Inside out - we have a firewall! Beyond the myth


This is an unsorted collection of traffic encapsulation techniques that can be useful in all sorts of situations. It assumes some level of network access and some levels of network restrictions.

Use SSH with local port forwarding

    ssh -L 31337:127.0.0.1:3128 [email protected] 
    sudo -i
    export http_proxy="http://127.0.0.1:31337"
    export https_proxy="http://127.0.0.1:31337"
    apt-get update
    ...

    /opt/nessus/sbin/nessuscli fix --secure --set proxy=127.0.0.1
    /opt/nessus/sbin/nessuscli fix --secure --set port=31337

Make sure that the environment variables are present for the user.

You may also use a SOCKS5 proxy:

    ssh -D 5000 [email protected]
    export http_proxy="socks5://127.0.0.1:5000"
    export https_proxy="socks5://127.0.0.1:5000"

I usually make use of the local SOCKS proxy, because it’s shorter and the DNS resolution may happen remotely for most applications.

Using socat as a TCP forwarder

    socat TCP-LISTEN:9443,fork TCP:10.1.2.3:443

This is a TCP forward server for port 9443 on the local system to the 10.1.2.3:443 endpoint. Each connection will be forked into a new process. It’s like poor man’s HAProxy.

SSH via HTTP CONNECT via an Apache2 Proxy

Your Apache2 server config

This is for Apache2 on a Debian server. It could be reachable via dynamic DNS or hosted in a cloud.

Load the required modules:

    a2enmod proxy_connect
    a2enmod proxy

192.168.123.123 here is an SSH server (port 22) that is reachable from the Apache2 system. It’s an internal IP.

We want to connect to this SSH server via the externally reachable HTTP server, using the Apache2 here as our intermediate Proxy.

Can Apache2 (or some other web server) forward SSH?

    <VirtualHost apache_ssh_proxy.com:80>

        ProxyRequests On
        AllowConnect 22

        <Proxy *>
            Order deny,allow
            Deny from all
        </Proxy>
        <Proxy 192.168.123.123>
            Order deny,allow
            Allow from 1.2.3.0/24
            Allow from 3.2.1.1/32
        </Proxy>

    </VirtualHost>

Yes, it can. Note the <Proxy 192.168.123.123> block: it names the SSH server IP that we want to reach, and AllowConnect 22 permits CONNECT to port 22. Allow from 1.2.3.0/24 whitelists the client IPs that may use the proxy; the value here is bogus and only documents the approach.

Your local SSH client

On Linux you can define an SSH server in .ssh/config with a ProxyCommand that calls proxytunnel. This makes the OpenSSH client use an HTTP proxy, which is initialised via a command.

    Host jumper
        ProxyCommand proxytunnel -q -p apache.ssh.proxy.com:80 -d 192.168.123.123:22
        DynamicForward 1080
        ServerAliveInterval 60

If you type ssh [email protected], the SSH client will run via proxytunnel. The encrypted SSH protocol will be encapsulated in HTTP packets this way.

You can replace proxytunnel with socat or some Python hacks. Keep in mind that this approach uses CONNECT, which is easily detectable on a traffic monitor, especially if you want to use this as a file-transfer channel. You may use TLS / SSL and configure your Apache as an encrypted endpoint, but modern proxies can perform SSL interception, so you will probably be detected.
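The CONNECT method and its host:port target are written in plain text to a forward proxy's access log, which is why this tunnel stands out to a defender. The following is an added example, not code from the original post: it flags CONNECT requests to ports other than 443 and totals the logged bytes per client and target. The sample log lines, the allowed-port set and the function name are assumptions constructed for illustration, and the input is assumed to be in Apache Common Log Format.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache Common Log Format (not from the original page).
SAMPLE_LOG = """\
1.2.3.7 - - [04/Mar/2024:09:12:01 +0000] "CONNECT 192.168.123.123:22 HTTP/1.1" 200 48211
1.2.3.7 - - [04/Mar/2024:09:40:17 +0000] "CONNECT 192.168.123.123:22 HTTP/1.1" 200 9120033
10.0.0.5 - - [04/Mar/2024:09:41:02 +0000] "CONNECT updates.example.org:443 HTTP/1.1" 200 15320
10.0.0.5 - - [04/Mar/2024:09:41:09 +0000] "GET http://deb.example.org/Release HTTP/1.1" 200 1840
10.0.0.9 - - [04/Mar/2024:09:43:55 +0000] "CONNECT [2001:db8::10]:2222 HTTP/1.1" 403 199
"""

# Matches only CONNECT requests; the target is host:port or [ipv6]:port.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"CONNECT (?P<host>\[[^\]]+\]|[^\s:]+):(?P<port>\d+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

ALLOWED_PORTS = {443}  # assumption: only HTTPS tunnels are expected on this proxy


def find_suspicious_connects(log_text, allowed_ports=ALLOWED_PORTS):
    """Return {(client, target): {"count", "bytes", "statuses"}} for CONNECT
    requests whose destination port is outside allowed_ports."""
    hits = defaultdict(lambda: {"count": 0, "bytes": 0, "statuses": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a CONNECT request, or not parseable
        port = int(m["port"])
        if port in allowed_ports:
            continue
        entry = hits[(m["client"], f'{m["host"]}:{port}')]
        entry["count"] += 1
        entry["bytes"] += 0 if m["size"] == "-" else int(m["size"])
        entry["statuses"].add(int(m["status"]))  # denied attempts (403) count too
    return dict(hits)


if __name__ == "__main__":
    for (client, target), info in sorted(find_suspicious_connects(SAMPLE_LOG).items()):
        print(f"{client} -> {target}: {info['count']} tunnel(s), "
              f"{info['bytes']} bytes, statuses {sorted(info['statuses'])}")
```

A high byte total on a single non-443 target is the file-transfer pattern mentioned above; rejected attempts are kept because they show a client probing the proxy.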

References

If you want to make effective use of ProxyTunnel, the proxy server you are going to be tunneling through must adhere to some requirements.

Must support HTTP CONNECT command
Must allow you to connect to destination machine and host, with or without HTTP proxy authentication

SSH via HTTP via Apache2 and bridge

A more stealthy way to tunnel SSH via HTTP is bridge. This is a Ruby script, which will not use HTTP CONNECT. Therefore the communication channel will not stand out as a Proxy channel.

SSH via Websockets via Apache2 and wstunnel