Poor Man's Unbreakable Encrypted TCP Tunnel

  • Posted on: 7 March 2015
  • By: siteadm

Since it has been long time I didn't write something, I decided to find something to write about. I was planning to write about one of my findings while I was doing some penetration testing for a customer. I found an interesting vulnerability in a ColdFusion written web site of the client, it took me quite some time to successfully gain full control of the server by leveraging the bug. This portal was in use for long time and a lot of people have tested it and checked it for vulnerabilities, but it seems that all of them missed my finding. Anyway, don't get too excited as my employer didn't give me permission to talk about it at all. Not even a hint. Yes, nothing.

So as I can't talk about that project and my finding, I decided to check my stash and share one of my tools which I use for quite some time. I love this tool and I wasn't planning on releasing it, because I was thinking that in addition to strong encryption I was using, even my crypto-system would remain unknown, so I would enjoy strongest encryption possible for my privacy. But as I trust my system and the way I use and manage it, so I'll release the tool to public.

All the story started with a NAS. I know that so many good stories began with a NAS, but this one is special... I bought this NAS quite some time ago and since then I'm using it for everything! For storing my codes, family photos, documents, copies of ID cards, bills, prints, scans, statements, etc. So literally, everything!

Of course all the data in the NAS is encrypted, I just bought this particular NAS just because it had built-in encryption feature. But it is not a big deal, because once you boot it, data is decrypted, that's how user would be able to access the files in it. The encryption would be useful to stop a thief who stole your hard disks, nothing more. Because your NAS will be running 24x7 and it does have the decryption key while running.
This being said, I beleive all the NAS devices are vulnerable, there is public and private vulnerabilities for all of them. So, as I have all my data on this NAS, I would never enable remote access to it, even with SSL. Yes, I don't trust technology and yes, I'm paranoid. So I just use it on my local home network, internally, without internet.

But I wasn't able to live like that for long time. As days passed, I kept having issues with this situation. On several occasions, I needed some files in the NAS when I was outside and I wasn't able to do so, because there was no remote access available to my NAS. So I decided to take the matters into my own hands. As a person with several years of infosec experience, some experience with cryptography and ability to write codes in multiple programming languages, I should be able to solve my own communication problems.

As a paranoid person about all encryption algorithms and available implementations of them, such as SSL/SSH, I needed something really secure and hard to break, something of my own, something at least I can run safely and sleep without waking up in the middle of the night thinking about the guy with a zero day going through my NAS.

For this purpose, I remembered Vernam cipher, the only unbreakable cryptosystem known. Yes, this encryption algorithm is unbreakable, but implementation and using it for daily purposes is really hard. You need to have one time pads, manage them yourself and also they should be huge enough for all the data you want to encrypt. So for a good Vernam implementation and making it literally unbreakable, you should never reuse any OTP data. As the name suggests, it should be "one time pad". So if you are going to send/receive 1 GB of data, you need to have a unique 1GB data as key.

Therefore, I designed Vernam-Tunnel. A cross-platform, multi-thread, TCP tunnel software that uses Vernam cipher to encrypt/decrypt data. You can compile Vernam-Tunnel on all major operating systems. It should be fast enough to support multiple clients at once using threads. Only remaining issue is the "pad" or the "key". Everyone can come up with their own methods and ways of managing and using the "pad"s, but here is my way:

- Generate a huge file: You can copy all files in a drive to a single file, you can compress all files in a single file, you can randomly generate a huge file, and... Then you can encrypt it using a large key and a strong encryption algorithm. You won't need to remember the key at all, so just type a long password and encrypt your file using 7z AES, using openssl command (openssl enc -aes-256-cbc ....), using Truecrypt to create an encrypted storage, and... You can use anything you want. Just generate a huge enough file.

So for my case, when I go outside, like when I'm at work, let's say maximum amount of data transfer I would expect during the day would not exceed 1GB, so I generate a 2GB of key.

Also you can do it once a week or month. Simply buy a 256GB USB drive, encrypt the whole drive and have a copy of the encrypted file in your NAS/Computer, every day, when you want to run Vernam-Tunnel, specify the starting point with --start-pos switch. Everyday change the --start-pos on server and on your laptop outside of home. Only thing you need to take note everyday is just the "pad" starting position from the key file.

So if you keep changing the starting position of your huge pad file, you are secure. Also once in a while change the entire key file.

- Run vernam-tunnel on your device at data source network. General syntax for running vernam-tunnel:

vernamtunnel --local-port=443 --remote-host=NASServer --remote-port=443 --key-file=/media/Encrypted --start-pos=6482691749

So I restart vernam-tunnel once a day and each time I define a new start-pos. Everytime I start it, I just take note of starting position and I make sure I have my USB key with myself. Also enable port forwarding on your internet modem/router to your computer's 443 port. I usually do not enable port forwarding on my internet modem on a popular port like 443. I use high and unknown port numbers such as 18734

Then at secondary (outside, insecure) location, run your software from USB along with the key file in it:

vernamtunnel.exe --local-port=443 --remote-host=MYINTERNETIP --remote-port=18734 --key-file=F:\Encrypted --start-pos=6482691749

Now in my browser, if I navigate to https://localhost, I'll see my NAS https interface.

Here is the overall schema of my system:

Diagram 1: My terrible designing skills being demonstrated

So basically, my internet modem doesn't have any open port. I closed all services and I don't have any remote-access services running. For this NAS access project, I opened one port to forward any incoming data to vernam-tunnel running on my computer (or NAS or BeagleBoard or Raspberry, etc.). You can compile vernam tunnel to run on these devices. I managed to compile my code in NAS which is running a custom Linux (ARM).

So I've tested it with SSH, VNC, Microsoft RDP and HTTPS. Your needs may be different, but it perfectly works for my needs. I can run vernamtunnel to have remote VNC access, SSH access, HTTPS server access, etc.

Only thing I need is a jus a USB drive. It does have compiled vernam-tunnel with the key inside. Also I have a pad starting-pos, which to be honest, I'm usually lazy and I leave it blank so default is always 0 (beginning of the file).

When you are using this tool, attacker wouldn't be able to guess the protocol running on the open port of your IP. Because data input from attacker will be encrypted with pad before being sent to real server and result will be returned to attacker, again, encrypted with the pad.



To compile and use it in *nix operating systems, just do:

make clean


If you want to compile it in Linux, but run it on Windows:

apt-get install wine mingw32 mingw32-binutils mingw32-runtime

make clean

make -f Makefile.WinInLinux

If you want to compile it in Windows and run it on Windows, you need to install Mingw or Cygwin, then in msys, just type:

make clean

make -f Makefile.MinGW32

Enjoy my fellow paranoid friends...


TL;DR: https://github.com/codeandsec/VernamTunnel




Because the internet access was censored and blocked by China GFW firewall, we cannot visit google, twitter etc. directly, thus we need proxy service to bypass GFW.
My question is whether Vernam Tunnel can be deployed on a VPS to work as a proxy server, and build a encrypted tunnel between VPS server and our client PC machine, just similar to Shadowsocks ?
If yes, How to config VernamTunnel on VPS and let it work as a proxy server, and how to config on client machine?

Add new comment

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
Enter the characters shown in the image.