
Multitun is a tunnel that encrypts connections and sends them in bulk over a web socket, which is a web standard. So firewalls that ensure the expected protocol is running on the allowed port will just pass it through as being compliant with HTML. Is there anything a firewall or filtering system can do to detect this kind of tunnel, which adheres to standards and utilizes a protocol generally allowed through by the organization? Is detecting such a thing feasible?

HorseHair

1 Answer


The detection of this type of tunnel is a little bit difficult, since they use well-known protocols which are generally allowed through firewalls. Detection of such tunnels requires machine learning techniques, but there is a chance of getting FPs.

Tool Fingerprinting:

There are various tools that tunnel data over well-known protocols, like iodine, dnscat and ptunnel. Fingerprinting these tools is one idea for detecting the tunnel. Detecting these tools requires knowledge of the protocols; for that, refer to the RFCs, learn every aspect of the protocol and apply it to detect the tunnel. Now create an environment with the tool, capture the traffic using any ethereal tools (Wireshark, tcpdump, etc.) and analyze the traffic. You will definitely find some patterns which are unique to the tool. I'm saying this because I've detected the above-mentioned tools and more using this method, because writing machine learning code requires more effort.

The drawback of detecting tunnels using patterns is that you have to check for updates whenever there are any for the tool, but from what I've seen the pattern is always the same for all the tools.

ifexploit
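As an added illustration of the pattern-based approach the answer describes (this is example code written for this page, not something from the post or from the multitun, iodine or dnscat projects), the block below scores constructed flow records and DNS queries with simple heuristics a defender could run over exported capture metadata: a WebSocket flow is flagged when it is long-lived and carries large, roughly symmetric volume in both directions, which is what a bulk tunnel looks like and what a browser chat widget does not; a DNS query is flagged when its leftmost label is unusually long, high in entropy, or uses a record type rarely seen from ordinary clients. All thresholds and the sample records are assumptions chosen for the demonstration; they are the kind of values you would tune against your own baseline traffic, and as the answer warns they will produce some false positives.

```python
import math
from collections import Counter

# Constructed flow records standing in for what a capture tool (Wireshark, tcpdump)
# or a flow exporter would give you after parsing. These are not real captures.
FLOWS = [
    # ordinary short browser WebSocket session (e.g. a chat widget)
    {"id": 1, "dst_port": 443, "duration_s": 40, "bytes_in": 3_000,
     "bytes_out": 1_200, "websocket": True},
    # long-lived WebSocket moving tens of megabytes in both directions
    {"id": 2, "dst_port": 443, "duration_s": 7_200, "bytes_in": 48_000_000,
     "bytes_out": 41_000_000, "websocket": True},
    # plain HTTPS download: large but one-directional, no Upgrade handshake
    {"id": 3, "dst_port": 443, "duration_s": 30, "bytes_in": 20_000_000,
     "bytes_out": 15_000, "websocket": False},
]

# Constructed DNS queries; the last one imitates the shape of an iodine/dnscat
# style query (long random-looking label, unusual record type).
DNS_QUERIES = [
    {"id": 10, "qname": "www.example.com", "qtype": "A"},
    {"id": 11, "qname": "mail.example.com", "qtype": "MX"},
    {"id": 12, "qname": "zx9q3k8v1lm0p7wnej2r5t6y4u8i1o3a.t.example.com", "qtype": "NULL"},
]


def shannon_entropy(text):
    """Bits of entropy per character in `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def websocket_tunnel_suspect(flow, min_duration_s=600, min_total_bytes=1_000_000,
                             max_direction_ratio=5.0):
    """Heuristic for a bulk tunnel riding on a WebSocket (assumed thresholds).

    Flags flows that completed the WebSocket upgrade, stayed up for a long time,
    moved a lot of data, and did so in both directions at a similar rate.
    """
    if not flow.get("websocket"):
        return False
    if flow["duration_s"] < min_duration_s:
        return False
    total = flow["bytes_in"] + flow["bytes_out"]
    if total < min_total_bytes:
        return False
    low, high = sorted((flow["bytes_in"], flow["bytes_out"]))
    return high / max(low, 1) <= max_direction_ratio


def dns_tunnel_suspect(query, max_label_len=30, min_entropy=3.5,
                       odd_qtypes=("NULL", "TXT", "KEY")):
    """Heuristic for DNS-based tunnels (assumed thresholds).

    Two of three indicators must fire: an overly long leftmost label, a label
    with high character entropy, or a record type rarely asked for by clients.
    """
    first_label = query["qname"].split(".")[0]
    indicators = (
        len(first_label) > max_label_len,
        shannon_entropy(first_label) >= min_entropy,
        query["qtype"].upper() in odd_qtypes,
    )
    return sum(indicators) >= 2


def scan_flows(flows):
    """Return the ids of flows the WebSocket heuristic flags, in order."""
    return [f["id"] for f in flows if websocket_tunnel_suspect(f)]


def scan_dns(queries):
    """Return the ids of DNS queries the DNS heuristic flags, in order."""
    return [q["id"] for q in queries if dns_tunnel_suspect(q)]


if __name__ == "__main__":
    print("suspect websocket flows:", scan_flows(FLOWS))
    print("suspect dns queries:", scan_dns(DNS_QUERIES))
```

The WebSocket check deliberately ignores the destination port: the question's point is that the tunnel uses the allowed port and a standards-compliant protocol, so the only handle left is behaviour (session length, volume, symmetry), which is why a baseline of what normal WebSocket use looks like on your network matters more than any fixed threshold.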