Showing posts with label proxy. Show all posts

Thursday, March 5, 2015

How-To: Rdesktop over (HTTP) Proxy

How to connect to a remote desktop host via an HTTP Proxy

In this example we will use, once again, socat. Here is how to connect to a Terminal Server that can only be reached through an HTTP proxy: socat opens a local port, and every connection to it is relayed to the Terminal Server with an HTTP CONNECT request to the proxy.

First, make sure that your $http_proxy environment variable is set properly.

Add the following function to your ~/.bashrc:

function rdesktop_proxy () {
 # usage: rdesktop_proxy <hostname/ip> [extra xfreerdp options]
 if [ $# -lt 1 ]; then
  echo "usage: ${FUNCNAME[0]} <hostname/ip> [xfreerdp options]"
  return 1
 fi

 local HOST="$1"
 # turn http://proxy:8080/ into proxy:8080, then split host and port
 local PROXY_HOST PROXY_PORT
 PROXY_HOST=$(echo "$http_proxy" | sed 's,http:,,;s,/,,g' | cut -d: -f1)
 PROXY_PORT=$(echo "$http_proxy" | sed 's,http:,,;s,/,,g' | cut -d: -f2)

 # local listener on 127.0.0.1:51515, relayed to HOST:3389 through the proxy (CONNECT)
 socat TCP4-LISTEN:51515,bind=127.0.0.1,reuseaddr PROXY:"$PROXY_HOST":"$HOST":3389,proxyport="$PROXY_PORT" &
 local SOCAT_PID=$!

 # point the RDP client at the local relay; any further arguments are passed through
 /usr/local/bin/xfreerdp +clipboard +home-drive "/t:$HOST" /v:127.0.0.1:51515 "${@:2}"

 # the relay serves a single session; make sure it is gone once the client exits
 kill "$SOCAT_PID" 2>/dev/null
}

Then re-source your shell:

source ~/.bashrc

And you can just type:

rdesktop_proxy my.rdpdomain.com /u:John

The example above uses the xfreerdp client, but you can adjust it to use your favourite RDP client; you get the idea.

Thursday, January 22, 2015

Intercept all HTTP + SSL Android traffic and bypass SSL Pinning

How to intercept all Android HTTP / HTTPS network traffic on Windows and bypass SSL Pinning


  1. Install ADB / the Android SDK, or use the AppUse VM.
  2. Root the Android device.
  3. Install Android Cydia Substrate:
     adb install com.saurik.substrate.apk
  4. Install Android SSL Trust Killer:
     adb install Android-SSL-TrustKiller.apk
  5. Export Burp's root CA certificate.
  6. Push the Burp certificate to the sdcard:
     adb push PortSwiggerCA.cer /sdcard
  7. Install the Burp certificate in the Android trust store:
     Settings > Security > Install from device storage
  8. On Windows, create a wireless hotspot sharing your Internet / external connection.
     Create the hotspot:
     netsh wlan set hostednetwork mode=allow ssid=MyHotspot key=MyPassword keyUsage=persistent
     Start the hotspot:
     netsh wlan start hostednetwork
     Or stop the hotspot:
     netsh wlan stop hostednetwork
  9. Enable Internet Connection Sharing on your external connection: right-click your connection's NIC, "Sharing" tab, check the box, select "MyHotspot". The external NIC icon should say "shared".
  10. Connect the Android device to the Wi-Fi hotspot using the key configured previously.
  11. Optional: If you prefer a static network configuration to DHCP, go to the Wi-Fi connection's advanced settings and look for the IP address that was attributed. Switch to a static IP and set this IP manually. The gateway should be the IP address of the Windows "MyHotspot" interface. The DNS server should be your ISP's / corporate network one. Reconnect the Wi-Fi with the new network configuration.
  12. Try to ping the Android device's IP address from the Windows machine.
  13. Run Burp and make it listen on the hotspot interface's IP address.
  14. You can configure this proxy in the wireless connection's advanced settings, but that only takes effect for proxy-aware apps such as the web browser. Preferably, and since your device is rooted, use an app such as ProxyDroid to make all apps go through the proxy transparently. The Play Store should keep working as well.
  15. Configure Burp's upstream proxy rules if needed.
  16. You should be able to intercept all HTTP/HTTPS traffic. If not, well, go back to step 1.

Monday, July 21, 2014

NTP behind a HTTP proxy?

As NTP uses UDP port 123, setting the date via NTP (ntpdate) behind an HTTP proxy is of course not possible without some tunneling/encapsulation wizardry. There is, however, a very nice solution using a time API. Since it is served by a web server, the proxy problem disappears immediately.

For example, to set your date/time according to your timezone:

# export http_proxy=http://proxy.mycompany.com:8080/
# date -s "$(wget -q -O - http://www.timeapi.org/gmt)"

Easy, right?
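The same idea works with any web server, not only timeapi.org: every HTTP response carries a Date header, and a proxy relays it. The added script below (not part of the original post) extracts that header through the proxy and only applies it when the jump is plausible, so a stale cached response or a bogus server cannot move the clock by years. It assumes curl (which honours $http_proxy) and GNU date; the sample headers are constructed and the URL is a placeholder.

```shell
#!/bin/bash
# Added example: set the clock from an HTTP Date header fetched through the proxy.
# Assumes curl and GNU date. SAMPLE_HEADERS below is a constructed response.

# Pull the value of the Date header out of a raw header block ($1)
http_date_from_headers() {
  printf '%s\n' "$1" | tr -d '\r' |
    awk 'tolower($1) == "date:" { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Compare remote ($1) and local ($2) epoch seconds: print "apply" when they differ by
# at most $3 seconds, "skip" otherwise.
clock_decision() {
  diff=$(( $1 - $2 ))
  [ "$diff" -lt 0 ] && diff=$(( -$diff ))
  if [ "$diff" -le "$3" ]; then echo apply; else echo skip; fi
}

# Fetch the headers of $1 through $http_proxy, decide, and set the clock (needs root).
# Cache-Control: no-cache asks the proxy for a fresh response instead of a cached Date.
set_clock_via_proxy() {   # $1 URL (placeholder), $2 maximum accepted skew in seconds
  headers=$(curl -sS -I -H 'Cache-Control: no-cache' "$1") || return 1
  remote_date=$(http_date_from_headers "$headers")
  [ -n "$remote_date" ] || { echo "no Date header in response" >&2; return 1; }
  remote=$(date -u -d "$remote_date" +%s) || return 1
  now=$(date -u +%s)
  case "$(clock_decision "$remote" "$now" "$2")" in
    apply) date -u -s "@$remote" ;;
    skip)  echo "refusing: remote clock differs by more than $2 s" >&2; return 2 ;;
  esac
}

# Constructed sample, as a proxy would relay it (note the Via header it adds)
SAMPLE_HEADERS=$(printf 'HTTP/1.1 200 OK\r\nDate: Mon, 21 Jul 2014 12:34:56 GMT\r\nVia: 1.1 proxy.mycompany.com\r\n')

# usage, as root, with a placeholder URL and a 10 minute sanity window:
#   set_clock_via_proxy https://www.example.com/ 600
```

Prefer an https:// URL: the proxy only tunnels a CONNECT, so the Date header really comes from the origin server rather than from whatever the proxy has cached. The skew check is the caveat worth keeping: a web server is not an authenticated time source, so treat it as a way to correct drift, not to bootstrap a clock from scratch.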

Wednesday, July 2, 2014

Using iptables + socat to tunnel outbound connections through proxy

EDIT: Here is the tool I wrote to facilitate creation of transparent tunnels over http proxies - on my GitHub account.

I've known about socat for a while, but never really got into using it until recently. Its possibilities are endless and it's always reliable. I'm thinking about writing a wrapper around it.

For now, imagine you've got the following setup: a thick/thin app, script, program, whatever, with no native proxy support, connecting to an external host. You may want to tunnel the connections through your company's proxy, or maybe perform a man-in-the-middle on the outbound streams. (Side note: Contextis' CANAPE is excellent for that matter, but more complex to set up, and Windows only.)

Obviously, you could edit your hosts file, or even possibly modify the source code to make it connect to wherever you want. But there are some situations where you can't / don't want / are too lazy to do that.

You can use an iptables rule to redirect the outbound connections to that host to your loopback interface, then have socat listening on a local port and tunnel the sessions through the proxy. The same trick can be used to set up a local man-in-the-middle scenario, where you put an intercepting proxy in the middle of the communication.

The network flow diagram is as follows:
Add the "reuseaddr" option to socat's listening address so it can rebind to a port that is still in TIME_WAIT from a previous run. Add the "fork" option if needed, so socat keeps serving new connections instead of exiting after the first tunneled TCP session is finished. You don't need to enable IP forwarding on your box: the redirected traffic never leaves it.

For example, say I want to tunnel all direct connections made to google.com:443. First, create the iptables rule accordingly. As root:

iptables -t nat -A OUTPUT -p tcp -d google.com --dport 443 -j DNAT --to-destination 127.0.0.1:443

Then, you must create the socat tunnel (reuseaddr and fork are optional). As root:

socat TCP4-LISTEN:443,bind=127.0.0.1,reuseaddr,fork PROXY:proxy.mycompany.com:google.com:443,proxyport=3128

When your work is finished, kill the socat instance with CTRL+C and delete the now useless iptables rule (just use -D instead of -A):

iptables -t nat -D OUTPUT -p tcp -d google.com --dport 443 -j DNAT --to-destination 127.0.0.1:443

And because I like shell scripts, here goes:

#!/bin/bash
# Transparent tunnel: redirect local connections to <dest_host>:<dest_port> into a
# socat relay that forwards them through the HTTP proxy.
if [ -z "$2" ]; then
 echo "usage: $0 <dest_host> <dest_port>"
 exit 1
fi

if [ "$EUID" -ne 0 ]; then
 echo "error: must be run as root"
 exit 1
fi

PROXYHOST=192.168.100.1
PROXYPORT=3128

# Forward all outgoing traffic directed to dest_host:dest_port to the loopback interface
echo "Creating rule..."
iptables -t nat -A OUTPUT -p tcp -d "$1" --dport "$2" -j DNAT --to-destination "127.0.0.1:$2"

# Remove the rule when the script ends, including after the Ctrl+C that stops socat
# (without a trap, bash exits together with socat and the rule is left behind)
cleanup() {
 trap - EXIT INT TERM
 echo "Removing rule..."
 iptables -t nat -D OUTPUT -p tcp -d "$1" --dport "$2" -j DNAT --to-destination "127.0.0.1:$2"
 exit
}
trap cleanup EXIT INT TERM

# use socat to tunnel connections to the local port through the proxy
echo "127.0.0.1:$2 <--> $PROXYHOST:$PROXYPORT <--> $1:$2 (stop with ctrl+c)"
socat TCP4-LISTEN:"$2",bind=127.0.0.1,reuseaddr,fork PROXY:"$PROXYHOST":"$1":"$2",proxyport="$PROXYPORT"

Enjoy ;)
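A variant of the above, added here and not taken from the post or its GitHub tool: it prints the iptables and socat commands first so they can be reviewed before anything runs as root, validates the ports, pins the rule to the resolved IP address (a name in "-d" is resolved once at insertion time, and a name with several addresses yields several rules), and uses "iptables -C" so a second run does not stack a duplicate rule. PROXY_HOST/PROXY_PORT are placeholders, and getent for resolution is an assumption (glibc systems).

```shell
#!/bin/bash
# Added example: plan-and-apply helper for the iptables + socat transparent tunnel.
# PROXY_HOST / PROXY_PORT are placeholders for your own proxy (assumption).
PROXY_HOST="${PROXY_HOST:-proxy.example.internal}"
PROXY_PORT="${PROXY_PORT:-3128}"

# 1..65535, digits only
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# First IPv4 address of a name (assumes getent from glibc)
resolve4() { getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'; }

# The DNAT rule: $1 is -A (add), -D (delete) or -C (check), $2 dest ip, $3 dest port, $4 local port
dnat_rule() {
  printf 'iptables -t nat %s OUTPUT -p tcp -d %s --dport %s -j DNAT --to-destination 127.0.0.1:%s\n' "$1" "$2" "$3" "$4"
}

# The relay: $1 local port, $2 dest host (the proxy resolves it), $3 dest port
socat_relay() {
  printf 'socat TCP4-LISTEN:%s,bind=127.0.0.1,reuseaddr,fork PROXY:%s:%s:%s,proxyport=%s\n' \
    "$1" "$PROXY_HOST" "$2" "$3" "$PROXY_PORT"
}

# Print the three commands (add rule, relay, delete rule) or fail on bad input.
tunnel_plan() {   # $1 dest host, $2 dest port, $3 local port
  valid_port "$2" && valid_port "$3" || { echo "invalid port" >&2; return 1; }
  dnat_rule -A "$1" "$2" "$3"
  socat_relay "$3" "$1" "$2"
  dnat_rule -D "$1" "$2" "$3"
}

# Apply the plan as root; the rule is removed however socat ends (Ctrl+C included).
# The generated commands contain no whitespace in their arguments, so word splitting
# of $(...) runs them safely.
tunnel_run() {    # $1 dest host, $2 dest port, $3 local port
  [ "$(id -u)" -eq 0 ] || { echo "must be run as root" >&2; return 1; }
  tunnel_plan "$@" >/dev/null || return 1
  ip=$(resolve4 "$1"); [ -n "$ip" ] || { echo "cannot resolve $1" >&2; return 1; }
  # -C reports whether an identical rule exists, so re-running never stacks duplicates
  $(dnat_rule -C "$ip" "$2" "$3") 2>/dev/null || $(dnat_rule -A "$ip" "$2" "$3")
  RM_RULE=$(dnat_rule -D "$ip" "$2" "$3")
  cleanup() { trap - EXIT INT TERM; $RM_RULE; }
  trap cleanup EXIT INT TERM
  $(socat_relay "$3" "$1" "$2")
}

# usage:  ./tunnel.sh plan example.org 443 8443     (review)
#         ./tunnel.sh run  example.org 443 8443     (as root)
case "${1:-}" in
  plan) shift; tunnel_plan "$@" ;;
  run)  shift; tunnel_run "$@" ;;
esac
```

Before trusting the setup, confirm both halves are in place: "iptables -t nat -L OUTPUT -n --line-numbers" should show exactly one DNAT line for the destination, and "ss -lntp" should show socat bound to 127.0.0.1 only. The relay speaks plaintext between the application and socat, which is fine on loopback; binding it to 0.0.0.0 would expose a proxy-hop to the network.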

Thursday, June 26, 2014

How to use Socat to connect to an SSL service over a HTTP proxy

socat is in my opinion one of the best networking / relaying tools out there. Within my corporate network, I need to go through an HTTP proxy to reach the outside. Today I needed to connect to a Freenode IRC channel, using of course the IRC client of choice, irssi. Unfortunately, whilst irssi supports HTTP proxies, it fails at establishing an SSL connection when using one.

At this point, there are two possible solutions:

  • Connect using a clear-text IRC session over the proxy (which was out of consideration in my case)
  • Relay the server's SSL port to localhost over the proxy (yay)

socat turned out to be the easiest to set up and worked flawlessly. Here is the setup for this particular example:


All connections to the local port 6666 are then tunneled through the proxy and forwarded to the destination server. So if the endpoint service is SSL-enabled, connect to your local port over SSL and the session is encrypted end to end: socat and the proxy only see the TLS handshake, and the IRC client still validates the server's certificate.

Here is a small Bash script for that purpose.

#!/bin/bash
# Relay a local port to a remote host:port through the HTTP proxy (CONNECT method)
if [ -z "$3" ]; then
 echo "usage: $0 <listenport> <desthost> <destport>"
 exit 1
fi

LOCALPORT=$1
PROXYHOST=10.0.0.1
PROXYPORT=3128
DESTHOST=$2
DESTPORT=$3

# bind to loopback only, so nothing else on the network can use the relay
socat TCP4-LISTEN:"$LOCALPORT",bind=127.0.0.1 PROXY:"$PROXYHOST":"$DESTHOST":"$DESTPORT",proxyport="$PROXYPORT" &

echo "socat (pid $!) listening on 127.0.0.1:$LOCALPORT, forwarding to $DESTHOST:$DESTPORT via $PROXYHOST:$PROXYPORT"

Note: Should your proxy require authentication, the socat command must be changed to:

socat TCP4-LISTEN:$LOCALPORT,bind=127.0.0.1 PROXY:$PROXYHOST:$DESTHOST:$DESTPORT,proxyport=$PROXYPORT,proxyauth=$PROXYUSER:$PROXYPASS
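The scripts in this post and in the rdesktop post above both hard-code or hand-parse the proxy address. The added helper below (not from any of the original posts) derives the socat PROXY: address from a proxy URL in the forms $http_proxy usually takes, including credentials for the proxyauth case, and checks the relayed TLS session end to end. The 3128 fallback when no port is given is an assumption, and the host names in the usage lines are placeholders.

```shell
#!/bin/bash
# Added example: build a socat PROXY: address from an http_proxy-style URL.
# Accepts http://host:port/, host:port and http://user:pass@host:port/ .

# $1 proxy URL, $2 destination host, $3 destination port; prints the socat address
proxy_socat_addr() {
  url="${1#http://}"          # drop the scheme
  url="${url%%/*}"            # drop any path or trailing slash
  auth=""
  case "$url" in
    *@*) auth="${url%@*}"; hostport="${url##*@}" ;;   # credentials present
    *)   hostport="$url" ;;
  esac
  host="${hostport%%:*}"
  port="${hostport##*:}"
  [ "$port" = "$hostport" ] && port=3128              # no port given: assume 3128 (assumption)
  case "$auth" in
    *:*) user="${auth%%:*}"; pass="${auth#*:}" ;;
    *)   user="$auth"; pass="" ;;
  esac
  addr="PROXY:$host:$2:$3,proxyport=$port"
  [ -n "$user" ] && addr="$addr,proxyauth=$user:$pass"
  printf '%s\n' "$addr"
}

# Start the relay on 127.0.0.1:$1 towards $2:$3 using $http_proxy; prints the socat pid
proxy_relay() {
  socat TCP4-LISTEN:"$1",bind=127.0.0.1,reuseaddr "$(proxy_socat_addr "$http_proxy" "$2" "$3")" &
  echo $!
}

# Check that what answers on the local port really is the destination's certificate:
# the SNI name and the verification are those of the remote server, not of the proxy.
# $1 local port, $2 destination host (used for SNI and hostname verification)
relay_tls_check() {
  openssl s_client -connect "127.0.0.1:$1" -servername "$2" -verify_hostname "$2" </dev/null 2>/dev/null |
    grep -E '^ *Verify return code|^subject='
}

# usage (placeholders):
#   export http_proxy=http://proxy.mycompany.com:8080/
#   pid=$(proxy_relay 6666 irc.example.net 6697)
#   relay_tls_check 6666 irc.example.net      # expect "Verify return code: 0 (ok)"
#   kill "$pid"
```

The proxyauth credentials travel to the proxy as an HTTP Basic header, so keep $http_proxy out of shell history and world-readable rc files when it carries a password. The openssl check is the one worth running once after setting up a relay: it proves the TLS endpoint seen through the tunnel is the intended server, which is exactly what the intercepting-proxy scenario in the other posts would break.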

Monday, April 7, 2014

Add Burp Root CA into a Java Trust Store

Recently during a pentest I stumbled upon a thick client in Java that came with a configuration file (*.properties) referring to a Java Trust store:

# The following property specifies where the TrustStore file
# containing the trusted CA certificates or trusted certificates 
# can be found.
javax.net.ssl.trustStore=cert/clientTrustStore.jks

An SSL trust store is basically a container holding all the server certificates (or the CA certificates) that the client trusts.
This client was making an SSL connection to an endpoint web service. To be able to put myself in the middle of the protocol, I had to add Burp's CA certificate to this trust store.

1. Brute force the truststore password.

Here, a good old bash loop calling keytool with a dictionary file did the trick (note that keytool prints its errors on stdout, which is why they still show up despite 2>/dev/null):

$ for pwd in $(cat ~/pentest/dictionary/most_used_pwd.txt); do (keytool -list -keystore cert/clientTrustStore.jks -storepass "$pwd" 2>/dev/null) && echo FOUND PASSWORD $pwd; done
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 5 entries

(hidden), 06/06/2013, trustedCertEntry,
Certificate fingerprint (MD5): 8D:B8:(hidden):41:1B
(hidden), 25/02/2014, trustedCertEntry,
Certificate fingerprint (MD5): 15:37:(hidden):25:E9
(hidden), 02/04/2014, trustedCertEntry,
Certificate fingerprint (MD5): E4:61:(hidden):59:BE
(hidden), 06/06/2013, trustedCertEntry,
Certificate fingerprint (MD5): 32:DE:(hidden):BB:4D
(hidden), 25/02/2014, trustedCertEntry,
Certificate fingerprint (MD5): CB:17:(hidden):FA:1C
FOUND PASSWORD password


2. Add Burp's CA certificate to the trust store

Well, ok, here the password was "password". So I could list the contents of my client trust store. Now, adding Burp's root CA is easy. Just create a listener within Burp, use it as a proxy, browse to any https website, and display the certificate chain. Save the root CA certificate to a file.

Then, to add this root CA to your trust store (the alias is the name the entry will show up under in the listing):
keytool -import -keystore cert/clientTrustStore.jks -file PortSwiggerCA.cer -alias portswiggerca -storepass password

3. Start playing

To confirm that your certificate has been added to the trust store, list its contents with the keytool "-list" command used in the brute force above:
$ keytool -list -keystore cert/clientTrustStore.jks -storepass password
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 6 entries

(hidden), 06/06/2013, trustedCertEntry,
Certificate fingerprint (MD5): 8D:B8:(hidden):41:1B
(hidden), 25/02/2014, trustedCertEntry,
Certificate fingerprint (MD5): 15:37:(hidden):25:E9
(hidden), 02/04/2014, trustedCertEntry,
Certificate fingerprint (MD5): E4:61:(hidden):59:BE
(hidden), 06/06/2013, trustedCertEntry,
Certificate fingerprint (MD5): 32:DE:(hidden):BB:4D
(hidden), 25/02/2014, trustedCertEntry,
Certificate fingerprint (MD5): CB:17:(hidden):FA:1C
portswiggerca, 02/04/2014, trustedCertEntry,
Certificate fingerprint (MD5): E4:61:D7:52:FB:7A:28:61:71:0F:FF:09:9A:47:59:BE
Now you can proxy your client app through Burp and start playing with the protocol!
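Seen from the other side, the very same listing is what a defender checks for: an extra trustedCertEntry in a client's trust store is the footprint this post leaves behind. The added script below (not part of the original post) parses "keytool -list" output in the format shown above and reports every entry whose fingerprint is not on an approved list. The listing and the fingerprints in the sample are constructed, except the portswiggerca entry which is taken from the output above.

```shell
#!/bin/bash
# Added example: audit a "keytool -list" listing against approved fingerprints.
# The sample listing is constructed in the format keytool prints.

# Print "alias fingerprint" for every trustedCertEntry of the listing passed in $1
parse_keytool_list() {
  printf '%s\n' "$1" | awk '
    /trustedCertEntry,?[ \t]*$/ { alias = $0; sub(/,.*/, "", alias); next }
    /^Certificate fingerprint/  { fp = $0; sub(/^Certificate fingerprint \([^)]*\):[ \t]*/, "", fp)
                                  print alias " " fp }'
}

# Print the entries of listing $1 whose fingerprint is missing from the approved list $2
# (one fingerprint per line, case-insensitive). Returns 1 when anything unexpected is found.
audit_trust_store() {
  found=0
  while read -r alias fp; do
    [ -n "$alias" ] || continue
    if ! printf '%s\n' "$2" | grep -qixF -- "$fp"; then
      printf '%s %s\n' "$alias" "$fp"
      found=1
    fi
  done <<EOF
$(parse_keytool_list "$1")
EOF
  return $found
}

# Constructed sample: one corporate CA, plus the Burp CA added in the post
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

corp-root-ca, 06/06/2013, trustedCertEntry,
Certificate fingerprint (MD5): 8D:B8:00:11:22:33:44:55:66:77:88:99:AA:BB:41:1B
portswiggerca, 02/04/2014, trustedCertEntry,
Certificate fingerprint (MD5): E4:61:D7:52:FB:7A:28:61:71:0F:FF:09:9A:47:59:BE'

# Approved fingerprints (constructed); in practice keep this list under version control
APPROVED_FINGERPRINTS='8D:B8:00:11:22:33:44:55:66:77:88:99:AA:BB:41:1B'

# usage against a real store (placeholder path and password):
#   audit_trust_store "$(keytool -list -keystore cert/clientTrustStore.jks -storepass password)" "$APPROVED_FINGERPRINTS"
```

Run the audit from the deployed client's trust store file, not from a copy in the build tree, since that is where an injected CA ends up. The fact that the store password was in a wordlist is the other finding here: a JKS protected by "password" is readable by anyone who can read the file, so the real control is file permissions and pinning on the client, not the store password.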

Thursday, March 6, 2014

[Debian/Ubuntu/Gnome] Set the proxy settings system-wide (apt, bash, wget, ssh, git, svn)

If you often change network locations or work with different network settings, you may find it annoying to update your proxy settings every time in all the configuration files (/etc/apt/apt.conf, ~/.ssh/config, maybe proxychains, environment variables and Gnome settings).

I use the following script to update the settings in every location. I may add other files to the script when required.

Currently the script will update your proxy settings for:

  • Apt (if running as root)
  • Proxychains (if running as root)
  • Firefox
  • Chrome / Gnome / System proxy
  • SSH (for entries already containing "ProxyCommand")
  • Bash / Wget / any program using the $http_proxy environment variable
  • Git
  • SVN

Note: Some of the proxy tunnels (ssh, git) are configured to use socat, so you need to install it beforehand.

#!/bin/bash
# Update the proxy settings in every location at once.
# usage: proxy.sh <proxy ip> <proxy port> [ <proxy user> <proxy pass> ]

if [ -z "$2" ]; then
 echo "usage: $0 <proxy ip> <proxy port> [ <proxy user> <proxy pass> ]"
 exit 1
fi

if [ "$EUID" -eq 0 ]; then
 # Apt.conf
 echo "updating apt.conf..."
 if [ $# -eq 4 ]; then
  echo "Acquire::http::Proxy \"http://$3:$4@$1:$2/\";" > /etc/apt/apt.conf
 else
  echo "Acquire::http::Proxy \"http://$1:$2/\";" > /etc/apt/apt.conf
 fi
 # the file may carry the proxy password: readable by root only
 chmod 600 /etc/apt/apt.conf

 # Proxychains
 if [ -e /etc/proxychains.conf ]; then
  echo "updating proxychains.conf..."
  {
   echo strict_chain
   echo tcp_read_time_out 15000
   echo tcp_connect_time_out 8000
   echo '[ProxyList]'
   if [ $# -eq 4 ]; then
    echo "http $1 $2 $3 $4"
   else
    echo "http $1 $2"
   fi
  } > /etc/proxychains.conf
  chmod 600 /etc/proxychains.conf
 fi
else
 echo "Warning: Must run as root to update all config files (skipped: apt, proxychains)"
fi

# Firefox: use the first profile listed in profiles.ini (with several profiles, grepping
# every Path= line would produce a broken path). Firefox must be closed, otherwise it
# overwrites prefs.js on exit.
PROFILE_DIR=$(sed -n 's/^Path=//p' "${HOME}/.mozilla/firefox/profiles.ini" 2>/dev/null | head -n 1)
PREFS_FILE="${HOME}/.mozilla/firefox/${PROFILE_DIR}/prefs.js"
if [ -n "$PROFILE_DIR" ] && [ -e "$PREFS_FILE" ]; then
 echo "updating firefox config..."
 # drop the previous network.proxy.* settings, then append the new ones
 sed -i '/^user_pref("network.proxy./d' "$PREFS_FILE"
 {
  echo "user_pref(\"network.proxy.ftp\", \"$1\");"
  echo "user_pref(\"network.proxy.ftp_port\", $2);"
  echo "user_pref(\"network.proxy.http\", \"$1\");"
  echo "user_pref(\"network.proxy.http_port\", $2);"
  echo "user_pref(\"network.proxy.share_proxy_settings\", true);"
  echo "user_pref(\"network.proxy.socks\", \"$1\");"
  echo "user_pref(\"network.proxy.socks_port\", $2);"
  echo "user_pref(\"network.proxy.socks_remote_dns\", true);"
  echo "user_pref(\"network.proxy.ssl\", \"$1\");"
  echo "user_pref(\"network.proxy.ssl_port\", $2);"
  echo "user_pref(\"network.proxy.type\", 1);"
 } >> "$PREFS_FILE"
fi

# ssh: rewrite the existing "ProxyCommand socat ..." lines (hosts without one are untouched)
if [ -e ~/.ssh/config ]; then
 echo "updating ssh config..."
 if [ $# -eq 4 ]; then
  CFG="ProxyCommand socat - PROXY:$1:%h:%p,proxyport=$2,proxyauth=$3:$4"
 else
  CFG="ProxyCommand socat - PROXY:$1:%h:%p,proxyport=$2"
 fi
 sed -i -r "s/ProxyCommand socat (.*)/$CFG/g" ~/.ssh/config
 chmod 600 ~/.ssh/config
fi

# Bash / Wget / anything honouring $http_proxy
if [ -e ~/.bashrc ]; then
 echo "updating ~/.bashrc..."

 sed -i '/export http[s]*_proxy=/d' ~/.bashrc

 if [ $# -eq 4 ]; then
  echo "export http_proxy=http://$3:$4@$1:$2/" >> ~/.bashrc
 else
  echo "export http_proxy=http://$1:$2/" >> ~/.bashrc
 fi

 echo "export https_proxy=\$http_proxy" >> ~/.bashrc

 # only affects this script; re-source ~/.bashrc in your own shell
 source ~/.bashrc
fi

# Gnome / system
echo "updating system proxy..."
if [ $# -eq 4 ]; then
 gsettings set org.gnome.system.proxy.http authentication-user "$3"
 gsettings set org.gnome.system.proxy.http authentication-password "$4"
else
 gsettings set org.gnome.system.proxy.http authentication-user ""
 gsettings set org.gnome.system.proxy.http authentication-password ""
fi
gsettings set org.gnome.system.proxy mode "manual"
gsettings set org.gnome.system.proxy.http host "$1"
gsettings set org.gnome.system.proxy.http port "$2"
gsettings set org.gnome.system.proxy.ftp host "$1"
gsettings set org.gnome.system.proxy.ftp port "$2"
gsettings set org.gnome.system.proxy.https host "$1"
gsettings set org.gnome.system.proxy.https port "$2"
gsettings set org.gnome.system.proxy ignore-hosts "['localhost', '127.0.0.0/8', '10.0.0.0/8', '192.168.0.0/16', '*.localdomain.com', '*.mycompany.com' ]"

# Git: core.gitproxy only covers git:// URLs and must point at an executable;
# http(s):// remotes use http.proxy instead
if [ -e ~/.gitconfig ]; then
 echo "updating git..."
 if [ $# -eq 4 ]; then
  echo "exec socat STDIO PROXY:$1:\$1:\$2,proxyport=$2,proxyauth=$3:$4" > ~/.gitproxy
  git config --global http.proxy "http://$3:$4@$1:$2/"
 else
  echo "exec socat STDIO PROXY:$1:\$1:\$2,proxyport=$2" > ~/.gitproxy
  git config --global http.proxy "http://$1:$2/"
 fi
 chmod 700 ~/.gitproxy
 git config --global core.gitproxy ~/.gitproxy
fi

# SVN
if [ -e ~/.subversion/servers ]; then
 echo "updating subversion..."
 if [ $# -eq 4 ]; then
  sed -i "s/^[# ]*\(http-proxy-username\).*/\1 = $3/" ~/.subversion/servers
  sed -i "s/^[# ]*\(http-proxy-password\).*/\1 = $4/" ~/.subversion/servers
 else
  sed -i 's/^\(http-proxy-username.*\)/# \1/' ~/.subversion/servers
  sed -i 's/^\(http-proxy-password.*\)/# \1/' ~/.subversion/servers
 fi
 sed -i "s/^[# ]*\(http-proxy-host\).*/\1 = $1/" ~/.subversion/servers
 sed -i "s/^[# ]*\(http-proxy-port\).*/\1 = $2/" ~/.subversion/servers
fi