Re: bypassing employer's proxy to surf anonymously

From: Hubert Seiwert (hubert@westpoint.ltd.uk)
Date: Tue Jun 13 2006 - 05:47:52 EDT


When using SSH through the local proxy, it might be an idea to run the outside sshd on port 443, so it's harder to distinguish from an https server.

Also, in case you're not aware, a proxy server on the other side (Privoxy in your example) is not really necessary - you can use the ssh -D option (or 'Dynamic' in the PuTTY port forwarding options) to get a SOCKS server on localhost which makes outside connections through the remote sshd.

Another method of tunneling would be through DNS. You say that DNS traffic is blocked on the server, but as long as there is a DNS server on the internal network that will do recursive resolving for you it's possible. You can use Dan Kaminsky's OzymanDNS scripts to get a stdin/stdout pipe to a remote host through DNS, through which you can then run ssh using the -ProxyCommand option. You need Perl with threads support enabled on the server and the ability to delegate a subdomain to the ozyman DNS server.

References:

http://www.doxpara.com/slides/BH_EU_05-Kaminsky.pdf
http://dnstunnel.de/

If the local network is being monitored, you would see a great deal of DNS queries which would raise a red flag, but if only the local proxy is being monitored this kind of tunneling would be invisible.

Disclaimer: Bypassing your company's internet proxies and breaking the internet AUP is not recommended and may get you in trouble.

-- 
Hubert Seiwert
Internet Security Specialist, Westpoint Ltd
Albion Wharf, 19 Albion Street, Manchester M1 5LN, United Kingdom
Web: www.westpoint.ltd.uk
Tel: +44-161-2371028
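The "great deal of DNS queries" that the reply says would raise a red flag can be turned into a concrete check on resolver logs. The following is an added example and not code from this thread or from OzymanDNS: it assumes a constructed log format of `<client_ip> <qtype> <qname>` per line and flags clients that send many almost-all-unique names with long, high-entropy leftmost labels into one zone, which is what encoded payload in query names looks like.

```python
import math
import random
import string
from collections import defaultdict

def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    n = len(label)
    if n == 0:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def zone_of(qname, depth=2):
    """Rough registrable-zone key (last `depth` labels): a tunnel funnels all its queries into one delegated zone."""
    return ".".join(qname.rstrip(".").split(".")[-depth:])

def find_tunnel_suspects(lines, min_queries=50, min_label_len=30, min_entropy=3.5):
    """Each line is '<client_ip> <qtype> <qname>' (constructed format). Flag (client, zone)
    pairs with many almost-all-unique names whose leftmost label is long and high-entropy,
    i.e. encoded payload carried in the query name, which ordinary browsing never produces."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "encoded": 0})
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # constructed format only; a real resolver log needs its own parser
        client, _qtype, qname = parts
        s = stats[(client, zone_of(qname))]
        s["queries"] += 1
        s["names"].add(qname)
        first = qname.split(".")[0]
        if len(first) >= min_label_len and label_entropy(first) >= min_entropy:
            s["encoded"] += 1
    suspects = []
    for (client, zone), s in stats.items():
        uniq = len(s["names"]) / s["queries"]
        if s["queries"] >= min_queries and uniq > 0.9 and s["encoded"] / s["queries"] > 0.5:
            suspects.append({"client": client, "zone": zone, "queries": s["queries"]})
    return suspects

def constructed_log():
    """Constructed sample: one normal browsing client, one client pushing data through a tunnel zone."""
    rng = random.Random(1)
    lines = [f"10.0.0.5 A {h}" for h in ("www.example.com", "mail.example.com") * 10]
    for _ in range(200):
        payload = "".join(rng.choice(string.ascii_lowercase + string.digits) for _ in range(40))
        lines.append(f"10.0.0.9 TXT {payload}.up.tunnel.example.net")
    return lines
```

The thresholds are starting points; tune `min_queries` against the normal per-client query rate of the network, since CDN and anti-spam lookups also produce unusual-looking labels, just not in these volumes to a single zone.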
gimeshell@web.de wrote:
> Hi,
>
> perhaps the subject sounds a little bit hard, but hard words are often
> much clearer than polite words.
>
> Someone is trying to find the smartest way to bypass an employer's
> proxy from the intranet. You can see it as a principle: there is someone
> who doesn't want you to do something, but you know you will be
> better...because you are a geek.
>
> First of all, it works but I need help in fixing some flaws.
>
> Situation:
>
> Server: Windows 2000, proxy and simple packet filtering to eliminate
> icmp traffic, dns traffic and some more packet types,
> Client: Windows 2000, putty tunneling local port
> There is no ip forwarding enabled on server so unfortunately I must use
> the proxy's facilities. Proxy has the following 'special' ports open:
> 1080, 2121, 3128.
>
> For port 3128 you must login with username/password. It is known.
> For port 2121 only a username without a password is required.
>
> Host A INSIDE...localport 4444--->ssh tunnel--->through PROXY/FIREWALL
> (3128)--->Host B OUTSIDE (22) running privoxy (proxy server).
>
> Problem:
>
> Proxy is monitoring traffic and shows much suspicious traffic flowing to
> xxx.xxx.xxx.xxx (https). That's the ssh tunnel to destination
> with dynamic ip address.
>
> Question:
>
> Is there a solution to prevent the proxy traffic monitor (and therewith
> big brother) from seeing SSH traffic to a dynamic IP? So that there isn't any
> suspicious line in the proxy traffic monitor's output? The best: the proxy
> doesn't get notice of the nasty traffic at all.
>
> Perhaps there is some technique to hide data in unsuspicious packets?
>
> regards,
> gimeshell
>
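The "suspicious traffic flowing to xxx.xxx.xxx.xxx (https)" that the proxy monitor shows is exactly the signal a defender keys on. The following is an added example, not code from this thread or from any particular proxy product: it assumes a constructed CONNECT log format of `<epoch> <client> CONNECT <host>:<port> <duration_s> <bytes_out> <bytes_in>`, flags sessions whose destination is an IP literal or whose lifetime and volume do not look like a browser's HTTPS session, and shows why moving sshd to port 443 does not help against a proxy that looks at the first bytes it relays.

```python
import ipaddress
import re

# Constructed log format (not any real proxy's native format):
# "<epoch> <client> CONNECT <host>:<port> <duration_s> <bytes_out> <bytes_in>"
LINE_RE = re.compile(r"^(\d+) (\S+) CONNECT (\S+):(\d+) (\d+) (\d+) (\d+)$")

def is_ip_literal(host):
    """True when the CONNECT target is a bare address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def flag_connect_sessions(lines, max_duration_s=600, max_bytes=5_000_000):
    """Flag CONNECT sessions that look like a tunnel rather than a browser's HTTPS session:
    an IP-literal destination (no DNS name behind the 'https' traffic), an unusually
    long-lived connection, or far more bytes than a web session moves."""
    flagged = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, host, port, dur, out_b, in_b = m.groups()
        reasons = []
        if is_ip_literal(host):
            reasons.append("ip-literal destination")
        if int(dur) > max_duration_s:
            reasons.append("long-lived session")
        if int(out_b) + int(in_b) > max_bytes:
            reasons.append("high volume")
        if reasons:
            flagged.append({"client": client, "dest": f"{host}:{port}", "reasons": reasons})
    return flagged

def classify_stream_start(first_bytes):
    """What the client sends first through the tunnel: a TLS ClientHello is a handshake
    record (0x16) with a 0x03xx version, while an SSH client sends a plaintext 'SSH-' banner.
    Moving sshd to port 443 changes the port, not these bytes."""
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    return "unknown"

CONSTRUCTED_LOG = [
    "1150192000 10.0.0.7 CONNECT www.example.com:443 12 4100 60200",
    "1150192010 10.0.0.9 CONNECT 203.0.113.45:443 7200 90000000 150000000",
]
```

A proxy that relays raw bytes after the CONNECT `200` response sees the client's first bytes unencrypted, so a rule that rejects non-TLS payloads on 443 defeats the port-443 trick entirely; the log-based checks catch what the handshake check cannot.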


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:05 EDT