We're gonna talk about a couple methods to scan beyond firewalls. Now, these methods rely upon the fact that you have access to something inside the network already. Scanning beyond firewalls is pretty complicated. So what we're talking about here is using applications on the inside of firewalls and intrusion detection systems in order to get your traffic through those perimeter defenses.

Starting with SSH tunneling. So SSH, the protocol itself, provides methods to tunnel network traffic. As we see here on the screen, we have a VNC client talking to port 5300, which is actually being tunneled through an SSH client, through an encrypted channel, to an SSH server on the inside, which is then redirected to the actual VNC system on the inside of the network. So those perimeter defenses that I was talking about just a moment ago are happening right here. So your firewall is in here, and you happen to have an SSH session going through that particular firewall. Now, the arrows on this slide are interesting, because you can actually reverse proxy traffic through an SSH tunnel as well. So that if you initiate the SSH session from the inside out, you could then listen on a local port here and connect locally and redirect the traffic through the firewall. So it's bidirectional proxying of traffic through an SSH session.

This command that you see on the screen, "ssh -L 5900:10.1.1.20:5900", what this will do is it will create a local listener on your system. Any traffic that goes to that port locally will be redirected to the IP address specified in the command and then the destination port. So you can actually change ports as well. So you could listen on 59000 and redirect to 5900, if you so choose. And then this is the destination system that you're actually going to authenticate to: the SSH server.

Windows, you don't often hear about SSH in Windows. There is an SSH server for Windows. It does support this tunneling that I'm talking about. That comes from a company called Bitvise.

HTTP tunneling is another method to tunnel traffic through perimeter defenses. And we talk about it here because, most of the time, if you have a demilitarized zone that is being protected by a firewall, it's going to permit HTTP-type protocols through it, if there's a web server on the other side of it. So with an HTTP tunnel server that happens to be running in that demilitarized zone behind your perimeter equipment, if you're able to get that installed, you could tunnel traffic through the firewall, inside HTTP packets, through an HTTP tunnel server. And this is conceptual, not the name of a particular product. There's several different HTTP tunneling applications available to you. Here is one, Super Network Tunnel. This is a Windows application that will allow you to tunnel HTTP.

Next up we're gonna talk about proxy servers. So we talked about scanning beyond the firewall. We also need to talk about protecting yourself from identification, and that's where proxy servers can come into play. We're talking about proxy servers as a concept first, of course. So we have our proxy server sitting in the middle of a communication flow. And you'll notice that the session is established from source A over to the proxy server. This is the communication flow, back and forth. The proxy server's job is to know where it's supposed to go, the real destination, based on the initial request, proxy the request over; the destination sends a response to the proxy server, which will then proxy it back to source A. So the proxy's job is to receive the connection and broker, he's the middleman, the broker for this particular communication flow.

What are some benefits of proxy servers? Anonymization, if the third party, meaning, let's look at the previous slide here. So if you control the proxy server, destination C only knows that the proxy server is talking to it. It doesn't know who source A is, which is probably also you. Now, in one of the upcoming slides, we're gonna talk about proxy chaining, but if you control this proxy server, you can protect yourself from exposure. Let's say you turn off all logging on that particular proxy server, if destination C does happen to get access to the proxy through whatever, a law enforcement order. You could have some level of protection and anonymization by using a proxy server that you control.

Proxies can also alter data. So because the proxy server is capturing the traffic, I will say capturing is the wrong word, but is receiving the traffic and then sending it to that destination host, it's possible for that proxy server to actually alter data as it's flowing through. This reminds me of a project a long time ago, it was like 20 years ago, it was called the Upside-Down-Ternet. And what someone did was they ran a Squid proxy server that would rotate every picture in every webpage upside down before it sent it back to the original requester. It was pretty funny.

All right, we can also filter. Because we can see the real traffic and the real destinations, we can block things, stop bad things from going through. Another common use is source address overload, similar to network address translation, or NAT, where we have 200 hosts behind one single IP; that can be done with a proxy server. And finally, firewalling. Back in the late 90s, proxy firewalls were all the rage, before the rise of stateful firewalls and whatnot. These were unique systems running proxy applications that would proxy traffic from one host to another.

What are the benefits to you, the attacker? I mentioned that if you control that proxy server, maybe you could turn off logging. Proxy servers can hide the original requester. Going back to our picture, the only thing destination C knows is that the proxy server made a request to it. So you can hide behind that. Who is the real source? We don't know, it was behind a proxy server. Man in the middle, so we talked about being able to alter data. With man in the middle, if you control that proxy server, then you could alter data as well. Intercept data which might have potentially damaging information in it. Also internal access. If for whatever reason, let's go back to our picture. If for whatever reason the network perimeter existed right here, then it could be possible for you to gain access to resources behind the firewall. Maybe this proxy is in a DMZ. If you can attach to or connect to that proxy, then you could then maybe, potentially, who knows, you gotta check, talk from the proxy to the internal network.

And finally, chaining. I have a picture of chaining here. So in proxy chaining, what you're doing is you're connecting to a first proxy, which connects to a second proxy, which connects to a third and a fourth, until the ultimate destination over here in Brazil. Now, why would you wanna do this? The laws in, let's call this Spain, versus the laws in Russia, versus Japan, versus Australia, and ultimately Brazil. If Brazil needs to find out who did this, who's it gonna be? It's gonna be Australia. So they go to Australia and say, "Hey, I need information for that particular host. I know it came from this IP right here." So Australia, maybe they have some liberal policies with respect to sharing information with Brazil, whereas Japan might not. So Japan could then say, "No, Brazil. We take privacy matters seriously. We're not going to share that information." So by doing this proxy chaining, we can anonymize even further.

Now we're gonna talk about a couple of Windows applications that can be used to manipulate proxy settings, and Windows is, I won't call it unique, 'cause it's like one of three options for OSs, but it uses system-wide proxy settings rather than application-specific. So Proxifier will control Windows proxy settings. The application can take it further. So for example, Chrome is gonna use the Windows setting, whereas Firefox, you can override it with a custom proxy server if you choose. Proxifier will manipulate proxy settings on a Windows system. As well, it has a list of open proxy servers that you can connect to. There is a paid version of this, as well as a time-limited demo. Proxy Switcher, similar, it will manipulate Windows settings for the proxy server. As well, it offers a list of available proxy servers that have been confirmed as operable.

Next up is the Onion Router. So the purpose of Tor is to anonymize sources, and it does this by using relay routers. And any traffic has to go through at least three relay routers before it gets sent to the ultimate destination. These relay routers are independently controlled and volunteer-based. So no two relays, I can't say this specifically, but the thought here is that no two relays are operated by the same person. If someone had access to all three relays, then they could deduce the information. They could figure it out. But by using distributed relays, distributed routers on the Tor project, the destination knows it came from Tor exit node 66, 66 knows it came from something in the middle. The middle Tor router knows it came from the first device. So you are separating the knowledge of the source from the receiver, through the Onion Router.

Some other tools for messing with proxy servers and configuring proxy servers, et cetera. We have Burp Suite, FastProxySwitch, ProxyCap, several examples for you to take a look at.