SSH over SSL

This was written mostly for fun, I had the idea to be able to slip out of any network with SSH. The approach most people usually use is to run SSH server on port 443 (HTTPS) which kind of works, but only until somebody doesn't actually check what is listening there. The other quite easy way to stop SSH from connecting outside is to check inside the packets for clear string from the server, usually you get something like that:


and there is a similar banner from the client side.

They both stand out quite a bit and are easy to spot and/or kill, example:

ngrep -K 3 '-OpenSSH_' port not 22

or snort with flexresp can do this also in a very nice and efficient way

My idea was to first hide the SSH server and then hide the communication. This is not perfect of course any one curious enough looking at the pcaps will spot something fishy, but probably this will fly pass 99% of people - any one doing real traffic analysis ? ;)

The server (sammael) acts similar to stunnel (of course sammael does much less) - it is able to terminate SSL connections and then send unencrypted traffic to a different service. When a special pass phrase is in the first packet after SSL handshake it connects to local SSH server instead of the default which is HTTP. When you point your browser to the host on which sammael is running you will see a normal HTTPS webpage.

The client (nisroc) does most of the work, it connects (can pass through HTTP proxy, and is able to use basic authentication) to the host and port on which sammael is running using SSL, checks digest of the cert to prevent MITM and if everything is correct sends the pass phrase and verifies that the connection to the SSH server was established.

Both server and client have TCP_CORK set on the sockets, so there is a bit less packet exchange between the hosts.

No comments:

Post a Comment