Circumventing Deep Packet Inspection with Socat and Rot13 (opens in new tab)

(gist.github.com)

151 pointsjortr0n4y ago38 comments

38 comments

Not at all the main point, but tr can do rot13 and more; plus GNU Coreutils' implementation is fast:

    $ time openssl rand -base64 1000000000 | tr a-z n-za-m >/dev/null

    real    0m1.073s
    user    0m1.327s
    sys     0m0.644s
    $ time openssl rand -base64 1000000000 | rot13 >/dev/null

    real    0m19.225s
    user    0m20.101s
    sys     0m0.747s

sporksmith4y ago

Folks interested in the state of the art of this kind of DPI evasion might want to check out obs4, which is a "look-like nothing obfuscation protocol", and the default pluggable transport for connecting to tor bridges from places where tor is blocked.

obs4: https://github.com/Yawning/obfs4

obs4 in tor: https://support.torproject.org/glossary/obfs4/

MadsRC4y ago

I love this! Using a 2000+ year cipher to circumvent Deep Packet Inspection seems almost poetic.

I feel like the article missed out on mentioning one key thing: Using a deny-list doesn’t work. It’s much more viable to default block and allow the stuff you know you’ll allow. Defaulting to allow and blocking stuff you don’t want is how you end up being owned by rot13.

pdkl954y ago

http://www.ranum.com/security/computer_security/editorials/d...

"The Six Dumbest Ideas in Computer Security"

> #1) Default Permit

> #2) Enumerating Badness

MiddleMan54y ago

Reading point #4 on a site called "Hacker News" seems rather ironic.

I wonder how you might encourage deeper introspection into software infrastructure security vulnerabilities, both from closed source companies and from obscure open source projects, without "spreading breadcrumbs for the roaches"

c0balt4y ago

Thank you for sharing the post. It made my day so far, I actually want to re-read it and take notes.

throw0101a4y ago

In case someone is not aware, socat allows for TLS connections with the OPENSSL-LISTEN and OPENSSL options:

* http://www.dest-unreach.org/socat/doc/socat.html#ADDRESS_OPE...

Just create a self-signed certificate:

    openssl req -newkey rsa:2048 -nodes -keyout socat.key -x509 -days 1000 \
        -subj '/CN=www.mydom.com/O=My Company Name LTD./C=US' -out socat.pem

for the server and tell the client not to check ("verify=0").

belter4y ago

The method is interesting as a mental exercise and its archaeological interest. If you are a company employee be careful about trying these or any other type of tunneling or deep packet inspection circumvention methods.

Some companies mention in their employment contracts these type of circumvention activities, unless explicitly allowed, are a firing offense.

throwaway9843934y ago

At one job I tunneled out of work to my home PC, and the head security guy found out and made a big stink, and I got fired

sockpuppet_124y ago

It's interesting how the pendulum of ideas swings back and forth over history, similar problems arise and similar solutions to them resurface also. It would be great to see that on some kind go graph or timeline.

zokier4y ago

> They permit SSL to some known websites (for https), but the moment I try to create an SSL or SSH connection to an unknown server (eg. to the bastion box), their gateway instantly terminates the TCP connection!

They are clearly already whitelisting connections, but still allow unidentified connections through?! What sort of logic is that?

ranger_danger4y ago

Why block all HTTP(non-S) traffic when you can inspect its plaintext? At least I assume that was their thinking.

aaomidi4y ago

Probably to not break on unknown protocols.

annoyingnoob4y ago

This message is double rot13 encoded for your protection.

jeffrallen4y ago

Hmm, I managed to decode it with quadruple rot13... Maybe check your settings, could be insecure!

aaaaaaaaaaab4y ago

I don't get it. Why did you need SSH at all? The task was completed the moment a TCP connection was established to your server.

usr11064y ago

So once the maintainers of the deep packet inspection software read this they will add rot13 to their code.

xmcqdpt24y ago

The author only used rot13 to make a point about the failure mode of inspection. DPI is only there to stop everyday employees from bypassing security policies inadvertently, not to stop an actual attacker. An attacker could use any number of other approaches: hiding payloads in innocuous keywords, using actual encryption, steganography, what have you.

I'm not a security expert but we had those kind of measures at a previous job and AFAIK they are there so that a lazy employee (me) doesn't just skip configuring their tools to go through Artifactory out of laziness and introduce a supply chain vulnerability. If "pip install XYZ" just worked out of the box, how likely would it be that all 10k devs in your organization would bother configuring it to avoid PYPI?

xchaotic4y ago

I don’t get the scenario he tested where he has access to both sides and can freely install cyphers on the server and what not. If you have just installed vpn endpoint and send whatever packets you feel like.

1 more reply

jortr0nOP4y ago

The use of rot13 was just an amusement in this case given its vintage. Replacing rot13 with any other simple stdin/stdout transcoder should be simple to do via the socat invocation, eg base64, a sed replace command, gzip/gunzip, even an actual symmetric encryption protocol like AES, etc.

usr11064y ago

So if you contol both ends any kind of obfuscation will defeat deep packet inspection, as long as the same obfuscation is not widely used so that the inspection software can check for it.

But if you do not control both ends, let's say you want many customers or even the public to connect to your server that's not an option.

1 more reply

ocdtrekkie4y ago

This is why rolling your own crypto often works in practice if you are a smaller operator: Nobody ****ing expects it, and there's a good chance nobody cares enough to investigate manually what you did or add support to commercial products to handle it.

dvh4y ago

I once did rot13 on /lib/firmware/* (not just 13 but 0-255), piped it via 'strings' command and find longest word in English corpus (/usr/share/dict/*). I forget what I found but it's trivial to replicate.

rwmj4y ago

This was my best attempt at this:

  cd /lib/firmware
  ( find -name '*.xz' -exec xzcat {} \; ; find -type f -a \! -name '*.xz' -a -exec cat {} \; ) |
    rot13 |
    grep -aEo '\w+' |
    awk '{print length, $0 }' |
    sort -nsru |
    head -20

I didn't see anything very interesting in the top results.

Edit: The sort -u option hides words of the same length. Removing that option (and the head command) gives more results, but nothing that interesting.

spdegabrielle4y ago

So it may not be an effective security measure but at least it stops your staff from doing online banking or shopping on work devices.

spdegabrielle4y ago

Or it would if they realised their credentials are in the DPI log files.

jeffrallen4y ago

OP should use rot14, it's more secure. /s

kzrdude4y ago

double rot13 has an unfortunate meet-in-the-middle weakness but triple rot13 was invented for this very purpose. I hope he makes the upgrade.

kadoban4y ago

For anyone not in on the joke, this is a real crypto concept/weakness/attack https://en.m.wikipedia.org/wiki/Meet-in-the-middle_attack (obviously only a joke with rot13). It's most famously the reason that 3DES is a thing, instead of just double.

1 more reply

j / k navigate · click thread line to collapse

38 comments

xelxebar4y ago

Not at all the main point, but tr can do rot13 and more; plus GNU Coreutils' implementation is fast:

    $ time openssl rand -base64 1000000000 | tr a-z n-za-m >/dev/null

    real    0m1.073s
    user    0m1.327s
    sys     0m0.644s
    $ time openssl rand -base64 1000000000 | rot13 >/dev/null

    real    0m19.225s
    user    0m20.101s
    sys     0m0.747s

sporksmith4y ago

obs4: https://github.com/Yawning/obfs4

obs4 in tor: https://support.torproject.org/glossary/obfs4/

MadsRC4y ago

I love this! Using a 2000+ year cipher to circumvent Deep Packet Inspection seems almost poetic.

pdkl954y ago

http://www.ranum.com/security/computer_security/editorials/d...

"The Six Dumbest Ideas in Computer Security"

> #1) Default Permit

> #2) Enumerating Badness

MiddleMan54y ago

Reading point #4 on a site called "Hacker News" seems rather ironic.

c0balt4y ago

Thank you for sharing the post. It made my day so far, I actually want to re-read it and take notes.

throw0101a4y ago

In case someone is not aware, socat allows for TLS connections with the OPENSSL-LISTEN and OPENSSL options:

* http://www.dest-unreach.org/socat/doc/socat.html#ADDRESS_OPE...

Just create a self-signed certificate:

    openssl req -newkey rsa:2048 -nodes -keyout socat.key -x509 -days 1000 \
        -subj '/CN=www.mydom.com/O=My Company Name LTD./C=US' -out socat.pem

for the server and tell the client not to check ("verify=0").

belter4y ago

Some companies mention in their employment contracts these type of circumvention activities, unless explicitly allowed, are a firing offense.

throwaway9843934y ago

At one job I tunneled out of work to my home PC, and the head security guy found out and made a big stink, and I got fired

sockpuppet_124y ago

zokier4y ago

They are clearly already whitelisting connections, but still allow unidentified connections through?! What sort of logic is that?

ranger_danger4y ago

Why block all HTTP(non-S) traffic when you can inspect its plaintext? At least I assume that was their thinking.

aaomidi4y ago

Probably to not break on unknown protocols.

annoyingnoob4y ago

This message is double rot13 encoded for your protection.

jeffrallen4y ago

Hmm, I managed to decode it with quadruple rot13... Maybe check your settings, could be insecure!

aaaaaaaaaaab4y ago

I don't get it. Why did you need SSH at all? The task was completed the moment a TCP connection was established to your server.

usr11064y ago

So once the maintainers of the deep packet inspection software read this they will add rot13 to their code.

xmcqdpt24y ago

xchaotic4y ago

1 more reply

jortr0nOP4y ago

usr11064y ago

So if you contol both ends any kind of obfuscation will defeat deep packet inspection, as long as the same obfuscation is not widely used so that the inspection software can check for it.

But if you do not control both ends, let's say you want many customers or even the public to connect to your server that's not an option.

1 more reply

ocdtrekkie4y ago

dvh4y ago

rwmj4y ago

This was my best attempt at this:

  cd /lib/firmware
  ( find -name '*.xz' -exec xzcat {} \; ; find -type f -a \! -name '*.xz' -a -exec cat {} \; ) |
    rot13 |
    grep -aEo '\w+' |
    awk '{print length, $0 }' |
    sort -nsru |
    head -20

I didn't see anything very interesting in the top results.

Edit: The sort -u option hides words of the same length. Removing that option (and the head command) gives more results, but nothing that interesting.

spdegabrielle4y ago

So it may not be an effective security measure but at least it stops your staff from doing online banking or shopping on work devices.

spdegabrielle4y ago

Or it would if they realised their credentials are in the DPI log files.

jeffrallen4y ago

OP should use rot14, it's more secure. /s

kzrdude4y ago

double rot13 has an unfortunate meet-in-the-middle weakness but triple rot13 was invented for this very purpose. I hope he makes the upgrade.

kadoban4y ago

1 more reply

j / k navigate · click thread line to collapse