FIREPASS VERSION 1.1.2a ======================= ================================================================================ GRAY-WORLD.NET / FIREPASS ========================= The FIREPASS program is part of the Gray-World.net projects. Our Team presents at the http://gray-world.net website the projects and publications, we are working on, which are related to the NACS (Network Access Control System) bypassing research field as well as to the computer and network security area. ================================================================================ ABOUT ===== FIREPASS is a tunneling tool that can encapsulate TCP or UDP based protocols within legal HTTP POST requests, therefore bypassing firewall restrictions. For now, the client and server is written in Perl, the server script running as a CGI program. To run FIREPASS you'll need the following: * A box located inside your local network, with Perl and the ability to send HTTP messages to the external network (Internet), either directly or indirectly through a HTTP proxy * A HTTPd server located on the external network (with Perl also) where you can place / run CGI scripts and establish outgoing connections (Most commercial hosting providers and some public ones allow this) FIREPASS' key feature is that you can chain several installations of the server and they never need to bind to a port; therefore, it is undetectable by most Administrators. There is only an unusual HTTP dialog between the client and server ; aswell, the HTTP messages are send fairly often. But this is configurable in the FIREPASS client with a special delay option between HTTP requests, and can be used for any non-time-critical protocols. This FIREPASS version is alpha, so there still may be some bugs... including SECURITY bugs! Please read the section "HOW IT WORKS" carefully to understand all the possible risks you may be exposed to. I do not provide any guarantees that this program works properly. HOW IT WORKS ============ TCP/UDP clients TCP/UDP services \\\ ^^^ (5)\\\(1) (3)||| \\\ ||| |----------| (2) |----------| (2) |----------| | HOST "A" | --- HTTP POST --> | Host "B" | --- HTTP POST --> | Host "C" | | | <---------------- |HTTP proxy| <---------------- | httpd | |----------| (4) |----------| (4) |----------| FIREPASS client (optional) FIREPASS server fpclient.pl /cgi-bin/fpserver.cgi (1) The TCP/UDP client connects to Host "A", where the FIREPASS client is running and listening on a TCP/UDP port as a daemon; (2) The FIREPASS client accepts the connection, reads the data, builds a connection to Host "C" directly or via a HTTP proxy and then sends the data to our HTTPd (to the default port 80/TCP) as an HTTP post request to the FIREPASS server script; If this is the first request for the current session, then the FIREPASS client attaches additional HTTP header lines that contain our redirect rule. (3) The FIREPASS server reads the data from STDIN, as specified by the CGI protocol. Then, if this is the first HTTP message for the current session it forks a Connection Manager, otherwise it transfers the data to our existing Connection Manager through a file sitting in a local directory on Host "C" . The Connection manager reads this file's data and builds a TCP/UDP connection to the target service and sends data. If there is data to be read from the target service, it reads it and transfers it to the FIREPASS server CGI script through another local file on Host "C". (4) On each run, the FIREPASS server CGI script checks a local file for incoming data and if present - sends it to the FIREPASS client as a HTTP response message. (5) The FIREPASS client receives data from the target service inside of a HTTP message, extracts it and then sends it to its client. That's it! If there is no incoming/outgoing data, FIREPASS client / server just sends empty HTTP request/response messages. INSTALL ======= Inside `` - shell commands. SERVER HOST (httpd) ------------------- * Place the FIREPASS server script 'fpserver/fpserver.cgi' and the 'fpserver/conf' directory under your target host's 'cgi-bin' directory, check the path to Perl inside of fpserver.cgi. (default /bin/perl); * Create 2 directories - 'inout' and 'log' (for example into /var/tmp) `chmod 777 inout log` or `chown : inout log && chmod 700 inout log` fpserver.cgi should be able to read/write files inside these directories; * Update FIREPASS server configuration files: conf/fpserver.conf : Configuration file; conf/fpserver.allow : Access list file. * Run fpserver.cgi with 'configure' option and path to fpserver.conf file: `./fpserver.cgi configure conf/fpserver.conf` After configure, the fpcnf.cache file will be created in the same directory as fpserver.cgi. CLIENT HOST ----------- * Check path to perl in the FIREPASS client script fpclient.pl; * Update FIREPASS client configuration files: conf/fpclient.conf : Configuration directives; conf/fpclient.rules : Redirect rules; conf/fpserver.allow : Access list file. All pathes in the '.conf' files should be absolute or relative to the script's location. -NOTE------------------------------------------------------------------------- Some HTTPds (Russian Apache for example) may modify data before it gets passed to the CGI script, this is done to support the server's default cyrillic encoding. Data flow will get corrupted because of this, and you'll need to turn off this web server "feature". For Russian Apache add next lines to httpd.conf file: CharsetDisable On ..and restart HTTPd ---------------------------------------------------------------------------- USAGE ===== Run FIREPASS client: ./fpclient.pl conf/fpclient.conf [SERVER]/cgi-bin/fpserver.cgi PLATFORMS ========= I've tested it with: * SunOS 5.8 + Perl 5.005_03; * Mandrake Linux (kernel version 2.4.19) + Perl 5.8.0; * Windows 2000 / XP + ActivePerl 5.8.0.806; If you could run FIREPASS on other platforms, let me know :) EXAMPLES ======== I've successfully used FIREPASS to tunnel the following protocols: * TELNET; not too fast ;) * HTTP; Seems to work for me. I recommend you use HTTP/1.0 + a non "Keep-Alive" connection from your favourite browser to prevent unnecessary FIREPASS traffic. * ICQ; Found some problems here... mainly during the application-level, handshake procedure when ICQ tries to establish more than 12 TCP connections at the same time. Some HTTP proxies (including one I play with) may not allow such a great number of connections from one IP. That's why the proxy will answer with a HTTP "Forbidden" message on the next connection attempt. I have found a work-around: while keeping your connection to the ICQ client alive, the FIREPASS client will attempt to build a connection through the HTTP proxy, until it gets HTTP/200 response. Actually, ICQ sometimes works and sometimes not... because of HTTP/404 "Not found" errors from login.icq.com server without any reason (from my point of view). If anyone is familiar with the ICQ protocol then please write me an email to discuss the problem. LICENSE ======= Firepass is distributed under the terms of the GNU General Public License v2.0 See the file COPYING for details. AUTHOR ====== Alex Dyatlov Project homepage: http://gray-world.net Firepass Message board is also available at http://gray-world.net/board/ Feature requests and bug reports are welcome! THANKS ====== Simon Castro French README. FIREPASS testing. English spelling mistakes checking. Hadi El-Khoury English spelling mistakes checking. Brian Otto He help me to run FIREPASS in the WIN environment and to fix spelling mistakes in this file.