Wednesday·04·April·2012
Tools for CLI Road Warriors: Hidden Terminals //at 00:57 //by abe
Some networks have no connection to the outside except that they allow surfing through an HTTP(S) proxy. Sometimes you are happy and the HTTPS port (443) is unrestricted. The following server-side tools allow you to exploit these weaknesses and get you a shell on your server.
sslh
sslh is an SSH/SSL multiplexor. If a client connects to sslh, it checks if the clients speaks the SSH or the SSL protocol and then passes the connection to the according real port of SSL or some SSL enabled service, e.g. an HTTPS, OpenVPN, Tinc or XMPP server. That way it’s possible to connect to one of these services and SSH on the same port.
The usual scenario where this daemon is useful are firewalls which block SSH, force HTTP to go through a proxy, but allow HTTPS connections without restriction. In that case you let sslh listen on the HTTPS port (443) and to move the real HTTPS server (e.g. Apache) to listen on either a different port number (e.g. 442, 444 or 8443) or on another IP address, e.g. on localhost, port 443.
On an Debian or Ubuntu based Apache HTTPS server, you just have to do the following to run Apache on port 442 and sslh on port 443 instead:
apt-get install sslhas root.- Edit
/etc/default/sslh, changeRUN=notoRUN=yesand--ssl 127.0.0.1:443to--ssl 127.0.0.1:442. - Edit
/etc/apache2/ports.confand all files in/etc/apache2/sites-available/which contain a reference to port 443 (which is only/etc/apache2/sites-available/default-ssl.confin the default configuration) and change all occurrences of443to442. service apache2 restartservice sslh start
Now you should be able to ssh to your server on port 443 (ssh -p 443 your.server.example.org) while
still being able to surf to
https://your.server.example.org/.
sslh works as threaded or as preforking daemon, or via inetd. It also
honors tcpwrapper configurations for sshd in /etc/hosts.allow and /etc/hosts.deny.
sslh is available as port or package at least in Gentoo, in FreeBSD, in Debian and in Ubuntu.
AjaxTerm
A completely different approach takes AjaxTerm. It provides a terminal inside a web browser with login and ssh being its server-side backend.
Properly safe-guarded by HTTPS plus maybe HTTP based authentication this can be an interesting emergency alternative to the more common — but also more often blocked — remote login mechanisms.
AjaxTerm is available as package at least in Debian and in Ubuntu.
Happily I never were forced to use either of them myself. :-)
Tagged as: AJAX, AjaxTerm, Apache, Debian, HTTPS, libwrap, OpenVPN, SSH, SSL, sslh, tcpd, tcpwrapper, Ubuntu, XMPP
// show without comments // write a comment
