
Thread: Bypass Corporate LAN/Firewall for Internet Connection

  1. #1

    Question Bypass Corporate LAN/Firewall for Internet Connection

    My company laptop has some special software installed on my laptop that boots up together with Windows. Right before the Windows login, I have the option to log in from outside the corporate LAN (ie: from any internet connection). If I select that, I can login by VPN from anywhere.

    The thing I don't understand is that I can log in from other corporate LANs without logging into them. For example, I can visit Microsoft HQ, connect my laptop to their LAN and without logging into the Microsoft LAN I can get an internet connection and connect to my company LAN.

    How am I able to connect to the internet without logging in their LAN?
    The link budget is not a problem, we intend on splitting the bill...

  2. #2
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Quote Originally Posted by radioraiders View Post
    My company laptop has some special software installed on my laptop that boots up together with Windows. Right before the Windows login, I have the option to log in from outside the corporate LAN (ie: from any internet connection). If I select that, I can login by VPN from anywhere.

    The thing I don't understand is that I can log in from other corporate LANs without logging into them. For example, I can visit Microsoft HQ, connect my laptop to their LAN and without logging into the Microsoft LAN I can get an internet connection and connect to my company LAN.

    How am I able to connect to the internet without logging in their LAN?
    When you say you're logging on to the MS LAN, you mean you're connecting to it, but you're not authenticating to their servers. You're basically just getting an address from a DHCP server, correct?

    But when you first turn your machine on, the only option you have is to authenticate to your own company's network via a VPN connection, and if you cannot establish that connection, you have no access to the internet? Is that correct?

    So it sounds as though you're asking how you can go about connecting to the internet without connecting to your company's VPN connection, is that correct?
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  3. #3

    Quote Originally Posted by streaker69 View Post
    When you say you're logging on to the MS LAN, you mean you're connecting to it, but you're not authenticating to their servers. You're basically just getting an address from a DHCP server, correct?
    Correct, in the "visiting MS" example, I would plug a CAT5 cable to my laptop and without logging into the MS network, get an IP address and somehow be able to get an internet connection and log into my company LAN.

    Quote Originally Posted by streaker69 View Post
    But when you first turn your machine on, the only option you have is to authenticate to your own company's network via a VPN connection, and if you cannot establish that connection, you have no access to the internet? Is that correct?
    Yes, I am asked by my machine if I am outside of my company's network. If I say "yes" I enter a token and can connect to my company LAN, even if I am connected to someone else's corporate LAN that I don't have access to (ie: I'm not a MS employee and don't have a log in to their LAN)

    Quote Originally Posted by streaker69 View Post
    So it sounds as though you're asking how you can go about connecting to the internet without connecting to your company's VPN connection, is that correct?
    What I'm asking is how am I able to plug my laptop into any corporate LAN and connect to the internet, even tho I'm not able to log into the LAN, ie: I visit MS and can gain internet access without logging in the MS LAN. Shouldn't I be blocked from any type of internet access if I'm not allowed to login their LAN?

    PS- This is not just from one or 2 places, this is from every major company I visit, I always am able to use their LAN to establish an internet connection even tho I don't have a login for their LAN. I have no idea how this software does it, but it always works.
    The link budget is not a problem, we intend on splitting the bill...

  4. #4
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Quote Originally Posted by radioraiders View Post
    Correct, in the "visiting MS" example, I would plug a CAT5 cable to my laptop and without logging into the MS network, get an IP address and somehow be able to get an internet connection and log into my company LAN.

    Yes, I am asked by my machine if I am outside of my company's network. If I say "yes" I enter a token and can connect to my company LAN, even if I am connected to someone else's corporate LAN that I don't have access to (ie: I'm not a MS employee and don't have a log in to their LAN)


    What I'm asking is how am I able to plug my laptop into any corporate LAN and connect to the internet, even tho I'm not able to log into the LAN, ie: I visit MS and can gain internet access without logging in the MS LAN. Shouldn't I be blocked from any type of internet access if I'm not allowed to login their LAN?

    PS- This is not just from one or 2 places, this is from every major company I visit, I always am able to use their LAN to establish an internet connection even tho I don't have a login for their LAN. I have no idea how this software does it, but it always works.
    Because you're not required to authenticate to an Active Directory structure to retrieve an IP address via DHCP generally. You're technically not 'logging' onto their network, meaning you're not authenticating to their servers, your computer is just requesting an IP address and is being granted one. Then your machine can find a path to the internet and then authenticate via VPN to your own company's LAN.

    Does that make sense?
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  5. #5

    Quote Originally Posted by streaker69 View Post
    Because you're not required to authenticate to an Active Directory structure to retrieve an IP address via DHCP generally. You're technically not 'logging' onto their network, meaning you're not authenticating to their servers, your computer is just requesting an IP address and is being granted one. Then your machine can find a path to the internet and then authenticate via VPN to your own company's LAN.

    Does that make sense?
    Hmmm, kind of, yes. But when I take my private laptop to work (or any other company LAN), why am I not able to connect to the internet? Shouldn't the same apply? (ie: being granted an IP address and being able to connect to the internet?)

    How is an internet connection established, without LAN access?
    The link budget is not a problem, we intend on splitting the bill...

  6. #6
    Senior Member Thorn's Avatar
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509

    Quote Originally Posted by radioraiders View Post
    Hmmm, kind of, yes. But when I take my private laptop to work (or any other company LAN), why am I not able to connect to the internet? Shouldn't the same apply? (ie: being granted an IP address and being able to connect to the internet?)

    How is an internet connection established, without LAN access?
    You're confusing "LAN Access" with TCP/IP routing.

    TCP/IP routing gives you the very basics: IP address assignment via DHCP, the subnet mask, and the gateway to the next router.

    LAN Access, i.e. connecting to a server, may be tied into TCP/IP in that you may use IP addressing but it also does things like authenticate you to a server(s), thus giving you access to things like shared folders, or permissions to open certain files.

    So you may be at someplace like MS HQ, and be assigned an IP address, get the gateway out to the Internet, yet because you are not authenticated to the controlling server, you cannot therefore "access the LAN" per se.
    Thorn
    Stop the TSA now! Boycott the airlines.

  7. #7
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    LAN != Active Directory Domain

    If your company allows credential caching (which from your description above they do) then you can login to your computer using your company's AD Domain (not LAN) credentials anywhere you go.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  8. #8
    Very good friend of the forum Virchanza's Avatar
    Join Date
    Jan 2010
    Posts
    863

    Quote Originally Posted by radioraiders View Post
    How am I able to connect to the internet without logging in their LAN?
    Well if you're a purist like me, you might think that there's no such thing as a LAN. At its very most basic, Ethernet is just a group of network cards that can send and receive frames to and from each other. In order to create a "LAN", all you have to do is connect a few Ethernet network cards to a hub (or if you're fancy, a switch) and start sending frames to different MAC addresses.

    Inside an Ethernet frame, you have an "Internet Protocol" packet. Internet Protocol was brought about so that we can communicate with any machine around the world regardless of what LAN it belongs to and regardless of where it is in the world -- all we need is its IP address.

    Typically, if someone has a laptop, they don't hard-code an IP address into it. Instead, when the operating system detects that a network card has established a connection (it knows this when it detects a voltage on the line), it sends out something called a "DHCP" packet to destination MAC address FF:FF:FF:FF:FF:FF which means that everyone should receive it. The DHCP packet typically asks the following questions:

    1) What IP address will I give myself?
    2) What's the IP address of the router I will use to access the internet?
    3) What's the IP address of the DNS server I will use for looking up names?

    After it gets the answers to these questions, it has all the information it needs to access the internet. For instance, if it wants to load the google webpage, it will do the following:

    1) Perform a DNS look-up of www.google.com
    2) Send an ARP request to get the MAC address of the "default gateway" (i.e. the router that leads to the internet)
    3) Send a public internet packet to the MAC address of the default gateway

    Then it just waits for a reply and shows the Google webpage in your webbrowser. That's all there is to it. That's the internet in a nutshell, there's no need for "logging on", you just send a packet and wait for a reply.

    Now that's all lovely and simple... but of course then Microsoft had to come along and bring out all sorts of stuff like "Network Neighbourhood" and "Microsoft Network". Basically these things are "services" or "demons" that run on your computer which do such things as:

    * Tell your computer name to other computers on the LAN
    * Share files and printers with other computers on the LAN

    Most of this stuff is complete crap, but the file sharing stuff can be handy. I have all the "extra crap" turned off by default on my own machine but I do use file and printer sharing from time to time.

    Anyway, if you're talking about some sort of network that you have to "log on" to, then my guess would be that you have to supply a particular machine on the LAN with your username and password, and if that machine accepts your username and password, it will honour future requests that you make, for instance it will forward internet packets for you and send the reply back to you, or perhaps it might let you access file sharing on a particular machine. Note, however, on the vast majority of networks, there's no need for this "log on" stuff, the router just forwards every packet you throw at it.

    Another thing though is VPN, short for "Virtual Private Network"... which... takes a few minutes to explain but isn't terribly complicated. In a nutshell, the whole idea of VPN is that you can communicate with a computer on the other side of the world as if it were connected into the same hub as you. It's great for two things:
    1) Using a different Layer 3 protocol than the "Internet Protocol".
    2) Encrypting everything that gets sent and received.

    But anyway... you don't have to "log on" to a LAN, you just have to be able to send and receive frames. (On a wireless network, you have to "associate" and "authenticate" before you can send frames, but that still isn't tantamount to "logging on").
    Ask questions on the open forums, that way everybody benefits from the solution, and everybody can be corrected when they make mistakes. Don't send me private messages asking questions that should be asked on the open forums, I won't respond. I decline all "Friend Requests".
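
The three DHCP answers listed in the post above (own IP address, router, DNS server) can be read straight out of the server's reply. The parser below is an added example, not part of the original post; the sample packet is constructed from documentation address ranges and the function names are illustrative.

```python
import ipaddress
import struct

MAGIC_COOKIE = bytes([99, 130, 83, 99])  # marks the start of the DHCP options
PAD, SUBNET_MASK, ROUTER, DNS, MSG_TYPE, END = 0, 1, 3, 6, 53, 255

def _addrs(data):
    """Decode an option payload holding one or more IPv4 addresses."""
    if not data or len(data) % 4:
        raise ValueError("address option has a bad length")
    return [str(ipaddress.IPv4Address(data[i:i + 4])) for i in range(0, len(data), 4)]

def parse_dhcp_reply(packet):
    """Extract the offered address, gateway and DNS servers from a server reply."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    if packet[0] != 2:  # op field: 1 = client request, 2 = server reply
        raise ValueError("not a server reply")
    lease = {"ip": str(ipaddress.IPv4Address(packet[16:20])),  # yiaddr field
             "netmask": None, "router": [], "dns": [], "msg_type": None}
    i = 240
    while i < len(packet) and packet[i] != END:
        if packet[i] == PAD:  # single-byte padding, no length field
            i += 1
            continue
        if i + 2 > len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("truncated option")
        code, length = packet[i], packet[i + 1]
        data = packet[i + 2:i + 2 + length]
        if code == SUBNET_MASK:
            lease["netmask"] = _addrs(data)[0]
        elif code == ROUTER:
            lease["router"] = _addrs(data)
        elif code == DNS:
            lease["dns"] = _addrs(data)
        elif code == MSG_TYPE and length == 1:
            lease["msg_type"] = data[0]  # 2 = OFFER, 5 = ACK
        i += 2 + length
    return lease

def build_sample_ack():
    """Constructed DHCPACK (documentation address ranges, not a real capture)."""
    ip = lambda s: ipaddress.IPv4Address(s).packed
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234ABCD, 0, 0,
                         bytes(4), ip("192.0.2.57"), bytes(4), bytes(4),
                         bytes.fromhex("020000000001"), b"", b"")
    options = (bytes([MSG_TYPE, 1, 5]) + bytes([SUBNET_MASK, 4]) + ip("255.255.255.0")
               + bytes([ROUTER, 4]) + ip("192.0.2.1")
               + bytes([DNS, 8]) + ip("192.0.2.53") + ip("198.51.100.53") + bytes([END]))
    return header + MAGIC_COOKIE + options

if __name__ == "__main__":
    print(parse_dhcp_reply(build_sample_ack()))
```

Nothing in the reply depends on a username or password, which is why a lease alone says nothing about whether the client has authenticated to anything.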

  9. #9

    Sorry for some of my unclear posts, but I'm a bit confused myself

    To rephrase it another way: how is it possible that when I connect to a company router, that I can get an IP address and use a DOS shell to ping external IP addresses (web addresses) but not be able to access the internet on my web browser? For web access an Automatic Proxy Configuration URL normally has to be entered into the web browser.
    The link budget is not a problem, we intend on splitting the bill...

  10. #10
    Senior Member Thorn's Avatar
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509

    Quote Originally Posted by radioraiders View Post
    Sorry for some of my unclear posts, but I'm a bit confused myself

    To rephrase it another way: how is it possible that when I connect to a company router, that I can get an IP address and use a DOS shell to ping external IP addresses (web addresses) but not be able to access the internet on my web browser? For web access an Automatic Proxy Configuration URL normally has to be entered into the web browser.
    How is it possible? An educated guess is that you aren't obtaining the correct Proxy Server information. DNS may also be affected, depending on how the AD or other services are set up.

    One thing to try would be to get an IP of a popular site such as Google or Microsoft and enter the IP into the browser. e.g. Instead of entering http://www.google.com, in the browser's address bar, try entering this: http://74.125.45.103. That might tell you if the issue is with DNS or the proxy server.
    Thorn
    Stop the TSA now! Boycott the airlines.
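
The DNS-versus-proxy check suggested in the post above, as a small script (an added example, not part of the original thread). The function names are illustrative, and the probes are passed in as parameters so the classification can be exercised without a network.

```python
import socket

def resolve(host):
    """Return the first IPv4 address for host, or None if the DNS lookup fails."""
    try:
        return socket.gethostbyname(host)
    except OSError:
        return None

def can_connect(ip, port=80, timeout=3.0):
    """True if a direct TCP connection to ip:port succeeds (no proxy involved)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def triage(host, known_ip, resolve=resolve, can_connect=can_connect):
    """Classify why a browser cannot load host while ping to an IP still works.

    known_ip is an address for host obtained elsewhere, as in the post's
    suggestion to type the IP into the address bar. ping uses ICMP, so it can
    succeed while direct TCP to port 80 is blocked by the network.
    """
    resolved = resolve(host)
    direct = can_connect(resolved or known_ip)
    if resolved and direct:
        return "ok: DNS and direct web access both work"
    if direct:
        return "dns: direct web access works by IP, name resolution fails"
    if resolved:
        return "proxy: DNS works, direct web access is blocked, a proxy is probably required"
    return "dns+proxy: neither name resolution nor direct web access works"

if __name__ == "__main__":
    # 74.125.45.103 is the address quoted in the post; it may no longer be current.
    print(triage("www.google.com", "74.125.45.103"))
```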
