A Blog About Anime, Code, and Pr0 H4x

Network Ninjitsu: The Art of Bypassing Firewalls and Web Filters

October 6, 2011 at 12:00 PM

(Originally published in the Spring 2007 issue of 2600: The Hacker Quarterly)

[ Introduction ]

Picture yourself in the following situation. You're at school/work minding your own business simply perusing the Internet and all it has to offer. However when you try to visit your ninja clan's website, you are instead presented with a web page stating that this particular website is blocked. Naturally you are shocked and offended by such an action. So do something about it; sneak through like a ninja with a SSH tunnel.


[ A Brief Explanation ]

For those who have no idea what an SSH tunnel is, imagine that whenever you establish a connection to a SSH server that you are digging an underground tunnel from your location at Point A to the server's location at Point B in which a messenger carries messages back and forth between you and the server. The reason that the tunnel is underground, is because your connection is encrypted, because of this people cannot see what is being sent back and forth through your connection (underground tunnel). Now once you have established a connection, you have an entire tunnel to send data back and forth through.

Now the great thing about this underground tunnel is that it is big enough so that it can fit more then 1 messenger. As a result it is possible to send messengers with messages for a server at Point C through the underground tunnel, have them relayed from Point B to point C, from Point C back back to Point B, and then sent through the underground tunnel back to you at Point A.

For a more detailed explanation see the Wikipedia page about Tunneling Protocols: http://en.wikipedia.org/wiki/Tunneling_protocol


[ The Guards ]

Let's assume that the network that you are currently on has a server that filters web traffic, and is guarded by a firewall that does not allow inbound connections, and only allows outbound connections on ports: 21 (FTP), 80 (HTTP), and 443 (HTTPS). How is this information useful you ask? Well we know that we can get traffic out of 3 different ports, which means that you have 3 openings from which you can dig a tunnel.


[ Preparation ]

In order to successfully sneak through the firewall/web filter you will need 2 things:


[ A Simple Tunnel ]

The command for creating a tunnel with plink is, plink -N -P PortNumver -L SourcePort:RemoteServer:ServicePort -l UserName SSHServerAddress (without the quotes). For PortNumber use a port that you are outbound access on. For SourcePort use any number between 1 and 65535, for RemoteServer use the IP Address of a remote server you would like to access, and for ServicePort use the port of the service you'd like to access on the remote server.

For example to tunnel a HTTP Connection to a remote server at 72.14.207.99 through a SSH server listening on port 21 and with the address 123.123.123.123 the command would look like, plink -N -P 21 -L 1337:72.14.207.99:80 -l YourUsername 123.123.123.123 Once you have entered your password, open up a web browser and enter http://127.0.0.1:1337 into the address bar and you will be looking at the Google home page.

NOTE 1: When using the above command syntax, after you have provided your correct password, the blinking cursor will drop a line. This means that your login was successful.

NOTE 2: Tunnels can be used to proxy a connection to any address on any port, however this article will focus on tunneling web pages.


[ Dynamic SOCKS-based Jutsu! ]

While a simple tunnel may be alright for connecting to one specific server, a ninja such as yourself has many different servers to browse and it is impractical to create a tunnel for each different server that you may want to connect to. This is where Dynamic SOCKS-based port forwarding comes into play. Which in n0n-1337-ninj4 terms is a SSH tunnel similuar to the one created in the section above, but its RemoteServer and ServicePort are dynamic, however its SourcePort remains the same.

The command for creating a dynamic tunnel is, plink -N -P PortNumver -D SourcePort -l UserName SSHServerAddress Creating a Dynamic tunnel is a little less confusing (syntax wise) then a simple tunnel, however using it is slightly more complex.


[ Web Browsing Over a Dynamic Tunnel ]

In order to use a web browser over a dynamic tunnel, you need to be able to modify the browser's proxy settings. In your current restricted environment you are unable to modify your school's/work's web browser (Which is Internet Explorer (boo!)) settings. However, this isn't a problem for a ninja like yourself, all you must do is acquire a web browser that you have full control over. However, you can't leave any trace of using another web browser, (for it is not the ninja way) so installing a new one is out of the question. This is where Firefox Portable (a mobile install-free version of Firefox) steps in. Download FP from http://portableapps.com/apps/internet/firefox_portable (This article covers using Firefox Portable 2.0) and extract it to a USB jump drive, or to your hard drive for later burning to a CD.

To use PF over a dynamic tunnel: first start PF click on 'Tools' and choose 'Options', in the options windows click the button at the top labeled 'Advanced', under the 'Connection' section click the button labeled 'Settings...', in the connections settings window choose the third option labeled 'Manual proxy configuration:', in the entry box next to the words 'SOCKS Host' enter 127.0.0.1, in the entry box to the right of the entry box for 'SOCKS Host' enter the SourcePort you used when creating your dynamic tunnel, make sure that SOCKS v5 is selected and click OK.

PF will now send and receive all traffic over your dynamic tunnel; however by default PF does DNS lookups locally, which can give away what you are browsing. (very un-ninja-like) To configure PF to send DNS lookups over a dynamic tunnel: in the address bar type 'about:config' and hit enter, in the entry box next to the word 'Filter' enter 'network.proxy.socksremotedns', right click the result and select the 'Toggle' option.


[ Cloaking PF to look like IE ]

Well now you've got a copy of PF using a dynamic tunnel to browse the web, but PF isn't very stealthy, and any passing teacher/administrator will be all over you when they see it. As a ninja stealth is very important, so your next priority is to configure PF so that it looks like Internet Explorer. You will need the following in order to effectively cloak your copy of PF:

  • Neofox IE 6: https://addons.mozilla.org/firefox/4327/
    A theme that makes PF look like IE 6.0
  • Firesomething: https://addons.mozilla.org/firefox/31/
    An extension that allows you to change the title of the web browser.
    NOTE: you will have to modify the .xpi slightly to make it install with PF 2.0, the steps on how to do this are in the first comment of the page.
  • Internet Explorer XP Icons: http://www.bamm.gabriana.com/cgi-bin/download.pl/package/ieiconsxp.xpi
    An extension that replaces the Firefox icons with the ones used by IE. Configure Firesomething to change the browser title from "Mozilla Firefox" to "Microsoft Internet Explorer". PF should now look at least resemble IE at a passing glance, and with some tool bar and appearance tweaking on your part, no teacher/administrator will spare it a second glance.


[ Final Notes and Closing ]

With your new skills in Network Ninjitsu, no web filter/firewall will stand a chance. For questions and comments you can comment me at jamespenguin[at]gmail.com

In case anyone cares, a RAR archive that contains: the paper, plink, and a modified version of Portable Firefox has been uploaded to the Inforamtion Leak server.

Download (RAR - 10Mb)

Go to Page