Tuesday, January 16, 2007

Kevin Mitnick plays WoW

Okay.... I'm not going to pretend I'm not in Thrallmar running errands for gold and toys right now; but I take my deadline seriously, and haven't missed one yet. That said, I had planned to show some pics from the 'End of Beta' thing that had the GMs standing around Orgrimmar summoning crap and everyone spamming the yell channel like retards, but my screenshots got wiped when I uninstalled the beta and forgot to back up my folder.

Shuffling thru My Documents today in an effort to look busy at work, I came across a document I had typed up detailing the steps I took to circumvent my last school's 'Locked Down LAN'. The article was typed up back in March of 2006 for the benefit of my loser guild (none of them understood a single word of it), but I worked so hard on it that I saved it. The information inside is still perfectly relevant, and I've even updated it with pictures of unsavory criminals, and added hyperlinks for the lazy.

I figure we probably have a few readers that can relate to being stuck in a situation where the only internet traffic allowed is WWW, and they're going through Thrall Withdrawal. G.I. Joe used to tell me "knowing is half the battle", and some famous dead guy once said 'knowledge is power'.

Armed with these two quotes, I will dive head first into my phone like Neo and show y'all how the truly l33t among us get our groove on. This is all perfectly legal, but might upset a few people (network admins) if you're caught making them look stupid, or ---even worse--- you force them to fix holes in their 'secure' network.

Without further ado, may I present to you:

*how to bypass a corporate or school firewall*

One day, not too long ago, I found myself stuck in a LAN where the only open ports were 25 (SMTP), 21 (FTP), 53 (DNS), 80 (HTTP), and 443 (SSL).

This is a common situation. Most LANs are "locked down" for one reason or another... in schools they don't want you downloading dirty pictures on their pipe. In businesses, they don't want you screwing around on Instant Messaging apps when you should be busy in Excel or whatever. In hotels, they just hate you, and wish you would have gone to the motel across the street, so they can get back to downloading dirty pictures and screwing around on Instant Messaging apps like they were before you walked in the door.

But what if you really want to check your mail or repost an auction in World of Warcraft? What can you do in a situation like this? A little while ago, I thought I was out of luck. Then I started reading the internet (port 80 was open, after all), and realized a lot of people were in the same boat. I came across an application called SocksCap32 that can cram any application you choose into a "Socksified Wrapper" (their words, not mine), and shoot it out into the open wild.

Well, kind of... It can override any application that doesn't normally support SOCKS, and wrap it up. SOCKS, by the way, is "... a protocol that a proxy server can use to accept requests from client users in a company's network so that it can forward them across the Internet. Socks uses sockets to represent and keep track of individual connections. The client side of Socks is built into certain Web browsers and the server side can be added to a proxy server."
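What "socksified" traffic actually looks like on the wire is a small, fixed handshake. The block below is an added example, not code from the original post or from SocksCap32/HTTPort: it builds the SOCKS4 CONNECT request a wrapped application sends to a local SOCKS server (the 127.0.0.1:1080, version 4, name-only configuration used later in step 5), parses it on the server side, and answers with the 8-byte reply. It also goes a little past the post by handling the SOCKS4a hostname form, and the server half applies a destination-port allowlist to show where a SOCKS server can enforce policy before it opens anything. The address 203.0.113.10 is a documentation address and the user name is made up; 3724 is the login port the post names.

```python
import socket
import struct

# SOCKS4 wire constants. Replies carry 0 in the version byte, not 4.
SOCKS4_VERSION = 4
CMD_CONNECT = 1
REPLY_VERSION = 0
REQUEST_GRANTED = 0x5A
REQUEST_REJECTED = 0x5B


def build_connect_request(dst_ip: str, dst_port: int, userid: str) -> bytes:
    """Client side: VN, CD, DSTPORT, DSTIP, USERID, NUL."""
    return (struct.pack("!BBH", SOCKS4_VERSION, CMD_CONNECT, dst_port)
            + socket.inet_aton(dst_ip)
            + userid.encode("ascii") + b"\x00")


def parse_connect_request(data: bytes) -> dict:
    """Server side: decode a CONNECT request.

    SOCKS4a is recognised by a DSTIP of 0.0.0.x (x != 0); a NUL-terminated
    hostname then follows the USERID.
    """
    if len(data) < 9:
        raise ValueError("truncated SOCKS4 request")
    vn, cd, port = struct.unpack("!BBH", data[:4])
    if vn != SOCKS4_VERSION:
        raise ValueError(f"not a SOCKS4 request (version byte {vn})")
    if cd != CMD_CONNECT:
        raise ValueError(f"unsupported command {cd}")
    ip = socket.inet_ntoa(data[4:8])
    nul = data.find(b"\x00", 8)
    if nul == -1:
        raise ValueError("USERID is not NUL-terminated")
    req = {"ip": ip, "port": port, "userid": data[8:nul].decode("ascii"), "host": None}
    if ip.startswith("0.0.0.") and ip != "0.0.0.0":
        end = data.find(b"\x00", nul + 1)
        if end == -1:
            raise ValueError("SOCKS4a hostname is not NUL-terminated")
        req["host"] = data[nul + 1:end].decode("ascii")
    return req


def build_reply(granted: bool) -> bytes:
    """Server side: 8-byte reply; DSTPORT/DSTIP are zero for CONNECT."""
    code = REQUEST_GRANTED if granted else REQUEST_REJECTED
    return struct.pack("!BBH", REPLY_VERSION, code, 0) + socket.inet_aton("0.0.0.0")


def reply_granted(data: bytes) -> bool:
    """Client side: read the server's verdict."""
    if len(data) != 8 or data[0] != REPLY_VERSION:
        raise ValueError("malformed SOCKS4 reply")
    return data[1] == REQUEST_GRANTED


def socks4_exchange(dst_ip: str, dst_port: int, userid: str, allowed_ports):
    """Run both halves of the handshake in-process.

    The allowlist stands in for the policy a SOCKS server can apply before it
    connects anywhere; a bare SOCKS4 server applies none.
    """
    request = build_connect_request(dst_ip, dst_port, userid)
    parsed = parse_connect_request(request)
    verdict = build_reply(parsed["port"] in allowed_ports)
    return parsed, reply_granted(verdict)


if __name__ == "__main__":
    # Constructed example: documentation address, made-up user, the post's login port.
    parsed, ok = socks4_exchange("203.0.113.10", 3724, "isobelle", {3724})
    print(parsed, "granted" if ok else "rejected")
```

Note that the USERID field is the only "authentication" SOCKS4 has: it is sent in the clear and never checked against anything by default, which is why a SOCKS listener should be bound to loopback (the post's "Accept only connections from this PC" setting) rather than left reachable from the LAN.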

That sounded promising, and I was on the right track.

A proxy server is used in most big corporate LANs as a way of filtering what websites get seen, or just to keep track of where the LAN's surfers are going. It can also speed up browsing in a closed LAN. If everyone visits that same page every day, a proxy can keep a copy of that page cached so that the request inside the LAN can be dealt with without having to ever even go all the way outside the LAN to the internet. A proxy server can ALSO be used to redirect a request for a webpage. If I'm sitting in Texas, but have my browser configured to relay my requests through Nigeria, then I go visit Yahoo.com, yahoo's servers see the request coming from Nigeria, instead of Texas. People get all fruity and use three or four proxies in a chain and bounce their request from Texas to Nigeria to Poland to Russia, then go to Yahoo and think they're awfully clever. The fact remains that all those bounces are still traceable, and although it would be more of a pain in the rear to track you, it's pretty much never impossible. I could pretty much care less who sees where I'm going, though. I'm going to Azeroth, not Scotty's House of Barely Legal Teens.

I looked on the internet and found lists of free 'open' proxies (no username or password required to use them) that ran on one of my few open ports... 53 was out, because I still needed to do DNS resolution, but 80 and 443 were available. I got on a public proxy, loaded its address in the Connections tab of Internet Explorer's options, and tried to request a page. It loaded, albeit slowly, and I thought I was almost there! I added that same proxy's info into SocksCap32, and launched WoW socksified... and nothing happened. It timed out trying to log in...

Grrr.

So... what happened? I'm not positive, but I believe that even though I was attached to an outside point, and shooting WoW's traffic over this port 80 link, after it got to my open proxy (in India, lol) it unpacked, and started shooting the handshake to log into WoW over the regular Blizzard port (3724). These requests may have even been met, but when the traffic returned to India to say 'ok! go ahead and log in!', India was like 'World of Whatthefuck?' and the walls came tumbling down.

OK.

At any rate, it was progress. So I needed to find a way to get the packets out of my LAN, to a box on the outside that would then shoot the packets along, and when the response came back from the WoW login servers, it would wrap them back up, and shoot them back through the unblocked port 80 on my LAN, back to my box that would be eagerly awaiting news from Blizzard on whether or not I could log in now.

I started digging around again. I came across the concept of "Tunneling HTTP Requests" again and again, and I kept seeing SocksCap32 mentioned in conjunction with this process. I came across two commercial products that seemed to do what I needed, HTTP-Tunnel and Hopster (*Hopster may be defunct since the writing of the article? can't find it anymore...-iso).

I downloaded and tried them both, and huzzah, they both worked. I launched HTTP-Tunnel (or Hopster), connected to THEIR OWN PRIVATE tunnel, and launched WoW socksified... ta daa...! I connected from inside my 'locked down' LAN. I was very pleased with this result, and many people will stop reading this right here and get to it. Grats. You have found the easy way!

That's great, but my ping was awful. I'm talking 5000ms. Walking around the Undercity was barely manageable. In the past, I used to connect to my home box using remote desktop software (across one of my open ports) and launch WoW on that box, and try to read my mail that way... Playing a full 3D game across something like TightVNC doesn't work... it takes a good five minutes to walk from the auction house in Orgrimmar to the mailbox by the bank. The lag makes you overshoot it, and then you back up too far, and then you screw up your camera so you're looking straight up into the sky... it's retarded.

This situation was *better*... but not much. I was rendering the game locally, but my packets were still taking unnecessary hops across the globe and back.

I read up some more on these two programs. It turns out they apparently throttle you down to 1-2k/s during the free demo. HTTP-Tunnel is 1.5k/sec, but you can run it forever gimped like that. Hopster's retarded demo gives you a whopping 2k/sec, but it has these pop up banners every 15 seconds or so, and then shuts off after like 5 minutes of use. Neither of these companies actually SELLS an unlocked version that I could buy; you SUBSCRIBE to their faster connection (paying for access to their own "tunnel")... it's a couple of bucks a month, but I no longer reside in the continental United States, and therefore am hard pressed to come up with American money. Anyway, if you absolutely must use one or the other of the free versions of these two, I'd recommend that you get HTTP-Tunnel.

I, on the other hand, was like 'yeah right, if they have a fancy tunnel, **I** can have a fancy tunnel', and set out to build my own.

I dug around on the internet again (see a pattern forming here?), and came up with my salvation: HTTPort and HTTHost. FREE software to do exactly what these guys were doing... HTTHost sits on a box of your own out in the wild, and HTTPort sits on your box inside the locked down LAN. You stretch a tunnel out from inside your locked down LAN to the box running HTTHost, and it unpacks the data at that end, sends the requests along, and when it gets responses ("ok! ready for you to login!") it wraps them back up in the tunnel and sends them back through the hole in your LAN's firewall (firewall: "What's this? Traffic on port 80? That must be a webpage! Move along!"). ... BUT!

BUT!

The server end of the tunnel only runs on Windows. Yeah, you can run it under WINE or whatever on Linux but that's just stupid. Why you would run Windows programs on a Linux box is just beyond me. Any extra layers of emulation are just going to slow things down. I'm not exactly dealing with supercomputers... I just so happened to have an old Dell 900 something-or-other laying around. I bought another NIC (that's an Ethernet card), threw Windows 2000 on it, and made it into my router at home (Look up "Windows ICS" on Google for how to do that, and what to watch out for).

I won't lie and say I feel wonderful about having a naked Windows 2000 box flapping around in the breeze as my router, but the Linksys BEFW11S4 I was using before wasn't winning any uptime awards, so it's not like I'm sad to see it replaced. I even downloaded IPCop, and tried to build a Linux router out of the Dell, and even had it up and running before I realized that HTTHost only ran on Windows. Wow... ok, whatever, reformat...

OK!

So now I have a locked down Dell Router that's attached directly to the internet, and I've installed HTTHost as a service on that box, and bound it to a port that I know can get through my firewall here in my LAN. I've given the Windows box a ridiculous password, and given HTTHost a DIFFERENT password than my root account on the Windows box (HTTHost's password can easily be sniffed if someone were so inclined, but honestly... I'm checking my mail in WoW here... this isn't to hide nuclear trade documents or whatever... big deal, if they find out my HTTHost password, they can use my tunnel, too... oh noes). All that was left was to launch HTTPort from inside the LAN, enter the location, port, and password of my new Dell Router, connect (thereby 'building the tunnel'), and launch WoW Socksified.

w00t. I logged in and pooped myself. It was just a little bit, and didn't make a big mess. Keep in mind that while it might have taken you a minute or two to read this far, this was about 2 or 3 days later for me. It's not like I was slaving over a hot keyboard for 12 hours a day, but my days are slow here sometimes, and it was keeping me entertained during the daily lulls.

My Dell router at home is connected to a stupid fast pipe by most home connection standards (10Mbit connections in my area of Japan go for 20 bucks a month), but that doesn't mean that I'm getting 100ms pings all of a sudden. My pings are now in the 600ms range, which is more than fine to check mail and comb the auction house. I don't expect to be main-tanking Molten Core from where I am, and I'm certainly not going to try and run Counter-Strike... but a lag friendly game like Yu-Gi-Oh Online or something not too intense like the mailbox in Brill is more than doable, and I'm not paying anyone for subscriptions.

Well, except Blizzard and my ISP, but duh.

To summarize:

1. Build a Windows Router. Windows 2000 Pro or Windows XP will work. Windows XP has the built in Firewall, or you gain some knowledge and read up on how to secure a naked Windows Box on the "big scary internet"... which services to disable, etc. Even if you go with XP, there are still extra steps to take to make sure it's safe. For the most part, this box will do nothing but be a router. Don't dial in and use it for anything else. Lock it down, and let it do its own thing. Put Apache or an FTP server up there, just don't use it to browse porn sites, especially if you love clicking on pop ups.

2. Download three apps, they are all free. SocksCap32.exe, HTTHost, and HTTPort. Google is your friend.

3. Install HTTHost on the server (Windows Router). Launch it, and specify an open port that is available to you inside your LAN. 80 is recommended, as anything with an internet connection is going to allow basic "http" 99% of the time. In the event that you do decide to install an Apache webserver or (heaven forbid) IIS on this box as well, the HTTHost app even does swanky redirecting for web requests coming into the server. It shifts all the requests to port 81 transparently, so HTTHost is running on port 80, but 'so is Apache'.

In the 'Bind External To:' window, put your Windows Router's WAN IP address. (Don't know it? Visit http://checkip.dyndns.org from the Windows Router box.) If you don't have a static IP, you can get a dynamic hostname from dyndns.org and put the domain name you chose in that window. That's what I did. Google for 'dyndns.org' or just go to the site to figure out what that will do for you. It would be good to get a client that updates your dynamic DNS entries on the Windows Router box as well. Once you set it all up you can forget it, and it will take care of itself. THIS DYNDNS STEP IS TOTALLY OPTIONAL, BUT VERY HANDY. If you don't do it, you'll need to change the 'Bind External To:' window each time you get a new IP on the Windows Router. Read up on dyndns.org. It's handy.

4. Install HTTPort and SocksCap32 on the client (the box inside the 'locked down LAN').

5. Set up SocksCap32. Under SocksCap's settings (File > Settings), set the SOCKS Server to be your own box by entering 127.0.0.1 in the first window, and 1080 as the port. Check the SOCKS Version 4 radio button down below and enter your name (or whatever) in the name field.

6. Make an entry in SocksCap32 for the game or whatever application you want to use. Do this by dragging the icon of the game (the actual icon, not a shortcut) into the SocksCap32 window, and hitting 'New Application Profile...' Then hit OK. Ta-Daa.

7. Configure HTTPort. The Tabs of this app break down as follows:

System: Check "Accept only connections from this PC"

Proxy:
Top Half -> empty.
"Misc options" -> User-Agent: HTTPort 3.SNFM, Bypass mode: Remote Host
Bottom Box -> The address of your Windows Router, port it's using, and password you put on it.

Port Mapping:
Top Half -> empty (there was some AOL and Yahoo IM crap in there, I just deleted it)

Built in SOCKS4 server: check both boxes!! This part is important, as this setting means "my box that I'm on now is the beginning of the tunnel". This is why, when you set up SocksCap32, you set 'your own machine' as the SOCKS server (above, in step 5).

8. Launch HTTPort (inside the locked down LAN) and connect to the HTTHost box (your Windows box sitting out in the wild). Launch SocksCap32 and double click the application's icon that you created within SocksCap32.

Note that you don't need to stick to World of Warcraft here... you can use this method to run IRC or whatever, but remember you will be running the app back and forth thru a pipe that is taking extra hops to your house or office or whatever and back... the speeds won't be blazingly fast. Chatting over IRC would work fine, but don't expect to be downloading anything or whatever, and I seriously wouldn't even waste my time with P2P apps or anything. That would just be silly, and probably illegal. :P


Note* This article is the documentation of my own journey to find out how something like this could be done. I do not endorse using this method to break the law or make your network admins crazy. I myself was a network admin for 6 years before coming to Japan, where I now teach English. If you are a network admin, then maybe this can serve as a lesson in how your LAN can be circumvented. Take this knowledge and make your LAN better. Knowledge is power, yadda yadda yadda.
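For the admins the note above is talking to: the firewall's rule earlier in the post ("Traffic on port 80? That must be a webpage!") is exactly the check a tunnel is built to pass, so the useful signal is in the proxy log, not the port number. The following is an added example, not code from the original post or from any of the tools it names. It reads a constructed proxy log in an assumed format (`timestamp client method host:port status request_bytes response_bytes "user-agent"`) and flags three things: the `HTTPort 3.SNFM` User-Agent string the post's own configuration sends, a `CONNECT` to any port other than 443, and the behavioural fingerprint of an HTTP tunnel, which is a client that does nothing but POST to one host at a steady rate. The hostnames and addresses in the sample log are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the original post). One request per line:
# timestamp client method host:port status req_bytes resp_bytes "user-agent"
SAMPLE_LOG = """\
1168963200 10.0.0.5 GET www.example.com:80 200 412 18233 "Mozilla/4.0 (compatible; MSIE 6.0)"
1168963204 10.0.0.5 GET www.example.com:80 200 398 2210 "Mozilla/4.0 (compatible; MSIE 6.0)"
1168963205 10.0.0.5 POST www.example.com:80 200 880 1305 "Mozilla/4.0 (compatible; MSIE 6.0)"
1168963200 10.0.0.7 POST tunnel.example.net:80 200 1460 1460 "HTTPort 3.SNFM"
1168963201 10.0.0.7 POST tunnel.example.net:80 200 1460 1460 "HTTPort 3.SNFM"
1168963202 10.0.0.7 POST tunnel.example.net:80 200 1460 1460 "HTTPort 3.SNFM"
1168963203 10.0.0.7 POST tunnel.example.net:80 200 1460 1460 "HTTPort 3.SNFM"
1168963204 10.0.0.7 POST tunnel.example.net:80 200 1460 1460 "HTTPort 3.SNFM"
1168963210 10.0.0.9 POST relay.example.org:443 200 1024 1024 "Mozilla/4.0 (compatible; MSIE 6.0)"
1168963211 10.0.0.9 POST relay.example.org:443 200 1024 1024 "Mozilla/4.0 (compatible; MSIE 6.0)"
1168963212 10.0.0.9 POST relay.example.org:443 200 1024 1024 "Mozilla/4.0 (compatible; MSIE 6.0)"
1168963213 10.0.0.9 POST relay.example.org:443 200 1024 1024 "Mozilla/4.0 (compatible; MSIE 6.0)"
1168963214 10.0.0.9 POST relay.example.org:443 200 1024 1024 "Mozilla/4.0 (compatible; MSIE 6.0)"
1168963220 10.0.0.11 CONNECT login.example.net:3724 200 0 0 "Mozilla/4.0 (compatible; MSIE 6.0)"
"""

LINE_RE = re.compile(
    r'^(\d+)\s+(\S+)\s+(\S+)\s+([^\s:]+):(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]*)"$'
)

# User-Agent prefix the post's HTTPort "Misc options" setting sends.
KNOWN_TUNNEL_AGENTS = ("HTTPort",)


def parse_line(line: str):
    """Return one request record, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, host, port, status, req_b, resp_b, ua = m.groups()
    return {"ts": int(ts), "client": client, "method": method, "host": host,
            "port": int(port), "status": int(status), "req_bytes": int(req_b),
            "resp_bytes": int(resp_b), "ua": ua}


def find_tunnels(log_text: str, min_posts: int = 5, window: int = 60, post_ratio: float = 0.9):
    """Return sorted (rule, client, target) findings.

    post-only-stream fires when a client's traffic to one host is almost all
    POSTs and at least min_posts of them fall within `window` seconds: the
    polling rhythm of a tunnel carrying a live TCP stream inside request bodies.
    """
    findings = set()
    per_pair = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["ua"].startswith(KNOWN_TUNNEL_AGENTS):
            findings.add(("known-tunnel-agent", rec["client"], rec["host"]))
        if rec["method"] == "CONNECT" and rec["port"] != 443:
            findings.add(("connect-non-443", rec["client"], f'{rec["host"]}:{rec["port"]}'))
        per_pair[(rec["client"], rec["host"])].append(rec)

    for (client, host), recs in per_pair.items():
        posts = sorted((r["ts"] for r in recs if r["method"] == "POST"))
        if len(posts) < min_posts or len(posts) / len(recs) < post_ratio:
            continue
        # any min_posts consecutive POSTs inside the window is enough
        for i in range(len(posts) - min_posts + 1):
            if posts[i + min_posts - 1] - posts[i] <= window:
                findings.add(("post-only-stream", client, host))
                break
    return sorted(findings)


if __name__ == "__main__":
    for rule, client, target in find_tunnels(SAMPLE_LOG):
        print(f"{rule:20} {client:10} {target}")
```

The User-Agent rule is the cheapest and the weakest, since the string is a free-text setting. The behavioural rule is what survives a renamed agent or a move to port 443 (the `10.0.0.9` case above carries a browser agent over 443 and is still flagged), and the `CONNECT` rule reflects the usual proxy policy of permitting `CONNECT` only to 443. Tune `min_posts` and `window` against a baseline of real browsing; form submissions and AJAX-heavy sites can produce short POST bursts, which is why the ratio check looks at all traffic to the host rather than POSTs alone.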

I have no intention of following up on this, posting answers to anyone’s questions. It took me about 3 days of searching the internet and actually trying to find out the info for myself. If you honestly can’t get it working with just HTTP-Tunnel and SocksCap32, then any response I would give would be over your head anyway.

Good luck out there.

(send your gold and epics to) Isobelle
