Wednesday, 23 January 2008

Open a SSH connection through an http proxy and dig tunnels :)

I'm working for an IT Services & Software Engineering company, and I often work for some time (3 months to a year) by the client company's office...

And often, I'm behind a ****ing proxy that filters http request, provide antivirus analysis etc.. Useful for the company securtity and efficiency, but really borring for me.

Those proxy allows http (tcp/80) and https (tcp/443) connections and nothing else...

So no tcp/22 for SSH, and I miss it really much for many reasons.

So here is what to do, to get an SSH connexion to a linux box.

But beware that doing that will certainly break the security contract you signed when you enter the company. Doing that allow you to bypass the content filtering and security. And you could be fired for that...

This blog post will show you how to bypass an http proxy with a basic authentication.

The following post will show you a way to bypass a proxy with NTLM authentication mecanism.

Server configuration

You're a geek like me, so you have a linux box somewhere running 24hours a day running a ssh server in a linux box.

The ssh server usually listen on the tcp/22 port, but this port is filtered by the proxy. The proxy allow tcp/80 & tcp/443.

As the tcp/80 is probably used by your web server, we'll focus on tcp/443, the https port which you probably don't need. But you can do the same with tcp/80 port.

What we need is that your linux box accepts a ssh connection on the tcp/443 port.

We can either change the ssh server setting to listen on port 443 or redirect the connection established on the 443 port to 22 port.

I prefer the second option that leaves untouch the ssh server configuration, and let your linux box be accessed trough ssh on it's standart port.

You can redirect you 443 port to the 22 port using iptables or other tools.
You may even have a graphical interface that allow you to do that easily.

With the sme server, i've such a tools (a web interface attainable only though my local network)

You can find information on how to do that here :

if this can help, here is the lines of my iptables-save output that involves the 443 port :

-A PortForwarding_22383 -p tcp -m tcp --dport 443 -j DNAT --to-destination
-A InboundTCP_22383 -d -p tcp -m tcp --dport 443 -j ACCEPT

where is my external public ip address.

Once this is done, you can test it by trying to open an ssh connection on the port 443, or use telnet (telnet youBoxIp 443) and you should see you open ssh server version : SSH-2.0-OpenSSH_3.9p1.

Configure your ssh client

Putty is a marvelous ssh client for windows, I couldn't live without it.

You can get it here :

All settings describe below can be change on the fly when the ssh connection is open (except for the proxy setting... of course) by right clicking in the title window->change settings.

Basic settings

In the hostname field, enter the ip or domain name of your linux box.
in the port field, enter 443 (or 80 if you use the 80 port)

In Saved sessions, enter a string that remind you your trully loved linux box ;o)

Putty's number of lines of scrollback

this is not really a mandatory step, but really usefull.

Replace the 200 value by 20000000 (it should be enough). Adding more zeros could lead putty the behave strangely... i've tried ;o)

Putty's encoding

In order to have a proper display of characters in your putty, you need to set the encoding of putty accordingly to your linux box configuration (mostly UTF-8 or your country's specific charset).

You can find these setting on your linux box in /etc/sysconfig/i18n

cat /etc/sysconfig/i18n

here it's fr_FR which is ISO-8859-1 charset.
You can find which charset match with your country code in /usr/share/i18n/locales/your country code

cat /usr/share/i18n/locales/fr_FR
comment_char %
escape_char /
% French Language Locale for France
% Source: RAP
% Address: Sankt Jo//rgens Alle 8
% DK-1615 Ko//benhavn V, Danmark
% Contact: Keld Simonsen
% Email:
% Tel: +45 - 31226543
% Fax: +45 - 33256543
% Language: fr
% Territory: FR
% Revision: 4.3
% Date: 1996-10-15
% Users: general
% Charset: ISO-8859-1
% Distribution and use is free, also
% for commercial purposes.

Keep alive settings

The http proxy will automatically close an idling connection. To avoid that, putty has the keep alive parameter which simulate an activity and thus avoid the proxy to close the connection.

Set it to 4 seconds which is a good value.

Proxy settings

Here is the tricky part...

You need to get the proxy url and port, login and password.

In most case, your company uses Microsoft windows and Internet explorer.

You can get the proxy settings from internet explorer, in :
Tools->Internet Options->Networking->Network parameters

If the checkbox in the proxy server fieldset is ticked, then just use the information in this fieldset (have a look in Advanced also) but in most case, it will use a script.
copy and paste the proxy script in the internet explorer address bar, save the content to a file and read it...

You need to determine what is the proxy url you use.
The proxy scripts usually use your network address and subnet to determine which is the proxy server you should use with function such as dnsDomainIs(host, "") or isInNet (host, "", "")

     if ( dnsDomainIs (host, "") ||
dnsDomainIs (host, "") ||
dnsDomainIs (host, "") ||
dnsDomainIs (host, "") ||
isInNet (host, "", "") ||
isInNet (host, "", ""))


if (isInNet (myIpAddress (),"", ""))
return "PROXY;" +
return "PROXY srv-proxy-01.site2.dom:8090;" +
"PROXY srv-proxy-02.site2.dom:8090";

in this case, the proxy usr would be one of the srv-proxy-02.site2.dom and the port would be 8090.

In a command console(Windows key+R, type cmd), you can get your ip address with the following command :
ipconfig /all

Which will help you to determine the proxy settings that is calculated by the scripts.

Or more basically you can run, still in a console

netstat -a

and look for something like a proxy...

The proxy url might contains the word proxy so
netstat -a | find "proxy"

Once you have it (or you can try each url & port in the script)
paste it in the proxy hostname an port.

Username is usually your NT Domain\windows account username.
You can get it by hitting CTRL+ALT+SUPPR, it will be displayed the the window that appears. (type escape to return to where you were)

SSH compression

Enabling ssh compression will make the connexion smoother...

SSH tunnels

SSH Tunnels, one of the wounderfull functionnality of the SSH protocol.

in the source port, type 22, in the destination

this will create a tunnel that will take the tcp traffic on the port 22 of the local machine to the remote 22/tcp port with the ip : your linux box, all that throug the ssh connection (established on the 443 port, forwarded to the 22 port)

Like this, you can browse file with a secure ftp programm like winscp, filezilla, or any text editor that supports SSH like ultraedit.

You'll just need to point this programs to localhost:22.
Not on yourLinuxBoxIp:443, because this link won't be kept alive by default by these programs.

Another usefull tunnel is L3390->

where machine would be a windows computer with remote desktop activated (Windows Key+pause, remote connection tab, remote desktop fieldset) on your private network that can be reached by your linux box.

with this, you can run Microsoft Terminal Service Client : windows key + R, type mstsc, type localhost:3390 and you'll be able to use your windows computer which is also up 24h a day ;o) and browse the web as if you were at home (a bit slowly though).

You can see why i wrote this post :

Save settings

Save all these settings.

If it doesn't works, try other proxy settings in the proxy configuration script.
If it still don't work, it may be because your company uses the NTLM authentication protocol. This will be described in a next article.

late update :


Endre said...

Damn, a pity that NTLM article never came... :)

Manson Thomas said...

humm... did you check here :