News to the wise college kids wanting to get around "the network"

Page 2

ScottMac

Moderator, Networking, Elite member
Mar 19, 2001
5,471
2
0
But once the Admins start seeing a bunch (as in numbers of people) of SSL VPN traffic to a given site, that site can be investigated and blocked.

Plus you lose a bit of bandwidth in overhead.

Plus you gain a bit of latency in the encrypt/decrypt.

Plus encrypted traffic doesn't fragment, so the MTU must be reduced (16-24 bytes, no big deal).

Plus "they" can always slap a bandwidth cap on SSL traffic.

Given that "they" are instituting a restrictive policy, you have to assume that they are monitoring for anomalous traffic and will investigate and take appropriate (for them) action.

It's not necessarily a perfect solution.

FWIW

Scott
 

kamper

Diamond Member
Mar 18, 2003
5,513
0
0
I read an article a while ago about a guy who created an ICMP tunnel back to his house to get internet access from his campus library's wireless network. It was more a proof of concept than being malicious because he could simply have registered his MAC with the admins to get kosher access. But of course, without an out-of-the-box solution, very few people would be capable of such a thing and I imagine it'd be pretty easy to shut down right?

I'm not sure I completely understand all the SSL/VPN issues y'all are discussing, but how about going backwards and tunneling SSL over HTTP? You'd generate a huge amount of traffic going to your proxy on the outside, but other than that, how would a "network security consultant" differentiate it from everything else? To what degree do monitors inspect the contents of HTTP traffic?
 

cmetz

Platinum Member
Nov 13, 2001
2,296
0
0
What's the chances of getting the mods to put a sticky topic in this forum - "This is not a cracking forum"?

With back to school time for all, we're gonna get the yearly deluge of questions about how to circumvent security. And let's face it, if you have to ask, you shouldn't be doing it, you're just gonna get caught and look real stupid.
 

Fardringle

Diamond Member
Oct 23, 2000
9,200
765
126
Originally posted by: cmetz
What's the chances of getting the mods to put a sticky topic in this forum - "This is not a cracking forum"?

With back to school time for all, we're gonna get the yearly deluge of questions about how to circumvent security. And let's face it, if you have to ask, you shouldn't be doing it, you're just gonna get caught and look real stupid.

Very true. But at least they did ask here so they can merely look stupid in front of 100,000 Anandtech subscribers who (in general) can't do more than point and laugh, instead of looking stupid in front of the school board who can and will make their lives miserable (at least) and possibly kick them from school and file criminal charges for violating school policy and network security...
 

EatSpam

Diamond Member
May 1, 2005
6,423
0
0
Originally posted by: spidey07
Originally posted by: randal
Originally posted by: yukichigai
Here's what I did:

1) Get accused of pingflooding someone. (yeah, old school :p)
2) Deny all knowledge of anything like that, inviting IT staff to run all the tests they want.
3) Wait 3 weeks while IT staff monitors or does whatever the heck else they do
4) This is the important part: also wait until they somehow accidentally remove the bandwidth cap on your connection in the process and never restore it
5) Run 3 fileservers + 2 gameservers.
6) Profit.

I have no clue what/how/why it happened that way, but somehow when they were doing whatever it is they did to verify that I wasn't a l33t h4XX0r d00d (or whatnot) they uncapped my bandwidth. Bigtime. I had something in the area of T3 speeds for the rest of the year.

So the moral is thus: your only hope is that the IT department is staffed by enough idiots that it sabotages itself.
I just got to know one of the network guys, bought him a sixpack one day and then enjoyed unlimited/uncapped/unmonitored internet for the rest of college. Gameservers, fserves, ircd leaf, you name it.

Those were good times. I could do the same now that I'm semi-admin, but eh ... not into that stuff anymore.

We have a winnar!

The best systems can usually be beaten with social engineering. :)
 

Trevante

Senior member
Jul 13, 2005
227
0
0
If you're a total n00b like me, you can set up a VNC server (to get your torrents going, check on them every 2 hours or so) and an FTP server on your computer back home and then use your 1337 Comcast connection to download from your FTP server at a blazing 40kb/s.
 

Sphexi

Diamond Member
Feb 22, 2005
7,280
0
0
Wish I had kept up on my GSEC cert, but I let it lapse a year or two back :(...no need for it in my current job, so I didn't feel like paying the fees for it.

Oh well, this is exactly the type of thing I enjoy doing anyways :)...with any luck I'll work my way into the field.
 

FatBoyXPC

Junior Member
Nov 16, 2005
1
0
0
Hey spidey, I was wanting to know if you could help me out and let me optimize my connection at my university? I PMed you by the way.
 

Fox5

Diamond Member
Jan 31, 2005
5,957
7
81
Hmm, I don't think my school really places limits on connections. Well, there's a 1mb/s speed limit on the dorm connections, but I don't think there's a max bandwidth limit, or anything done to block downloading. The real limit on the speeds is that it's a single shared internet connection, so when a few people are using it the speed bogs down to almost nothing. They do require that all computers have virus scanners...which can be gotten around by just installing the auto update portion of the virus scanner and not the actual meat and potatoes. (The virus scanner the school provides continually scans your computer and can't be disabled, so the other option to not have a ridiculously bogged down computer is to buy your own.)
There's also a no router policy and a requirement to install software on every computer (so routers don't work), which prevents xbox live from working, but that can be gotten around with shared internet connection and a 2nd ethernet card or something in a computer.
There's also a "Don't use the wireless connection of a building you are not currently within." policy, but I don't see how they could enforce someone from a dorm connecting to an open wireless network in a building across the street.

I don't even think I understand the level of the topics that this thread was meant to address though, beyond the 3 things I just listed I don't 'see' any limitations on what we can do on our campus network.
 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
Originally posted by: Fox5
Hmm, I don't think my school really places limits on connections. Well, there's a 1mb/s speed limit on the dorm connections, but I don't think there's a max bandwidth limit, or anything done to block downloading. The real limit on the speeds is that it's a single shared internet connection, so when a few people are using it the speed bogs down to almost nothing. They do require that all computers have virus scanners...which can be gotten around by just installing the auto update portion of the virus scanner and not the actual meat and potatoes. (The virus scanner the school provides continually scans your computer and can't be disabled, so the other option to not have a ridiculously bogged down computer is to buy your own.)
There's also a no router policy and a requirement to install software on every computer (so routers don't work), which prevents xbox live from working, but that can be gotten around with shared internet connection and a 2nd ethernet card or something in a computer.
There's also a "Don't use the wireless connection of a building you are not currently within." policy, but I don't see how they could enforce someone from a dorm connecting to an open wireless network in a building across the street.

I don't even think I understand the level of the topics that this thread was meant to address though, beyond the 3 things I just listed I don't 'see' any limitations on what we can do on our campus network.


Do they provide all these "software packages" for Linux? Running AV on Linux, with the exception of something for Windows shares, is kinda pointless. If you are smart enough to build and maintain the box, you are (normally) smart enough to keep it locked down and secured.
 

Atheus

Diamond Member
Jun 7, 2005
7,313
2
0
oooo, challenge accepted! I can't believe I missed this the first time round.

I will assume that my goal is to download things and run services without the admin's knowledge, and that penetrating the main routers is impossible (which I doubt).

1) Set up a router in front of my PC. It should be quite powerful and have traffic shaping/QoS features.

2) Poison the ARP cache of my local switch and steal a bunch of IP addresses from other users on the switch. Nobody loses connectivity due to my router redirecting everything to its original intended destination.

3) Set up a system where I can break all my packets down into small chunks, encapsulate them in HTTPS, and send them out using someone else's IP address. Choosing randomly from my list of stolen IPs each time will allow me to hide all my packets in other users' HTTP data streams. The packets are received by an external server which recognizes all the IPs I'm using, rebuilds the packets into whatever they were supposed to be and acts as a proxy for them. Likewise in reverse, the external box might send to any of the IPs, but the packets would be marked in some way so my internal router can filter them out before they are sent to the user who really owns that IP. This would all be detected by most IDSs as nothing more than normal web traffic, even if we are dealing with large amounts of data, as it will be spread out in small pieces over many source/destination IPs.

4) An anomaly-based IDS may pick up a sudden spike in overall web traffic, so just to be safe, I slowly throttle the other users while increasing my own chunk of hidden bandwidth, balancing the load so there are no spikes. This should go nicely under the radar.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Switches and routers have features to prevent ARP poisoning/spoofing.

Basically the switch, in conjunction with the router, won't allow it.

Also you can enforce an "only one IP from this switch port" policy.

Interesting idea and man-in-the-middle approach, but easily mitigated.
;)
 

Boscoh

Senior member
Jan 23, 2002
501
0
0
I set my TTL on your student port to 1, and your router starts dropping everything.
 

AirGibson

Member
Nov 30, 2000
60
0
0
Out of curiosity, what are you going to do to justify dealing with someone using a SSL proxy? I mean, sure you can "detect a lot of SSL traffic", but you have no idea what's transpiring there. It seems like all you'd be left with is saying "Well, I don't know what's going on there, so I'm going to block that address he's communicating with."
 

Atheus

Diamond Member
Jun 7, 2005
7,313
2
0
I could just reset the TTL to whatever I want, so that won't work. I admit it could be stopped by the one IP per switch port policy... but what about this... I gain control of all the user machines on the switch, then have _them_ filter and forward traffic for me rather than a router... the rest of the system works the same way. The victim machines could communicate to achieve the desired load balancing. Actually that's much better, there's no ARP poisoning, and I don't have to install a router and risk it being detected.

I've never actually had to do this before, since our uni had a separate network for us (computer scientists and electronic engineers) which was unrestricted. I expect trying to restrict us would have caused some problems :)
 

networkman

Lifer
Apr 23, 2000
10,436
1
0
Originally posted by: randal
I just got to know one of the network guys, bought him a sixpack one day and then enjoyed unlimited/uncapped/unmonitored internet for the rest of college. Gameservers, fserves, ircd leaf, you name it.

Those were good times. I could do the same now that I'm semi-admin, but eh ... not into that stuff anymore.

It's called social-engineering and it works rather well. ;)

 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
They would set TTL on THEIR side, so then you would have to hack the router to reset that. Your TTL going out would work (i.e. TTL of 255 to Google, decremented to 240 as it comes back, then they change that as it comes back in to a TTL of 1 (on the ICMP reply) and your router says "Ohh, this packet has expired" and drops it, rather than forwarding it.)

As far as the lots of SSL traffic to a single IP thing, look up what its reverse DNS is; if it's an ISP provider, block it and claim you thought it might be "a rootkit calling home, as there is no legit reason for a user to have that much SSL traffic to a home machine".

 

AirGibson

Member
Nov 30, 2000
60
0
0
Originally posted by: nweaver

As far as the lots of SSL traffic to a single IP thing, look up what its reverse DNS is; if it's an ISP provider, block it and claim you thought it might be "a rootkit calling home, as there is no legit reason for a user to have that much SSL traffic to a home machine".
Yeah, but isn't that a bit of a cop-out? Who defines "a legit amount of SSL traffic" and based on what? I would personally prefer that everything I do be encrypted.

In other words, you could give that excuse as a reason to do almost anything. I'm asking how you conclusively justify it above and beyond making up fake excuses or saying "well, I'm the admin" or "we don't know what it is since it's encrypted, so we're blocking it".
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: AirGibson
Originally posted by: nweaver

As far as the lots of SSL traffic to a single IP thing, look up what its reverse DNS is; if it's an ISP provider, block it and claim you thought it might be "a rootkit calling home, as there is no legit reason for a user to have that much SSL traffic to a home machine".
Yeah, but isn't that a bit of a cop-out? Who defines "a legit amount of SSL traffic" and based on what? I would personally prefer that everything I do be encrypted.

In other words, you could give that excuse as a reason to do almost anything. I'm asking how you conclusively justify it above and beyond making up fake excuses or saying "well, I'm the admin" or "we don't know what it is since it's encrypted, so we're blocking it".

Persistent SSL connections are not normal network behavior, so they are flagged and alarmed. As such, automated actions can be taken - kill the connection, all the way to shutting down the port and considering it malicious activity.

 
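The flagging ScottMac and spidey07 describe (lots of SSL traffic to one site, or a TLS session that never ends) is easy to express over flow records. The following is an added example written for this thread, not code from any poster or from AnandTech; the flow records are constructed sample data, and the thresholds (one hour per session, 10 MB per destination, two internal sources sharing one external host) are assumptions chosen for illustration, not figures from the discussion.

```python
"""Flag campus hosts whose TLS traffic looks like a tunnel rather than browsing.

Added example for this thread (not from the original posts). Works over
NetFlow-style records: one record per connection with start/end times and
bytes sent by the internal host.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # internal (dorm) address
    dst: str        # external address
    dport: int      # destination port; 443 is treated as TLS
    start: int      # epoch seconds
    end: int        # epoch seconds
    bytes_out: int  # bytes sent by src


# Constructed sample flows (not real traffic): 10.1.2.3 keeps a single TLS
# session to 203.0.113.7 alive for hours and pushes ~20 MB through it, while
# 10.1.2.9 does short, ordinary HTTPS browsing.
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "203.0.113.7", 443, 0, 7200, 9_500_000),
    Flow("10.1.2.3", "203.0.113.7", 443, 7200, 14400, 11_000_000),
    Flow("10.1.2.9", "198.51.100.20", 443, 100, 130, 120_000),
    Flow("10.1.2.9", "198.51.100.21", 443, 200, 215, 40_000),
    Flow("10.1.2.9", "198.51.100.22", 80, 300, 310, 15_000),
    Flow("10.1.2.3", "198.51.100.20", 443, 50, 80, 90_000),
]

# Assumed thresholds; tune them to the site's own baseline.
MAX_SESSION_SECONDS = 3600      # one TLS connection longer than this is unusual
MAX_BYTES_PER_DST = 10_000_000  # total TLS bytes to one destination in the window


def summarize_tls(flows):
    """Aggregate TLS (port 443) flows per (src, dst): bytes, longest session, count."""
    stats = defaultdict(lambda: {"bytes": 0, "longest": 0, "sessions": 0})
    for f in flows:
        if f.dport != 443:
            continue
        s = stats[(f.src, f.dst)]
        s["bytes"] += f.bytes_out
        s["longest"] = max(s["longest"], f.end - f.start)
        s["sessions"] += 1
    return stats


def find_persistent_tls(flows, max_seconds=MAX_SESSION_SECONDS, max_bytes=MAX_BYTES_PER_DST):
    """Return one alert per (src, dst) pair that exceeds a duration or volume threshold."""
    alerts = []
    for (src, dst), s in sorted(summarize_tls(flows).items()):
        reasons = []
        if s["longest"] > max_seconds:
            reasons.append(f"session of {s['longest']}s exceeds {max_seconds}s")
        if s["bytes"] > max_bytes:
            reasons.append(f"{s['bytes']} bytes to one host exceeds {max_bytes}")
        if reasons:
            alerts.append({"src": src, "dst": dst, "reasons": reasons, **s})
    return alerts


def shared_tls_destinations(flows, min_sources=2):
    """Map external hosts to the number of distinct internal sources talking TLS to them.

    This is ScottMac's 'a bunch of people to a given site' signal. A popular
    public website trips it too, so it is a lead for investigation, not proof.
    """
    sources = defaultdict(set)
    for f in flows:
        if f.dport == 443:
            sources[f.dst].add(f.src)
    return {dst: len(s) for dst, s in sorted(sources.items()) if len(s) >= min_sources}


if __name__ == "__main__":
    for a in find_persistent_tls(SAMPLE_FLOWS):
        print(f"{a['src']} -> {a['dst']}: " + "; ".join(a["reasons"]))
    print("shared destinations:", shared_tls_destinations(SAMPLE_FLOWS))
```

The alert carries the aggregated numbers so whoever follows up can do what nweaver suggests (check the destination's reverse DNS, ask the user) rather than acting on the threshold alone; note that a long-lived connection to a mail or chat service will look the same in this data, which is the ambiguity AirGibson raises.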

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
I would ask "Why do you have 10 megs of SSL traffic to your home/a home machine?" and if you can't justify it, I axe it. I don't have to justify the rules, you have to justify the exceptions.
 

AirGibson

Member
Nov 30, 2000
60
0
0
Originally posted by: spidey07


Persistent SSL connections are not normal network behavior, so they are flagged and alarmed. As such, automated actions can be taken - kill the connection, all the way to shutting down the port and considering it malicious activity.
Originally posted by: nweaver
I would ask "Why do you have 10 megs of SSL traffic to your home/a home machine?" and if you can't justify it, I axe it. I don't have to justify the rules, you have to justify the exceptions.

I think we're talking apples and oranges. The challenge was "I dare you to get around my security." Well, they just did, right? And the traffic is encrypted in such a way that the only excuse you can give is "I don't understand what they're doing, so I'm unplugging them." You didn't for certain catch them doing anything "nasty" or prove they did anything. You simply unplugged something you didn't understand. You could literally give that excuse for anything.

That's not what I'd call a "win" anyhow since the student still downloaded however many naughty MP3s without you being able to accuse them of anything other than "too much SSL" (which obviously isn't criminal in the least).

And then comes the nasty media spin: "Local university claims Students have no right to privacy!" :D

As for asking the student to "justify" it, that'd be a cinch to lie about.
 

Atheus

Diamond Member
Jun 7, 2005
7,313
2
0
nweaver - you say my router would drop the packet, but it's _my_ router... it doesn't have to follow RFCs, it doesn't drop anything I don't want it to. I just reset the TTL and forward.

Can anyone find a flaw in the idea in my second post, where the victim machines act as routers for me and conceal my traffic among their data streams? No new router hardware, no ARP poisoning. The rest of the system works as described in my first post. c'mon spidey!
 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
What router would you be using that fails to follow RFCs? You would have to rewrite some code I would think (that's possible, but it would take a while).

And assuming (as some have said) that the uni requires a firewall/up to date AV, how would you infect those machines? I know that there will always be new ways, but when running a S/W firewall and A/V, it is significantly harder, unless you get them to execute code.