Just for fun I downloaded UltraSurf and made a connection from Windows XP (installed in
VMware). I watched the traffic to the SSL port from the UltraSurf Windows XP client.
I got a Secure Socket Layer data pattern for the handshake protocol "Client Hello".

This is the pattern captured with a sniffer and processed by Wireshark; what is shown
is the data bytes by offset (hex and ASCII).

SSL Handshake Protocol: Client Hello

IP: 65.49.14.52
0000   16 03 01 00 41 01 00 00 3d 03 01 4b c6 fb 06 9e  ....A...=..K....
0010   3c c7 10 de b8 24 93 43 76 bb 4e 0a 4d de 04 5f  <....$.Cv.N.M.._
0020   2b 48 a4 ed 59 5a 22 0c 56 00 7c 00 00 16 00 04  +H..YZ".V.|.....
0030   00 05 00 0a 00 09 00 64 00 62 00 03 00 06 00 13  .......d.b......
0040   00 12 00 63 01 00                                ...c..

IP: 114.44.124.59
0000   16 03 01 00 41 01 00 00 3d 03 01 4b c6 fa fd 9c  ....A...=..K....
0010   8a bd 18 c4 f7 ae b9 b5 64 33 01 69 64 71 54 04  ........d3.idqT.
0020   16 c5 4c 59 3c 1a 25 bb ea 03 ec 00 00 16 00 04  ..LY<.%.........
0030   00 05 00 0a 00 09 00 64 00 62 00 03 00 06 00 13  .......d.b......
0040   00 12 00 63 01 00                                ...c..

IP: 118.171.70.169
0000   16 03 01 00 41 01 00 00 3d 03 01 4b c6 fd 19 75  ....A...=..K...u
0010   52 92 24 7e 16 07 0e 91 27 c0 7d b2 4f 74 ac 38  R.$~....'.}.Ot.8
0020   cc 77 00 02 7a 77 6b 6d 00 28 87 00 00 16 00 04  .w..zwkm.(......
0030   00 05 00 0a 00 09 00 64 00 62 00 03 00 06 00 13  .......d.b......
0040   00 12 00 63 01 00                                ...c..

IP: 59.121.209.139
0000   16 03 01 00 41 01 00 00 3d 03 01 4b c7 03 91 f8  ....A...=..K....
0010   b9 f9 99 c0 f1 e5 53 20 a5 af 73 69 12 50 d9 d4  ......S ..si.P..
0020   ec c7 8e b3 c0 26 b3 b4 27 d8 3d 00 00 16 00 04  .....&..'.=.....
0030   00 05 00 0a 00 09 00 64 00 62 00 03 00 06 00 13  .......d.b......
0040   00 12 00 63 01 00                                ...c..

IP: 66.245.218.108
0000   16 03 01 00 41 01 00 00 3d 03 01 4b cd 6f cb 2f  ....A...=..K.o./
0010   72 e4 c2 ca 2c eb eb 25 38 a6 97 41 9a 4a 3d 6b  r...,..%8..A.J=k
0020   5c 61 77 d8 3d f1 87 aa e3 d1 59 00 00 16 00 04  \aw.=.....Y.....
0030   00 05 00 0a 00 09 00 64 00 62 00 03 00 06 00 13  .......d.b......
0040   00 12 00 63 01 00                                ...c..

IP: 65.49.2.15
0000   16 03 01 00 41 01 00 00 3d 03 01 4b c6 f7 e6 5d  ....A...=..K...]
0010   5d bc 83 49 6a 0b 30 3b 5d 4d dc b4 eb 07 a2 c8  ]..Ij.0;]M......
0020   f4 9b 73 b9 dc d8 f3 65 b0 5a ee 00 00 16 00 04  ..s....e.Z......
0030   00 05 00 0a 00 09 00 64 00 62 00 03 00 06 00 13  .......d.b......
0040   00 12 00 63 01 00                                ...c..

Generalization (taken from the traffic to IP 65.49.2.15)

SSL
TLSv1 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)            : 16
Version: TLS 1.0 (0x0301)               : 0301
Length: 65                              : 0041
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)        : 01
Length: 61                              : 00003d
Version: TLS 1.0 (0x0301)               : 0301
Random                                  : 
4bc6fb069e3cc710deb824934376bb4e0a4dde045f2b48a4ed595a220c56007c
Session ID Length: 0                    : 00
Cipher Suites Length: 22                : 0016
Cipher Suites (11 suites)               : 
00040005000a00090064006200030006001300120063
Compression Methods Length: 1           : 01
Compression Methods (1 method)          : 00

Pattern used:
  16030100410100003d0301

Put this into iptables:

iptables -A OUTPUT -p tcp --dport 443 -m string --hex-string '|16 03 01 00 41 01 00 00 3D 03 01|' --algo bm -j LOG --log-prefix "ultrasurf: "

dmesg output:
[15671.107102] ultrasurf: IN= OUT=eth1 SRC=172.16.2.62 DST=220.136.214.27 LEN=122 TOS=0x00 PREC=0x00 TTL=64 ID=25853 DF PROTO=TCP SPT=37293 DPT=443 WINDOW=92 RES=0x00 ACK PSH URGP=0
[15679.664967] ultrasurf: IN= OUT=eth1 SRC=172.16.2.62 DST=65.49.14.13 LEN=122 TOS=0x00 PREC=0x00 TTL=64 ID=1374 DF PROTO=TCP SPT=47758 DPT=443 WINDOW=92 RES=0x00 ACK PSH URGP=0
[15693.381204] ultrasurf: IN= OUT=eth1 SRC=172.16.2.62 DST=65.49.14.12 LEN=122 TOS=0x00 PREC=0x00 TTL=64 ID=54363 DF PROTO=TCP SPT=47003 DPT=443 WINDOW=92 RES=0x00 ACK PSH URGP=0

Once sure, drop packets with that pattern:

iptables -A OUTPUT -p tcp --dport 443 -m string --hex-string '|16 03 01 00 41 01 00 00 3D 03 01|' --algo bm -j DROP

The UltraSurf client on Windows only gets as far as the status "Contacting Server".

While iptables was running, I opened several SSL sites and could get in:

Yahoo webmail
Gmail webmail
Hotmail webmail
https://ubuntu
https://register.pandi.or.id/domain
https://ib.bankmandiri.co.id
https://ibank.klikbca.com

# iptables -L OUTPUT -nv
Chain OUTPUT (policy ACCEPT 3514K packets, 2130M bytes)
 pkts bytes target     prot opt in     out     source               destination
  597 71946 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 STRING match "|16030100410100003d0301|" ALGO name bm TO 65535

-- 
Arief Yudhawarman
http://awarmanf.wordpress.com
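As an added example (not part of the original post): a Python parser for the ClientHello dumped above, the same 11-byte prefix test the iptables --hex-string rule performs, and a stricter test that also requires the captured cipher-suite list; OTHER_HELLO is a constructed ClientHello from a different TLS 1.0 client, included to show that the prefix encodes only versions and lengths.

```python
import struct
# Captured ClientHello quoted in the post (traffic to 65.49.2.15), hex only.
ULTRASURF_HELLO = bytes.fromhex(
    "16030100410100003d03014bc6f7e65d5dbc83496a0b303b5d4ddcb4eb07a2c8"
    "f49b73b9dcd8f365b05aee00001600040005000a000900640062000300060013"
    "001200630100"
)
# The 11 bytes the post's iptables rule matches: record header, handshake header, version.
ULTRASURF_PREFIX = bytes.fromhex("16030100410100003d0301")
# Cipher-suite list present in every dump in the post (11 suites = 22 bytes).
ULTRASURF_SUITES = [0x0004, 0x0005, 0x000A, 0x0009, 0x0064, 0x0062, 0x0003, 0x0006, 0x0013, 0x0012, 0x0063]
# Constructed: another TLS 1.0 client, 11 different suites, no session ID, no extensions.
OTHER_HELLO = bytes.fromhex("16030100410100003d0301" + "11" * 32 + "000016"
                            + "002f0035000a00330039001600130004000500090015"
                            + "0100")

def parse_client_hello(data: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello into its fields."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_ver, rec_len = struct.unpack("!HH", data[1:5])
    body = data[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated ClientHello")
    p = 34  # skip the 2-byte client version and the 32-byte random
    sid_len = hs[p]; p += 1
    session_id = hs[p:p + sid_len]; p += sid_len
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
    suites = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    cm_len = hs[p]; p += 1
    return {"record_version": rec_ver, "record_length": rec_len, "handshake_length": hs_len,
            "client_version": struct.unpack("!H", hs[0:2])[0], "random": hs[2:34],
            "session_id": session_id, "cipher_suites": suites,
            "compression_methods": list(hs[p:p + cm_len])}

def matches_prefix(data: bytes) -> bool:
    """Same test as the iptables rule: the fixed 11-byte prefix only."""
    return data.startswith(ULTRASURF_PREFIX)

def matches_suites(data: bytes) -> bool:
    """Stricter: the prefix plus the exact cipher-suite list captured in the post."""
    try:
        return matches_prefix(data) and parse_client_hello(data)["cipher_suites"] == ULTRASURF_SUITES
    except ValueError:
        return False
```

Any TLS 1.0 client that sends no session ID, no extensions and exactly 22 bytes of cipher suites produces the same 11-byte prefix, so the LOG step above is worth running against normal traffic for a while before switching the rule to DROP.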
