🎭 Proxy Proxy, where are thou?

Remember: the author accepts no responsibility for following this guide incorrectly and/or for using it outside of a lab/training setting.

Mission Statement

This entry came into existence to encourage people to think outside the box when there is a goal you need to achieve but you are unable to complete it because certain policies are being applied.

In a hypothetical scenario, let's say you're unable to access sites categorised as blogs, which is where a good 70% of fixes will come from. This website, for example, is a blog, but blogs are not inherently dangerous, unless, obviously, they have malicious code embedded in them and you click on it. But you're not stupid: you don't click on links you're not sure about.

Seriously, if you have a problem with Microsoft Windows, the majority of fixes you find will be blog based unless it's a known problem that Microsoft has conveniently documented for you on their own websites, which usually go along the lines of learn.microsoft.com. However, that only happens when the situation is fully supported by Microsoft; for many of the fixes you have to do, you will find the fix is not fully supported by Microsoft and you need to think outside the box.

Blogs are not Dangerous

Blogs are not dangerous. Like a gun, the problem is not the gun itself but what the user does with it, and the same applies to blogs.

If you are aware of what you're changing and where the problem lies, a blog will be your single most important asset on the whole Internet for fixing the problem, as blogs usually come about because the correct support is not officially available when you need it, and other people have thought outside the box; hence the reason blogs are there to start with.

Official Documentation does not always help

Official support and documentation are fantastic when something is officially supported, but the contents of another technical person's head will never be fully covered by the official documentation. To be clear, official documentation will tell you that if you follow the instructions incorrectly you can break your computer; nothing has changed with a blog.

You need to make sure the article being outlined matches your situation exactly before changing things like file paths and Registry keys or updating system drivers.

Trying other Access

So, you need to get to a blog but it's blocked, let's say in a college environment. You could try all the older techniques to get around this, like the cached copy on Google, visiting by IP address, or a proxy avoidance website; the list goes on, but you will not get a lot of joy with these, as many modern web filters can quite easily prevent access using most of these techniques.

Cross Platform Testing

Your next option is a cross-platform website tester that simulates a browser inside your web browser. A common one here is Browserling. The purpose of sites like this is to give you a browser at a remote location that doesn't go through the filtering service you're currently behind, which means you can access the blog that was blocked.

But stop and think about this: it's quite easy to block those websites as well. They won't all fall into the same category, but they will span a couple of categories, which would put you right back at square one.

Outside Box Thinking

This requires you to think outside the box a little bit more, and it can't be a solution where the administrator can simply block a category, because that won't be very fruitful moving forward. So let's get a little bit more creative: you need a way of connecting to something outside the filtering solution and then bringing your proxy back through that connection.

SSH Server

So let's take any Linux box that runs a service called SSH. That service listens on TCP:22 for connections so the box can be remotely managed. Excellent, that sounds like the idea, doesn't it?

Unfortunately not. If you create a connection to this it's very easy to block, and connecting to something on the Internet does not by itself let you browse the Internet; also, many places will not allow the standard SSH port out to the Internet.

SSH is very customizable, and we should all know by now that the standard port does not need to be the listening port; this can be quite easily changed.

SSH with FTP Ports

FTP is obviously for file transfers, from back when that was a cool thing to do. Many browsers no longer natively support FTP because it has been removed, but if you test port 21 and you're allowed to connect, then you could quite easily tell your SSH instance to listen on port 21.

However, port 21 is designed for FTP, so I probably wouldn't leave this open continually unless you want a lot of people trying to attack that port, as people usually expect an FTP server at the other end of it.

Port Knocking

This is where port knocking comes into play. Not officially a term, but it describes what happens. For this to work, on the host where you have your SSH server masquerading on port 21:

You need a firewall rule that says when someone tries to connect to, say, port TCP:7994, the firewall automatically opens port 21 for two minutes, after which the port is closed again, but not before you have made your connection. If you set the rule correctly it will only stop unestablished connections, which means your current connection to your SSH server on port 21 remains, but future connections cannot be established because the port is now shut.

SSH with FTP ports not so wise?

Choosing port 21 makes it quite easy for an administrator to shut that port, as who uses FTP? It's inherently insecure unless you have a certificate involved, as it sends your login credentials in clear text, unencrypted, over the Internet. If you do use certificates it becomes FTPS; however, in this day and age, if you are setting up an FTP server, make sure it's a mutually authenticated FTPS server.

Try HTTPS with SSH?

If you wish to turn up the heat in the kitchen, instead of getting your external SSH server to listen on TCP:21 you could flip that to TCP:443. This would then be an SSH server listening on the HTTPS port, which accounts for over 95% of Internet traffic. This is quite a simple update to your SSH configuration: you just need to change it from listening on port 21 to listening on port 443.

It should be quite apparent that TCP 443 needs to be enabled for any secured Internet traffic; therefore it's not simple to block this port, because you would essentially shut off your Internet connection, which would stop you getting to actual HTTPS websites like Google.

Port Knocking with HTTPS and SSH

Obviously, it goes without saying that this will need to be protected with the same port knocking mechanism we went through earlier. If the port is continually open, people can quite easily read the banner in your SSH server's response and it would quickly get marked as not a website, unless you hide the banner or masquerade it as an HTTP server, for example nginx.

HTTPS Inspection - the 👿 TLSi

HTTPS Inspection is another thing to consider; it is also referred to as TLSi, which stands for TLS inspection.

This is where, rather than your browser talking to the destination website, if this feature is enabled you talk to your proxy server, which breaks the connection and then re-establishes it from the proxy server to the destination website.

If you've heard of something like this before, referred to as man in the middle, you're absolutely correct: this is exactly what this technology does, and depending on configuration it can detect non-HTTPS traffic in an HTTPS stream, which would include your SSH connection. This diagram illustrates the issue perfectly, where the "perpetrator" is HTTPS inspection:

This used to be the advice; however, with HTTPS inspection the connection is secure but not fully, as it has been broken by the proxy and re-established, which means if you have TLSi your traffic has been intercepted and it's not the genuine article.

This is how normal traffic works without HTTPS inspection:

However HTTPS inspection does this to your traffic:

However, it is worth pointing out that many people do not use HTTPS inspection correctly, as for this technology to work effectively it needs to work in conjunction with firewall rules; for many proxy solutions, simply ticking the box to turn it on is not enough and causes more issues than it solves.
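As an added example (not part of the original post), this is the kind of first-bytes check an inspection proxy or IDS applies to a port-443 flow to tell a real TLS handshake from an SSH banner, which is the "signature" the port knocking section and the man-in-the-middle point above both refer to. The sample payloads are constructed inline.

```python
from typing import Optional

# Added example, not from the original post. A filter or inspection proxy can
# classify a port-443 flow from its first bytes to decide whether it really
# carries TLS or something else, such as an SSH server's banner.

TLS_HANDSHAKE = 0x16                       # TLS record content type "handshake"
TLS_RECORD_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303, 0x0304}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ", b"OPTIONS ")

# Constructed sample payloads: only the leading bytes matter for the check.
SAMPLE_CLIENT_HELLO = bytes.fromhex("16030100c5010000c10303") + b"\x00" * 32
SAMPLE_SERVER_HELLO = bytes.fromhex("160303005a020000560303") + b"\x00" * 32
SAMPLE_SSH_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"   # what an unmasked SSH server sends on connect


def classify_bytes(data: bytes) -> str:
    """Label the protocol that the first bytes sent by one side belong to."""
    if len(data) >= 6 and data[0] == TLS_HANDSHAKE:
        version = int.from_bytes(data[1:3], "big")
        if version in TLS_RECORD_VERSIONS:
            # byte 5 is the handshake message type: 1 = ClientHello, 2 = ServerHello
            return {1: "tls-client-hello", 2: "tls-server-hello"}.get(data[5], "tls-handshake")
    if data.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh-banner"
    if data.startswith(HTTP_METHODS):
        return "http-plaintext"
    return "unknown"


def judge_port_443(client_first: Optional[bytes], server_first: Optional[bytes]) -> str:
    """Decide whether a port-443 flow looks like genuine HTTPS.

    client_first / server_first are the first payload bytes each side sent
    (None if that side has sent nothing yet). A TLS server never speaks before
    the ClientHello, so a server banner on a silent client is already a tell.
    """
    if client_first is None and server_first is not None:
        return "suspicious: server spoke first (%s)" % classify_bytes(server_first)
    client = classify_bytes(client_first or b"")
    server = classify_bytes(server_first or b"")
    if client == "tls-client-hello" and server in ("tls-server-hello", "unknown"):
        return "ok: tls"
    return "suspicious: client=%s server=%s" % (client, server)


if __name__ == "__main__":
    print(judge_port_443(SAMPLE_CLIENT_HELLO, SAMPLE_SERVER_HELLO))
    print(judge_port_443(None, SAMPLE_SSH_BANNER))
```

Masquerading the banner behind a real HTTP server defeats this particular check, which is why the post suggests it; a TLS-terminating inspection proxy would then be looking for the next tell, the absence of a ClientHello inside the tunnel.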

TLSi Downgrade Issues

If you are inspecting your TLS traffic, for argument's sake let's assume the remote site is running TLS 1.3. In normal circumstances the client would negotiate TLS 1.3 with the server, which keeps the client-server relationship in full security mode.

If you then add TLSi into the mix and navigate to the same website, you could find that the connection between your browser and the proxy has been downgraded to TLS 1.2, or worse, older, based on the certificate you're using for inspection, which means when the connection is re-established it would also be in the downgraded TLS 1.2 protocol.

This means that if your inspection certificate is not up to date and only supports the older ciphers and protocols, then you are introducing an insecurity where there wasn't one before.

Front Door - Hostname?

The front door for connecting to your SSH server will either be a hostname or an IP address, which yes, can easily be blocked if it's a custom domain, and the same with an IP address. However, the problem with this approach is that while you can block a custom domain, if you leave the front door on a cloud provider owned hostname, it can easily be updated on the fly.

Front Door - IP Address?

If you opt for an IP address, this can also be changed relatively quickly. In fact, it can be changed quicker than it can be blocked; you see this happen all the time with phishing emails.

The hostname or IP address you get redirected to will be here today and gone tomorrow. This is so readily renewable due to the number of zombie computers on the Internet that are unknowingly serving sites like this, so while blocking an IP address or hostname is a temporary inconvenience, many cloud providers will let you generate a new one on demand as often as you require.

SSH needs more than SSH

We have spoken a lot about the SSH server, but the connection to it will not really solve your Internet woes, based on the original statement of blog websites being blocked. This is where, on that same server, you need to install a proxy solution. I personally always use Squid here because it's stable, very quick and reliable. I have already added another article about installing Squid; search for it and follow that if you're not sure how to do it.

Squid Proxy required

Squid will be used for this guide; make sure you get the latest version of Squid so it's fully patched. Once you have it running and configured, the default port it will listen on is TCP:3129. For this example you do not really need to change the port, but that is dealer's choice: if you wish to change the port to some other random port, that is your prerogative.

You should now have an SSH server and a Squid proxy server on the same server, and you need to get the two working together.

SSH Client

PuTTY is the weapon of choice, or rather, a valid tool.

This is simply an SSH client that will allow you to connect to a remote endpoint, and that endpoint will be the server housing SSH and Squid. The connection method does not matter, hostname or IP; however, you may need unique settings to be able to talk through the proxy.

If you have a proxy with integrated or minimal authentication, then you can simply connect using the hostname/IP and the port TCP:443; if successful, you will be prompted with a login response.

If you have a proxy that forces authentication, then you also have the option to provide a username and password for this particular transaction. This will not be used to authenticate to your SSH server but rather to the proxy required to get to your SSH server. Once connected, you can continue with this guide.

If you have a proxy that has a custom authentication token, then you may need to adapt how you connect based on the authentication expected. Unfortunately, I can't go into every option because there could be quite a few.

PuTTY Tunnel Mode

Now you have the connection to your SSH server, you need to add some tunnels to your SSH configuration to be able to access the proxy server. The tunnel configuration goes something like this:

The settings entered here will need to be reflected in the proxy server settings of your client operating system; where you need to set them depends on your client configuration. If you are using Windows 8.1 or above, which translates to Server 2016 or above, you only need to set this in the proxy settings in the Settings app.

SSH to the Proxy with the tunnel

Now you have your SSH connected and your tunnel is online, all you need to do is set the proxy to this:

Then when you try to access a blog, rather than the block page you will now see the blog. Obviously, ensure that the Squid proxy is protected with NextDNS, OpenDNS or another DNS filtering service to ensure it is not "unrestricted", but there you have it.
