
@frohoff
Created June 7, 2024 19:25
SNI filtering bypass

Make requests to example.com while spoofing the TLS SNI as google.com, to bypass network security controls that enforce policy based only on the SNI (the `-k` flag is needed because the server presents example.com's certificate, which does not match the spoofed name):

$ curl -sk https://google.com -H "Host: example.com" --resolve google.com:443:$(dig +short example.com)
$ (printf "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"; sleep 1) | openssl s_client -connect example.com:443 -servername google.com -state

See the issued SNI with ssldump:

$ sudo ssldump -i any
New TCP connection #1: 172.27.137.172(51318) <-> 93.184.215.14(443)
1 1  0.0095 (0.0095)  C>S  Handshake
      ClientHello
        ...
        extensions
          server_name
              host_name: google.com
        ...
1 18 0.9508 (0.0090)  S>C  application_data
1    0.9508 (0.0000)  S>C  TCP FIN