Introduction
Firewalls are heavily used to secure private networks (home or corporate). Usually, they are used to
protect the network from:
In a TCP/IP environment, the typical corporate firewall configuration is to block everything (both
incoming and outgoing), and give access to the internet only through an HTTP proxy. The proxy usually has
filtering capabilities (censors URLs and file types), and access to the proxy often requires credentials
(login/password). This gives greater control to the network administrator over what and who is going in
and out of the network.
Still, this should not be considered an ultimate weapon, and network administrators should not rely
on firewalls alone.
Encapsulation is the basis of networking. For example, HTTP is encapsulated by TCP, TCP is encapsulated
by IP, and IP is often encapsulated in PPP or Ethernet.
Encapsulating protocols in an unusual way is often referred to as tunnelling.
As soon as you let a single protocol out, tunnelling lets anything go through this protocol, and thus
through the firewall.
This paper demonstrates how to encapsulate any TCP-based protocol (SMTP, POP3, NNTP, telnet...) into
HTTP, thus bypassing the firewall protection/censorship (depending on your point of view).
A word of warning:
In many countries and corporate environments, bypassing a firewall is forbidden and exposes
you to sanctions, redundancy, legal proceedings and - in some countries - the death penalty.
You are warned.
Nevertheless, in some countries this kind of firewall/proxy bypassing is the only way to ensure free speech
(such as China or the United Arab Emirates, where the government severely censors the internet and where
firewall bypassing is a national sport).
The problem
Say you want to fetch your mail from your ISP mail server. You usually simply connect to port 110 on the
http://sebsauvage.net/punching/ 13/09/2010
Punching holes into firewalls Page 2 of 6
Well... it does not exactly block everything: it lets HTTP out through a proxy.
Let's encapsulate our POP3 connection into HTTP.
The tools
We need:
A computer on the internet which has unrestricted access to the internet, such as a home ADSL computer.
GNU HTTP Tunnel (http://www.nocrew.org/software/httptunnel.html). It encapsulates TCP into HTTP requests.
SSH is a secure shell (http://www.openssh.com). It provides secure (and compressed) channels between two hosts using SSL. Besides providing a shell (like telnet), it also provides file copy (scp) and TCP port forwarding (tunnelling). We will use the port forwarding feature.
the tunnel is public: anyone can use your tunnel. You could be held liable for what anybody has done with your tunnel.
the tunnel is cleartext: anyone can spy on your connection. Your passwords (SMTP, POP3, telnet...) are transmitted in clear text.
the tunnel is not protected: anyone can alter the datastream.
you have to run a new instance of the HTTP Tunnel client and the server for each new tunnel you want to set up.
As TCP is a bidirectional datastream, once established, the TCP connection can pass data back and
forth through the HTTP proxy.
The administrator of the HTTP proxy cannot see which protocol is used, which server is
contacted (except the home computer), nor the nature of transmitted data.
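What the proxy still records is the one visible destination, how long each request lasted and how many bytes moved. The following added example (not part of the original paper) aggregates those fields per client and destination and flags sustained sessions to a single external host; the Squid-style log layout, the sample lines, hostnames, port and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log layout:
# time elapsed_ms client code/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1284370000.100 210 10.0.0.5 TCP_MISS/200 15320 GET http://news.example.org/index.html - DIRECT/192.0.2.10 text/html
1284370003.400 95 10.0.0.5 TCP_MISS/200 4210 GET http://news.example.org/style.css - DIRECT/192.0.2.10 text/css
1284370010.000 298000 10.0.0.7 TCP_MISS/200 880123 POST http://home.example.net:8888/index.html - DIRECT/198.51.100.7 text/html
1284370310.000 299500 10.0.0.7 TCP_MISS/200 912004 GET http://home.example.net:8888/index.html - DIRECT/198.51.100.7 text/html
1284370610.000 297800 10.0.0.7 TCP_MISS/200 650777 POST http://home.example.net:8888/index.html - DIRECT/198.51.100.7 text/html
1284370650.000 120 10.0.0.7 TCP_MISS/200 2300 GET http://intranet-docs.example.com/faq.html - DIRECT/192.0.2.44 text/html
"""

def parse_line(line):
    """Return (client, host, port, elapsed_ms, size) for one log line."""
    f = line.split()
    # CONNECT entries log "host:port" with no scheme; make urlsplit see a netloc.
    url = f[6] if "://" in f[6] else "//" + f[6]
    parts = urlsplit(url)
    secure = f[5] == "CONNECT" or parts.scheme == "https"
    port = parts.port or (443 if secure else 80)
    return f[2], parts.hostname, port, int(f[1]), int(f[4])

def find_tunnel_candidates(log_text, min_requests=3, min_avg_ms=60_000,
                           web_ports=(80, 443)):
    """Flag client/destination pairs that look like a sustained tunnel."""
    stats = defaultdict(lambda: [0, 0, 0])   # key -> [requests, ms, bytes]
    for line in filter(str.strip, log_text.splitlines()):
        client, host, port, ms, size = parse_line(line)
        s = stats[(client, host, port)]
        s[0] += 1
        s[1] += ms
        s[2] += size
    findings = []
    for (client, host, port), (n, ms, size) in stats.items():
        reasons = []
        if n >= min_requests and ms / n >= min_avg_ms:
            reasons.append("long-lived requests")   # thresholds are assumptions
        if port not in web_ports:
            reasons.append("non-web port")
        if reasons:
            findings.append({"client": client, "dest": f"{host}:{port}",
                             "requests": n, "bytes": size, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for hit in find_tunnel_candidates(SAMPLE_LOG):
        print(hit)
```

The thresholds need tuning against a baseline of normal traffic, since large downloads and streaming also produce long requests.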
Notes:
Conclusion
As you can see, setting up such tunnels does not require advanced skills, especially with the recent Linux
distributions which come with pre-installed and pre-configured ssh servers.
With a little more skill, it is possible to tunnel just about everything into everything. For example, it is
possible to tunnel PPP into HTTP, providing a full IP-stack tunnelling, including ICMP (ping...), DNS and
servers (backward tunnels).
Opensource and commercial VPN solutions also come to mind.
See references for programs and papers about firewall bypassing below.
Security is not only a matter of firewall configuration, it must be seen at a larger scale. Do not rely on the
firewall alone.
Censorship bypassing should not be considered only as a terrorist or hacker weapon, but also as a tool for
privacy, free speech, democracy and human rights protection (please read the papers written by PGP author
Philip Zimmermann, they are very instructive).
References
ProxyTunnel : http://proxytunnel.sourceforge.net
TCP-into-HTTP(S) tunneling program ; requires the HTTP proxy to accept the CONNECT command.
SSH Tunnelling howto : http://proxytunnel.sourceforge.net/papers/muppet-200204.html
Instructions for TCP-into-HTTP tunnelling using SSH and ProxyTunnel.
Bypassing internet censorship : http://www.zensur.freerk.com
Ways to bypass censorship, using various techniques.
How to Bypass Most Firewall Restrictions and Access the Internet Privately :
http://www.buzzsurf.com/surfatwork/
Document on firewalls bypassing and tunnelling.
Breaking Firewalls with OpenSSH and PuTTY : http://souptonuts.sourceforge.net/sshtips.htm
Using putty and OpenSSH when the firewall allows port 22 in.
The enemy within: Firewalls and backdoors : http://www.securityfocus.com/infocus/1701
Article about firewalls and security.
GNU HTTP Tunnel : http://www.nocrew.org/software/httptunnel.html
Opensource TCP-into-HTTP tunnelling.
PlugDaemon : http://www.taronga.com/plugdaemon/
TCP port forwarder with HTTPS proxy support.
OpenSSH : http://www.openssh.com
Opensource ssh client and server.
OpenSSH for Windows: http://sshwindows.sourceforge.net/
Windows version of OpenSSH. (The server only works under 2000/XP, but a 9x version is planned.)
OpenVPN : http://openvpn.sourceforge.net/
Excellent, secure and flexible opensource SSL-based VPN program. Can work over UDP, TCP or even HTTP through proxies.
1st April RFC 3093: http://ietf.org/rfc/rfc3093.txt
So-called Firewall Enhancement Protocol (FEP).
DesProxy : http://desproxy.sourceforge.net
Makes direct TCP connections through an HTTP proxy which accepts the CONNECT command. Does not require an external
server as in our solution above.
TransConnect: http://transconnect.sourceforge.net
Uses the CONNECT proxy HTTP command to make direct connections to the internet.
CorkScrew: http://www.agroman.net/corkscrew/
Tunnels SSH traffic through HTTP proxies.
HTTP Bridge: http://httpbridge.sourceforge.net
A CGI-based secure HTTP proxy written in Java. Requires Tomcat.
PsiPhon: http://psiphon.civisec.org/
Password-protected HTTP proxy server designed to circumvent censorship.
HTTP Proxy Lib: http://httppc.sourceforge.net
A library to add TCP-into-HTTP capability to your programs.
STunnel: http://stunnel.mirt.net
Generic TCP-into-SSL wrapper.
STunnel: http://www.stunnel.org
Generic TCP-into-SSL wrapper.
SSLProxy: http://www.obdev.at/products/ssl-proxy/
Generic TCP-into-SSL wrapper. No longer maintained (Authors recommend STunnel instead).
TLSWrap : http://tlswrap.sunsite.dk
TLS/SSL wrapper/proxy for FTP.
HTTP Tunnel : http://www.http-tunnel.com
Commercial encrypted TCP-into-HTTP tunnelling service. Low-bandwidth free service available.
HTTP Tunnel : http://http-tunnel.sourceforge.net/
Opensource SOCKS proxy capable of tunnelling traffic through HTTP proxies. Client and server provided. Server can run
standalone (perl) or on a hosted server (php).
HTTPort : http://www.htthost.com
Commercial TCP-into-HTTP tunnelling service (encrypted).
BarracudaDrive : http://barracudaserver.com/examples/BarracudaDrive/index.html
Free TCP-into-HTTPS tunnelling server with HTTP proxy support (command-line java client), including a web-based file
manager, web-based chat and graphical file transfer java client.
Hamachi : http://hamachi.cc/
Free and simplified UDP-based VPN solution capable of traversing NAT firewalls.
Your-Freedom : http://www.your-freedom.net/
Free TCP-into-HTTP tunnelling service. Additional services are not free.
Socks via HTTP : http://lightbox.ath.cx/socks/
A SOCKS proxy which tunnels all traffic into HTTP requests. Can also tunnel static ports. Client and server provided. Written
in Java.
Zebedee : http://www.winton.org.uk/zebedee/
Opensource cross-platform TCP/UDP-into-SSL tunnel.
Socks2HTTP : http://www.totalrc.net
Commercial Socks proxy which tunnels TCP and UDP into HTTP.
SSL Explorer : http://www.sshtools.com/products/enterprise/ssl-explorer/ssl-explorer.jsp
TCP-into-HTTPS tunnelling and more. The client only requires a Java-enabled browser.
Tunnelier : http://www.bitvise.com/tunnelier.html
Commercial (free for personal use) SSH client for Windows with easy tunnelling features, graphical SFTP client, FTP-to-SFTP
bridge, etc.
nph-proxy : http://www.jmarshall.com/tools/cgiproxy/
Free CGI-based HTTP proxy, capable of HTTPS proxying and URL obfuscation. Perl source code provided.
For more information, see:
http://directory.google.com/Top/Computers/Security/Internet/Privacy/
http://directory.google.com/Top/Computers/Security/Virtual_Private_Networks/
Tunnelling projects on SourceForge.net: http://sourceforge.net/search/?words=tunnel