I HATE Websense!

Old 11-10-2006, 04:04 PM
  #21  
TECH Veteran
Thread Starter
iTrader: (1)
 
vanillagorilla's Avatar
 
Join Date: Apr 2004
Location: Arizona Bay
Posts: 4,038
Likes: 0
Received 0 Likes on 0 Posts

Default

Alt+tab! HA! I just tried it. That's awesome, I'm going to have to tell my friends that one.

I have something called TightVNC on my machine. It's so MIS/IT can get on here and remotely install stuff for us since they're in Michigan. It's kind of nice, but I wonder if it'll work like the way you guys described the other VNC programs.
Old 11-10-2006, 05:17 PM
  #22  
TECH Resident
iTrader: (22)
 
sdbrown84's Avatar
 
Join Date: Feb 2005
Location: Phoenix, AZ
Posts: 907
Likes: 0
Received 0 Likes on 0 Posts

Default

It's a shame all companies don't endorse forums though. I'm sure it may be the sole reason for keeping the stress level down in the workplace.
Old 11-10-2006, 06:05 PM
  #23  
TECH Resident
 
jpat1023's Avatar
 
Join Date: Jun 2005
Location: Texas
Posts: 932
Likes: 0
Received 0 Likes on 0 Posts
Default

Originally Posted by reject
lol the things we will do to be on tech! lol
haha, Hell yea!
Old 11-10-2006, 07:49 PM
  #24  
Banned
iTrader: (8)
 
Super Speed's Avatar
 
Join Date: May 2005
Location: 'Merica
Posts: 1,785
Likes: 0
Received 0 Likes on 0 Posts
Default

lol this thread makes me lol' we have limewire and torrents blocked here any advice lol'
Old 11-10-2006, 08:36 PM
  #25  
TECH Resident
 
jpat1023's Avatar
 
Join Date: Jun 2005
Location: Texas
Posts: 932
Likes: 0
Received 0 Likes on 0 Posts
Default

'lol' you could 'lol' look at post #12 'lol'.
Old 11-11-2006, 12:38 AM
  #26  
12 Second Club
iTrader: (1)
 
BLK85's Avatar
 
Join Date: Apr 2004
Posts: 995
Likes: 0
Received 0 Likes on 0 Posts

Default

Originally Posted by unit213
I find this very hard to believe. We can put a man on the moon, but
we can't find a way to access LS1Tech from work? I'm not buying it.
Most firewalls are hardware not software, the good ones anyway.
Old 11-12-2006, 09:39 AM
  #27  
TECH Senior Member
iTrader: (10)
 
cyphur's Avatar
 
Join Date: Mar 2003
Location: North Texas
Posts: 8,009
Likes: 0
Received 0 Likes on 0 Posts
Default

We have 3 different hardware firewalls on our network, along with IDS/IPS stuff.

There is always a way around it, just have to try hard enough. Research is your friend...
Old 11-12-2006, 11:46 AM
  #28  
TECH Enthusiast
iTrader: (33)
 
Speed's Avatar
 
Join Date: Jul 2002
Location: Ok
Posts: 609
Likes: 0
Received 0 Likes on 0 Posts

Default

Didn't read all the posts but I'll give you some goods

1. Find out if your network is running WCCP. You can do this in one of two ways. Ask one of your network engineers or check your proxy settings in your browser. Since you are running websense, chances are if you have nothing in the proxy settings, your network is running WCCP.
--If yes, continue
--If no, when at home, google for free open proxy servers
--put those proxy settings into your web browser (understand this is a security risk)
--If this doesn't work, continue

If your firewall admin is worth a ****, he would have limited your network to allow http traffic out from the proxy only (meaning you can't connect to the internet on port 80 from any machine other than the proxy server). This means you are going to have to bypass websense's content filtering. Thankfully this is pretty easy to do.

Next, try to connect to the website via IP address. You can find out the IP address to your target website by using the following commands at a Windows DOS prompt
-nslookup <target site>
--example: nslookup www.ls1tech.com
Name: www.ls1tech.com
Addresses: 67.15.111.196, 67.15.111.194, 67.15.111.195

If that doesn't work try this:
-ping -a <target website>
--example: ping -a www.ls1tech.com
Pinging www.ls1tech.com [67.15.111.194] with 32 bytes of data:

Again, your firewall admin may block pings but don't worry about the request time out if you get one, you are after the IP address. You are after the IP address which looks like ###.###.###.### (ls1tech has one IP address 67.15.111.194). Plug this number into your browser's address bar and try that.
--Example: http://67.15.111.194 equals https://ls1tech.com

If your websense admin is worth a ****, he will have enabled reverse DHCP lookups which means the above won't work. However, all is not lost. There is a little cute bit of code in the Windows (and others) TCP stack that allows for the conversion of long integers to IP addresses. All it really does is convert the 4 segments of an IP address to one contiguous number representing the same thing. For this we need a quick lesson in binary. (Skip down a couple paragraphs if you don't care how it works).

Humans think of numbers in series of ten (decimal..0-9, 10-19, etc). Machines don't understand this. They know 2 numbers: 0 and 1. Off and on (there are actually other states but these are the fundamentals). This is called binary. So to work with more complex number systems, one has to convert. That IP address you see has 4 decimal numbers. Since the computer can't deal directly with decimals, it has to be converted to binary. It's really really simple once you get past the abstract. Each of those four segments represents 8 binary digits. An IP address for ls1tech actually looks like this to the computer...

01000011.00001111.01101111.11000010
This is the same binary number as
67.15.111.194 which we know from the above commands is the IP address to ls1tech.

Here is how it works:

Each binary digit represents a number. It looks like this

0 0 0 0 0 0 0 0
128 64 32 16 8 4 2 1

So if you wanted to represent the number 8 in binary it would look like
00001000

12 would look like
00001100

As you can see, you just put a one for the number you want and add all the numbers you put a one in for together. With 8 digits, you can count from 0 to 255 for a total of 256 possible numbers (0 is a number).

So now you see how we get
67.15.111.194
from
01000011.00001111.01101111.11000010

All we have to do to beat the websense content filter is put in a number that represents that IP address but is a literal string that websense doesn't recognize. A string is just a series of characters. This sentence is a string to the computer.

So to arrive at a number that will do that, we just need to convert the IP address to a contiguous string. This works because the computer disregards the fact that humans read IP addresses in four segments. The computer actually reads the number as

01000011000011110110111111000010

The enterprising among you will note that there are 32 digits (four segments of 8). In the above example, you saw how we counted 8 digits starting at 128 and halving down to 1. Well nothing says we have to stop at 8. If you had 11 it would look like

0 0 0 0 0 0 0 0 0 0 0
1024 512 256 128 64 32 16 8 4 2 1

and so on...

Well if you converted all 32 digits into one contiguous number the IP address would be

67.15.111.194 or
01000011.00001111.01101111.11000010 or
01000011000011110110111111000010 of contiguous numbers. Well this number, converted back to decimal is 1125085122.

To the computer, all of these numbers are the same. So stretching ALLLLLL the way back up to where we started: 1125085122 is equivalent to www.ls1tech.com

Start here if you skipped the why:

So here is what you have to do.
1. Look up the site's ip address using the above methods.
2. Open calculator and select scientific from the view menu
3. Note on the left hand side the four number systems (HEX DEC OCT BIN) and ensure DEC is selected
4. Starting from left to right, plug in each of the 4 numbers into the calculator and click the BIN radio button which will convert that number to 0's and 1's. Often, the resulting number will have less than 8 total digits so you will need to add zeros until you have 8 total digits. (example 67 is 1000011 which is 7 digits. Add a leading zero to make it 01000011).
5. Repeat this process for all numbers and paste the 8 digit binary result into one long string of 0's and 1's. You should have a total of 32 numbers.
6. Making sure you have BIN selected, paste that number into the calculator. It will strip off the leading zeros so don't worry if the total result is slightly shorter.
7. Now select DEC to convert the number to decimal. Copy this number and prepend an http:// to the front. It will look something like http://1125085122 and hit enter.

In my understanding this works because websense examines the number as a string, not a literal. Meaning it isn't smart enough to convert the actual numbers. It works by recognizing the pattern of an IP address and going from there. Since 1125085122 doesn't "look" like an IP address, it doesn't match anything in the filter database and you are allowed to proceed as you wish. As of this writing, this works on the latest version of websense.

For the techie among us, I have written a little perl script to manage all of this for you which I can post up if anyone wants it. Good luck and happy surfing!
Old 11-12-2006, 12:07 PM
  #29  
TECH Enthusiast
iTrader: (33)
 
Speed's Avatar
 
Join Date: Jul 2002
Location: Ok
Posts: 609
Likes: 0
Received 0 Likes on 0 Posts

Default

Also to clear up some confusion...

Websense is a piece of software, not hardware. More often than not, it runs on a Windows server box. It is not a firewall and it does not sit inline with the internet bound network traffic. It is also not, in and of itself, a proxy. It works in tandem with your proxy server to filter sites. The proxy itself is also almost never directly inline with the internet traffic until something redirects to it (pseudo inline).

A typical installation works like this:

Network and Security folks setup a network with a proxy, filter, and a firewall. The client makes a request to go to www.ls1tech.com. The browser then decides if they have a proxy to send that request to. Since we have a proxy, the IT staff has automatically configured your browser to send the traffic to your corporate proxy server. The browser puts together the request with some extra information for the proxy and sends it over. All the proxy does is make the request on behalf of the client.

Since the proxy has been configured to push all requests through a content filter like websense, it strips out the target address and sends it over to the content filter who looks through its database and decides if the site is allowed. The content filter then logs the site visit along with some identifiable information about the client and returns a pass or fail back to the proxy. The proxy reads the decision and either goes out on the internet to get the page for the client or returns the infamous "websense has blocked this page" message.

If it passed, the proxy server grabs page for the client and sends it back to the client in a seamless transaction. Since we have a firewall, we only allow the proxy server to go directly to the internet and stop all other machines from getting out.

The reason I say it is pseudo-inline is you can configure the firewall to allow a client directly out to the internet and remove the proxy settings from the client browser. If you have WCCP running, this becomes more complex as the gateway router is going to force your traffic over to the proxy anyway. I'm not sure if v2 has anything that allows client bypass.

Also, RDP and VNC to your home machine will only work if your gateway firewall allows those ports outbound. If your firewall admin is allowing that, they are probably allowing most if not all outbound traffic and should have their head examined. I really really really wouldn't recommend using VNC wide open as it's one of the first vectors I look for when pen testing. Obtaining a password hash is scary easy to do. If you want to use it, ensure it is patched religiously and you use a local firewall that only allows an inbound connection to that port from your work's internet ip address.

Consider this if your IT guys are using VNC to manage the desktops....

If you are running VNC, they can log in and see anything and everything you are doing and there is little indication this is happening. Further, if you want to know the password they are using to authenticate look in the registry for a key similar to HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3\Default. It will have a password hash. There are tons of decrypters for it online and it falls in a microsecond. More scary, the default security settings on many instances of windows allows that key to be read by any authenticated user regardless of privilege level.

Secondly, with all the more secure options for remote management, using VNC should only be an option on older systems without a native service that have been isolated with ACLs and a firewall.

Last edited by Speed; 11-12-2006 at 12:36 PM.
Old 11-12-2006, 01:37 PM
  #30  
TECH Resident
 
jpat1023's Avatar
 
Join Date: Jun 2005
Location: Texas
Posts: 932
Likes: 0
Received 0 Likes on 0 Posts
Default

VNC is just an example, it is given that the internet is full of different RDP programs...
Plus, people aren't hacking into NSA servers, they just need a quick, easy way around a content filter, vnc accomplishes this with little to no hassle. Unlike converting sites to ip address, converting that to binary, and then converting that to a base ten number and plugging it into the web browser....
Old 11-12-2006, 02:13 PM
  #31  
TECH Enthusiast
iTrader: (33)
 
Speed's Avatar
 
Join Date: Jul 2002
Location: Ok
Posts: 609
Likes: 0
Received 0 Likes on 0 Posts

Default

It's pretty easy actually as far as circumventing security controls goes. In fact, one could embed a script into firefox to do it automatically.

Plus, if their firewall admin lets anything like vnc out directly from general client machines, they aren't much of a firewall admin! That being the case, an even easier, faster, and more secure way would be to put a proxy server on their home machine and configure the proxy port to 5800 or 5900. Then put it behind their home firewall and configure the firewall and proxy to only allow inbound connections on that port from their work IP. Even a step further, you could password protect the proxy.

Ultimately, anyone can do whatever they are comfortable with. You just have to weigh the risks of having a home network compromised to the risks of learning how to do it securely. They may not be hacking into NSA networks, but it might be a good idea to help them keep their 13yr old neighbor's kid out of their machine too.

Last edited by Speed; 11-12-2006 at 02:24 PM.
Old 11-12-2006, 03:03 PM
  #32  
TECH Resident
 
jpat1023's Avatar
 
Join Date: Jun 2005
Location: Texas
Posts: 932
Likes: 0
Received 0 Likes on 0 Posts
Default

haha, vnc uses ports 5800 and 5900, 5900 if you are using the vnc client and 5800 if you are using the java app...and it is password protected...and it sits behind your home firewall, which you can filter incoming ip's with...and port forward to the home machine of your choice, or have it on all your home machines and use different ports for different boxes...etc, etc...it is very customizable...

Anyways, I don't really care what you use, but your knowledge of vnc is very limited, so I thought that should be corrected...
Old 11-12-2006, 03:54 PM
  #33  
TECH Enthusiast
iTrader: (33)
 
Speed's Avatar
 
Join Date: Jul 2002
Location: Ok
Posts: 609
Likes: 0
Received 0 Likes on 0 Posts

Default

Originally Posted by jpat1023
haha, vnc uses ports 5800 and 5900, 5900 if you are using the vnc client and 5800 if you are using the java app...and it is password protected...and it sits behind your home firewall, which you can filter incoming ip's with...and port forward to the home machine of your choice, or have it on all your home machines and use different ports for different boxes...etc, etc...it is very customizable...

Anyways, I don't really care what you use, but your knowledge of vnc is very limited, so I thought that should be corrected...
Ahh this is why I love message boards...

You didn't correct anything. You just regurgitated everything I said. But if you believe in security by obscurity, I pity any organization you control security for. However, I'm guessing you're at around the helpdesk, maybe desktop support level. So let me give you some tough love...

You can't change the headers in VNC so you can't hide it from a port map by changing ports. Further, changing the port won't stop anyone from using any of the dozens of exploits out there for it after they discover it using kiddie tools. My favorite is the malformed packet privilege escalation exploit. But since you are a VNC expert, you could probably tell us how to keep it secure using isolation and compensating controls. Because you're not, you can restate exactly what I said previously in a vain attempt to make yourself look smarter than you are. Also, the java client you are referring to is just an embedded version of the stand alone client except it is now exposed to vulnerabilities native to the browser as well. But I guess you knew that too? To correct you, the VNC server doesn't listen for the HTTP connections on port 5800 only. It listens on 5800+n connections.

After the initial negotiation, the port will go high and out of range of the open port, thus breaking the connection because your firewall configuration doesn't allow 5801/2/3/4/5 etc. If you are trying to use a stateful configuration, you open yourself up to other vulnerabilities.

http://www.realvnc.com/javavncviewer.html

But this is irrelevant because we are worried about securing the server side since that is what is installed on someone's home PC. And by doing exactly what I said above, you can provide some level of security. By using my alternative suggestion, you will obtain a faster and more secure solution. Anyone smart enough to setup a NAT even on a linksys 'router' should be smart enough to setup a little proxy box listening on whatever port they choose (read carefully, the ports actually open on the firewall). That's because what firewall admin is going to allow the general client population directly out any random high port?

As it's obvious your security knowledge is very limited, I highly recommend you not give anyone advice until you become better educated. There are a number of books out there or perhaps once you have networking fundamentals down, you could hit one of the SANS classes. 504 is a good class to show you all the reasons your solution is unsafe. I also truly hope no one follows your advice of sticking some version of VNC on their home machine in the hopes to bypass their corporations web filter. Good luck with your career and have a nice day.
Old 11-12-2006, 04:05 PM
  #34  
TECH Enthusiast
iTrader: (33)
 
Speed's Avatar
 
Join Date: Jul 2002
Location: Ok
Posts: 609
Likes: 0
Received 0 Likes on 0 Posts

Default

I apologize, I just read your profile. I see you are a 20 year old college kid looking for a financial degree. And you are the "assistant IT director/sales rep" for a food services company? I just had a flashback of last week's episode of the office... lol

Learn to read between the lines on these pieces of software you are supposedly an expert on. If you seriously want to understand information security, www.giac.org and www.sans.org are good places to start. Read the gold cert papers and if you can understand them, you have a good start...
Old 11-13-2006, 01:09 AM
  #35  
TECH Resident
 
jpat1023's Avatar
 
Join Date: Jun 2005
Location: Texas
Posts: 932
Likes: 0
Received 0 Likes on 0 Posts
Default

Do you feel better now?

I gave a simple answer to people that have a simple understanding of computers, I wasn't planning on an IT professor examining my answer or else I would have given an essay, like you.....btw, I love when people try to E-bully, haha, you had to go read my profile...hahaha

Last edited by jpat1023; 11-13-2006 at 01:14 AM.
Old 11-13-2006, 10:07 AM
  #36  
TECH Enthusiast
iTrader: (33)
 
Speed's Avatar
 
Join Date: Jul 2002
Location: Ok
Posts: 609
Likes: 0
Received 0 Likes on 0 Posts

Default

I do, thanks..

On topic of the thread, if anyone is interested in a firefox script that can do the conversion for you, let me know and I'll write it.

It's a little clunky but if you are familiar with perl and want something a little less quick and dirty than the calculator solution above, try this...

use Socket;

print "Enter a host name: ";
$useraddress = <>; #grabs host name in from user ie www.ls1tech.com
chomp ($useraddress); #removes the trailing newline

($host, $aliases, $type, $number, @ips) = gethostbyname($useraddress); #splits up returned record
die "Could not resolve $useraddress\n" unless @ips; #stops here if the lookup returned no address
($a,$b,$c,$d) = unpack('C4',$ips[0]); #grabs the four octets of the first IP
$abin = sprintf("%b", $a); #converts the first octet to binary
$bbin = sprintf("%b", $b); #converts the second octet to binary
$cbin = sprintf("%b", $c); #converts the third octet to binary
$dbin = sprintf("%b", $d); #converts the fourth octet to binary

$abin = "00000000$abin"; #prepends the stripped leading zeros
$abin = substr($abin, length($abin) -8); #keeps the last 8 digits, a valid 8 bit octet
$bbin = "00000000$bbin"; #prepends the stripped leading zeros
$bbin = substr($bbin, length($bbin) -8); #keeps the last 8 digits, a valid 8 bit octet
$cbin = "00000000$cbin"; #prepends the stripped leading zeros
$cbin = substr($cbin, length($cbin) -8); #keeps the last 8 digits, a valid 8 bit octet
$dbin = "00000000$dbin"; #prepends the stripped leading zeros
$dbin = substr($dbin, length($dbin) -8); #keeps the last 8 digits, a valid 8 bit octet

$bin = "$abin$bbin$cbin$dbin"; #creates 32 bit binary ip string
$dec = oct( "0b$bin" ); #converts the binary string back to decimal
print "Use the following url: http://$dec\n"; #outputs bypass url to user #replace http with https for secure sites
exit;



EDITED: to add code comments
Also, this might not work on sites that perform host name checks since the host name it sees you trying to come in on is the long integer vs the url.

Last edited by Speed; 11-13-2006 at 10:23 AM.
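
Added example, not part of the thread and not Websense's code: the filter-side fix for the string-matching gap described in posts #28 and #36 is to canonicalise the URL host before the policy lookup. This Python sketch goes beyond the single-integer case in the thread and also covers the other numeric spellings that address parsers accept (hex, octal, fewer than four parts); the policy set, log lines and function names are assumptions made up for the illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed policy for this example, using the addresses quoted in the thread.
BLOCKED = {"www.ls1tech.com", "67.15.111.194", "67.15.111.195", "67.15.111.196"}

# Constructed proxy log lines: client IP, method, URL.
SAMPLE_LOG = [
    "10.0.0.21 GET http://www.example.com/",
    "10.0.0.37 GET http://1125085122/forum/",
    "10.0.0.37 GET http://67.15.111.194/",
]


def _parse_part(part):
    """Parse one component the way inet_aton does: 0x is hex, a leading 0 is octal."""
    text = part.lower()
    if text.startswith("0x"):
        digits, base = text[2:], 16
    elif len(text) > 1 and text.startswith("0"):
        digits, base = text[1:], 8
    else:
        digits, base = text, 10
    allowed = "0123456789abcdef"[:base]
    if not digits or any(ch not in allowed for ch in digits):
        raise ValueError(f"not a number: {part!r}")
    return int(digits, base)


def canonical_ipv4(host):
    """Return the dotted-quad form of a numeric host, or None for a DNS name."""
    parts = host.rstrip(".").split(".")
    if len(parts) > 4:
        return None
    try:
        nums = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    *heads, tail = nums
    # Leading parts are single octets; the last part fills the remaining bytes.
    if any(n > 255 for n in heads) or tail >= 256 ** (4 - len(heads)):
        return None
    value = tail
    for index, octet in enumerate(heads):
        value |= octet << (8 * (3 - index))
    return str(ipaddress.IPv4Address(value))


def naive_is_blocked(url):
    """String match on the host as typed, the behaviour post #28 attributes to the filter."""
    return (urlsplit(url).hostname or "") in BLOCKED


def is_blocked(url):
    """Match on the canonical host so every spelling of an address hits the same entry."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return (canonical_ipv4(host) or host) in BLOCKED


def flag_obfuscated(log_lines):
    """Return (client, host, canonical) for numeric hosts not written as a dotted quad."""
    hits = []
    for line in log_lines:
        client, _method, url = line.split(maxsplit=2)
        host = urlsplit(url).hostname or ""
        canonical = canonical_ipv4(host)
        if canonical is not None and canonical != host:
            hits.append((client, host, canonical))
    return hits


if __name__ == "__main__":
    for url in ("http://www.ls1tech.com/", "http://1125085122/"):
        print(url, "naive:", naive_is_blocked(url), "normalised:", is_blocked(url))
    print(flag_obfuscated(SAMPLE_LOG))
```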
Old 11-14-2006, 11:30 AM
  #37  
TECH Senior Member
iTrader: (10)
 
Brandon Boomhauer's Avatar
 
Join Date: Nov 2001
Location: Gainesville, Denton TX
Posts: 8,766
Likes: 0
Received 0 Likes on 0 Posts
Default

Speed, great information, thanks for sharing that. How do I go about using that code in firefox?
Old 11-14-2006, 11:33 AM
  #38  
TECH Senior Member
iTrader: (24)
 
Reject's Avatar
 
Join Date: Apr 2005
Location: Texas
Posts: 9,195
Received 4 Likes on 3 Posts

Default

Revenge of the Nerds!!!


i keeed i keeeed lol
love this comp tech stuff
Old 11-14-2006, 11:44 AM
  #39  
TECH Junkie
iTrader: (2)
 
02sierraz71_5.3's Avatar
 
Join Date: Oct 2004
Location: Cornelius, NC
Posts: 3,473
Likes: 0
Received 0 Likes on 0 Posts
Default

the easiest thing is to use someone else's logon that has access, if they ask tell em they didn't log off. Most upper managers are clueless, I mean completely ignorant when it comes to network security yet they have all the privileges
Happy hacking
Old 11-14-2006, 01:27 PM
  #40  
TECH Senior Member
iTrader: (10)
 
cyphur's Avatar
 
Join Date: Mar 2003
Location: North Texas
Posts: 8,009
Likes: 0
Received 0 Likes on 0 Posts
Default

Speed, great rundown of information. Just keep it informational and cordial! Not everyone is an "expert" in the areas they claim expertise in.

When I have some more time I'll have to take a look at that script.

