Traversing the Corporate Firewall

by superbeast

Remember the day you started your new job at that major corporation?

Finally, job security!

Of course, your joy was quickly curtailed when you realized your only access to the Internet was via HTTP or HTTPS.  No personal mail, no newsgroups, IRC, VPN, etc., etc., etc.

What fun is a corporate job if you can't exploit it for personal use?

I needed my newsgroup fix and Google Groups was not going to satisfy it.

Discover

I did some research and found a way to traverse the firewall using SSH.

Now, SSH by itself is basically just a secure Telnet.  However, many SSH clients allow you to perform port forwarding.

Port forwarding lets you forward a port on your local machine, via the SSH client, to a port on any remote machine.  This means if you have a server at home with high-speed Internet access, you can connect to it via SSH and forward ports through it.

Then you can point your mail client, news client, or any other client at localhost:port and connect to the remote machine.  People are currently using HTTP tunneling, but this is a way to tunnel any TCP/IP connection, and to do it through your own or a friend's server.

Implement

I know what you're thinking - SSH runs on port 22 and the firewall has that blocked.  Big deal!  You have two options:

1.)  Via SOCKS

This method requires you to set up a SOCKS proxy on your server.

You can configure the SOCKS proxy to listen on port 443 rather than the standard 1080.  You can then configure your SSH client to use your SOCKS proxy server on the given port.  This way your SSH traffic goes through the SOCKS proxy to port 22 on the same server, which the SSH client can reference by internal name or internal IP address.

Here is how I set mine up:

Home Server

  • Name: gonzo
  • Internal IP: 192.168.1.1
  • External IP: 123.123.123.1
  • Configure SOCKS proxy to listen on: 123.123.123.1:443
  • Configure SSH to use: socks://123.123.123.1:443 as proxy.
  • Configure SSH remote host as gonzo or 192.168.1.1.

Pros

You are obscuring the fact that you are running an SSH server by blocking port 22 and using SOCKS to connect to it.

If you are scanned, most people will assume SSL and leave you alone.  You also have a SOCKS server to use as a proxy for other programs if you like.

Cons

If you leave your SOCKS proxy open, others may find it and use it.  The best thing to do would be to configure it to only allow connections to the local box.

2.)  Via Port 443

This method is very similar; just set the SSH server to listen on 443 and set your SSH client to use 443 instead of 22.

Pros

Easy to set up.

Cons

If someone scans you, they may realize you are running SSH and try to connect or exploit it.
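Both methods rely on port 443 being taken for SSL, but neither a SOCKS greeting nor an SSH banner looks like a TLS handshake on the wire. The following is an added example, not part of the original article: a check a network monitoring team could run over the first payload bytes of each port-443 flow. The function names, the sample flows, and the assumption that a sensor supplies those first bytes are all hypothetical.

```python
# Added example: label port-443 flows by their first payload bytes.
# Every flow below is constructed sample data, not a capture.

def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'ssh', 'socks5' or 'unknown' for a flow's first payload bytes."""
    # TLS record header: type 0x16 (handshake), major version 0x03, minor,
    # 2-byte length; the handshake message type follows (0x01 = ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"
    # SSH identification string "SSH-protoversion-softwareversion" (RFC 4253,
    # section 4.2). A server may send other text lines first, so check each line.
    if any(line.startswith(b"SSH-") for line in data.split(b"\n")):
        return "ssh"
    # SOCKS5 client greeting (RFC 1928): VER=0x05, NMETHODS=n, then n method bytes.
    if len(data) >= 3 and data[0] == 0x05 and len(data) == 2 + data[1]:
        return "socks5"
    return "unknown"


def non_tls_flows(flows):
    """Return (flow_id, label) for every sampled port-443 flow that is not TLS."""
    results = []
    for flow_id, first_bytes in flows:
        label = classify_first_bytes(first_bytes)
        if label != "tls":
            results.append((flow_id, label))
    return results


SAMPLE_FLOWS = [
    # Ordinary HTTPS: start of a TLS ClientHello record.
    ("10.0.0.5->203.0.113.10:443", bytes.fromhex("160301020001000001fc0303")),
    # Method 2: an SSH server listening on 443 announces itself in cleartext.
    ("10.0.0.7->123.123.123.1:443", b"SSH-2.0-ExampleServer_1.0\r\n"),
    # Method 1: SOCKS5 greeting offering "no auth" and "username/password".
    ("10.0.0.9->123.123.123.1:443", bytes.fromhex("05020002")),
    # Anything else on 443 that is not TLS is also worth a look.
    ("10.0.0.11->203.0.113.20:443", b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for flow_id, label in non_tls_flows(SAMPLE_FLOWS):
        print(f"{flow_id}: first bytes look like {label}, not TLS")
```
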

Conclusion

Once you get this up and running, you will see the power of using port forwarding.

Not only can you use it for POP3, SMTP, NNTP, etc., but you can also use it for terminal services.

Imagine opening an RDP client on your machine at work and connecting to your desktop at home!  And to top it off, all traffic running through the tunnel is encrypted.

If your corporate security group is sniffing or gathering traffic stats on you, none of this will show up.  It will look simply like an encrypted session with your server.

Good luck!

Software Used

These are all for Windows, but there are definitely Linux equivalents.

SSH Clients

SecureCRT - www.vandyke.com

SSH Secure Shell - www.ssh.com

SSH Servers

VShell - www.vandyke.com

SOCKS 5 Proxy

Wingate - www.wingate.com
