Replacing SoftEther's web page [solved and with recommendation to dev team]

superleech
Posts: 9
Joined: Tue Jul 23, 2019 9:32 pm

Replacing SoftEther's web page [solved and with recommendation to dev team]

Post by superleech » Thu Aug 15, 2019 8:24 am

In the new version of SoftEther you can actually connect to the address and port using a web browser. SoftEther's web server will greet you with information on using SoftEther and JSON administration. I thought it was really stupid to share with the world that this port is a SoftEther server and get banned pretty fast by restrictive governments. The index.html served is embedded into the hamcore.se2 file, which would need to be rebuilt. The good news is the SoftEther team implemented a way to override any file inside hamcore.se2.

What you do is, in the installation directory where your vpnserver binary exists, create a hamcore subdirectory. Everything inside this hamcore subdirectory will override any files found within hamcore.se2.

To replace the index.html, put your new index.html into: [softether install directory]/hamcore/wwwroot/index.html

Now when you connect to your SoftEther server address and port you will be greeted with your custom index.html. I have mine empty. You can put whatever you want in there or you can auto-redirect the browser to another website.


Recommendation for the SoftEther team:

Please make sure that any incoming connection must provide its username and password or certificate before SoftEther responds over this HTTPS web server. We don't want machine learning robots to figure out which ports are SoftEther servers and then shut down connections to these servers. Staying absolutely silent until the user provides their authentication prevents detection. I also want to forward non-SoftEther TCP and UDP connections to another TCP and UDP port in a config file. This would allow me to share and serve non-SoftEther clients over the same TCP and UDP ports. Machine learning robots won't be able to distinguish a web server from an authenticated SoftEther session, which would make it almost impossible to detect SoftEther.

superleech
Posts: 9
Joined: Tue Jul 23, 2019 9:32 pm

Re: Replacing SoftEther's web page [solved and with recommendation to dev team]

Post by superleech » Mon Aug 19, 2019 7:05 am

I was fine accessing the SoftEther administrative account over the Internet using the SoftEther VPN Server Manager, but after I enabled adminip.txt to prevent Internet IP addresses from connecting to the administrative account, the only way I could access the administrative account was over the private LAN. I connected into the private LAN using the SoftEther Client VPN Manager, so I now have an internal network IP address, which is served by an internal DHCP server that serves the LAN. I then use the SoftEther VPN Server Manager to connect into the internal server that's running the SoftEther VPN server. This is when I couldn't connect. SoftEther VPN Server Manager hung for a few seconds, then popped up an error message:
Connection to the server failed. Check network connection and make sure that address and port number of destination server are correct.
On the server side the error message had the same structure as this:
2018-10-09 20:04:04.274 On the TCP Listener (Port 443), a Client (IP address 86.49.244.0, Host name "ip-86-49-244-0.net.upcbroadband.cz", Port number 53477) has connected.
2018-10-09 20:04:04.274 For the client (IP address: 86.49.244.0, host name: "ip-86-49-244-0.net.upcbroadband.cz", port number: 53477), connection "CID-7" has been created.
2018-10-09 20:04:04.314 SSL communication for connection "CID-7" has been started. The encryption algorithm name is "AES128-SHA".
2018-10-09 20:04:04.345 Connection "CID-7" terminated by the cause "A client which is non-SoftEther VPN software has connected to the port." (code 5).
2018-10-09 20:04:04.345 Connection "CID-7" has been terminated.
The "A client which is non-SoftEther VPN software has connected to the port" message was very strange because I'm using SoftEther VPN Server Manager. I did a little more digging and found that on the client side the SoftEther VPN Server Manager detects if it's connected to a SoftEther VPN server by looking for one of two specific replies:

Code:

static char http_detect_server_startwith[] = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>403 Forbidden</TITLE>\r\n</HEAD><BODY>\r\n<H1>Forbidden</H1>\r\nYou don't have permission to access ";
static char http_detect_server_tag_future[] = "9C37197CA7C2428388C2E6E59B829B30";

Since the purpose of replacing the default index.html page was to be able to show any page the SoftEther VPN administrator wants, the way to do this is: as long as your index.html page contains the magic string "9C37197CA7C2428388C2E6E59B829B30" anywhere in the page, SoftEther VPN Server Manager will recognize that the web page was the response from a SoftEther VPN server and allow the connection.

After applying the above fix, I am able to connect to the SoftEther administrative account over the private LAN and you can too.


Note to developers:

As I indicated in my other post, we really need a whole new way to stealthily detect a SoftEther server. It's only a matter of time before somebody figures out the same thing I had within the span of 2 hours to detect SoftEther sessions and shut them down. I really suggest the development team investigate how they want to bring in a new stealth login mechanism.

Let me spell it out in simple terms:
1. The client shall authenticate to the server before the server may respond.
2. The server shall not respond to any SoftEther requests until the client's existence is confirmed.
3. If possible, forward unauthenticated sessions to the administrator's destination server and port.

This must be done to conceal the SoftEther server from detection. How you can conceal the client is by encrypting the client's login with the server's public key. Assume standard security practices such as inserting nonce values to randomize the client's payload content on every connection.

The third step fills the black hole. If a server connects to a TCP or UDP session but then disconnects, then you assume this is SoftEther. If the SoftEther server responds instead with the response from say a legitimate Apache web server or nginx, it's very difficult to determine if this content is encrypted HTML or SoftEther. If you're careful to also make sure that the first few bytes are the same encrypted block sizes as encrypted HTML then it's pretty difficult for a traffic analyzer or a machine learning analyzer to discriminate between HTML and VPN traffic. We win.

superleech
Posts: 9
Joined: Tue Jul 23, 2019 9:32 pm

Re: Replacing SoftEther's web page [solved and with recommendation to dev team]

Post by superleech » Mon Aug 19, 2019 7:20 am

The alternative if you don't want to paste the magic string is to reply with a 403 forbidden message. In the index.html page paste in exactly (CRLF for line feed):

Code:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>403 Forbidden</TITLE>
</HEAD><BODY>
<H1>Forbidden</H1>
You don't have permission to access this restricted server.
</BODY></HTML>

Everything starting with "this restricted server" can be changed to whatever you like. Every character from "<!DOCTYPE" to before "this restricted server" is required for the SoftEther VPN Server Manager tool to detect that the responding web page came from a SoftEther VPN server before attempting to connect to it.
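
A check for the replacement page described in the posts above, as an added example that is not part of the thread or SoftEther's own code: it tests whether a custom index.html still carries one of the two markers quoted from the Server Manager source, and flags the case where the 403 text is present but saved with LF line endings or a BOM. It assumes the Manager does the substring search and byte-exact prefix match the posts describe; `check_index_page` and the sample pages are hypothetical.

```python
import sys

# Both markers are quoted in the thread above.
DETECT_PREFIX = (
    b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\r\n'
    b"<HTML><HEAD>\r\n<TITLE>403 Forbidden</TITLE>\r\n</HEAD><BODY>\r\n"
    b"<H1>Forbidden</H1>\r\nYou don't have permission to access "
)
DETECT_TAG = b"9C37197CA7C2428388C2E6E59B829B30"
BOM = b"\xef\xbb\xbf"


def _normalize(data: bytes) -> bytes:
    """Drop a UTF-8 BOM and fold CRLF to LF, for near-miss comparison only."""
    if data.startswith(BOM):
        data = data[len(BOM):]
    return data.replace(b"\r\n", b"\n")


def check_index_page(body: bytes) -> str:
    """Hypothetical helper: classify a replacement index.html.

    Assumes a substring search for the tag and a byte-exact prefix match,
    as the posts describe. Returns 'tag', 'prefix', 'prefix-near-miss'
    or 'unrecognized'.
    """
    if DETECT_TAG in body:
        return "tag"
    if body.startswith(DETECT_PREFIX):
        return "prefix"
    # Same text but LF-only line endings or a leading BOM: the bytes differ,
    # so the byte-exact prefix match would fail.
    if _normalize(body).startswith(_normalize(DETECT_PREFIX)):
        return "prefix-near-miss"
    return "unrecognized"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], "->", check_index_page(fh.read()))
    else:
        # Constructed sample pages, not taken from a real server.
        samples = {
            "empty page": b"",
            "tag in comment": b"<html><!-- " + DETECT_TAG + b" --></html>",
            "403 with CRLF": DETECT_PREFIX + b"this restricted server.\r\n</BODY></HTML>\r\n",
            "403 saved with LF": _normalize(DETECT_PREFIX) + b"this restricted server.\n",
        }
        for name, page in samples.items():
            print(f"{name}: {check_index_page(page)}")
```

Run it with the path to `hamcore/wwwroot/index.html` before restarting the server; an empty page, as in the first post, classifies as `unrecognized`.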

abakus
Posts: 3
Joined: Thu Oct 10, 2019 6:35 pm

Re: Replacing SoftEther's web page [solved and with recommendation to dev team]

Post by abakus » Thu Oct 10, 2019 7:08 pm

Good move! And then people ask: "how did they (governments) block SE servers???" In the nearest future anyone could ask Shodan for "9C37197CA7C2428388C2E6E59B829B30" and get SE servers' IPs. =((
