[00:00:00] Sometimes you will be behind an HTTP proxy. This is likely when you're at places like work, school, university, private networks. If you look in the browser settings for the machine that you are forced to use when you are on that network, you can potentially tell whether or not you're using a proxy on that network. So you will see something in here, maybe here: HTTP proxy, the IP address and the port number. If you're on Windows and you look at Internet Explorer, that will show you if there are any system proxy settings; again, note down the IP and the port number. You can also be using a transparent proxy, which means there will be no settings in here. You will just automatically go through the transparent proxy.

[00:00:56] And also, you can be on auto-detect proxy settings, where you'll be using some form of proxy auto-config, or PAC, or PAC file, which looks something like this. So you'll have to try and locate the PAC file, and then, if you do, you might be able to find the proxy's IP address and port. Note down the IP address and port of any proxy servers that are in here.

[00:01:25] This file is likely to be on the proxy server as a file you can download via a web link, or it could even be a local file.

[00:01:34] There are two main types of HTTP proxies that you are likely to encounter. Now, many HTTP proxies don't actually proxy HTTPS. They only proxy HTTP. And that is because HTTPS requires more administrative effort. They have to make more changes, they have to add encryption certificates and other sorts of things. So instead of proxying, what they do is they forward the HTTPS traffic on to the final destination, as long as, of course, the final destination's domain or IP is allowed, and they do this using something called the "HTTP CONNECT command", which essentially opens a private tunnel for the browser to use. Proxies that do do this generally should be easier to bypass, as there's no content inspection of the HTTPS, and you can create a good tunnel with HTTP CONNECT, which I'll show you how to do. Now, so that's the first type. The second type does do full proxying of the HTTPS protocol.

[00:02:47] Meaning that, when it gets to here, it breaks the encryption; there is no end-to-end encryption between here and here with these second types of proxies. And because they have broken the encryption, they're able to filter here based on the contents of the traffic. So how do they do this breaking? Well, on a private network, this is normally done by placing a certificate on the browser. The browser then, wherever it connects to with an HTTPS connection, or sometimes all connections, creates an SSL connection to the proxy here, and that's where it ends, and that's where it is broken. The proxy then examines the traffic here, and if it's okay, it then forms a second SSL tunnel here, or SSL/TLS connection, to the final destination. And it does that on behalf of the client. Now of course, it does require a certificate on here. If there is no certificate on here, there's no certificate installed in the browser, then you will get warnings saying that there's a certificate security error and that the certificate is invalid.

[00:03:58] But this is actually a very, very common technique in businesses that want to proxy HTTPS. You use their device, they put that cert on there, and they break the encryption at the proxy and are able to see all the traffic. Still, it is potentially possible to get through this second type of proxy as well. So let's look at some ways of doing this.

[00:04:26] So the first tool to try to get through an HTTP proxy is Corkscrew. Corkscrew is a tool for tunneling SSH through HTTP proxies, as it says. And it supports a multitude of operating systems, including Mac OS X; you can even get it on Win32 with Cygwin, and also Linux, of course. And it is available in repositories. On Debian, for example, on Kali, a "sudo apt-get install" and then corkscrew, and you'll be able to get a fully working version from the repository.

[00:05:03] So what we're going to do now is we're going to open up a dynamic SOCKS port proxy on our local machine that sends traffic through the HTTP proxy and then on to the SSH server.

[00:05:16] To open the connection to the SSH server, we will first try to use the HTTP CONNECT method, which allows a client to connect to a server through an HTTP proxy by sending an HTTP CONNECT request to the proxy. And this is how Corkscrew works, so that's what we're going to use. So let me explain this command here. So we're SSHing, we're SSHing on port 22. Now this, you would need to change. This is likely going to be port 80 or port 443. This needs to be whatever your firewall happens to allow out. And then, we're going to run additional commands, which we're going to do through the proxy command, and we're going to run Corkscrew, we're going to run the program Corkscrew. And the first thing is, it is going to connect: that is the IP address of the proxy server, that's why we needed to know it, and then this here, 8118, is the port of the proxy server. And then we're going to open up a dynamic SOCKS proxy locally on 8080 that connects through to demo.stationx.net.

[00:06:35] Once we have done that, we can put in 127.0.0.1, port 8080, into a browser, and that browser will go via the HTTP proxy and then SSH onto demo.stationx.net. So let's give that a try, see if it works.

[00:07:02] So there we are, we're on the SSH server, so that has got us through the HTTP proxy. So I'm enabling my browser to go through that proxy, so 127.0.0.1, 8080, SOCKS proxy, remote VPN. And there we go, I'm coming from the Amazon data center in Dublin where the demo server is. So there you go, able to get through an HTTP proxy. Not too painful. Remember, you need to change this to a port that the firewall allows, and of course you need Corkscrew, and you need to know the IP address and port of the proxy.

[00:07:52] If the HTTP CONNECT method is not available, Corkscrew just isn't working for whatever reason, then you can try another tool. We have Proxytunnel here. Just scroll down. You can see it is available for Windows, OpenBSD, NetBSD, so it should work on Mac.

[00:08:12] It is available for Debian and Kali, and is available in the repository under proxytunnel, so you can just simply get it there and "apt-get install proxytunnel". And this is the command you would use. If we look here, we can see this is a very similar structure to what we previously did, but we're just using Proxytunnel here instead. Now see, we've got port 22 again; that needs to change to whatever port is allowed out of your firewall, port 80, port 443, etc. So here is the actual command: "proxytunnel -p". This is the IP address of the proxy server, then 8118 is the port, and then again, we are creating a local dynamic SOCKS proxy, and we're connecting to demo.stationx.net, in order to create that SOCKS proxy. So let's give this a try.

[00:09:18] This one gives a little bit more information here. It shows us that we're going through this HTTP proxy, and we're going through to this SSH server here. And there we go. And there we are.

[00:09:38] We're coming from Ireland again, so we're successfully getting through that proxy, and you can see there, connected to the local SOCKS proxy on 8080.

[00:09:50] Now, not all proxies are going to play ball, I'm afraid. There are many things that they can use to try and stop you getting through. The first one is authentication. So it may be that you need to authenticate to that server. And here, you can see the command here, so I've added "-P" with proxytunnel, and you enter your "username:password", and you can pass your username and password to the proxy server. If you don't want to put your username and password in the actual command, because it will show up in the process list, then you can use "-F" and just put the username and password in a file, like so. And this is with Proxytunnel. And with Corkscrew, you can do the same sort of thing. You can do it from a file. So there you go, you put the username and password in a file and it will send that to the proxy server.

[00:10:50] Some proxies may even want more information, like your browser's user agent and your referrer. Now you can still provide this using Proxytunnel. If you noticed, this command is the same as what we've just been using, but the difference is here we've got this "-H", and then here we're adding the agent in quotes. If you're not sure what your agent string is, then just do a search for user agent and paste something in there for your user agent. And it's got the Host here with the "-H", taking the variable here from here. Then we also have "Referrer", and again, we're taking the variable "h" here. And then "-P", username and password, and then creating the local tunnel. Now, that's getting a little bit large, isn't it, now as a command? So there is an alternative.

[00:11:50] Because the command is long, what we can do is, we can set up a default command to run per host. And we do that by editing the config file, which will be in the ".ssh" folder for the user that you want to run this command as. So let's edit this file, and I've actually prepopulated it here, and this is what you're going to need.

[00:12:15] So "Host" is the nickname for the server that you're going to connect to. "User" is the user you're going to connect as. "HostName" is the IP address or URL to your server, or domain name for your server. The port you're connecting to, this is what will be 80 or 443 for you. A dynamic port that's going to create the SOCKS5 proxy that it's going to create locally, that you're going to connect to. And then, this is the proxy command; this is the same as I've just shown you, and you could put any of the previous proxy commands just in here. And you can see it goes on and on.

[00:12:58] So now, so if I save that, if I do "ssh demo", it's going to do the full proxy command, proxytunnel, because I have that configuration in my config file, and it will create that local SOCKS proxy with just this command, because "demo" is the host. And there we go, we can see it's connecting through the HTTP server to the SSH server. And there we are. Go on here, refresh, and there we are, a tunnel through the HTTP server using SSH is working.

[00:13:48] And there are some other options, but I can't go through every one, but the good ones are HTTPTunnel. This is some software that you put both on a server and on a client, and you create connections between the two. So instead of using SSH, you're using this instead. This is available for Windows and Linux, and it is available in the Debian Tails repository. And then, Windows-wise, you've got HTTPtunnel, which looks like this, which you can try out. There's BarbaTunnel, you can try. There's Super Network Tunnel, but that is a pay-for solution, which looks like this.

[00:14:41] And then, if you're in a Windows environment and you need to do NTLM-type authentication, this is an authentication proxy that might enable you to get through an HTTP proxy, which may help you out if you're needing to do NTLM authentication.

[00:15:01] So that's getting through HTTP proxies. In most cases, with one of these tools or techniques, there's a good chance you will be able to get through, but of course, always remember about the consequences. If the consequences are high, all of these techniques could be discovered by a keen administrator.