digip, posted February 27, 2007:
OK. I have OpenSSH installed, and I set up and configured everything for the service, as well as the programs I wanted to use with it. I have it working with my web browser, but one thing I noticed is that the browser connects to the internet using SOCKS 127.0.0.1:7070 as the proxy or secure tunnel. All the page data is encrypted, but I can see with Wireshark that it will still get the login and password when doing any HTTP POSTs to a website, as well as see all cookie data. Is there a way to make all traffic encrypted using OpenSSH tunnelling, or should I go with something else?
Sparda, posted February 27, 2007:
It is all encrypted until it leaves the tunneling server.
cooper, posted February 27, 2007:
Are you sure you're asking Wireshark to grab the data actually sent across the wire, as opposed to the local traffic between your browser and the proxy? All data should be getting the encryption treatment.
digip (author), posted February 27, 2007:
Another thing I noticed is that it totally bypassed my firewall (software). I see local traffic on 127.0.0.1 port 22 in the firewall logs, but it is not picking up any sites I visit in the log (which isn't a bad thing, but how do I know the firewall is protecting my browser and PC?). My firewall software will filter ads and popups, but when using this method, the popups and ads get through. I even set the firewall to connect through the proxy, and they still seem to be getting in (possibly due to returned SSH data; it doesn't see what it normally looks for?). I would think that the request made from my end would show as garbled data like most of the captured packets in Wireshark, but some of the things I am seeing are my passwords in plain text. Let me look into this:
> Are you sure you're asking Wireshark to grab the data actually sent across the wire, as opposed to the local traffic between your browser and the proxy?
and I will get back to you guys. It may be I just have something not set properly, but Wireshark says it's the connection from me (my internet IP) and the site's IP address. I see nothing going to 127.0.0.1 in Wireshark (which is what I thought would be there if it was passing the data locally).
digip (author), posted February 27, 2007:
Well, I am at a loss. I can still see most of the traffic that I want to filter out, and my firewall does not seem to see the SSH and is bypassing it. All data captured with Wireshark is secure and encrypted except HTTP POST and GET methods, as well as email traffic and passwords (except when selecting SSL in the email program pointed to the server I am connecting to that supports secure connections). Also, I can see any CSS, XML and JavaScript in the packets. Just the basic text of the pages seems to be encrypted. Here is my setup, so maybe I am not doing the setup correctly.
- Installed OpenSSH v3.8.1p1-1
- Added my user groups and passwd files
- Started the service
- Telnet into shell with PuTTY. PuTTY setup:
  - Host Name 127.0.0.1, port 22
  - Connection/SSH/Tunnels: Source Port 7070 (Dynamic), Destination left blank
- Set up browser proxy pointed to 127.0.0.1:7070 using SOCKS, not HTTP or others...
So, what are your settings or setup for SSH, and what should I change or look into?
EDIT: Forgot to add that I am using Wireshark 0.99.4 (SVN Rev 19757) with WinPcap 4.0beta2.
digip (author), posted February 28, 2007:
Here is a packet captured for the forum login. I have omitted important info, but the userid and password were found using a man-in-the-middle attack. I am not sure if it's because I am using VMware to capture the one machine, but I can see about 50% of the data flow unencrypted:

POST /forums/login.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.hak5.org/forums/login.php?sid=x...xxxxxxxxxxxxxxx
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.hak5.org
Content-Length: 60
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: phpbb2mysql_sid=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

username=digip&password=xxxxxx&redirect=&login=Log+in

HTTP/1.1 302
Date: Wed, 28 Feb 2007 03:00:32 GMT
Server: Apache/2.0.54 (Unix) PHP/4.4.4 mod_ssl/2.0.54 OpenSSL/0.9.7e mod_fastcgi/2.4.2 DAV/2 SVN/1.3.2
X-Powered-By: PHP/5.2.1
Set-Cookie: expires=Thu, 28-Feb-2008 03:00:32 GMT; path=/
Set-Cookie: phpbb2mysql_sid=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; path=/
Location: http://www.hak5.org/forums/index.php?sid=x...xxxxxxxxxxxxxxx
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Keep-Alive: timeout=15, max=87
Connection: Keep-Alive
Content-Type: text/html
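As an added illustration (not from this thread, Wireshark or any other tool named in it), a small Python detector that parses a captured request of the shape shown above and reports which form fields and cookies crossed the wire in the clear; the sample request, its host and its values are constructed, and the credential field names it looks for are an assumed list.

```python
"""Flag cleartext credential submissions in a captured HTTP request.

Illustrative detector written for this thread; not a Hak5 or Wireshark tool.
The sample below is constructed to mirror the capture's shape (redacted values).
"""
from urllib.parse import parse_qsl

# Assumed list of substrings that mark a field or cookie as sensitive.
SENSITIVE = ("pass", "pwd", "secret", "token", "session", "sid")

# Constructed sample: the request immediately followed by the start of the
# response, as happens when a whole TCP stream is dumped as one payload.
SAMPLE = (
    "POST /forums/login.php HTTP/1.1\r\n"
    "Host: www.example.org\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 54\r\n"
    "Cookie: phpbb2mysql_sid=deadbeef00\r\n"
    "\r\n"
    "username=digip&password=hunter2&redirect=&login=Log+in"
    "HTTP/1.1 302 Found\r\n"
)


def parse_request(raw: str):
    """Split a raw request into (request line, header dict, body)."""
    head, _, rest = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    body = rest[:length]  # honour Content-Length so the response that follows is ignored
    return request_line, headers, body


def exposed_fields(raw: str):
    """Return (where, name) pairs for sensitive data sent in cleartext."""
    request_line, headers, body = parse_request(raw)
    findings = []
    ctype = headers.get("content-type", "")
    if request_line.startswith("POST") and ctype.startswith("application/x-www-form-urlencoded"):
        for name, _ in parse_qsl(body, keep_blank_values=True):
            if any(s in name.lower() for s in SENSITIVE):
                findings.append(("form", name))
    for part in headers.get("cookie", "").split(";"):
        name = part.partition("=")[0].strip()
        if name and any(s in name.lower() for s in SENSITIVE):
            findings.append(("cookie", name))
    return findings
```

Run against a capture from the real interface (not the loopback side of the SOCKS proxy), any finding means the tunnel is not covering that hop.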
SomeoneE1se, posted February 28, 2007:
.....what? You're...... what??? The information is.... Never mind, let's start from the beginning: why are you using SSH?
digip (author), posted February 28, 2007:
> .....why are you using SSH?
Several reasons. To encrypt my internet traffic as well as bypass content filtering. I also wanted a secure way to log in remotely to my home box using VNC while on the road without setting up a VPN. A VPN does not give me control of the PC, only shared access to specific shared folders. Also, I could use PC Anywhere, but why pay for them when you have OpenSSH and PuTTY to do basically the same when adding VNC?
SomeoneE1se, posted February 28, 2007:
A VPN would work better if you want to encrypt all the traffic, because you can't set it up so that ALL your traffic has to go over the VPN connection, and you can use VNC with a VPN connection... but all a VPN connection or even an SSH connection does is encrypt it from your computer to your remote computer; once it leaves the remote computer it's no longer encrypted. The idea of using a VPN or SSH was for if you were using unsecured wireless networks at, like, Starbucks; that's the only thing you really should be worried about.