Comments on: Safe Connect Bypass

By: NtwkAdmin

NtwkAdmin — Tue, 29 Jun 2010 18:46:08 +0000

I realize why people want to get around authenticating and having their machine scanned but one should look at what the Universities are ultimately after. We want to ensure that the network is safe from virus, worms, etc. and a well known way to help combat that is by having fully patched operating systems and anti virus programs. This means that my University is only using Safe Connect (in the past Clean Access) to ensure that users going out on our network have up to date anti virus and all security related Windows Updates installed. We are auditing whether firewalls are turned on but not enforcing that they be turned on at this time. As far as I can see, it does not show us anything about web traffic or screen shots showing the client computer. From what the tech’s told us, Safe Connect looks at what your operating system is doing, TCP Stack, User Agent string and services. This means that you can fool some of those attributes but if you have Windows Updates turned on and it discovers this, it will say there is an anomaly because it knows that Linux machines should not have the Windows Update service running. To address NAT routers, this is something I do not necessarily agree with because I wanted to run multiple machines and my Xbox in college but having multiple devices uses more bandwidth. If everyone starts plugging in more than 1 device, the network will slow down and the Help desk will get calls from students wondering why the internet is so slow. DUH, it’s because there are so many extra devices plugged in sucking up the bandwidth so not allowing this helps with the bandwidth issue. That’s all I know at this point.

By: CONTRA>

CONTRA> — Wed, 27 Jan 2010 23:53:45 +0000

not sure anon, but if it works be sure to let me know what you did!

By: anon

anon — Thu, 10 Dec 2009 22:26:36 +0000

wondering your thoughts about this approach….

safe connect at my school blocks all routers with NAT enabled.

I was wondering if installing dd-wrt on my wireless router and then trying to emulate a ps3 via mac address / tcp/ip foot print would be enough to circumvent having to log in… I have no experience with doing any of this as Mac address emulation used to be enough to get by the previous system…

any ideas? is this even easily done?

By: CONTRA>

CONTRA> — Tue, 17 Nov 2009 19:12:56 +0000

Amjad, do you have any proof of this? I’ve only done a little research on SafeConnect but I didn’t see anything like that. I’d love to have a demonstration or “feature list” from ImpulsePoint that lists real time screenshots.

By: Amjad Makhlouf

Amjad Makhlouf — Mon, 16 Nov 2009 13:17:52 +0000

also, when they MAC ban you, simply use a program like TMAC to change your hardware ID on the fly. it’s disgusting that universities force you to install a backdoor of sorts to gain access to the internet. SafeConnect allows them to tell what applications you’re running, and even view screenshots of your desktop in real time.

By: Amjad Makhlouf

Amjad Makhlouf — Mon, 16 Nov 2009 13:15:40 +0000

even cooler than using the user-agent of a browser on linux, you can spoof the user-agent of a game console and not even be prompted to login with credentials. i simply put “Wii” as my user-agent in firefox and was able to have completely anonymous internet. my university has taken it upon themselves to ban me from the internet for using BitTorrent, so this was my only recourse. Good luck guys!

By: CONTRA>

CONTRA> — Wed, 11 Nov 2009 20:34:35 +0000

Not sure why the exec was removed, but this is one of the first google results for “bypass safeconnect” so it should at least have a working solution. At colleges, they usually implement safeconnect as allowing all game consoles by default. In order to bypass even the login requirements, I used sec_cloak (http://www.irongeek.com/downloads/sec_cloak.zip) to alter my TCP/IP fingerprint to that of a playstation 2, and then used Firefox’s user-agent switcher to imitate a Playstation 3, and they never even knew the difference. Hope that helps you all.

If you want to test the efficacy of a solution, but are not connected to a safeconnect network, try this: http://lcamtuf.coredump.cx/p0f-help/

By: CONTRA>

CONTRA> — Wed, 11 Nov 2009 20:28:21 +0000

At colleges, they usually implement safeconnect as allowing all game consoles by default. In order to bypass even the login requirements, I used sec_cloak (http://www.irongeek.com/downloads/sec_cloak.zip) to alter my TCP/IP fingerprint to that of a playstation 2, and then used Firefox’s user-agent switcher to imitate a Playstation 3, and they never even knew the difference. Hope that helps you all.

If you want to test the efficacy of a solution, but are not connected to a safeconnect network, try this: http://lcamtuf.coredump.cx/p0f-help/

By: s.m.s.

s.m.s. — Thu, 24 Sep 2009 19:51:58 +0000

John: You asked me to report back, so here I am. It seems like they are fingerprinting the TCP stack, because obfuscating the TCP fingerprint got me past the NAC. OSfuscate has an option to change the fingerprint, so if this program is used, useragent switcher should also be used, to ensure that there is no discrepancy between the TCP fingerprint and the browser’s useragent.

By: Mike

Mike — Fri, 11 Sep 2009 00:31:56 +0000

Hi,

I have tried both the user agent and spoofing my TCP fingerprint but neither are working. Any suggestions at what they might be doing?