“Only do this at home” 1min later… “imagine you are in a train”…

"do not try this at home" "no, only try this at home", lmao, I am somewhat conflicted on this

We need more technical content like this! Great job!

Students are the best people to ask about how to bypass networks.

This format of screen-sharing is soooo much better than other videos. Please maintain this format of showing everything on the screen. So helpful and so much easier to understand

"Let's get the OHP up." Smacked me right back to elementary school.

My professor 2 years ago tried to explain ssh tunneling for the same length of time as this video and failed miserably. Dr. Clegg explained in half the time and even talked about other ways of doing this while being easy to comprehend. Great video

I feel like this is how many kids get interested in computers.

04:35 UFW is actually _Uncomplicated Firewall_ . It's "only" a Python "wrapper" for iptables.

I remember using proxy tunnels way back in the early 2000s. I found a bank in France that had full internet access and proxied in to that over port 8080.

10:54 Unfortunately, this whole section here about TCP over TCP is incorrect in this case. Yes, if you're tunneling raw IP packets over TCP (and there are ways to do this with SSH, for instance using the -w option, running PPP over SSH, or with OpenVPN over TCP, as well as a million other ways), you do end up with the TCP-over-TCP meltdown you are explaining quite correctly. But, if you're using SSH's "dynamic port forwarding" mode which emulates a SOCKS proxy, there is no TCP over TCP at all going on. There's TCP running between your client software and the SSH client's SOCKS proxy emulator, TCP running between your SSH client and the remote SSH server, and also TCP running from the remote SSH server to the tunnel destination. These are all seperate TCP connections, and none of them of them running "over" each other. They're conseptually connected end to end, not over each other. There's no raw IP packets going over the SSH tnnel, and thus no TCP. Only the data beloning inside the stream as multiplexed as multiple channels in SSH. TCP retransmissions will happen on every TCP stream, but there's no redunant layer of TCP happening end-to-end over the actual tunnel, and no duplication of retransmission for that reason. That said, because everything you're doing ends up passing through a single TCP connection, that can definitely be a bottleneck, but for other reasons.

One of the very few videos I have watched more than once. Please do more high quality content.

Really nice video. This is what inspires people. And then you introduce a NGFW with SSL and SSH decryption and loose all the magic.

that's how network engineers are born.... trying to bypass censorship

Yes, TCP over TCP is bad. But there is no TCP over TCP in this case. There are just 2 TCP connections in serial. If you use ssh -w, that would create a tunnel where you are doing tcp over tcp.

4:32 Nope, it's "Uncomplicated FireWall"

I've used iodine DNS tunnel for years. It's not fast or efficient but it works. Nobody has ever noticed and none of the many environments I am familiar with monitor DNS traffic for stuff like this.

I just run a VPN server at home, and anywhere I've been (including China) I can just VPN back home and get full normal access to everything.

I did this years ago to get around my University's firewalls to play games online... :D

I'm impressed by the fact that his computer is named for a character from Mervyn Peake's Gormenghast novel. Not that your presentation wasn't interesting, Dr Clegg, but my excitement that I'd found another Peake fan eclipsed all else!

We used to do this SSH tunnel way back in 2007 to break out of the NHS network to connect to home. Was a 2nd line engineer and sick of 3rd line monitoring anything you did. Got more work done with that tunnel than without it.

I really enjoy the networking Videos! Hoping for more :)

I traveled around Turkey this month. I had a local sim card for data (Vodafone). There was one region (Antalya) where it wouldn't allow me to connect to my home wireguard peer. Also VPN provider websites had been blocked e.g. Mullvad. This wasn't the case in Istanbul, Mersin or Fethiye regions, very strange. I'm using a non-default port for wireguard, maybe I should try port 443.

Great Resource 🙌🏻🙌🏻

transmitting data as a subdomain to bypass a firewall is the most hacky janky thing I've ever heard of and I love it.

"try this at home but not anywhere else at all" ---> "so now let's imagine you're on a train or in an airport where the administrator is not giving you full access..." That escalated quickly.

Wow, this video really highlights the high quality of comp. sci. coming out of Nottingham University compared to others!

DNS tunneling was used in the SUNBURST (Solarwinds) attack last year, so not sure a normal admin would have detected that method.

So as a network engineer having to defend these issues when setting up networks like such as a "guest" network. For this, I don't use a layer 4 firewall(such as an ASA without firepower) which is what seems to be on the topic for this video. More used in this situ' is a layer 7 Firewall(such as a Palo Alto) where you can allow based on application rather than "Service Port" for "guest" network on a Palo only allow the following applications: dns, web-browsing & ssl. Another option could be adding in decryption for other networks, it doesn't really work for a guest network. Also, I would like to see what you suggest for application(L7) firewalls and to bypass these...

This was fascinating.

Him: Hey, Internet, don't use this exciting information in any way. Internet: 👍🤔😏

really liked this video, also i like richards way of explaining this stuff. :)

Yeaa.. it remember me the day our IT teacher had to explain how to bypass the school proxy server to setup our own proxy lab. Using proxy for home purposes is irrelevant these days in my option. VPN over 443 and remote sessions (can also be 443) are way more secure and reliable.

Just a quick note. We are going to try everything you are saying here

19:10 So for the web proxy protection explanation, the workaround where the exit address gets remapped to :22 only works if you have admin control over the web proxy itself right?

First! No KZbin? I'm definitely doing this... just to watch Computerphile. Just that. Honestly.

Besides the interesting topic, i like the sound effect used for the firewall at 1:53 xD

Someone I know did that a century ago. (A bit more sophisticated, it was encapsulating everything in multiple TLS streams.) IT security can break normal work so easily. A few years after he established this, someone contacted me. Asking why there was so much traffic to that address from that machine. I said it was a leftover test that seemed to be still running and I cut it down. Since then our security got much better, much more defined and more relaxed. No need to tunnel, no need to dig holes, everyone is happy and safe. Too much security is as dangerous as too less security.

Anyone else notice port 456 blocked "related to mail" (at 4:48)? Me neither. :) Almost certaionly meant to be port 465, for SMTP over implicit SSL/TLS.

The word "Disclamer" made me enthusiastic.

Thank you 🙏

I love this video. Though he left out the part about the best tool for tunneling out of a network: GCC and a copy of Stevens.

Ok. I ssh'ed into Dr. Clegg's home server. Who are all the babes you have 1TB of pictures of? BTW: Thank you very much for your time you spent with explaining this Dr.

With great power, comes great responsibility 👍

This gave me flashbacks to using 'cu' to hop around different machines on our LAN. ~.

when i was in college in the mid 2000s they tried banning bit torrent in the dorms, but they weren't very secure back then so I just tunneled out using UDP and was able to access non-throttled internet speeds too (15kbps wired in the dorms for all data, 20mbps after tunneling out) stuff is more complicated now though i think, but i thought i was a badass back then haha XD

Is the computer connected to internet and firewall not allowing you to go anywhere ? Can you advise please

I like that last point!

I would really like to know whether I can reach my server via ssh from inside a network which only lets ports 80 and 443 pass - but without having to change the port my ssh server is listening to. What would be needed for that?

Good video

Correct me if I am wrong, but I don't think ssh tunnel is TCP over TCP. ssh tunnel acts like a normal TCP proxy, only that the connection in between the ssh client and ssh server is encrypted, it does not preserve the original TCP header.

“lets get the ohp up” something i haven’t heard in a loooong time

I’m sure students do this a lot. What are the consequences? At uni for example, would they be in trouble? I noticed libraries lock well

this is better than most network course labs

A few comments on the last part - not entirely true - in modern web traffic, it's extremely difficult to differentiate between a "normal" ssl websocket traffic and a long-living tunnel. It can be done by pattern analysis, but I doubt train ISP providers monitor for that.

How will any of this work if you don't have local device admin rights and network authentication prohibits LAN devices that don't match a specific criteria i.e. MAC address?

Vpn over port 53. Can even bypass a lot of wifi paywalls iirc because they still allow DNS requests

Dr Richard Clegg looks like a magician

What about arp cache poisoning? Does that still work as a man-in-the-middle route traffic bypass?

There are also solutions like guacamole that you can run on the target machine and just serve it under a simple web service. (VNC/RDP or an ssh console)

Is it possible to block the application/ssh communication based on what ssh is sending rather than simply blocking a port?

Cheers... off to try this on my mates computer now

Love it !

I just set my home firewall to listen on 443, and forward via NAT to my ssh server. So in a nutshell, just set your ssh server to listen on port 443 instead of 22. It's not that complicated. Very secure networks will close your connection after about 30 seconds, and you'll have to create a script to re-init the ssh tunnel, and close it, over and over. Also, most networks other than maybe a work network, which still could probably be argued in court, have you agree to not access certain things via their network. If your house isn't one of those things, then technically ssh to your own home server is fair game. Where you go from home isn't technically in their jurisdiction. If their machine is only connecting to yours, then you have ground to stand on. What your machine connects to, is none of their business. But make damn sure your DNS requests are also going to and through your home machine. Most companies now have a catch all policy that includes not using their provided computers to access XYZ sites. So at that point, you may be hosed. In the end, any admin with enough time on their hands to see that you are using port 443 for different amounts of time, or triggering a disconnect time out rule, is going to have such a hard time proving the rest, plus all the extra hassle of doing so. They're probably going to just pull you aside and say, please don't keep doing this, because eventually I'm going to have to explain it to someone and force it to stop.

Reliable protocol doesnt need the loss :) - it only can accomodate to the loss - its not needed - if you have a local 10mbps link in your computer - you can set it up to send with that rate, choose any buffer (at home....ofc :) ) and tcp will be working very much without a loss on a connected switch 1gbps inter-network - local IP stack implementation will not allow that TCP connection to start getting congested at 10mbps (of course if your 1gbps inter-network wont start getting congested, or switch power ASIC capacitors wont stop being congested :)

I've never had to go much further than SOCKS over an SSH tunnel on a nonstandard port to bypass poorly-monitored outgoing firewalls. Mostly useful for large businesses with many locations, who provide internet access as a perk to their customers, where individual locations rarely have a dedicated IT staff (restaurants, bars, coffee shops, department stores, salons, spas, outpatient clinics, etc.). Use with caution, and only on the isolated guest wifi, if you're stuck in a hospital and have to get actual work done.

Yes, but have you got fork handles?

Great explanations. Also a light noise reduction would be amazing.

The U in UFW stands for Uncomplicated, not Ultimate.

Wish I could draw that fast in Visio.... Also sudo assumes the right access, ssh assumes the right RBAC in that environment

I guess blocking port 456 is a typo. SMTPs is on port 465 instead

A Stalag 17 special!

Ok mad points for the old school dot matrix printer paper.

If they are using a firewall with a whitelist, doesn't that mean that you need to have your proxy whitelisted?

Isn't ufw "uncomplicated firewall"?

"Don't try this at home" *teenagers with school computers* okay lol

Nice!

Closing port 22 is one of the first things I do when setting up a new install :)

The web proxy thing wasn't explained well. If everything is blocked how do you reach the web proxy? What exactly is it? No explanation was given at all.

Man, this seems so clever and scary to me at the same time.

4:34 UFW = Uncomplicated Firewall :)

I don't think that SSH+SOCKS run TCP inside TCP. The TCP is unpacked on your own computer and the actual data is sent directly over SSH.

Actually, "Uncomplicated FireWall" - not as exciting

The SSHawshank Redemption

my man

6:58 should have edited out that “uuum” … that would have been funny 😂

I'm just wondering why he chose port One Oh Eight Oh

4:40 UFW is Uncomplicated Fire Wall or at least that’s how I’ve seen it

There are other ways for TCP to know it is congested, change in delay or ECN (Explicit Congestion Notification).

so where is the part that you mention VPN

Did anyone get the part where he talked about how to tunnel your way out of a network that only allows you to go through a proxy?

One time at work we wanted to access some site to view various things. Turns out their firewall was only plain text, using the IP address directly worked a charm

It has become necessary (in this day and age) to change your exposed ssh port anyway in order to avoid a few thousand attempted malicious logins everyday anyway. Making ssh available on something like port 62244 keeps your auth.log from growing too large.

That's nuts!

The last element, that the attackee needs to get lucky every time, is actually a reversal of the better-accepted aphorism: A well motivated attacker will always win, because they only need to succeed once. Defenders must win all the time. Now for egress I can see some of the logi in the statement made by the blue team guy, but the solutions are relatively straightforward for me: hide in plain sight go low & slow live off the land ensure you only depend on things the target can't take away without committing self-harm (Full disclosure: I'm a red teamer, not a criminal 😁)

Now you need a part 2: "How to hack out of a system with no Networking hardware." Skynet would love that. And i know is possible(the spontaneous creation of life kind of possible(we are here so it is possible) or at least half way to that) though highly unlikely, like trough the electrical grid or with flicking the display on and off of the system at a camera connected to the internet.

TCP over UDP over TCP

It's a bit more than "cheating" in inverted commas. You manipulated the web proxy, something you typically have no access to. Better would have been to run SSH on port 443 on the twisted server.

dns tunnel pretty simple to setup , I find the ssh tunnelling frys my brain half the time

Would not work against any next gen firewall that does application traffic matching