I have done this type of tunneling out from inside a protected network a few times. I've utilized the following configuration: SSH, PPP, Linux, and httptunnel (once I replaced ssh with stunnel). I did this to bypass an extremely restrictive internet filter. I could use the tunnel as a two-way path between networks and had full access to the inner network.

I used SSH to compress / encrypt all the traffic. PPP was used to emulate network devices and allow me a "gateway" to the foreign network. httptunnel was used to bypass the "firewall", which only allowed DNS and HTTP traffic out. The HTTP traffic was filtered... and banners were added to every page that passed through the proxy, so this got messy and involved some tweaking. If you can only get unfiltered DNS outbound... then you can utilize a DNS "tunneling" application to do things similar to how httptunnel works.

This whole process is quite easy if you gain root access on an internal (protected) machine. You need to have the internal ("protected") system initiate an httptunnel to a remote ("server") system that is running a listening copy of httptunnel, which then forwards the connection into ssh (using identities and NOT password authentication so that it auto-logs in). Once SSHD on the remote system that you control gets the connection, it executes PPP, which echoes the PPP traffic to STDOUT and reads from STDIN rather than a serial device. At this point, your protected ("secure") machine has PPP running, also sending through STDOUT and listening on STDIN. You now have a VALID two-way tunnel that is using SSH and PPP devices. You can add an auto-reconnect feature and have crond run it when the connection fails, too... because it will fail occasionally.

If anyone needs help and can't figure out the details of the commands they need to run, then let me know and I'll try to help.
It should also be possible to use a steganography tool to "encode" data into "images" that appear valid when viewed in web browsers... instead of using httptunnel. This would add to the "secrecy" of your transmissions :)

Ben Efros

> > For sites which allow unrestricted outbound connections, it would
> > probably be impossible to detect if the trojan did nothing else
> > destructive to arouse suspicion.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
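Added example from the defender's side, not part of the original post or of httptunnel itself: a small Python scan over constructed Squid proxy log lines that flags the traffic shape an httptunnel-style setup leaves behind at the proxy (one internal client repeatedly holding long-lived requests open to a single URL on one outside host). The log format, host names and thresholds are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed Squid native access.log lines (not from the original post):
# "epoch duration_ms client result/status bytes method url ident hierarchy type".
# One host (10.0.0.12) keeps ~60 s POSTs open to one URL on tunnel.example.net;
# the rest is ordinary browsing.
SAMPLE_LOG = """\
1014738511.101    220 10.0.0.12 TCP_MISS/200 4521 GET http://www.example.com/index.html - DIRECT/203.0.113.5 text/html
1014738512.412  59820 10.0.0.12 TCP_MISS/200 183204 POST http://tunnel.example.net/index.html - DIRECT/203.0.113.9 application/octet-stream
1014738572.890  61100 10.0.0.12 TCP_MISS/200 190112 POST http://tunnel.example.net/index.html - DIRECT/203.0.113.9 application/octet-stream
1014738634.010  60022 10.0.0.12 TCP_MISS/200 176800 POST http://tunnel.example.net/index.html - DIRECT/203.0.113.9 application/octet-stream
1014738695.330  60310 10.0.0.12 TCP_MISS/200 181500 POST http://tunnel.example.net/index.html - DIRECT/203.0.113.9 application/octet-stream
1014738700.000    180 10.0.0.33 TCP_HIT/200 2310 GET http://www.example.com/logo.gif - NONE/- image/gif
"""

def parse_squid_line(line):
    """Parse one Squid native log line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) < 7:
        return None
    try:
        url = urlsplit(parts[6])
        return {"client": parts[2], "duration_ms": int(parts[1]), "bytes": int(parts[4]),
                "host": url.hostname or parts[6], "path": url.path}
    except ValueError:
        return None

def find_tunnel_candidates(log_text, long_ms=30_000, min_long=3):
    """Group requests by (client, host) and flag pairs with httptunnel-like shape:
    at least min_long requests each held open >= long_ms, all to the same path.
    Returns a sorted list of (client, host, long_request_count, total_bytes)."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec:
            groups[(rec["client"], rec["host"])].append(rec)
    hits = []
    for (client, host), recs in groups.items():
        long_reqs = [r for r in recs if r["duration_ms"] >= long_ms]
        # Real browsing spreads over many paths; a tunnel reuses one endpoint.
        if len(long_reqs) >= min_long and len({r["path"] for r in long_reqs}) == 1:
            hits.append((client, host, len(long_reqs), sum(r["bytes"] for r in long_reqs)))
    return sorted(hits)

if __name__ == "__main__":
    for client, host, n, total in find_tunnel_candidates(SAMPLE_LOG):
        print(f"{client} -> {host}: {n} long-lived requests to one path, {total} bytes")
```

Legitimate long-polling or streaming services produce the same shape, so pair this with an allowlist of known hosts and tune long_ms to the proxy's real request-duration distribution.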
This archive was generated by hypermail 2b30 : Tue Feb 26 2002 - 11:09:11 PST