patterns.

How can I do this?

4) What are some of the other attacks I can use against a stateful firewall?


Looking for some help...

impelse

Hero Member

Posts: 585

Joined: Mon Feb 16, 2009 3:40 pm

Post Fri Oct 01, 2010 8:24 am

Re: using SSL Tunnel to bypass IDS and firewalls?

You got some interesting points, but you said that you are learning that, so first create one tunnel from that machine and later begin to learn how to hide it.

I am not so advanced like you, but I would do that.
CCNA, Security+, 70-290, 70-291
CCNA Security
Taking Hackingdojo training

Website: http://blog.thehost1.com/

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Fri Oct 01, 2010 8:43 am

Re: using SSL Tunnel to bypass IDS and firewalls?

I run an SSH server on 443, so I'm good unless they're doing app-level inspection (rare) or only white-listing specific IPs/DNS.
The day you stop learning is the day you start becoming obsolete.

mambru

Jr. Member

Posts: 98

Joined: Wed Jun 03, 2009 3:11 pm

Post Fri Oct 01, 2010 11:22 am

Re: using SSL Tunnel to bypass IDS and firewalls?

A few weeks back I was playing with a very similar scenario.

I had a firewall allowing only egress/ingress traffic to port 80 and an IDS examining all the traffic. I had compromised a web server (through an SQL injection vuln), so I needed to reach other services from outside by using tunnels. First I tried a very loose configuration in the IDS (TippingPoint); with that I could tunnel out connections with SSH, SSL (stunnel) and HTTP (httptunnel - htc/hts) successfully. Gradually I set a more aggressive profile in the IDS; with that I could learn what rules are triggered for each tool. At the end I had the IDS dropping all the connections since it was detecting protocols to non-standard ports (remember the FW was only allowing traffic to port 80).

It was a nice exercise that gave me the chance to learn about how to achieve a good profile in the IDS and possible evasion techniques, and it can be extended in more ways.
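A defender-side illustration of the point in mambru's and dynamik's posts, that an IDS doing application-level inspection catches a protocol running on a port it does not belong to (SSH on 443 or 80). This is an added example, not code from any post in this thread; the flows it inspects are constructed sample data, and the fingerprints are deliberately minimal.

```python
# Added example (not from the thread): flag application-layer protocols that do not
# match the port they run on, e.g. an SSH banner on TCP/443 where TLS is expected.
# Input is a constructed list of flows with the first bytes each client sent.

from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # first client->server payload bytes (constructed sample)


def classify(payload: bytes) -> str:
    """Minimal fingerprints for the protocols discussed in the thread."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), major version 0x03,
    # and the handshake type at offset 5 is 0x01 (ClientHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"CONNECT", b"OPTIONS"):
        return "http"
    return "unknown"


# What each well-known port is expected to carry.
EXPECTED = {22: {"ssh"}, 80: {"http"}, 443: {"tls"}}


def mismatches(flows):
    """Return (flow, observed_protocol) for flows whose payload does not fit their port."""
    alerts = []
    for f in flows:
        proto = classify(f.first_bytes)
        expected = EXPECTED.get(f.dport)
        if expected is not None and proto not in expected:
            alerts.append((f, proto))
    return alerts


SAMPLE_FLOWS = [  # constructed sample data, not a real capture
    Flow("10.0.0.5", "203.0.113.10", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),  # genuine TLS
    Flow("10.0.0.5", "203.0.113.20", 443, b"SSH-2.0-OpenSSH_5.5\r\n"),                      # SSH on 443
    Flow("10.0.0.7", "203.0.113.30", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n"),       # normal HTTP
    Flow("10.0.0.7", "203.0.113.40", 80, b"SSH-2.0-OpenSSH_5.5\r\n"),                       # SSH on 80
]

if __name__ == "__main__":
    for flow, proto in mismatches(SAMPLE_FLOWS):
        print(f"ALERT {flow.src} -> {flow.dst}:{flow.dport} carries {proto}, expected {sorted(EXPECTED[flow.dport])}")
```

Note that the first flow, a real TLS handshake on 443, passes this check, which is exactly why a TLS-wrapped tunnel (stunnel, as mentioned later in the thread) is not caught by a port/protocol rule alone and needs the volume-to-one-destination or whitelisting controls the other posts mention.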

manoj9372

Jr. Member

Posts: 72

Joined: Mon Oct 05, 2009 8:54 am

Post Fri Oct 01, 2010 12:11 pm

Re: using SSL Tunnel to bypass IDS and firewalls?

  Quote:
You got some interesting points, but you said that you are learning that, so first create one tunnel from that machine and later begin to learn how to hide it.

I am not so advanced like you, but I would do that.


I am asking for help with making an SSL tunnel between the 2 hosts. How can I do that? That is my real question. I know how to make HTTP and SSH tunnels, but they won't help me in that case, so I only asked here. Hope you will help more.

  Quote:
I run an SSH server on 443, so I'm good unless they're doing app-level inspection (rare) or only white-listing specific IPs/DNS.


Yes, I can do that, but even though we can use it to evade firewalls, it is not a good way, because admins may get suspicious of the SSH traffic.
So I only asked about an SSL tunnel.
Hope you will understand.


  Quote:
A few weeks back I was playing with a very similar scenario.

I had a firewall allowing only egress/ingress traffic to port 80 and an IDS examining all the traffic. I had compromised a web server (through an SQL injection vuln), so I needed to reach other services from outside by using tunnels. First I tried a very loose configuration in the IDS (TippingPoint); with that I could tunnel out connections with SSH, SSL (stunnel) and HTTP (httptunnel - htc/hts) successfully. Gradually I set a more aggressive profile in the IDS; with that I could learn what rules are triggered for each tool. At the end I had the IDS dropping all the connections since it was detecting protocols to non-standard ports (remember the FW was only allowing traffic to port 80).

It was a nice exercise that gave me the chance to learn about how to achieve a good profile in the IDS and possible evasion techniques, and it can be extended in more ways.


Like you said, can you tell me how you managed to make SSL tunnels between 2 hosts?

And don't think I am blaming you, please take this as "sportive". Attackers are classified into 2 kinds, kiddies and high-end attackers. Like you said, an IDS is a good shield against kiddies, but remember it is not a big concern to the high-end attackers, because mostly IDS are signature based and are actually easily bypassable by the high-end hackers by deviating or differentiating the attack vector. Also you said "I could learn what rules are triggered for each tool"; what if they use their own crafted tool? Your IDS will be blind.
And also if they tunneled their connection through port 80 with the HTTP protocol, what can you do?
Again your IDS will be blind...

Also I want to ask you something: if an IDS is set directly to block the traffic, then there is a high risk that it is detectable to the attacker. As far as I know, the best way to have an IDS is to make it run in passive mode, not in active mode.


I also learned something from your point, white-listing applications. I have heard of this, but I don't know how it is implemented. Is it implemented by the firewall or the IDS?

Also I didn't get any answers to my original questions; hope you will help.


NOTE: @mambru, please take this as sportive, don't take it in the wrong sense, and if possible please tell me how to make an SSL tunnel between the 2 hosts.
Last edited by manoj9372 on Fri Oct 01, 2010 12:13 pm, edited 1 time in total.

mambru

Jr. Member

Posts: 98

Joined: Wed Jun 03, 2009 3:11 pm

Post Fri Oct 01, 2010 4:17 pm

Re: using SSL Tunnel to bypass IDS and firewalls?

I'm not meaning to be rude, but have you tried somehow to create the tunnel? As usual, Google is your friend, there's a lot of info on the net that can help you with this (http://www.stunnel.org/examples/generic_tunnel.html).

If you are experiencing a specific problem, then I could try to shed some light, don't hesitate to ask, just give some more details about what difficulties you're having.

manoj9372

Jr. Member

Posts: 72

Joined: Mon Oct 05, 2009 8:54 am

Post Sun Oct 03, 2010 7:15 am

Re: using SSL Tunnel to bypass IDS and firewalls?

After I searched for a while I found these words in an SSH tutorial:

  Quote:
you can configure an SSL Tunnel through the SSH connection.



But they didn't mention anything about how to do it; they just gave the above as one of the alternatives.

If you know the above thing, please help me out...

mambru

Jr. Member

Posts: 98

Joined: Wed Jun 03, 2009 3:11 pm

Post Mon Oct 04, 2010 11:03 am

Re: using SSL Tunnel to bypass IDS and firewalls?

Where are you standing right now? Where are you failing? Did you check the link I posted? There you can find plenty of examples showing how to create SSL tunnels; those are good starting points for what you want to do. You say you know how to create HTTP and SSH tunnels, then creating an SSL tunnel shouldn't be a big deal.

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Tue Oct 05, 2010 8:27 am

Re: using SSL Tunnel to bypass IDS and firewalls?

  Quote (manoj9372):
1) Are there any tools available out there that can provide a tunneled SSL connection between me and that target?

2) Also I am sure they will have some stateful firewalls, so if they see a huge amount of outbound traffic to a specific IP they will get more suspicious. So how can I manage this?

3) Also they may have an IDS in place, mostly a signature-based one, and they may have a signature detection for SSL tunnels. How can we use our "methods" to deviate from the IDS signature? I am looking forward to modifying or making some changes in the attack pattern, which needs to confuse the IDS and bypass its patterns.

How can I do this?

4) What are some of the other attacks I can use against a stateful firewall?


1. Try out the following programs and play with them:
- SSL Tunnel: http://www.stunnel.org/
- ICMP Tunnels:
http://neverfear.org/blog/view/9/Using_ ... l_Internet
http://icmpshell.sourceforge.net/
http://phrack.org/issues.html?issue=49&id=6#article
And so forth; there are plenty of tools available. You can even install a VPN client on the target victim, and then set up a VPN server too with e.g. OpenVPN and SSL.

2. This is harder to manage, but if you relay your traffic via e.g. Facebook, Twitter or Google then it may not look that suspicious. I remember I saw... I think it was a botnet (for testing purposes) which was run via Twitter. Quite evil, but it worked.

3. Install Snort and these "SSL filters" you're talking about. Then try to bypass them. That's what I would do; if I didn't know the exact filters I would do a general bypass without making the packets look obscure, since some firewalls and filters may put a red flag on them. Furthermore, using other kinds of packets such as ICMP (tunneling data through it) may be even better.

4. Spoofed (UDP) packets are just one kind of attack. You can't use that to actually "attack" the firewall, except if the SPI interface is vulnerable to certain types of obscure packets.



Best regards,
MaXe
I'm an InterN0T'er

manoj9372

Jr. Member

Posts: 72

Joined: Mon Oct 05, 2009 8:54 am

Post Wed Oct 06, 2010 3:22 am

Re: using SSL Tunnel to bypass IDS and firewalls?

Thanks, sir, especially to "MaXe" and "mambru". I got some "path" on this; I will try to do some research and some practical demonstrations, and I will try to understand this in a better way.

Thanks once again.
