
Thread: Tunnel VPN over 443 and evading IDS


  1. #1
    Member
    Join Date
    Jan 2008
    Posts
    194

    Default Tunnel VPN over 443 and evading IDS

    You have a VPN server set up on port 443 with the intention of getting the VPN tunnel through the firewall. However, an IDS is in place that is analyzing packets for valid HTTPS traffic (POST/GET).

    To the question: Do you know of any code/patch for OpenVPN that can impersonate valid HTTPS traffic? Can you think of any other methods by which this can be accomplished?

    Thanks!

  2. #2
    Very good friend of the forum Virchanza
    Join Date
    Jan 2010
    Posts
    863

    Default

    When I was in college I used OpenVPN to get around the firewall. My home PC had OpenVPN running on TCP port 443. My college's firewall was pretty intense, it wouldn't even let you access SSL over port 80, which is why I had to choose 443.

    Sorry to show my ignorance here, but I didn't know there was a way of checking that SSL traffic contains HTTP, not without having the decryption key. How does this IDS thing work? How can it look at SSL traffic and determine whether it contains HTTP? (I did a quick Google for it but it appears the initialism IDS is used for about 20 different things so I don't know which one I'm looking for).
    Ask questions on the open forums, that way everybody benefits from the solution, and everybody can be corrected when they make mistakes. Don't send me private messages asking questions that should be asked on the open forums, I won't respond. I decline all "Friend Requests".

  3. #3
    Member
    Join Date
    Jan 2008
    Posts
    194

    Default

    Quote Originally Posted by Virchanza
    Sorry to show my ignorance here, but I didn't know there was a way of checking that SSL traffic contains HTTP, not without having the decryption key. How does this IDS thing work? How can it look at SSL traffic and determine whether it contains HTTP? (I did a quick Google for it but it appears the initialism IDS is used for about 20 different things so I don't know which one I'm looking for).
    That's an excellent question.

    AFAIK (I'm not an expert), a typical IDS is only able to look at the initialization packets of the VPN connection. Anything after that is entirely encrypted and thereby hidden from the IDS. All the IDS sees is random SSL data which it's able to do nothing with (other than allow/block). Now, apparently there are some commercial grade IDSs that have the ability to do a MITM on a VPN connection. Don't ask me how because I have no idea. I would assume it's somewhat related to doing an SSL MITM with spoofed certificates.

    I've yet to analyze the initialization packets of a VPN connection in wireshark but it is my understanding that they are unique and thereby able to be analyzed and subsequently blocked. Which leads back to the original question of how to "encapsulate" a VPN packet with an HTTPS header. Possible? Known tools to do just that? Necessary? Is any of the above technically accurate?
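    The "initialization packets" an IDS can fingerprint, shown as an added Python example that is not part of the original thread: it compares the first client packet of a real TLS session with the first packet of an OpenVPN-over-TCP session. The field layouts are those of the TLS record header and of OpenVPN's TCP framing (a 2-byte length, then an opcode byte that is 0x38 for P_CONTROL_HARD_RESET_CLIENT_V2, then an 8-byte session id), which is exactly the kind of constant a signature-based detector keys on. The sample packets are constructed inline and the function names are mine.

```python
"""Fingerprint the first client packet on TCP/443: genuine TLS ClientHello or
OpenVPN handshake? Added example; protocol constants from the TLS record layer
and OpenVPN's TCP framing, sample packets constructed inline."""
import struct

# OpenVPN control-channel opcodes (high 5 bits of the byte after the length).
P_CONTROL_HARD_RESET_CLIENT_V2 = 7   # first packet of a normal client handshake
P_CONTROL_HARD_RESET_CLIENT_V3 = 10  # tls-crypt-v2 variant in newer releases

TLS_HANDSHAKE = 0x16
TLS_CLIENT_HELLO = 0x01


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """TLS record header (type, version, length) followed by a ClientHello."""
    if len(payload) < 6:
        return False
    content_type, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if content_type != TLS_HANDSHAKE or major != 0x03 or minor > 0x04:
        return False
    return payload[5] == TLS_CLIENT_HELLO and rec_len >= 4


def looks_like_openvpn_tcp_reset(payload: bytes) -> bool:
    """OpenVPN-over-TCP: 2-byte big-endian length, then (opcode << 3) | key_id,
    then an 8-byte session id. A fresh client sends HARD_RESET with key_id 0."""
    if len(payload) < 11:
        return False
    (pkt_len,) = struct.unpack("!H", payload[:2])
    if pkt_len != len(payload) - 2:          # length must frame exactly this packet
        return False
    opcode, key_id = payload[2] >> 3, payload[2] & 0x07
    return opcode in (P_CONTROL_HARD_RESET_CLIENT_V2,
                      P_CONTROL_HARD_RESET_CLIENT_V3) and key_id == 0


def classify(payload: bytes) -> str:
    """What a simple IDS signature would call the first data segment."""
    if looks_like_tls_client_hello(payload):
        return "tls"
    if looks_like_openvpn_tcp_reset(payload):
        return "openvpn"
    return "unknown"


def sample_tls_client_hello() -> bytes:
    """Constructed minimal TLS 1.2 ClientHello (one cipher suite, no extensions)."""
    hello = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
    handshake = bytes([TLS_CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def sample_openvpn_hard_reset() -> bytes:
    """Constructed OpenVPN TCP P_CONTROL_HARD_RESET_CLIENT_V2 without tls-auth:
    opcode byte 0x38, 8-byte session id, empty ack array, message packet-id 0."""
    body = (bytes([P_CONTROL_HARD_RESET_CLIENT_V2 << 3])
            + bytes.fromhex("0011223344556677") + b"\x00" + b"\x00\x00\x00\x00")
    return struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    for name, pkt in [("tls", sample_tls_client_hello()),
                      ("openvpn", sample_openvpn_hard_reset()),
                      ("plain http", b"GET / HTTP/1.1\r\nHost: x\r\n\r\n")]:
        print(f"{name:>10}: {pkt[:3].hex()}... -> {classify(pkt)}")
```

    With tls-auth enabled the session id is followed by an HMAC, packet id and timestamp, so the length changes but the leading 0x38 opcode byte does not. Everything after this first exchange is ciphertext in both cases, which is why the only way to look deeper is the SSL interception discussed later in the thread.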

  4. #4
    Very good friend of the forum Virchanza
    Join Date
    Jan 2010
    Posts
    863

    Default

    Quote Originally Posted by theberries
    Now, apparently there are some commercial grade IDSs that have the ability to do a MITM on a vpn connection.
    Oh that's dirty. What I presume happens is as follows:

    The client, i.e. you, has a public and private key.
    The man in the middle has a public and private key.
    The foreign server has a public and private key.

    So you connect to the foreign server, but the man in the middle changes the foreign server's public key to its own public key so that it can decrypt the traffic coming from the client. Then, before it forwards on traffic, it re-encrypts it using the foreign server's public key. Quite sneaky indeed!

    What programs are there available for doing man-in-the-middle on SSL traffic?
    Ask questions on the open forums, that way everybody benefits from the solution, and everybody can be corrected when they make mistakes. Don't send me private messages asking questions that should be asked on the open forums, I won't respond. I decline all "Friend Requests".

  5. #5
    Member
    Join Date
    Jan 2008
    Posts
    194

    Default

    The following outlines the real possibility of MITM on SSLVPN and explains the key exchanges:

    http://www.networkworld.com/community/node/31124

    OpenVPN suggests the following to prevent:

    http://openvpn.net/index.php/documen...owto.html#mitm

    My real concern is masking the VPN traffic from a typical IDS.
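    The key-substitution attack described in post #4, and one kind of countermeasure alluded to by the OpenVPN link in post #5, as an added Python example that is not from the original thread. The Diffie-Hellman parameters are a toy (P, G, the pre-shared key and the tag/verify function names are my assumptions for illustration only); the HMAC layer models the idea behind OpenVPN's tls-auth option, a pre-shared key that authenticates every control-channel packet, rather than the certificate check the linked howto section describes.

```python
"""Key-substitution man-in-the-middle against an unauthenticated Diffie-Hellman
exchange, and the pre-shared-key HMAC that defeats it. Added example with toy
parameters: P is a Mersenne prime used only for illustration, real deployments
use RFC 3526 groups or ECDH, and TLS authenticates the server with a certificate."""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy modulus, NOT a production DH group
G = 3
KEY_BYTES = 16   # enough to hold any residue mod P


def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2          # private exponent in [2, P-2]
    return priv, pow(G, priv, P)


def session_key(their_pub: int, my_priv: int) -> bytes:
    shared = pow(their_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(KEY_BYTES, "big")).digest()


def run_unauthenticated_exchange() -> dict:
    """Client and server exchange bare public values; Mallory sits in the path
    and hands each side her own public value instead of the other's."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()

    client_key = session_key(m_pub, c_priv)   # client believes m_pub is the server's
    server_key = session_key(m_pub, s_priv)   # server believes m_pub is the client's
    mallory_to_client = session_key(c_pub, m_priv)
    mallory_to_server = session_key(s_pub, m_priv)
    return {
        "mallory_reads_client": client_key == mallory_to_client,
        "mallory_reads_server": server_key == mallory_to_server,
        # the two ends hold different keys, so Mallory must decrypt and re-encrypt
        "ends_agree_directly": client_key == server_key,
    }


def tag_public_value(psk: bytes, pub: int) -> bytes:
    """HMAC over a handshake value under a key shared out of band (assumed helper)."""
    return hmac.new(psk, pub.to_bytes(KEY_BYTES, "big"), hashlib.sha256).digest()


def verify_public_value(psk: bytes, pub: int, tag: bytes) -> bool:
    return hmac.compare_digest(tag_public_value(psk, pub), tag)


def run_hmac_protected_exchange() -> dict:
    """Same exchange, but every handshake value carries an HMAC under a pre-shared
    key (the idea behind OpenVPN's tls-auth). Mallory lacks the key, so the best
    she can do is reuse the server's genuine tag on her own public value."""
    psk = secrets.token_bytes(32)
    _, s_pub = dh_keypair()
    _, m_pub = dh_keypair()
    genuine = (s_pub, tag_public_value(psk, s_pub))
    forged = (m_pub, genuine[1])
    return {
        "genuine_accepted": verify_public_value(psk, *genuine),
        "forged_rejected": not verify_public_value(psk, *forged),
    }


if __name__ == "__main__":
    print("unauthenticated:", run_unauthenticated_exchange())
    print("hmac-protected: ", run_hmac_protected_exchange())
```

    The first function shows why the interception box has to re-encrypt: it holds one key with the client and a different one with the server. The second shows that an attacker who cannot produce a valid tag on a substituted value is rejected before any session key is derived, which is the property a certificate signature or a pre-shared HMAC key gives a VPN handshake.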

  6. #6
    Very good friend of the forum Virchanza
    Join Date
    Jan 2010
    Posts
    863

    Default

    Quote Originally Posted by theberries
    The following outlines the real possibility of MITM on SSLVPN and explains the key exchanges:

    http://www.networkworld.com/community/node/31124
    I do my internet banking over SSL without any kind of authentication certificate... One day I'll log in to find my entire balance transferred to Ahasamabooboo Imyrianketago.
    Ask questions on the open forums, that way everybody benefits from the solution, and everybody can be corrected when they make mistakes. Don't send me private messages asking questions that should be asked on the open forums, I won't respond. I decline all "Friend Requests".

  7. #7
    My life is this forum Barry
    Join Date
    Jan 2010
    Posts
    3,817

    Default

    Quote Originally Posted by Virchanza
    Oh that's dirty. What I presume happens is as follows:

    The client, i.e. you, has a public and private key.
    The man in the middle has a public and private key.
    The foreign server has a public and private key.

    So you connect to the foreign server, but the man in the middle changes the foreign server's public key to its own public key so that it can decrypt the traffic coming from the client. Then, before it forwards on traffic, it re-encrypts it using the foreign server's public key. Quite sneaky indeed!

    What programs are there available for doing man-in-the-middle on SSL traffic?

    I'm pretty sure cisco has some hardware that is capable of doing this.
    Of course, if you really wanted to have some fun, go to Wal-Mart late at night and ask the greeter if they could help you find trashbags, roll of carpet, rope, quicklime, clorox and a shovel. See if they give you any strange looks. --Streaker69

  8. #8
    Senior Member Thorn
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509

    Default

    Quote Originally Posted by Barry
    I'm pretty sure cisco has some hardware that is capable of doing this.
    As does one other company from the UK. The name eludes me at the moment, but we hosted their display and demo at the Wireless Village at DC15. Very slick, and very sneaky.
    Thorn
    Stop the TSA now! Boycott the airlines.

  9. #9

    Default

    Quote Originally Posted by theberries
    You have a VPN server setup on port 443 with the intention of getting the vpn tunnel through the firewall. However, an IDS is in place that is analyzing packets for valid https traffic (POST/GET).

    To the question: Do you know of any code/patch for OpenVPN that can impersonate valid HTTPS traffic? Can you think of any other methods for which this can be accomplished?

    Thanks!
    Have you tried to send your OpenVPN traffic through stunnel? I think stunnel will work with GET/POST type traffic (although it has been years since I used it and I don't have any captures around from it to look at).
