Limitations and counter restrictions for LAN users

May be now on the LAN Internet users more restrictions, such as not on some sites, can not play some games, can not be on MSN, port restrictions and so on, is generally through the proxy server software to limit, such as now talk about the most ISA Server 2004, or through the hardware firewall to filter. Here's how to break the limit and need to be explained by the limitations:

One, the simple limit certain websites, cannot visit, the network game (for example the Union public) cannot play, this kind of restriction is generally restricted to want to visit the IP address.

This kind of restriction is easy to break through, with ordinary HTTP proxy can, or socks agent is also possible. Now the Internet to find HTTP proxy is very easy to catch a lot. You can easily access the destination Web site by adding an HTTP proxy to ie.

Second, limit some of the protocols, such as not FTP, and so on, there is a limited number of network games server-side IP addresses, and these games do not support the normal HTTP proxy.

This situation can be used socks agent, with SOCKSCAP32 software, the software added to the SOCKSCAP32, through the SOCKS proxy access. General procedures can break the limit. For some games, you can consider Permeo security Driver this software. If even socks also limit, that can use socks2http, not even HTTP also limit it.

Three, based on packet filtering restrictions, or banned some keywords. Such restrictions are relatively strong, generally through the proxy server or hardware firewall to do filtering. For example: Through ISA Server 2004 prohibit MSN, do packet filtering. This kind of restriction is more difficult to break through, the ordinary agent cannot break through the limit.

Such restrictions because of the packet filtering, can filter out the keyword, so to use the encryption agent, that is, the middle of the HTTP or socks proxy data flow through encryption, such as Springboard, Ssso, flat, etc., as long as the agent encryption can break through, with these software to cooperate with SOCKSCAP32, MSN can be on the. This kind of restriction will not work.

Four, based on the port restrictions, restricted some ports, the most extreme case is limited to only 80 ports can access, but also to look at the Web page, even Outlook received, FTP restrictions. Of course, for limiting several special ports, the breakthrough principle is the same.

This limitation can be broken through the following methods:

1, to find ordinary HTTP80 port agent, 12.34.56.78:80, like this, with Socks2http, the HTTP agent to replace the socks agent, and then cooperate with SOCKSCAP32, it is easy to break through. This type of breakthrough means that the agent in the middle walk is unencrypted. All-through software also has this function.

2, with similar flat software, with SOCKSCAP32, but do the flat agent is also the best 80 port, of course, is not 80 port does not matter, because flat also support through the ordinary HTTP proxy access, not 80 ports, you need to add a 80-port HTTP proxy. This kind of breakthrough method in the middle Walk Agent encryption, network management do not know what the data is going in the middle. Agent springboard can also do, but the agent still need 80 port. For a simple 80-port limit, you can also use some port conversion technology to break the limit.

Five, some of the limitations of the comprehensive, such as limited IP, there are restrictions on keywords, such as MSN, as well as restrictions on the port.

In general, the second option in the fourth case will completely break the limit. As long as also allow the Internet, hehe, all the restrictions can be broken.

Six, there is a situation is that you can not access the Internet, did not give you access to the Internet or IP, or do IP and MAC address binding.

Two ways:

1, you should have good friends in the company, Iron Buddies, Iron Sisters are all right, to find a machine that can surf the internet, borrow a channel, install a small software can solve the problem, flat should be able to, have a key, others also can not, but also define their own port. Other software that can support this way of acting is also possible. I carried out a test, the situation is as follows: LAN environment, there is a proxy Internet server, a limited number of IP, to give access to the Internet, and another part of the IP can not be online, in the hardware firewall or proxy server to do the restrictions. I think even if the MAC address and IP binding is not used, can also break through this limit.

Set up an Internet-capable machine on the LAN, then put my machine IP set to not be able to surf the internet, and then to the Internet can install the Machine flat server program, only more than 500 K, the machine through the flat client, with SOCKSCAP32 plus some software, such as IE, testing the Internet through, fast, and the transmission of data is still encrypted, very good.

2, and network administrator do a good relationship, everything can be done, network administrator what permissions have, you can give your own IP open without any restrictions, if you do not give the network administrator trouble, do not affect the normal operation of the LAN. That's the best way.

In addition, the LAN through the firewall, there is a way, is to use Httptunnel, with this software needs to do with the service side, to run the Httptunnel server, this method on the LAN port restrictions are very effective.

Hidden channel technology is the use of some software, the firewall can not allow the protocol encapsulated in the authorized feasible protocol, so through the firewall, port conversion technology is also the disallowed port into the allowed ports, thereby breaking the firewall restrictions. This kind of technology now some software can be done, hacker often use this kind of technology.

Httptunnel,tunnel This English word means a tunnel, usually httptunnel is called the HTTP channel, its principle is to disguise the data as HTTP data form to cross the firewall, In fact, a two-way virtual data connection is created in the HTTP request to penetrate the firewall. To put it simply, that is, to set up a translator on both sides of the firewall, the original need to send or receive packets into the format of HTTP request to cheat the firewall, so it does not need another proxy server and directly penetrate the firewall. Httptunnel just started with the UNIX version, and now someone has ported it to the window platform, which includes two programs, HTC and HTS, where HTC is the client, and HTS is the server side, so let's look at how I use them. For example, opened the FTP machine IP is 192.168.1.231, my local machine's IP is 192.168.1.226, now I can not connect to the local cause of the firewall to FTP, now using the Httptunnel process is as follows:

The first step: Start the Httptunnel client on my machine (192.168.1.226). Start MS-DOS command-line and then execute the htc-f 8888 192.168.1.231:80 command, where HTC is the client program and the-f parameter indicates that all data from 192.168.1.231:80 is forwarded to the local 8888 port. This port can be arbitrarily selected, as long as the machine is not occupied.

Then we use Netstat to look at the ports that are now open on this machine and find that port 8888 is already listening.

Step two: Start the server side of the Httptunnel on the other machine and execute the command

"Hts-f localhost:21 80", this command means that the local 21 port sent out data all through the 80-port turn, and open 80 port as a listening port, and then use Neststat to look at his machine, you will find that 80 ports are now listening to the state.

The third step: on my machine with FTP to connect the local 8888 port, now connected to each other's machine.

However, what people see is 127.0.0.1 instead of 192.168.1.231 address? Because I am now connected to the local 8888 port, the firewall will certainly not respond, because I did not outsource, of course, the LAN firewall does not know. Now connected to the local 8888 port, FTP packets whether control information or data information, HTC disguised as HTTP packets and then sent over, in the firewall view, this is normal data, equivalent to deceive the firewall.

It needs to be explained that the use of this trick requires the cooperation of other machines, that is, to start a hts on his machine, the services provided by him, such as FTP, etc. to redirect to the firewall allowed 80 ports, so that you can successfully bypass the firewall! Surely someone will ask if the other side of the machine itself has WWW service, That means his 80-port is listening, will this conflict? The advantage of Httptunnel is that even if his machine had 80 ports open, now it would not be a problem, normal Web Access is still usual, redirect tunnel services are unimpeded!