SShuttle and Linux Talk

This time on the show, can an SSH Proxy become a VPN? We're bridging networks with a wicked Python script. It's what happens when a transparent proxy gets together with a VPN and SSH. That's like a networking threesome! Plus, secure chat in Linux! All that and more, this time on Hak5!

"VPN" with this SSH hack!

Sshuttle bills itself as "where transparent proxy meets VPN meets ssh". It's not exactly a VPN, nor is it port forwarding. It's like a VPN in that it forwards every port on the network - not just ports you specify like with an SSH tunnel. This is nice because you don't have to remember which port is mapped to which service.

That said, it is sort of like port forwarding since it's a stateful connection, whereas a VPN traditionally forwards your data one packet at a time. The sshuttle authors explain that it's similar to an old program by the name of Slirp, which was a userspace TCP/IP implementation that operated on a packet-by-packet basis. It would encapsulate the packet and send it over to the server on the other side. The problem with this is that TCP inherently needs packet loss to function. That's how a TCP connection knows to slow down. When each individual TCP packet is encapsulated in a second TCP packet, only the outside layer will adjust to packet loss, and the inner connection never learns of any connection errors.

So what sshuttle does is statefully assemble packets into logical TCP streams on your computer before sending them out to the remote host over an SSH connection. For those who are into useless trivia there's plenty of tech lore on the project's GitHub page. Suffice it to say, if you're running Linux, FreeBSD or macOS, you have SSH access to the remote machine "in da cloud" (whether you have admin access on it or not), and you want to make an easy VPN-like tunnel without getting into all of the port-forwarding fu we extensively got into last season - Sshuttle is for you!

To get started you'll need root privs on your client machine. You'll also need both Python and iptables installed - which is the default on most distros. The server, on the other hand, doesn't need either of these; any plain-jane VPS will do.

Start by cloning the git repository:

git clone git://github.com/apenwarr/sshuttle

From the sshuttle directory you can invoke sudo ./sshuttle. I like to use the options --dns (which keeps my DNS queries from leaking out) and -vvr (for very verbose, and r for remote), followed by user@host (root@173.214.161.55) and 0/0 (which is a shortcut for 0.0.0.0/0, or all connections). If you wanted only some traffic to go through this ssh tunnel vpn thingy you could provide CIDR notation here.

That's it! If I do the ol' ipchicken.com before and after, you'll see all of my traffic is going through the sshuttle instance without any special configuration of my browser. You don't need to install sshuttle on the remote host - it invokes it remotely for you! You can get as advanced as you like with it since it's using iptables on the backend. For example:

You can exclude certain TCP traffic using the -x option, which excludes IP addresses:

sshuttle --dns -vr ssh_server -x 121.9.204.0/24 -x 61.135.196.21 0/0

To tunnel only certain TCP traffic, specify the IP addresses or IP ranges that need tunneling:

sshuttle -vr ssh_server 121.9.204.0/24 61.135.196.21
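To see which destinations stay off the tunnel under the two command lines above, here is a small model of the include/exclude decision. It is an added example, not sshuttle's own code; it assumes the most specific subnet wins, that an exclude beats an include of equal width, and that shorthand like 0/0 pads missing octets with zeros. The destination list is constructed sample data.

```python
import ipaddress


def parse_subnet(text):
    """Expand shorthand such as '0/0' or a bare address into an IPv4 network."""
    addr, _, width = text.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))  # assumption: missing octets are zero
    full = ".".join(octets) + "/" + (width or "32")
    return ipaddress.ip_network(full, strict=False)


def build_rules(include, exclude):
    """Return (network, tunneled) pairs ordered the way this model evaluates them."""
    rules = [(parse_subnet(s), True) for s in include]
    rules += [(parse_subnet(s), False) for s in exclude]
    # Assumption: most specific prefix first; on a tie the exclude comes first.
    rules.sort(key=lambda rule: (-rule[0].prefixlen, rule[1]))
    return rules


def is_tunneled(dest, rules):
    """True if traffic to dest would be sent through the SSH tunnel."""
    ip = ipaddress.ip_address(dest)
    for net, tunneled in rules:
        if ip in net:
            return tunneled
    return False  # no rule matched: traffic leaves over the local network


def direct_destinations(dests, rules):
    """Destinations that bypass the tunnel, i.e. what the local network still sees."""
    return [d for d in dests if not is_tunneled(d, rules)]


# The two command lines from the text, expressed as rule sets.
EXCLUDE_MODE = build_rules(["0/0"], ["121.9.204.0/24", "61.135.196.21"])
INCLUDE_MODE = build_rules(["121.9.204.0/24", "61.135.196.21"], [])

# Constructed sample destinations (192.0.2.10 is a documentation address).
DESTS = ["121.9.204.17", "61.135.196.21", "61.135.196.22", "192.0.2.10"]

if __name__ == "__main__":
    print("0/0 with -x, direct:", direct_destinations(DESTS, EXCLUDE_MODE))
    print("subnets only, direct:", direct_destinations(DESTS, INCLUDE_MODE))
```

Running the same destination list through both rule sets is a quick way to confirm that a split-tunnel setup sends only what you intended outside the tunnel.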

VPN to office network:

sshuttle -NHvr office_ssh_server

The -N flag tells sshuttle to figure out by itself the IP subnets to forward, and the -H flag tells it to scan for hostnames within remote subnets and store them temporarily in /etc/hosts.


Using Talk in Linux

First add a user on your machine: sudo adduser hak5darren, and follow the on-screen directions. Have Darren SSH into my machine's IP address using OpenSSH (apt-get install openssh-server). Install talkd and talk. Type talk hak5darren@localhost to chat w/ Darren. Make cute characters for your friends.


Feedback

"Cory from Tennessee says: Looking back on some previous episodes and I wanted to give a call out for the pagekite setup. (which I love BTW!). Remember to set your SSH proxy to HTTP 443! (required by PUTTY)"

"Martin from Louisville asks: I have backtracked and watched a few episodes of Hak5 concerning multi-boot USB's. What is your current favorite to date ...xBoot or Katana? ...or is there another one that you suggest?"

"James from Salem says: Darren, glad to see you finally getting into Tasker. It's a wonderful program where your imagination is the limit. When I started getting into the pineapple I discovered that Tasker would give me an automated way of making sure I wasn't a victim. The profile I am using is:

If wifi near "Jasager_Attack_aBc132"
Alarm volume level 7
wifi set to off
play loudest, most obnoxious alarm I have
pop-up a notification "Warning! Pineapple within range!"

I also reduced the scan time for wifi to make sure I was alerted faster than the default time (60 seconds vs. 3 minutes)."