Gateway Cryptography

1
Gateway Cryptography

• Hacking Impossible Tunnels Through Improbable
  Networks with OpenSSH et al.
• Originally By Dan Kaminsky, CISSP
• http//www.doxpara.com
• Shamelessly mangled, retargeted, and reissued by
  Titus Winters

2
Summary

• This is not how to crack SSH. This is SSH on
  crack.
• 1) How to get there from here
• 2) What to do once you get there
• 3) Making getting there easier

3
The Basics

• Bringing people up to speed
• This is not another talk about the wonders of a
  simple local port forward
• What OpenSSH does
• Forwards a shell (w/ transparent X support)
• Forwards a single command (with full stdio)
• Forwards a single TCP port

4
SSH under Windows

• 1) Install Cygwin from www.cygwin.com
• 2) Create a shortcut to rxvt
• C\cygwin\bin\rxvt.exe -rv -sl 20000 -fn
  Courier-12" -e /usr/bin/bash
• bash doesnt work under whistler yet, so use zsh
  if you want to retain your tab-completion sanity
• 3) Finally enjoy a usable Unix environment under
  Win32
• Everything in this talk is cross platform, as
  long as youve made Windows cross to another
  platform
• (Still some other things you can do, more on this
  later.)

5
Forwarding Shells

• ssh user_at_host
• Encryption 3DES/Blowfish/AES
• Authentication Password, RSA/DSA
• Key Generation
• ssh2 ssh-keygen t dsa
• Key Authorization
• ssh2 cat /.ssh/id_dsa.pub ssh user_at_host
  umask 0600 mkdir .ssh cat gtgt authorized_keys2
• SSH 1 / 2 Separate auth so remember ssh -1 and
  ssh -2

6
Forwarding Commands

• ssh user_at_host lsssh t user_at_host top
• Fully 8 bit clean for most commands, supports
  (unclean) TTYs for anything that wants to redraw
  screen (like top) using t
• Full STDIO(stdin/stdout/stderr) support
• Allows pipelines across multiple systems

7
Command ForwardingCD Burning Over SSH

• mkisofs reads in files and spits out a burnable
  image
• cdrecord burns the image.
• Normal CD Burningmkisofs JR files cdrecord
  dev,, speed -
• Remote CD Burningmkisofs JR files ssh
  user_at_host cdrecord dev,, speed -
• Remote CD Burning From Windows mkisofs.exe JR
  files ssh.exe user_at_host cdrecord dev,,
  speed -

8
Command ForwardingFile Transfer w/o SCP

• GETalicehost ssh alice_at_bobhost cat file gt
  file PUTfalicehost cat file gt ssh
  alice_at_bobhost cat gt file LISTalicehost ssh
  alice_at_bobhost ls MGETalicehost ssh
  alice_at_bobhost tar -cf - /etc tar -xf
  RESUME GETalicehost ssh alice_at_bobhost tail c
  231244 file gtgt file

9
Forwarding Ports

• ssh user_at_host -L8000127.0.0.180ssh user_at_host
  -R80127.0.0.18000
• Separates into listener vs. location
• If local listens, the destination is relative to
  the remote location
• If remote listens, the destination is relative to
  the local location

10
Limitations on Port Forwards

• By default, only the systems directly hosting the
  listener can connect to it
• Local forwards can be made public using the g
  option, but remote gateway ports must be
  enabled using GatewayPorts Yes
• Destination locations are unrestricted

11
Accessing a Port Forward

• Application Layer
• Connect Directly to 127.0.0.1 or localhost
• Operating System Layer (systemspace)
• Pre-empt DNS lookup in hosts file
• Unix /etc/hosts
• Win95 \windows\hosts
• WinNT \WINNT\system32\drivers\etc\hosts
• All forwards must be preannounced, and share the
  same IP (127.0.0.1)

12
ProblemStatic Forwards Are Inflexible

• Work decently only when
• Each port is only used once
• Passes
• Mail(smtp, pop3, imap)
• Simple Web(HTTP)
• Fails
• Web Surfing Multiple Sites (HTTP)
• P2P File Transfer(Napster, Gnutella),
• Ports are predictable in advance
• Fails miserably
• FTP, both Active and Passive

13
SolutionDynamic Forwarding w/ SOCKS

• ssh user_at_host -D1080
• SOCKS4/5 An in-band protocol header, nothing
  more, that allows the client to very quickly tell
  a proxy server where its actual destination was
• SOCKS4 is extraordinarily simple
• 9 bytes from Client, 8 byte response, and the
  client has informed the proxy where it actually
  wants to go!
• Library Preloads are excessive
• The idea Run a trivial SOCKS daemon in the ssh
  client use it to redirect the destination of
  each channel.

14
Dynamic ForwardingApplication Support

• Most major Windows applications support SOCKS
  proxies directly
• Internet Explorer, CuteFTP, IM Clients, P2P
  Clients(Napster, Gnutella)
• Dialpad (Voice over IP to a telephone for free
  over SSH!)
• SocksCap32 can be used to Socksify remaining
  apps on Windows
• Outlook Express, LeechFTP, Media Player, etc.
• Unix applications can be reasonably socksified too

15
ProxyCommandBlind Proxying w/ SSH

• ssh -o 'ProxyCommand arbitrary_tool proxy u h
  p' user_at_10.1.0.1
• A ProxyCommand is an arbitrary tool that, after
  it finishes executing, leads to an 8 bit clean
  path to an SSH daemon
• OpenSSH's excuse for SOCKS support -)
• Allows end-to-end crypto through any 8bit clean
  link
• Like SSL over HTTP Connect

16
No Internet Accessible Bastion Proxy Now What?

• proxy ssh user_at_client -R2022127.0.0.122client
  ssh user_at_127.0.0.1 -o "HostKeyAlias proxy"
  -L8000www-internal80
• Turns inability to trust into irrelevancy of
  trust
• Negative You cant trust the addresses of x,
  y, or z!
• Positive It doesnt matter if you think youre
  talking to the addresses of x, y, or z.
• MUST CHECK HOSTKEY itll work even if you dont

17
Cross-Connecting Mutually Firewalled Hosts

• server ssh proxyuser_at_proxy -R10022127.0.0
  .122client ssh -o 'ProxyCommand ssh
  proxyuser2_at_proxy nc 127.0.0.1 10022'
  user_at_server or in my syntaxclient ssh
  proxyuser2_at_proxy/10022 user_at_server
• Again, as long as IP addresses cannot be trusted,
  it doesnt matter that youre talking to the
  proxy and connecting through one of its ports.

18
Expanding Escape Syntax

• noname ?Supported escape sequences. -
  terminate connectionR - Request rekey (SSH
  protocol 2 only)Z - suspend ssh - list
  forwarded connections - background ssh (when
  waiting for connections to terminate)? - this
  message - send the escape character by typing
  it twice(Note that escapes are only recognized
  immediately after newline.)
• Eventual goal Port both ssh_config syntax and
  ssh command line syntax to the escape character
  mode
• Allow on-demand things like activation of X
  forwarding

19
((Secure SUThe Battle Against Direct Root

• Most security gurus will decry direct root
  login
• Holdover from the battle against admins doing
  everything as root
• SU is a painless enough context switch
• If it hurts to switch, people will just do it all
  as root
• Advantages to being forced to switch accounts
• Inertia
• Emotion significance of the action is
  emphasized
• Accounting logs show who used root
• Even though it essentially reduces the security
  of the root account to the security of the Alice
  account, even OpenBSD (2.7, at least) still
  exhorts users not to ssh directly to root, and
  instead to use SU.

20
Secure SUThe Near-Perfect Compromise

• alicehost ssh alice_at_bobhost -t su l
  rootSSHD creates a secure execution environment
  when commands are explicitly specified
• Shell configuration files not loaded
• su, as a setuid app, cant generally be traced by
  ordinary users
• User logs in as normal, is safely prompted for
  the root password, gets a root shell without
  having to slum in through insecure space

21
Secure SUDeveloping Individuated Root

• Individual Public Keys For Root Access
• Nobody learns root password
• authorized_keys contains list of identities
  allowed to connect as root to the system
• SSHD modified to log who connected to root
• Scales to multiple security-critical accounts
• Root can modify its own authorized_keys, but
  other accounts could have root owned, root
  readable authorized_keys files.
• Individual Root Accounts
• Multiple accounts all set to same UID, but with
  different passwords
• Alice_Root, Bob_Root, etc.
• Really only works for root

22
Stranded?

• mindterm Java applet with full port forwarding
  / proxying capabilities.
• Google for mindterm, find an available
  installation of the applet.
• If youve got web and outgoing SSH, youve got
  access to the world.

23
Conclusion

• ssh is powerful
• ssh is flexible
• ssh is fun.
• any questions? any requests?