Unlocking the malicious traffic within secure communication

Atul Linganwar

In today’s interconnected digital landscape, the need for secure communication over the internet is paramount. HTTPS, the secure version of HTTP, encrypts the data transferred between a client and a server, ensuring the confidentiality and integrity of that data. HTTPS helps prevent data theft and man-in-the-middle attacks, but it also lets malicious traffic directed at an organization hide behind the same encryption. To protect an organization's infrastructure from such attacks, malicious encrypted traffic has to be blocked before it enters the organization, and one of the most important capabilities of an endpoint protection product is therefore a proxy server that monitors HTTPS traffic. This article will help you understand how to implement a proxy server capable of monitoring and inspecting HTTPS traffic on the Windows operating system.

Benefits Of Using Proxy Servers

  • Traffic Monitoring: Using proxy servers, organizations can monitor and control access to resources. By configuring the proxy server, organizations can restrict access to specific websites. This can also help with network load balancing.

  • Privacy: Some proxies can hide IP addresses, which helps keep your online activities private. This is handy when visiting websites that collect user data.

  • Security: Once the proxy server receives data from the actual server, it can inspect the data for any malicious content and filter it out if detected. This significantly benefits users by protecting them from potential malicious activities.

  • Bandwidth optimization: Proxy servers can cache data, which decreases the necessity to retrieve the data repeatedly from the original servers. This not only enhances network performance but also aids in conserving bandwidth.

Different Types Of Proxy Servers

  1. Forward proxy: These are standard proxy servers that operate between endpoints and web servers. They intercept requests from browsers and relay them to the actual web servers. Similarly, they forward incoming data from web servers to the endpoints.
  2. Reverse proxy: These types of proxy servers are positioned between the internet and backend servers. They receive requests and route them to the appropriate backend servers. They are utilized for load balancing, caching, and enhancing security measures.
  3. Transparent proxy: Transparent proxy servers earn their name because users are unaware of their presence. However, the servers hosting the service can identify that the traffic is being proxied rather than coming directly from the user. They are simpler to configure and are commonly employed for tasks like content filtering and caching.
  4. Anonymous proxy: These proxies conceal the user's IP address from the server, ensuring complete privacy while accessing the internet. Anonymous proxies are frequently utilized to safeguard privacy and bypass geo-blocking restrictions.
  5. Distorting proxy: These proxies offer anonymity by changing the user's IP address while identifying themselves as proxy servers to the actual server. They are primarily used to access geo-restricted content.
  6. High anonymity proxy: This type of proxy server offers the highest level of anonymity by completely hiding all information about the client/endpoint. They periodically change the IP addresses they present to the servers, providing the most private and secure internet browsing.

To implement a proxy server on Windows, one needs to know socket programming, the OSI networking model, Windows kernel-mode programming, the various filtering layers of WFP callout drivers, and internet protocols such as TCP and UDP.

Let's proxy HTTPS traffic:

  • Understand TCP Handshake Process.
  • Write a WFP Network Filter Driver To Redirect Traffic.
  • Application (Proxy Server) Based On Socket Programming.

Understand TCP Handshake Process

SYN: It starts with the client sending the first message with the SYN (Synchronize) flag set to 1. This first message also carries a sequence number called the ISN (Initial Sequence Number). The client is thus asking the server to synchronize communication starting from the given sequence number.

SYN-ACK: If the server is able to accept the connection after receiving the client's synchronization request, it replies with a message that has the ACK (Acknowledgement) flag set to 1, acknowledging the client's SYN. In the same message it sets its own SYN flag and includes the server’s own ISN.

ACK: Finally, after receiving the SYN-ACK packet from the server, the client sends its ACK message back to the server. This message acknowledges the server's SYN packet and confirms the server's ISN. At this point the handshake is complete and the TCP/IP connection is established.
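The three-way handshake just described, checked over packet bytes. This is an added example and not code from the article: it decodes the fixed 20-byte TCP header of a constructed SYN, SYN-ACK and ACK (IP headers omitted, checksums left at zero) and verifies the rules above, i.e. the SYN-ACK must acknowledge the client's ISN+1 and the final ACK must acknowledge the server's ISN+1, with 32-bit sequence-number wraparound handled. A detector that validates handshakes in a capture would apply exactly these checks.

```python
"""Added example: parse TCP headers and validate a SYN / SYN-ACK / ACK exchange.
All packet bytes are constructed here; nothing is captured from a live network."""
import struct

# TCP flag bits (low byte of the offset/flags field at header offset 12)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
SEQ_MASK = 0xFFFFFFFF


def parse_tcp_header(segment):
    """Decode the fixed 20-byte TCP header into a dict (options are ignored)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, off_flags, win = struct.unpack("!HHIIHH", segment[:16])
    return {
        "src_port": src, "dst_port": dst,
        "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF,          # NS + the eight classic flags
        "header_len": (off_flags >> 12) * 4,  # data offset, in bytes
        "window": win,
    }


def build_tcp_header(src, dst, seq, ack, flags, window=65535):
    """Build a 20-byte TCP header (constructed sample: checksum and urgent pointer zero)."""
    off_flags = (5 << 12) | flags             # 5 x 32-bit words, no options
    return struct.pack("!HHIIHHHH", src, dst, seq & SEQ_MASK, ack & SEQ_MASK,
                       off_flags, window, 0, 0)


def check_handshake(segments):
    """Validate an ordered SYN, SYN-ACK, ACK triple; return (ok, description)."""
    if len(segments) != 3:
        return False, "expected 3 segments, got %d" % len(segments)
    syn, synack, ack = (parse_tcp_header(s) for s in segments)

    if syn["flags"] & (SYN | ACK) != SYN:
        return False, "first segment is not a pure SYN"
    client_isn = syn["seq"]

    if synack["flags"] & (SYN | ACK) != (SYN | ACK):
        return False, "second segment is not a SYN-ACK"
    if (synack["src_port"], synack["dst_port"]) != (syn["dst_port"], syn["src_port"]):
        return False, "SYN-ACK ports do not mirror the SYN"
    if synack["ack"] != ((client_isn + 1) & SEQ_MASK):
        return False, "SYN-ACK does not acknowledge client ISN+1"
    server_isn = synack["seq"]

    if ack["flags"] & (SYN | ACK) != ACK:
        return False, "third segment is not a pure ACK"
    if ack["seq"] != ((client_isn + 1) & SEQ_MASK):
        return False, "final ACK carries the wrong sequence number"
    if ack["ack"] != ((server_isn + 1) & SEQ_MASK):
        return False, "final ACK does not acknowledge server ISN+1"
    return True, "established: client ISN=%d, server ISN=%d" % (client_isn, server_isn)


def sample_handshake(client_isn=1000, server_isn=5000):
    """Constructed handshake between ephemeral port 51000 and a server on 443."""
    return [
        build_tcp_header(51000, 443, client_isn, 0, SYN),
        build_tcp_header(443, 51000, server_isn, client_isn + 1, SYN | ACK),
        build_tcp_header(51000, 443, client_isn + 1, server_isn + 1, ACK),
    ]


if __name__ == "__main__":
    print(check_handshake(sample_handshake()))
    broken = sample_handshake()
    broken[1] = build_tcp_header(443, 51000, 5000, 1000, SYN | ACK)  # acks ISN, not ISN+1
    print(check_handshake(broken))
```

The masking with `SEQ_MASK` matters: an ISN of 0xFFFFFFFF is legal, and its acknowledgement number wraps to 0, which a naive `isn + 1` comparison would flag as a broken handshake.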

For HTTPS, because the packets are encrypted, the next step is the SSL/TLS handshake:

  • Choose a version of the protocol(TLS) to use: The initial step involves determining the TLS protocol version supported by both the client and server.
  • Select a cipher suite: The client transmits its list of supported cipher suites for HTTPS packet encryption to the server. The server compares that list with its own supported cipher suites and selects the most suitable and secure one.
  • Authentication of the server’s identity: During the handshake the server presents its certificate to the client. The client then verifies the server's digital certificate against a trusted Certificate Authority (CA). If the certificate verifies successfully, the client proceeds with further communication.
  • Session keys: Ultimately, upon completion of the handshake, the client and server generate session keys to facilitate symmetric encryption of packets for subsequent communication.
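The version and cipher-suite selection steps above, worked on real handshake bytes. This is an added example, not code from the article: it assembles a constructed TLS ClientHello record, parses it the way a TLS-inspecting proxy must (record header, handshake header, offered cipher suites, the `supported_versions` extension and the Server Name Indication, which is the host name the server certificate is later checked against), and then performs the server-side choice: highest protocol version both sides support, and the first suite in the server's own preference order that the client also offered. The suite and version tables are the standard IANA values; the proxy preference lists are assumptions for the demonstration.

```python
"""Added example: build and parse a TLS ClientHello, then negotiate version and
cipher suite server-side.  The ClientHello is constructed, not captured."""
import struct

CIPHER_NAMES = {                      # IANA code points
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
}
VERSION_NAMES = {0x0304: "TLS 1.3", 0x0303: "TLS 1.2", 0x0302: "TLS 1.1", 0x0301: "TLS 1.0"}


def build_client_hello(server_name, cipher_suites, supported_versions=None,
                       legacy_version=0x0303):
    """Assemble a minimal ClientHello record (constructed test input)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # host_name type 0
    exts = (struct.pack("!HH", 0x0000, len(sni_entry) + 2)
            + struct.pack("!H", len(sni_entry)) + sni_entry)
    if supported_versions:                                             # extension 43
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        exts += struct.pack("!HH", 0x002B, len(vers) + 1) + bytes([len(vers)]) + vers
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body = (struct.pack("!H", legacy_version) + b"\x11" * 32   # 32-byte random (constructed)
            + b"\x00"                                           # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                       # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return client_version, cipher_suites, server_name and supported_versions."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    client_version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                       # skip random
    pos += 1 + body[pos]                            # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                            # skip compression methods
    info = {"client_version": client_version, "cipher_suites": suites, "server_name": None,
            # without extension 43, client_version is the highest version the client supports
            "supported_versions": [v for v in VERSION_NAMES if v <= client_version]}
    if pos + 2 > len(body):
        return info                                 # no extensions at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        if etype == 0x0000:                         # server_name (SNI)
            list_len = struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                if ntype == 0:
                    info["server_name"] = data[p + 3:p + 3 + nlen].decode("ascii")
                p += 3 + nlen
        elif etype == 0x002B:                       # supported_versions
            n = data[0]
            info["supported_versions"] = [struct.unpack("!H", data[1 + i:3 + i])[0]
                                          for i in range(0, n, 2)]
    return info


def negotiate(hello, server_versions, server_suites):
    """Server-side selection: highest common version, server-preferred common suite."""
    common = [v for v in server_versions if v in hello["supported_versions"]]
    if not common:
        raise ValueError("no common protocol version")
    version = max(common)
    tls13 = version == 0x0304
    for suite in server_suites:                     # server preference order wins
        if ((suite >> 8) == 0x13) != tls13:         # TLS 1.3 has its own suite set
            continue
        if suite in hello["cipher_suites"]:
            return version, suite
    raise ValueError("no common cipher suite")


if __name__ == "__main__":
    hello = parse_client_hello(build_client_hello(
        "www.example.com", [0x1302, 0x1301, 0xC02F, 0x002F], [0x0304, 0x0303]))
    v, s = negotiate(hello, [0x0304, 0x0303], [0x1301, 0xC02F, 0xC013])  # assumed proxy policy
    print(hello["server_name"], VERSION_NAMES[v], CIPHER_NAMES[s])
```

Two details worth noticing: the selection loop honours the server's order, not the client's, so a policy that lists only modern suites cannot be talked down to RC4 or plain RSA key exchange by a client that offers them first, and a client with no `supported_versions` extension is handled through the legacy `client_version` rule rather than rejected.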

Write a WFP Network Filter Driver To Redirect Traffic

Another essential component for packet redirection is a kernel-mode network filter driver. For network driver development Windows provides two frameworks, WFP (Windows Filtering Platform) and NDIS (Network Driver Interface Specification), of which WFP is the newer. WFP provides various layers for packet filtering, such as the ALE layers, transport layers and network layers. These layers correspond to OSI layers and to socket programming calls such as connect(), bind() and listen(). If you are familiar with client and server socket programming: when a client wants to establish a connection with a server, it calls connect(). This is the application layer, and on the WFP side the corresponding ALE layers are present.

  • FWPM_LAYER_ALE_AUTH_CONNECT_V4/6 == TCP connect() call
  • FWPM_LAYER_ALE_AUTH_LISTEN_V4/6  == TCP listen() call
  • FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4/6 == TCP accept() call
  • FWPM_LAYER_ALE_CONNECT_REDIRECT_V4/6
  • FWPM_LAYER_ALE_BIND_REDIRECT_V4/6

The last two layers allow packet modification, through which the source or destination address can be changed.

TCP packet redirection occurs at the FWPM_LAYER_ALE_CONNECT_REDIRECT_V4/6 layer. The driver registers its callout at this layer, and from the callout it can rewrite the destination IP address and port number to those on which our proxy server is running.

Application (Proxy Server) Based On Socket Programming

  • The next step is to develop an application using OpenSSL and socket programming that serves as a server for the client and as a client for the real server.
  • The primary obstacle in implementing this solution lies in the browser's certificate validation during the handshake. The browser verifies the authority that issued the certificate and checks the Common Name (CN) embedded in it. While obtaining a certificate from a trusted authority is feasible, changing the CN in the certificate dynamically for each new connection is the challenge. OpenSSL APIs allow the CN to be extracted from the certificate presented by the actual server; the extracted CN is then used to construct the certificate presented to the client, so that the handshake completes successfully.
  • When the client initiates an internet connection, the network filter driver intercepts the call and redirects it to our user-mode proxy server. The proxy server then parses the packet to extract the URL of the website requested by the client. With the URL in hand, the proxy server acts as a client and establishes a new connection with the actual server (website). Once that connection is established, the proxy server retrieves the data from the server and presents it to the client/browser. Throughout this process, all traffic is routed through the proxy server.
  • This sequence repeats for each new connection or handshake. Because every connection passes through it, the proxy can collect the traffic and data for analysis before forwarding it to the client, which is what makes it function as a secure web proxy.
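The certificate step above (reading the CN from the real server's certificate and reusing it in the certificate the proxy presents), worked without depending on an OpenSSL binding. This is an added example and not the article's code: it walks DER-encoded X.509 structure by hand, locates the Subject Name and its commonName attribute (OID 2.5.4.3), and builds the Subject Name for the replacement certificate. The certificate it parses is a constructed DER skeleton with a dummy key and signature, assumed only for the demonstration; the same `cert_names()` walk works on a real server certificate in DER form. Signing the replacement with the proxy's own CA key is left to OpenSSL, and the whole scheme only works on endpoints where that proxy CA has been installed as trusted by the organization.

```python
"""Added example: extract the Subject CN from a DER X.509 certificate and build the
Subject Name for the proxy's replacement certificate.  Test certificate is constructed."""
OID_CN = bytes.fromhex("550403")                   # 2.5.4.3 commonName
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11


def der(tag, content):
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def tlv(data, pos=0):
    """Decode the TLV at pos -> (tag, content, position after it)."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nb = first & 0x7F
        length, hdr = int.from_bytes(data[pos + 2:pos + 2 + nb], "big"), 2 + nb
    start = pos + hdr
    return tag, data[start:start + length], start + length


def children(content):
    """All TLVs directly inside a constructed value, as (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = tlv(content, pos)
        out.append((tag, body))
    return out


def make_name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single CN (UTF8String)."""
    atv = der(0x30, der(0x06, OID_CN) + der(0x0C, cn.encode("utf-8")))
    return der(0x30, der(0x31, atv))


def name_cn(name_content):
    """Return the commonName in a Name's content bytes, or None if absent."""
    for _, rdn in children(name_content):           # each SET (RDN)
        for _, atv in children(rdn):                # each SEQUENCE (type, value)
            parts = children(atv)
            if len(parts) == 2 and parts[0] == (0x06, OID_CN):
                return parts[1][1].decode("utf-8")  # PrintableString or UTF8String
    return None


def cert_names(cert_der):
    """Certificate -> tbsCertificate -> (issuer CN, subject CN)."""
    _, cert, _ = tlv(cert_der)
    _, tbs, _ = tlv(cert)                           # first element of Certificate
    fields = children(tbs)
    if fields and fields[0][0] == 0xA0:             # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber(0), signature(1), issuer(2), validity(3), subject(4), spki(5)
    return name_cn(fields[2][1]), name_cn(fields[4][1])


def make_certificate(issuer_cn, subject_cn):
    """Constructed certificate skeleton: real layout, dummy key and dummy signature."""
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))                          # version v3
              + der(0x02, b"\x01")                                   # serial 1
              + der(0x30, der(0x06, OID_SHA256_RSA))                 # signature algorithm
              + make_name(issuer_cn)
              + der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
              + make_name(subject_cn)
              + der(0x30, der(0x04, b"\x00" * 8)))                  # placeholder SPKI
    sig_alg = der(0x30, der(0x06, OID_SHA256_RSA))
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" * 33))       # placeholder signature


def clone_subject_for_proxy(server_cert_der, proxy_ca_cn):
    """What the proxy needs to mint its replacement: the real CN under the proxy CA."""
    _, cn = cert_names(server_cert_der)
    if cn is None:
        raise ValueError("server certificate has no commonName")
    return {"issuer_cn": proxy_ca_cn, "subject_cn": cn,
            "subject_der": make_name(cn), "openssl_subj": "/CN=" + cn}


if __name__ == "__main__":
    real = make_certificate("Example Root CA", "www.example.com")     # constructed
    print(cert_names(real))
    print(clone_subject_for_proxy(real, "Proxy Inspection CA")["openssl_subj"])
```

The `openssl_subj` string is in the form `openssl req -subj` accepts, which is one way to hand the extracted name to the OpenSSL toolchain for signing under the proxy CA. One caveat for anyone building this today: current browsers validate the host name against the subjectAltName extension and ignore a CN that is not also present there, so the replacement certificate must carry the name as a SAN as well.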

Conclusion:

In summary, a proxy server intercepts client requests to access the internet, redirects them for processing, and establishes connections with remote servers on behalf of the client. It acts as an intermediary between clients and servers, allowing for traffic inspection, filtering, and caching. By analyzing and modifying requests and responses, proxy servers can enhance security, improve performance, and facilitate content control. Additionally, they can enable anonymity and privacy by masking the client's IP address. Overall, proxy servers play a crucial role in managing network traffic and ensuring efficient and secure communication between clients and servers.
