Safe Connect Bypass

{ .NET C# / Personal Idea / June 2008 }

Safe Connect is a Network Access Control (NAC) system designed to ensure all users on a network are authenticated and follow specific network policies (including but not limited to: specific anti-virus, Microsoft patches, and even P2P restrictions).  It works by requiring a non-authenticated user to authenticate on a custom login portal and then install a “Policy Key Application” which scans your computer for the required network policies and updates the “Policy Enforcer” as to your authenticated condition.

This system is poorly designed and poorly implemented. Even those who have the “Policy Key Application” running are still sometimes required to install it again. Even so, some people just don’t want their privacy invaded; who knows what this application is reporting back?

Therefore, I present to you a solution: Safe Connect Bypass.

How it Works

The concept is pretty simple. Safe Connect cannot block a user who is using an up-to-date operating system that does not have a Safe Connect “Policy Key” application. In most cases, Linux is the answer.

After examining different methods to “pose” as a Linux computer (MAC address, OS fingerprint, etc.), it turned out that the browser identification string (the User-Agent header) was the mechanism Safe Connect used to identify operating systems. Therefore, change your user-agent and Safe Connect will believe whatever operating system the string claims.

There are numerous ways to fake your user-agent: use wget, a Firefox add-on, PHP, Perl, or any decent programming language.

The steps required to bypass Safe Connect are pretty simple, but the road is a little bumpy. Before using the Internet Safe Connect-free, you first have to make a few connections. Any connection you make will return an HTTP 301 Permanent Redirect (which is so not the right status code to use) to the network’s custom login page. This is where you need to log in. If you pass correct credentials, you should jump freely onto the Internet without the need for a SafeConnect client.
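Seen from the NAC side, the weakness in this section is that a client-supplied header alone decides whether the policy agent is required. The following is an added example, not code from the original post or from Safe Connect: a minimal consistency check that compares the OS claimed in the User-Agent with a coarse network-side signal (the TTL of the client's SYN). The record fields, decision labels and sample data are assumptions constructed for illustration.

```python
import re

# Constructed sample: per-client records a captive portal could log.
# Field names and the decision labels below are assumptions for this sketch.
SAMPLE_CLIENTS = [
    {"ip": "10.0.0.11", "syn_ttl": 63,
     "ua": "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.3) "
           "Gecko/2008092510 Ubuntu/8.04 (hardy) Firefox/3.0.3"},
    {"ip": "10.0.0.12", "syn_ttl": 127,
     "ua": "Mozilla/5.0 (X11; U; Linux i686; en-US) Firefox/3.0.3"},
    {"ip": "10.0.0.13", "syn_ttl": 127,
     "ua": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"},
    {"ip": "10.0.0.14", "syn_ttl": 62, "ua": ""},
]

UA_FAMILIES = (("windows", re.compile(r"Windows NT|Win32|Win64")),
               ("linux", re.compile(r"Linux|X11")))

def ua_family(ua):
    """OS family the browser *claims*; fully client-controlled."""
    for family, pattern in UA_FAMILIES:
        if pattern.search(ua or ""):
            return family
    return "unknown"

def ttl_family(observed_ttl):
    """Coarse network-side guess: hops only decrement the initial TTL
    (commonly 64 on Linux, 128 on Windows), so round up to the nearest one."""
    if observed_ttl <= 64:
        return "linux"
    if observed_ttl <= 128:
        return "windows"
    return "unknown"

def admission_decision(client):
    claimed = ua_family(client["ua"])
    observed = ttl_family(client["syn_ttl"])
    if claimed == "unknown":
        return "login-unclassified"   # no usable claim: never auto-exempt
    if claimed != observed:
        return "review-mismatch"      # header and network signal disagree
    return "login+agent" if claimed == "windows" else "login-only"

def decisions(clients=SAMPLE_CLIENTS):
    return {c["ip"]: admission_decision(c) for c in clients}

if __name__ == "__main__":
    for ip, verdict in decisions().items():
        print(ip, verdict)
```

TTL is a single coarse signal that the client can also change, so agreement between the two should be treated as necessary for an agent exemption, not sufficient.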

History

  • 1 May 2008 – Removed code and executable
  • 8 December 2008 – v2.2 – Updated to iPhone 2.2 user-agent
  • 11 October 2008 – v2.0 – Changed to iPhone user-agent
  • 25 June 2008 – v1.3 – Announces when trying
  • 23 June 2008 – v1.2 – Set to fail after 10 tries
  • 18 June 2008 – v1.0 – First Release

Links/Resources

16 Comments

  1. aC23  •  Dec 24, 2008 @2:19 pm

    Tried all methods recommended here, none worked.

  2. St. John  •  Dec 24, 2008 @4:58 pm

    I’m away from my college campus for the holidays. But I should be back sometime next week. Let me get a Linux user-agent that passes through my college’s Safe Connect and I will update the program to work with it.

    Did you try using the User-Agent Switcher and adding your own user-agents to it? Try adding different Linux ones (they don’t have a client program for that) and trying to load your home page over and over again (don’t use the refresh button).

    Try this one:
    Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.3) Gecko/2008092510 Ubuntu/8.04 (hardy) Firefox/3.0.3

  3. Heartburn Home Remedy  •  Apr 15, 2009 @8:05 am

    I follow your blog for quite a long time and must tell that your posts are always valuable to readers.

  4. s.m.s.  •  Aug 25, 2009 @9:16 am

    I tried using useragent switcher firefox extension (with a firefox 3.5/ubuntu 9.04 useragent) but the safeconnect NAC put up a page telling me “An anomaly has been detected on your computer by the Network Access Control (NAC) system. Your computer appears to be running [Windows] but it is reporting into the NAC as [Linux].” I am sure the useragent is not wrong, because I got it from a site that indexes genuine useragents. It seems the safeconnect software has adapted to identify spoofed useragents. Any ideas on getting around it again?

  5. leyne  •  Aug 27, 2009 @1:40 am

    Hey, I am interested in how you found out how the whole thing works! I found out how to bypass the safeconnect while experimenting, but I was wondering if bypassing safeconnect would still show the servers what applications and programs I am running. I understand that safeconnect encrypts all packets sent out, so I want to also know if by bypassing safeconnect, will my information on the internet be easily sniffed? Also, is there a way to get BitTorrent running? They seem to have blocked all ports =[

  6. St. John  •  Aug 27, 2009 @10:33 am

    S.M.S.,

    It sounds like they upgraded their systems! Don’t worry. In my research, I found that they simply monitored the User-Agent of the browser that was passed to their NAC web server. It appears they added an additional check.

    I would monitor the network traffic (Wireshark or Firebug) and look for any transitional pages that might contain Java, Javascript, or Flash code. Those browser tricks can be easily bypassed by intercepting or blocking the scripts (Firefox -> Options -> Content).

    If you can’t find anything, I can only suspect they are “Fingerprinting” your TCP Stack. Such a method would be difficult to fool, but possible to deny. See this link for more information.

    Good luck! And report back what you find!

  7. St. John  •  Aug 27, 2009 @10:53 am

    Leyne,

    SafeConnect is designed to protect the network and its users from infected clients. Depending on your local IT department, the SafeConnect software that you are required to install should report back what Anti-Virus, Anti-Malware, and Anti-Whatever you have running. It can then restrict you from accessing the network if you are not properly protected. This was the intended design.

    The software has the capability to restrict you from using the network if you don’t have the right software, version of windows, AIM client, whatever. In fact, it should be able to report what software you have installed and/or running. This is why I don’t trust it.

    Without the software on the computer, e.g. if you bypass the OS detection and trick it into thinking you are a Linux machine, they will only be able to identify what ports you have open and possible services associated with those ports. I doubt the SafeConnect NAC is that advanced and/or cares that much to do so.

    I’m not sure if SafeConnect encrypts YOUR traffic, I think it only encrypts ITS traffic (current installed software, user activity, reporting stuff, etc.). So either way, your traffic is still easily interceptable (sp?).

    If you are really worried about people monitoring your internet traffic passively (without software on your computer), I recommend tunneling your traffic through some trusted VPN or SSH connection. You can host your own VPN server off your home network connection with DD-WRT or any Linux server (same with SSH).

    And if you cannot access BitTorrent, I can only assume they blocked the ports/IPs of the Trackers, as the connections to the peers should appear as normal TCP traffic (assuming you enabled encryption in your BitTorrent client). Your best bet would be to SSH Tunnel ONLY the tracker connections. For example, make the tracker connections from your home ISP and all the BitTorrent traffic through your school/work ISP. Look into SSH Tunneling and Tracker Proxying.

    Good Luck, and don’t be doing anything illegal! :D

  8. Mike  •  Sep 10, 2009 @7:31 pm

    Hi,

    I have tried both the user agent and spoofing my TCP fingerprint but neither are working. Any suggestions at what they might be doing?

  9. s.m.s.  •  Sep 24, 2009 @2:51 pm

    John: You asked me to report back, so here I am. It seems like they are fingerprinting the TCP stack, because obfuscating the TCP fingerprint got me past the NAC. OSfuscate has an option to change the fingerprint, so if this program is used, useragent switcher should also be used, to ensure that there is no discrepancy between the TCP fingerprint and the browser’s useragent.

  10. CONTRA>  •  Nov 11, 2009 @3:28 pm

    At colleges, they usually implement safeconnect as allowing all game consoles by default. In order to bypass even the login requirements, I used sec_cloak (http://www.irongeek.com/downloads/sec_cloak.zip) to alter my TCP/IP fingerprint to that of a playstation 2, and then used Firefox’s user-agent switcher to imitate a Playstation 3, and they never even knew the difference. Hope that helps you all.

    If you want to test the efficacy of a solution, but are not connected to a safeconnect network, try this: http://lcamtuf.coredump.cx/p0f-help/

  11. CONTRA>  •  Nov 11, 2009 @3:34 pm

    Not sure why the exec was removed, but this is one of the first google results for “bypass safeconnect” so it should at least have a working solution. At colleges, they usually implement safeconnect as allowing all game consoles by default. In order to bypass even the login requirements, I used sec_cloak (http://www.irongeek.com/downloads/sec_cloak.zip) to alter my TCP/IP fingerprint to that of a playstation 2, and then used Firefox’s user-agent switcher to imitate a Playstation 3, and they never even knew the difference. Hope that helps you all.

    If you want to test the efficacy of a solution, but are not connected to a safeconnect network, try this: http://lcamtuf.coredump.cx/p0f-help/

  12. Amjad Makhlouf  •  Nov 16, 2009 @8:15 am

    even cooler than using the user-agent of a browser on linux, you can spoof the user-agent of a game console and not even be prompted to login with credentials. i simply put “Wii” as my user-agent in firefox and was able to have completely anonymous internet. my university has taken it upon themselves to ban me from the internet for using BitTorrent, so this was my only recourse. Good luck guys!

  13. Amjad Makhlouf  •  Nov 16, 2009 @8:17 am

    also, when they MAC ban you, simply use a program like TMAC to change your hardware ID on the fly. it’s disgusting that universities force you to install a backdoor of sorts to gain access to the internet. SafeConnect allows them to tell what applications you’re running, and even view screenshots of your desktop in real time.

  14. CONTRA>  •  Nov 17, 2009 @2:12 pm

    Amjad, do you have any proof of this? I’ve only done a little research on SafeConnect but I didn’t see anything like that. I’d love to have a demonstration or “feature list” from ImpulsePoint that lists real time screenshots.

  15. anon  •  Dec 10, 2009 @5:26 pm

    wondering your thoughts about this approach….

    safe connect at my school blocks all routers with NAT enabled.

    I was wondering if installing dd-wrt on my wireless router and then trying to emulate a ps3 via mac address / tcp/ip foot print would be enough to circumvent having to log in… I have no experience with doing any of this as Mac address emulation used to be enough to get by the previous system…

    any ideas? is this even easily done?

  16. CONTRA>  •  Jan 27, 2010 @6:53 pm

    not sure anon, but if it works be sure to let me know what you did!
