Security Basics mailing list archives

RE: ssh tunnelling


From: "Bergeron, Jared" <jared.bergeron () office xerox com>
Date: Mon, 15 Sep 2003 10:25:44 -0700

SSH tunneling is a concern of mine as well. With the proper "End Point" you can basically bypass anything you need to. 
I suppose the same would apply to stunnel and other ssl tunneling apps.

For example I have Wingate on the remote machine. This listens for www and socks 5 (these are all I seem to need but 
will also do ftp, dns, etc). All I have to do is tunnel those ports and I can run web thru that proxy and any socks5 
clients (IM, IRC, etc) I can run thru there as well.

I also have 1494 tunneled to a citrix box at home for anything else I need. Granted the citrix port is less of a risk 
because the "payload" is just screen changes and mouse movements, but does provide a productivity and data exchange 
concern.

It's scary...

Jared Bergeron




-----Original Message-----
From: Joe McCray [mailto:joe () rootwars org] 
Sent: Friday, September 12, 2003 6:14 PM
To: security-basics () securityfocus com

OOOOOO this looks like a fun one. When I was a Systems Administrator we used to 
run Websense. One of the features that it had was proxy avoidance. So you want 
to find out if "Proxy Avoidance" is enabled. I would check this before you 
start getting into all of the local port redirection stuff. Just see if you can 
get to websites like anonymizer.com and other proxying sites. This is going to 
be the first thing that your more savvy users will try. Websense is actually a 
decent product, and when it's really locked down it's tough to get around.

As far as port redirection it's more commonly used by attackers to access hosts 
behind filtering devices such as routers or firewalls. 

Example:
You compromise a webserver and you now have command line control over it. You 
realize that the database server only accepts connections from the webserver 
that you are on. It is otherwise inaccessible from the internet. So you set up 
your port redirection for port 80 or 8080 to the IP address of the database 
server port 1433. So now when you send commands to port 80 of the webserver 
they are redirected to port 1433 of the database server.

=============

If you are already on the local LAN, and you just want to get out to a box that 
you control you might want to consider running SSH, MS Terminal Server, or 
whatever application it is on ports like 21, 25, 80, or 8080. This will usually 
be allowed out of most networks. 

I've never used PacketShape so I don't know how it would handle ssh traffic 
going to port 80 for example.

Joe McCray
joe () rootwars org
http://www.rootwars.org
Hacking Games   Hands-on Courses   HackLab Access



Quoting Kampanellis John <ikampa () softlab ntua gr>:

Hi!

I am about to write the security policy of a media group as part of my
internship.
Among other things I want to check their actual security.
The group uses websense and packetshape. The first to prevent users from
visiting restricted sites and the second to "cut" applications such as
ICQ, P2P etc.

I thought that a good idea would be to create a SSH tunnel with the outside
world and try to pass the traffic through the tunnel, and check if that
enables me (or any user) to bypass the filters mentioned above in order to
use and visit restricted programmes and web sites respectively.

I try to do port forwarding:

ssh2 -L 8000:local_host_IP:50000 username@remotehost

then I am not so sure what to do. For IE I declare as proxy my IP with port
8000 (for the example above). I did the same thing with msn. However, it
doesn't seem to work.

Any ideas?
Thnx


---------------------------------------------------------------------------
Captus Networks 
Are you prepared for the next Sobig & Blaster? 
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans 
 - Precisely Define and Implement Network Security 
 - Automatically Control P2P, IM and Spam Traffic 
FIND OUT NOW -  FREE Vulnerability Assessment Toolkit 
http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------
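
The question left open in the thread above, how a filtering device would treat SSH sent to port 80, comes down to whether traffic is classified by payload rather than by port number. The following is an added example, not part of any post in this thread: a minimal payload-versus-port check over constructed flow records. The record layout, function names, labels and sample addresses are assumptions.

```python
import re

# Ports the thread names as usually allowed outbound, and what each should carry.
EXPECTED = {21: {"greeting-220"}, 25: {"greeting-220"}, 80: {"http"}, 8080: {"http"}}

HTTP_STARTS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ",
               b"CONNECT ", b"HTTP/1.")

def identify(first_bytes):
    """Label a flow by the first payload bytes seen, ignoring the port number."""
    if re.match(rb"SSH-\d\.\d+-", first_bytes):   # SSH identification string (RFC 4253)
        return "ssh"
    if first_bytes.startswith(HTTP_STARTS):
        return "http"
    if first_bytes[:2] == b"\x16\x03":            # TLS handshake record, version 3.x
        return "tls"
    if re.match(rb"220[ -]", first_bytes):        # FTP / SMTP server greeting
        return "greeting-220"
    return "unknown"

def mismatches(flows):
    """Return (src, dst, port, seen) for flows whose payload does not fit the port."""
    hits = []
    for src, dst, port, first_bytes in flows:
        allowed = EXPECTED.get(port)
        if allowed is None:                       # port not covered by this policy
            continue
        seen = identify(first_bytes)
        if seen not in allowed:
            hits.append((src, dst, port, seen))
    return hits

# Constructed sample flows: (internal source, external destination, dst port, first payload)
SAMPLE_FLOWS = [
    ("10.0.0.21", "203.0.113.5", 80, b"SSH-2.0-OpenSSH_3.7\r\n"),
    ("10.0.0.22", "198.51.100.9", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.0.23", "198.51.100.25", 25, b"220 mail.example.com ESMTP\r\n"),
    ("10.0.0.24", "203.0.113.7", 8080, b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a"),
    ("10.0.0.25", "203.0.113.5", 21, b"SSH-1.99-example\r\n"),
    ("10.0.0.26", "203.0.113.9", 443, b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a"),
]

if __name__ == "__main__":
    for hit in mismatches(SAMPLE_FLOWS):
        print("port/protocol mismatch: %s -> %s:%d carries %s" % hit)
```

A first-bytes check only sees the outermost protocol: SSH wrapped in TLS, as with the stunnel case mentioned in the thread, is labelled "tls" here, so such flows on an HTTPS port need other signals such as destination reputation or session duration.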



