Monday, July 16, 2012

SSH proxy tunnel

Recently I read an article about how to use an SSH client as a SOCKS proxy tunnel for Firefox.
Very nice article, by the way.

I started thinking about how to use this SSH proxy as a tunnel for other TCP traffic.
It would be cool to do a remote port scan through the SSH tunnel, or just to read your POP3 email, while evading the firewall at your local site.

Let's do this...

First of all, create the SSH proxy tunnel.
On your *nix box, start an SSH connection to your remote SSH server with the following options:

ssh -D 0.0.0.0:5200 -p 443 root@remotehost.org

The -D option starts the SOCKS proxy listener (ssh acts as a SOCKS4/SOCKS5 server). With 0.0.0.0 it listens on all of your interfaces on port 5200 (just a random port). Be aware of what that means: the -D listener asks the client for no authentication at all, so every host on your local network can now proxy through your SSH server. Bind it to 127.0.0.1:5200 instead unless you really want to share the tunnel.

The -p 443 option points the SSH client at the port where my remote SSH server is listening; I run it on 443 because outbound HTTPS is allowed through almost every firewall. Logging in as root is not needed for the tunnel; any unprivileged account on the remote host works and is the safer choice.

Now start Firefox and configure it to use a SOCKS v5 proxy at 127.0.0.1. Don't forget to change the port to 5200! Also set network.proxy.socks_remote_dns to true in about:config (in newer versions this is the "Proxy DNS when using SOCKS v5" checkbox); otherwise Firefox looks up every hostname through your local DNS server before it connects, and those lookups show the local firewall exactly which sites you visit even though the HTTP traffic itself is hidden.



Point your browser to http://www.whatismyip.com/ and you will see that you are surfing with the IP address of your remote SSH server.

All HTTP traffic between your browser and the SSH server is now encrypted: the HTTP is encapsulated in the SSH session, and it leaves the SSH server as ordinary HTTP. So am I evading the firewall logs at my local site? Yes: the local firewall sees one long-lived connection to remotehost.org on port 443 and none of the hosts or URLs you visit. Two caveats. First, the tunnel is not invisible: SSH announces itself with a cleartext "SSH-2.0-..." banner, so a firewall that inspects protocols can tell that the connection on 443 is SSH rather than HTTPS and may block or log it. Second, the protection ends at the SSH server; whatever was plain HTTP is plain HTTP again between the SSH server and the website.
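To see what the -D listener actually does, here is the SOCKS5 exchange (RFC 1928) that a client such as Firefox or proxychains has with it. This is an added example and not part of the original post: a minimal client builds the greeting and CONNECT request and reads the reply, and because no real ssh listener is available when the script runs offline, a tiny stand-in server on 127.0.0.1 answers the way the ssh listener does (no authentication, CONNECT accepted) and then simply echoes the payload instead of relaying it. The target name www.whatismyip.com and port 80 are only illustrative values. The detail to notice is the address type in the CONNECT request: a hostname goes out as ATYP 0x03 and is resolved by the SSH server, while a dotted quad (ATYP 0x01) means the client already resolved the name locally, which is exactly the DNS leak the socks_remote_dns setting avoids.

```python
"""SOCKS5 CONNECT exchange (RFC 1928), the protocol an `ssh -D` listener speaks
to Firefox or proxychains.  Added example, not from the original post.  The
stand-in server below replaces the ssh listener so everything runs offline."""
import socket
import struct
import threading

SOCKS_VER = 0x05
NO_AUTH = 0x00          # the only method ssh -D needs: no client authentication
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
REP_SUCCEEDED = 0x00


def build_greeting():
    """VER | NMETHODS | METHODS...: offer only 'no authentication'."""
    return bytes([SOCKS_VER, 1, NO_AUTH])


def build_connect(host, port):
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT.

    A hostname is sent as ATYP 0x03 so the far end (the SSH server) resolves
    it.  A dotted quad is sent as ATYP 0x01, which means the client already
    did a DNS lookup locally, i.e. the lookup bypassed the tunnel."""
    try:
        dst = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:                      # not an IPv4 literal: send the name
        name = host.encode("idna")
        dst = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + dst + struct.pack("!H", port)


def parse_reply(data):
    """Return (REP, BND.ADDR, BND.PORT) from the server's CONNECT reply."""
    ver, rep, _rsv, atyp = data[:4]
    if ver != SOCKS_VER:
        raise ValueError("not a SOCKS5 reply")
    if atyp == ATYP_IPV4:
        host, off = socket.inet_ntoa(data[4:8]), 8
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, off = data[5:5 + n].decode("idna"), 5 + n
    else:
        raise ValueError("unsupported address type %#x" % atyp)
    (port,) = struct.unpack("!H", data[off:off + 2])
    return rep, host, port


def connect_through_proxy(proxy, target_host, target_port, payload):
    """Client side: greeting, method selection, CONNECT, then send the payload
    and return what comes back through the tunnel."""
    with socket.create_connection(proxy) as s:
        s.sendall(build_greeting())
        ver, method = s.recv(2)
        if ver != SOCKS_VER or method != NO_AUTH:
            raise RuntimeError("proxy refused 'no authentication'")
        s.sendall(build_connect(target_host, target_port))
        rep, _bnd_host, _bnd_port = parse_reply(s.recv(262))
        if rep != REP_SUCCEEDED:
            raise RuntimeError("CONNECT failed, REP=%#x" % rep)
        s.sendall(payload)
        return s.recv(len(payload))


def fake_ssh_socks_listener(listener, seen):
    """Stand-in for the ssh -D listener, one connection only: accept 'no auth',
    record the CONNECT request, report success, then echo the payload back
    (a real listener would relay it to the target through the SSH server)."""
    conn, _ = listener.accept()
    with conn:
        if conn.recv(3) != build_greeting():
            raise RuntimeError("unexpected greeting")
        conn.sendall(bytes([SOCKS_VER, NO_AUTH]))
        seen.append(conn.recv(512))
        conn.sendall(bytes([SOCKS_VER, REP_SUCCEEDED, 0x00, ATYP_IPV4])
                     + socket.inet_aton("127.0.0.1") + struct.pack("!H", 0))
        conn.sendall(conn.recv(4096))


def demo(target_host="www.whatismyip.com", target_port=80):
    """Run one CONNECT through the stand-in listener; return the raw CONNECT
    request it saw and the echoed payload.  Target values are illustrative."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))      # ephemeral port stands in for 5200
    listener.listen(1)
    seen = []
    t = threading.Thread(target=fake_ssh_socks_listener, args=(listener, seen))
    t.start()
    payload = b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % target_host.encode()
    echoed = connect_through_proxy(listener.getsockname(), target_host,
                                   target_port, payload)
    t.join()
    listener.close()
    return seen[0], echoed


if __name__ == "__main__":
    request, echoed = demo()
    print("CONNECT request:", request.hex())
    print("address type:", "hostname, resolved by the SSH server"
          if request[3] == ATYP_DOMAIN else "IPv4 literal, resolved locally")
    print("echoed through tunnel:", echoed)
```

Run it with python3 and the CONNECT request printed starts with 05 01 00 03, the 0x03 being the hostname address type; build_connect("1.2.3.4", 110) instead yields 05 01 00 01, the request a client sends after leaking the lookup to the local resolver. Point connect_through_proxy at ("127.0.0.1", 5200) with a real ssh -D running and the same client code will fetch the page through the tunnel.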

What about other traffic; can we tunnel that as well?
Sure, and I will demonstrate it with a port scan using nmap.

To tunnel other programs through the SSH proxy tunnel I use proxychains.
After installing it you will find its configuration file in the /etc directory;
it's called proxychains.conf.

Edit this file with your favorite editor.
Go to the end of the file, to the [ProxyList] section, and replace the default entry (the Tor example, socks4 127.0.0.1 9050) with your SSH listener:

[ProxyList]
socks5 127.0.0.1 5200

The port has to match the one you gave to -D; 127.0.0.1 reaches the listener whether you bound it to 0.0.0.0 or to localhost. While you are in the file, also uncomment the proxy_dns option, otherwise the hostnames of your targets are still resolved directly through your local DNS server and those lookups never enter the tunnel.
Start the program you want to tunnel by prefixing it with proxychains.

A nmap port scan looks like this:
proxychains nmap -sTV www.google.be -p 80 -Pn

Don't forget the -sT option, which makes nmap do TCP connect scans (full three-way handshakes through the operating system's socket API).
proxychains works by preloading a library that intercepts the program's connect() calls and sends them to the SOCKS proxy, and a SOCKS proxy can only carry complete TCP connections.
By default nmap (when run as root) uses a SYN scan, and for host discovery it sends pings; both are built from raw packets that never pass through connect(), so they would leave your machine directly, unproxied, and from your own IP address. -Pn skips the host discovery for the same reason (-P0 is the old spelling of the same option). -sV is fine, since the version probes ride on the connected TCP sockets. Remember that the scan arrives at the target from the IP address of your SSH server.



You can read your POP3 email like this:
proxychains telnet in.telenet.be 110

Keep in mind that POP3 on port 110 is a plaintext protocol: it is protected by SSH only between you and your SSH server, and from there to the mail server your username and password travel in the clear, exactly as if you had connected from the SSH server itself.

You are bypassing the local firewall and your ISP's limitations!