Inside out - we have a firewall! Beyond the myth.
This is an unsorted collection of traffic encapsulation techniques that can be useful in all sorts of situations. It assumes some level of network access and some levels of network restrictions.
Use SSH with local port forwarding
    ssh -L 31337:127.0.0.1:3128 [email protected]
    sudo -i
    export http_proxy="http://127.0.0.1:31337"
    export https_proxy="http://127.0.0.1:31337"
    apt-get update
    ...
    /opt/nessus/sbin/nessuscli fix --secure --set proxy=127.0.0.1
    /opt/nessus/sbin/nessuscli fix --secure --set port=31337
Make sure that the environment variables are present for the user.
You may also use a Socks5 proxy:
    ssh -D 5000 [email protected]
    export http_proxy="socks5://127.0.0.1:5000"
    export https_proxy="socks5://127.0.0.1:5000"
I usually make use of the local Socks proxy, because it’s shorter and the DNS resolution may happen remotely for most applications.
Using socat as a TCP forwarder
    socat TCP-LISTEN:9443,fork TCP:10.1.2.3:443
This is a TCP forward server for port 9443 on the local system to the 10.1.2.3:443 endpoint. Each connection will be forked into a new process. It’s like a poor man’s HAProxy.
SSH via HTTP CONNECT via an Apache2 Proxy
Your Apache2 server config
This is for an Apache2 on a Debian server. Could be Dyndns, could be Cloud.
Load the required modules:
    a2enmod proxy_connect
    a2enmod proxy
192.168.123.123 here will be an SSH server (port 22) reachable from the Apache2 system. It’s an internal IP.
We want to connect to this SSH server via the externally reachable HTTP server, using the Apache2 here as our intermediate Proxy.
Can Apache2 (or some other web server) forward SSH?
    <VirtualHost apache_ssh_proxy.com:80>
        ProxyRequests On
        AllowConnect 22
        <Proxy *>
            Order deny,allow
            Deny from all
        </Proxy>
        <Proxy 192.168.123.123>
            Order deny,allow
            Allow from 184.108.40.206/24
            Allow from 220.127.116.11/32
        </Proxy>
    </VirtualHost>
– Yes, it can. You see the <Proxy 192.168.123.123>. That defines the SSH server IP we want to connect to via AllowConnect 22. We set Allow from 18.104.22.168/24 to whitelist these IPs. Here it’s a bogus value for the sake of documenting the approach.
Your local SSH client
On Linux you can define an SSH server in the .ssh/config with a proxytunnel. This will make the OpenSSH client use an HTTP proxy, which is initialised via a command.
    Host jumper
        ProxyCommand proxytunnel -q -p apache.ssh.proxy.com:80 -d 192.168.123.123:22
        DynamicForward 1080
        ServerAliveInterval 60
If you type ssh [email protected], the SSH client will run via a proxytunnel. The encrypted SSH protocol will be encapsulated in HTTP packets this way.
You can replace socat, or some python hacks. Keep in mind that this approach uses CONNECT, which is easily detectable on a traffic monitor, especially if you want to use this as a file-transfer channel. You may use TLS / SSL and configure your Apache as an encrypted endpoint. But modern proxies can perform SSL interception, and therefore you will probably be detected.
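The CONNECT requests described above are visible in the proxy's access log. A defender-side check over such a log, as an added example that is not part of the original post; the common log format layout, the constructed sample lines and the allowed-port set are assumptions:

```python
import re
from collections import defaultdict

# Assumed Apache common log format: host ident user [time] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
EXPECTED_CONNECT_PORTS = {443}  # assumption: only HTTPS is expected through the proxy

# Constructed sample lines (not from a real system).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2024:10:01:02 +0000] "CONNECT example.org:443 HTTP/1.1" 200 5120
198.51.100.9 - - [12/Mar/2024:10:01:05 +0000] "CONNECT 192.168.123.123:22 HTTP/1.0" 200 -
198.51.100.9 - - [12/Mar/2024:10:07:41 +0000] "CONNECT 192.168.123.123:22 HTTP/1.0" 200 -
203.0.113.50 - - [12/Mar/2024:10:09:13 +0000] "CONNECT 192.168.123.123:22 HTTP/1.1" 403 199
198.51.100.7 - - [12/Mar/2024:10:10:00 +0000] "GET /index.html HTTP/1.1" 200 1043
"""

def split_target(target):
    """Split a CONNECT authority ('host:port' or '[v6]:port') into (host, port)."""
    host, sep, port = target.rpartition(":")
    if not sep or not port.isdigit():
        return target, None
    return host.strip("[]"), int(port)

def find_unexpected_connects(log_text, allowed_ports=EXPECTED_CONNECT_PORTS):
    """Return {client: [(time, host, port, status), ...]} for CONNECTs to unexpected ports."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "CONNECT":
            continue
        host, port = split_target(m["target"])
        if port not in allowed_ports:  # also flags targets without a parsable port
            findings[m["client"]].append((m["time"], host, port, int(m["status"])))
    return dict(findings)

if __name__ == "__main__":
    for client, hits in find_unexpected_connects(SAMPLE_LOG).items():
        established = sum(1 for h in hits if h[3] == 200)
        print(f"{client}: {len(hits)} CONNECT(s) to unexpected ports, {established} established")
        for when, host, port, status in hits:
            print(f"  {when} -> {host}:{port} status={status}")
```

Denied attempts (status 403) are reported alongside established tunnels, since both indicate a client probing the proxy for non-HTTPS CONNECT targets.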
If you want to make effective use of ProxyTunnel, the proxy server you are going to be tunneling through must adhere to some requirements.
Must support HTTP CONNECT command
Must allow you to connect to destination machine and host, with or without HTTP proxy authentication
SSH via HTTP via Apache2 and bridge
A more stealthy way to tunnel SSH via HTTP is bridge. This is a Ruby script, which will not use HTTP CONNECT. Therefore the communication channel will not stand out as a Proxy channel.