Episode 614 – Firewall evasion, SSH and virtual appliances!
Got a restrictive firewall blocking sites at school or work? Evade ‘em easily with your own private web proxy. Want to securely tunnel any port through an SSH session? Darren’s got just the trick. Wondering how to properly use Asleap to crack MS-CHAPv2 PPTP VPN handshakes & LM Hashes? Interested in trying out neat free enterprise applications but don’t feel like spending hours in a terminal? Try deploying a virtual appliance in minutes, the free and open source way.
Port Tunneling and Socks5 Proxies with a Secure Shell (SSH)
SSH Tunneling isn’t new to the show, we’ve done it before over DNS or in conjunction with VNC. Today we’re looking at two SSH tricks for tunneling just about any traffic.
First up, ssh -D. The -D option specifies a local "Dynamic" application-level port forward: the SSH client listens on the given port and acts as a SOCKS4 or SOCKS5 proxy, so any connection made to that port goes through the tunnel. Perfect for secure web browsing, as demonstrated with Firefox in this segment.
Usage
ssh -D 8080 user@server
Second, ssh -L. The -L option enables local port forwarding: the SSH client listens on a specified local port and forwards any connection it receives through the tunnel. The server receives the data and connects it to the specified destination, whether that host is on the server's own network or elsewhere. In our example we use the -L option to securely connect to an open IRC server.
Usage
ssh user@server -L local-listen-port:destination-ip:destination-port
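To make concrete what the client side of -L does, here is an added example (not code from the episode or from OpenSSH): a parser for the [bind_address:]port:host:hostport spec that -L takes, plus a plain TCP relay that performs the listen-and-forward half in the clear, so the mechanics are visible without the encrypted transport the real tunnel adds. The function names (parse_forward_spec, serve_forward) and the irc.example.net placeholder destination are my assumptions.

```python
# Added example (not from the episode or OpenSSH): what the client side of
# "ssh -L" does, minus the encrypted transport.
import socket
import threading


def _split_spec(spec: str) -> list:
    """Split on ':' while keeping bracketed IPv6 literals like [2001:db8::1] whole."""
    parts, i = [], 0
    while i <= len(spec):
        if i < len(spec) and spec[i] == "[":
            j = spec.find("]", i)
            if j == -1:
                raise ValueError("unterminated IPv6 literal in %r" % spec)
            parts.append(spec[i + 1:j])
            i = j + 1
            if i < len(spec) and spec[i] != ":":
                raise ValueError("expected ':' after ']' in %r" % spec)
            i += 1
        else:
            j = spec.find(":", i)
            if j == -1:
                parts.append(spec[i:])
                break
            parts.append(spec[i:j])
            i = j + 1
    return parts


def parse_forward_spec(spec: str):
    """Parse [bind_address:]port:host:hostport the way ssh -L takes it.

    Returns (bind_address, port, host, hostport).  Without a bind address the
    listener is loopback-only, which is also ssh's default, so other machines
    on the LAN cannot ride the tunnel.
    """
    parts = _split_spec(spec)
    if len(parts) == 3:
        bind, (port, host, hostport) = "127.0.0.1", parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError("expected [bind:]port:host:hostport, got %r" % spec)
    port, hostport = int(port), int(hostport)
    for p in (port, hostport):
        if not 0 < p < 65536:
            raise ValueError("port %d out of range" % p)
    if not host:
        raise ValueError("destination host is empty")
    return bind, port, host, hostport


def _pump(src, dst):
    """Copy bytes one way until EOF, then half-close the other side."""
    try:
        while True:
            chunk = src.recv(65536)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle(client, host, hostport):
    """Open the upstream leg for one accepted client and relay both directions."""
    try:
        upstream = socket.create_connection((host, hostport), timeout=10)
    except OSError as exc:
        print("forward to %s:%d failed: %s" % (host, hostport, exc))
        client.close()
        return
    upstream.settimeout(None)
    threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
    threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()


def serve_forward(spec: str) -> None:
    """Listen as the -L spec says and relay each accepted connection to host:hostport.

    The listener is IPv4-only here for brevity; "*" means all interfaces, as in ssh.
    """
    bind, port, host, hostport = parse_forward_spec(spec)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        listener.bind(("" if bind in ("*", "") else bind, port))
        listener.listen(16)
        print("listening on %s:%d -> %s:%d" % (bind, port, host, hostport))
        while True:
            client, _ = listener.accept()
            threading.Thread(target=_handle, args=(client, host, hostport), daemon=True).start()


if __name__ == "__main__":
    # Same shape as the show's "-L local-listen-port:destination-ip:destination-port";
    # the destination below is a placeholder, not a real server.
    serve_forward("6667:irc.example.net:6667")
```

The parser is the part worth keeping: the same spec grammar (including the bracketed IPv6 form) is what you type after -L, and a bind address of 127.0.0.1 or none at all is the safe choice, since anything bound on 0.0.0.0 or * lets other hosts on the local network use your tunnel.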
For more SSH-fu check out the ssh man page or Linux Journal’s interesting series on 101 uses of openssh.
Bypassing site-blocking firewalls with your own private web proxy
The age-old scheme for bypassing restrictive firewalls, like those that block sites at school or work, has been to use a web proxy. Of course this is followed up by the network administrator blocking all mainstream proxies. But what if you could run your own? Well, you can, and it's really freaking easy. In this segment Darren demonstrates PHProxy.
Cracking MS-CHAPv2 PPTP VPN handshakes & LM Hashes Followup from 6×12
On episode 612 we demonstrated a tool, asleap, designed to crack MS-CHAPv2, the authentication protocol commonly found in Microsoft PPTP VPNs. The final demo was unsuccessful due to the encoding of the handshake and response sniffed by Wireshark. Viewer Sc00bz was kind enough to post a PHP script that accepts the challenge, response and username and gives you the proper asleap command to run, with the byte sequences correctly encoded. Sc00bz has documented the code well; it now lives on this Hak5 forum thread. Thanks Sc00bz!
Deploying Virtual Appliances in minutes the open source way
A Virtual Appliance can be thought of as a software image containing a supporting stack designed to run inside a virtual machine. A quick look at vmware's virtual appliance directory shows that there are hundreds of applications that can be quickly and easily deployed. In this segment I take the Dimdim open source virtual appliance, designed for vmware, and deploy it with VirtualBox (just because I can).


[...] This post was mentioned on Twitter by Darren Kitchen, Scott Wrosch. Scott Wrosch said: RT @hak5darren: Firewall evasion, secure traffic tunneling, and quickly deploying free virtual appliances! @hak5 6×14 http://is.gd/4Y0BX [...]
[...] Episode 614 – Firewall evasion, SSH and virtual appliances! http://www.hak5.org/episodes/episode-614 a few seconds ago from [...]
The one thing about SSH tunneling is that not everyone has access their own VPS to SSH to and if you just want to tunnel occasionally it’s silly to pay for a whole VPS.
My advice: Amazon EC2. You can spin up a server when you need it and spin it down when you're done. Only costs you $0.085 an hour. A very small price to pay for privacy on the go, and much better bandwidth than hosting your own on a residential broadband account.
[...] Hack 5 – Episode 614 – Firewall evasion, SSH and virtual appliances! [...]
When you are not able to connect to port 22 because of firewall restrictions, instead of using this "PHP-based proxy", I recommend forwarding port 443 or port 80 on your VPS to port 22, so you can connect to ssh over an open port.
Personally I have my home server running ssh on port 443 at home, so that wherever I am, I can connect to it to tunnel my traffic or access my data.
Greets from Germany,
Hope to see you all on 26C3: http://events.ccc.de/congress/2009/wiki/index.php/Welcome
Robin
Great show and great info … thanks.
I use FreeBSD Shell.com. http://www.freebsdshell.com and they allow me to do everything I need to do and it is ultra-cheap. I don't have to set up anything.
Also I might mention that you can do IRC and your IP is protected along with the fact you have a little node in cyberspace that you can use for offsite backup and can connect from anywhere. I’m currently using it to watch hulu
Great episode, some really useful tips, clean and simple! The episode with OpenVPN ALS was also very nice; using an ssh shell for me is just simple enough and basically all I need.
I don’t use Xchat, but doesn’t it support SOCKS ? Cause in that case you could just use the -D option. I know mIRC does, I’ve used that myself to tunnel my IRC, FTP and HTTP traffic through my box at home when I’m at school (wifi). A little side-note, I can highly recommend MyEnTunnel, http://nemesis2.qx.net/pages/MyEnTunnel , to establish and stay connected to your shell, if you wanna have a simple GUI.
Thanks for a nice show! Long time watcher, been watching all your episodes since the very first one.
Jakob from Denmark
BTW, I was greeted with some error page when I submitted my post, the 2. captcha thingy, I guess.
I have tried MyEnTunnel, it's OK but still restricted. You get way more options and all together better range with the latter I mentioned.
JC Denton – I'm not sure what you mean. MyEnTunnel is just a GUI for plink (PuTTY). This app can only do what it is created for, maintaining and creating SSH tunnel(s).
@Jakob yes you are right. What I’m saying is for all around functionality go with what I said. If you have a home server, etc. that type of thing then what you are saying works fine as a gui. So in essence what you are saying is 100% correct for what the app does.
For all the Mac heads out there that like things a little more simple…
Check out SSHTunnel. It's SSH without the typing…
I really loved this episode. It was practical, interesting and very informative.
Hey, great episode. One note about using the SOCKS proxy in Firefox. By default, Firefox will NOT use the proxy for DNS lookups! You must configure that in about:config. Here is an article that briefly discusses it: http://www.outflux.net/blog/archives/2006/12/07/paranoid-browsing-with-squid/
The bottom line is that without that, people would know where you are going, but couldn’t look at the actual data. So I guess this setting is just for the extra paranoid …
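The -D SOCKS trick from the show notes and the DNS point in the comment above are easiest to see at the byte level. The following is an added example, not code from the episode or from OpenSSH: a small SOCKS5 client (RFC 1928) for the listener that ssh -D 8080 creates. build_connect_request sends a hostname as a SOCKS5 domain-name address (ATYP 0x03) so that the SSH server side resolves it, which is the behaviour the Firefox remote-DNS setting turns on; with remote_dns=False it resolves locally first and sends an IP literal, which is the leak. The function names, the 127.0.0.1:8080 proxy address and the example.org destination are my assumptions.

```python
# Added example (not from the episode or OpenSSH): a minimal SOCKS5 client for
# an "ssh -D 8080" listener, written out from RFC 1928 so the DNS point is visible.
import ipaddress
import socket
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused",
    0x06: "TTL expired", 0x07: "command not supported",
    0x08: "address type not supported",
}


def build_greeting() -> bytes:
    # VER=5, NMETHODS=1, METHODS=[0x00 no authentication]; ssh -D offers no auth
    return bytes([SOCKS_VERSION, 0x01, 0x00])


def build_connect_request(host: str, port: int, remote_dns: bool = True) -> bytes:
    """CONNECT request for host:port.

    remote_dns=True sends a hostname as ATYP=0x03 (domain name), so the SSH
    server resolves it and no DNS query leaves this machine.  remote_dns=False
    resolves the name here and sends an IP literal: the query goes out in the
    clear, which is what Firefox does unless remote DNS is switched on.
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is None and not remote_dns:
        ip = ipaddress.ip_address(socket.gethostbyname(host))  # local lookup, in the clear
    if ip is None:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for a SOCKS5 domain address")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    elif ip.version == 4:
        addr = bytes([ATYP_IPV4]) + ip.packed
    else:
        addr = bytes([ATYP_IPV6]) + ip.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_reply(data: bytes):
    """Return (rep_code, rep_text, bound_address, bound_port) from the server's reply."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        end = 8
    elif atyp == ATYP_IPV6:
        end = 20
    elif atyp == ATYP_DOMAIN:
        if len(data) < 5:
            raise ValueError("truncated reply")
        end = 5 + data[4]
    else:
        raise ValueError("unknown address type in reply")
    if len(data) < end + 2:
        raise ValueError("truncated reply")
    raw = data[4:end]
    if atyp == ATYP_IPV4:
        bound = str(ipaddress.IPv4Address(raw))
    elif atyp == ATYP_IPV6:
        bound = str(ipaddress.IPv6Address(raw))
    else:
        bound = raw[1:].decode("idna")
    (bound_port,) = struct.unpack("!H", data[end:end + 2])
    return rep, REPLY_TEXT.get(rep, "unassigned"), bound, bound_port


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def open_via_socks(dest_host, dest_port, proxy=("127.0.0.1", 8080), remote_dns=True):
    """Open a TCP connection to dest through the SOCKS5 listener that ssh -D created."""
    s = socket.create_connection(proxy)
    try:
        s.sendall(build_greeting())
        ver, method = _recv_exact(s, 2)
        if ver != SOCKS_VERSION or method != 0x00:
            raise ConnectionError("proxy did not accept the no-auth method")
        s.sendall(build_connect_request(dest_host, dest_port, remote_dns))
        rep, text, _, _ = parse_connect_reply(s.recv(262))  # 262 = largest possible reply
        if rep != 0x00:
            raise ConnectionError("SOCKS CONNECT failed: " + text)
        return s
    except Exception:
        s.close()
        raise


if __name__ == "__main__":
    # Assumes "ssh -N -D 8080 user@server" is already running in another terminal.
    conn = open_via_socks("example.org", 80)
    conn.sendall(b"GET / HTTP/1.0\r\nHost: example.org\r\n\r\n")
    print(conn.recv(4096).decode(errors="replace").split("\r\n")[0])
    conn.close()
```

The thing to take from it is which side does the name lookup: a client that hands the proxy a name (ATYP 0x03) keeps DNS inside the tunnel; one that resolves first and hands over an address (ATYP 0x01/0x04) tells the local network every site you visit even though the page bytes are encrypted, which is exactly the comment's point.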
At 1:58 – what is that server setup? Is it a virtual appliance? Can you post the link or email me a link to its site?
@napisani – I think maybe it’s the web-config interface (cPanel or Plesk) for his VPS (@domain.com??)
@jintoreedwine – Yeah great tip, that should really be in the shownotes! You can never get enough security
I still don’t understand that virtual application thing, does it come in a package with everything that is needed to run it, or ?
Excellent show. I’ve noticed that they are getting more meaty which is what they should be for a tech channel. If we want to watch fluff, we’d watch the increasingly fluffy news shows, or the E! channel.
Keep it up.
@Jakob – the best way to think of a virtual appliance is like a small precompiled operating system with the dependencies already installed for the specific program that you are trying to run.
For example, if you have a web conferencing virtual appliance, the web conferencing program might require Perl or SQL.
The virtual appliance has all that already installed. Sort of like a specified disk image for the use of one program.
Hope that helps
The proxy solution(and ssh tunneling) works only if the network admin allows all connections to go through the firewall and the router. I personally only allow our proxy server to go out, and other servers(like update servers, etc). All other machines are restricted inside, they can not even ping the gateway. So if the users change their proxy settings, they will not be able to surf.
Wonderful with some SSH-fu. The -D option popping up a SOCKS5 was just so amazing when I discovered it: http://twitpic.com/bt9vi
Anyway there also was some SSH magic added to the oneclick VNC thing you ran a long time ago, to use it to “call home”:
http://wiki.hak5.org/wiki/Episode_3×05#OneClick_VNC_Utility
Next I’m absolutely setting up autossh…
07:09
disconnect :Unknown command
Update that
I did the freebsdshell.com as recommended and it was perfect, and very easy too. I'm anonymous and have no problems getting past my work or the uni now, whereas I couldn't before. Thanks for the tip JC Denton
Hiya all, installed the PHP proxy script and was able to access Facebook and the btinternet login page, but they would not allow me to log in. Facebook threw an error saying make sure you are logging in from Facebook and not another site. I think this is the only drawback of the script, or am I doing something wrong?
Julian
@Julian, I had that same issue. You aren’t doing anything wrong. I finally gave up on that and went with a freebsdshell.com account. It just works. Hope this helps
[...] great bit of feedback from the SSH Tunneling segment in episode 614 was from Jan-Marteen in The Netherlands. His Hak5 inspired cross-platform Python and PHP scripts, [...]
Been doing this ssh-fu for a while. In the days of dialup I would create an ssh tunnel (v2 with compression) over my slow dialup to a linux box I had at work. Then I would port forward 3128 from my local linux serv to 3128 on the remote serv which was running squid proxy. It gave me a little speed bump because of the compression plus caching.
yeah good ole compression, it works well for dial up, Don’t use on broadband
Explicitly wonderful and amazing people
Need for an expert hacker to talk to him or a member of the team hak5
my@hotmail.it
[...] Re: A quick guide to SSH tunnelling the guys from Hak5 did a really good show on SSH tunneling. Check it out http://www.hak5.org/episodes/episode-614 [...]
Nice segment about proxies and ssh tunneling but this is kinda old news. Plus PHPproxy is the worst code out there IMHO. Use Zelune because you can actually cache the cookies needed for Flash video, i.e. YouTube works in proxy. Example is my site http://www.blank1.info or no ad mode http://www.blank1.info/final... Look forward to watching rest of episode.
Fatal error: Call to undefined function ctype_alnum() in /var/www/xxxxxxxxx/htdocs/proxy/index.php on line 328
ERROR PHP Proxy
What's wrong?