Most companies and enterprises rely on proxies and firewalls for their network security. But the majority of firewalls and proxies block most or all other services except one: http/https. They allow traffic to destination port 80 or 443 to pass so that their employees can browse the web. This particular behaviour of the firewall can be exploited to connect to remote servers running services on ports other than 80 or 443. Let us see how.
SCENARIO
Suppose you are an employee of such a company and you want to use protocols like BitTorrent, FTP or telnet, or even access websites that are blocked by your firewall. You have a computer at home which is connected to the internet and has no such restrictions. Your company's firewall does not block http/https traffic to your home address.
SETUP
All you need to do is set up an http tunnel client on your office workstation and an http tunnel server on your home computer, and keep the server up and running. If your home computer is behind a NAT, you must forward ports 80 and 443 to your computer's internal IP address.
JOB OF THE HTTP TUNNEL CLIENT
The http tunnel client encrypts every packet originating from your workstation and encapsulates it with IP headers destined for your http tunnel server at port 80 or 443. For every incoming packet it strips off the outer IP headers, decrypts the remaining packet and hands it to the kernel.
JOB OF THE HTTP TUNNEL SERVER
For every incoming packet from the client, the http tunnel server running at your home strips off the outer IP headers, decrypts the inner packet, reads the actual destination IP/port and sends the packet there. It then takes the reply from the actual server, encrypts it and sends it to the client's IP address, encapsulated with IP headers destined for port 80/443.
WORKING
How this works is pretty simple. All traffic from the client's workstation is tunneled, so the firewall allows it to pass. Once a packet reaches the http tunnel server, the server extracts the original packet and acts as a proxy: it sends the packet to the actual server and receives the reply. It then tunnels the reply in the same way and sends it back to the client's workstation, which extracts the actual reply and passes it to the operating system. All real data crossing the firewall is encrypted, so the firewall cannot see the actual traffic even if it tries to monitor it.
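From the network defender's side, the scheme above has a weakness the article does not spell out: legitimate traffic to port 80 begins with a cleartext HTTP request line, and legitimate traffic to port 443 begins with a TLS ClientHello record. An encrypted tunnel that merely borrows those ports produces neither. The following added example (not code from the original post, and not any particular tunnel tool) classifies the first client payload bytes of a connection to a web port and flags flows that fit neither protocol; the Flow records are constructed sample data, and the Shannon entropy of the first bytes is reported as a secondary indicator of encrypted content.

```python
"""Flag connections to ports 80/443 whose first payload bytes are neither
HTTP nor a TLS ClientHello.

Added example for the tunneling article: the flows below are constructed,
not captured traffic, and the check is a starting point for a detection
rule, not a complete intrusion-detection system.
"""
import math
from dataclasses import dataclass

# Request methods a plain-HTTP client would send as the first bytes on port 80.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ")


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # first payload bytes sent by the client


def looks_like_http(data: bytes) -> bool:
    """Plain HTTP request line: METHOD SP target SP HTTP/1.x CRLF."""
    if not data.startswith(HTTP_METHODS):
        return False
    line, sep, _ = data.partition(b"\r\n")
    return sep == b"\r\n" and line.endswith((b"HTTP/1.0", b"HTTP/1.1"))


def looks_like_tls_client_hello(data: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), record version
    0x03 0x01..0x04, two length bytes, then handshake type 0x01 (ClientHello)."""
    if len(data) < 6:
        return False
    return (data[0] == 0x16 and data[1] == 0x03
            and data[2] in (1, 2, 3, 4) and data[5] == 0x01)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted payloads sit close to 8.0."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(flow: Flow) -> str:
    """Return 'http', 'tls', 'suspicious' (web port, unknown protocol) or 'other'."""
    if flow.dport == 80 and looks_like_http(flow.first_bytes):
        return "http"
    if flow.dport == 443 and looks_like_tls_client_hello(flow.first_bytes):
        return "tls"
    if flow.dport in (80, 443):
        return "suspicious"
    return "other"


def find_tunnel_suspects(flows):
    """Return (flow, entropy) pairs for flows that use a web port without
    speaking the protocol expected on it."""
    return [(f, shannon_entropy(f.first_bytes))
            for f in flows if classify(f) == "suspicious"]


# Constructed sample flows (addresses and payloads are made up).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 80,
         b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Flow("10.0.0.5", "203.0.113.20", 443,
         bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01, 0x00, 0x00, 0xC4, 0x03, 0x03])
         + b"\x00" * 32),
    # Encrypted tunnel payload on port 80: no request line, high entropy.
    Flow("10.0.0.7", "198.51.100.9", 80, bytes(range(64, 192))),
    # Custom framing on port 443 that is not a TLS record.
    Flow("10.0.0.7", "198.51.100.9", 443, b"\x00\x00\x00\x12tunnel-hello"),
]

if __name__ == "__main__":
    for flow, ent in find_tunnel_suspects(SAMPLE_FLOWS):
        print(f"suspect: {flow.src} -> {flow.dst}:{flow.dport} "
              f"entropy={ent:.2f} bits/byte")
```

In practice this check runs on the first client-to-server payload of each new connection from a packet capture or a proxy log; a TLS-terminating web proxy achieves the same effect more directly, since a tunnel that does not complete a real TLS handshake with the proxy is simply refused.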
CONCLUSION
So here we saw an example of how a single open port on the firewall can be used to reach any server or service on any port anywhere on the internet, with the help of encryption and tunneling protocols.