RE: CORKSCREW 2.0

From: Dawes, Rogan (ZA - Johannesburg) (rdawes@deloitte.co.za)
Date: 09/28/01


Message-ID: <98A3855A9087D411952F00508B61BD400268C6B0@ZAJNBNT006>
From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes@deloitte.co.za>
To: "'Marco de Vivo [UCV]'" <mdevivo@reacciun.ve>
Subject: RE: CORKSCREW 2.0
Date: Fri, 28 Sep 2001 18:32:30 +0200

Quite easy.

The HTTP Proxy spec allows for a "CONNECT" method to support secure HTTPS
proxying.

This essentially allows a client browser to say to the proxy, "I want a TCP
connection to X host, y port, and if I must, this is my authentication".

The proxy responds with "200 OK", or not, depending on auth, etc, and
establishes the TCP connection to the desired host. It then gets out of the
way, and forwards bytes received to the other party. In this way, an SSL
session can be proxied, without the proxy being a weak link (having to
decrypt and reencrypt), as the browser negotiates the SSL connection with
the actual server, not with the proxy.

There is nothing fundamentally preventing ANY other application from using
the same proxy to connect to a port of its choice, and tunnelling any
arbitrary protocol over that TCP connection, after the CONNECT request has
successfully completed. That is, other than the proxy's access control lists
(authorised ports, authorised hosts, authorised users, etc).

So if I were to run an SSH daemon on port 443 on a host that the proxy would
let me connect to, I could use corkscrew to request a connection to that
server, and then handshake an SSH session over that "negotiated" TCP
connection. If the proxy would let me connect to port 22, I would not have
to run the daemon on port 443, obviously. Most proxies (squid for example)
DO have restrictions as to the permitted ports for a CONNECT method, I think
https and snews, or some such.

OpenSSH would just use corkscrew as a means of establishing a TCP connection
instead of doing its own TCP connect call, and once established, would
simply start negotiations. OpenSSH can apparently even operate over a direct
serial connection if you have sshd listening in "inetd mode" instead of a
getty, and use some "corkscrew equivalent" code to perform the serial part
of the connection.

Rogan
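
The CONNECT exchange and the port ACL described above, as an added example that is not part of this thread or of corkscrew itself: the client side builds the request and checks for the "200", the proxy side is reduced to the port check. The permitted ports (443 and 563), the proxy and host names and the credentials are all assumed placeholders, not values from the mail.

```python
import base64
import socket
from typing import Optional, Tuple

# Assumption: the proxy only serves CONNECT to the HTTPS and snews ports,
# the kind of restriction Rogan attributes to squid. Constructed, not squid's config.
ALLOWED_CONNECT_PORTS = {443, 563}


def proxy_permits(port: int, allowed=ALLOWED_CONNECT_PORTS) -> bool:
    """Proxy-side view: the ACL that decides whether a CONNECT to this port is served."""
    return port in allowed


def build_connect_request(host: str, port: int,
                          user: Optional[str] = None, password: str = "") -> bytes:
    """Build the CONNECT request: 'I want a TCP connection to host:port, here is my auth'."""
    lines = [f"CONNECT {host}:{port} HTTP/1.0", f"Host: {host}:{port}"]
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_connect_response(raw: bytes) -> Tuple[int, bytes]:
    """Split the proxy's reply into (status code, bytes after the blank line).

    Anything after the header already belongs to the tunnelled protocol
    (an SSH server speaks first, so its banner may arrive in the same read)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy response header")
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), rest


def open_tunnel(proxy_host: str, proxy_port: int, host: str, port: int,
                user: Optional[str] = None, password: str = "", timeout: float = 10.0):
    """Do what corkscrew does for OpenSSH: hand back a socket whose bytes go to host:port."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    sock.sendall(build_connect_request(host, port, user, password))
    buf = b""
    while b"\r\n\r\n" not in buf:          # read until the proxy's header is complete
        chunk = sock.recv(4096)
        if not chunk:
            sock.close()
            raise ConnectionError("proxy closed the connection before replying")
        buf += chunk
    status, leftover = parse_connect_response(buf)
    if status != 200:                       # auth failure or ACL denial: no tunnel
        sock.close()
        raise ConnectionError(f"proxy refused CONNECT with status {status}")
    return sock, leftover                   # caller starts the SSH handshake on sock
```

Once `open_tunnel` returns, the proxy is out of the way and the caller negotiates SSH (or TLS) end to end; the proxy never sees plaintext, which is also why it can only enforce policy on host, port and user, not on the protocol inside.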

-----Original Message-----
From: Marco de Vivo [UCV] [mailto:mdevivo@reacciun.ve]
Sent: 28 September 2001 01:59
To: pen-test@securityfocus.com
Subject: CORKSCREW 2.0

Hi,

Can somebody point me to where I can find some CORKSCREW (tunneling ssh via
HTTP proxies) documentation? If there isn't any, can at least somebody
explain to me the basic architecture of this tool? I mean an overall
explanation of the way it works.

TIA

Marco de Vivo

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
