Quite easy. The HTTP Proxy spec allows for a "CONNECT" method to support secure HTTPS proxying. This essentially allows a client browser to say to the proxy, "I want a TCP connection to X host, Y port, and if I must, this is my authentication". The proxy responds with "200 OK", or not, depending on auth, etc., and establishes the TCP connection to the desired host. It then gets out of the way, and forwards bytes received to the other party. In this way, an SSL session can be proxied without the proxy being a weak link (having to decrypt and re-encrypt), as the browser negotiates the SSL connection with the actual server, not with the proxy.

There is nothing fundamentally preventing ANY other application from using the same proxy to connect to a port of its choice, and tunnelling any arbitrary protocol over that TCP connection, after the CONNECT request has successfully completed. That is, other than the proxy's access control lists (authorised ports, authorised hosts, authorised users, etc.).

So if I were to run an SSH daemon on port 443 on a host that the proxy would let me connect to, I could use corkscrew to request a connection to that server, and then handshake an SSH session over that "negotiated" TCP connection. If the proxy would let me connect to port 22, I would not have to run the daemon on port 443, obviously. Most proxies (squid for example) DO have restrictions as to the permitted ports for a CONNECT method, I think https and snews, or some such.

OpenSSH would just use corkscrew as a means of establishing a TCP connection instead of doing its own TCP connect call, and once established, would simply start negotiations. OpenSSH can apparently even operate over a direct serial connection if you have sshd listening in "inetd mode" instead of a getty, and use some "corkscrew equivalent" code to perform the serial part of the connection.
Rogan

-----Original Message-----
From: Marco de Vivo [UCV] [mailto:mdevivoat_private]
Sent: 28 September 2001 01:59
To: pen-testat_private
Subject: CORKSCREW 2.0

Hi,

Can somebody address me to where to find some CORKSCREW (tunneling ssh via HTTP proxies) documentation? If there isn't any, can at least somebody explain to me the basic architecture of this tool? I mean an overall explanation of the way it works.

TIA
Marco de Vivo

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
----------------------------------------------------------------------------
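To make the exchange Rogan describes concrete, here is an added example (not corkscrew's code and not from either list post) that models both sides of the CONNECT handshake in plain Python, without sockets: the client builds the request a corkscrew-style helper would send (with optional Proxy-Authorization), and the proxy side parses it and applies the access control the reply mentions, i.e. the authorised-port list and optional user authentication. The port allowlist, realm and credentials are constructed for the example; squid's own defaults are not reproduced here. The point for a defender is visible in `proxy_decide`: the only thing standing between "HTTPS proxying" and "arbitrary TCP tunnel" is that ACL check, so a CONNECT to port 22 is refused while a CONNECT to 443 is relayed whatever protocol follows.

```python
"""Model of the HTTP CONNECT exchange with a proxy-side port/auth ACL (added example)."""
import base64
import re
from typing import Dict, Optional, Tuple

# Ports this model proxy lets CONNECT through. Constructed allowlist in the spirit of
# squid's "https and snews" restriction; not squid's actual shipped configuration.
ALLOWED_CONNECT_PORTS = {443, 563}

_REQ_LINE = re.compile(rb"^CONNECT ([^\s:]+):(\d{1,5}) HTTP/1\.[01]\r\n")


def build_connect_request(host: str, port: int,
                          user: Optional[str] = None,
                          password: Optional[str] = None) -> bytes:
    """Client side: the request a corkscrew-style tunnel helper sends to the proxy."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if user is not None:
        creds = base64.b64encode(f"{user}:{password or ''}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {creds}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_headers(request: bytes) -> Dict[str, str]:
    """Return the header block as a lower-cased name -> value map."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers


def proxy_decide(request: bytes,
                 allowed_ports=ALLOWED_CONNECT_PORTS,
                 require_auth: bool = False,
                 valid_creds: Optional[Dict[str, str]] = None) -> Tuple[int, bytes]:
    """Proxy side: parse the CONNECT request, apply the ACL, return (status, response).

    Only a 200 means the proxy will now relay raw bytes between client and target."""
    m = _REQ_LINE.match(request)
    if not m:
        return 400, b"HTTP/1.1 400 Bad Request\r\n\r\n"
    port = int(m.group(2))
    headers = parse_headers(request)

    if require_auth:
        challenge = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                     b"Proxy-Authenticate: Basic realm=\"example-proxy\"\r\n\r\n")
        auth = headers.get("proxy-authorization", "")
        if not auth.startswith("Basic "):
            return 407, challenge
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return 407, challenge
        if (valid_creds or {}).get(user) != pw:
            return 407, challenge

    # The port ACL is the control point: without it any TCP protocol can be tunnelled.
    if port not in allowed_ports:
        return 403, b"HTTP/1.1 403 Forbidden\r\n\r\n"
    return 200, b"HTTP/1.1 200 Connection established\r\n\r\n"


def client_tunnel_ready(response: bytes) -> bool:
    """Client side: any 2xx status line means the tunnel is up and SSH may start."""
    parts = response.split(b"\r\n", 1)[0].split(b" ")
    return len(parts) >= 2 and parts[0].startswith(b"HTTP/1.") and parts[1].startswith(b"2")


if __name__ == "__main__":
    creds = {"alice": "s3cret"}  # constructed credentials for the demo
    for port in (443, 22):
        req = build_connect_request("example.test", port, "alice", "s3cret")
        status, resp = proxy_decide(req, require_auth=True, valid_creds=creds)
        print(port, status, "tunnel ready" if client_tunnel_ready(resp) else "refused")
```

Run as a script it prints that port 443 is relayed and port 22 is refused with the same credentials; the functions are plain enough to be reused as a reference when checking what a real proxy's log shows for CONNECT requests to unexpected ports.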
This archive was generated by hypermail 2b30 : Fri Sep 28 2001 - 10:25:13 PDT