Jay Taylor's notes

back to listing index

CorkScrew: A tool for tunneling SSH through HTTP proxies | Hacker News

[web search]
Original source (news.ycombinator.com)
Tags: SSH tools proxy tunneling news.ycombinator.com
Clipped on: 2019-10-30

Image (Asset 1/3) alt=

Image (Asset 2/3) alt=
Recently on a cruise ship I found my SSH access blocked.

And HTTP proxies were blocked too.

So I used a WebSocket proxy and that worked great. I highly recommend wstunnel.


Image (Asset 3/3) alt=
Nice find! Thanks. I have some other tools for being productive from "constrained" environments. I'm running ttyd [1] exposed trough nginx (to deal with auth and ssl) which gives me a terminal in the browser (using xtermjs). It's pretty good. Another option I used before was shellinabox [2] (also trough nginx). Terminal emulation is not the greatest. For GUI access i use NoVNC (exposed trough nginx) and have a systemd unit starting vncserver session.

[1] https://github.com/tsl0922/ttyd [2] https://github.com/shellinabox/shellinabox [3] https://github.com/novnc/noVNC

"Recently on a cruise ship I found my SSH access blocked."


"And HTTP proxies were blocked too."

What would the possible rationale for this be ? I can understand these being blocked in, say, a non-western hotel inside mainland China ... or in a .gov lobby ... or ... ?

But on a cruise ship - the maintainers of that network must know that guests on the ship might have remote work to do - or just workflows that involve something beyond "the web".

Further, the bandwidth generated by web usage typically dwarfs bandwidth usage over VPNs or actual SSH ...

What are they thinking ?

They have likely blocked every port except 80 and 443, in a misguided attempt to either limit bandwidth or increase security. I have seen such systems in some hospitals, it was pretty annoying.

Wait, so how did you start the other end of the tunnel if you were already on the cruise ship with restricted access? Did you already have it running ahead of time?

I was still in cell range when I discovered that, so I tethered and set up an AWS micro with wstunnel.

Otherwise, I could have done it with my web browser, using EC2 user data scripts, but that would have taken longer to get right.

Google's cloud shell is handy for this, provided you trust them for this narrow use.

Any indication if it was deep packet inspection or just a port block?

> P.S: Please do not pay attention to Main.hs because as I hate to write command line code this file is crappy

Well thank you for directing me to the most entertaining readme I've seen in a while... Though of course we should appreciate a developer willing to admit to their weak spots; good show.

Don't get fooled, this is a maintainer's trick to make you read the code (and Main.hs is the entry point!). :-)

You may enjoy this README, written by a friend: https://github.com/tbodt/ish#a-note-on-the-jit

> So a warning: Long-term exposure to this code may cause loss of sanity, nightmares about GAS macros and linker errors, or any number of other debilitating side effects. This code is known to the State of California to cause cancer, birth defects, and reproductive harm.

Beautiful; thanks for sharing:)

Were VPN's blocked too?

Definitely. I doubt you'll ever see SSH blocked but not VPNs.

Bash only version:

  Host github.com
    User git
    ProxyCommand /bin/bash -c 'exec 3<>/dev/tcp/$PROXY_IP/$PROXY_PORT; printf "CONNECT %h:%p HTTP/1.1\n\n" >&3; cat <&3 & : ; exec cat >&3'

Some distributions don't have /dev/tcp enabled in bash, though.

socat can help in that case, if it's available. But I wonder if socat is available on the same distributions by default.

some variant of netcat (nc) is generally available on most distros.

OpenVPN can connect through http proxies as well in case if you want to tunnel all kinds of traffic


Proxychains and especially socat är really handy tools for borrowing through filtering firewalls.

Socat is somewhat difficult to use though. But IMHO the best one.

This is part of the standard toolkit at Telstra - otherwise nothing would get done.

Always great to have more tools that can do this sort of thing. I used to use desproxy for this almost 20 years ago back in my windows days:


What's the difference with `ProxyCommand nc -X connect -x proxy_ip:port %h %p` ?

whats the 'new' about corkscrew? maintainer changed? i see no recent commits with new stuff?

> Corkscrew is a tool for tunneling SSH through HTTP proxies, but... you might find another use for it.

What are some of the other uses for this?

Some companies force everything through a proxy. This is common with big telcos and banks. So even if you want to SSH into a machine from your workstation/desktop you probably want something like this. We used it for so much more though - because it's not just a proxy between your workstation - but there's many different bastion proxies situated all over the place isolating and guarding networks.

So at the end of the day it's really just a productivity tool like your calendar or email program, except this is used because corporate security is egregiously bad.

I think they are implying that the code of wrapping binary data up and going through an HTTP proxy might prove useful for another project.

It requires CONNECT method to be enabled in the proxy, am I right?

Yes you are.

There is also htc/hts HTTPTunnel.

Players tunnel SSH through DNS.

iodine is one of the many tools to do that. The best are not distributed, to avoid creation of DPI rules.

cloudflare is doing something similar on with wireguard.

A former coworker and I used to do friendly red-team/blue-team challenges with each other. He tunneled traffic through a test DNS server and my goal was to limit the usefulness or block it. Blocking it was very difficult. I had to limit window sizes. Unbound can do this native. With bind I had to use iptables. Both Unbound and Bind could limit the packet rate. Unbound had the most granular controls around limits per domain/tld/ip.

Tampering with window sizes would most certainly break some things, like DNSSEC and zone transfers.

iodine is great for getting free Wi-Fi too. Most captive portals don't block DNS, but just do HTTP redirects. You can pump all your traffic over DNS to an iodine server you have setup on a VM (it's not encrypted, so for the very paranoid, run OpenVPN or Wireguard through your iodine tunnel).

Note: this is most likely illegal .. in every jurisdiction. So .. don't actually do this.

> Note: this is most likely illegal .. in every jurisdiction. So .. don't actually do this.

Sad if true. If a service is providing public DNS access without any service agreement, I don't see how making DNS queries with it could be illegal, especially on a public radio channel.

You might be right, but how?

It's certainly within their right to ban you by filtering out certain queries though.

It's theft of service.

Remember as abstract as the law can be, the legal system is not going to be amused by contrivances like "they were offering DNS service free and clear, so tunneling youtube over DNS is fine"

The legal system is going to understand that you were trying to circumvent paying for services and treat it appropriately.

How can it be theft of service when they can deny you service at any time automatically by identifying abnormally heavy users and removing them?

This isn't like bypassing the electrical grid by running your own line from somebody else's service.

This is like saying it's theft of service to read a chapter in the bookstore. If you hang out there all day, you might get kicked out, but that's not a crime.

The courts might agree with you, but only because "computers are hard".

There's a world of difference between tunneling over DNS and compromising servers. Or at least, there should be.

That’s exactly like bypassing the electrical grid.

It’s like having a “free” street light and, instead of just enjoying the light, you pull its cables and plug your AC in.

The free service is just for the light.

Can I use my solar powered calculator under a street light? Or is that theft of service too?

The light is free. The electricity isn't.

I suppose adblock is theft too?

Opinion differs, but many ad-supported sites would say yes. I'm not sure if it has every been tested in court. "Fare dodging" might be a better concept to compare this to.

"by identifying abnormally heavy users and removing them" - That costs money, ergo, theft. It's like if someone had to hire a security guard for a vending machine.

Or even just let those users alone. Users aren't stealing service if it's not even the same service. It's much slower than buying wifi from the captive portal.

DNS tunnelling is not fast or convenient. Places deploying captive portals have probably looked at the risk to their business from it and have decided not to worry about it.

I can't believe that using a slow DNS connection, intentionally made public, to tunnel traffic would be considered theft or criminal.

How many free samples do I have to eat before I'm a theif? I don't believe I'm a thief until the offer for free samples is rescinded.

I would imagine at the very least you would degrade DNS resolution times for legitimate users since there would be a lot more requests than usual

Iirc, tunneling with iodine is somewhat slow, so

> tunneling youtube over DNS is fine

probably wasn't going to work very well anyway. (Happy to be corrected if I'm wrong, though!)

Apart from the theft angle it's also knowingly and maliciously circumventing access control systems. That's usually covered under anti-hacking laws

I'm floored that this is apparently how people are reasoning about the world now. Especially on HN.

There is no circumventing of any access control here. If a service is giving a public access point, on public spectrum, and they let you connect, and they allow you to use DNS, you should be able to use DNS however their access control systems allow you to use it.

Now if you find an exploit in their captive portal that allows you access to their service, then sure, that's illegal, because you're breaking into something.

You can't circumvent access controls if the access control list is wide open.

The intent is that you have to pay to use the WiFi. Even if you find a clever technical way to circumvent that that, the judge will see what you were trying to do: avoid paying for the service is offered. The court is not a computer and a judge will use their human brain to make a judgement of your intent.

Indeed, sometime I'm also floored about the lack of openness here.

As I often say, self-proclaimed nerds who can't imagine life without a big brother taking care of things love to complain and complain and complain.

The ages of relying on oneself and technology seems gone. Cover-your-ass for 'nerds'

I'll be happy to sell these self proclaimed 'nerds' lessons about how to secure a captive portal with iptables, so that no DNS or HTTP/S or ICMP can go through until the login is entered and the TOS validated.

>>Indeed, sometime I'm also floored about the lack of openness here.

Quite the opposite -- there is complete openness in this thread about the technical aspects of the circumvention or use of the technique, plus open and timely reminders regarding the potential legal ramifications of executing this technique in certain jurisdictions.

Why would it be illegal? Maybe unwise, or against your employer's policy, but not illegal.

> cloudflare is doing something similar on with wireguard.

The primary maintainer of Wireguard had some misgivings about that: https://lists.zx2c4.com/pipermail/wireguard/2019-March/00404...

cloudflare is not our friend, but another google/facebook in the making

Stuffing TXT messages in DNS queries inside DNS queries tends to be quite slow.

Yes but at times you can actually receive data normally it just that sending it will be blocked. So download bandwidth is MB/S and upload is relly slow. Some times port 53 to anywhere is available so you don't evwn need to tunnel over dns.

If your firewall doesn't let SSH go through, step1) different port like 81, step2) udp tunnel like openvpn (pick your port, SIP sometimes work), step3) tcp inside ssl tunnel on port 443, step4) http tunnel on port 80, step5) dns on port 53

Don't go to step5 if anything else work because yes, it's slow.

I don't use ICMP but some people do.

Been using this for years to get around silly corporate proxies

I'm not going to tell you how to live your life, but isn't that intentionally violating security policy and likely to end poorly? I suppose if we ignore ethical questions it might come down to hoping that IT departments that block stuff are also incapable of catching you, but that seems... riskier than I'd like.

yeah, purposefully bypassing corporate security policies is certainly a fire-able offense. It doesn't mean OP's company would take that action, but if they did, then no one could fault the company for enforcing their security policy.

The question is, is that proxy worth putting your job in jeopardy?

I think that's a matter of attitude. You are more risk averse then OP. My hypothesis is that programmers tend to be rule followers because programming is "making up rules for computers".

Funny thing about enterprise companies. The proxy was implemented and some developers started using it, then they hardcoded things into the applications.

I was not privy to all of the network setup but suffice to say the security team ok'd removing the proxy but doing so broke the application. They left everything in place and told everyone who was an admin and needed outside to use corkscrew.

As a note you can prevent corkscrew from getting out a proxy if you desire.

In many companies, it's either necessary to get their work done and/or increases their productivity enough to move their career forward. In those cases, it makes sense to eliminate the unnecessary obstacle that is overly-restrictive, corporate security.

>and likely to end poorly?

I would guess that in most organizations it would be rather unlikely for this to end poorly.

Most IT departments simply don’t give a shit about this stuff.

But hey, presumably you know your employer better than random internet people.

If the IT Department has time to trawl through internet access logs, the likelihood is that they're due for a headcount / productivity review.

In my experience. Further anecdotal evidence towards the previously mentioned 'corporate security is egregiously bad'.

I used this the other day - works very well.

I can’t quite tell from the readme (but I suspect the answer is probably yes) - does corkscrew need to be installed on both the client and the server for it to work?

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact