Gateway Cryptography - PowerPoint PPT Presentation

About This Presentation
Title:

Gateway Cryptography

Description:

Dialpad (Voice over IP to a telephone for free over SSH! ... authorized_keys contains list of identities allowed to connect as root to the system ... – PowerPoint PPT presentation

Number of Views:90
Avg rating:3.0/5.0
Slides: 24
Provided by: cis961
Learn more at: http://alumni.cs.ucr.edu
Category:

less

Transcript and Presenter's Notes

Title: Gateway Cryptography


1
Gateway Cryptography
  • Hacking Impossible Tunnels Through Improbable
    Networks with OpenSSH et al.
  • Originally By Dan Kaminsky, CISSP
  • http//www.doxpara.com
  • Shamelessly mangled, retargeted, and reissued by
    Titus Winters

2
Summary
  • This is not how to crack SSH. This is SSH on
    crack.
  • 1) How to get there from here
  • 2) What to do once you get there
  • 3) Making getting there easier

3
The Basics
  • Bringing people up to speed
  • This is not another talk about the wonders of a
    simple local port forward
  • What OpenSSH does
  • Forwards a shell (w/ transparent X support)
  • Forwards a single command (with full stdio)
  • Forwards a single TCP port

4
SSH under Windows
  • 1) Install Cygwin from www.cygwin.com
  • 2) Create a shortcut to rxvt
  • C\cygwin\bin\rxvt.exe -rv -sl 20000 -fn
    Courier-12" -e /usr/bin/bash
  • bash doesnt work under whistler yet, so use zsh
    if you want to retain your tab-completion sanity
  • 3) Finally enjoy a usable Unix environment under
    Win32
  • Everything in this talk is cross platform, as
    long as youve made Windows cross to another
    platform
  • (Still some other things you can do, more on this
    later.)

5
Forwarding Shells
  • ssh user_at_host
  • Encryption 3DES/Blowfish/AES
  • Authentication Password, RSA/DSA
  • Key Generation
  • ssh2 ssh-keygen t dsa
  • Key Authorization
  • ssh2 cat /.ssh/id_dsa.pub ssh user_at_host
    umask 0600 mkdir .ssh cat gtgt authorized_keys2
  • SSH 1 / 2 Separate auth so remember ssh -1 and
    ssh -2

6
Forwarding Commands
  • ssh user_at_host lsssh t user_at_host top
  • Fully 8 bit clean for most commands, supports
    (unclean) TTYs for anything that wants to redraw
    screen (like top) using t
  • Full STDIO(stdin/stdout/stderr) support
  • Allows pipelines across multiple systems

7
Command ForwardingCD Burning Over SSH
  • mkisofs reads in files and spits out a burnable
    image
  • cdrecord burns the image.
  • Normal CD Burningmkisofs JR files cdrecord
    dev,, speed -
  • Remote CD Burningmkisofs JR files ssh
    user_at_host cdrecord dev,, speed -
  • Remote CD Burning From Windows mkisofs.exe JR
    files ssh.exe user_at_host cdrecord dev,,
    speed -

8
Command ForwardingFile Transfer w/o SCP
  • GETalicehost ssh alice_at_bobhost cat file gt
    file PUTfalicehost cat file gt ssh
    alice_at_bobhost cat gt file LISTalicehost ssh
    alice_at_bobhost ls MGETalicehost ssh
    alice_at_bobhost tar -cf - /etc tar -xf
    RESUME GETalicehost ssh alice_at_bobhost tail c
    231244 file gtgt file

9
Forwarding Ports
  • ssh user_at_host -L8000127.0.0.180ssh user_at_host
    -R80127.0.0.18000
  • Separates into listener vs. location
  • If local listens, the destination is relative to
    the remote location
  • If remote listens, the destination is relative to
    the local location

10
Limitations on Port Forwards
  • By default, only the systems directly hosting the
    listener can connect to it
  • Local forwards can be made public using the g
    option, but remote gateway ports must be
    enabled using GatewayPorts Yes
  • Destination locations are unrestricted

11
Accessing a Port Forward
  • Application Layer
  • Connect Directly to 127.0.0.1 or localhost
  • Operating System Layer (systemspace)
  • Pre-empt DNS lookup in hosts file
  • Unix /etc/hosts
  • Win95 \windows\hosts
  • WinNT \WINNT\system32\drivers\etc\hosts
  • All forwards must be preannounced, and share the
    same IP (127.0.0.1)

12
ProblemStatic Forwards Are Inflexible
  • Work decently only when
  • Each port is only used once
  • Passes
  • Mail(smtp, pop3, imap)
  • Simple Web(HTTP)
  • Fails
  • Web Surfing Multiple Sites (HTTP)
  • P2P File Transfer(Napster, Gnutella),
  • Ports are predictable in advance
  • Fails miserably
  • FTP, both Active and Passive

13
SolutionDynamic Forwarding w/ SOCKS
  • ssh user_at_host -D1080
  • SOCKS4/5 An in-band protocol header, nothing
    more, that allows the client to very quickly tell
    a proxy server where its actual destination was
  • SOCKS4 is extraordinarily simple
  • 9 bytes from Client, 8 byte response, and the
    client has informed the proxy where it actually
    wants to go!
  • Library Preloads are excessive
  • The idea Run a trivial SOCKS daemon in the ssh
    client use it to redirect the destination of
    each channel.

14
Dynamic ForwardingApplication Support
  • Most major Windows applications support SOCKS
    proxies directly
  • Internet Explorer, CuteFTP, IM Clients, P2P
    Clients(Napster, Gnutella)
  • Dialpad (Voice over IP to a telephone for free
    over SSH!)
  • SocksCap32 can be used to Socksify remaining
    apps on Windows
  • Outlook Express, LeechFTP, Media Player, etc.
  • Unix applications can be reasonably socksified too

15
ProxyCommandBlind Proxying w/ SSH
  • ssh -o 'ProxyCommand arbitrary_tool proxy u h
    p' user_at_10.1.0.1
  • A ProxyCommand is an arbitrary tool that, after
    it finishes executing, leads to an 8 bit clean
    path to an SSH daemon
  • OpenSSH's excuse for SOCKS support -)
  • Allows end-to-end crypto through any 8bit clean
    link
  • Like SSL over HTTP Connect

16
No Internet Accessible Bastion Proxy Now What?
  • proxy ssh user_at_client -R2022127.0.0.122client
    ssh user_at_127.0.0.1 -o "HostKeyAlias proxy"
    -L8000www-internal80
  • Turns inability to trust into irrelevancy of
    trust
  • Negative You cant trust the addresses of x,
    y, or z!
  • Positive It doesnt matter if you think youre
    talking to the addresses of x, y, or z.
  • MUST CHECK HOSTKEY itll work even if you dont

17
Cross-Connecting Mutually Firewalled Hosts
  • server ssh proxyuser_at_proxy -R10022127.0.0
    .122client ssh -o 'ProxyCommand ssh
    proxyuser2_at_proxy nc 127.0.0.1 10022'
    user_at_server or in my syntaxclient ssh
    proxyuser2_at_proxy/10022 user_at_server
  • Again, as long as IP addresses cannot be trusted,
    it doesnt matter that youre talking to the
    proxy and connecting through one of its ports.

18
Expanding Escape Syntax
  • noname ?Supported escape sequences. -
    terminate connectionR - Request rekey (SSH
    protocol 2 only)Z - suspend ssh - list
    forwarded connections - background ssh (when
    waiting for connections to terminate)? - this
    message - send the escape character by typing
    it twice(Note that escapes are only recognized
    immediately after newline.)
  • Eventual goal Port both ssh_config syntax and
    ssh command line syntax to the escape character
    mode
  • Allow on-demand things like activation of X
    forwarding

19
((Secure SUThe Battle Against Direct Root
  • Most security gurus will decry direct root
    login
  • Holdover from the battle against admins doing
    everything as root
  • SU is a painless enough context switch
  • If it hurts to switch, people will just do it all
    as root
  • Advantages to being forced to switch accounts
  • Inertia
  • Emotion significance of the action is
    emphasized
  • Accounting logs show who used root
  • Even though it essentially reduces the security
    of the root account to the security of the Alice
    account, even OpenBSD (2.7, at least) still
    exhorts users not to ssh directly to root, and
    instead to use SU.

20
Secure SUThe Near-Perfect Compromise
  • alicehost ssh alice_at_bobhost -t su l
    rootSSHD creates a secure execution environment
    when commands are explicitly specified
  • Shell configuration files not loaded
  • su, as a setuid app, cant generally be traced by
    ordinary users
  • User logs in as normal, is safely prompted for
    the root password, gets a root shell without
    having to slum in through insecure space

21
Secure SUDeveloping Individuated Root
  • Individual Public Keys For Root Access
  • Nobody learns root password
  • authorized_keys contains list of identities
    allowed to connect as root to the system
  • SSHD modified to log who connected to root
  • Scales to multiple security-critical accounts
  • Root can modify its own authorized_keys, but
    other accounts could have root owned, root
    readable authorized_keys files.
  • Individual Root Accounts
  • Multiple accounts all set to same UID, but with
    different passwords
  • Alice_Root, Bob_Root, etc.
  • Really only works for root

22
Stranded?
  • mindterm Java applet with full port forwarding
    / proxying capabilities.
  • Google for mindterm, find an available
    installation of the applet.
  • If youve got web and outgoing SSH, youve got
    access to the world.

23
Conclusion
  • ssh is powerful
  • ssh is flexible
  • ssh is fun.
  • any questions? any requests?
Write a Comment
User Comments (0)
About PowerShow.com