1. Blog presentation

At first I wanted a space that allows me to save my findings and the technical configurations I didn't want to forget. Then I told myself: why not put it on the Internet to share it with other people who are looking for information on something I already did.

For the moment I didn't activate any comments or anything else on the website. Indeed, as I said, I'm not a blogger; I just want to save my findings and share them with other people it might help. But if you have some questions, do not hesitate to ask me nicely by email and I will try to answer you.

I have a small lab at home to play with stuff I found and to experiment. My lab is made of a NAS, several Raspberry Pis, and recently an ESXi VM server because I'm tired of having too many RPi & Co!

The blog itself isn't very powerful because I didn't want to spend too much time on it, but if one day it requires more work, I will see. For the moment it meets my needs and that's all I want!

2. I, Me and Myself

It's very hard to present yourself, so I will be very brief!

I'm a French computer science engineer specialized in security. I always liked to try to understand everything I touch, especially in computer science. I like to say I'm no expert in any technology, but I'm trying to be!

The security field is very interesting because you have the opportunity to think as a good guy trying to protect yourself, but also like the bad guys trying to break or steal everything! Of course I'm kidding, but you have to understand (and try) how hackers bypass security equipment, etc. To do so, you have to understand a very large field of security, starting from the computer (OS, hardware, etc.) up to the network (TCP, VLAN, firewall, IDS, etc.).

As an example of how I like to understand things and try to be the bad guy, you can find my final internship presentation at DEF CON 18 in 2010, thanks to the security lab of Stanford: https://www.youtube.com/watch?v=rpMpmm0nlEM

But that's not everything; the security field also means trying to protect your company from a governance point of view: how do you protect a company with thousands of employees who have no knowledge of security? You have to think about policies, procedures, controls, etc.! And at a bigger scale, it becomes harder and harder... It's easy to protect your front door with titanium, but if you don't know that you have several back doors made of wood, what's the point?! ;)

I'm currently living in Montpellier after doing my studies in Paris at Epita and working in Paris in several companies for over 6 years!

You can find more details about me on LinkedIn, and you can contact me by email.

1. Introduction

This tutorial is made for you to be able to test how to do SSH over a standard HTTPS SSL/TLS connection (at least for the CONNECT). The objective is to understand how it works and to be able to make a POC if you want to. I'm not responsible for whatever purpose you use it for. Most of this tutorial was possible thanks to the hard work of blog.chmd.fr.

This tutorial is definitely doable on a Raspberry Pi.

Do not hesitate to leave me a comment to ask questions.

During one of my assignments I was able to set up an Elasticsearch cluster into which we injected the network flows of a large bank thanks to the Suricata/Logstash pair. Then, thanks to Elasticsearch and Kibana, it is possible to have a centralized view of the alerts, which can then be processed by a team to raise more relevant alerts. Be careful though: all the power of the alerting comes from the probes and their configuration.

1. Simplified physical architecture

[Figure: physical architecture of the elasticsearch/suricata cluster]

1. Introduction

The idea of this tutorial is to understand and configure your client to build an SSH connection through SSL. Of course your server must have a specific configuration as well; see the server-side configuration tutorial: ssh over ssl part 1 : server side

Nowadays firewalls block ports, but they can also do DPI to see which protocol you are using. It means that if you try to SSH on port 443 it won't work even if port 443 is open. To avoid this, we have to trick the firewall into thinking we are doing a legitimate HTTPS connection, but once we are inside SSL (the firewall can't read anymore), we switch to SSH!

This tutorial is made as a Proof Of Concept and should be used only for better understanding and POC purposes! I'm not responsible for any use of this trick.

2. Prerequisites

If you are using Windows, I would recommend using a Linux virtual machine. It's way easier.

Windows software (didn't try them):

- Optional, if proxy authentication has to be handled too: Proxifier (not tested yet)
- stunnel/proxytunnel
- PuTTY

Linux software:

- Optional, if proxy authentication has to be handled too: cntlm
- proxytunnel
- OpenSSL
- OpenSSH client

3. Proxy authentication

The first step is to be able to connect to the proxy, since most of the time it's the only way to access the Internet. If you don't have a proxy you can skip this part; same thing if you don't need to authenticate to use your proxy.

Linux

We need a way to authenticate to the proxy. To do so, if it's using basic auth, you can set your environment variables http_proxy/https_proxy (look it up on the Internet). But if it's using NTLM you will need another way.

One way is to use a local proxy that authenticates itself to the remote proxy and gives you a local port already connected to the remote proxy.

cntlm does this job very well. Download and install it (directly from the official website or with apt-get).

Then look into my config file. To generate the PassLM, PassNT and PassNTLMv2 values, you must first create the config file with all the info, then in the console type "cntlm -H": it will ask you for your password and then generate the 3 lines for you!

You can find lots of other options in it:

#
# Cntlm Authentication Proxy Configuration
#
# NOTE: all values are parsed literally, do NOT escape spaces,
# do not quote. Use 0600 perms if you use plaintext password.
#
 
Username	yourusername
Domain		yourdomain
#Password	password
 
# NOTE: Use plaintext password only at your own risk
# Use hashes instead. You can use a "cntlm -M" and "cntlm -H"
# command sequence to get the right config for your environment.
# See cntlm man page
# Example secure config shown below.
# PassLM          1AD35398BE6565DDB5C4EF70C0593492
# PassNT          77B9081511704EE852F94227CF48A793
### Only for user 'testuser', domain 'corp-uk'
# PassNTLMv2      D5826E9C665C37C80B53397D5C07BBCB
 
 
PassLM          72C89120E4z1A9C966DDD358Cazeihaze7
PassNT          Dzazzazaza97D6azeazeaze9BA7C414A36
PassNTLMv2      0B9163D719A31A2azeazeeazefghrghaD0    # Only for user 'bla', domain 'bli'
 
 
 
# Specify the netbios hostname cntlm will send to the parent
# proxies. Normally the value is auto-guessed.
#
# Workstation	netbios_hostname
 
# List of parent proxies to use. More proxies can be defined
# one per line in format <proxy_ip>:<proxy_port>
#
Proxy		10.0.0.42:8080
 
# List addresses you do not want to pass to parent proxies
# * and ? wildcards can be used
#
NoProxy		localhost, 127.0.0.*, 10.*, 192.168.*
 
# Specify the port cntlm will listen on
# You can bind cntlm to specific interface by specifying
# the appropriate IP address also in format <local_ip>:<local_port>
# Cntlm listens on 127.0.0.1:3128 by default
#
Listen		3128
 
# If you wish to use the SOCKS5 proxy feature as well, uncomment
# the following option. It can be used several times
# to have SOCKS5 on more than one port or on different network
# interfaces (specify explicit source address for that).
#
# WARNING: The service accepts all requests, unless you use
# SOCKS5User and make authentication mandatory. SOCKS5User
# can be used repeatedly for a whole bunch of individual accounts.
#
#SOCKS5Proxy	8010
#SOCKS5User	dave:password
 
# Use -M first to detect the best NTLM settings for your proxy.
# Default is to use the only secure hash, NTLMv2, but it is not
# as available as the older stuff.
#
# This example is the most universal setup known to man, but it
# uses the weakest hash ever. I won't have it's usage on my
# conscience. :) Really, try -M first.
#
#Auth		LM
#Flags		0x06820000
 
# Enable to allow access from other computers
#
#Gateway	yes
 
# Useful in Gateway mode to allow/restrict certain IPs
# Specifiy individual IPs or subnets one rule per line.
#
#Allow		127.0.0.1
#Deny		0/0
 
# GFI WebMonitor-handling plugin parameters, disabled by default
#
#ISAScannerSize     1024
#ISAScannerAgent    Wget/
#ISAScannerAgent    APT-HTTP/
#ISAScannerAgent    Yum/
 
# Headers which should be replaced if present in the request
#
#Header		User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
 
# Tunnels mapping local port to a machine behind the proxy.
# The format is <local_port>:<remote_host>:<remote_port>

#Tunnel		11443:remote.com:443

Once your config file is ready, you can test it in your terminal using this:

sudo cntlm -v -c /etc/cntlm.conf

If everything goes well, cntlm should tell you it's ready.

You can test it by connecting through it with Firefox (set your proxy settings to use localhost and the port you defined in your configuration).

4. Tunnel to your remote server on port 443

This part builds a connection to your remote server on port 443. If the firewall you are trying to bypass isn't looking at the protocol, it won't be necessary to go further: once you are connected you could directly SSH into it. But if your firewall is watching, it will instantly close your connection since it's not HTTPS!

If you want to check, build your proxytunnel connection, then try to type anything into it. Your connection should close!

So, download proxytunnel and, using the previous cntlm tunnel, launch it like this:

sudo proxytunnel -p 127.0.0.1:3128 -d yourremoteserver.com:443 -a 7000

If your proxy wasn't using auth, you could directly type your proxy address:port instead of 127.0.0.1:3128. We chose local port 7000 for our tunnel.

5. SSL tunnel

Once you have a connection to your server, it's time to trick the firewall into thinking we will do HTTPS.

To do so, we will use OpenSSL like this:

openssl s_client -connect localhost:7000

If everything is working well, you should see your server certificate.

So for your SSH to use this SSL tunnel, it's simple: create or edit the file ~/.ssh/config

and add:

Host monserverdistant.com
	ProxyCommand openssl s_client -connect localhost:7000 -quiet

This tells your SSH client to use this command as a proxy for this host! So instead of connecting directly, it will first execute this SSL tunnel, then use it!

Everything is done for your client side!

For Windows, you should look into stunnel, but I didn't try it.
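The tell-tale sign of this setup, for whoever terminates or inspects the TLS session, is that SSH is a server-speaks-first protocol: right after the handshake the server sends its "SSH-2.0-..." identification string, whereas a real HTTPS server stays silent until it receives a request. The following Python script is added here as an example (not part of the original tutorial or of proxytunnel/cntlm) to audit what a TLS endpoint on 443 actually speaks; it uses only the standard library and the sample banner is constructed.

```python
import socket
import ssl

# Constructed sample: what an OpenSSH server behind a TLS terminator sends
# unprompted as soon as the TLS handshake completes (RFC 4253 identification).
SAMPLE_SSH_BANNER = b"SSH-2.0-OpenSSH_8.4p1 Debian-5\r\n"


def classify_first_bytes(data: bytes) -> str:
    """Classify a TLS-wrapped service from the bytes it sends before we say anything.

    Empty read  -> the server waits for the client: HTTPS-like behaviour.
    b"SSH-..."  -> an SSH server is being tunnelled over TLS (the page's setup).
    Anything else -> some other server-speaks-first protocol (SMTP, FTP, ...).
    """
    if not data:
        return "client-speaks-first (HTTPS-like)"
    if data.startswith(b"SSH-"):
        ident = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return f"ssh-over-tls ({ident})"
    return "unknown server-speaks-first protocol"


def probe_tls_endpoint(host: str, port: int = 443, timeout: float = 3.0) -> str:
    """Open a TLS session to host:port, wait for unsolicited data and classify it.

    Certificate verification stays on: a tunnel meant to pass as HTTPS must
    present a valid certificate anyway. No ALPN is offered, so an HTTP/2 server
    falls back to HTTP/1.1 and does not send a SETTINGS frame first.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.settimeout(timeout)
            try:
                data = tls.recv(256)
            except socket.timeout:
                data = b""  # silence within the timeout: HTTPS-like
            return classify_first_bytes(data)


if __name__ == "__main__":
    import sys
    # Usage: python3 probe.py yourremoteserver.com [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(probe_tls_endpoint(target, target_port))
```

Run it against the server you configured in part 1 to confirm the SSH banner is really what comes out of the TLS session; on the same endpoint through plain `openssl s_client` you would see that banner printed right after the certificate chain.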

6. Sum up

sudo cntlm -v -c /etc/cntlm.conf
sudo proxytunnel -p localhost:3128 -d monserver.com:443 -a 7000
ssh -D 1080 login@monserver.com # with the ProxyCommand set in ~/.ssh/config

7. Sources

http://tyy.host-ed.me/pluxml/article4/port-443-for-https-ssh-and-ssh-over-ssl-and-more

http://blog.chmd.fr/ssh-over-ssl-episode-4-a-haproxy-based-configuration.html

https://forum.kde.org/viewtopic.php?f=83&t=119352

Note taking & workflow:

Monitoring:

  • Shinken: http://shinken-monitoring.org/
    • capacity planning (graphite), compatible nagios.
    • Documentation not very clear
  • PandoraFMS: http://pandorafms.com/
    • easy to install
    • Pandora client