Hacking Out of a Network - Computerphile
Learn how to bypass network restrictions using SSH tunneling, proxies, and DNS. Warning: doing this on a network you are not authorized to use is illegal and risky.
Key Insights
Network administrators implement firewalls to block access to certain websites or services.
SSH tunneling can be used to create secure connections and bypass port restrictions.
SOCKS proxies, configured via SSH tunnels, can reroute traffic to circumvent firewalls.
Carrying TCP inside another TCP connection hurts performance; sshuttle avoids this by moving stream data rather than packets over the SSH session.
Running SSH on a non-default port such as 443, or going out through the permitted web proxy, can get around port-based blocking.
Tunneling over DNS (e.g., with Iodine) offers another covert channel, since DNS is rarely blocked.
Bypassing network security without authorization is illegal and highly risky, and tunnels often trigger alarms.
Security professionals can detect the unusual, long-lived connections typical of tunneling.
An intruder has to be lucky every time; the administrator only has to be lucky once.
Even with sophisticated tunneling, network monitoring can lead to quick detection.
UNDERSTANDING NETWORK RESTRICTIONS AND BLOCKING RULES
This video explores methods to bypass network restrictions, often implemented by administrators using firewalls. These firewalls can block access based on specific websites, ports, or services. For example, a network administrator might block YouTube to conserve bandwidth on a train or in an airport. Blocking can target IP addresses, ports like 80 for HTTP or 443 for HTTPS, or specific services like email or SSH, thereby controlling network access and preventing unauthorized usage.
SSH TUNNELING FOR BENDING RULES
One primary method to circumvent network restrictions is Secure Shell (SSH) tunneling. SSH is normally used for secure remote login and file transfer, but it can also carry other traffic. With local port forwarding, SSH listens on a port on your own machine and sends anything that arrives there down the encrypted connection; the remote server then delivers it to the real destination. To the local firewall all of this is a single outbound SSH connection, so services whose ports are blocked can be reached through the one port that is still allowed.
UTILIZING PROXIES VIA SSH TUNNELS
An SSH tunnel can also provide a SOCKS proxy: SSH listens on a local port (typically 1080), and any connection handed to that port is carried through the SSH session and made from the remote server. Pointing a web browser, or the whole machine, at this proxy makes traffic appear to originate from the remote server, bypassing the local network's restrictions. The video warns that this stacks TCP inside TCP, which can hurt performance when both layers try to recover from packet loss independently.
IMPROVED TUNNELING WITH SSHUTTLE AND PORT REDIRECTION
To avoid the TCP-over-TCP problem the video introduces sshuttle, which is also more convenient. It runs on top of SSH but captures local traffic and reassembles it on the remote side, so the tunnel carries stream data rather than nested packets, and it can route the whole machine's traffic without per-port forwarding rules. Port blocking is a separate problem. If the administrator blocks the default SSH port (22), run the SSH server you control on a port that is still allowed, such as 443, which has to stay open for HTTPS; the SSH protocol does not care which port it uses.
WEB PROXIES AND NETCAT FOR ADVANCED BYPASSES
In a tightly locked-down environment where the only way out is a web proxy, more work is needed. The video highlights netcat, a generic tool for listening on ports, testing connections and opening raw connections, which is also a convenient way to open a connection through a proxy. The proxy will usually let a client CONNECT to port 443, because that is how HTTPS works, so the server you control is set up to pass traffic arriving on port 443 back to its SSH daemon on port 22. SSH is then run through the proxy with netcat as its transport, and the tunnel exists even though the administrator only permits outbound connections via the proxy.
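The commands behind the steps in the three sections above, collected as an added example; this is not code from the video. The user, server and proxy names are placeholders (assumed), `nc -X connect` is OpenBSD-style netcat syntax, the iptables rule runs as root on the server you control, and sshuttle needs root locally and Python on the remote host. Each function prints the command it would run and only executes it when TUN_EXEC=1 is set, so the flags can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the video): client- and server-side commands for
# the SSH tunnelling steps, wrapped in functions. Hostnames, users and the
# proxy address are placeholders; override them in the environment.
# By default each function only prints the command; set TUN_EXEC=1 to run it.

TUN_REMOTE="${TUN_REMOTE:-user@example.net}"        # assumed: SSH server you control
TUN_PROXY="${TUN_PROXY:-proxy.corp.example:3128}"   # assumed: the only permitted exit point

# Print a command with shell-safe quoting, then run it if TUN_EXEC=1.
run() {
    out=""
    for a in "$@"; do
        case $a in
            *" "*) q="'$a'" ;;   # quote arguments containing spaces
            *)     q="$a" ;;
        esac
        out="${out:+$out }$q"
    done
    printf '%s\n' "$out"
    if [ "${TUN_EXEC:-0}" = "1" ]; then "$@"; fi
}

# 1. Local port forward: anything sent to localhost:8080 travels inside the
#    SSH session and is delivered by the remote server to host $1, port 80.
local_forward() {
    run ssh -N -L "8080:$1:80" "$TUN_REMOTE"
}

# 2. Dynamic forward: SSH acts as a SOCKS proxy on localhost:1080. Point the
#    browser (or the whole machine) at it; every connection exits from the
#    remote server.
socks_proxy() {
    run ssh -N -D 1080 "$TUN_REMOTE"
}

# 3. sshuttle: routes all traffic (0.0.0.0/0) through the SSH session without
#    nesting TCP inside TCP; needs root locally and Python on the remote host.
sshuttle_all() {
    run sshuttle -r "$TUN_REMOTE" 0.0.0.0/0
}

# 4. Server side (run as root on $TUN_REMOTE): accept SSH on 443 by redirecting
#    inbound 443 to sshd on 22, so the client connection looks like HTTPS.
#    (Setting "Port 443" in sshd_config achieves the same thing.)
server_redirect_443() {
    run iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 22
}

# 5. Client side when only the web proxy is allowed out: OpenBSD-style netcat
#    opens an HTTP CONNECT tunnel to $TUN_REMOTE:443 through the proxy, and
#    SSH (with its SOCKS proxy) runs over that.
ssh_via_proxy() {
    run ssh -N -D 1080 -p 443 \
        -o "ProxyCommand=nc -X connect -x $TUN_PROXY %h %p" "$TUN_REMOTE"
}

# Usage: ssh_via_proxy            # prints the command
#        TUN_EXEC=1 ssh_via_proxy # prints and runs it
```

The printed form of step 5 is what the local network sees as a single HTTPS-looking CONNECT through the proxy; everything else (SOCKS, forwarded ports) rides inside it.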
DNS TUNNELING AND OTHER EXFILTRATION METHODS
Domain Name System (DNS) tunneling is another way to exfiltrate data or establish a covert channel. Tools such as Iodine take advantage of DNS being almost never blocked: the client encodes data into the subdomain labels of queries for a domain whose authoritative name server the attacker controls, the local resolver dutifully forwards them there, and the reply carries data back. Other methods, such as embedding data in ICMP (ping) packets, show how wide the range of channels for moving data out of a network is.
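How the encoding step of a DNS tunnel works, as an added example that is not Iodine's code: bytes are base32-encoded (the alphabet is valid in hostnames), split into labels of at most 63 characters, and grouped into query names that stay under the 253-character limit; the receiving side strips the tunnel domain and decodes. Only the upstream direction is shown, and the sequence numbers, sessions and reply channel a real tool adds are left out. The tunnel domain t.example.com is assumed to be one whose authoritative server the attacker controls; GNU coreutils (base32, fold, paste) is assumed.

```shell
#!/bin/sh
# Added example (not Iodine's code): turning bytes into DNS query names and
# back. Upstream direction only; no sequencing or session handling.
# Assumes GNU coreutils (base32, fold, paste).

# Encode stdin as query names for tunnel domain $1, one per line.
# Padding '=' is dropped (restored on decode). Each name carries 189 payload
# characters as three 63-character labels, so names stay under 253 characters
# for any tunnel domain up to 61 characters long.
dns_encode() {
    dom=$1
    base32 | tr -d '=\n' | tr 'A-Z' 'a-z' | fold -w 189 |
    while IFS= read -r chunk || [ -n "$chunk" ]; do   # also catch a final unterminated line
        [ -n "$chunk" ] || continue
        labels=$(printf '%s\n' "$chunk" | fold -w 63 | paste -s -d . -)
        printf '%s.%s\n' "$labels" "$dom"
    done
}

# Decode query names (stdin, one per line, in order) for tunnel domain $1
# back to the original bytes on stdout.
dns_decode() {
    dom=$1
    enc=$(
        while IFS= read -r name || [ -n "$name" ]; do
            name=${name%.}          # drop a trailing root dot if present
            printf '%s' "${name%.$dom}" | tr -d '.'
        done | tr 'a-z' 'A-Z'
    )
    pad=$(( (8 - ${#enc} % 8) % 8 ))        # base32 needs padding to a multiple of 8
    while [ "$pad" -gt 0 ]; do enc="$enc="; pad=$((pad - 1)); done
    printf '%s' "$enc" | base32 -d
}

# Usage: printf 'secret' | dns_encode t.example.com | dns_decode t.example.com
```

Running the encoder over anything longer than about 118 bytes produces several query names per message; the long, random-looking leftmost labels and the volume of queries for one zone are exactly what the detection section below keys on.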
SIGNIFICANT RISKS AND DETECTION VULNERABILITIES
Despite the ingenuity of these techniques, bypassing network security without authorization is illegal and carries significant risk. Corporate and other restricted environments often run sophisticated monitoring. Long-lived connections, which tunnels produce, stand out immediately and can trigger alarms. Endpoint monitoring and intrusion detection systems are designed to catch unusual traffic patterns and unauthorized software installations, such as sshuttle.
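Two of the cheap detections the paragraph above alludes to, as an added example (not from the video): one flags TCP sessions that stay up for hours, the other flags clients that send many queries for one zone with long leftmost labels. The log lines are constructed for this example, with simplified space-separated fields in the style of a connection log and a DNS log; the thresholds are assumptions to be tuned per network.

```shell
#!/bin/sh
# Added example (not from the video): two heuristics an administrator can run
# over connection and DNS logs to spot the tunnels described above.
# Log lines below are constructed for this example.

conn_log() {   # fields: ts src dst dport duration_seconds bytes_out
cat <<'EOF'
1700000000 10.0.0.5 203.0.113.10 443 12 8400
1700000010 10.0.0.5 203.0.113.11 443 7 2100
1700000020 10.0.0.7 198.51.100.9 443 14900 98000000
1700000030 10.0.0.8 203.0.113.12 80 3 900
1700000040 10.0.0.7 198.51.100.9 443 5200 4100000
EOF
}

dns_log() {    # fields: ts src query_name
cat <<'EOF'
1700000000 10.0.0.5 www.example.org
1700000001 10.0.0.5 cdn.example.org
1700000002 10.0.0.9 nbswy3dpeb3w64tmmqge.t.example.com
1700000003 10.0.0.9 ojrgc5bsmvxgiytfmfxgnbswy3dpeb.t.example.com
1700000004 10.0.0.9 3w64tmmqgeojrgc5bsmvxgiytfmfxgnbswy3dpeb.t.example.com
1700000005 10.0.0.9 xgiytfmfxg3w64tmmqgeojrgc5bsmv.t.example.com
1700000006 10.0.0.5 mail.example.org
EOF
}

# Heuristic 1: an SSH or SOCKS tunnel is one TCP session that stays up for
# hours. Aggregate sessions longer than $1 seconds per (src, dst:port) and
# print "src dst:port sessions total_seconds".
long_lived() {
    awk -v t="$1" '
        $5 > t { k = $2 " " $3 ":" $4; n[k]++; d[k] += $5 }
        END { for (k in n) print k, n[k], d[k] }'
}

# Heuristic 2: a DNS tunnel produces many queries per client for one zone,
# each with a long leftmost label (length is used here as a cheap stand-in
# for entropy). Flag (src, zone) pairs with at least $1 queries whose mean
# leftmost-label length is at least $2.
dns_tunnel_suspects() {
    awk -v minq="$1" -v minlen="$2" '
        {
            n = split($3, l, ".")
            if (n < 3) next                 # no subdomain label to measure
            zone = l[n-1] "." l[n]          # crude registered-domain guess
            k = $2 " " zone
            q[k]++; len[k] += length(l[1])
        }
        END {
            for (k in q)
                if (q[k] >= minq && len[k] / q[k] >= minlen)
                    printf "%s queries=%d avg_label=%.1f\n", k, q[k], len[k] / q[k]
        }'
}

# Usage:
#   conn_log | long_lived 3600          -> 10.0.0.7 198.51.100.9:443 2 20100
#   dns_log  | dns_tunnel_suspects 3 20 -> 10.0.0.9 example.com queries=4 avg_label=30.0
```

Neither rule is proof on its own (a long-lived connection may be a legitimate VPN, and CDNs use long hostnames), which is why both are written to produce a short list for a human to check rather than an automatic block.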
THE PROBABILITY OF DETECTION
Security professionals emphasize that while one might occasionally evade detection, the probability of remaining undetected over time is extremely low. The analogy of needing to be lucky every time versus an administrator only needing to be lucky once to catch an intruder highlights this disparity. Security measures are constantly evolving, and persistent attempts to bypass them are likely to be discovered, leading to severe consequences.
Common Questions
You can bypass network restrictions with techniques like SSH tunneling: you make an encrypted connection to a server outside the restricted network, which forwards your traffic for you, so to the local network everything looks like one legitimate SSH session.
Mentioned in this video
●netcat: A versatile networking utility used for reading from and writing to network connections using TCP or UDP. It is described as a generic way to listen on ports, test connections, and facilitate tunneling.
●A firewall command-line tool for Linux systems, used to demonstrate blocking specific ports and IP addresses.
●A target machine used in the demonstration with a test web page, serving as the endpoint for network access attempts.
●A remote server used throughout the demonstration as an intermediary or target for SSH connections and tunneling.