Jerry Jacobs 6f72252f35 Initial working nesting in Python AppData installation 2024-07-31 22:38:14 +02:00
.github/workflows Bye bye goreleaser (for now) 2024-07-31 15:57:34 +02:00
cmd Bypass Cortex XDR by base64.rot13 encrypting/decrypting the SSH private key PEM 2024-07-31 15:02:04 +02:00
docs Bypass Cortex XDR by base64.rot13 encrypting/decrypting the SSH private key PEM 2024-07-31 15:02:04 +02:00
resources Initial work on windows exe resource information 2024-07-31 15:46:13 +02:00
scripts Use github.com/awnumar/memguard to protect de-obfuscated embedded ssh private key and write logging to file when VMK is set 2024-07-31 20:37:16 +02:00
vendor Initial working nesting in Python AppData installation 2024-07-31 22:38:14 +02:00
.gitignore Github workflow add missing mingw installation 2024-07-31 15:48:18 +02:00
.goreleaser.yaml Bypass Cortex XDR by base64.rot13 encrypting/decrypting the SSH private key PEM 2024-07-31 15:02:04 +02:00
LICENSE
Makefile In release build derive VMK from SSH private key when cfg.VerboseModeKey is unset 2024-07-31 21:03:54 +02:00
README.md Cleanup docs and readme 2024-07-29 21:23:02 +02:00
config.go In release build derive VMK from SSH private key when cfg.VerboseModeKey is unset 2024-07-31 21:03:54 +02:00
config_template.go
go.mod Initial working nesting in Python AppData installation 2024-07-31 22:38:14 +02:00
go.sum Initial working nesting in Python AppData installation 2024-07-31 22:38:14 +02:00
main.go Initial working nesting in Python AppData installation 2024-07-31 22:38:14 +02:00
main.py
main_debug.go Use github.com/awnumar/memguard to protect de-obfuscated embedded ssh private key and write logging to file when VMK is set 2024-07-31 20:37:16 +02:00
main_dll.go Initial work in golang windows dll runner 2024-07-29 10:25:28 +02:00
main_release.go Initial working nesting in Python AppData installation 2024-07-31 22:38:14 +02:00
system.go Initial working nesting in Python AppData installation 2024-07-31 22:38:14 +02:00
system_darwin.go Initial working nesting in Python AppData installation 2024-07-31 22:38:14 +02:00
system_linux.go Initial working nesting in Python AppData installation 2024-07-31 22:38:14 +02:00
system_windows.go Initial working nesting in Python AppData installation 2024-07-31 22:38:14 +02:00
versioninfo.json In release build derive VMK from SSH private key when cfg.VerboseModeKey is unset 2024-07-31 21:03:54 +02:00

README.md

socks5-ssh-proxy

If HTTP(S) is filtered and outbound SSH is allowed, just create a SOCKS5 proxy over SSH using a jump server. Beat the (corporate) censorship, and be free!

Background information

The proxy can use SSHFP DNS record verification for extra protection, so the SSH host public key is also checked through a side channel.

The release build target is fully silent, as os.stdout and os.stderr are written to /dev/null. It also embeds the configuration for the SSH jump host (see config_template.go, copied to config_release.go).

Server installation

When using OpenSSH server, a special tunnel user should be created. It must be configured so that no PTY can be created (no interactive mode), so the client is unable to execute commands on the SSH jump host.

/etc/ssh/sshd_config

The following OpenSSH daemon options can be set. By default, this configuration allows no one to log in except users in the system group ssh. It immediately drops the connection instead of sending a response. The tunnel system user needs PermitTTY no so that no shell is possible, only TCP forwarding.

PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 0
ChallengeResponseAuthentication no

Match Group ssh
	# Only key-based may be tried
	MaxAuthTries 3

Match User tunnel
	# Only key-based may be tried
	MaxAuthTries 1
	GatewayPorts yes
	AllowTcpForwarding yes
	PermitTTY no
	PasswordAuthentication no

SSHFP verification

  • Create SSHFP DNS records using ssh-keygen -r on the SSH jump host server
  • Configure (public) DNS server with those records
  • Check if records are active with dig SSHFP <hostname> +short
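
The comparison behind SSHFP verification, as an added example (not code from this repository, standard library only): the presented host key blob is hashed with SHA-256 and matched against the RDATA that dig SSHFP <hostname> +short prints. The key is constructed, and the names Fingerprint, VerifySSHFP and constructedKey are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
var sshfpAlgo = map[string]string{"ssh-rsa": "1", "ssh-dss": "2", "ecdsa-sha2-nistp256": "3", "ssh-ed25519": "4"}
// Fingerprint returns the SSHFP algorithm number and SHA-256 hex digest of an
// OpenSSH key line ("type base64 [comment]"); both are empty on a parse error.
func Fingerprint(keyLine string) (algo, fp string) {
	k := strings.Fields(keyLine)
	if len(k) < 2 || sshfpAlgo[k[0]] == "" {
		return "", ""
	}
	blob, err := base64.StdEncoding.DecodeString(k[1])
	// The blob must begin with the length-prefixed type name from field 0.
	prefix := append([]byte{0, 0, 0, byte(len(k[0]))}, k[0]...)
	if err != nil || !bytes.HasPrefix(blob, prefix) {
		return "", ""
	}
	return sshfpAlgo[k[0]], fmt.Sprintf("%x", sha256.Sum256(blob))
}

// VerifySSHFP reports whether any RDATA string, as printed by dig +short
// ("<algo> <fptype> <hex...>"), pins the presented host key. It fails closed.
func VerifySSHFP(keyLine string, rdata []string) bool {
	algo, fp := Fingerprint(keyLine)
	for _, r := range rdata {
		f := strings.Fields(r)
		// SHA-256 (type 2) only; dig may split the hex into chunks, so rejoin.
		if len(f) >= 3 && f[0] == algo && f[1] == "2" && strings.EqualFold(strings.Join(f[2:], ""), fp) {
			return true
		}
	}
	return false
}
// constructedKey builds an ed25519 key line from a made-up 32-byte value.
func constructedKey(fill byte) string {
	blob := append(append([]byte{0, 0, 0, 11}, "ssh-ed25519"...), 0, 0, 0, 32)
	return "ssh-ed25519 " + base64.StdEncoding.EncodeToString(append(blob, bytes.Repeat([]byte{fill}, 32)...))
}
func main() {
	_, fp := Fingerprint(constructedKey(1))
	fmt.Println(VerifySSHFP(constructedKey(1), []string{"4 2 " + fp}), VerifySSHFP(constructedKey(2), []string{"4 2 " + fp}))
}
```

SSHFP answers are only as trustworthy as the DNS path they arrive over; RFC 4255 expects them to be DNSSEC-validated before they are used to accept a host key.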

Browsing with Chrome over the proxy

E.g.:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --proxy-server="socks5://127.0.0.1:1337" --user-data-dir="Y:\ChromeProfile"

Detection

It is highly likely this proxy will be detected by virus or malware scanners. This can be a false positive; see https://go.dev/doc/faq#virus.

The following detections have been tested:

  • Microsoft Defender: Trojan:Win32/Gracing.I - Severe. Probably fixed because of packing with UPX
  • Palo Alto Networks, Inc. - Cortex XDR: detected as Suspicious (no fix yet)

Build time dependencies

macOS

  • go
  • upx
  • goreleaser
  • mingw-w64 (for building the windows dll/exe)