Exploring httptunnel

Posted 2006-02-23 21:31 by Christopher

httptunnel is a GPL application for encapsulating arbitrary network traffic within valid HTTP requests and responses.  Because the tunnelled bytes travel as ordinary HTTP bodies, it can be used to bypass firewalls, including many application proxies that only let HTTP out.  It consists of a server daemon (hts) and a client daemon (htc), both written in C.

Installation couldn't be simpler.  It resides in the Debian package repository, so on Debian Sarge I was able to use apt to fetch and install the binaries and man pages:

~$ sudo apt-get install httptunnel

If you prefer to use the source, compilation uses the *nix "standard" ./configure; make; make install process:

~$ tar xzf httptunnel-3.3.tar.gz
~$ cd httptunnel-3.3
~/httptunnel-3.3$ ./configure
~/httptunnel-3.3$ make
~/httptunnel-3.3$ sudo make install

You then launch both sides of the tunnel: hts on the server, listening on port 80 and forwarding to the local sshd, and htc on the client, listening on local port 222 and pointing at the server.  hts needs root to bind port 80; htc's port 222 is unprivileged, so the sudo there is not strictly required.  No traffic is actually generated until the tunnel is accessed:

server:~$ sudo hts --forward-port 127.0.0.1:22 80
client:~$ sudo htc --forward-port 222 192.168.1.102:80

Finally, you can connect to the listening port on the client to tunnel traffic to the server:

client:~$ ssh 127.0.0.1 -p 222

Communication between the client and the server is done with a series of HTTP POSTs (for client->server) and GETs (for server->client).  For example:

GET /index.html?crap=1140473521 HTTP/1.1
Host: 192.168.1.102:80
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)

HTTP/1.1 200 OK
Content-Length: 1024
Connection: close
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate
Expires: 0
Content-Type: text/html

------data to send to client here------

POST /index.html?crap=1140473474 HTTP/1.1
Host: 192.168.1.102:80
Content-Length: 1024
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)

------data to send to server here------

It should be easy to spot this traffic with an IDS signature on /index.html?crap= (every request carries it, with the current Unix time as the parameter value).  Keep in mind that since the source code is readily available, this string can be changed trivially by editing the following file/line:

http.c:34:  sprintf (str + n, "/index.html?crap=%ld", time (NULL));

I also tested httptunnel through an HTTP application proxy server, in this case Squid.  Proxy support in htc is configured with the --proxy and --proxy-authorization options.

As you can see, httptunnel is simple to install and use.  It does suffer from the following drawbacks:

  1. hts can't handle multiple simultaneous tunnels.  This can be overcome by running multiple instances of hts, or by carrying ssh through the tunnel and multiplexing further connections with ssh port forwarding
  2. The tunnel itself is not encrypted.  Run ssh or another encrypted protocol inside it
  3. The client can reach services on the server, but not vice versa
  4. The traffic is readily identified by signature (the /index.html?crap= path) and by statistical methods (the constant Content-Length: 1024 seen on both sides of the capture, the fixed User-Agent string, and Connection: close on every exchange)
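The two detection approaches above (the path signature from http.c, and the shape of the exchange once that string has been edited out) side by side, as an added example that is not code from the original post or from the httptunnel project.  The three sample messages are constructed to mirror the GET/POST capture shown earlier; the heuristics (a query value that parses as a 10-digit Unix timestamp, the constant Content-Length of 1024, the fixed User-Agent, Connection: close) and the threshold of three matching traits are assumptions drawn from that capture, not anything the tool documents.

```python
"""Spot httptunnel traffic two ways: by the default path signature, and by
the shape of the exchange when that signature has been edited out of http.c.

Added example; not from the original post or the httptunnel project.  The
sample messages are constructed to mirror the capture in the post, and the
thresholds below are assumptions drawn from it.
"""
import re

SIGNATURE = "/index.html?crap="        # default string built by http.c
FIXED_BODY = "1024"                    # Content-Length seen on both sides
FIXED_UA = "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
# Assumed heuristic: the query value is time(NULL), i.e. a 10-digit integer
# starting with 1 (epoch seconds between 2001 and 2033).
EPOCH_QUERY = re.compile(r"\?[A-Za-z_]+=(1\d{9})$")


def parse_message(raw):
    """Return (start-line words, lower-cased header dict) for one raw HTTP message."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0].split(" "), headers


def signature_hit(raw):
    """The exact-match rule an IDS would use against the unmodified tool."""
    (method, target, *_), _ = parse_message(raw)
    return method in ("GET", "POST") and SIGNATURE in target


def shape_reasons(raw):
    """Traits that survive editing the sprintf in http.c."""
    (method, target, *_), headers = parse_message(raw)
    reasons = []
    if headers.get("connection", "").lower() == "close":
        reasons.append("connection-close")
    if headers.get("user-agent") == FIXED_UA:
        reasons.append("fixed-user-agent")
    if method == "POST" and headers.get("content-length") == FIXED_BODY:
        reasons.append("fixed-1024-post-body")
    if EPOCH_QUERY.search(target):
        reasons.append("epoch-in-query")
    return reasons


def classify(raw, min_reasons=3):
    """'signature' when the default path is present, 'shape' when enough
    statistical traits line up, 'clean' otherwise."""
    reasons = shape_reasons(raw)
    if signature_hit(raw):
        return "signature", reasons
    return ("shape" if len(reasons) >= min_reasons else "clean"), reasons


def _msg(start_line, *headers):
    """Assemble a raw HTTP message head (constructed test data)."""
    return start_line + "\r\n" + "\r\n".join(headers) + "\r\n\r\n"


# Constructed sample: the POST from the capture in the post.
DEFAULT_POST = _msg("POST /index.html?crap=1140473474 HTTP/1.1",
                    "Host: 192.168.1.102:80", "Content-Length: 1024",
                    "Connection: close", "User-Agent: " + FIXED_UA)
# Constructed sample: same tool after http.c was edited to use another path.
MODIFIED_POST = _msg("POST /images/banner.gif?id=1140473474 HTTP/1.1",
                     "Host: 192.168.1.102:80", "Content-Length: 1024",
                     "Connection: close", "User-Agent: " + FIXED_UA)
# Constructed sample: an ordinary browser request for comparison.
BROWSER_GET = _msg("GET /index.html?page=2 HTTP/1.1",
                   "Host: 192.168.1.102:80", "Connection: keep-alive",
                   "User-Agent: Mozilla/5.0 (X11; Linux i686) Firefox/1.5")

if __name__ == "__main__":
    for name, raw in (("default", DEFAULT_POST), ("modified", MODIFIED_POST),
                      ("browser", BROWSER_GET)):
        verdict, reasons = classify(raw)
        print(f"{name:9s} {verdict:10s} {reasons}")
```

The modified sample shows why the list above calls the traffic identifiable by statistical methods and not only by signature: changing the sprintf string defeats signature_hit, but the constant body size, the hard-coded User-Agent, Connection: close and the epoch-valued query parameter are all still there for shape_reasons to count.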