The idea of this tutorial is to understand and configure your client to build a ssh connection through ssl. Of course your server must have a specific configuration as well. see the server side configuration tutorial: ssh over ssl part 1 : server side
nowadays firewall block port, but can also do a DPI to see which protocol you are using. It means that if you try to ssh on port 443 it won't work even if port 443 is open. To avoid it, we have to trick the firewall to think we are doing a legitimate https connexion but instead once we are in SSL (firewall can't read anymore), we switch to ssh!
This tutorial is made as a Proof Of Concept and should be used only for better understanding and POC purposes ! i'm not responsible of any use of this trick.
if you are using windows, i would recommand to use a linux virtual machine. it's way easier.
windows software (didn't try them):
- Optional depending if proxy authentication to bypass too: proxifier (not tested yet)
- Optional depending if proxy authentication to bypass too: cntlm
- openssh client
3. Proxy authentication
The first step is to be able to connect to the proxy, since most of the time it's the only way to access internet. If you don't have a proxy you can bypass this part, same thing if you don't need to be authenticate to use your proxy.
We need to have a way to authenticate to the proxy. to do so, if it's using basic auth, you can set your env variable http(s)_proxy. Look for it on Internet. But if it's using NTLM you will need another way.
A way is to use a local proxy authenticating itself to the remote proxy and giving you a local port already connected to the remote proxy.
cntlm do this job very well. download and install it (direcly for official website or apt-get).
then look into my config file. to generate the PassLM, PassNT, PassNTLMv2 you must first create the config file with all info, then in the console type in : "cntlm -H", it will ask you your password then generate you the 3 lines !
you can find lot of other option into this:
# Cntlm Authentication Proxy Configuration
# NOTE: all values are parsed literally, do NOT escape spaces,
# do not quote. Use 0600 perms if you use plaintext password.
# NOTE: Use plaintext password only at your own risk
# Use hashes instead. You can use a "cntlm -M" and "cntlm -H"
# command sequence to get the right config for your environment.
# See cntlm man page
# Example secure config shown below.
# PassLM 1AD35398BE6565DDB5C4EF70C0593492
# PassNT 77B9081511704EE852F94227CF48A793
### Only for user 'testuser', domain 'corp-uk'
# PassNTLMv2 D5826E9C665C37C80B53397D5C07BBCB
PassNTLMv2 0B9163D719A31A2azeazeeazefghrghaD0 # Only for user 'bla', domain 'bli'
# Specify the netbios hostname cntlm will send to the parent
# proxies. Normally the value is auto-guessed.
# Workstation netbios_hostname
# List of parent proxies to use. More proxies can be defined
# one per line in format <proxy_ip>:<proxy_port>
# List addresses you do not want to pass to parent proxies
# * and ? wildcards can be used
NoProxy localhost, 127.0.0.*, 10.*, 192.168.*
# Specify the port cntlm will listen on
# You can bind cntlm to specific interface by specifying
# the appropriate IP address also in format <local_ip>:<local_port>
# Cntlm listens on 127.0.0.1:3128 by default
# If you wish to use the SOCKS5 proxy feature as well, uncomment
# the following option. It can be used several times
# to have SOCKS5 on more than one port or on different network
# interfaces (specify explicit source address for that).
# WARNING: The service accepts all requests, unless you use
# SOCKS5User and make authentication mandatory. SOCKS5User
# can be used repeatedly for a whole bunch of individual accounts.
# Use -M first to detect the best NTLM settings for your proxy.
# Default is to use the only secure hash, NTLMv2, but it is not
# as available as the older stuff.
# This example is the most universal setup known to man, but it
# uses the weakest hash ever. I won't have it's usage on my
# conscience. :) Really, try -M first.
# Enable to allow access from other computers
# Useful in Gateway mode to allow/restrict certain IPs
# Specifiy individual IPs or subnets one rule per line.
# GFI WebMonitor-handling plugin parameters, disabled by default
# Headers which should be replaced if present in the request
#Header User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
# Tunnels mapping local port to a machine behind the proxy.
# The format is <local_port>:<remote_host>:<remote_port>
once your config file is ready, you can test it in your terminal using this :
sudo cntlm -v -c /etc/cntlm.conf
if everything goes well, cntlm should tell you it's ready.
you can test it by connecting through it with firefox (set your proxy settings to use localhost and your define port in your confiuration)
4. Tunnel to your remote server on 443 port
this part is made to build a connection to your remote server on the port 443. if the firewall you are trying to bypass isnt looking into protocole it wont be necessary to go farer. indeed once you are connected you could directly do ssh into it. But if your firewall is watching, it will instantly close your connection since it's not https!
if you want to know build your proxytunnel connexion, then try to type in anything into it. your connection should close !
So, download proxytunnel and using the previous cntlm tunnel launch it like it :
sudo proxytunnel -p 127.0.0.1:3128 -d yourremoteserver.com:443 -a 7000
if your proxy wasnt using auth, you could directly type in your proxy address:port instead of 127.0.0.1:3128. we chose the local port 7000 for our tunnel
5. SSL tunnel
once you have a connection to your server, it's time to trick the firewall thinking we will do HTTPS.
To do so, we will use openSSSL like this :
openssl s_client -connect localhost:7000
if everything is working well, you should see your server certificate.
So for your ssh to use this tunnel SSL, it's simple: create or edit the file ~/.ssh/config
and add :
ProxyCommand openssl s_client -connect localhost:7000 -quiet
it's telling your ssh for this host, to use this has a proxy! so instead of trying directly to ssh, it will first execute this ssl tunnel, then use it!
everything is done for your client side!
for windows, you should look into stunnel but i didnt try
5. Sum up
sudo cntlm -v -c /etc/cntlm.conf
sudo proxytunnel -p localhost:3128 -d monserver.com:443 -a 7000
ssh -D 1080 firstname.lastname@example.org #with proxycommand in .ssh