Lance Grover

ssh via https proxy, not sure how else to say it


So many reasons to be able to do this, and I hope the title is descriptive enough. I will admit that most people who want to do this are people in a corporate environment that is blocking ssh traffic... but my purposes are a little darker... like usual (wink).

Sometimes ssh is blocked, sometimes you want to hide your ssh traffic... in my case I wanted a way to hide the ssh traffic from my Raspberry Pi drop boxes. When I do a pen test engagement and I physically break in, I drop off a Raspberry Pi, and the stealthier it is as it performs its tasks, the more dangerous it is and the longer I can leverage it to help identify the vulnerabilities I need to find.

Yes, you can also use this method to circumvent corporate firewalls and security systems that are blocking ssh traffic, even if you run ssh on a non-standard port. This process will appear as regular TLS web traffic.

MODULES

OK, enough of all that, let's dig into it. Let's start with the server, where we need to set up an Apache proxy. We will need the mod_proxy, mod_proxy_connect, mod_proxy_http and mod_socache_shmcb modules enabled.

Let's start with a Kali Linux system:

cd /etc/apache2/mods-enabled
ln -s ../mods-available/proxy.load proxy.load
ln -s ../mods-available/proxy_http.load proxy_http.load
ln -s ../mods-available/proxy_connect.load proxy_connect.load
ln -s ../mods-available/socache_shmcb.load socache_shmcb.load

Our other server example will be a CentOS 7 system. The good (or not so good) thing is that those modules are already enabled by default in /etc/httpd/conf.modules.d/00-proxy.conf.

PROXY CONFIG

The next thing is to actually configure a proxy. Let's start with an Apache instance that is dedicated to this purpose on the Kali box. We are going to create a file in /etc/apache2/conf-available called proxy-ssh.conf, and then create a symlink to it. Here is the proxy-ssh.conf file:

    ProxyRequests On
    AllowConnect 22
    # This RequestReadTimeout setting helps keep the tunnel alive so it does not die so often.
    RequestReadTimeout header=0,MinRate=500 body=0,MinRate=500
    # Deny all proxying by default...
    <Proxy *>
        Order deny,allow
        Deny from all
    </Proxy>
    # This directive defines which servers can be connected to.
    # Access is controlled here via standard Apache user authentication.
    <ProxyMatch ^(?=localhost:22$)>
        Order deny,allow
        Allow from all

        #You should replace the above two rules with something like this:
        # Deny from all
        # Allow from <some_host>
        # Allow from <some_host>
    </ProxyMatch>

Now create a symlink to this file:

cd /etc/apache2/conf-enabled
ln -s ../conf-available/proxy-ssh.conf proxy-ssh.conf

Kali, by default, does not enable SSL. We are just going to use the self-signed SSL certificate that is created on install, so to enable SSL we enable the default SSL site configuration like this:

cd /etc/apache2/sites-enabled
ln -s ../sites-available/default-ssl.conf

On the CentOS 7 system we are going to set up the proxy on a name-based virtual host, which we will call httpsssh.lancegrover.com. We are going to create a file in /etc/httpd/conf.d/ called httpsssh.lancegrover.com.conf. I am assuming you are using a Let's Encrypt SSL certificate (that you have already set up), so this is what our example file would look like:

<VirtualHost *:443>
    ServerAdmin webmaster@youremailserver.com
    ServerName httpsssh.lancegrover.com
    ErrorLog "logs/httpsssh.lancegrover.com-ssl-error_log"
    ErrorDocument 404 /404.html
    CustomLog "logs/httpsssh.lancegrover.com-ssl-access_log" combined
    RequestReadTimeout header=0,MinRate=500 body=0,MinRate=500

    ProxyRequests On
    AllowConnect 22
    # Deny all proxying by default...
    <Proxy *>
        Order deny,allow
        Deny from all
    </Proxy>
    # This directive defines which servers can be connected to.
    # Access is controlled here via standard Apache user authentication.
    #<ProxyMatch ^(?=localhost:22$)> # this doesn't work for our name-based virtual hosting on CentOS 7, so we use the full name here:
    <ProxyMatch ^(?=httpsssh.lancegrover.com:22$)>
        Order deny,allow
        Allow from all

        #You should replace the above two rules with something like this:
        # Deny from all
        # Allow from <some_host>
        # Allow from <some_host>
    </ProxyMatch>

  SSLEngine on
  SSLProtocol all -SSLv2 -SSLv3 -TLSv1
  SSLHonorCipherOrder On
  SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:!MEDIUM:!LOW:!MD5:!kRSA:!kDHr:!kDHd:!kSRP:!aNULL:!3DES:!RC4
#  SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !AECDH"
  SSLCertificateFile      /etc/letsencrypt/live/httpsssh.lancegrover.com/cert.pem
  SSLCertificateKeyFile   /etc/letsencrypt/live/httpsssh.lancegrover.com/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/httpsssh.lancegrover.com/chain.pem
</VirtualHost>

CLIENT USING PROXYTUNNEL

We are only going to give a single Linux example for using proxytunnel. Maybe I will do an example of using PuTTY and proxytunnel on Windows, but there are a lot of those examples out there on the interwebs.

We are going to run the client from a Kali box, where proxytunnel is usually already installed. Run proxytunnel by hand first to test the connection. This first command is for the Kali server:

proxytunnel -v -E -p httpsssh.lancegrover.com:443 -d localhost:22 -H "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)"

This next example is for the CentOS 7 server using the name hosting:

proxytunnel -v -E -p httpsssh.lancegrover.com:443 -d httpsssh.lancegrover.com:22 -H "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)"

If you get a good connection, it is now time to configure your ssh settings. Create a ~/.ssh/config file or add to your existing config. This first entry is for our Kali server:

host httpsssh.lancegrover.com
 Hostname httpsssh.lancegrover.com
 User myuser
 ProxyCommand proxytunnel -v -E -p httpsssh.lancegrover.com:443 -d localhost:22 -H "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)"

This next one is for our CentOS 7 server:

host httpsssh.lancegrover.com
 Hostname httpsssh.lancegrover.com
 User myuser
 ProxyCommand proxytunnel -v -E -p httpsssh.lancegrover.com:443 -d httpsssh.lancegrover.com:22 -H "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)"

Now you can just connect to your ssh server over https by doing:

ssh httpsssh.lancegrover.com

You can even run a little Wireshark test to watch your traffic: all TLS!
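On the wire the tunnel is only TLS, but the Apache side still writes every CONNECT to the access log that the vhost's CustomLog line sets up. The following is an added example, not part of the original post, that audits combined-format log lines for CONNECT requests to an unexpected target or from an unexpected client; the allowlists and the sample log lines are constructed assumptions.

```python
import re

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumption: the only destination this proxy is meant to tunnel to.
ALLOWED_TARGETS = {"httpsssh.lancegrover.com:22"}
# Assumption: addresses of clients expected to open tunnels (documentation range).
KNOWN_CLIENTS = {"203.0.113.10"}

def audit(lines):
    """Return (reason, ip, target, status) for every CONNECT worth a second look."""
    findings = []
    for line in lines:
        m = COMBINED.match(line.strip())
        if not m or m["method"] != "CONNECT":
            continue  # ordinary web request or unparseable line
        ip, target, status = m["ip"], m["target"].lower(), int(m["status"])
        if target not in ALLOWED_TARGETS:
            # 200 means the proxy really tunnelled somewhere it should not have.
            reason = "unexpected-target" if status == 200 else "denied-probe"
        elif ip not in KNOWN_CLIENTS:
            reason = "unknown-client"
        else:
            continue
        findings.append((reason, ip, target, status))
    return findings

# Constructed sample lines, not taken from a real server.
SAMPLE = [
    '203.0.113.10 - - [12/Mar/2024:10:01:02 +0000] "CONNECT httpsssh.lancegrover.com:22 HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Win32)"',
    '198.51.100.7 - - [12/Mar/2024:10:05:40 +0000] "CONNECT httpsssh.lancegrover.com:22 HTTP/1.1" 200 - "-" "-"',
    '198.51.100.7 - - [12/Mar/2024:10:05:44 +0000] "CONNECT mail.example.net:25 HTTP/1.1" 403 199 "-" "-"',
    '203.0.113.10 - - [12/Mar/2024:10:06:00 +0000] "CONNECT localhost:22 HTTP/1.1" 200 - "-" "-"',
    '203.0.113.10 - - [12/Mar/2024:10:07:13 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

An "unknown-client" finding is the case the "Allow from all" rule in the ProxyMatch block leaves open, which is why the config comments suggest replacing it with specific hosts.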

CREDIT WHERE CREDIT IS DUE

I don’t want to forget the links to some other websites that document similar setups:
https://egret.psychol.cam.ac.uk/techniques/firewall.html
https://blog.bmaehr.com/tunneling-ssh-over-https-with-apache-2-4-and-virtual-hosts/
https://medium.com/@shrimpy/how-to-config-putty-ssh-over-to-proxy-tunnel-5dd72f18bc77
https://blog.cppse.nl/apache-proxytunnel-ssh-tunnel