Penetration Testing mailing list archives

Re: bypassing employer's proxy to surf anonymously


From: Hubert Seiwert <hubert () westpoint ltd uk>
Date: Tue, 13 Jun 2006 10:47:52 +0100

When using SSH through the local proxy, it might be an idea to run the outside sshd on port 443, so it's harder to distinguish from an https server.

Also, in case you're not aware, a proxy server on the other side (Privoxy in your example) is not really necessary - you can use the ssh -D option (or 'Dynamic' in the PuTTY port forwarding options) to get a SOCKS server on localhost which makes outside connections through the remote sshd.

Another method of tunneling would be through DNS. You say that dns traffic is blocked on the server, but as long as there is a DNS server on the internal network that will do recursive resolving for you it's possible. You can use Dan Kaminsky's OzymanDNS scripts to get an stdin/stdout pipe to a remote host through DNS, through which you can then run ssh using the -ProxyCommand option. You need Perl with threads support enabled on the server and the ability to delegate a subdomain to the ozyman dns server.

References:

http://www.doxpara.com/slides/BH_EU_05-Kaminsky.pdf
http://dnstunnel.de/

If the local network is being monitored, you would see a great deal of DNS queries which would raise a red flag, but if only the local proxy is being monitored this kind of tunneling would be invisible.

Disclaimer: Bypassing your company's internet proxies and breaking the internet AUP is not recommended and may get you in trouble.

-- 
Hubert Seiwert

Internet Security Specialist, Westpoint Ltd
Albion Wharf, 19 Albion Street, Manchester M1 5LN, United Kingdom

Web: www.westpoint.ltd.uk
Tel: +44-161-2371028



gimeshell () web de wrote:
Hi,

perhaps the subject sounds a little bit hard, but hard words are often much clearer than polite words.

Someone is trying to find the smartest way to bypass an employer's proxy from the intranet. You can see it as a principle: there is someone who doesn't want you to do something, but you know you will be better...because you are a geek.

First of all, it works, but I need help in fixing some flaws.

Situation:

Server: Windows 2000, proxy and simple packet filtering to eliminate icmp traffic, dns traffic and some more packet types.
Client: Windows 2000, PuTTY tunneling a local port.
There is no IP forwarding enabled on the server, so I unfortunately must use the proxy's facilities. The proxy has the following 'special' ports open: 1080, 2121, 3128.

For port 3128 you must log in with username/password. It is known. For port 2121 only a username without a password is required.

Host A INSIDE...localport 4444--->ssh tunnel--->through PROXY/FIREWALL
(3128)--->Host B OUTSIDE (22) running privoxy (proxy server).

Problem:

The proxy is monitoring traffic and shows much suspicious traffic flowing to xxx.xxx.xxx.xxx (https). That's the ssh tunnel to the destination with a dynamic IP address.

Question:

Is there a solution to prevent the proxy traffic monitor (and therewith Big Brother) from seeing SSH traffic to the dynamic IP? So that there isn't any suspicious line in the proxy traffic monitor's output? The best: the proxy doesn't get notice of the nasty traffic at all.

Perhaps there is some technique to hide data in unsuspicious packets?

regards,
gimeshell

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to rise, 
you need to proactively protect your applications from hackers. Cenzic has the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------
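A defender-side illustration of the two points Hubert's reply leaves implicit: sshd on port 443 is only "harder to distinguish" from https while nobody inspects the first bytes of the CONNECT session, and a DNS tunnel shows up as a conspicuous volume of long, random-looking query names. This is an added example, not code from the thread, from PuTTY or from OzymanDNS; the proxy sessions, the BIND-style resolver log lines, the addresses and the thresholds are all constructed or assumed and would need tuning against real traffic.

```python
"""Defender-side checks for the two evasion techniques discussed in the
thread: SSH hidden on port 443 behind the HTTP proxy, and tunnelling over
DNS.  Added example; all sample sessions, log lines and addresses are
constructed and the thresholds are assumptions."""
import math
import re
from collections import Counter, defaultdict

# --- Check 1: does a CONNECT host:443 session actually carry TLS? -----------
# A TLS/SSL3 ClientHello starts with record type 0x16 (handshake) and major
# version byte 0x03; an SSH session starts with the cleartext banner "SSH-".
# A proxy that peeks at the first bytes the client sends after CONNECT can
# therefore tell a real https session from an sshd listening on 443.

def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'ssh' or 'unknown' for the first bytes a client sent."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    if data.startswith(b"SSH-"):
        return "ssh"
    return "unknown"

def suspicious_connects(sessions):
    """sessions: iterable of (client_ip, target_host, target_port, first_bytes).
    Returns (client_ip, target_host, protocol) for CONNECTs to 443 that are not TLS."""
    flagged = []
    for client, host, port, first in sessions:
        proto = classify_first_bytes(first)
        if port == 443 and proto != "tls":
            flagged.append((client, host, proto))
    return flagged

# Constructed proxy sessions: one genuine TLS ClientHello prefix, one SSH banner.
SAMPLE_SESSIONS = [
    ("10.0.0.5", "203.0.113.10", 443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x01"),
    ("10.0.0.7", "198.51.100.9", 443, b"SSH-2.0-OpenSSH_4.3\r\n"),
]

# --- Check 2: DNS tunnel indicators in a resolver query log -----------------
# A tunnel carries its payload inside the query name, so one client sends many
# queries to one zone whose leftmost label is long, high-entropy and almost
# never repeated.  Ordinary names are short and are re-queried constantly.

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a one-symbol string)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

# Matches the "client IP#port: query: NAME IN TYPE" part of a BIND-style log line.
LOG_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\w+)")

def parse_dns_log(lines):
    """Yield (client_ip, lowercased query name, qtype) for each parseable line."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m.group("client"), m.group("name").rstrip(".").lower(), m.group("qtype")

def dns_tunnel_candidates(lines, min_queries=5, min_label_len=30, min_entropy=3.5):
    """Group queries by (client, zone) and flag groups that look like a tunnel."""
    groups = defaultdict(list)
    for client, name, _qtype in parse_dns_log(lines):
        labels = name.split(".")
        zone = ".".join(labels[-2:])  # simplification: last two labels as the zone
        groups[(client, zone)].append(labels[0])
    flagged = []
    for (client, zone), first_labels in groups.items():
        if len(first_labels) < min_queries:
            continue
        avg_len = sum(map(len, first_labels)) / len(first_labels)
        avg_ent = sum(map(shannon_entropy, first_labels)) / len(first_labels)
        unique_ratio = len(set(first_labels)) / len(first_labels)
        if avg_len >= min_label_len and avg_ent >= min_entropy and unique_ratio > 0.9:
            flagged.append({"client": client, "zone": zone, "queries": len(first_labels),
                            "avg_label_len": round(avg_len, 1),
                            "avg_entropy": round(avg_ent, 2)})
    return flagged

# Constructed BIND-style query log: normal browsing from 10.0.0.5, and from
# 10.0.0.7 six TXT queries whose first label is a 32-character base32 string
# (rotations of the alphabet, so every label is distinct with entropy 5 bits).
_B32 = "abcdefghijklmnopqrstuvwxyz234567"
SAMPLE_DNS_LOG = [
    f"13-Jun-2006 10:47:{i:02d}.000 client 10.0.0.5#1033: query: {n}.example.com IN A +"
    for i, n in enumerate(["www", "mail", "www", "imap", "www"])
] + [
    f"13-Jun-2006 10:48:{i:02d}.000 client 10.0.0.7#1045: query: "
    f"{_B32[i:] + _B32[:i]}.tun.example.org IN TXT +"
    for i in range(6)
]

if __name__ == "__main__":
    print("non-TLS CONNECTs to 443:", suspicious_connects(SAMPLE_SESSIONS))
    print("DNS tunnel candidates:", dns_tunnel_candidates(SAMPLE_DNS_LOG))
```

The first check is the reason the "sshd on 443" trick only fools a proxy that logs destinations without looking at payload; the second is the "great deal of DNS queries" Hubert mentions, reduced to three measurable features (volume per client and zone, label length, label entropy) that a resolver log already contains.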