
Patrick Debois

A few cases of (Tunnel) Piercings for firewalls for SSH access

As a consultant I work at multiple companies. To reach my own resources and test systems, I need shell (SSH) access from inside their corporate LAN to the outside.

Case 1: Customer allows all access outside
This one is easy: just SSH outside and it works.

Case 2: Port 22 is blocked, only HTTP and HTTP/S is allowed (no proxy)
If no proxy is used, I have a server running an SSH server on port 443 (HTTP/S), configured with the ListenAddress directive in the SSH server config.

Case 3: only HTTP and HTTP/S with corporate Basic Authentication HTTP proxy
I use corkscrew as a ProxyCommand in my SSH config and point it at the corporate proxy to reach outside. This relies on the proxy allowing the 'CONNECT' method. I once had the corkscrew site filtered by a filtering proxy, but there are enough mirror sites available. Or, if you are a Windows man, PuTTY has this functionality built in.

       # in ~/.ssh/config; ~/.ssh/myauth holds the proxy's user:password for Basic Authentication
       ProxyCommand /usr/bin/corkscrew proxy-ip 8080 %h %p ~/.ssh/myauth

See also: http://daniel.haxx.se/docs/sshproxy.html

Case 4: only HTTP and HTTP/S with NTLM or ISA based proxy Server
I run ntlmMaps as a local proxy that takes care of the NTLM authentication, and then configure corkscrew to use this local proxy for connecting outside.

Case 5: CONNECT command is denied in proxy, plain HTTP only
I install htc (the httptunnel client) on my machine and hts (the httptunnel server) on the server; together they wrap the SSH traffic in plain HTTP so that it passes through the proxy.

Case 6: HTTP access only available on port 80 and my websites run on port 80.
Install a proxy (squid) on the server, or use the Apache mod_proxy module, and then use it as your proxy as in case 3. Be careful when enabling a proxy on your Apache: left open, it lets others reach more than you want.

You see, it's hard to stop me. Of course a policy would discourage me, but only one customer had one. I also wonder how you can stop this as an administrator: HTTP/S traffic is hard to inspect. Of course you could block some sites, but disabling access to all HTTP/S sites is impossible.
Decrypting the tunnel would trigger suspicion. Maybe you can disable stations using the tunnel based on the number of connects.
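One way an administrator can act on that last idea, as an added example that is not part of the original post: the SSH-over-CONNECT cases above (corkscrew, PuTTY) show up in the proxy's own access log as a handful of CONNECT sessions that stay open for a very long time, where a browser's TLS connections are short-lived and numerous. The script below walks squid's native access.log format and flags clients with long-lived CONNECT tunnels or CONNECTs to ports other than 443. The log lines, client addresses and thresholds are constructed for the example; the 30-minute cutoff is an assumption to tune against your own baseline.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines in squid's native access.log format (not from the post):
# timestamp elapsed_ms client action/status bytes method url ident hierarchy/peer content-type
SAMPLE_LOG = """\
1180000000.123 45 10.0.0.5 TCP_MISS/200 5123 GET http://example.org/index.html - HIER_DIRECT/93.184.216.34 text/html
1180000001.456 310 10.0.0.5 TCP_TUNNEL/200 48231 CONNECT mail.example.net:443 - HIER_DIRECT/203.0.113.10 -
1180000002.789 1820 10.0.0.5 TCP_TUNNEL/200 120334 CONNECT shop.example.com:443 - HIER_DIRECT/203.0.113.11 -
1180000010.000 7245000 10.0.0.9 TCP_TUNNEL/200 9812334 CONNECT 198.51.100.7:443 - HIER_DIRECT/198.51.100.7 -
1180000020.000 3600000 10.0.0.9 TCP_TUNNEL/200 2231 CONNECT 198.51.100.7:443 - HIER_DIRECT/198.51.100.7 -
1180000030.000 120 10.0.0.9 TCP_TUNNEL/200 11000 CONNECT 198.51.100.7:8443 - HIER_DIRECT/198.51.100.7 -
"""

LONG_TUNNEL_MS = 30 * 60 * 1000   # assumed cutoff: a CONNECT held open 30+ minutes is unusual for a browser
ALLOWED_CONNECT_PORTS = {443}     # what squid's default SSL_ports ACL permits for CONNECT


@dataclass
class Record:
    ts: float
    elapsed_ms: int
    client: str
    method: str
    host: str
    port: Optional[int]
    size: int


def parse_line(line: str) -> Optional[Record]:
    """Parse one native-format squid line; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 7:
        return None
    ts, elapsed, client, _action, size, method, url = parts[:7]
    host, port = url, None
    if method == "CONNECT":
        # CONNECT targets are logged as host:port, never as a full URL
        host, _, port_s = url.rpartition(":")
        port = int(port_s) if port_s.isdigit() else None
    return Record(float(ts), int(elapsed), client, method, host, port, int(size))


def suspicious_tunnels(log_text: str,
                       long_ms: int = LONG_TUNNEL_MS,
                       allowed_ports=ALLOWED_CONNECT_PORTS) -> Dict[str, List[str]]:
    """Return {client: [reasons]} for clients whose CONNECT usage looks like a tunnel."""
    findings: Dict[str, List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.method != "CONNECT":
            continue
        if rec.elapsed_ms >= long_ms:
            findings[rec.client].append(
                f"CONNECT to {rec.host}:{rec.port} held open {rec.elapsed_ms // 60000} min")
        if rec.port not in allowed_ports:
            findings[rec.client].append(
                f"CONNECT to non-TLS port {rec.port} on {rec.host}")
    return dict(findings)


if __name__ == "__main__":
    for client, reasons in suspicious_tunnels(SAMPLE_LOG).items():
        print(client)
        for reason in reasons:
            print("  -", reason)
```

On the sample data only 10.0.0.9 is reported: two tunnels to the same host held open for an hour or more, plus one CONNECT to 8443. Restricting CONNECT to port 443 at the proxy (squid's SSL_ports ACL does this by default) removes the third finding outright; the first two are exactly the "number and length of connects" signal the post speculates about, and they need a baseline rather than a hard rule, since long-polling web applications also keep TLS connections open.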