Unusual firewall bypassing techniques, network and computer security.

There were doors all round the hall, but they were all locked; and when Alice had been all the way down one side and up the other, trying every door, she walked sadly down the middle, wondering how she was ever to get out again.

Lewis Carroll "Alice In Wonderland"

NACS bypassing

Active port forwarder is a software tool for secure port forwarding. It uses SSL to increase the security of communication between a server and a client. Originally, it was developed to forward data point to point. However, the need to bypass firewalls in order to connect to internally located computers influenced the further development of the project.

Cctt, "Covert Channel Tunneling Tool" - a tool presenting several exploitation techniques that allow the creation of arbitrary data transfer channels in the data streams authorized by a network access control system.

Cooking channels - from the paper "How to cook a covert channel", a set of two Python scripts (CGI and client) that build a communication channel over HTTP cookies.

Firepass - a tunneling tool that bypasses firewall restrictions by encapsulating data flows inside legal ones, using HTTP POST requests. TCP or UDP based protocols may be tunneled with Firepass. For now, both the client and server parts are written in Perl, and the server script acts as a CGI program.

g00gle CrewBots - from the paper "g00gle CrewBots", a set of two POC Python scripts that set up communication channels over g00gle.

MsnShell - a covert channel tunneling tool for remotely controlling a Linux computer protected by a firewall. MsnShell encapsulates shell commands and responses within the MSN protocol and consists only of an executable file named "MsnShell Server".

Wsh, "Web Shell" - a remote UNIX/WIN shell that works via HTTP/HTTPS. The package contains two Perl scripts for the server and client hosts, one C source file and one Java servlet for the server host: the client script is for console usage, and the server scripts run as CGI/Servlet scripts on the target host.

Tunneling and Covert Channels Detection

Cctde - a first implementation of the GW paper "Covert Channel and Tunneling over the HTTP protocol Detection: GW implementation theoretical design". It is currently designed as an analysis back-end for the Snort NIDS tool and focuses on providing a way to register and disclose information leading to the detection of unauthorized tunnels and covert channels.

NACS bypassing (Proof Of Concept)

Skeeve is a POC tool for creating an ICMP tunnel between two computers, which may be located in different networks and separated by a firewall. Skeeve uses ICMP packets and IP address spoofing to create a data channel and redirects TCP connections inside this channel.

HttPostNG is a funny POC that converts a text file into one or several PNG images and sends them to a remote CGI in HTTP POST requests, so that the network-based "detector" has to figure out whether all the POST images it monitors are legitimate or suspicious.

Trt-scapy is another implementation of the 0trace tool, based on Scapy.

etc/passwd - a honey page that collects statistics on Google search requests for sensitive file names.

Current working projects

You can learn more about our current and future projects at :

Httpostng - a POC tool that converts a text file into one or several PNG images and sends them to a remote CGI, so that a detector has to figure out whether all POST images are legitimate or suspicious.

GNU General Public License
GNU Free Documentation License