Tunnel VPN over 443 and evading IDS

**theberries** · 01-26-2009, 10:37 AM

You have a VPN server setup on port 443 with the intention of getting the vpn tunnel through the firewall. However, an IDS is in place that is analyzing packets for valid https traffic (POST/GET).

To the question: Do you know of any code/patch for OpenVPN that can impersonate valid HTTPS traffic? Can you think of any other methods for which this can be accomplished?

Thanks!

**Virchanza** · 01-26-2009, 12:15 PM

When I was in college I used OpenVPN to get around the firewall. My home PC had OpenVPN running on TCP port 443. My college's firewall was pretty intense, it wouldn't even let you access SSL over port 80, which is why I had to choose 443.

Sorry to show my ignorance here, but I didn't know there was a way of checking that SSL traffic contains HTTP, not without having the decryption key. How does this IDS thing work? How can it look at SSL traffic and determine whether it contains HTTP? (I did a quick Google for it but it appears the initialism IDS is used for about 20 different things so I don't know which one I'm looking for).

**theberries** · 01-26-2009, 12:31 PM

Originally Posted by Virchanza

Sorry to show my ignorance here, but I didn't know there was a way of checking that SSL traffic contains HTTP, not without having the decryption key. How does this IDS thing work? How can it look at SSL traffic and determine whether it contains HTTP? (I did a quick Google for it but it appears the initialism IDS is used for about 20 different things so I don't know which one I'm looking for).

That's an excellent question.

AFAIK (I'm not an expert), a typical IDS is only able to look at the initialization packets of the VPN connection. Anything after that entirely encrypted and thereby hidden from the IDS. All the IDS sees is random SSL data which it's able to do nothing with (other than allow/block). Now, apparently there are some commercial grade IDSs that have the ability to do a MITM on a vpn connection. Don't ask me how because I have no idea. I would assume it's somewhat related to doing a SSL MITM with spoofed certificates.

I've yet to analyze the initialization packets of a VPN connection in wireshark but it is my understanding that they are unique and thereby able to be analyzed and subsequently blocked. Which leads back to the original question of how to "encapsulate" a VPN packet with an HTTPS header. Possible? Known tools to do just that? Necessary? Is any of the above technically accurate?

**Virchanza** · 01-26-2009, 12:52 PM

Originally Posted by theberries

Now, apparently there are some commercial grade IDSs that have the ability to do a MITM on a vpn connection.

Oh that's dirty. What I presume happens is as follows:

The client, i.e. you, has a public and private key.
The man in the middle has a public and private key.
The foreign server has a public and private key.

So you connect to the foreign server, but the man in the middle changes the foreign server's public key to its own public key so that it can decrypt the traffic coming from the client. Then, before it forwards on traffic, it re-encrypts it using the server's foreign public key. Quite sneaky indeed!

What programs are there available for doing man-in-the-middle on SSL traffic?

**theberries** · 01-26-2009, 12:55 PM

The following outlines the real possibility of MITM on SSLVPN and explains the key exchanges:

http://www.networkworld.com/community/node/31124

OpenVPN suggests the following to prevent:

http://openvpn.net/index.php/documen...owto.html#mitm

My real concern is masking the VPN traffic from a typical IDS.

**Barry** · 01-26-2009, 02:02 PM

Originally Posted by Virchanza

Oh that's dirty. What I presume happens is as follows:

The client, i.e. you, has a public and private key.
The man in the middle has a public and private key.
The foreign server has a public and private key.

So you connect to the foreign server, but the man in the middle changes the foreign server's public key to its own public key so that it can decrypt the traffic coming from the client. Then, before it forwards on traffic, it re-encrypts it using the server's foreign public key. Quite sneaky indeed!

What programs are there available for doing man-in-the-middle on SSL traffic?

I'm pretty sure cisco has some hardware that is capable of doing this.

**Thorn** · 01-26-2009, 03:13 PM

Originally Posted by Barry

I'm pretty sure cisco has some hardware that is capable of doing this.

As does one other company from the UK. The name eludes me at the moment, but we hosted their display and demo at the Wireless Village at DC15. Very slick, and very sneaky.

**compaq** · 01-26-2009, 03:51 PM

Theres a openssl program that if you sniff the handshake will allow you to decode the connection, i thinks its this ssldump, on sourceforge

If you wanted to read all the data from the remote server and its https
openssl s_client -in sslhandshake.dump, that should give you the master key, and the type of encryption, and use that to decode with
openssl enc -rsa-256 -d -keyin masterkeyfile.txt
something along those lines

**gromeo** · 01-26-2009, 04:24 PM

use cryptcat dudes... cryptcat is the real game.. then use cryptcat over ssh... let them mitm the ssh...

**killadaninja** · 01-26-2009, 04:37 PM

Thorn I thought the host's private key is only used for creating signatures in ssh-2?, or will sniffing the handshake key give us enough information to decrypt the symmetric random session key, if this is the case does it not render symmetric random session pointless? I am in no way a cryptologist so maybe you could explain

BackTrack Linux - Penetration Testing Distribution

Thread: Tunnel VPN over 443 and evading IDS

Thread Tools

Search Thread

Display

Tunnel VPN over 443 and evading IDS

Posting Permissions