
HOW TO: Bypassing content filters


=ACID RAIN= (Member, joined May 19, 2003, Kingwood, TX)
First and foremost, please use these powers for good! While you can use this to bypass all sorts of filtering, it doesn't mean you should. I use this while at client sites that use Websense, if I need to download something that Websense blocks such as freeware.

Serverside:
1) First, you'll need an SSH server with web access. I use my FreeBSD box. You can of course use Ubuntu if you like. You could set this up at work if you are on the IT staff and it is approved, or you can set this up at home.

2) At your option, allow X11 forwarding so you can also run GUI apps through the SSH tunnel. Edit sshd_config. Find:

#X11Forwarding yes
make it:
X11Forwarding yes

3) Forward the SSH port. I have a router that allows separate external ports and internal ports to be mapped to the same service.
Outside port: 6000
Inside port: 22

If your router can't do this, then port 22 is fine. You can also change the port for SSH on the server, but I am not covering that right now.

4) Find your external IP at www.network-tools.com.

Local test client (Windows):
5) Go download PuTTY on another computer on the local LAN.

6) Create a new entry, whatever you want to name it. We'll call it FRONTDOOR.
Point it to the external IP.
Make the port 6000 (or 22, depending on how you forwarded the port).
Connection Type SSH.

7) Expand the SSH tree item.
Enable compression
Preferred SSH protocol 2 (or 2 only)
(optional) X11 - Enable X11 forwarding
Tunnels - Source port 6000, Dynamic, then Add. The entry will be D6000

8) Scroll back up to Session, and save the entry again.

9) Now try opening the entry. You should pop up a terminal with login required. If so and you can log in, you have now done the same thing as logging in from anywhere else in the world. Basically you have routed the traffic to the gateway, the gateway has sent it back to your router, the router has allowed the port request, and you are logged in.

10) If you elected for X11 forwarding, now go download xming. Once you run xming, the libraries you need are loaded. Only while it is running, however.

11) Once you have xming running, in the terminal try typing xclock or firefox, and hit enter. You should have a program window on your desktop.

Remote client:
12) You can, if you want to and you own a U3 capable USB drive, go download PuTTY for U3 and Firefox for U3.

13) Set up U3-PuTTY like before. This can be run from any Windows computer you plug it into.

For Firefox and U3-Firefox, the setup will be the same:
14) In Firefox, go to Tools / Options / Advanced tab, then the Network subtab. Click Settings.

15) In Connection Settings, choose Manual proxy configuration. Only fill in the SOCKS Host, and use 127.0.0.1, port 6000. Set No Proxy for: localhost, 127.0.0.1, LL
where LL is optional and means local LAN, and the value would be, for instance, 192.168.1.0/24 (there is an example under this field, you'll see).

For true avoidance of detection, you'll need to forward DNS as well.
16) In Firefox, type about:config in the address bar. In the filter bar, type proxy.socks
At this point you should see network.proxy.socks_port as 6000. Leave it be.
Double click network.proxy.socks_remote_dns. This will change the value to true (notice it goes bold when changed from the default config).

If on a U3 drive, you now have all traffic in Firefox going to the SSH tunnel and then to your remote machine. If a local install, the same applies but it is not portable.

Enjoy your browsing freedom :)
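An added check from the server-admin side (my own example, not code from the original post): a small parser that resolves which sshd_config directives actually govern the tunnels this guide relies on, using OpenSSH's first-occurrence-wins rule, so an admin can see at a glance whether a box permits dynamic forwarding. The sample configs are constructed, and parsing stops at the first Match block (a simplifying assumption).

```python
import re

# Defaults from sshd_config(5) for the directives that govern tunnelling.
DEFAULTS = {"allowtcpforwarding": "yes", "x11forwarding": "no",
            "permittunnel": "no", "gatewayports": "no"}

def effective_settings(config_text):
    """Resolve each directive's global value. sshd keeps the FIRST value it
    reads for a keyword, so a later 'X11Forwarding yes' is ignored if an
    earlier line already set it. Lines after the first Match block are
    conditional; this audit stops there (simplifying assumption)."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break
        if key in DEFAULTS and key not in seen and len(parts) == 2:
            seen[key] = parts[1].strip().lower()
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}

def audit(config_text):
    """List the ways this sshd would let a client build the tunnels in the guide."""
    eff = effective_settings(config_text)
    findings = []
    if eff["allowtcpforwarding"] != "no":      # yes/local/remote all permit -D
        findings.append("AllowTcpForwarding permits -D/-L/-R tunnels (the D6000 SOCKS proxy)")
    if eff["x11forwarding"] == "yes":
        findings.append("X11Forwarding lets remote GUI apps display on the client")
    if eff["permittunnel"] != "no":
        findings.append("PermitTunnel permits tun-device (VPN-style) tunnels")
    if eff["gatewayports"] != "no":
        findings.append("GatewayPorts lets remote forwards bind on non-loopback addresses")
    return findings

# Constructed configs: the guide's step 2 edit versus a locked-down server.
GUIDE_CONFIG = "Port 22\n#X11Forwarding yes\nX11Forwarding yes\n"
HARDENED_CONFIG = ("AllowTcpForwarding no\nX11Forwarding no\nPermitTunnel no\n"
                   "GatewayPorts no\nMatch User backup\n    AllowTcpForwarding yes\n")

if __name__ == "__main__":
    for name, cfg in (("guide", GUIDE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["no tunnelling permitted"])
```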
 
Great article acid :) very straight to the point!

Please keep in mind, everyone, this is NOT to bypass security implemented by your IS staff. The filters are there for a reason, not only for work performance related tasks, but from a security / tech support point of view, filters are invaluable.


I can't tell you how many times I've had to clean countless machines till we got our filtering in place. Now it's only on occasion that something slips through.
 
Yes, this is for IT staff that need to bypass a filter to download something like crimson editor, visit a site that is blocked, etc. It is not to look at porn at work...LOL.

I've had to use this at a couple of sites, like I said. I've shown a couple of my administrators so they know how this works, both for usefulness and so they can monitor the network for SSH if they wish. Not that many users would have any clue how to do this (or what SSH is) but it's more for the sake of information in the admins' case.
 
Would Websense still report the bypass of it? I guess, would my IS guy know I'm bypassing it without the networking group getting involved and seeing what/where I have done?
 
From my understanding, no. Everything is done local on the machine and none should hit the network. This means it does not go through Websense directly, but instead through an encrypted tunnel to wherever your SSH server is. It still goes through the firewall, but it is encrypted.

I use a similar method to this, but for accessing my virtual machines at work. I run these VMs in a network setup, something we can't/won't do at work. This allows me to reproduce customer issues without screwing up my install or the OS. It also helps when new operating systems are released, since we can look up to see where something is or how a program works.
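An added example for the monitoring point raised above (my own code, not from any poster): the tunnel never touches Websense but does cross the firewall, so the signal an admin has is a workstation talking directly to an outside host instead of to the proxy. The flow records, the proxy address and the internal ranges are constructed assumptions, and the long-lived-session rule is a heuristic, not a signature.

```python
import ipaddress
import re

# Constructed flow records (not from any real firewall): a workstation using the
# proxy, talking on the LAN, then holding a 90-minute session to an outside host
# on port 6000, the external port the guide maps to SSH.
SAMPLE_FLOWS = """\
ts=09:00:01 src=192.168.1.50 dst=10.0.0.5 dport=8080 bytes=51200 secs=2
ts=09:00:07 src=192.168.1.50 dst=192.168.1.20 dport=445 bytes=20480 secs=1
ts=09:01:12 src=192.168.1.50 dst=203.0.113.10 dport=6000 bytes=58213344 secs=5400
ts=09:02:30 src=192.168.1.51 dst=198.51.100.7 dport=22 bytes=4096 secs=40
"""

# Assumed site policy: workstations reach the web only via the proxy at 10.0.0.5:8080,
# so any direct TCP session to a non-internal address deserves a look.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIELD = re.compile(r"(\w+)=(\S+)")

def parse_flow(line):
    rec = dict(FIELD.findall(line))
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    for key in ("dport", "bytes", "secs"):
        rec[key] = int(rec[key])
    return rec

def is_internal(addr):
    return any(addr in net for net in INTERNAL)

def classify(rec):
    """Label a flow that skipped the proxy, or None if it is expected traffic."""
    if is_internal(rec["dst"]):
        return None                         # LAN and proxy traffic is expected
    if rec["dport"] == 22:
        return "direct-ssh"                 # SSH to an outside host
    if rec["secs"] >= 600 and rec["bytes"] >= 1_000_000:
        return "long-lived-egress"          # tunnel candidate on a non-standard port
    return "direct-egress"                  # anything else that bypassed the proxy

def find_bypasses(log_text):
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_flow(line)
            label = classify(rec)
            if label:
                findings.append((str(rec["src"]), str(rec["dst"]), rec["dport"], label))
    return findings

if __name__ == "__main__":
    for finding in find_bypasses(SAMPLE_FLOWS):
        print(*finding)
```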
 
Ahh... reminds me of the good ole days, outsmarting the IT guys at school at every corner... it took them forever to catch on to CGI-PROXY. Seems other methods are much better now :p - nice guide.
 

They need this in China.
 
From my understanding, no. Everything is done local on the machine and none should hit the network. This means it does not go through Websense directly, but instead through an encrypted tunnel to wherever your SSH server is. It still goes through the firewall, but it is encrypted.

I use a similar method to this, but for accessing my virtual machines at work. I run these VMs in a network setup, something we can't/won't do at work. This allows me to reproduce customer issues without screwing up my install or the OS. It also helps when new operating systems are released, since we can look up to see where something is or how a program works.
It really depends these days - I am testing products in the upcoming weeks that can intercept SSH traffic and perform a Man In the Middle (MITM) attack to see the payload of the data being transmitted. I know Palo Alto Networks and maybe Websense Content Gateway have this implemented as a feature. I'm sure more are to follow.
 
You have my curiosity. How would someone in the middle be able to decode the traffic to see what is inside?
 
Edward, They most likely already have this in China :p

I really doubt most people have this in China. Maybe a few VERY technically oriented people, but I doubt Joe Sixpack does.

If you read step one, this requires an SSH server set up at home / work. However, if you are in China this would require you to set up an SSH server in a country that doesn't censor (or minimally censors the internet, like the USA), because if you have an SSH server set up at work and you are at home but BOTH are behind the Great Firewall of China, the SSH box isn't going to do you much good. I happen to have access to a box that I SSH into, but it is in the same state that I am in, and I have none in other countries. I doubt many people have SSH access to boxes in other countries unless they have friends who care or are rich. How many SSH boxes do you have in countries that you don't live in?

Now I know some Chinese people use Tor, which has a similar concept (route encrypted traffic through the Tor network). At the same time, when a very powerful government is actively trying to censor you, I doubt many Chinese have access to these sorts of tools except the very technically oriented and their friends.
 

Honestly I am not sure yet on the SSH decryption; it was just one of the features I've seen touted on newer firewalls. Once I get access to a system to test with I'll explain it further. Personally speaking, I think it would be near impossible to do without the firewall acting as a proxy of some sort. For SSL traffic you can generally take a good guess at the content by looking at the IP header of the SSL connection (which is not encrypted; only the payload of the packet is encrypted), but that is about all you can do until you proxy the SSL traffic using a MITM technique. I'm going to take a guess and say that the Palo Alto firewall I mentioned does the same with SSH connections as well as SSL connections. For the savvy user, however, you would be able to tell when proxying is turned on, as your SSH client will warn you if the public key of your server were to change suddenly.
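An added illustration of the host-key warning described above (my own example, not from the poster): how a client decides whether the key a server presents matches its known_hosts entry, and the SHA256 fingerprint it prints for comparison. The host name and key bytes are constructed, only the ssh-ed25519 blob format is encoded, and hashed or comma-separated known_hosts host fields are not handled (simplifying assumptions).

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def ed25519_host_key_blob(raw_key: bytes) -> bytes:
    """Public key blob as it appears (base64-encoded) in known_hosts for ssh-ed25519."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_key)

def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 of the blob, base64 without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def verify_host_key(known_hosts: str, host: str, key_type: str, presented: bytes) -> str:
    """Return 'match', 'changed' or 'unknown', the three outcomes a client
    distinguishes. 'changed' is the case that produces the loud warning when
    something between client and server substitutes its own key."""
    for line in known_hosts.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        entry_host, entry_type, entry_b64 = fields[:3]
        if entry_host == host and entry_type == key_type:
            stored = base64.b64decode(entry_b64)
            return "match" if stored == presented else "changed"
    return "unknown"

# Constructed sample: the key pinned on first connect, and a different key such as
# a proxying middlebox would have to present.
SERVER_KEY = ed25519_host_key_blob(bytes(range(32)))
OTHER_KEY = ed25519_host_key_blob(bytes(range(32, 64)))
KNOWN_HOSTS = "frontdoor.example ssh-ed25519 " + base64.b64encode(SERVER_KEY).decode() + "\n"

if __name__ == "__main__":
    print("pinned:", fingerprint(SERVER_KEY))
    print("presented:", fingerprint(OTHER_KEY),
          verify_host_key(KNOWN_HOSTS, "frontdoor.example", "ssh-ed25519", OTHER_KEY))
```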
 
If you do find any information, I'd be interested. I'm majoring in computer security and anything related to this field is fascinating.

I wonder if you could run multiple SSH connections deep to get by that? Would be slower for sure and a much more complicated setup, but it would be very secure.
 
@TalRW - I didn't mean the average Joe, more the Chinese government and hacker groups therein.

@dark_15 - I'm with thid. If you have any new developments with successful MITM attacks over an SSH or SSL conversation, please share!
 

Well, as this guide is designed for the average Joe, why does it matter if the Chinese government / hacker groups can do this? The Chinese government controls the Great Firewall, so they don't need to "bypass content filters" when they control it. Hacker groups, well, that is fine, but it is probably such a small segment of the population that it doesn't matter much.
 