3

I'm creating a security "dropbox" that can be deployed behind NAT or any firewall, call out to a controlled publicly accessible server and then accept control from the server.

I know this is easily done with an ssh -R command, however, I'm looking for something that effectively evades IDS/IPS over proper SSL/TLS and port 443.

Currently my setup that is working (SSL only) has my dropbox (we'll call this the client) calling out and initiating a stunnel connection with the server. I can then ssh manually from the client to the server.

This is fine and great; however, I need to be able to ssh from the server down to the client via the established stunnel.

Questions:

  1. Can I just ssh directly from the server over the existing stunnel connection (stunnel initiated by the client)? This may require a stunnel config change; I'm just a little lost on what I should change.
  2. Can I reverse SSH tunnel from the client over stunnel to the server so the server then has a local port to ssh back down to the client? If so, I have not been able to get the ssh -R command to work properly as I think I end up creating a loop.

Below are my stunnel configs:

Server:

; stunnel server: terminate TLS on 443 and hand the plaintext stream to the local sshd
cert=/path/to/cert.pem
pid=/tmp/stunnel.pid
[ssh]
accept=443
connect=127.0.0.1:22

Client:

; stunnel client: anything connecting to local port 2200 is wrapped in TLS and sent to the server's 443
cert=/path/to/cert.pem
pid=/tmp/stunnel.pid
client=yes
[ssh]
accept=2200
connect=<serverpubip>:443

Example SSH command attempting a reverse tunnel from client to server over the stunnel connection:

ssh -i /path/to/cert -R 2200:localhost:2200 -p 2200 admin@localhost -f -N

Remember, the requirements are that only the client can call the server to initiate the initial connection (stunnel) and the traffic must be over well-formed SSL/TLS encryption. I also need to gain shell access from the server down to the client. Thanks in advance!

Update:

It ended up being a bad ssh command. The ssh command that worked for me is:

ssh -i /path/to/cert -R 2201:localhost:22 -p 2200 admin@localhost -f -N
Reaces
eficker

  • Have you considered using OpenVPN on TCP/443? I don't know how indistinguishable from (the TLS layer of) HTTPS it really is, but maybe worth exploring. – Nils Toedtmann Sep 18 '14 at 06:42
  • @NilsToedtmann No, OpenVPN is very visible to IDSes. But there is _obfsproxy_ which can make this look similar to simple HTTPS traffic. – peterh Sep 18 '14 at 08:04
  • @PeterHorvath thx, interesting! Do you have a source? – Nils Toedtmann Sep 18 '14 at 09:01

3 Answers

3

Your goal can't be reached with your current tools, because

  1. stunnel is unable to do this back-connecting feature,
  2. ssh won't work as a daemon, and has a slightly different protocol from HTTPS. Sufficiently smart IDSes will be able to detect that.

What you should do:

  1. As @NilsToedtmann suggested, you should use some type of tricky thing, at least an OpenVPN. The client side of the OpenVPN should run inside. Watch for the timeout/keepalive settings! You have to keep the overhead traffic as small as possible.
  2. The OpenVPN traffic differs dangerously from normal HTTPS, but there is a tool named obfsproxy with which you can embed the OpenVPN traffic into a more friendly looking data stream. This tool is part of the Tor project, but can be used independently as well (and was originally developed against the big Chinese firewall).
  3. If there is some type of corporate firewall in the picture, you could use cntlm to make this look as if it were IE8, and make it compatible with Kerberos-authenticated corporate proxies.
  4. On the server side, there is a tool which may be very useful, named sslh. It allows you to multiplex your OpenVPN/ssh-over-HTTPS traffic with the normal HTTPS service.

So, your actual data connection is not as simple as you wish, but you can reach what you want. If you use all of these technologies, it could stand against even an intelligent network security check.

peterh

  • awesome advice, thanks. I'll take a look at those and attempt implementation. Have you seen ftp://ftp.stunnel.org/stunnel/tappipe/ ? Supposedly it allows you to connect two subnets over stunnel (stunnel's FAQ page recommends it). Not sure if this would be a viable solution. – eficker Sep 18 '14 at 15:26
  • Peter, turned out it was my ssh command, but thank you for all the new tools you put in your answer, they have my gears turning for other projects. – eficker Sep 25 '14 at 03:48
2

I think all that's needed is to change -R 2200:localhost:2200 to -R 2200:localhost:22 in your ssh command.

As it stands, you're connecting port 2200 on the server back to port 2200 on the client. And yes, that creates a forwarding loop since client:2200 is tunneled back to the server.

Assuming ssh on the client is running on port 22, then -R 2200:localhost:22 will connect port 2200 on the server to ssh on the client.

In order to help make this a little clearer, I suggest picking a different port number to reverse tunnel from the server: say, -R 2201:localhost:22. That way you're not using port 2200 on both hosts, which will help to keep you from getting the two ports confused.

Andrew Schulman

  • Andrew, thanks for that explanation. I get lost every time on the ssh reverse tunnel commands. The problem over stunnel is that when I go to authenticate, the weird loop I end up creating tries to auth the local box, and I can't figure out how to do that otherwise. I'll attempt your solution this evening and report back. Thank you! – eficker Sep 18 '14 at 15:29
  • Andrew, you were absolutely right. Thank you for your answer. May there be many a free lunch and ne'er a flat tire for all your days. – eficker Sep 25 '14 at 03:47
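To make the loop in this answer concrete, here is an added Python model (not code from the question or the answer) of every listener on the two machines as set up by the stunnel configs in the question. It traces where a connection to the ssh -R port on the server really lands: -R 2200:localhost:2200 resolves back to the server's own sshd, while -R 2201:localhost:22 resolves to the client. It assumes the client runs sshd on port 22, as the answer does.

```python
# Added example, not code from the question or the answers: a model of the
# listeners on both machines, used to trace where a connection to the ssh -R
# port on the server really lands. Ports follow the question's stunnel configs;
# the client is assumed to run sshd on port 22, as the answer assumes.
# (host, port) -> where that listener forwards; None marks a final endpoint.
BASE_LISTENERS = {
    ("client", 2200): ("server", 443),  # stunnel client: accept=2200, connect=server:443
    ("server", 443): ("server", 22),    # stunnel server: accept=443, connect=127.0.0.1:22
    ("server", 22): None,               # sshd on the server
    ("client", 22): None,               # sshd on the client (assumed)
}

def with_reverse_forward(listeners, remote_port, local_host, local_port):
    """Add the socket 'ssh -R remote_port:local_host:local_port' opens on the
    ssh server. The ssh session runs client:2200 -> stunnel -> server:22, so
    the ssh server is 'server' and 'localhost' in -R means the client box."""
    new = dict(listeners)
    target_host = "client" if local_host == "localhost" else local_host
    new[("server", remote_port)] = (target_host, local_port)
    return new

def resolve(listeners, host, port, max_hops=10):
    """Follow forwards from (host, port) to a final endpoint; return (endpoint, path)."""
    path = [(host, port)]
    for _ in range(max_hops):
        if (host, port) not in listeners:
            raise LookupError(f"nothing is listening on {host}:{port}")
        nxt = listeners[(host, port)]
        if nxt is None:
            return (host, port), path
        if nxt in path:
            raise RuntimeError(f"forwarding loop: {path + [nxt]}")
        host, port = nxt
        path.append(nxt)
    raise RuntimeError("too many hops")

def endpoint_of_remote_port(remote_port, local_port):
    """Where 'ssh -p <remote_port> localhost' run on the server actually lands."""
    listeners = with_reverse_forward(BASE_LISTENERS, remote_port, "localhost", local_port)
    return resolve(listeners, "server", remote_port)[0]

if __name__ == "__main__":
    # The command from the question: lands on the server's own sshd.
    print("-R 2200:localhost:2200 ->", endpoint_of_remote_port(2200, 2200))
    # The fix from the answer and the update: lands on the client's sshd.
    print("-R 2201:localhost:22   ->", endpoint_of_remote_port(2201, 22))
```

The path for the original command is server:2200 -> client:2200 -> server:443 -> server:22, which is why authentication on that port hit the server's own sshd.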
2

Why not install a persistent reverse_http(s) meterpreter on the "dropbox"? I think this is the easiest way to acquire a reverse shell over http(s).

  • More detail on how to accomplish this would improve your answer – Dave M Aug 19 '15 at 14:39
  • Not a bad idea, however, I was looking to do this with standard tools in standard distros. Sometimes I have to work with existing infrastructure. Netstat reporting stunnel running is a little less innocuous. I realize I didn't make this distinction in my question, however. – eficker Aug 20 '15 at 17:57
  • I don't see why running a VM with msf installed on your PC would interfere with an existing infrastructure. Assuming that your "dropbox" is of the unix type (Rpi?), you can easily make a cron to execute the meterpreter periodically. – Kasper Taeymans Aug 20 '15 at 19:16