8/5 It looks like my company has started blocking HTTPS tunneling.
I used to do this by tunneling SSH through the HTTP/HTTPS proxy
server, but this seems to have stopped working. Does anyone know
how the implementation of tunneling detection works, and whether
there are widely available implementations? We run a bunch of MS
stuff, so I imagine we're running an MS proxy server or something.
It seems to me that the most straightforward tunnel detection method
would be to first check if the requested site actually talks HTTPS,
and perhaps check whether the SSL cert is valid and all that,
optionally rejecting self-signed certs. Has anyone encountered the
same block at work and found a way to circumvent it? Thanks.
\_ Take a look at stunnel. Thought about using it a while back but
then the block got removed.
\_ Thanks, that might conceivably work. Will look into it...
\_ You can SSH tunnel through any open port so just find one.
\_ Amen. Try port 25.
\_ There are no open ports. I'm behind a firewall. The only way
out that I'm aware of is through the HTTP/HTTPS proxy. Telnet
used to be open, but not anymore.
\_ Use nmap or ethereal to look for open ports.
\- if dns is allowed, there is kind of a crufty way to run ssh
over dns, but really if there is a business case for this,
you should lobby for what you need. i've circumvented cafes,
hotels, WAPs etc and what you need to do depends on doing a
bunch of diagnosis to reverse engineer what is going on so
you know what your options are. and in some cases, you have
to pre-arrange to have some infomation on hand [like ip addresses]
or pre-arrage some listening servers of some kind on the outside.
those last two things shouldnt be an issue if you commute to
and from work everyday and have admin access to an external
networked box. BTW, you can do some kind of dynamic porotocol
detection to quash this kind of thing. see e.g.
http://www.icir.org/robin/papers/usenix06.pdf
\_ Yes, I've used IP over DNS before, but it's not really something
I'd want to use on a regular basis, for performance and
reliability reasons. Thanks for the suggestion, though.
\_ Maybe work at a company that doesn't block ports? Do you think
subverting your company's IT policy is a good idea?
\_ Maybe later. No, but I'm skeptical that any somewhat nerdy
person who works at a large company can get by without breaking
some IT policy or other. |