HTTP Tunneling Exploit
By: Daniel Adenew (MSC)
  1. HTTP Tunneling Exploit. By: Daniel Adenew (MSC)
  2. What is HTTP Tunneling?
     • HTTP tunneling is a technique in which communications using various network protocols are encapsulated using the HTTP protocol, since the HTTP protocol is not monitored or can't be blocked by the firewall. [:(]
     • The HTTP protocol therefore acts as a wrapper for a channel that the network protocol being tunneled uses to communicate. [wikipedia]
  3. What is its use? It is used most often as a means of communication from network locations with restricted connectivity (most often behind NATs, firewalls, or proxy servers), and most often with applications that lack native support for communication in such conditions of restricted connectivity. Blocking traffic initiated from outside the network, or blocking all network protocols except a few, is a commonly used method to lock down a network to secure it against internal and external threats.
  4. How does it work? Implementation issues. The application/host opens an HTTP connection to a mediator server, which acts as a relay of communications to and from the remote host. If the connection is OK, the application then communicates with the mediator server using HTTP requests, but encapsulates the actual communications within those requests. During communication, the mediator server unwraps the actual data before forwarding it to the remote host in question.
  5. The Attack Explained (HTTP TUNNEL EXPLOIT). The httptunnel exploit consists of two components, the client and the server portion: htc resides on the attacker's system and hts resides on the victim's server.
  6. The Attack Explained (HTTP TUNNEL EXPLOIT). Httptunnel exploits the fact that most firewalls have a proxy for HTTP by creating a data tunnel. To utilize the data tunnel, another service, such as telnet, is used to send and receive data across the established connection.
  7. The Attack Explained (HTTP TUNNEL EXPLOIT). The tunnel makes use of the HTTP PUT and HTTP GET commands. All data sent to the victim machine goes through the PUT command, and data is returned through the GET command.
  8. Exploiting. Once installed on the target system, the server component is run, followed by the client:
       hts -F localhost:23 8888
       htc -F 2323 -P PROXY:8000 VICTIM:8888
     Once a successful connection has been established, the attacker can issue commands to the VICTIM on the telnet port through the HTTP proxy data tunnel by issuing the following:
       telnet localhost 2323
     [this was blocked by Firewall]
  9. Finding the exploit. Because the exploit uses a legitimate service to transmit information across the network and Internet, the protocol used does not provide an indication of an exploit occurring. What to watch for is the pattern of the protocol: in this case, HTTP PUT requests being issued from a source to a destination. The request packets may be smaller and less frequent than normal HTTP proxy traffic to a web site. (This does not seem easy to find and trace!)
  10. Recommendations
      1. Ensure all servers are at the most current patch level to avoid root compromise.
      2. Disable all unnecessary services on servers; use only secure login services, such as SSH.
      3. Disable trust relationships with servers that can be accessed from firewalls, such as those in a Demilitarized Zone (DMZ).
      4. Conduct regular scans of servers on the full port range (1 through 65535).
      5. Review firewall logs for unusual web access patterns from systems that do not normally operate as a web client.
      6. Monitor for HTTP GET requests issued from systems that do not provide web services.
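
The log review described in slides 9 and 10, as an added example that is not part of the original slides: it flags source/destination pairs that show repeated small PUT requests paired with GETs, especially from hosts that do not normally act as web clients. The five-field log format, the thresholds and the NON_WEB_CLIENTS inventory are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample proxy log: epoch_seconds client method destination body_bytes
SAMPLE_LOG = """\
1000 10.0.0.21 GET www.example.com:80 0
1002 10.0.0.21 GET www.example.com:80 0
1005 10.0.0.50 PUT 203.0.113.9:8888 14
1006 10.0.0.50 GET 203.0.113.9:8888 0
1065 10.0.0.50 PUT 203.0.113.9:8888 9
1066 10.0.0.50 GET 203.0.113.9:8888 0
1130 10.0.0.50 PUT 203.0.113.9:8888 22
1131 10.0.0.50 GET 203.0.113.9:8888 0
1200 10.0.0.21 PUT files.example.com:80 48000
1300 10.0.0.21 GET www.example.com:80 0
"""

# Hypothetical inventory: hosts that do not normally operate as web clients.
NON_WEB_CLIENTS = {"10.0.0.50"}

def parse(log_text):
    """Yield (timestamp, client, method, destination, body_bytes) tuples."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines instead of failing
        ts, client, method, dest, size = fields
        yield int(ts), client, method.upper(), dest, int(size)

def find_tunnel_candidates(log_text, non_web_clients, min_puts=3, small_body=512):
    """Return {(client, destination): [reasons]} for pairs with at least two indicators."""
    puts = defaultdict(list)   # (client, dest) -> PUT body sizes
    gets = defaultdict(int)    # (client, dest) -> GET count
    for _, client, method, dest, size in parse(log_text):
        if method == "PUT":
            puts[(client, dest)].append(size)
        elif method == "GET":
            gets[(client, dest)] += 1
    findings = {}
    for pair, sizes in puts.items():
        reasons = []
        if len(sizes) >= min_puts and gets[pair] > 0:
            reasons.append("repeated PUT with GET to same destination")
        if max(sizes) <= small_body:
            reasons.append("all PUT bodies small")
        if pair[0] in non_web_clients:
            reasons.append("source is not a normal web client")
        if len(reasons) >= 2:
            findings[pair] = reasons
    return findings
```

Requiring two indicators keeps a single large upload, such as the files.example.com line, out of the results; tune the thresholds against a baseline of the site's own proxy traffic.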
