Re: Virus/trojan tunnel out from behind firewall?

From: Ben Efros (Ben-bugtraq@efros.com)
Date: 02/26/02


Date: Mon, 25 Feb 2002 20:32:53 -0800
From: Ben Efros <Ben-bugtraq@efros.com>
To: David Carmean <dlc@halibut.com>

I have done this type of tunneling out from inside a protected network a
few times.
I've utilized the following configuration: SSH, PPP, Linux, and httptunnel
(once replaced ssh with stunnel).

I did this to bypass an extremely restrictive internet filter. I could
use the tunnel as a two-way path between networks and had full access to
the inner network.

I used SSH to compress / encrypt all the traffic.
PPP was used to emulate network devices and allow me a "gateway" to the
foreign network.
httptunnel was used to bypass the "firewall" which only allowed DNS and
HTTP traffic out.
The HTTP traffic was filtered... and banners were added to every page that
passed through the proxy, so this got messy and involved some tweaking.

If you can only get unfiltered DNS outbound... then you can utilize a DNS
"tunneling" application to do things similar to how httptunnel works.

This whole process is quite easy if you gain root access on an internal
(protected) machine. You need to have the internal ("protected") system
initiate an httptunnel to a remote ("server") system that is running a
listening copy of httptunnel that then forwards the connection into ssh
(using the identities and NOT password authentication so that it auto-logs
in). Once SSHD on your remote system that you control gets the
connection, it executes PPP, which echoes the PPP traffic to STDOUT and
reads from STDIN rather than a serial device. Now at this point, your
protected ("secure") machine has PPP running and also sending stuff
through STDOUT and listening on STDIN.

You now have a VALID two-way tunnel that is using SSH and PPP devices.
You can add an auto-reconnect feature and have crond run it when the
connection fails also... because it will fail occasionally.

If anyone needs help and can't figure out the details of commands that
they need to run then let me know and I'll try to help.

It should also be possible to use a steganography tool to "encode" data
into "images" that appear valid when viewed in web browsers... instead of
using httptunnel. This would add to the "secrecy" of your transmissions
:)

Ben Efros

>
> For sites which allow unrestricted outbound connections, it would
> probably be impossible to detect if the trojan did nothing else
> destructive to arouse suspicion.
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
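As an added example (not part of the post or the httptunnel project), here is how a proxy operator could look for the traffic shape the post describes in the proxy's own logs: the heuristic assumes a tunnel carried over an HTTP proxy shows up as a client repeatedly holding long POST requests open against one or two URLs on a single host, which ordinary browsing does not. The log layout, sample lines and thresholds are constructed assumptions and would need tuning for a real proxy.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the post) in a Squid-native access.log layout:
# "<epoch> <duration_ms> <client> <result>/<status> <bytes> <method> <url> <user> <hier>/<peer> <mime>"
SAMPLE_LOG = """\
1014700000.120 35 10.0.0.7 TCP_MISS/200 5123 GET http://news.example.net/index.html - DIRECT/192.0.2.10 text/html
1014700001.410 40 10.0.0.7 TCP_MISS/200 21433 GET http://news.example.net/img/logo.gif - DIRECT/192.0.2.10 image/gif
1014700002.000 60000 10.0.0.9 TCP_MISS/200 262144 POST http://203.0.113.5/index.html - DIRECT/203.0.113.5 -
1014700062.010 60000 10.0.0.9 TCP_MISS/200 262144 POST http://203.0.113.5/index.html - DIRECT/203.0.113.5 -
1014700122.020 60000 10.0.0.9 TCP_MISS/200 262144 POST http://203.0.113.5/index.html - DIRECT/203.0.113.5 -
1014700182.030 60000 10.0.0.9 TCP_MISS/200 262144 POST http://203.0.113.5/index.html - DIRECT/203.0.113.5 -
1014700242.040 60000 10.0.0.9 TCP_MISS/200 262144 POST http://203.0.113.5/index.html - DIRECT/203.0.113.5 -
1014700302.050 60000 10.0.0.9 TCP_MISS/200 262144 GET http://203.0.113.5/index.html - DIRECT/203.0.113.5 -
"""

# Only the fields the heuristic needs; the user/hierarchy/mime tail is ignored.
LINE_RE = re.compile(r"^\d+\.\d+\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+\S+/\d{3}\s+"
                     r"(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+(?P<url>[a-z]+://(?P<host>[^/\s]+)\S*)")

def find_tunnel_candidates(lines, min_requests=5, min_post_ratio=0.6,
                           min_mean_ms=10_000, max_distinct_urls=2):
    """Return {(client, host): stats} for pairs whose traffic shape fits a
    long-lived request/response tunnel: few URLs, mostly POST, long-held
    requests. Thresholds are illustrative assumptions; tune them per proxy."""
    stats = defaultdict(lambda: {"n": 0, "post": 0, "ms": 0, "bytes": 0, "urls": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:            # skip malformed lines rather than crash on them
            continue
        s = stats[(m["client"], m["host"])]
        s["n"] += 1
        s["post"] += m["method"] == "POST"
        s["ms"] += int(m["ms"])
        s["bytes"] += int(m["bytes"])
        s["urls"].add(m["url"])
    return {k: s for k, s in stats.items()
            if s["n"] >= min_requests
            and s["post"] / s["n"] >= min_post_ratio
            and s["ms"] / s["n"] >= min_mean_ms
            and len(s["urls"]) <= max_distinct_urls}

if __name__ == "__main__":
    for (client, host), s in find_tunnel_candidates(SAMPLE_LOG.splitlines()).items():
        print(f"{client} -> {host}: {s['n']} requests, {s['post']} POST, "
              f"{s['bytes']} bytes, mean {s['ms'] // s['n']} ms held per request")
```

On the sample, the browsing client 10.0.0.7 is ignored and only the 10.0.0.9 to 203.0.113.5 pair is reported; a DNS-tunnel check over resolver logs would follow the same per-client aggregation idea but key on query-name length and volume instead.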
