Tag Archive for 'obfuscation'

04 Sep

The Chinese Radio Station Problem

The other day I was on a support call with a techie from a vendor that will remain nameless (go ahead… guess!).  We were watching some HTTP packets fly by with tcpdump when he suddenly said, “WTF is that?”

“That” was along the lines of this:

http://72.246.30.118/idle/Ga0mdz02wSLOaQ5Q/250
http://72.246.30.118/idle/Gx0mdz02xSLWq-NW/44
http://72.246.30.118/idle/Gx0mdz02xSLWq-NW/121
http://72.246.30.118/idle/Gx0mdz02xSLWq-NW/200
http://72.246.30.118/idle/Gx0mdz02xSLWq-NW/251
http://72.246.30.118/idle/Gx0mdz02xSLWq-NW/310
http://72.246.30.118/idle/Gx0mdz02xSLWq-NW/359
http://72.246.30.118/idle/Gx0mdz02xSLWq-NW/422
http://72.246.30.118/idle/Gx0mdz02xSLWq-NW/481

More or less.  Lots of these suckers.  I see millions of them in my proxy logs every day.

This fellow had never seen these URLs before.  Odd because his company deals with URLs every day.  I just told him to add “not host 72.246.30.118” to his tcpdump command line and that got rid of it.

Well, the support call eventually ended.  Nothing was resolved, as usual.  But this article is not about him anyway.

That crap is Flash.  The URL never has a hostname.  It’s always an IP address and that address usually belongs to a CDN (Content Distribution Network).  The address above belongs to Akamai.  The second part of the URL is one of open/send/idle.  The third is some sort of content or user or session identifier.  The last part is obviously a sequence number.

If you frequent some sort of Internet Radio station while you’re at work and you play it all day and you leave work with your browser open to that site, you will generate tens of thousands of these URLs.  I’ve seen a single user drop a half a million of these a day.

Now, all you blackhat spooks out there listen up, because this is important.  If you don’t get it already, I’m going to spell it out.

This is a perfect covert channel.

Just faking these URLs offers excellent cover.  The “idle” URLs are all HTTP POSTs.  You can send data out without raising red flags as long as you keep the packet size down.  A single /idle/ URL packs about 215 bytes, but the user will hit a single /idle/ URL 600-700 times, for a total of ~150K.  In the logs, looking for that kind of crap in a multi-user environment boils down to the “needle in a needlestack” problem.

You get the picture.
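As an added example, not from the original post, here is the kind of proxy-log check a defender could run for the pattern just described: it groups /idle/ POSTs by user, CDN address and session identifier, then flags sessions whose request bodies exceed the ~215-byte keepalive size by a margin or whose sequence numbers run backwards. The log format and every line in it are constructed for the example.

```python
import re
from collections import defaultdict

# Shape of the URLs described above: bare IPv4 host, verb open/send/idle,
# an opaque session identifier, then a sequence number.
IDLE_URL = re.compile(
    r"^http://(?P<host>\d{1,3}(?:\.\d{1,3}){3})/(?P<verb>open|send|idle)/"
    r"(?P<sid>[A-Za-z0-9_-]+)/(?P<seq>\d+)$")

# Constructed proxy log (not real data): user, method, url, request body bytes.
# alice is a normal listener; bob's session carries two oversized POSTs and a
# sequence number that runs backwards.
SAMPLE_LOG = """\
alice POST http://72.246.30.118/idle/Gx0mdz02xSLWq-NW/44 215
alice POST http://72.246.30.118/idle/Gx0mdz02xSLWq-NW/121 214
alice POST http://72.246.30.118/idle/Gx0mdz02xSLWq-NW/200 216
alice POST http://72.246.30.118/idle/Gx0mdz02xSLWq-NW/251 215
bob POST http://72.246.30.118/idle/Ga0mdz02wSLOaQ5Q/250 215
bob POST http://72.246.30.118/idle/Ga0mdz02wSLOaQ5Q/310 1480
bob POST http://72.246.30.118/idle/Ga0mdz02wSLOaQ5Q/300 1480
bob POST http://72.246.30.118/idle/Ga0mdz02wSLOaQ5Q/359 215
carol GET http://www.example.com/index.html 0
"""

def parse_log(text):
    """Yield one dict per line whose URL matches the open/send/idle shape."""
    for line in text.splitlines():
        user, method, url, nbytes = line.split()
        m = IDLE_URL.match(url)
        if m:
            rec = m.groupdict()
            rec.update(user=user, method=method, seq=int(m["seq"]), nbytes=int(nbytes))
            yield rec

def find_suspicious_sessions(text, baseline=215, tolerance=0.25):
    """Group /idle/ POSTs by (user, host, session id) and return, for each session
    that looks wrong, the reasons: bodies well above the ~215-byte keepalive
    baseline quoted above, or sequence numbers that do not keep increasing."""
    sessions = defaultdict(list)
    for rec in parse_log(text):
        if rec["method"] == "POST" and rec["verb"] == "idle":
            sessions[(rec["user"], rec["host"], rec["sid"])].append(rec)
    limit = baseline * (1 + tolerance)
    findings = {}
    for key, hits in sessions.items():
        reasons = []
        big = [r["nbytes"] for r in hits if r["nbytes"] > limit]
        if big:
            reasons.append(f"{len(big)} POST(s) over {limit:.0f} bytes (max {max(big)})")
        seqs = [r["seq"] for r in hits]
        if any(b <= a for a, b in zip(seqs, seqs[1:])):
            reasons.append("sequence numbers do not strictly increase")
        if reasons:
            findings[key] = reasons
    return findings

if __name__ == "__main__":
    for key, reasons in find_suspicious_sessions(SAMPLE_LOG).items():
        print(key, "; ".join(reasons))
```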

It gets better if you can do it over a CDN.  This is what I like to call “The Chinese Radio Station Problem”.  It’s a deep pockets hack, because you have to control the server.  The CDN serves to mask the real destination. In my small little mind I see it as something an adversarial government has the resources to do.  Hence, Chinese.

Think about it.  It’s Flash, so there are plenty of known, unknown, and, shall we say, “private label” vectors that can be leveraged to add a little some-some to an end-user’s PC.

What that some-some is, is up to you.  You are only limited by your imagination.

If you control the server, the user can still listen to Internet Radio while he sends you his company’s intellectual property.  Logged or not, it still looks like streaming media.

I would conjecture that most companies that block streaming media leave it open for CxOs, which is even better because they get the juiciest details on intellectual property.  You just need to know what kind of media they like.

And for employers who don’t block streaming media, there’s people like Shirley in Accounts Payable, who has all the bank passwords and likes to listen to Christian music all day long.  Double cover.  Anything with “Christian” in it is above suspicion, right?

And what about that Asian dude in Engineering, Tony Lee?  What is he listening to?

Endless opportunity.

09 Aug

More Annoying JavaSHIT Obfuscation!

Time and time again the bozos who run proxy lists try to come up with silly JavaSHIT schemes to prevent their pages from getting scraped by list raiders like me.

Consider the following stupidity (click for a larger view):

This is silly on a number of levels.

First, anyone remotely concerned about online security (there’s a couple of us) has JavaSHIT disabled 24×7 and the last place they’d want to enable it would be on a freakin’ proxy list site.

Second, that “eval(unescape(…” bullshit screams “HAXX!!!”

Third, this code simply unescapes to the html that would have been displayed had they not obfuscated it in the first place.  What is the point?

And since it’s JavaSHIT, it’s easy to pull off the page and de-obfuscate.
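As an added example that is not part of the original post, here is a Python decoder that does exactly that statically: it finds eval(unescape("…")) literals, applies JavaScript's unescape rules as plain string work without ever executing the script, and strips the document.write() wrapper to recover the HTML the page would have shown anyway. The sample page and the 192.0.2.10 address in it are constructed.

```python
import re

# JavaScript unescape(): %uXXXX -> one UTF-16 code unit, %XX -> one Latin-1
# code point; everything else passes through.  Nothing here runs any JS.
_ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")

def js_unescape(s):
    return _ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

# eval(unescape("...")) or eval(unescape('...')) with a plain string literal.
_EVAL_UNESCAPE = re.compile(
    r"""eval\s*\(\s*unescape\s*\(\s*(["'])(.*?)\1\s*\)\s*\)""", re.DOTALL)

def decode_eval_unescape(script, max_layers=10):
    """Replace each eval(unescape(<literal>)) with its decoded literal, repeating
    for nested layers until nothing changes or max_layers is reached."""
    for _ in range(max_layers):
        new = _EVAL_UNESCAPE.sub(lambda m: js_unescape(m.group(2)), script)
        if new == script:
            break
        script = new
    return script

# The decoded code on these sites is usually just document.write('<html...>').
_DOC_WRITE = re.compile(
    r"""^\s*document\.write\s*\(\s*(["'])(.*)\1\s*\)\s*;?\s*$""", re.DOTALL)

def unwrap_document_write(code):
    """Return the HTML inside a bare document.write('...') call, else the code."""
    m = _DOC_WRITE.match(code)
    return m.group(2) if m else code

# Constructed sample in the style of an obfuscated proxy-list page (not a real
# site); 192.0.2.10 is a documentation address used as a placeholder.
SAMPLE = ('<script type="text/javascript">eval(unescape("%64%6f%63ument%2ewrite%28%27'
          '%u003Cb%3e192%2e0%2e2%2e10%3a8080%3c%2fb%3e%27%29"))</script>')

def recover_html(page):
    """Find the first eval(unescape()) call in a page, decode it statically and
    unwrap document.write(), returning the HTML or None if there is no such call."""
    m = _EVAL_UNESCAPE.search(page)
    if not m:
        return None
    return unwrap_document_write(decode_eval_unescape(m.group(0)))

if __name__ == "__main__":
    print(recover_html(SAMPLE))  # <b>192.0.2.10:8080</b>
```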

I bring this up because I have been throwing out the unproductive sites I’ve been pulling data from.  Some have disappeared, including my very last, solid gold Russian proxy site.

Those are some big shoes to fill, so to replace it I Googled “proxy list” to see who’s getting all the hits these days.  For the most part it was the usual suspects, but there were a few new names so I looked into them.

And sure enough, most of them were using JavaSHIT obfuscation.  Even some of the old standby sites have been re-written to leverage JavaSHIT.

And I was surprised to find that I could actually get some good proxies from these sites.  THAT in itself is very unusual.  Typically you go through the hassle of unobfuscating this crap and it’s seldom worth the effort.

As usual, you’re the WINNER!

12 Apr

Obfuscated Updates for 04/12/10

You may notice the “PoTTY” link above. There’s nothing there yet. That is/was a test for the “Visit Web site” button on the PoTTY “About” box. Right now I’m mulling over where to put the files. I think they’ll end up on www.mrhinkydink.com (not the BlogSpot redirect), if only for “branding” purposes.

Today I obfuscated PLINK and PSFTP (I did PSCP over the weekend), but I haven’t tested them yet, so the entire PoTTY Suite is almost ready to rock’n’roll.  As far as the source code goes, I could zip the entire directory structure up as is, but I need to do something about my idiosyncratic, highly non-standard search paths so you can just import it into VCE 2008 with minimum hassle.  I agree VC6 would be a better format, but I don’t have VC6.

I have had a few hiccups using my own obfuscated-openssh server (Debian 4.0r0).  I have four instances of ObfuscatedPort in sshd_config, but only two of the ports are working.  This is probably something unique to this system (i.e., something I screwed up) since I also have it installed and running on four ports on my CentOS laptop (long story – it’s the only distro that works on a SONY Vaio PCG-K27) with zero problems.

The simple Cygwin fix continues to shine.  Right now I have Cygwin oossh running in a loop back at my office in the Salt Mine, back-tunneling RDP.  There have been a few connection drops due to proxy issues – it goes out through a very busy proxy – but it reconnects fine.

If you use a proxy with Cygwin oossh (or any ssh client), be sure to set the ServerAliveInterval to something less than a minute.  In my case, the Microsoft ISA proxy back at the office drops all TCP connections after two minutes of inactivity, so you have to keep that pipe flowing if you want to stay connected.  Be it SOCKS or HTTP, it doesn’t matter.  You get two minutes.  Shit or get off the pot.

This is usually not an issue if you can get out through a firewall hole, but YMMV.

I don’t recommend using oossh through a proxy, but sometimes you have no choice.  I have a choice, but I use a proxy because I have this… obsession with proxies.

Did I ever mention that?

10 Apr

RDP Back-Tunneling NAILED

WTF!

All this time I’ve been using PuTTY (great program, BTW.  Ever heard of it?) to make the tunnel.

Cygwin ssh worked just fine, which means that Cygwin obfuscated-openssh should work just fine.

Well, I’ll be dipped in shit!

The thing is, I know I’ve tried this with Cygwin before, with the same, exact Black Screen ‘O’ FAIL results.

I did upgrade to v1.7 within the last couple of weeks, though.  Hmmm…

Maybe it’s time to take back all those nasty things I said about Cygwin.

08 Apr

Hinky Gets Props For Patch!

I had a question about the copyright of obfuscated-openssh so I dropped the author a note.  He wrote back saying since it was a patch to OpenSSH, the same copyright applied.

I thanked him and added a BTW about the fix I made to oossh to get it to work with proxies.

He posted it to github with a thanks!

Aw shucks, folks, ’tweren’t nuthin!

On the PoTTY front, my first attempt at static linking to the OpenSSL libs taught me more than I ever wanted to know about Microsoft C compilers.  In other words, it was a Total Fail.  And it made my dinky little brain hurt.  I’m not sure if I can pull it off but I’m going to dick around with the compiler flags and rebuild OpenSSL to see if that helps.  Another option would be yanking the RC4 code out completely and shoving it down the PoTTY, so to speak.  Either way, it looks like a tough hack.

Otherwise, testing is going well.  I built a private version with my Secret Sauce and tested against my workplace firewall/IDS.  It worked beautifully.

07 Apr

PoTTY: Tidying Things Up

I moved the obfuscation settings to Connection/SSH/Kex because that’s where they belong.  The settings disappear if you’re in mid-session, because, well… there would be no point in doing that.  Obfuscation only happens at the beginning of a connection.

The password box offers no option for verification, so you have to get it right the first time.  It gets stored in the Windows user’s registry in clear text, which bothers me for obvious reasons.  Ideally, I think there should be two checkboxes, one to enable obfuscation and one to “Use password”.  Then, PoTTY would prompt for the password just before the connection is attempted.

But… heh… I don’t want to deal with that right now.

At the moment I believe “obfuscation is enough” and I don’t have any passwords on any of the oossh servers I have deployed so far (having said that, maybe I should).  But in The Future, if oossh gets deployed widely enough that hackers and brute-forcers add obfuscation to their standard repertoire, it will probably become a “best practice”, since without a password the server trusts any old connection at all (at least for the key exchange).

Until that time, clear text password storage can be tolerated.  Or, you could simply choose never to save the password in the first place.

This is looking better every day.  Now I need to get this thing statically linked with OpenSSL.

06 Apr

Obfuscated PuTTY LIVES!!!!

As it turns out, Obfuscated PuTTY was a three-day weekend hack.

Last night I was banging away and things were looking good.  I got past the “corrupt packet” errors and I was getting all the way through the obfuscated key exchange when I realized my problem was that I wasn’t turning off obfuscation in the right place.  At that moment everything that needed to be done was all clear to me.

I had an epiphany!!!!

Right then, at that Stunning Moment of Clarity, there was a bright flash, a clap of thunder, and the fucking power went out!

It was as if my efforts had enraged the Gods Themselves.

It lasted all of five seconds, but Visual C++ Express blinked out and suddenly I was staring at a power-on self test on my monitor.  I couldn’t help but wonder if I had saved my work recently.  I didn’t want to deal with that possibility (they call it “denial”) or the possibility that the power would go out again, so I did other stuff for a couple of hours and hit the sack early.

I woke up at 4AM (my own personal “Magic Hour” these days) and loaded up the code to see what I had lost.  But it was all there!  I made the changes and after a few tests and a couple cups of coffee, the damned thing worked!

Now, the clean-up phase begins.  I still have some unfinished business:

  • Statically link OpenSSL to make PoTTY a standalone executable.
  • Fix up and test the obfuscated-openssh password stuff
  • Add some spit and polish
  • Test!  Test!  Test!

04 Apr

Another Victory

I may just hammer this sucker yet…

The circled part is the start of the obfuscated handshake.  Normally, that’s in clear text.

Maybe it could be a weekend hack after all, but right now I’m kind of burnt out on the whole thing.

04 Apr

Small Victories

As you can see, I haven’t given up on PoTTY yet.

This morning I woke up at about 4AM and decided to go at it.  I have found the spot in the PuTTY code where (I think) the obfuscated handshake should go, but at the moment I’m not sure how to implement it.  But with that insight I cut the network routines out of obfuscate.c and set about to just getting it to compile.

With that issue on the back burner, the only piece that had to be hacked out of nowhere was the arc4random() function.  I was lucky enough to find that, and other WIN32 goodies, here.

I shoehorned it all in and compiled it with VCE 2008 and it worked.

Or, rather, it “worked”.

Even though obfuscate.c is dead code (there’s nothing calling it right now), PoTTY choked because it couldn’t find the OpenSSL DLLs (libeay32.dll & ssleay32.dll).  I put them in the system PATH and PoTTY fired up.  Since nothing but the obfuscation code and arc4random() includes the OpenSSL headers that error was an obvious sign that the code was in there.

I’d prefer it if all the OpenSSL routines were statically linked, but at this point I’ll take what I can get.

The primary reason I want to statically link the code is that there are quite a few vendors in the non-FOSS world who have their own, proprietary versions of these two DLLs for Windows.  That’s not a problem when there’s only one of these vendors in your system, but when you have two of them the incompatible DLLs start causing problems.

I discovered that years ago after compiling my own SSL-enabled WIN32 version of wget.  Somewhere along the line I installed a McAfee product of some sort and it stomped on my SSL DLLs (McAfee also has a version of wpcap.dll that will ruin your day sooner or later).

So that will be the next step.  I have all the OpenSSL static libs but I can’t get VCE to link them.  Not sure what the issue is there.

Another small victory…

The options are in there, ready to rock’n’roll whenever I finally figure out how to use them!

03 Apr

Epic Hinky FAIL

Going over the PuTTY code I got a strange feeling of déjà vu.  And indeed I had been here before, in November of 2005 when I last tried hacking it.  That particular trick was successful.  I needed to make a “secure-er” version for a vendor who was remoting into one of our *ix servers through a Windows box (via telnet).  All I did was remove the right-click context menu so he couldn’t get into a box we didn’t want him to get into (of course, nothing prevented him from doing that from the command line once he was inside PuTTY but at least that would leave an audit trail on both *ix boxes).

Yes… I had seen this all before and it wasn’t pretty.

In typical Hinky Dink fashion I hacked around for hours and hours until, defeated and crestfallen, I decided it was probably a good idea to read the docs.

Oh, yeah… definitely been there before.  The repressed memories came flooding back.

You have to hand it to Simon Tatham, PuTTY’s author.  He has the free Windows SSH client “market” all to himself.  Sure, Cygwin’s client does work quite well, and they have a server to boot (there’s no PuTTYd yet) but it’s still… ugh… Cygwin.

Not that there’s anything wrong with Cygwin… just don’t get me started.

Then there’s SSHWindows, the “minimal Cygwin” variant.  Based on an ancient version of OpenSSH and an equally decrepit version of Cygwin, it’s an accident waiting to happen.  Oddly, this is quite widely deployed.  I practically crapped my pants when I found it flourishing in my work environment (when reported to management all I got in return were blank stares.  I get that a lot).

There are a few PuTTY derivatives out there, but none that are in active development.  And most of them seem to be dedicated to features that no one really cares about (like “minimize to the system tray”, PuTTY-in-a-DLL, support for Active Directory Group Policy, et cetera – Big Fucking Deal).

It leads you to wonder out loud, “Why doesn’t someone just sit down and port the OpenSSH code to Windows?”  Well, it’s been done but the developers went insane doing it and never released the code.  You can read about that here.

With OpenSSH being so maddening to port to Windows it’s no wonder Mr. Tatham decided to trash it all and do it his way.  And looking at “his way” you have to wonder if he wasn’t insane in the first place (just kidding, Simon!).

So I have come to the conclusion this is not going to be a weekend hack, but I will not go so far as to say it can’t be done.  It probably just can’t be done by me.

That opens up some other options:

  • Send the PuTTY Team a wishlist request
  • Start an obfuscated-openssh movement and get OpenSSH to mainline the extensions.  Wait a couple of years for Simon to play catch up.
  • Pay some starving Indian/Chinese programmer US$200 to program it for me

The first option is likely a dead-end.  They have this thing about “standards”.  However, no one has suggested it yet, which surprised me.  It could be worth a shot, but again, who takes email from “MrHinkyDink” seriously?

As for the second, I’ve never had any luck rallying troops of any sort.  I’m not what you’d call a charismatic leader (unlike my namesake).  Plus, it would take too long.

I like the third option and I have the two hundred bucks!  Drop me a note!

In the meantime I will meditate on Simon’s code and see what I can do, but I value what little sanity I have left so nothing may come of it.