Saturday, April 14, 2012

Practical SSH Tunneling: Using Putty to Bypass Web Filters and Firewalls

About SSH v.2 and SSH tunneling

SSH (Secure Shell) is an Internet Engineering Task Force (IETF) protocol for encrypting traffic when accessing a remote host. The SSH v.2 standard came out in 2006 and is incompatible with SSH v.1. Version 2 uses Diffie-Hellman (DH) key exchanges to create a tunnel between a client and a server. Thus, SSH works very similarly to a VPN and has, in fact, been called a poor man's VPN. SSH has lower levels of security and encryption than VPN. Apart from that, I don't really know the exact difference between an SSH tunnel and a VPN, and if you happen to know, please feel free to post a comment or a link to your blog/article that explains SSH versus VPN.

SSH v.2 is both a boon and a bane for network engineers. I've been using SSH v.2 to do a myriad of things, some of which purposely circumvent network policies that would normally disallow people from accessing other parts of the network. For this article, we will use SSH tunneling to bypass a corporate firewall and web filtering. This is possible using any Web Socket capable browser such as Mozilla Firefox and Opera (I've heard Google Chrome will support it soon).

Using SSH tunneling (only possible with SSH 2), we can 'piggy-back' traffic bound for different ports and redirect it to another destination which your computer may not be allowed to reach, but which the remote server connected via SSH can. Among the most common uses of SSH tunneling are:

1. As a proxy server to bypass your local web filtering;
2. As a poor man's alternative to VPN -- make other people connect to another computer your computer normally cannot communicate with;
3. To create IMAP connections to an email server.

Disclaimer: This article is to show how SSH can possibly compromise network security. I do not encourage anyone to use SSH as a proxy, nor do I espouse a culture where one arbitrarily bypasses network security at will without any constructive purpose (to hack just because you can). A network or security engineer can always use UTMs, access-lists, firewalls, IPS, etc. to block SSH connections to and from a network.

How to use Putty to configure SSH tunneling and bypass the firewall and URL web-filtering.

For this to work, you will need Putty (download at: http://www.putty.org/). You can also use any other SSH client program such as Bitvise Tunnelier, but note that the screenshots below show Putty. You will also need a server which you can SSH to. This server should be outside your company's network (e.g. home computer, another website, friend's router, etc.).

1. Open Putty. In the main window, under host, type the IP address or hostname of the server you will be connecting to via SSH.


2. At the left side of the screen, click Connection >> SSH >> Tunnels. In the 'Source port' box, enter 8080 (or any port number you wish that is above 1028). Leave the 'Destination' blank but choose the radio button 'Dynamic'. Click Add. Then, at the left side of Putty, navigate back to Session (where you were before when you typed the hostname or SSH server's IP address), and save the profile. Finally, click 'Open'.


3. After you click 'Open', a black box appears showing that your SSH session is successful. You will have to enter the remote server's SSH login credentials (username and password). Make sure you are logged in to the remote server.

4. Once connected to the remote server via SSH, open Mozilla Firefox. Under the 'Advanced' tab, choose 'Network'. Inside the 'Connection' box under the Network tab, click Settings. A new menu box will then appear. Fill the boxes up as shown in the photo below, except that under port, you should put in the port you entered in the SSH >> Tunnels configuration box before you made the SSH connection in Putty. In our case, it was port 8080.


5. Close all dialogue boxes (but keep the putty SSH connection open). You can now surf using Mozilla Firefox without being filtered by your corporate firewall.


If you are going to use SSH tunneling for something else apart from using it as a web socket proxy, remember step number 2 above. This time instead, check all boxes, and choose the "Local" radio button instead of "Dynamic" radio button. In the "Destination" textbox, enter your destination in the format <ip address>:<port number>. Thus, if you are connecting to the remote server's MySQL port (port 3306) for example, you put <IP Address>:3306. Save the session, then repeat steps 3-4. You should be able to use the new port pairing as your redirection pair. That is, if you connect to your local computer's IP address via the <source port> you will instead be redirected to the <destination server:port>.

We can give more examples in our next posts. If you have questions or need some examples, feel free to post them in the comments.
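From the defender's side, the tunnel built in steps 1-5 appears on the network as a long-lived outbound SSH session that pulls back far more data than it sends, because Putty's 'Dynamic' option makes the SSH client act as a local SOCKS proxy for the browser. The Python below is an added example, not part of the original post: it recognises SSH in flow records by its identification string (RFC 4253) rather than by port and flags sessions with that traffic shape. The record fields, the 10.0.0.0/8 internal range and the thresholds are assumptions.

```python
import ipaddress
import re

# RFC 4253 section 4.2: each side opens with "SSH-protoversion-softwareversion".
SSH_ID = re.compile(rb"^SSH-(\d+\.\d+)-([\x21-\x7e]+)")
# Assumptions for this example: site address space and tuning thresholds.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
MIN_SECONDS = 600          # session held open the way a proxy would be
MIN_BYTES_IN = 5_000_000   # bulk data pulled back to the workstation
MIN_IN_OUT_RATIO = 3.0     # web browsing is download-heavy

def is_internal(addr):
    return any(ipaddress.ip_address(addr) in net for net in INTERNAL_NETS)

def ssh_banner(first_server_bytes):
    """Return (protoversion, software) if the payload opens an SSH session, else None."""
    m = SSH_ID.match(first_server_bytes)
    return (m.group(1).decode(), m.group(2).decode()) if m else None

def classify(flow):
    """Label one flow record; SSH is recognised by its banner, not by port number."""
    if ssh_banner(flow["hello"]) is None:
        return "not-ssh"
    if is_internal(flow["dst"]):
        return "ssh-internal"
    ratio = flow["bytes_in"] / max(flow["bytes_out"], 1)
    tunnel_like = (flow["seconds"] >= MIN_SECONDS and flow["bytes_in"] >= MIN_BYTES_IN
                   and ratio >= MIN_IN_OUT_RATIO)
    return "ssh-external-tunnel-like" if tunnel_like else "ssh-external"

# Constructed flow records (not real traffic); the field names are hypothetical.
FLOWS = [
    {"src": "10.1.4.23", "dst": "203.0.113.10", "dport": 22, "seconds": 5400,
     "bytes_out": 2_100_000, "bytes_in": 48_000_000, "hello": b"SSH-2.0-OpenSSH_8.9\r\n"},
    {"src": "10.1.7.50", "dst": "198.51.100.7", "dport": 2222, "seconds": 120,
     "bytes_out": 9_000, "bytes_in": 40_000, "hello": b"SSH-2.0-dropbear\r\n"},
    {"src": "10.1.4.23", "dst": "192.0.2.80", "dport": 443, "seconds": 30,
     "bytes_out": 4_000, "bytes_in": 900_000, "hello": b"\x16\x03\x03\x00\x5a"},
    {"src": "10.1.9.9", "dst": "10.2.0.5", "dport": 22, "seconds": 7200,
     "bytes_out": 1_000_000, "bytes_in": 60_000_000, "hello": b"SSH-2.0-OpenSSH_8.9\r\n"},
]

def report(flows):
    """Return (src, dst, dport, label) for every SSH flow that leaves the site."""
    rows = [(f["src"], f["dst"], f["dport"], classify(f)) for f in flows]
    return [r for r in rows if r[3].startswith("ssh-external")]

if __name__ == "__main__":
    print(*report(FLOWS), sep="\n")
```

Large scp or sftp downloads have the same traffic shape, so a hit is a lead to review against policy rather than proof of tunneling.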
