Hacking Out

by R. Toby Richards

From September 2005 through April 2006, I had the unpleasant experience of being bound (24/7) to a network run by someone else.

Why am I only publishing this article now?  Because I don't use an alias, and had to wait until November 2009 to be sure that these admissions wouldn't get me into trouble.  I'm not going to be more specific than that.  I'm sure 2600 readers can do the math and figure it out.

The main problem I experienced wasn't the lack of admin privileges across the LAN and WAN.  Rather, it was the content filtering.

Web sites that I wanted to view were blocked.  The purpose of this article is to describe the various techniques I used to get around these blocks.  None of these methods are particularly clever; however, I thought it compelling to compile a list and description of all the tricks I used during my seven months away from unfettered Internet access.

Some may find this useful for getting around content filtering.  Others may find this useful for plugging security holes in their own content filtering systems.  For brevity, I'm going to assume that you, the reader, have a certain level of expertise, and that you know things like what a hosts file is, where to find it, and how to edit it on your particular operating system.

Google's Cache

The primary (but not the only) method my admins used to block web sites was with a content filtering proxy.

Domains that fell into categories the organization didn't like weren't allowed.  The proxy was transparent, so it filtered even with proxy settings turned off in the web browser.  But guess what?  Google searching was allowed.

And since Google's cached pages were in the google.com domain, I could simply click on the "Cached" link within my search results to see pages that would otherwise be blocked.

It quickly became a major pain trying to make the page I wanted to see appear in the results of a Google search.

So I learned that I could type in cache:[URL] or, for example: cache:http://www.notallowed.com into Google's search box to make caches of specific URLs appear.

Other Proxies

Looking at cached pages got old.

Sometimes Google didn't have a cache of a page that I wanted to see.  Enter public proxy servers.

Of course, pages that listed proxy servers were blocked by the filter, but looking at Google's cache of those pages resolved the problem.  Usually, paranoid network administrators block most ports except 80.  So I'd type "proxy port 80" into Google and hit the "Cached" link.

Then I'd plug those proxy servers into my web browser's settings.  When it worked, it worked great.  But it didn't always work.

The hosts File

Sometimes, instead of using the content filtering proxy to block pages, the IT shop would simply delete the "A Records" of domains they didn't like from their DNS server.  And since port 53 wasn't allowed, I had to use the local DNS server.

I don't know if they actually thought this was a better solution, or if they were just lazy.  This was actually the easiest problem to overcome.  I'd simply find a web-based nslookup utility (I used kloth.net/services/nslookup.php) to find the IP address in question, and plug it into my hosts (/etc/hosts) file.  Problem solved.

Archie(like) Web Services

Often, I wanted to download files.

IT had blocked EXE, ZIP, and RAR files.  How annoying.

First of all, the proxy solution could fix this.  But when the proxy solution wasn't working, there was an alternative.  In my case, the network administrator had allowed anonymous FTP downloads.

Fortunately for me, the content filtering proxy didn't check what I was doing on ports 20 and 21.  So I would use Google's cache (pages containing downloads that I was interested in were usually blocked) and hover over the link to the file that I wanted to download, noticing the file name in my browser's status bar.  Then I'd go to filewatcher.com and search for that file on an FTP server somewhere.  This proved extremely useful and effective.

SSL Anonymizers

Here's something I found out towards the end of my time as a non-administrator, and I wish I'd known it from the beginning.

The content filter never checked HTTPS addresses for forbidden domains.  So while http://concealme.com was blocked for being an anonymizer, https://concealme.com was allowed!

When Concealme got too congested or was down, all I had to do was Google for another SSL-accessible anonymizer.  Of course then, through the anonymizer, I could go wherever I wished.
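
For readers on the filtering side, here is an added example (not part of the original article) of a proxy policy check in Python that closes the two gaps described under "Google's Cache" and "SSL Anonymizers": it applies the same domain list to HTTPS CONNECT targets as to plain HTTP, and it inspects search queries for cache: lookups of blocked domains. The blocklist contents and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed blocklist for illustration; a real filter would query its category database.
BLOCKED = {"notallowed.com", "concealme.com"}

def is_blocked(host):
    """True if the host or any of its parent domains is on the blocklist."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKED for i in range(len(labels)))

def hosts_in_request(method, target, host_header=""):
    """Collect every hostname a request refers to, not only the one it connects to."""
    hosts = []
    if method.upper() == "CONNECT":
        # HTTPS through a proxy: the target is "host:port", visible before TLS starts.
        hosts.append(target.rsplit(":", 1)[0])
        return hosts
    url = urlsplit(target)
    # Absolute-form requests carry the host in the URL; otherwise use the Host header.
    hosts.append(url.hostname or host_header.split(":")[0])
    # Search-engine cache lookups carry the real destination in the query string.
    for values in parse_qs(url.query).values():
        for value in values:
            for token in value.split():
                if token.lower().startswith("cache:"):
                    inner = token[len("cache:"):]
                    if "//" not in inner:
                        inner = "//" + inner  # let urlsplit see a network location
                    cached = urlsplit(inner).hostname
                    if cached:
                        hosts.append(cached)
    return hosts

def decide(method, target, host_header=""):
    """Return "block" if any referenced hostname is on the blocklist, else "allow"."""
    hosts = hosts_in_request(method, target, host_header)
    return "block" if any(is_blocked(h) for h in hosts if h) else "allow"
```

Because the decision is made on the requested hostname at the proxy, it does not depend on which DNS answer or hosts file entry the client used to reach the server.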

Web to FTP Services

Notice that I said anonymous FTP downloads were allowed.

Frequently, I wanted to log into an FTP server with credentials, usually to upload files.  This was not allowed.  web2ftp.com was the solution that I used.

It provided a convenient web interface to any FTP server and even offered an edit mode, so that I could modify ASCII files without having to download them, edit them, and then upload them.

Obscurity is Your Friend

As effective as all the above techniques were, none of them was a panacea.

Webmail was an especially difficult service to maintain access to.  From experience, I knew that the categories of web pages that these content filters used were not perfect.

So I found obscure services when necessary.  Hotmail, Yahoo! Mail, and Gmail were all categorized as webmail services.  But MyRealBox.com wasn't blocked.

Whoever maintained the domain lists for the proxy server had overlooked it because of its obscurity.  If you find yourself blocked from an online service that you use, then consider trying an alternate, obscure provider.

Host Your Own Services

Another example of a commonly blocked Internet service is chat.

What did I do about it?  I bought space with a cheap hosting company and uploaded a web-chat program that I had found.  Resources such as Freshmeat, The PHP Resource Index, and freevbcode.com are great for finding services that you can host yourself.

But be warned: hosting your own web-based service will almost always require some knowledge of database administration and at least one web programming language, such as ASP.NET, PHP, or Perl.

Hosting my own Squid proxy server would have been a great idea and would have solved most, if not all, of my problems - especially if I had set one up on ports 80 and 443.

Unfortunately, I didn't have the foresight to set this up ahead of time.
