Proxies - Part 1
This time on Hak5, we begin a special series on proxies. Caching, filtering, security or anonymity -- whatever your reasons may be, Darren and I are exploring the ins and outs of this great technology from the ground up. All that and more!
Basically a proxy is a technology that enables one to bounce their Internet traffic off, or tunnel Internet traffic through, a third-party server. Typically this is a Linux box running a daemon, but there are plenty of types of proxies, as well as reasons to use 'em. So why do we have proxies? Well, this won't cover everything, but here's a few examples: Why would you want to proxy?
Security - keep your web traffic encrypted. For me it's all about security. Most proxies employ encryption, encapsulating each packet into a private tunnel so that would-be eavesdroppers can't peer in on your surfing. I don't care if it's open wifi at the airport or a wired hotel LAN -- if it isn't my network I don't trust it.
I hate it when network operators do this, and I'm sure you've encountered it. It turns out there's porn on the Internet. That, um, isn't what I've encountered -- I'm talking about when sysops use proxies to filter content. Whether it's a DNS blacklist or content keywords, proxies can be used to shut down browsing to sites the operator deems inappropriate, whether that's porn or blogs criticizing a draconian government.
Likewise proxies are a great weapon against censorship. During the 2011 Egyptian Revolution, and following the January 25th protest, access to Twitter and Facebook from within the country was blocked.
Speed up web browsing with a caching proxy like Squid, which is implemented in a lot of the more advanced open source routers we like, including Smoothwall and Untangle. The idea being that it holds copies of a web page or other resource in its cache, so if Darren visits Zombo.com in the morning and then I go there in the afternoon I grab a local copy, thus saving bandwidth and speeding up the network.
Like a WiFi Honeypot or a Man-in-the-middle attack, a proxy can facilitate eavesdropping by routing traffic from a client, or victim in this case, through an eavesdropper's server. This enables the kind of packet sniffing mischief you might imagine -- password snooping, URL snarfing, stealing of cookies and session hijacking, even altering content in transit. You know, the same kind of stuff your ISP could do - but doesn't... Or do they? Nah.... But SRSLY.
Traveling abroad and need access to resources on your office network? There's a proxy for that. By basically bridging two or more networks, a proxy can enable access to stuff like printers, internal web servers, even private peer-to-peer networks or Darknets. Who doesn't like a little privacy with their file sharing?
Network proxies can provide some level of anonymity by making it difficult to trace Internet activity. The most notable examples include The Onion Router and I2P, the Invisible Internet Project. We're working up a special episode on these, but suffice it to say if you're a fan of freedom and privacy these are for you. Just be aware that they aren't foolproof. In design these networks don't account for a global passive adversary, you know - like the NSA.
There are more proxy types and implementations than you can shake a stick at, but we'll cover a few of the more popular ones and get into the practice soon.
Types of Proxies
Forwarding Proxies: Typically speaking a forwarding proxy is a private service set up for one or more users that forwards or relays Internet traffic. An example would be a SOCKS proxy set up on a Virtual Private Server that you maintain and only you have access to. Use of this proxy requires authentication, and once connected some or all of your Internet traffic is routed through this host.
Open Proxies: similar to a forwarding proxy, except that authentication isn't required. These open proxies or anonymous proxies are generally available to anyone on the Internet. Most HTTP or web based proxies don't require a whole lot of skill or network configuration to use. For example, visiting the open proxy darkbrowsing.com allows a user to pull up pages like Twitter and Facebook without actually going to those domains. As far as a network operator is concerned the user is only visiting the proxy, and the subsequent web pages are requested on the proxy's behalf.
Reverse Proxies: a reverse proxy facilitates connections between two networks, often making it possible to access an internal resource which is otherwise inaccessible from the Internet. A good example of this would be a WiFi Pineapple in the wild connecting back to my VPS in the cloud, allowing me to proxy through the VPS and into my Pineapple. We'll get into this in practice soon.
The nice thing about this reverse proxy setup is that it's able to overcome NAT.
NAT, or Network Address Translation, is a gateway (typically your home router) which assigns private IP addresses to each connected client, then allows all of those clients to access the Internet through a single public IP address. Since each machine on a NATed network doesn't actually have its own public IP address, it is more difficult to run a server, like SSH. Typically port forwarding is necessary to allow incoming connections to get routed to the right machine inside the network. But outgoing traffic doesn't have this limitation. Thus the reverse proxy is able to establish its connection without any special network configuration, a lovely technique we know as "NAT Traversal".
SOCKS Proxy: Our favorite implementation
SOCKS stands for SOCKet Secure and it's an Internet protocol that allows you to route your network traffic through a proxy server.
- Originally developed by David Koblas, a sysadmin at MIPS, in '92
- Later extended to version 4 by Ying-Da Lee at NEC
- And finally version 5 was approved by the Internet Engineering Task Force in '96
- Can be used with Secure SHell - a network protocol for secure communication to remote shells
- Operates at a lower level than HTTP proxying
- Able to be used for any TCP or UDP connection
- Two mainstream types of SOCKS proxies, SOCKS4 and 5
- SOCKS5 allows for use of IPv6, UDP and DNS lookups so it is preferred
Basic Client Setup in Linux
ssh -D 8080 user@host
The -D option, from the man page:
Specifies a local dynamic application-level port forwarding. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine.
Keep in mind this option requires superuser privileges so you may need to use sudo or similar root execution utility.
Warning: The basic client setup illustrated here uses password-based authentication, which goes against security best practices. The next episode in this series will address this setup. Use of password-based authentication is not advised.
Basic Client Setup in Windows
Begin by downloading PuTTY, the gold standard in SSH on Windows.
Open PuTTY, enter your host information, then expand SSH > Tunnels. Enter a port between 1025 and 65535, check Dynamic and enter localhost or 127.0.0.1 as the IP address. Click Add, then Open. An SSH session will open, typically prompting for username and password. Note: We will expand on this shortly with key-based authentication.
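The SOCKS5 messages behind the bullet list above and behind the ssh -D / PuTTY "Dynamic" listeners, as an added example that is not part of the episode's notes: it builds the greeting and CONNECT request an application sends to the local listener (127.0.0.1:8080 for the ssh -D line above) and parses the proxy's replies, which is how the remote SSH server learns where to connect. Function names are mine; the message layout follows RFC 1928 and no network access is needed to run it.

```python
import socket
import struct
# Added example (not from the episode): the SOCKS5 exchange (RFC 1928) that
# an application speaks to the local listener created by "ssh -D 8080".
VER, NO_AUTH, CMD_CONNECT = 5, 0x00, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLIES = ("succeeded", "general SOCKS server failure", "not allowed by ruleset",
           "network unreachable", "host unreachable", "connection refused",
           "TTL expired", "command not supported", "address type not supported")

def build_greeting() -> bytes:
    # VER=5, one method offered: NO AUTH. ssh -D adds no SOCKS-level
    # authentication; the SSH session itself is the authenticated channel.
    return bytes([VER, 1, NO_AUTH])

def parse_method_reply(data: bytes) -> int:
    if data[0] != VER or data[1] == 0xFF:
        raise ConnectionError("proxy rejected our authentication methods")
    return data[1]

def build_connect_request(host: str, port: int) -> bytes:
    # A hostname is sent as ATYP=3 so the far end resolves it: the "DNS
    # lookups" advantage of SOCKS5, which also keeps the query off the LAN.
    for atyp, fam in ((ATYP_IPV4, socket.AF_INET), (ATYP_IPV6, socket.AF_INET6)):
        try:
            addr = bytes([atyp]) + socket.inet_pton(fam, host)
            break
        except OSError:
            continue
    else:
        raw = host.encode("idna")
        if len(raw) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(raw)]) + raw
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)

def parse_connect_reply(data: bytes) -> tuple:
    # Returns (bound host, bound port) on success; raises on a SOCKS error.
    ver, rep, _rsv, atyp = data[:4]
    if ver != VER or rep != 0x00:
        raise ConnectionError(REPLIES[rep] if ver == VER and rep < len(REPLIES) else "bad reply")
    if atyp == ATYP_DOMAIN:
        host, rest = data[5:5 + data[4]].decode("idna"), data[5 + data[4]:]
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        fam, n = (socket.AF_INET, 4) if atyp == ATYP_IPV4 else (socket.AF_INET6, 16)
        host, rest = socket.inet_ntop(fam, data[4:4 + n]), data[4 + n:]
    else:
        raise ConnectionError("address type not supported")
    return host, struct.unpack("!H", rest[:2])[0]
```

A client that sends an already-resolved IP instead of a hostname leaks its DNS lookups to the local network, which is why browsers offer a "proxy DNS when using SOCKS v5" setting.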