
Thursday, September 5, 2019

Payload Hunt

When talking about virtual private networking, we cannot avoid discussing the "payload". In telecommunications, the payload is the portion of transmitted data that is the actual intended message. When it comes to computer viruses, the payload is the portion of the malware that performs malicious actions (source: https://en.wikipedia.org/wiki/Payload_(computing)). Thus, the payload plays an essential role in a VPN. In the Philippines, based on our observations over the past 10 years, telecommunication companies such as Globe Telecom and Smart Communications have spent millions on patching these so-called "payloads" to keep their internet services from being used for free. Today, I will share with you how to hunt for a good payload that can be used on our VPN. These payloads can also be used in http injector, ktr, SVL injector and the like. So let's begin.




Look for free sites.

1. The first step is to look for free sites, depending on which network you use. Free sites are web pages offered by your network that can be accessed with or without a data balance (zero load). For example: www.smart.com.ph or smart.com.ph. Most of the time the host/domain itself is good; however, in some cases, good payloads can be found on its subdomains.

Test your domain.

2. How do we know if the payload is OK? We have to test whether it gets a 200 OK response from the server itself. Other responses can be 302 Moved Temporarily, 301 Moved Permanently, 403 Forbidden, 503 not in service, 404 Not Found. You may test your payload here. In our example below we run a test for smart.com.ph.


In the above example, it is getting two redirects and a 200 status. Our goal here is to get a 200 OK response. You can test on your VPN whether it works or not.

Find subdomains.

3. Since the above example is getting redirects, most of the time it won't work. So let's check its subdomains as well. How can we get its subdomains? Sign up for an account here and let us reveal subdomains that can be used as payloads, and let's test them all at once later.


In the example above, we are actually getting 140 subdomains that can be tested. You can test these one after the other, or you can download them all at once by clicking the download button, encircled in green below:


Save it as a text document, then copy all of them and paste them into httpstatus.io. You can paste a maximum of 100 domains.



Sort out all subdomains that returned only a 200 status, and you may test them yourself by loading them into your VPN. In the example below I used edm.smart.com.ph as my payload in my OpenVPN config.


client
dev tun
proto tcp
remote 111.221.44.63 443
http-proxy 111.221.44.63 80
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
auth-user-pass
comp-lzo
reneg-sec 0
verb 3hidepass
http-proxy-option CUSTOM-HEADER ""
http-proxy-option CUSTOM-HEADER "POST host_port@edm.smart.com.ph  HTTP/1.0"



You can download it here and import it into your OpenVPN. You can actually connect to the internet with zero balance.
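Seen from the operator's side, the config above asks the proxy for a tunnel to one address while naming a zero-rated host in an extra header line. The following is an added example, not part of the original post: a small detector for that mismatch in captured proxy requests. The zero-rated list, the sample requests and the assumption that the custom header text reaches the proxy verbatim after the CONNECT request are all constructed for illustration.

```python
import re

# Constructed zero-rated host list (assumption; an operator would load its own).
ZERO_RATED = {"smart.com.ph"}
REQUEST_LINE = re.compile(r"^(GET|POST|HEAD|PUT|CONNECT|OPTIONS)\s+(\S+)\s+HTTP/\d\.\d$")
HOST_TOKEN = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed samples. SUSPECT assumes the custom header text from the config
# above reaches the proxy verbatim after the CONNECT request.
SUSPECT = (b"CONNECT 111.221.44.63:443 HTTP/1.0\r\nHost: 111.221.44.63\r\n\r\n"
           b"POST host_port@edm.smart.com.ph  HTTP/1.0\r\n\r\n")
BENIGN = b"CONNECT edm.smart.com.ph:443 HTTP/1.1\r\nHost: edm.smart.com.ph:443\r\n\r\n"


def is_zero_rated(host):
    """True if host is a zero-rated domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    return any(host == z or host.endswith("." + z) for z in ZERO_RATED)


def inspect_proxy_request(raw):
    """Return sorted findings for one client-to-proxy request (bytes)."""
    lines = [l.strip() for l in raw.decode("latin-1").splitlines()]
    first = REQUEST_LINE.match(lines[0]) if lines else None
    if not first:
        return ["malformed-request-line"]
    if first.group(1) != "CONNECT":
        return []  # this check only covers tunnel setup requests
    # CONNECT targets are host:port; this is where the tunnel actually goes.
    target_host = first.group(2).rsplit(":", 1)[0]
    findings = set()
    for line in filter(None, lines[1:]):
        # A further request line in the same buffer is treated as injection.
        if REQUEST_LINE.match(line):
            findings.add("embedded-request-line")
        # Zero-rated name appears while the tunnel terminates elsewhere.
        for tok in HOST_TOKEN.findall(line):
            if is_zero_rated(tok) and not is_zero_rated(target_host):
                findings.add("zero-rated-host-mismatch:" + tok.lower())
    return sorted(findings)


if __name__ == "__main__":
    for name, req in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, inspect_proxy_request(req))
```

The two findings are independent signals: the mismatch check depends on an accurate zero-rated list, while the embedded request line check does not.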






4 comments:

  1. Hi! How to make server accept those parameters?

  2. What is the username and password, sir?

  3. Can't create an account.

  4. You will need to know how to get credit card numbers from the "dark web." Read more about my website: dark web links