This repository was archived by the owner on Aug 1, 2024. It is now read-only.

Standalone SOCKS5-SSH proxy written in Golang to punch firewalls where outbound SSH is allowed


xor-gate/escape-from-babylon


socks5-ssh-proxy

If HTTP(S) is filtered and outbound SSH is allowed, just create a SOCKS5 proxy over SSH using a jump server. Beat the (corporate) censorship, and be free!

Caution

The project has been archived because Palo Alto Networks, Inc. Cortex XDR almost always marks it as Suspicious and removes it or analyses it at runtime. Research case closed, back to the WSL ssh SOCKS5 proxy then...

Background information

The proxy can use SSHFP DNS record verification for extra protection: the SSH host public key is checked out-of-band against the fingerprint published in DNS.

The release build target is fully silent, as os.Stdout and os.Stderr are redirected to /dev/null. It also embeds the SSH jump host configuration in the binary (see config_template.go, which is copied to config_release.go).

Server installation

When using OpenSSH server, a dedicated tunnel user should be created. It must be configured so that no PTY can be allocated (no interactive session), so the client is unable to execute commands on the SSH jump host.

/etc/ssh/sshd_config

The following OpenSSH daemon options could be set. By default this does not allow anyone to log in except members of the system group ssh; the connection is dropped immediately instead of sending a response. The tunnel user needs PermitTTY no so no shell is possible, only TCP forwarding.

PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 0
ChallengeResponseAuthentication no

Match Group ssh
	MaxAuthTries 3 # Only key-based may be tried

Match User tunnel
	MaxAuthTries 1 # Only key-based may be tried
	GatewayPorts yes
	AllowTcpForwarding yes
	PermitTTY no
	PasswordAuthentication no

SSHFP verification

  • Create SSHFP DNS records with ssh-keygen -r on the SSH jump host
  • Configure (public) DNS server with those records
  • Check if records are active with dig SSHFP <hostname> +short
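As an added Go example (not code from this repository) of the check the steps above enable: derive the SHA-256 SSHFP record for a host key line the way ssh-keygen -r does, then accept the key only if one of the records returned by dig matches. The key line and records below are constructed for the test, and the function names are hypothetical.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// SSHFP in presentation form (RFC 4255/6594/7479): algorithm 1=RSA 2=DSA
// 3=ECDSA 4=Ed25519, fingerprint type 1=SHA-1 2=SHA-256, then the hex digest.
type SSHFP struct {
	Algorithm, FPType int
	Digest            string
}

// Key-type prefix of a public-key line to SSHFP algorithm number (0 = unsupported).
var keyTypeToAlg = map[string]int{"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
	"ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}

// SSHFPFromHostKey derives the SHA-256 (type 2) record for one OpenSSH public-key
// line ("ssh-ed25519 AAAA... comment") the way ssh-keygen -r does: the digest
// covers the decoded wire-format key blob, not the base64 text.
func SSHFPFromHostKey(line string) (SSHFP, error) {
	f := strings.Fields(line)
	if len(f) < 2 || keyTypeToAlg[f[0]] == 0 {
		return SSHFP{}, fmt.Errorf("malformed or unsupported key line %q", line)
	}
	blob, err := base64.StdEncoding.DecodeString(f[1])
	if err != nil {
		return SSHFP{}, err
	}
	return SSHFP{Algorithm: keyTypeToAlg[f[0]], FPType: 2, Digest: fmt.Sprintf("%x", sha256.Sum256(blob))}, nil
}

// HostKeyMatchesRecords accepts the host key only if one record (in the "4 2 <hex>"
// form printed by `dig SSHFP <host> +short`) has the same algorithm and SHA-256
// digest; SHA-1 (type 1) records are never treated as a match.
func HostKeyMatchesRecords(keyLine string, records []string) (bool, error) {
	want, err := SSHFPFromHostKey(keyLine)
	if err != nil {
		return false, err
	}
	for _, rr := range records {
		var got SSHFP
		if _, err := fmt.Sscanf(rr, "%d %d %s", &got.Algorithm, &got.FPType, &got.Digest); err != nil {
			return false, fmt.Errorf("bad SSHFP record %q: %w", rr, err)
		}
		got.Digest = strings.ToLower(got.Digest) // dig prints upper-case hex
		if got == want {
			return true, nil
		}
	}
	return false, nil
}
```

A client that performs this comparison before completing the SSH handshake refuses a jump host whose key does not match the published records, which is the point of step 3 above.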

Browsing with chrome over the proxy

E.g.:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --proxy-server="socks5://127.0.0.1:1337" --user-data-dir="Y:\ChromeProfile"

Detection

It is highly likely this proxy will be detected by virus or malware scanners. This can be a false positive; see https://go.dev/doc/faq#virus.

The following detections have been observed:

  • Microsoft Defender: Trojan:Win32/Gracing.I - Severe. Probably fixed because of packing with UPX
  • Palo Alto Networks, Inc. - Cortex XDR: detected as Suspicious (no fix yet)

Build time dependencies

macOS

  • go
  • upx
  • goreleaser
  • mingw-w64 (for building the windows dll/exe)
