Breadcrumbs

 1. Introduction

The idea of this tutorial is to understand and configure your client to build a ssh connection through ssl. Of course your server must have a specific configuration as well. see the server side configuration tutorial: ssh over ssl part 1 : server side

nowadays firewall block port, but can also do a DPI to see which protocol you are using. It means that if you try to ssh on port 443 it won't work even if port 443 is open. To avoid it, we have to trick the firewall to think we are doing a legitimate https connexion but instead once we are in SSL (firewall can't read anymore), we switch to ssh!

This tutorial is made as a Proof Of Concept and should be used only for better understanding and POC purposes ! i'm not responsible of any use of this trick.

 

2. prerequisite

if you are using windows, i would recommand to use a linux virtual machine. it's way easier.

windows software (didn't try them):

- Optional depending if proxy authentication to bypass too: proxifier (not tested yet)
- Stunnel/proxytunnel 
- Putty

Linux software:

- Optional depending if proxy authentication to bypass too: cntlm 
- proxytunnel
- OpenSSL
- openssh client

 

3. Proxy authentication

The first step is to be able to connect to the proxy, since most of the time it's the only way to access internet. If you don't have a proxy you can bypass this part, same thing if you don't need to be authenticate to use your proxy.

Linux

We need to have a way to authenticate to the proxy. to do so, if it's using basic auth, you can set your env variable http(s)_proxy. Look for it on Internet. But if it's using NTLM you will need another way. 

A way is to use a local proxy authenticating itself to the remote proxy and giving you a local port already connected to the remote proxy.

cntlm do this job very well. download and install it (direcly for official website or apt-get). 

then look into my config file. to generate the PassLM, PassNT, PassNTLMv2 you must first create the config file with all info, then in the console type in : "cntlm -H", it will ask you your password then generate you the 3 lines !

you can find lot of other option into this:

#
# Cntlm Authentication Proxy Configuration
#
# NOTE: all values are parsed literally, do NOT escape spaces,
# do not quote. Use 0600 perms if you use plaintext password.
#
 
Username	yourusername
Domain		yourdomain
#Password	password
 
# NOTE: Use plaintext password only at your own risk
# Use hashes instead. You can use a "cntlm -M" and "cntlm -H"
# command sequence to get the right config for your environment.
# See cntlm man page
# Example secure config shown below.
# PassLM          1AD35398BE6565DDB5C4EF70C0593492
# PassNT          77B9081511704EE852F94227CF48A793
### Only for user 'testuser', domain 'corp-uk'
# PassNTLMv2      D5826E9C665C37C80B53397D5C07BBCB
 
 
PassLM          72C89120E4z1A9C966DDD358Cazeihaze7
PassNT          Dzazzazaza97D6azeazeaze9BA7C414A36
PassNTLMv2      0B9163D719A31A2azeazeeazefghrghaD0    # Only for user 'bla', domain 'bli'
 
 
 
# Specify the netbios hostname cntlm will send to the parent
# proxies. Normally the value is auto-guessed.
#
# Workstation	netbios_hostname
 
# List of parent proxies to use. More proxies can be defined
# one per line in format <proxy_ip>:<proxy_port>
#
Proxy		10.0.0.42:8080
 
# List addresses you do not want to pass to parent proxies
# * and ? wildcards can be used
#
NoProxy		localhost, 127.0.0.*, 10.*, 192.168.*
 
# Specify the port cntlm will listen on
# You can bind cntlm to specific interface by specifying
# the appropriate IP address also in format <local_ip>:<local_port>
# Cntlm listens on 127.0.0.1:3128 by default
#
Listen		3128
 
# If you wish to use the SOCKS5 proxy feature as well, uncomment
# the following option. It can be used several times
# to have SOCKS5 on more than one port or on different network
# interfaces (specify explicit source address for that).
#
# WARNING: The service accepts all requests, unless you use
# SOCKS5User and make authentication mandatory. SOCKS5User
# can be used repeatedly for a whole bunch of individual accounts.
#
#SOCKS5Proxy	8010
#SOCKS5User	dave:password
 
# Use -M first to detect the best NTLM settings for your proxy.
# Default is to use the only secure hash, NTLMv2, but it is not
# as available as the older stuff.
#
# This example is the most universal setup known to man, but it
# uses the weakest hash ever. I won't have it's usage on my
# conscience. :) Really, try -M first.
#
#Auth		LM
#Flags		0x06820000
 
# Enable to allow access from other computers
#
#Gateway	yes
 
# Useful in Gateway mode to allow/restrict certain IPs
# Specifiy individual IPs or subnets one rule per line.
#
#Allow		127.0.0.1
#Deny		0/0
 
# GFI WebMonitor-handling plugin parameters, disabled by default
#
#ISAScannerSize     1024
#ISAScannerAgent    Wget/
#ISAScannerAgent    APT-HTTP/
#ISAScannerAgent    Yum/
 
# Headers which should be replaced if present in the request
#
#Header		User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
 
# Tunnels mapping local port to a machine behind the proxy.
# The format is <local_port>:<remote_host>:<remote_port>

#Tunnel		11443:remote.com:443

once your config file is ready, you can test it in your terminal using this :

sudo cntlm -v -c /etc/cntlm.conf

if everything goes well, cntlm should tell you it's ready.

you can test it by connecting through it with firefox (set your proxy settings to use localhost and your define port in your confiuration)

 

4. Tunnel to your remote server on 443 port

this part is made to build a connection to your remote server on the port 443. if the firewall you are trying to bypass isnt looking into protocole it wont be necessary to go farer. indeed once you are connected you could directly do ssh into it. But if your firewall is watching, it will instantly close your connection since it's not https!

if you want to know build your proxytunnel connexion, then try to type in anything into it. your connection should close !

So, download proxytunnel and using the previous cntlm tunnel launch it like it :

sudo proxytunnel -p 127.0.0.1:3128 -d yourremoteserver.com:443 -a 7000

if your proxy wasnt using auth, you could directly type in your proxy address:port instead of 127.0.0.1:3128. we chose the local port 7000 for our tunnel

 

5. SSL tunnel

once you have a connection to your server, it's time to trick the firewall thinking we will do HTTPS.

To do so, we will use openSSSL like this :

openssl s_client -connect localhost:7000

if everything is working well, you should see your server certificate.

So for your ssh to use this tunnel SSL, it's simple: create or edit the file ~/.ssh/config

and add :

Host monserverdistant.com
	ProxyCommand openssl s_client -connect localhost:7000 -quiet

it's telling your ssh for this host, to use this has a proxy! so instead of trying directly to ssh, it will first execute this ssl tunnel, then use it!

everything is done for your client side!

for windows, you should look into stunnel but i didnt try

 

5. Sum up

sudo cntlm -v -c /etc/cntlm.conf
sudo proxytunnel -p localhost:3128 -d monserver.com:443 -a 7000
ssh -D 1080 login@monserver.com #with proxycommand in .ssh

6. Sources

http://tyy.host-ed.me/pluxml/article4/port-443-for-https-ssh-and-ssh-over-ssl-and-more

http://blog.chmd.fr/ssh-over-ssl-episode-4-a-haproxy-based-configuration.html

https://forum.kde.org/viewtopic.php?f=83&t=119352

 

Add comment


Security code
Refresh

Go to Top
Template by JoomlaShine