Penetration Testing mailing list archives

RE: CORKSCREW 2.0

From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Fri, 28 Sep 2001 18:32:30 +0200

Quite easy.

The HTTP Proxy spec allows for a "CONNECT" method to support secure HTTPS
proxying.

This essentially allows a client browser to say to the proxy, "I want a TCP
connection to X host, y port, and if I must, this is my authentication".

The proxy responds with "200 OK", or not, depending on auth, etc, and
establishes the TCP connection to the desired host. It then gets out of the
way, and forwards bytes received to the other party. In this way, an SSL
session can be proxied, without the proxy being a weak link (having to
decrypt and reencrypt), as the browser negotiates the SSL connection with
the actual server, not with the proxy.

There is nothing fundamentally preventing ANY other application from using
the same proxy to connect to a port of its choice, and tunnelling any
arbitrary protocol over that TCP connection, after the CONNECT request has
succesfully completed. That is, other than the proxy's access control lists
(authorised ports, authorised hosts, authorised users, etc)

So if I were to run an SSH daemon on port 443 on a host that the proxy would
let me connect to, I could use corkscrew to request a connection to that
server, and then handshake an SSH session over that "negotiated" TCP
connection. If the proxy would let me connect to port 22, I would not have
to sun the daemon on port 443, obviously.  Most proxies (squid for example)
DO have restrictions as to the permitted ports for a CONNECT method, I think
https and snews, or some such.

OpenSSH would just use corkscrew as a means of establishing a TCP connection
instead of doing its own TCP connect call, and once established, would
simply start negotiations. OpenSSH can apparently even operate over a direct
serial connection if you have sshd listening in "inetd mode" instead of a
getty, and use some "corkscrew equivalent" code to perform the serial part
of the connection.

Rogan

-----Original Message-----
From: Marco de Vivo [UCV] [mailto:mdevivo () reacciun ve]
Sent: 28 September 2001 01:59
To: pen-test () securityfocus com
Subject: CORKSCREW 2.0


Hi,

Can somebody address me to where to find some CORKSCREW (tunneling ssh via
HTTP proxies) documentation?. If there isn't any, can at least somebody
explain me the basic architecture of this tool? I mean an overall
explanation  of the way it works.

TIA

Marco de Vivo



----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Current thread:

CORKSCREW 2.0 Marco de Vivo [UCV] (Sep 28)
- Re: CORKSCREW 2.0 Carric Dooley (Sep 28)
- Re: CORKSCREW 2.0 Nexus (Sep 29)
- <Possible follow-ups>
- RE: CORKSCREW 2.0 Dawes, Rogan (ZA - Johannesburg) (Sep 28)