Bypass Web Filtering

Bypass using the IP address

Depending on the filter's configuration and the tool in use, the IP address can be used instead of the server name to bypass web filtering.

nslookup DOMAIN
Then use the IP address instead of the name: http://IP

Bypass using Server Name Indication (SNI)

Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. The extension allows a server to present one of multiple possible certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites (or any other service over TLS) to be served by the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 name-based virtual hosting, but for HTTPS.

For the allowed SNI, pick a name that is always allowed, such as Microsoft Update or Cloudflare.

Running “nslookup” against the blocked domain may leave traces in the DNS logs. Resolve it from another computer outside the network, or use a service such as Search DNS (Netcraft).

Using curl

DOMAIN=proxy.golang.org # Blocked domain
IP=142.250.69.113       # nslookup $DOMAIN
ALLOWED_SNI=update.microsoft.com
URL=https://${ALLOWED_SNI}/github.com/ysmood/leakless/@v/v0.9.0.zip
curl -k --resolve ${ALLOWED_SNI}:443:${IP} $URL -H "Host: ${DOMAIN}" --output file.zip
curl -k --connect-to ${ALLOWED_SNI}:443:${IP}: -H "Host: ${DOMAIN}" $URL --output file.zip

SNI bypass on an explicit proxy with TLS inspection: the client performs the TLS handshake with the proxy using the spoofed SNI; the proxy then connects to the IP address supplied with --connect-to and re-uses the spoofed SNI.

curl --proxy http://x.x.x.x:8080 -k --connect-to ${ALLOWED_SNI}:443:${IP}: -H "Host: ${DOMAIN}" $URL
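From the defender's side, the mismatch the curl commands above rely on (an SNI naming an allowed host while the Host header and the destination IP belong to the blocked one) is itself the detection signal. The following Python is an added example, not part of the original page: it scans constructed proxy log lines and flags sessions where the Host header disagrees with the SNI (only visible when the proxy performs TLS inspection) or where the SNI does not resolve to the IP actually contacted. The log format and the expected-IP table are constructed stand-ins for a real proxy log and passive DNS.

```python
"""Flag TLS sessions whose SNI disagrees with the Host header or destination IP (added example)."""
import re
from typing import Callable, Dict, List, Set, Tuple

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[0-9.]+):(?P<port>\d+) "
                     r"sni=(?P<sni>\S+) host=(?P<host>\S+)$")

# Constructed proxy log. Line 1 mirrors the page's curl trick (SNI update.microsoft.com,
# Host proxy.golang.org, IP of proxy.golang.org); host=- means no TLS inspection, Host unseen.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 142.250.69.113:443 sni=update.microsoft.com host=proxy.golang.org
2024-05-01T10:00:01Z 10.0.0.6 203.0.113.10:443 sni=update.microsoft.com host=update.microsoft.com
2024-05-01T10:00:02Z 10.0.0.7 142.250.69.113:443 sni=update.microsoft.com host=-
"""

# Constructed table standing in for passive DNS: IPs each name is expected to resolve to.
EXPECTED_IPS: Dict[str, Set[str]] = {
    "update.microsoft.com": {"203.0.113.10"},
    "proxy.golang.org": {"142.250.69.113"},
}

def check_session(sni: str, host: str, dst_ip: str,
                  resolve: Callable[[str], Set[str]]) -> List[str]:
    """Return findings for one session; an empty list means it looks consistent."""
    findings = []
    if host != "-" and host.lower() != sni.lower():   # needs TLS inspection to see Host
        findings.append("HOST_SNI_MISMATCH")
    if dst_ip not in resolve(sni):                     # works on the plaintext SNI alone
        findings.append("SNI_IP_MISMATCH")
    return findings

def detect(log_text: str, resolve: Callable[[str], Set[str]]) -> List[Tuple[str, List[str]]]:
    """Run check_session over every parseable line; return (src, findings) for each hit."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of mis-classifying them
        findings = check_session(m["sni"], m["host"], m["dst"], resolve)
        if findings:
            hits.append((m["src"], findings))
    return hits

def lookup(name: str) -> Set[str]:
    return EXPECTED_IPS.get(name.lower(), set())

if __name__ == "__main__":
    for src, findings in detect(SAMPLE_LOG, lookup):
        print(src, ",".join(findings))
```

Without TLS inspection only the SNI/IP check is possible, so an allow-list built on SNI alone should be paired with a check that the SNI actually resolves to the destination IP.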

Using OpenSSL

DOMAIN=proxy.golang.org # Blocked domain
IP=142.250.69.113       # nslookup $DOMAIN
ALLOWED_SNI=update.microsoft.com
URL=https://${ALLOWED_SNI}/github.com/ysmood/leakless/@v/v0.9.0.zip  # path of the request typed into the session
openssl s_client -connect ${IP}:443 -servername ${ALLOWED_SNI}

Using Burp Suite

  • Start Burp Suite.
  • Click on the Repeater tab.
  • Manually enter the request below.
  • Click on the request target settings.
    • Host: blocked-domain.com
    • Select Override SNI
    • SNI: update.microsoft.com
    • Port: 443
    • Select Use HTTPS
    • Click OK
  • Click Send

GET /forbidden-resource HTTP/2
Host: blocked-domain.com

Firefox add-on

Extension does not exist anymore 🙁

Use the Firefox add-on “Escape”, which manipulates the SNI (Server Name Indication).

  • Click on Options.
    • HTTPS Website: *
    • Overwritten SNI value: update.microsoft.com
    • Allow Cert. exception: true
  • Click on Save

Bypass using ECH

ECH (Encrypted Client Hello), the standardized successor to plaintext SNI, is now supported by Cloudflare's DNS service and in Firefox.

Using Firefox

Did not work for https://proxy.golang.org/github.com/ysmood/leakless/@v/v0.9.0.zip

  • Click on Settings -> General
  • In the search bar, enter Enable DNS over HTTPS
  • Select Max Protection
  • Select Cloudflare as the provider
  • Enter about:config in the URL bar.
  • Enter network.dns.echconfig and set it to true

This should fully encrypt your DNS lookups (DNS over HTTPS) and lets Firefox use ECH for sites that publish an ECH configuration in DNS.

Bypass using Redirectors

See Redirectors.

Bypass using Domain Fronting

See Domain Fronting.