SSH Tunneling - DefCamp 2014


SSH Tunneling:
a gate to freedom
and a threat
Andrei Hodorog, DefCamp 2014

Disclaimer
This presentation is a proof of concept and is intended for educational purposes only!
Do not pentest your corporate / University network without authorisation!
Apart from the annoyances, there are beneficial aspects of the restrictions (if you are a newbie, some of them are really for your security and the safety of the wider organisation / University).
You can get fired or expelled if caught!
4/13/2015
Andrei Hodorog, DefCamp 2014
2

Who am I?
• Second year student @ Cardiff University (Computer Science with Security and Forensics)
• Security enthusiast
• Freelance web developer
• Cisco CCNA Certified (I also have a passion for networks!)
Restrictions in my University





Tight firewall and tight policy
• Live HTTP header analysis: not a blacklist, but blocking all non-HTTPS websites containing words such as “proxy”, “hack”, “bypass”, “torrent”, etc.;
• Blocking even legitimate hosts (e.g. the BitDefender website and the BitDefender update server);
• Blocking short URLs (marked as SPAM);
• Blocking all the user ports (above 1024) on the network;
• Routers with VPN passthrough disabled;
  ◦ Cannot connect to VPNs or Tor.
• Restricting DNS access to their DNS server;
  ◦ Unable to use OpenDNS or any other alternative.
• Without their DNS server, you can’t even ping 8.8.8.8;
  ◦ DNS tunneling does not work.
The annoying error message
The most popular bypass method
3G / 4G connection tethering – not reliable:
• Drains the phone battery (~1% / min) if not using USB tethering;
• For some providers, you cannot receive calls during the data connection;
• Providers generally detect and block tethering, unless stated otherwise in the contract;
• Sometimes you need to use ClockworkMod Tether – very slow;
• The need for an unlimited plan;
• Limited to 71.8 Mbps for 4G in the best scenario – why, if you have a FREE 1 Gbps connection provided by the University?
Another try – two connections
ForceBindIP – old tool (last version released in 2009), not supported anymore, but still working:
http://www.softpedia.com/get/System/System-Miscellaneous/ForceBindIP.shtml
ForceBindIP {4FA65F75-7A5F-4BCA-A3A2-59824B2F5CA0} c:\path\to\app.exe
OR
ForceBindIP 1.2.3.4 c:\path\to\app.exe
This way you could force blocked applications to use the tethered connection, but it is not reliable either:
• You need to prepend the command to the path of each application;
• You need to always have the tethered connection active.
Ports open
• 80 (HTTP);
• 443 (HTTPS – secure HTTP);
• 20 & 21 (FTP);
• 22 (SFTP – secure FTP – and SSH).
They had to allow connections through SFTP in order to allow the students to securely upload / download files remotely to / from the school server.
The little “gate”
All the magic is done through port 22, which can be used to establish an SSH (Secure Shell) connection.
In plain terms, a secure connection to a server where you have a shell account.

The basic concept: SSH tunneling
Tunneling all the traffic through that secure connection in order not to be detected by the firewall.

The configuration
The connection can be established through any SSH client, including the popular PuTTY. Then you let the SSH client act as a SOCKS proxy (dynamic port forwarding) through which you will tunnel all the traffic.
Linux: ssh -D 9999 [email protected]
The configuration
• Then you only need to configure the SOCKS connection in your applications!
• You should also configure your browser to resolve all DNS requests through the proxy!

The configuration
• Use software such as Proxifier (www.proxifier.com) for applications that don’t support SOCKS connections (e.g. TeamViewer, Winamp).
• Linux: Proxychains (proxychains.sourceforge.net):
bash$ proxychains firefox localhost:9999
The automation
You should leave the legitimate traffic untouched in order not to raise suspicions… The network admins will think something is wrong if they only see encrypted traffic coming from your host.
• Use FoxyProxy (available for both Firefox and Chrome): getfoxyproxy.org

What can you do with FoxyProxy?
• Set up rules based on URL patterns (e.g. all the addresses containing “torrent”, “hack”, etc.) – useful for Google and YouTube search queries.
• Add websites automatically to the “whitelist” (the list of tunneled addresses) based on a certain content pattern (e.g. a text fragment like “This website is blocked in accordance with the University policy”, “torrent”, “hack”, etc.).
• When you access a blocked website matching a pattern, it is automatically reloaded through the tunnel.
• Set up “blacklists” (maybe you never want to tunnel Facebook, email, online banking, PayPal, unless you really trust your server – remember the Heartbleed bug!).

Other uses of this method
• Encrypting the traffic in a public WiFi network: by default, all non-HTTPS traffic is unencrypted and can be sniffed!
• Bypassing geolocation restrictions of certain websites (e.g. BBC iPlayer, Hulu, YouTube, Netflix).
• An additional layer of protection for your real IP address when using VPN or anonymity services (e.g. Tor).






Getting an SSH account
• Most reliable – set up your own server or buy a VPS or dedicated package;
• Cheapest and almost as reliable – shared hosting – some providers:
• You will probably need to contact support and ask them to enable it – provide a valid reason (a little social engineering involved):
  ◦ “I need to practice MySQL commands on the CLI for my work.”
  ◦ “I need to run live Python and Ruby on Rails scripts on a REPL.”
• These are big companies – they have better things to do than monitoring you!
Getting an SSH account
• You can check for yourself whether it’s already enabled by default! Just try to establish an SSH connection to your shared IP address with your cPanel credentials!
• Some webhosts allow connecting only through stored RSA keys (passwordless login). You can generate your own key using PuTTYgen and add it to the allow list in cPanel.
• You can either generate a new key and use it with your SSH client, or import an already generated key using, for example, PuTTYgen.
My option
• Jailbroken iPad with OpenSSH installed at home – low electricity consumption;
• Gigabit connection; gigabit router – connected through a Thunderbolt to Ethernet adapter!
• Might need to configure port 22 forwarding on your router:
  ◦ www.portforward.com – guidance for any model!
Getting caught?
All traffic – RSA encrypted.
Even if they see suspicious traffic coming from your IP address / account, simply say that you connected to your home machine to download large files – nobody can prove anything – unless they have NSA-like folks in the IT department who can intercept your keys and sniff your traffic.
SSH connections are perfectly legal if the port is open and the organisation policy does not state otherwise!
What goes through the tunnel – your business, not theirs ;)

Risks posed to your organisation
• Users accessing illegitimate websites (SSH tunneling is the most popular method to bypass WebSense) and using illegitimate applications against your policy;
• Users can tunnel any TCP-based protocol, including P2P, and squeeze your bandwidth;
• A rootkitted host can attempt to covertly connect to the outside world.

Avoiding this in your organisation
The general solution to prevent your network users from doing this is to either disable port 22 completely or only allow connections to the hosts in your Local Area Network or a whitelist of trusted IP addresses or hosts.
…but this way you only make the work harder, as an SSH connection can be established through any port, including 80!
Partial solutions:
◦ Deep Packet Inspection – if the packet payload is SSH and the destination is not in the whitelist, drop it;
◦ Only allow inbound traffic (especially on ports 80 and 443) and allow outbound traffic only to trusted IP addresses.
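An added example (not from the presentation) of the Deep Packet Inspection check described above: a new outbound TCP flow is classified as SSH from the client's identification string alone, whatever the destination port, and is allowed only when the destination is on a constructed whitelist. Only the client-to-server direction is matched, because RFC 4253 lets the server send extra lines before its own identification string; the whitelist and the sample flows are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# RFC 4253 sec. 4.2: the client's first bytes are
# "SSH-protoversion-softwareversion [comments]\r\n" (a bare "\n" is tolerated).
SSH_IDENT = re.compile(rb"^SSH-(?:2\.0|1\.[0-9]+)-[\x21-\x7e]+(?: [^\r\n]*)?\r?\n")

# Constructed whitelist (assumption): destinations where SSH/SFTP is expected,
# e.g. the school's file server on port 22.
ALLOWED_SSH = [(ip_network("192.0.2.10/32"), 22)]

def is_ssh_client_hello(payload: bytes) -> bool:
    """True if the first client-to-server bytes are an SSH identification string."""
    return SSH_IDENT.match(payload[:256]) is not None

def dpi_verdict(dst_ip: str, dst_port: int, first_payload: bytes) -> str:
    """Verdict for a new outbound TCP flow, judged by payload rather than port,
    because SSH runs on 80 or 443 just as well as on 22."""
    if not is_ssh_client_hello(first_payload):
        return "pass"          # not SSH; leave it to the normal HTTP/TLS policy
    addr = ip_address(dst_ip)
    for net, port in ALLOWED_SSH:
        if addr in net and port == dst_port:
            return "allow-ssh"
    return "drop-ssh"          # SSH towards a host/port outside the whitelist

# Constructed sample flows: (dst ip, dst port, first client payload).
SAMPLE_FLOWS = [
    ("192.0.2.10", 22, b"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2\r\n"),
    ("198.51.100.7", 80, b"SSH-2.0-PuTTY_Release_0.63\r\n"),        # SSH on port 80
    ("198.51.100.7", 80, b"GET / HTTP/1.1\r\nHost: example.net\r\n\r\n"),
    ("203.0.113.5", 443, b"SSH-2.0-OpenSSH_6.6.1p1\r\n"),           # SSH on port 443
    ("203.0.113.5", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),  # TLS ClientHello
]

def audit(flows=SAMPLE_FLOWS):
    """Return [(dst ip, dst port, verdict), ...] for a list of flows."""
    return [(ip, port, dpi_verdict(ip, port, data)) for ip, port, data in flows]

if __name__ == "__main__":
    for ip, port, verdict in audit():
        print(f"{ip}:{port:<4} {verdict}")
```

This tells you only that a flow is SSH and where it goes; what is carried inside the tunnel stays opaque, which is exactly the remaining problem the next slide describes.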

The general remaining problem
There’s no way for a firewall to determine if HTTP (or any other protocol) is being tunnelled over SSH, as SSH is encrypted against eavesdropping, which will also impact your ability to do protocol inspection.
Short version: you can’t inspect SSH payloads.
The protocol is designed to prevent man-in-the-middle attacks. You can tell that the protocol is SSH easily enough by network inspection, but not that it is being used to tunnel something else.

If you have your corporate SSH server running OpenSSH
By default, sshd allows forwarding TCP sessions to any port. You can restrict them to specific hosts and/or ports via the PermitOpen parameter (available since release 4.4):
PermitOpen host:port
PermitOpen IPv4_addr:port
PermitOpen [IPv6_addr]:port
It can also be useful to restrict who can use port forwarding.
Simple rules (forwarding off for everyone except three named users):
AllowTcpForwarding no
Match User john,andy,ted
    AllowTcpForwarding yes
Allow a specific port per group (forwarding off for everyone; the admins group may forward only to 192.168.0.1:443):
AllowTcpForwarding no
Match Group admins
    AllowTcpForwarding yes
    PermitOpen 192.168.0.1:443

Logging
• By default, the SSH daemon does not log the sessions established via a tunnel.
• To show them, you need to run sshd in debug mode (-d).
• This is not acceptable in an operational environment because of the large overhead.
Here is a quick patch to log all outgoing sessions initiated by sshd, with a mapping to the UID (user ID). In serverloop.c, patch the function server_request_direct_tcpip() like this:
915,918d914
< // BEGIN PATCH TunnelLogging
< uid_t who;
< // END PATCH
<
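Review bot: the UID is captured as a bare integer (`uid_t who;`), so every log consumer has to map it back to a user name before the line is searchable by user; resolving it once with getpwuid() where the line is emitted, or in the log pipeline, avoids that lookup at every query.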
925,930c921,922
< // BEGIN PATCH TunnelLogging
< // debug("server_request_direct_tcpip: originator %s port %d, target %s
port %d",
< who = getuid();
<
logit("Tunnel: %s:%d -> %s:%d UID(%d)",
<
originator, originator_port, target, target_port, who);
< // END PATCH
-->
debug("server_request_direct_tcpip: originator %s port %d, target %s
port %d",
>
originator, originator_port, target, target_port);
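Review bot: `originator` and `originator_port` in the new logit() line are the values the client placed in its direct-tcpip CHANNEL_OPEN request and are not verified by sshd, so they should be read as client-claimed (for a SOCKS-style `ssh -D` tunnel they are typically 127.0.0.1, as the sample log line on the next slide shows); the address that actually answers "from which IP" is the peer address of the SSH connection itself, which this hunk does not include. Also, swapping debug() for logit() emits one syslog line per forwarded TCP session at the normal log level, so size log retention for that volume.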

Logging

Logging
For each new TCP session, the following line will be sent to syslog:
Feb 27 08:03:08 honey sshd[9060]: Tunnel: 127.0.0.1:51209 -> 0.channel26.facebook.com:80 UID(2349).
The patch allows correlating who connected and from which IP address.
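An added example (not part of the talk) that parses these Tunnel: lines from syslog, counts sessions per UID, and flags forwarding destinations outside a PermitOpen-style whitelist like the one on the OpenSSH configuration slide, plus users whose session count reaches a threshold; the whitelist, the sample log lines and the threshold are constructed.

```python
import re
from collections import Counter, defaultdict

# Shape of the syslog line produced by the patched logit() call:
#   <ts> <host> sshd[<pid>]: Tunnel: <src>:<sport> -> <dst>:<dport> UID(<uid>)
TUNNEL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Tunnel: (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) "
    r"UID\((?P<uid>\d+)\)\.?$"
)

# Constructed PermitOpen-style whitelist (assumption): the only destinations policy allows.
PERMIT_OPEN = {("192.168.0.1", 443), ("intranet.example", 443)}

# Constructed sample log; the last line is an ordinary sshd line and must be ignored.
SAMPLE_LOG = """\
Feb 27 08:03:08 honey sshd[9060]: Tunnel: 127.0.0.1:51209 -> 0.channel26.facebook.com:80 UID(2349).
Feb 27 08:03:09 honey sshd[9060]: Tunnel: 127.0.0.1:51210 -> 192.168.0.1:443 UID(2349).
Feb 27 08:03:11 honey sshd[9077]: Tunnel: 127.0.0.1:40001 -> tracker.example.org:6881 UID(2401).
Feb 27 08:03:12 honey sshd[9077]: Tunnel: 127.0.0.1:40002 -> tracker.example.org:6881 UID(2401).
Feb 27 08:03:13 honey sshd[9077]: Tunnel: 127.0.0.1:40003 -> cdn.example.net:80 UID(2401).
Feb 27 08:03:14 honey sshd[9060]: Accepted publickey for alice from 203.0.113.9 port 50222 ssh2
"""

def parse_tunnel_lines(text):
    """Yield one dict per 'Tunnel:' line; other sshd lines are skipped."""
    for line in text.splitlines():
        m = TUNNEL_RE.match(line)
        if m:
            ev = m.groupdict()
            ev.update({k: int(ev[k]) for k in ("uid", "sport", "dport", "pid")})
            yield ev

def report(text=SAMPLE_LOG, threshold=3):
    """Sessions per UID, destinations outside PERMIT_OPEN per UID, and UIDs at or
    above the session threshold (the heavy tunnelers that stand out in the logs)."""
    sessions = Counter()
    unlisted = defaultdict(set)
    for ev in parse_tunnel_lines(text):
        sessions[ev["uid"]] += 1
        if (ev["dst"], ev["dport"]) not in PERMIT_OPEN:
            unlisted[ev["uid"]].add((ev["dst"], ev["dport"]))
    return {
        "sessions": dict(sessions),
        "unlisted": {uid: sorted(dsts) for uid, dsts in unlisted.items()},
        "heavy": sorted(uid for uid, n in sessions.items() if n >= threshold),
    }
```

Calling report() on the sample flags UID 2349 for the facebook.com destination and UID 2401 both for two unlisted destinations and for reaching the session threshold.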

Summary
• If you run an external SSH server that your users need to log into, disable SSH forwarding with the AllowTcpForwarding option in sshd_config.
• Watch your traffic. See how much traffic various protocols use on your network. This will not only help you catch SSH tunnels, it will help you catch any other sort of tunnel.
• You could forbid external SSH, and only permit protocols that can be proxied, such as Telnet.
• You can set up a legitimate SOCKS server, with logging, and require all traffic to pass through it. Anyone tunneling large amounts of traffic through the server will stand out in the logs.
Thank you for your attention!
Questions?
[email protected]
http://uk.linkedin.com/in/hodorogandrei