In the previous post: http://www.room362.com/blog/2012/8/11/let-me-out-of-your-net-workndashintro.html I told you about letmeoutofyour.net, but how does it work?

Things we need to accomplish on the server:

  1. Listen on all ports
  2. Answer for all hostnames and subdomains
  3. Answer for all HTTP verbs, file and folder requests

ONE: Listen on all ports

(I used Linux, so this guide is for such, modifications to other OSs is up to the reader)

First you have to get rid of all other services. That’s harder than you would first assume, because you have to admin the box some how. You could toss SSH on a really high port, or have some kind of backend management, or just remove things from running on a multi-IP’d box. It would be impossible in this post to describe every way this is done so I’ll leave it to you to research.

Once you have everything gone, install and start Apache or your favorite web server for Linux. Then run this very simple command that I stole from a commenter on the “Forcing Payloads Through Restrictive Firewalls” post:

iptables -t nat -I PREROUTING -p tcp -m state --state NEW -d 192.168.1.1 -j DNAT --to 192.168.1.1:80

Where ‘192.168.1.1’ is the IP address of your box. IPv4 NATing just allowed you to listen on every single port by forwarding them all to port 80. That simple. Don’t make the mistake I did and forget to set up alternative management before you set that rule, because if you don’t you’ll be forced to find one.

TWO: Answer for all hostnames and subdomains

This is pretty easy, DNS has the concept of a wildcard hostname. You simply put an asterisk * in the place of where you would normally put a WWW however you manage your DNS and you’re good. You will also want to add a second record, an ‘@’ is used to reference the domain without a host or subdomain. So the first records makes it answer for things like http://blah.letmeoutofyour.net and the second for http://letmeoutofyour.net/ – Pretty simple ya?

THREE: Answer for all HTTP verbs, file and folder requests

This is pretty simple as well. Apache’s mod_rewrite to the rescue. Here are the rules:

RewriteEngine on       
RewriteCond %{REQUEST_METHOD} ^(.*)        
RewriteRule .* index.html [QSA,L]        
RewriteCond %{DOCUMENT_ROOT} !-f        
RewriteRule ^(.*)$ index.html [QSA,L]

You can either apply this in an .htaccess file or directly in the site configs, up to you.

And that’s it. It all seems really simple, but took me a good amount of time putting it all together. Next up, binaries and call backs that use this to wriggle their way out of networks.

P.S.

This setup throws web scanners through a loop, and if you wanted to be REALLY nasty you could have a bit of php make the index page be an endless 302 or have w00w00t linked to a random page / folder which is generated each time it’s requested.