Possible methods to get internet access in a restricted network
Brute-force the HTTP Host header.
You can use this URL for it: http://151.236.217.13/ok
This URL always returns 200, so we can use it to check for redirects.
It returns the plaintext response "You find the hole".
$ curl -H "Host: blabla.com" http://151.236.217.13/ok
You find the hole
Some ISPs may cache HTTP traffic.
To check this we can add random data to the request; the server will return it in the response.
$ curl -H "Host: blabla.com" http://151.236.217.13/ok?cachedornot123
You find the hole
cachedornot123
Some ISPs may inject JavaScript into HTTP pages. We can check this by calculating a checksum of the response.
$ curl -H "Host: blabla.com" http://151.236.217.13/ok?someshit | md5sum
e355a7c941287bf3d924cff1ab8fab13
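The three checks above (redirect, cache, injected content) folded into one script, as an added example that is not part of the original notes. It assumes the endpoint replies with the fixed marker line followed by the echoed query string, and uses only the Python standard library.

```python
import hashlib
import http.client
import secrets
from dataclasses import dataclass

# Endpoint and marker text taken from the notes above.
ENDPOINT_IP = "151.236.217.13"
MARKER = "You find the hole"


@dataclass
class Response:
    status: int
    headers: dict
    body: str


def expected_body(nonce: str) -> str:
    # Assumed reply layout: the fixed marker line, then the echoed query string.
    return f"{MARKER}\n{nonce}"


def classify(resp: Response, nonce: str) -> str:
    """Label what happened to the request on its way to the origin server."""
    if 300 <= resp.status < 400:
        return "redirected"   # a portal or policy device answered instead of the origin
    if resp.status != 200:
        return "blocked"      # the origin only ever answers 200 on /ok
    body = resp.body.replace("\r\n", "\n").strip()
    if MARKER not in body:
        return "replaced"     # a 200 with a foreign page: interception with a block page
    if nonce not in body:
        return "cached"       # the origin echoes the nonce; a stale copy cannot contain it
    # Same idea as piping through md5sum: compare against the digest of the
    # reply expected for this exact nonce; any injected bytes change it.
    got = hashlib.md5(body.encode()).hexdigest()
    want = hashlib.md5(expected_body(nonce).encode()).hexdigest()
    return "clean" if got == want else "modified"


def probe(host_header: str = "blabla.com", timeout: float = 5.0) -> str:
    """Live check; http.client does not follow redirects, so a 3xx is reported as-is."""
    nonce = secrets.token_hex(8)
    conn = http.client.HTTPConnection(ENDPOINT_IP, 80, timeout=timeout)
    conn.request("GET", f"/ok?{nonce}", headers={"Host": host_header})
    r = conn.getresponse()
    resp = Response(r.status, dict(r.getheaders()), r.read().decode(errors="replace"))
    conn.close()
    return classify(resp, nonce)


if __name__ == "__main__":
    print(probe())
```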
Some hosts in the LAN may allow forwarding. Let's scan it to find hidden gateways.
The ISP may allow forwarding to some local networks, so additional networks may be possible to add via an option.
https://github.com/pentestmonkey/gateway-finder
Scan the LAN for ports 8080, 80, 1080, 3128 and so on to find proxies.
Some ISPs block only ports 80 and 443. Let's try to connect from/to TCP/UDP port 53 and other ports/protocols.
How to exploit? ToS flags? Fragmentation?
When nothing else works