Network security viewed by HTTP hidden Channels (2)

Source: Internet
Author: User
Tags ack ftp valid stealthwatch firewall
Security | The network carefully observes the intercepted Httptunnel packet, and finds that the first packet followed by a three-time handshake contains a post action that is sent by HTC (client side) to the HTS (server side). As follows: 14:55:39.128908 > 3521931836:3521931836 (0) win 8760 (DF)
0x0000 4500 002c d3cc 4000 fb06 53c9 xxxx xxxx E.,.. @... S.. f.#
0x0010 yyyy yyyy ca37 0050 d1ec 6a3c 0000 0000. f.d.7.p. J<
0x0020 6002 2238 1708 0000 0204 0000 '. ' 8 .....
14:55:39.128945 > 2946004964:2946004964 (0) Ack 3521931837 win 8760 (D F
0x0000 4500 002c cb85 4000 ff06 5810 yyyy yyyy E..,.. @... X.. F.d
0x0010 xxxx xxxx 0050 ca37 af98 77e4 d1ec 6a3d. f.#. P.7.. w...j=
0x0020 6012 2238 ef79 0000 0204 '. ' 8.y ...
14:55:39.131002 > Ack 1 win 8760 (DF)
0x0000 4500 0028 D3CD 4000 fb06 53cc xxxx xxxx E. (.. @... S.. f.#
0x0010 yyyy yyyy ca37 0050 d1ec 6a3d af98 77e5 f.d.7.p. J=.. W.
0x0020 5010 2238 0737 0000 0000-0000 0000 P. " 8.7. ...
14:55:39.132841 > Ack-Win 8760 (DF)
0x0000 4500 0028 cb86 4000 ff06, 5813 yyyy E. (.. @... X.. e.g
0x0010 xxxx xxxx 0050 ca37 af98 77e5 d1ec 6a68. f.#. P.7.. W...jh
0x0020 5010 2238 070c 0000 P. " 8...
14:55:39.132860 > 1:44 ($) Ack 1 win 8760 (DF)
0x0000 4500 0053 d3ce 4000 fb06 xxxx xxxx E. S.. @... S.. f.#
0x0010 yyyy yyyy ca37 0050 d1ec 6a3d af98 77e5 f.d.7.p. J=.. W.
0x0020 5018 2238 d23a 0000 504f 5354 202f 696e P. " 8.:.. Post./in
0x0030 6465 782e 6874 6d6c 3f63 7261 703d 3130 dex.html?crap=10
0x0040 3037 3838 3034 3836 2048 5454 502f 312e 07880486.http/1.
0x0050 310d 0a 1.

It appears to be sending client-side packets to the server side, so how does the server react? We looked down, and after the process was completed, HTC and Hts again shook hands (note, again), as follows:
14:55:39.134301 > 2851199448:2851199448 (0) win 8760 (DF)
0x0000 4500 002c D3DF 4000 fb06 53b6 xxxx xxxx E.,.. @... S.. f.#
0x0010 yyyy yyyy ca38 0050 a9f1 ... d9d8 0000. ...
0x0020 6002 2238 cf65 0000 0204 0000 '. ' 8.E .....
14:55:39.134389 > 2946060449:2946060449 (0) Ack 2851199449 win 8760 (D F
0x0000 4500 002c cb8f 4000 ff06 5806 yyyy yyyy E..,.. @... X.. e.g
0x0010 xxxx xxxx 0050 ca38 af99 50a1 a9f1. d9d9. P.8.. P.....
0x0020 6012 2238 cf19 0000 0204 '. ' 8. ...
14:55:39.136527 > Ack 1 win 8760 (DF)
0x0000 4500 0028 d3e0 4000 fb06 xxxx xxxx E. (.. @... S.. f.#
0x0010 yyyy yyyy ca38 0050 a9f1 ... d9d9 af99 ... P.
0x0020 5010 2238 e6d6 0000 0000-0000 0000 P. " 8 .....
14:55:39.137333 > 1:43 (km) ACK 1 win 8760 (DF)
0x0000 4500 0052 d3e1 4000 fb06 538e xxxx xxxx E. R.. @... S.. f.#
0x0010 yyyy yyyy ca38 0050 a9f1 ... d9d9 af99 ... P.
0x0020 5018 2238 25ce 0000 4745 5420 2f69 6e64 P. " 8%.. Get./ind
0x0030 6578 2e68 746d 6c3f 6372 6170 3d31 3030 ex.html?crap=100
0x0040 3738 3830 3438 3620 4854 5450 2f31 2e31 7880486.http/1.1
0x0050 0d0a.
14:55:39.137379 > ACK win 8718 (DF)
0x0000 4500 0028 cb90 4000 ff06, 5809 yyyy E. (.. @... X.. e.g
0x0010 xxxx xxxx 0050 ca38 af99 50a2 a9f1. da03. P.8.. P.....
0x0020 5010 220e e6d6 0000 P. " .....
14:55:39.139733 > 43:89 (+) Ack 1 win 8760 (DF)
0x0000 4500 0056 d3e2 4000 fb06 xxxx xxxx E. V.. @... S.. f.#
0x0010 yyyy yyyy ca38 0050 a9f1 ... da03 af99 ... P.
0x0020 5018 2238 e156 0000 486f 7374 3a20 3230 P. " 8.V.. host:.20
0x0030 322e 3130 322e 3232 372e 3638 3a38 300d
0x0040 0a43 6f6e 6e65 6374 696f 6e3a 2063. Connection:.clo
0x0050 7365 0d0a 0d0a se ....
14:55:39.151300 > 1:170 (169) ACK-win 8760 (DF)
0x0000 4500 00d1 cb91 4000 ff06 575f yyyy yyyy e.....@ ... W_.f.d
0x0010 xxxx xxxx 0050 ca38 af99 50a2 a9f1. Da31. P.8.. P.... 1
0x0020 5018 2238 e721 0000 4854-5450 2f31 2e31 P. " 8.!.. http/1.1
0x0030 2032 3030 204f 4b0d 0a43 6f6e 7465 6e74 200.OK. Content
0x0040 2d4c 656e 6774 683a 2031 3032 3430.
0x0050 0a43 6f6e 6e65 6374 696f 6e3a 2063. Connection:.clo
0x0060 7365 0d0a 5072 6167 6d61 3a20 6e6f se.
0x0070 6163 6865 0d0a 4361 6368 652d 436f 6e74 ache. Cache-cont
0x0080 726f 6c3a 206e 6f2d 6361 6368 652c 206e ROL:.NO-CACHE,.N
0x0090 6f2d 7374 6f72 652c 206d 7573 742d 7265 o-store,.must-re
0x00a0 7661 6c69 6461 7465 0d0a 4578 7069 7265 validate. Expire
0x00b0 733a 2030 0d0a 436f 6e74 656e 742d 5479 s:.0..content-ty
0X00C0 7065 3a20 7465 7874 2f68 746d 6c0d 0a0d pe:.text/html ...

As you can see from the packet, the HTS (server) side of this communication sent a get logo package to the HTC (client) side, presumably to "fetch" the packet from the client side and a new handshake! In order to verify that we are at the Client,server end and perform Netstat-an, the results prove that our observations are correct, as follows: 8760 0 8760 0 established 8760 0 8760 0 established

On the server side, the Netstat-an is executed, with the following results: 8760 0 8760 0 established 8760 0 8760 0 established

Sure enough, the firewall on both sides of the system has played two sockets, and the general procedures are different, this is a relatively special phenomenon.

When the get action is complete, the server side sends a packet to the client side, and the content is
http/1.1 OK content-length:102400
Cache-control:no-cache, No-store, must-revalidate

This should be the parameter that defines the maximum value of the packet transmission.

The author realized that through this three times between HTC and Hts role, Httptunnel only really built up, the work of the following can be normally carried out, and very interesting is, since then all subsequent packets are not 80 ports often go get,put,post and so on content!! There seems to be some way to do this.

Above said, normal walk 80 port packet should be the web behavior, then the packet should be without get and other normal action content, if the data in the 80 port is always not these dongdong, then there must be a problem,

A solution to this problem is to manually check packets passing through port 80, which is easy to detect if the packet is transmitted in clear text. But this behavior can only be theoretically feasible. In fact, the operation is not possible, is there a more mature of this product? According to this idea to retrieve the data on the Internet, it was found that an intrusion detection e-gap system can really detect and shield Httptunnel channel software exists, it works in the application layer of TCP/IP, in the application layer level to detect the exact data packet, for example, detect 80-port packets, If it appears that there is always no valid data (Url,get,put, etc.) in the packet, the E-GAP system alarms and interrupts the connection behavior. (See Resources)

It should be noted that this detection method is only valid for plaintext transmission, if the data is encrypted, then there is no way. And then further, what if it's encrypted? At present, the author's grasp of the situation, Stealthwatch hardware products may be a better choice, it completely abandoned the mode of work based on the signature, but the adoption of a patent based on the Flow-base framework strategy, according to the results of several evaluation laboratories, can effectively detect all kinds of attacks, Dos, worms, viruses and even encrypted communications that have been exposed and undisclosed! However, its price is also far beyond the ordinary commercial IDs system, a complete set of facilities for 40,000 of dollars! There is no condition test for the author of the effect. (See Resources)

In our experiment, Httptunnel also escaped the firewall shielding and intrusion detection system tracking, it is worth thinking. We can see that network security depends only on some or some means is unreliable, especially for the security requirements of the application system, while the blind dependence on the security system will often cause huge security risks.


Httptunnel Home
Httptunnel program Download
Tcpdump homepage and related resources
Snort home page and related resources
NSS report on the evaluation of IDS system
Open Source Mounts IDS Challenge report
Article "insertion, evasion, and denial of service:eluding network intrusion"
Stick Author homepage
E-GAP Products
Stealthwatch Products

About the author
Gong, Male, 26 years old, Henan Telecom network key Equipment Senior system administrator, Director engineer, China Telecom national Trans-century talent, China Telecom Network security Group Core members, Henan Telecom network security team members. You can contact him through or website!

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.