Network Ninjitsu: Bypassing Firewalls and Web Filters

by James Penguin


Picture yourself in the following situation.

You're at school/work minding your own business simply perusing the Internet and all it has to offer.  However when you try to visit your ninja clan's website, you are instead presented with a web page stating that this particular website is blocked.  Naturally you are shocked and offended by such an action.  So do something about it; sneak through like a ninja with a SSH tunnel.

A Brief Explanation

For those who have no idea what an SSH tunnel is, imagine that whenever you establish a connection to a SSH server that you are digging an underground tunnel from your location at Point A to the server's location at Point B in which a messenger carries messages back-and-forth between you and the server.  The reason that the tunnel is underground is because your connection is encrypted.  Because of this, people cannot see what is being sent back-and-forth through your connection (underground tunnel).  Now once you have established a connection, you have an entire tunnel to send data back-and-forth through.

Now the great thing about this underground tunnel is that it is big enough so that it can fit more then one messenger.  As a result, it is possible to send messengers with messages for a server at Point C through the underground tunnel, have them relayed from Point B to point C, from Point C back to Point B, and then sent through the underground tunnel back to you at Point A.

For a more detailed explanation see the Wikipedia page about Tunneling Protocols:

The Guards

Let's assume that the network that you are currently on has a server that filters web traffic, and is guarded by a firewall that does not allow inbound connections, and only allows outbound connections on ports: 21 (FTP), 80 (HTTP), and 443 (HTTPS).

How is this information useful you ask?  Well we know that we can get traffic out of three different ports, which means that you have three openings from which you can dig a tunnel.


In order to successfully sneak through the firewall/web filter you will need two things:

A SSH server listening on one of the ports that you are allowed outbound access on.  For help setting up a SSH server see:

A SSH client, either PuTTY (GUI) or Plink (command line).  This article covers the use of Plink.  You can download both PuTTY and Plink from:

A Simple Tunnel

The command for creating a tunnel with Plink is:

plink -N -P PortNumber -L SourcePort:RemoteServer:ServicePort -l UserName SSHServerAddress

For PortNumber use a port that you are outbound access on.  For SourcePort use any number between 1 and 65535, for RemoteServer use the IP address of a remote server you would like to access, and for ServicePort use the port of the service you'd like to access on the remote server.

For example to tunnel a HTTP Connection to a remote server at through a SSH server listening on port 21 and with the address the command would look like:

plink -N -P 21 -L 1337: -l YourUsername

Once you have entered your password, open up a web browser and enter into the address bar and you will be looking at the Google home page.

Note 1:  When using the above command syntax, after you have provided your correct password, the blinking cursor will drop a line.  This means that your login was successful.

Note 2:  Tunnels can be used to proxy a connection to any address on any port, however this article will focus on tunneling web pages.

Dynamic SOCKS-based Jujitsu!

While a simple tunnel may be alright for connecting to one specific server, a ninja such as yourself has many different servers to browse and it is impractical to create a tunnel for each different server that you may want to connect to.  This is where Dynamic SOCKS-based port forwarding comes into play.  Which in n0n-1337-ninj4 terms is a SSH tunnel similar to the one created in the section above, but its RemoteServer and ServicePort are dynamic, however its SourcePort remains the same.

The command for creating a dynamic tunnel is:

plink -N -P PortNumber -D SourcePort -l UserName SSHServerAddress

Creating a dynamic tunnel is a little less confusing (syntax wise) then a simple tunnel, however using it is slightly more complex.

Web Browsing Over a Dynamic Tunnel

In order to use a web browser over a dynamic tunnel, you need to be able to modify the browser's proxy settings.

In your current restricted environment you are unable to modify your school's/work's web browser (Which is Internet Explorer [boo!]) settings.  However, this isn't a problem for a ninja like yourself.  All you must do is acquire a web browser that you have full control over.  However, you can't leave any trace of using another web browser, (for it is not the ninja way) so installing a new one is out of the question.

This is where Firefox Portable (a mobile install-free version of Firefox) steps in.  Download FP from (this article covers using Firefox Portable 2.0) and extract it to a USB jump drive, or to your hard drive for later burning to a CD.

To use PF over a dynamic tunnel:

First start PF and click on "Tools" and choose "Options".  In the options windows click the button at the top labeled "Advanced", then under the "Connection" section click the button labeled "Settings...".

In the connections settings window choose the third option labeled "Manual proxy configuration:".  In the entry box next to the words "SOCKS Host" enter  In the entry box to the right of the entry box for "SOCKS Host" enter the SourcePort you used when creating your dynamic tunnel.

Make sure that SOCKS v5 is selected and then click "O.K."

PF will now send and receive all traffic over your dynamic tunnel.  However, by default PF does DNS lookups locally which can give away what you are browsing (very un-ninja-like).  To configure PF to send DNS lookups over a dynamic tunnel:

In the address bar type "about:config" and hit "Enter".  In the entry box next to the word "Filter" enter "network.proxy.socks_remote_dns".  Right-click the result and select the "Toggle" option.

Cloaking PF to Look like IE

Well, now you've got a copy of PF using a dynamic tunnel to browse the web, but PF isn't very stealthy and any passing teacher/administrator will be all over you when they see it.

As a ninja stealth is very important, so your next priority is to configure PF so that it looks like Internet Explorer.  You will need the following in order to effectively cloak your copy of PF:

Final Notes and Closing

With your new skills in Network Ninjitsu, no web filter/firewall will stand a chance.

For questions and comments you can comment me at

In case anyone cares, a RAR archive that contains: the paper, Plink, and a modified version of Portable Firefox has been uploaded to the Information Leak server.

Download (RAR - 10Mb)

All your base are belong to James Penguin