Fancy SSH Tunneling for a Highly Restrictive Environment
For my penetration testing work, I frequently leave a Mac Mini hooked up to a client site so that I can remote into it to run any scans or manual validation while not on site. Very often, I will ship one pre-configured to the client without going on-site. This minimizes travel expenses for the clients and minimizes airport time for me. Somewhat recently, I had a client who was strongly opposed to making any temporary firewall changes for me to SSH into the Mac Mini. They also informed me that due to their highly restrictive firewall rules, I wouldn't be able to create an outgoing SSH tunnel, either.
First is a shell script that uses the SSH control socket features (ControlMaster, intended for connection sharing) to determine whether the connection is already up and, if not, restart it. I run this script every 5 minutes out of cron. The same connection also carries a reverse tunnel to port 22 on the Mac Mini, so that from the destination box I can SSH back into it.
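An added illustration of such a watchdog, written for this page and not the author's own gist: it asks the control master whether it is alive with `ssh -O check`, and if not starts a new master that carries the reverse forward. The jump host `tunnel@home.example.com`, the socket path, the listening port 2222 and the `run` argument are assumptions, not values from the original post.

```shell
#!/bin/sh
# tunnel-watchdog.sh: keep a reverse SSH tunnel alive from a cron job.
# Added illustration; host, user, socket path and port 2222 are assumed
# placeholders, not the original author's values.

CTL="${TUNNEL_CTL:-${HOME:-/tmp}/.ssh/ctl-tunnel}"   # control socket path
REMOTE="${TUNNEL_REMOTE:-tunnel@home.example.com}"   # assumed jump host
REMOTE_PORT="${TUNNEL_REMOTE_PORT:-2222}"            # port opened on the jump host
SSH_BIN="${SSH_BIN:-ssh}"                            # overridable for testing

# Ask the running control master whether it is still alive (exit status only).
tunnel_is_up() {
    "$SSH_BIN" -S "$CTL" -O check "$REMOTE" >/dev/null 2>&1
}

# Start a fresh master in the background carrying the reverse forward.
# ExitOnForwardFailure makes ssh exit non-zero (so the next cron run retries)
# when the remote port is still held by a half-dead earlier session.
tunnel_start() {
    rm -f "$CTL"   # a stale socket file makes ssh refuse to create a new master
    "$SSH_BIN" -f -N -M -S "$CTL" \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 \
        -o ServerAliveCountMax=3 \
        -o ConnectTimeout=20 \
        -o BatchMode=yes \
        -R "127.0.0.1:${REMOTE_PORT}:localhost:22" \
        "$REMOTE"
}

# One watchdog pass: prints "up", "started" or "failed"; non-zero only on failure.
tunnel_ensure() {
    if tunnel_is_up; then
        echo up
        return 0
    fi
    if tunnel_start; then
        echo started
        return 0
    fi
    echo failed
    return 1
}

# Cron entry (every 5 minutes):  */5 * * * * /usr/local/bin/tunnel-watchdog.sh run
if [ "${1:-}" = "run" ]; then
    tunnel_ensure
fi
```

The reverse forward binds to the jump host's loopback only, so from that box you connect back with `ssh -p 2222 localhost`; nothing else on the network can reach the Mac Mini's sshd through it. `BatchMode=yes` matters under cron: with no terminal, a password or host-key prompt would otherwise hang the job instead of failing.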
With the "highly restrictive" proxy at this client's location, outbound SSH did not work out of the box. I also tried running SSH on ports 443 and 80, which usually works, but needed something more to "hide" the connection. I made some changes to my Apache config, making it a proxy for SSH connections to two specific hosts.
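An added sketch of what such an Apache configuration can look like, using mod_proxy_connect's CONNECT method so that the client's proxy only ever sees a connection to an HTTPS port. This is my illustration, not the author's actual config: the host names, the client egress range 203.0.113.0/24 and the log paths are assumptions, and the way `<ProxyMatch>` is applied to CONNECT targets should be verified against your Apache version before relying on it.

```apache
# Added example, not the original author's configuration.
# Load the forward-proxy pieces (Debian/Ubuntu: a2enmod proxy proxy_connect).
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so

# Assumes a "Listen 443" already exists in the main configuration.
<VirtualHost *:443>
    # Assumed name.
    ServerName proxy.example.com

    # Forward proxying is off by default; turning it on is what makes Apache
    # honour CONNECT requests, so everything below exists to restrict it.
    ProxyRequests On

    # Only permit tunnels to the SSH port, never to 25, 80, 443 and so on.
    AllowCONNECT 22

    # Deny every proxied request by default...
    <Proxy "*">
        Require all denied
    </Proxy>

    # ...except CONNECT to the two SSH endpoints, and only from the client's
    # egress range (assumed). Authorization from this later, more specific
    # section replaces the blanket denial above.
    <ProxyMatch "^(ssh1|ssh2)\.example\.com:22$">
        Require ip 203.0.113.0/24
    </ProxyMatch>

    # Separate logs so tunnel use is auditable on its own.
    ErrorLog logs/ssh-proxy-error.log
    CustomLog logs/ssh-proxy-access.log combined
</VirtualHost>
```

On the Mac Mini side the tunnel is then established with an OpenSSH `ProxyCommand` that issues the CONNECT request; proxytunnel can chain the client's own proxy (`-p`) in front of this Apache instance (`-r`) on the way to the SSH destination (`-d`), which is the two-hop shape the setup above needs. Keep this virtual host separate from anything you serve publicly: an Apache with `ProxyRequests On` and no `Require` restrictions is an open proxy.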
Fork my Gist for yourself.