Bypass your firewall
Disclaimer: This document is for educational purposes only. The author (me) is not responsible for any damage or loss that results from following this material.
In this document I describe a way to bypass a corporate firewall and remotely access your home computer. Obviously you know what you can do once you have a remote desktop (surf the internet, etc.). Employers and universities strongly discourage this, so use it at your own risk. For this method to work you need an internet connection of decent speed at home, and your home system must be left running while you are at college or the office. Those curious to know how and why this works can read the sections below; others can jump straight to the “Taking advantage of the CONNECT method” section.
Details of the firewall:
The most common firewall setup in colleges and corporations is a proxy server. Clients can reach the internet only through the proxy, which in turn provides access only to ports 80 (HTTP) and 443 (HTTPS); all other outbound ports are blocked at the perimeter. The proxy runs a filtering product such as Websense that blocks requests based on URL, IP and content (most commonly there is a URL and IP blacklist configured on the proxy). This setup has a neat hole: from inside the firewall one can reach an arbitrary machine on the internet without the proxy being able to inspect what is sent. The trick is in the way proxy servers provide access to port 443 (HTTPS).
The tunneling mechanism:
When you request a URL in your browser, the browser sends the request to the proxy server using the GET method of HTTP. A request sent to a proxy carries the full URL on the request line (not just the path), so it looks like this:
GET http://www.example.com/ HTTP/1.1
Host: www.example.com

The proxy parses this line, connects to www.example.com on port 80 (or on the port given in the URL, if any), forwards the request, and relays the response back to you in the same way.
HTTP also provides a CONNECT method (reserved for proxies in RFC 2616 and fully specified later in RFC 7231) specifically for use with proxy servers: it asks the proxy to open a TCP connection to a given host and port and then relay raw bytes in both directions. Proxy servers can optionally provide it to let clients reach internet machines on ports other than 80. In fact your browser sends a CONNECT request to the proxy whenever you open an https:// URL. (It is the https scheme that triggers CONNECT, not the port: an http:// URL on port 8080 is still sent as a GET with the port in the absolute URL.) The request looks like this:
CONNECT www.abc.com:443 HTTP/1.1
Host: www.abc.com:443

and, if the proxy agrees to open the tunnel, it answers:
HTTP/1.1 200 Connection established

What happens in this case is that, after that reply, the proxy server establishes a tunnel between your machine and the machine on the internet and simply copies bytes in both directions, without caring about the content you are sending.
An important point to note: with the GET method the proxy is an HTTP endpoint in its own right. It receives the complete request and the complete response (all the text and HTML content), so it can filter, log and cache them based on their content. With the CONNECT method the proxy is only a byte pipe. CONNECT is designed to relay any protocol regardless of content, which is what lets a proxy carry non-HTTP traffic such as SSL. Here the proxy cannot filter on content, because the data flowing through the tunnel is entirely generic (what criterion would it apply when the bytes in the tunnel are encrypted with SSL?). What the proxy can still see, and normally logs, is the destination host and port of each CONNECT, when the tunnel opened and closed, and how many bytes went through it.
The proxy server and the HTTPS problem:
A proxy server handles HTTP websites using the GET method, but it also has to handle HTTPS websites. As you know, HTTPS is the secured version of HTTP: the data is encrypted between client and server, and HTTPS web servers run on port 443. This is where the CONNECT method comes into the picture. Tunnelling with CONNECT is the simplest way to support HTTPS through a proxy, but as you will see below it is not a secure one.
A proxy server could choose not to support the CONNECT method, but the problem is that SSL/TLS is negotiated end to end, with a certificate exchange between the real client and the real server. For the proxy to look inside, it would have to become the real sender: terminate SSL itself, present its own certificate (which the clients would only accept if the proxy's CA certificate were installed on every machine) and implement the entire SSL protocol. So what most proxy servers do (notice “most”, not all: TLS-inspecting proxies that do exactly this exist) is simply tunnel with the CONNECT method.
So for the sake of supporting HTTPS, the CONNECT feature of HTTP is enabled in the proxy server to tunnel HTTPS data. This is the feature we are going to take advantage of.
Taking advantage of the CONNECT method:
Now we know what the CONNECT method is. You know that your proxy server supports HTTPS (443) using CONNECT, that any machine on the internet that hosts an HTTPS server can be reached through your proxy, and that the proxy has no way to filter the data inside the tunnel. So here comes the idea: host your application on port 443 of any machine on the internet, impersonating a real HTTPS server, and access it from inside. That is it!! You have communicated with your program on the outside machine without its content being monitored. Your poor proxy server thinks it is reaching a real HTTPS server and happily establishes a tunnel between your college/office machine and the machine on the internet. One caveat: “not monitored” applies to the content, not to the connection. The proxy still logs the CONNECT to your home host and port, and a long-lived tunnel to an unknown residential address is easy to spot for an admin who looks; a proxy that sanity-checks the first bytes of a tunnel will also notice that raw RDP on port 443 does not start with a TLS handshake. (Impersonation is a crime!! So beware.)
There are a range of possibilities from here. You could host a proxy server on your home machine (of course on port 443) and access the internet without restrictions from the office machine, access a shell account, connect to a game server, etc. Below I describe how to host the Windows Remote Desktop server on your home machine on port 443 and access it remotely.
Two pieces of software are required: DynDNS and cntlm. “DynDNS” provides DNS for your dynamically changing home IP address (for example, when you switch your modem off and on). It is used on your home machine, not at the office: it gives you a domain name that you can use instead of your frequently changing IP address. Take a look at dyndns.com. “cntlm” is a small NTLM-authenticating proxy that sits between your office/college machine and the corporate proxy; besides authentication it can open local tunnels (its Tunnel directive) through the proxy using CONNECT. That is what lets you use applications which have no option to specify a proxy server, for example the Windows Remote Desktop client, which can only talk to a host directly and not through a proxy. “cntlm” runs on your office/college machine, not at home. It requires no installation; you can simply copy it over, e.g. through your mail.
So for a successful setup these are the steps you need to follow.
In your home machine:
1) Set up the Windows Remote Desktop server on port 443. Change the registry value “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber” (a DWORD; enter 443 in decimal, the default is 3389) and restart the machine. Remote Desktop now listens on port 443. Also make sure Windows Firewall allows inbound TCP 443 and, if your home machine sits behind a router, forward TCP 443 on the router to it; otherwise the connection the corporate proxy opens never reaches the Remote Desktop service.
2) Install the DynDNS update client (optional, but needed if your home IP address changes).
In the machine in your work place:
1) Edit the cntlm.ini file to specify the corporate proxy's IP and port, your proxy user name, password and domain, and a Tunnel line mapping a local port to your home machine's IP address or DynDNS name on port 443. See below (the proxy addresses and the home host name are placeholders):
Username testuser
Domain corp-uk
Password password # Use hashes instead (-H)
#Workstation netbios_hostname # Should be auto-guessed
# Your corporate proxy (placeholder addresses; more than one may be listed)
Proxy 10.217.112.41:8080
Proxy 10.217.112.42:8080
# Tunnels mapping local port to a machine behind the proxy:
# mstsc connects to localhost:1045 and cntlm sends "CONNECT homeip.com:443" to the proxy
Tunnel 1045:homeip.com:443
2) Start cntlm from the command line with: cntlm -c cntlm.ini -v (the -v option keeps it in the foreground and prints debugging output, which you will use in step 4).
3) Start the Remote Desktop client (mstsc.exe) and connect to localhost and the local port you chose in step 1, e.g. localhost:1045.
4) The cntlm window shows whether the proxy accepted the CONNECT to your home machine and the tunnel was established.
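The whole exchange, modelled in Python as an added example (this is not code from the original post, nor cntlm's or any proxy product's code): a forwarding proxy in the role of the corporate proxy, which parses CONNECT, enforces the Squid-style policy of tunnelling only to port 443 and logs what it can see; a local port forwarder in the role of cntlm's Tunnel directive; an echo service standing in for the home machine's Remote Desktop on 443; and a proxy-unaware client in the role of mstsc. It illustrates both “The tunneling mechanism” section above and the cntlm setup in the steps just listed. Everything runs on 127.0.0.1 with OS-assigned ports, and the echo service's port stands in for 443 because binding 443 needs privileges; the host names, ports, function names and log format are this example's own assumptions.

```python
import socket
import threading
from contextlib import suppress

# Squid-style policy ("acl SSL_ports port 443 / http_access deny CONNECT !SSL_ports"):
# CONNECT only to 443. The demo adds its echo service's OS-assigned port as a stand-in
# for 443, because binding 443 needs privileges (an assumption of this example).
ALLOWED_PORTS = {443}
proxy_log = []  # what the proxy can record: verdict and host:port, never the content

def read_head(sock):
    """Return the first line of an HTTP head, consuming the head up to its blank line."""
    raw = sock.makefile("rb", buffering=0)  # unbuffered, so no tunnel bytes get swallowed
    first = raw.readline()
    while raw.readline() not in (b"\r\n", b""):
        pass
    return first.decode("latin-1").rstrip("\r\n")

def pump(src, dst):
    """Copy bytes one way until src hits EOF, then half-close dst."""
    with suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def serve(handler):
    """Listen on 127.0.0.1 with an OS-assigned port; run handler(conn) per connection."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(5)
    def accept_loop():
        while True:
            conn, _ = lsock.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock.getsockname()

def reject(client, status):
    client.sendall(b"HTTP/1.1 " + status + b"\r\n\r\n")
    client.close()

def proxy_handler(client):
    """Proxy side: parse the request line, apply the port policy, then relay blindly."""
    method, target, _version = read_head(client).split(" ", 2)
    if method != "CONNECT":  # a GET would be parsed and content-filtered here instead
        return reject(client, b"405 Method Not Allowed")
    host, port = target.rsplit(":", 1)
    if int(port) not in ALLOWED_PORTS:
        proxy_log.append(f"DENY CONNECT {host}:{port}")
        return reject(client, b"403 Forbidden")
    proxy_log.append(f"ALLOW CONNECT {host}:{port}")  # this is all the admin gets to see
    upstream = socket.create_connection((host, int(port)), timeout=5)
    client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    # From here on the proxy is a byte pipe: RDP, SSH or TLS are relayed alike, unparsed.
    threading.Thread(target=pump, args=(upstream, client), daemon=True).start()
    pump(client, upstream)

def echo_handler(conn):  # stands in for the home machine's Remote Desktop on 443
    pump(conn, conn)

def connect_via_proxy(proxy_addr, host, port):
    """Client side of the exchange. Returns (status line, raw tunnel socket or None)."""
    via = socket.create_connection(proxy_addr, timeout=5)
    via.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode())
    status = read_head(via)
    if status.startswith("HTTP/1.1 200"):
        return status, via
    via.close()
    return status, None

def make_forwarder(proxy_addr, rhost, rport):
    """Plays cntlm's 'Tunnel lport:rhost:rport': a proxy-unaware client such as mstsc
    connects to 127.0.0.1:lport and its bytes are tunnelled to rhost:rport."""
    def handler(local):
        _status, via = connect_via_proxy(proxy_addr, rhost, rport)
        if via is None:
            return local.close()
        threading.Thread(target=pump, args=(via, local), daemon=True).start()
        pump(local, via)
    return serve(handler)

def run_demo():
    """Returns (echoed bytes, allowed CONNECT status, denied CONNECT status, proxy log)."""
    svc_host, svc_port = serve(echo_handler)
    ALLOWED_PORTS.add(svc_port)  # stand-in for 443 in this demo
    proxy_addr = serve(proxy_handler)
    # Raw exchange, the way a browser or cntlm talks to the proxy.
    ok_status, tunnel = connect_via_proxy(proxy_addr, svc_host, svc_port)
    tunnel.close()
    bad_status, _ = connect_via_proxy(proxy_addr, svc_host, 22)  # ssh: refused by policy
    # Proxy-unaware client through the forwarder, like mstsc -> localhost:1045.
    client = socket.create_connection(make_forwarder(proxy_addr, svc_host, svc_port), timeout=5)
    client.sendall(b"RDP-shaped bytes the proxy never parses")
    client.shutdown(socket.SHUT_WR)
    reply = b"".join(iter(lambda: client.recv(4096), b""))
    client.close()
    return reply, ok_status, bad_status, list(proxy_log)
```

Calling run_demo() returns the echoed bytes, the two status lines and the proxy log. Two things are worth looking at in the result: the log holds the verdict and host:port for every CONNECT but none of the bytes that crossed the tunnel, which is exactly the trade-off described above, and the CONNECT to port 22 is refused by the port policy while the one to the 443 stand-in is tunnelled, which is why the post puts the home service on 443 rather than on RDP's default 3389.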

Great post!
@Ran: Thank you