Episode 614 – Firewall evasion, SSH and virtual appliances!
Got a restrictive firewall blocking sites at school or work? Evade ’em easily with your own private web proxy. Want to securely tunnel any port through an SSH session? Darren’s got just the trick. Wondering how to properly use Asleap to crack MS-CHAPv2 PPTP VPN handshakes & LM Hashes? Interested in trying out neat free enterprise applications but don’t feel like spending hours in a terminal? Try deploying a virtual appliance in minutes, the free and open source way.
Port Tunneling and Socks5 Proxies with a Secure Shell (SSH)
First up, ssh -D. The -D option specified a local "e;Dynamic"e; application-level port forwarding. Any connection made to the specified port goes through the tunnel as a SOCKS4 or SOCKS5 proxy. Perfect for secure web browsing as demonstrated with Firefox in this segment.
ssh -D 8080 [email protected]
Second, ssh -L. The -L option enables port forwarding. Using this option tells the SSH client to listen to traffic on a specified port and forward it along through the tunnel. The server receives this data and points it to the specified destination, whether it be on the destination network or otherwise. In our example we use the -L option to securely connect to an open IRC server.
ssh [email protected] -L local-listen-port:destination-ip:destination-port
Bypassing site-blocking firewalls with your own private web proxy
The age old scheme for bypassing restrictive firewalls, like those that block sites at school or work, has been to use a web proxy. Of course this is followed up by the network administrator blocking all mainstream proxies. But what if you could run your own? Well, you can and it’s really freaking easy. In this segment Darren demonstrates PHProxy
Cracking MS-CHAPv2 PPTP VPN handshakes & LM Hashes Followup from 6×12
On episode 612 we demonstrated a tool, asleap, designed to crack MS-CHAPv2, the authentication protocol commonly found in Microsoft PPTP VPNs. The final demo was unsuccessful due to the encoding of the handshake and response sniffed by Wireshark. Viewer Sc00bz was kind enough to post a PHP script that accepts the challenge, response and username and provides you with the proper asleap command to run with the properly encoded byte sequences. Sc00bz has well documented the code, which lives now on this Hak5 forum thread. Thanks Sc00bz!
Deploying Virtual Appliances in minutes the open source way
A Virtual Appliance can be though of as a software image containing a supporting stack designed to run inside a virtual machine. A quick look at vmware’s virtual appliance directory shows that there are hundreds of applications that can be quickly and easily deployed. In this segment I take the Dimdim open source virtual appliance, designed for vmware, and deploy it with VirtualBox (just becasue I can).