Details

This time on Hak5: We begin a special series on proxies. Caching, filtering, security or anonymity -- whatever your reasons may be Darren and I are exploring the in's and out's of this great technology from the ground up. All that and more, this time on Hak5!

 

Download HD | Download MP4

 

What is a Proxy

Basically a proxy is a technology that enables one to bounce their Internet traffic off, or tunnel Internet traffic through, a third party server. Typically this is a linux box running a daemon, but there are plenty of types of proxies, as well as reasons to use 'em. So why do we have proxies? Well, this won't cover everything, but here's a few examples:

Why would you want to proxy?

Security - keep your web traffic encrypted
For me it's all about security. Most proxies employ encryption, encapsulating each packet into a private tunnel so that would be eavesdroppers can't peer in on your surfing. I don't care if it's open wifi at the airport or a wired hotel LAN -- if it isn't my network I don't trust it.

Filtering

I hate it when network operators do this, and I'm sure you've encountered it. It turns out there's porn on the Internet. That, um, isn't what I've encountered -- I'm talking about when sysops use Proxies to filter content. Whether it's a DNS blacklist or content keywords, proxies can be used to shut down browsing to sites the operator deems inapproporiate. Whether that's porn or blogs criticizing a draconian government.

Bypassing Censorship

Likewise proxies are a great weapon against censorship. During the 2011 Egyptian Revolution, and following the January 25th protest, access to Twitter and Facebook from within the country were blocked.

Caching

Speed up web browsing with a caching proxy like Squid which is implemented in a lot of the more advanced open source routers we like, including Smoothwall and Untangle. The idea being that it holds copies of a web page or other resource in its cache, so if Darren visits Zombo.com in the morning then I go there in the afternoon I grab a local copy, thus saving bandwidth and speeding up the network.

Eavesdropping

Like a WiFi Honeypot or a Man-in-the-middle attack, a proxy can facilitate eavesdropping by routing traffic from a client, or victim in this case, through an eavesdropper's server. This enables the kind of packet sniffing mischeif you might imagine -- password snooping, URL snarfing, stealing of cookies and session hijacking, even altering content in transit. You know, the same kind of stuff your ISP could do - but doesn't... Or do they? Nah.... But SRSLY.

Private Networks

Traveling abroad and need access to resources on your office network? There's a proxy for that. Basically bridging two or more networks a proxy can enable access to stuff like printers, internal web servers, even private peer to peer networks or Darknets. Who doesn't like a little privacy with their file sharing?

Anonymity

Network Proxies can provide some level of anonymity by making it difficult to trace internet activity. The most notable examples include The Onion Router and I2P or the Invisible Internet Project. We're working up a special episode on these, but suffice it to say if you're a fan of freedom and privacy these are for you. Just, be aware that they aren't fool proof. In design these networks don't account for a global passive adversary, you know - like the NSA.

There are more proxy types and implementations than you can shake a stick at, but we’ll cover a few of the more popular ones and get into the practice soon.

Types of Proxies

Forwarding Proxies: Typically speaking a forwarding proxy is a private service setup for one or more users that forwards or relays Internet traffic. An example would be a SOCKS proxy setup on a Virtual Private Server that you maintain and only you have access to. Use of this proxy requires authentication and once connected some or all of your Internet traffic is routed through this host.

Open Proxies: which is similar to a forwarding proxy, except that authentication isn’t required. These open proxies or anonymous proxies are generally available to anyone on the Internet. Most HTTP or web based proxies don’t require a whole lot of skill or network configuration to use. For example visiting the open proxy darkbrowsing.com allows a user to pull up pages like twitter and facebook without actually going to those domains. As far as a network operator is concerned the user is only visiting the proxy, and the subsequent web pages are requested on the proxies behalf.

Reverse Proxies: one that facilitates connections between two networks, often making it possible to access an internal resources which is otherwise inaccessible from the Internet. A good example of this would be a WiFi Pineapple in the wild connecting back to my VPS in the cloud allowing me to proxy through the VPS and into my pineapple. We’ll get into this in practice soon.

The nice thing about your reverse proxy setup is that it’s able to overcome NAT.

NAT, or Network Address Translation, is a gateway (typically your home router) which assigns private IP addresses to each connected client, then allows all of those clients to access the Internet through a single public IP address. Since each machine on a NAT’ed network doesn’t actually have it’s own public IP address it makes it more difficult to run a server, like SSH. Typically port forwarding is necessary to allow incoming connections to get routed to the right machine inside the network. But outgoing traffic doesn’t have this limitation. Thus the reverse proxy is able to establish its connection without any special network configuration, a lovely technique we know as "NAT Traversal".

SOCKS Proxy: Our favorite implementation

SOCKS stands for SOCKet Secure and it’s an Internet protocol that allows you to route your network traffic through a proxy server.

  • Originally developed by David Koblas, a sysadmin at MIPS in ‘92
  • Later extended to version 4 by Ying-Da Lee at NEC
  • And finally version 5 was approved by the Internet Engineering Task Force in ‘96
  • Can be used with Secure SHell - a network protocol for secure communication to remote shells
  • Operates at a lower level than HTTP proxying
  • Able to be used for any TCP or UDP connection
  • Two mainstream types of SOCKS proxies, SOCKS4 and 5
  • SOCKS5 allows for use of IPv6, UDP and DNS lookups so it is preferred

Basic Client Setup in Linux

ssh -D 8080 user@host

The -D option, from the man pages

-D [bind_address:]port

Specifies a local dynamic application-level port forwarding. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine

.

Keep in mind this option requires superuser privileges so you may need to use sudo or similar root execution utility.

Warning: The basic client setup illustrated here uses password based authentication, which goes against security best practices. The next episode in this series will address this setup. Use of password based authentication is not advised.

Basic Client Setup in Windows

Begin by downloading putty, the gold standard in SSH on Windows.

Open putty, enter your host information, then expand SSH > Tunnels. Enter a port between 1025 and 65535, check Dynamic and enter localhost or 127.0.0.1 as the IP address. Click Add, then Open. An SSH session will open, typically prompting for username and password. Note: We will expand on this shortly with key based authentication.

If you're into Hak5 you'll love our new show by hosts Darren Kitchen and Shannon Morse. Check out HakTip!

Whether you're a beginner or a pro, HakTip is essential viewing for current and aspiring hackers, computer enthusiasts, and IT professionals. With a how-to approach to all things Information Technology, HakTip breaks down the core concepts, tools, and techniques of Linux, Wireless Networks, Systems Administration, and more

And let's not forget to mention that you can follow us on Twitter and Facebook, Subscribe to the show and get all your Hak5 goodies, including the infamous WiFi Pineapple over at HakShop.com. If you have any questions or suggestions please feel free to contact us at feedback@hak5.org.

Youtube Description (No HTML):

This time on Hak5: We begin a special series on proxies. Caching, filtering, security or anonymity -- whatever your reasons may be Darren and I are exploring the in's and out's of this great technology from the ground up. All that and more, this time on Hak5!

If you're into Hak5 you'll love our new show by hosts Darren Kitchen and Shannon Morse. Check out http://www.revision3.com/haktip

Whether you're a beginner or a pro, http://www.revision3.com/haktip is essential viewing for current and aspiring hackers, computer enthusiasts, and IT professionals. With a how-to approach to all things Information Technology, HakTip breaks down the core concepts, tools, and techniques of Linux, Wireless Networks, Systems Administration, and more

And let's not forget to mention that you can follow us on http://www.twitter.com/hak5 and http://www.facebook.com/technolust, http://revision3.com/hak5/subscribe to the show and get all your Hak5 goodies, including the infamous http://hakshop.com/collections/frontpage/products/wifi-pineapple over at http://hakshop.com . If you have any questions or suggestions please feel free to contact us at feedback@hak5.org.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

21 Comments

  • bigbeck89 3 years ago

    Great Episode! Loved having Snubs asking all those questions, they were exactly the questions floating around in my head!

    Excited to see this Proxies series move forward.

  • Fredrik 3 years ago

    Thumbs up for this “new” kind of episode. I was actually just surfing around thinking about browser security and this will be really helpfull.

    Keep up the good work!
    Sweden

  • Would proxies be a possible work around for accessing local resources while connected to a corporate VPN?

    I have heard this complaint from many people, that whenever they want to print or access a file on their local network they have to disconnect from VPN and use that resource, then reconnect.

    Thanks for the great show!

    Adam

  • Damon 3 years ago

    This was one of your best episodes, thanks.

  • Missed one point that I find useful from a holistic pov, proxies and NAT and essentially one in the same. OSI is the general and useful 7 layered design of encapsulation and should be the basis and descriptor of all network technologies.

    NAT or Network Address Translation is essentially the replacement of layer 1-4, physical, data link, network, and transport. Proxies do the exact same however depending on software they may record the information, relay it, replace the NAT portions dynamically and such. Same goes for IDS’s, web publishing servers, and all intermediate devices.

    Even your pineapple is the same concept. I think you got something for flipping images in HTTP traffic right. Well now your reading layer 1-7 and altering 6, and 7. Its just more processing of packets.

    The concept and OSI is golden and very underrated. The IT world is flooded with terminology and categorization and process. This is flawed. Please try and incorporate OSI into the show more often. You and intrinsically understand this but for myself is what the holy grail to my understanding of these network technologies.

    • TuffRank 3 years ago

      m8! you are well-off with your OSI understanding /concept … first thing first;

      Quote; “proxies and NAT and essentially one in the same” that is incorrect… Go back to your study guides or your youtube vids & refresh your Knowledge r follow on…

      However, I do agree with you with using the OSI and TCP/IP layer Blueprint for explaining how Internetworking Works…

      Think about NAT & Proxy this way.

      Do not confuse a proxy server with a NAT (Network Address Translation) device. A proxy server connects to, responds to, and receives traffic from the Internet, acting on behalf of the client computer, while a NAT device transparently changes the origination address of traffic coming through it before passing it to the Internet…

      OSI concept;

      For those who understand the OSI (Open System Interconnection) model of networking, the technical difference between a proxy and a NAT is that the proxy server works on the transport layer (layer 4) or higher of the OSI model, whereas a NAT works on the network layer (layer 3).

      Oh yeah!!

      >> SOCKS performs at Layer 5 of the OSI model—the session layer (an intermediate layer between the presentation layer and the transport layer).

      Great work Mr. Kitchen and pretty girl Shannon… Give-Thx

  • tomscrat 3 years ago

    Hello,
    I am a great fan of hak5 and watching the video of the show each week from Germany ;D

    I tried out the ssh proxy thing and found a surprising fact:

    I did “ssh -D 8080 user@host” to a ssh server of mine, opened chrome and installed Switchy as Shannon explained. Works fine!
    Then I changed to Firefox, and when I go here to http://www.whatismyip.com I see the same as in Chrome with Switchy and proxy use enabled …
    Hmm, I thought, then I figured out Firefox provides the options “Use system proxy settings”, which automatically uses the setup ssh tunnel. So no need to change with Foxyproxy the use of a proxy.
    Find the setting in Firefox > Edit > Preferences > Advanced > Network > Connection > Settings
    That is the normal way to provide proxy information, but with set on “use system proxy settings” no need to change anything 😀

    I am looking forward for to the next episode of Hak5,
    cheers form Germany ;D

  • Martin 3 years ago

    Awesome show! Very well explained and covered! I Love HAK5

    Martin

  • Pixelated Dwarf 3 years ago

    Outstanding! Love the in depth look at proxies. Hope you will also be getting into VPN’s.

    Short correction – it is IP v6 not 5 :) 65,535 for the number of ports.

    Keep up the great work – looking forward to future parts of this!

    Remember

    Spaces_Are_Evil

  • Great episode! I’ve been struggling with proxies for a long time (out of need and desire to learn). I can’t wait for the next episodes. I’m hoping for some techniques to maintain anonymity, and safe guard a particular email account that’s been compromised by a vicious hacker.

  • Mario 3 years ago

    Great Episode, wish i knew about this show from when it started!
    Iv managed to stay up to date with all the latest episodes.

    All the way from South Africa

    Thank you guys!!

  • dortizesquivel 3 years ago

    Great video! waiting the next!! :)

  • signal7 3 years ago

    That was a very Interesting presentation on using proxies and I must
    admit, I learned a few things along the way. However, some packet
    captures of the session using a dynamic port shows that all of the DNS
    requests still go to the locally defined DNS server. So, even though
    the information itself is tunneled and encrypted, *where* you’re going
    online is not protected. It would be trivial to defeat this proxy
    with a filtering DNS provider or even a firewall that can do deep
    enough packet inspection. At the very least, your provider could log
    the DNS queries for later use, whatever that may be.

  • Slickkk 3 years ago

    I guess the tools that are out are coming out are being developed slower than your episodes. They used to be way longer and better; must be running out of material. And btw Darrin you screwed up big time with not being with that chick, you must take a lot of showers lol.

  • What’s the ETA on the next part? Leaving for China in 10 days!!!!

  • Cobolt 3 years ago

    shannon Just love your boobs in those tight T-shirt’s…
    More tight tops please, 😀

  • PROXIES ago!
    Totally digging this. Can’t wait to re-watch and see what comes next.
    Great show.

  • rami_info 3 years ago

    Hi hak5 crew

    Is it possible to go back to metasploit with new modules of 2012.

    Thnx and hope goooooooooooooooood luck

  • Kincaid 3 years ago

    Howdy,

    I am excited about starting to use proxies. So since we don’t know if the free proxy servers out there are logging the traffic for their evil purposes and if we go with the same line of thought that vps could in theory also log your info, I was wondering if i could run my own proxy server at home.

    Then the question becomes, if i am at my favorite wifi location and I connect to my proxy at home so i can safely check my 2 emails i get a week, connecting to the proxy server would give the “man in black” the ip address of my home proxy server and they can start doing the evil things they do.

    I am guessing there is no way around this?

    • Sure you can run a proxy server at home. We actually cover setting these up in both Windows and Linux over the next two episodes. If there was a MITM at the coffee shop you would indeed be giving up the IP of your home server. Also keep in mind what you’re doing here is shifting the trust from the open WiFi network (low trust IMHO) to your home or VPS. Sure your VPS provider could be sniffing, but then again so can your ISP so at the end of the day you just have to ask yourself, who do you trust?

  • Hey man…..

    itz awsum… I mean to say that this show is ultimate for

    all who want to Learn Security(also other) from BASIC —–> ADVANCE…

    I really Like it ….. and mostly “GO THROUGH IT”
    …..

    Thanks …to all

  • People from the gaming industry generally rely on cheats all the time in order to make significant progress in the game.

  • Excellent beat ! I would like to apprentice even as you amend your web site, how could i subscribe forr a blog website?
    The account helped me a acceptable deal. I were a little bit familiar of this your broadcast offered
    brilliant clear idea

  • Unquestionably imagine that that you said. Your favourite justification seemed to bbe on the net the simplest thing to have
    in mind of. I say to you, I definitely get annoyed while other folks think about
    concerns that they just do not recognise about. You controlled to hit the nail upon thee highest and also defined out the whole thing with
    no need side-effects , folks could take a signal. Will
    likely be back to get more. Thanks

  • You realize that if that’s really as bad as I can get, well why not try again?

  • [url=http://www.abercrombiean http://whzgwy.com/shownews.asp?id=14726 dfitch4s.us/]Abercrombie and fitch outlet US.[/ur http://blog.leica-camera.com/photographers/interviews/alfred-schopf-inspiration-behind-ninety-nine-years-leica/comment-page-1/#comment-350199 l][url=http://www.abercrombieandfitchoutlet.us/]Abercrombie And Fitch Outlet[/url][url=http://www.abercrombiefitch.nl/]Abercrombie http://www.diamondpizza.ca/site Fitch Nederland[/url][url=http://www.abercrombieoutlet.ca/]Abercrombie Outlet[/url][url=htt

  • Woah this website is actually fantastic i like learning the articles you write. Maintain the nice artwork! You already know, loads of person’s usually are shopping around just for this details, you could possibly help these people considerably.. bigtits

  • 19, 2015 not include standard hedging strategies behind it.

    Quick introduction video to stock orders.

  • Yes, strictly logically speaking it is “OK” (no funny actions, no Russion mob).

  • At this time it looks like WordPress is the preferred blogging
    platform available right now. (from what I’ve read) Is
    that what you are using on your blog?

  • I’m not certain in which you are obtaining your facts, having said that very good issue.. T'ai Chi Ch'uan (Martial Art), Chen-style T'ai Chi Ch'uan, explicación de Tai Chi, aplications of Taichi, Style, Martial Arts (Sport), Combat (Media Genre), Tai Chi, Pushing Hands, Chen Xiao Wang, Ma Hong, Chen Zhaokui, feng zhi qiang, Fighting, Estilo Chen, Fight, Taiji, Taiji Quan, Pan zhencai, Chen Fake, forma 83, defense, chen fake, Freestyle, Combat, fighting, taiji, Karate, Master, qigong, health, martai, power, Arts, Free, yang, tsao, self, kung, arts I’ve got to expend a bit examining a lot more or being familiar with much more. Appreciate your wonderful facts I’d been looking for this info for my goal.

  • My sister proposed I may such as this website. He / she seemed to be absolutely perfect big busty boobs. This article basically created my personal time. An individual can not take into account precisely how considerably period I had used due to this information! Appreciate it!

  • ???? vpn,???? ?? ?? ??

  • Hi there, I discovered your blog by way of Google even as looking for a similar topic, your website got here up, it looks great. I’ve bookmarked it in my google bookmarks.

  • ???????????????????????????????? ??? aux ???? ??????????????????????????????????? ??? aux ???? ??????????????????????????????????????????????????????????????????????????????????????????????????? https://youtu.be/mYaLJ2nlwFE ??????????????????????? ??? aux ???? ??????????????????????? ???????????????????????????????????????????????????

  • Cena se concentre désormais sur le tournoi pour le titre de champion US, mais ce fait battre dès le premier tour par
    Billy Gunn.

  • Yes, you heard it well, there is no limit in generating items!

  • My pal encouraged I’ll in this way site. He / she was once completely suitable.. big tits cam This particular create basically produced our working day. You should not envision merely how the ton moment I did expended because of this information and facts! Cheers!

  • ???? vpn,???? ?? ?? ??

  • Very interesting,thank you

  • But it wasn’t even till the 1980s when the United States passed laws banning the manufacturing of meth and possession of meth-creating equipment.

  • Great info. Lucky me I discovered your site by chance (stumbleupon).
    I have book marked it for later!

  • Hey, just simply converted into aware about ones blog site by means of Google, and discovered that it is actually informative. I’m just planning to watch out for the town. I’ll get pleasure from if you happen to go on this particular in the future seo google top. Lots of other men and women can be taken advantage of your publishing. Cheers!

  • You could absolutely visit your expertise within the perform you’re writing. The entire world hopes for a lot more enthusiastic internet writers just like you whom usually are not afraid to mention how they believe that. Constantly follow your soul.

  • surely just like your web-site nevertheless, you have to analyze this punctuational upon a number of of your respective discussions. A lot of them usually are rife by using punctuation troubles i to seek out the idea quite worrisome in all honesty having said that I will unquestionably revisit once more.

  • Hey all. I found your blog utilizing bing. This is usually a very logically written document yang tai chi,24 yang style,yang style taichi,yang style tai chi,yang style tai chi short form,yang style tai chi long form. I will be absolute to take a note of this are available back to learn more of the strategies. Many thanks for the particular posting. I am going to surely go back.

  • Woah this particular weblog can be amazing i enjoy learning your site content.. Aikido,Karate,Taichi,qigong,gongfu,fajing,neijia,fajin,bagua,wushu,Pakua,taiji,Wushu,Taolu,gong,kung,fali,IWUF Sustain the favorable pictures! You realize, loads of person’s are generally shopping around just for this facts, you may assist these tremendously.

  • ?hat a information of un-ambiguity and preserveness of preci?us familiarit? concerning
    unexpected emotions.

  • Incredibly great publish chen taijiquan music,chen taijiquan form,Tai chi – Martial Art,tai chi chuan,hai chi tai,tai chi quan. I recently became aware of the web site and desired to mention that I’ve got genuinely adored looking a person’s blog page discussions. At any rate We will be opt-in for ones supply that i’m intending you’re writing just as before quickly!

  • ???? vpn,???? ?? ?? ??

  • I’ll promptly grab your own feed as I can not locating your current e-mail registration link or even newsletter services. Conduct you’ve got virtually any? Generously allow me recognize so that I could truthfully sign up. Thanks porn time.

  • I am a bunch connected with volunteers and also starting a new scheme within our area. Your website provided us valuable info in order to pictures upon. You may have performed an extraordinary occupation along with each of our total group should be grateful back.

  • It really is best the perfect time to produce a handful of programs for the future plus its time and energy to feel special. I’ve truly see this placed and in case I could simply I need to suggest you actually few exciting concerns or maybe points. You could compose up coming reports regarding this post.. article source We would like to find out all the more problems over it!

  • Incredible, great site shape! Just how long are you writing a blog intended for? you’re making writing a blog appearance quick. The complete appearance of one’s site is great, . fashion bloggers and styleaside from the information!

  • You actually make it show up really easy with the powerpoint presentation on the other hand to locate this theme for being definitely something I believe We would by no means have an understanding of. It sort of feels also complex and also huge in my situation LEARN MORE . I am getting excited about the following submit, I am going to try and have the stick from it!

  • Way cool! Some very valid points! I appreciate you
    penning this write-up plus the rest of the website is really good.

  • Wow….it’s nice article.
    I hope.. I can still information like this from you

  • Useful info. Fortunate me I found your website by accident, and I am surprised why this coincidence didn’t happened earlier! I bookmarked it.

  • It’s really a great and useful piece of information. I’m happy that you just shared this
    helpful information with us. Please stay us informed like this.
    Thank you for sharing.

  • You really make it seem so easy with your presentation but I find this
    topic to be really something which I think I would never
    understand. It seems too complicated and extremely broad for me.
    I am looking forward for your next post, I will
    try to get the hang of it!

  • Personalised Hollywood Walk Of Fame Star The Hollywood Walk of Fame Star can feature a name of
    your choice The Personalised Hollywood Walk Of Fame
    Star print comes complete with a mock presentation certificate at the bottom that can feature a name, date and personal message The Personalised Hollywood Walk
    Of Fame Star comes already framed. Don’t continue putting off your lifestyle
    change. Lefton has a bit of big-screen exposure herself, having played the role of three-year-old Annie in the 1991 comedy, “Father of the Bride.

  • Which means that it is actually manufactured on line.

  • Thank you for the auspicious writeup. It in reality was once
    a leisure account it. Look complicated to more brought agreeable from you!

    However, how could we keep up a correspondence?

  • Wow, outstanding weblog structure! The time have you been blogging with regard to? you’ve made blog glance easy. The complete start looking free movies,porn brazzers of one’s web-site is fantastic, and also the articles!

  • I plan on staying in the house for no more than 5 yrs biboui these loans don’t prove useful
    in cases when someone needs instant cash.

  • This post will help the internet people for setting up new web site or even a blog from
    start to end.

  • The official trailers of the interlude are quite tempting because they reveal a lot
    about upcoming events. These types of workouts are what allow Matthew Mc – Conaughey to keep his body lean and sculpted.
    It is no secret that a boost in confidence and having a positive self-image can contribute to a woman’s over
    all well being but the majority of women do not have cosmetic surgery for anyone other than themselves.