SSH KungFu

This is a post to sum up ; aggregate ; and share some knowledge about what it’s possible to do with an SSH access and bounce and/or hide your connections and surf.

Step 1: Which client can you use?

Step 2: Which account could you use?

An account on a machine you own?

If it’s with linux/unix, it’s perfect and make sure that the ssh server is installed. In case of a windows OS, there’s an ssh daemon available with cygwin and, if you want to go deeper, a virtual machine with a linux on it is even better.

An account on a machine you know?

It could be an account on a friend’s server (a dedicated or self hosted) or an account in a former company.

An account on an unknown machine?

I read that it was possible to have an account on those websites.

Step3: Once you have a connection, exploit it!

Always a bit funny, w3m which is a browser inside the console (and better than lynx). The traffic, and even the rendering of the pages, is done on the server-side and then it’s impossible to intercept on your side.

More practical: the port forwarding. It’s what is called also tunnel. With linux take a look an option -L. With windows, putty, in the configuration tree then Configuration ; SSH ; and Tunnels. The port forwarding is easy and it’s the only way to open a tunnel in the opposite direction of the connection (option -R with ssh or Remote in putty). But it’s only useful if the destination is static and known when the forwarding is declared and also with TCP.

More useful: what is called dynamic port forwarding, which is in fact a SOCKS proxy. To make it simple, it’s a TCP proxy (wikipedia say that’s also possible to forward UDP packets but I never tried). The principle behind dynamic port, is that we only declare the listening port. The destination will be given through the SOCK protocol and thus can vary, like when you surf. With SOCKS5 even the DNS resolution is done at the end of the tunnel which guaranty more privacy.

So ssh/putty provides a proxy and you have to configure your browser to use it. With firefox, you just declare a proxy SOCKS (let empty the other proxy addresses). The port is the port you have chosen. To be sure that the DNS resolution is done at the end of the tunnel set network.proxy.socks_remote_dns to true in about:config and restart. Now, all your browsing is kept cyphered between your host and the SSH server. In fact, if whatever application implement the SOCKS interface then you can tunnel it Pidgin, ThunderBird,…).

Some limits remain like the direction (from client to server) but it is enough for normal use. It’s what tor provides in fact, a socks proxy.

Harder and better: the tunnel ethernet over SSH. It’s only available with ssh with the option -W. You have to have specific access rights on the server side to prepare the tun interface and as it’s more a VPN site-to-site than a tunnel, you will have to handle the routes (or the NAT masquerading) with care.

Difficulties to connect

Here, I explained how to exploit an SSH connection but sometime etablishing the session is the tricky (or funny) part.

If there’s a FW. Setting the SSH server to listen on port 80 or 443 should be enough. If you also have a website on your ssh box, take a look at sslh.

If there’s a proxy on your way out then you have to delude it by using httptunnel to have a TCP tunnel to your SSH serveur which can then tunnel your traffic.

If there’s an intelligent proxy on your way out then you cannot go through and you have to avoid it. Perhaps trying to use tunnels over ICMP or DNS.

Walking the line

As final words, keep in mind that you are responsible. Based on the level of tracking system, with motivation you can be found. Even the antivirus on your host can spot you. So… be an adult.