OpenSSH is a glorious implementation of a critical network protocol. Most networks have disabled and banned the use of telnet, rsh, and ftp in favor of the more “secure” SSH protocol. OpenSSH runs on every platform I’ve encountered (using CygWin on Windows). SSH provides an encrypted channel for data transfer. Usually that’s Keyboard Interactive Sessions or Files (using SCP), however SSH is capable of setting up multiple channels and acting as a SOCKS4 or SOCKS5 Proxy.

From the manual:

-D [bind_address:]port

Specifies a local ``dynamic'' application-level port forwarding.
This works by allocating a socket to listen to port on the local
side, optionally bound to the specified bind_address.  Whenever a
connection is made to this port, the connection is forwarded over
the secure channel, and the application protocol is then used to
determine where to connect to from the remote machine.  Currently
the SOCKS4 and SOCKS5 protocols are supported, and ssh will act
as a SOCKS server.  Only root can forward privileged ports.  Dy-
namic port forwardings can also be specified in the configuration
file.

That’s a lot of technical mumbo jumbo, so what does it mean?! Well it means that if you have ssh and an ssh server outside of your work network that you can connect to, you can SOCKS5 Proxy all your Interesting Traffic elsewhere by issuing this command:

ssh -D3128 server

Then pointing your applications to SOCKS5 Proxy localhost port 3128 will encrypt all the traffic between you and the server that you’re connecting to. This only provides privacy from the LOCAL or CORPORATE network, and does not encrypt your traffic on it’s way to it’s external destinations!!!!

In the next installment, we’ll cover PuTTY.exe and how to evade proxies on Windows platforms.

Additionally, these proxies do very little to increase the security of the network. I’m fairly certain that by the time the Proxy Vendor is alerted to malware distributing websites, an anti-virus company has already issued an update. This is redundant. Normally, I’d fully support this redundant – ok, I’ll drop the buzzword – Defense in Depth solution.

However, piggy-backing on the heels of ay real security value, which is best described as the graph of 1/x, are made up categories of websites to deter your users from doing things that your CEO believes are inappropriate. Interestingly enough, if the CEO is involved in Fantasy Football, you’ll be hard pressed to find an IT Infrastructure that denotes that classification of sites as inappropriate. I digress.

I hate these policies. The whole concept of the internet is free access to information. As my job is Information Security, I frequently surf into the areas of the internet that WebSense might classify as “Inappropiate Content”, “Hacker Sites”, or “Proxy Sites”. It’s the nature of my business. Luckily for me, I’ve been granted an exception to the policy that allows me to view such terrible web content.

However, my users are frequently inconvenienced by searches for “adult oriented material” as some of our reproductivity scientists might need access to sites that contain terms like “sex”, with interesting prefixes like “oral” and “vaginal”. *Gasp*

So, tired of executives so out of touch with their users that they don’t recognize them, much less know what they do, I begin my multipart series on Proxy Evasion with the Environmental Concerns.

CygWin

If you’re running Windows, I highly recommend that you install CygWin. It provides a POSIX Compliant Environment for Windows. I’d be lost on Windows without it.

Using CygWin you can install a host of tools for network scouting, monitoring, manipulation, defense, and attack. Some of my indispensables include:

• nmap – find out about a host
• iptraf – find out about network traffic
• tcpdump / libpcap – excellent network sniffer
• winpcap – I can’t remember if CygWin actually has libpcap support, if not, I remember having enormous success with WinPCAP

None of those are necessary for Proxy Evasion, but they are nice tools to have laying around when you’re connected to a network.

Mac OS X

Don’t worry, I’m a Mac user too. Mac OS X comes with a number of UNIX utilities already installed. I highly reccommend installing the Developer’s Tools package to get GCC and then installing one of the ports systems available. The two forerunners in the GNU/OpenSource porting for OS X are:

• Fink – Provides source & binary downloads of packages with full dependency support.
• MacPorts – Previously DarwinPorts, source only ports system.

Though most free software will download and compile without hassle, it’s nice to have a package management suite that manages and downloads dependencies so you spend less time searching and installing and more time using your software.

But.. But.. I don’t have Admin Rights!

As a way to “increase security”, organizations will remove administrative privileges from average user’s computers. I feel this is complete hipocracy, so I discourage it. However, if you’re unfortunate to have these restraints enforced on your computer, there are ways to run your programs without installing them, and thus be compliant with the “I will not install my own software on company computers” rule you signed when you took the job.

They’re called “Portable Apps.” They’re designed to be installed & run off of USB flash drives and require no disk access on the computer you run it on. This generally avoids all automated software policy enforcement, allowing you to run your programs without being hassled.

Here are the two biggest repositories for portable apps:

• Portable Windows Apps
• Portable Mac OS X Apps

This biggest advantage to portable apps is the fact that they’re preferences are also stored on the drives. This means even if you don’t have access to modify the network settings (ie, Proxy settings) on your applications because of an enforced policy, you can still modify the preferences on the portable apps. This is terribly useful once we have tunnels setup to use for proxying.

I carry around a copy of Thunderbird, Firefox, Gaim/Adium, Abiword, and for Windows, PuTTY.

If you’re on Windows, please download PuTTY now. It’s a light weight ssh terminal that does not need to be installed. It’s precompiled and can run with out writing preferences anywhere you’re not allowed.

By becoming aware of software solutions that allow you to do your work, you can setup a hospitable environment for productivity, free from the annoyances of “ADMINISTRATOR PRIVILEGES REQUIRED.”

In the next article, we’ll cover using SSH for Proxy Evasion.