As the packet shows, the HTS (server) side of this communication sent a packet carrying GET to the HTC (client) side, presumably to "fetch" the packet from the client side and start a new handshake. To verify that this is what happens at the client and server ends, we ran netstat -an on the client; the results confirm our observations:
client.yiming.com.51767 server.yiming.com.80 8760 0 8760 0 established
client.yiming.com.51768 server.yiming.com.80 8760 0 8760 0 established
On the server side, netstat -an gives the following results:
server.yiming.com.80 client.yiming.com.51767 8760 0 8760 0 established
server.yiming.com.80 client.yiming.com.51768 8760 0 8760 0 established
Sure enough, both sides of the firewall have opened two sockets, which ordinary programs do not do; this is a rather unusual pattern.
When the GET completes, the server side sends a packet to the client side with the following content:
http/1.1 OK content-length:102400
Connection:close
Pragma:no-cache
Cache-control:no-cache, No-store, must-revalidate
expires:0
Content-type:text/html
This is presumably the parameter that defines the maximum amount of data transmitted over the connection.
The author realized that only after these three exchanges between HTC and HTS is the httptunnel really established and can the subsequent work proceed normally. Very interestingly, from then on none of the subsequent packets carry the GET, PUT, POST and similar content that normally travels over port 80! There seems to be an approach here.
As said above, traffic on port 80 should normally be web behavior, so the packets should carry GET and other normal actions; if the data on port 80 consistently lacks these things, there must be a problem.
One solution to this problem is to manually inspect packets passing through port 80, which makes detection easy if the packets are transmitted in plaintext. But this is only feasible in theory; in practice it cannot be done by hand, so is there a more mature product for it? Searching the Internet along this line of thought turned up an intrusion detection system, E-GAP, which can indeed detect and block the presence of httptunnel channel software. It works at the application layer of TCP/IP and inspects the actual packet data at that level: for example, it inspects port-80 packets, and if the packets consistently contain no valid data (URL, GET, PUT, etc.), the E-GAP system raises an alarm and interrupts the connection. (See Resources)
It should be noted that this detection method is only valid for plaintext transmission; if the data is encrypted, it has no way to work. So what about the encrypted case? As far as the author knows at present, the Stealthwatch hardware product may be a better choice: it completely abandons signature-based operation in favor of a patented flow-based framework strategy, and according to the results of several evaluation laboratories it can effectively detect all kinds of attacks, DoS, worms, viruses and even encrypted communications, both disclosed and undisclosed! However, its price is also far beyond that of an ordinary commercial IDS, a complete set of equipment costing 40,000 dollars, so the author had no opportunity to test its effectiveness. (See Resources)
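A stateful version of the plaintext port-80 check described above, written here as an added example (it is not from the article nor from E-GAP or any other product mentioned): it tracks each flow and raises an alarm once several consecutive data packets carry no HTTP request line, URL or status line, the pattern the article observed after the tunnel handshake. The sample packets are constructed, and the threshold is an assumption.

```python
import re
from collections import defaultdict

# Request line with a URL, or a response status line. Plaintext only: an
# encrypted body cannot be judged this way (the article's own caveat).
HTTP_LINE = re.compile(
    rb"^(?:GET|POST|PUT|HEAD|OPTIONS|DELETE) \S+ HTTP/1\.[01]\r?\n"
    rb"|^HTTP/1\.[01] ",
    re.IGNORECASE,
)
# Consecutive data packets without HTTP syntax tolerated before alarming;
# above 1 because a legitimate large body also arrives as raw segments.
MAX_SILENT = 3

def looks_like_http(payload: bytes) -> bool:
    """True if the TCP payload starts with a valid-looking HTTP line."""
    return HTTP_LINE.match(payload) is not None

def scan_flows(packets):
    """packets: iterable of (flow_id, payload) in capture order. Returns the
    flow ids that ran MAX_SILENT or more consecutive data packets with no
    HTTP request or response syntax, the pattern the article describes."""
    silent = defaultdict(int)
    alarms = set()
    for flow, payload in packets:
        if not payload:
            continue  # pure ACKs carry nothing to inspect
        if looks_like_http(payload):
            silent[flow] = 0  # valid HTTP seen, reset the run
        else:
            silent[flow] += 1
            if silent[flow] >= MAX_SILENT:
                alarms.add(flow)
    return alarms

# Constructed sample traffic (not a real capture). "web" is an ordinary page
# fetch; "tunnel" mimics what the article saw: one GET, then port-80 packets
# that never carry GET/PUT/POST or a URL again.
SAMPLE_PACKETS = [
    ("web", b"GET /index.html HTTP/1.1\r\nHost: server.yiming.com\r\n\r\n"),
    ("web", b"HTTP/1.1 200 OK\r\nContent-Length: 12\r\n\r\nhello world!"),
    ("tunnel", b"GET /index.html HTTP/1.1\r\nHost: server.yiming.com\r\n\r\n"),
    ("tunnel", b"\x00\x2a\x17\xde\xad\xbe\xef"),
    ("tunnel", b"\x00\x2b\x9c\x01\x02\x03\x04"),
    ("tunnel", b""),  # bare ACK, ignored
    ("tunnel", b"\x00\x2c\x55\x66\x77\x88\x99"),
]

if __name__ == "__main__":
    print("alarming flows:", scan_flows(SAMPLE_PACKETS))  # {'tunnel'}
```

A long legitimate download also arrives as raw segments after its status line, so in practice the threshold has to be tuned against real traffic rather than left at the constructed value used here.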
Summary
In our experiment, httptunnel escaped both the firewall's shielding and the intrusion detection system's tracking, which is worth reflecting on. We can see that relying on only one or a few means for network security is unreliable, especially for application systems with high security requirements, and blind dependence on a security system will often create huge security risks.
Resources
httptunnel home page
http://www.nocrew.org/software/httptunnel.html
httptunnel program download
ftp://ftp.nocrew.org/pub/nocrew/unix/httptunnel-3.0.5.tar.gz
tcpdump home page and related resources
http://www.tcpdump.org
Snort home page and related resources
http://www.snort.org
NSS report on the evaluation of IDS systems
http://www.nss.co.uk/ids/index.htm
"Open Source Mounts IDS Challenge" report
http://www.vnunet.com/News/1127283
Article "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion"
http://secinf.net/info/ids/idspaper/idspaper.html
Stick author home page
http://www.eurocompton.net/stick/projects8.html
E-GAP products
http://www.whalecommunications.com
Stealthwatch products
http://www.lancope.com/products
About the author
Gong, male, 26 years old, senior system administrator for key network equipment at Henan Telecom, director engineer, China Telecom national trans-century talent, core member of the China Telecom Network Security Group, member of the Henan Telecom network security team. You can contact him by e-mail at yiming@security.zz.ha.cn or via the website http://security.zz.ha.cn.