New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add client-outbound SOCKS support #78
Conversation
Thanks for the PR! I think a better user experience would be for it to work like the server's socks endpoint (e.g. |
Thanks for the feedback! I did originally consider something like you've suggested, but this was a quick solution to a problem. I'll consider implementing as you've suggested, but it may take some more time for me to understand the code (and more of golang). I do prefer the |
Awesome, no rush!
…On Tue, 12 Feb 2019 at 2:00 pm aus ***@***.***> wrote:
Thanks for the feedback! I did originally consider something like you've
suggested, but this was a quick solution to a problem. I'll consider
implementing as you've suggested, but it may take some more time for me to
understand the code (and more of golang).
I do prefer the R:socks design better. And if multiple clients connect,
then the subsequent client can simply specify a free port to listen on
(e.g. R:1081:socks).
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#78 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AAmr87kj-ITyEPfXrmC-9AZxRLv2RdObks5vMi5RgaJpZM4ayr3B>
.
|
Reworked the code to support the |
Sorry! You right in not needing the socks option. I should have clarified,
an attacker can send any "ExtraData" and could crash the client with a nil
pointer exception when the *socksServer is under. So the check would be for
if socksServer == nil, then reject
…On Mon, 25 Feb 2019 at 2:53 am aus ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In client/client.go
<#78 (comment)>:
> @@ -272,13 +286,19 @@ func (c *Client) Close() error {
func (c *Client) connectStreams(chans <-chan ssh.NewChannel) {
for ch := range chans {
remote := string(ch.ExtraData())
+ socks := remote == "socks"
Thanks for the feedback! I guess I'm a bit confused. My understanding of
the linked code block is that it essentially checks whether the --socks5
server option was enabled. Are you saying that the --socks5 server option
should be checked and enabled in order for client socks remotes R:socks
to work? Or are you saying there should be a client option of --socks5?
Or neither? 😄
In my original commit, I had added the client option --socks5 to enable
the client socks server. However after your suggestions, I've concluded
that the client --socks5 option is redundant if the client is also
specifying socks in the reverse remote R:socks.
I understand the security reasoning for having the server --socks5
option. Since the client specifies the remote, the server should not allow
clients with free network access unless explicitly enabled. But for client
socks, I don't really see any risk where neither the server nor client
would need to enable the --socks5 option. And the --reverse server option
already permits or denies the server-side risk.
Hopefully you can clarify things for me. Thanks!
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#78 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AAmr89lQpmh3r3yYG8tAfsvq8Z04-TAOks5vQrVlgaJpZM4ayr3B>
.
|
Thanks for the clarification. And good catch. I've add the nil check as suggested. (if you got an email notification on my previous comment, please ignore. I realized I did not have the |
For those following along at home, the current syntax works like this:
From the chisel server (example.com), you can access a SOCKS server on 127.0.0.1:1080 that will originate from the client chisel (12.34.56.78).
Then we see this in the server log:
|
Very cool PR, works very well. Is there a way we can request the listen IP when setting up the reverse socks proxy. Seems to default to 127.0.0.1. I can see that the port can be changed, |
Yup. This is already supported. Another example: From the server:
From the client:
And now we can see our server log that we are listening on 0.0.0.0:5000:
You cannot change the listening port on the client side, because the client does not listen with a reverse socks. |
Why wasn't this merged yet? It is awesome! |
^^^ This! ^^^ |
I have a fork here with some other useful PRs merged. Check the |
Looks good! Will test tonight and get this merged :) Sorry guys |
Awesome! Thanks for the merge @jpillora. And thanks for creating chisel! It's been really useful for me. I will test the release. Also, there were a few additional minor changes in my branch that may not be reflected in the changelog:
The DialContext is useful if you are creating a chisel client and need to modify the connect behavior. I created aus/proxyplease for this purpose. A DialContext from aus/proxyplease enables my chisel client to transparently authenticate against a Kerberos HTTP proxy via SSPI. proxyplease might be worth integrating into chisel as a dependency, but my code probably needs a bit more testing and cleanup. |
Oh yea I saw those in there, forgot to mention Cool looks good - I'm doing some Go+kerberos stuff at work at the moment actually, will take a look |
Hi @jpillora,
For chisel clients in Windows environments, the following two extra options would be awesome:
In addition to the work from @aus, maybe the Px (Python) implementation can help. Essentially, it would be pretty cool to be able to enjoy the Px features within chisel directly. :) |
In some situations, it may be useful to utilize the chisel tunnel to access the internal network of the connected client. With the recent addition of reverse port forward remotes, we can simply start a SOCKS5 server on the client and remote port forward to it.
Example:(see comment below for latest syntax)server
client