For my IT security class summer project, we have to work on different ways to circumvent security measures set up on a school/company network and to explain how these hacks can be detected and avoided.
One of the topics is (please excuse my poor translation):
Albert is connected with his laptop to the school network. He only has access to the World Wide Web through the school filtering proxy. This proxy is configured to only allow HTTP (TCP 80) and HTTPS (443) requests, and some websites (say www.forbidden-forum.com) are filtered out. ICMP echo requests/replies are allowed.
What tricks could Albert use to access www.forbidden-forum.com from the school network? How, as a network & system administrator, would you detect/prevent those tricks?
Now I don't ask for answers to that exercise here (that would defeat the whole point of me joining this course and would teach me nothing).
So far I thought of the following tricks:
- Using an ICMP tunnel. Can be detected easily by monitoring for an abnormally high amount of ICMP frames.
- Sharing the internet connection from a cellphone. Hard to detect, especially if the admins have no administrative rights over the students' computers.
- Using a VPN over TCP port 443. May be detected by monitoring for an abnormally high amount of port 443 traffic to a particular host (the VPN server), but this is difficult because it might be legitimate traffic. The admin could, however, try to connect to the same host using a web browser and detect that it is not a proper web server.
- Having an external web server that acts as a remote browser and redirects everything to www.forbidden-forum.com.
My question is actually about this last point. I think it is possible to have a piece of software that does that, but it would have to:
- connect to www.forbidden-forum.com on demand
- replace all URLs in the response document/javascript code to remap to itself such that Albert's computer never actually tries to reach www.forbidden-forum.com directly.
- be able to translate the replaced URLs back to their original counterparts.
I would actually love to be able to demonstrate this PoC during the project presentation on the school guest network (which has similar restrictions), but I'd really like to avoid having to "develop" something on my own.
My developer skills are actually not that good, and I wonder: is there software that does something like that? Perhaps an Apache module or configuration?
It's called a reverse proxy, and requires mod_proxy loaded. The config directives are:
So for your example (plus a little extra):
Opening http://benign.proxy.com/ff will show the content from http://www.forbidden-forum.com/ and http://benign.proxy.com/wl will open http://wikileaks.org/.
Serve something completely innocuous (and believable) on http://benign.proxy.com/. If someone tries to "check the validity" they'll see some trustworthy page. And better yet, serve the proxy over HTTPS to hide the forwarded URLs (which I'll leave as an exercise up to you).
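The following is an added example of such a reverse-proxy configuration; it is not the configuration from the original answer. It assumes Apache httpd 2.4 on a host called benign.proxy.com with mod_proxy, mod_proxy_http, mod_proxy_html (and its mod_xml2enc dependency), mod_headers, mod_alias and mod_ssl available; the hostname, certificate paths and the /ff and /wl prefixes are illustrative. ProxyPass forwards the request, ProxyPassReverse fixes redirects and the cookie directives fix Set-Cookie headers, and ProxyHTMLURLMap rewrites links inside the returned HTML so that Albert's browser never contacts www.forbidden-forum.com directly, which is the URL remapping the question asks about.

```apache
# Added example (not the original answer's configuration). Assumes Apache 2.4,
# the modules listed below, and an assumed hostname/certificate location.
LoadModule proxy_module        modules/mod_proxy.so
LoadModule proxy_http_module   modules/mod_proxy_http.so
LoadModule xml2enc_module      modules/mod_xml2enc.so
LoadModule proxy_html_module   modules/mod_proxy_html.so
LoadModule headers_module      modules/mod_headers.so
LoadModule alias_module        modules/mod_alias.so
LoadModule ssl_module          modules/mod_ssl.so

<VirtualHost *:443>
    ServerName benign.proxy.com
    SSLEngine on
    # Assumed paths to the certificate and key for benign.proxy.com.
    SSLCertificateFile    /etc/ssl/certs/benign.proxy.com.pem
    SSLCertificateKeyFile /etc/ssl/private/benign.proxy.com.key

    # Innocuous landing page for anyone who "checks the validity" of the host.
    DocumentRoot /var/www/benign

    # Never act as an open forward proxy: only the explicit mappings below apply.
    ProxyRequests Off
    # Send the upstream its own Host header rather than benign.proxy.com.
    ProxyPreserveHost Off
    # mod_proxy_html can only rewrite links in uncompressed responses.
    RequestHeader unset Accept-Encoding

    # Trailing slashes matter: "/ff" + "oo" would otherwise be mapped to "/ffoo".
    RedirectMatch ^/ff$ /ff/
    RedirectMatch ^/wl$ /wl/

    <Location /ff/>
        ProxyPass        http://www.forbidden-forum.com/
        ProxyPassReverse http://www.forbidden-forum.com/
        # Rewrite Set-Cookie so upstream cookies stick to this host and path.
        ProxyPassReverseCookieDomain www.forbidden-forum.com benign.proxy.com
        ProxyPassReverseCookiePath / /ff/
        # Rewrite absolute links to the upstream (L = stop after this rule matches)
        # and root-relative links, so the client only ever talks to this host.
        ProxyHTMLEnable On
        ProxyHTMLURLMap http://www.forbidden-forum.com/ /ff/ L
        ProxyHTMLURLMap / /ff/
    </Location>

    <Location /wl/>
        ProxyPass        http://wikileaks.org/
        ProxyPassReverse http://wikileaks.org/
        ProxyPassReverseCookieDomain wikileaks.org benign.proxy.com
        ProxyPassReverseCookiePath / /wl/
        ProxyHTMLEnable On
        ProxyHTMLURLMap http://wikileaks.org/ /wl/ L
        ProxyHTMLURLMap / /wl/
    </Location>
</VirtualHost>
```

Two caveats a practitioner should expect: mod_proxy_html rewrites URLs it finds in HTML attributes (and some inline script it recognises), not URLs that page JavaScript builds at run time, so heavily scripted sites may still leak direct requests to the upstream. And from the school network's side the whole exchange is just HTTPS to benign.proxy.com, which is exactly why the answer suggests the innocuous landing page: the filtering proxy sees only the outer CONNECT, and an administrator who visits the host by hand sees only the decoy.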
This method can be circumvented by a so-called "bump in the wire"—a fully trusted man-in-the-middle transparent proxy.
If the user does not have full control over the client host, they will be vulnerable to a bump in the wire, but they can manually verify key fingerprints to ensure privacy and refrain from establishing a connection if the key doesn't verify.
The user will also need to pay attention to other SSL problems (e.g., invalid certificates, sslstrip, etc.).
What you are describing is basically a proxy itself: a piece of software that receives web requests from a browser, satisfies them, and passes the received data back to the browser. The whole issue with the URL rewriting is avoided by making the browser aware in advance that it's connecting to the web via a proxy. The issue then simplifies to "how do I access such a proxy, given the network access that I have, in such a way that it can't be easily detected that I am doing so?"
Apache has such a module, and people have asked about it here before; see e.g. "How to use Apache as proxy for browser?" for more details.