{"id":140,"date":"2013-12-13T08:31:12","date_gmt":"2013-12-13T08:31:12","guid":{"rendered":"http:\/\/tastaturkind.ch\/?p=140"},"modified":"2013-12-13T08:31:12","modified_gmt":"2013-12-13T08:31:12","slug":"traverse-a-www-proxy-via-ssl-connect-with-basic-or-digest-authentication","status":"publish","type":"post","link":"https:\/\/oliver-frick.ch\/wordpress\/index.php\/2013\/12\/13\/traverse-a-www-proxy-via-ssl-connect-with-basic-or-digest-authentication\/","title":{"rendered":"Traverse a www-proxy via SSL Connect with Basic or Digest authentication"},"content":{"rendered":"

#!\/usr\/bin\/perl<\/p>\n

# Ross Lonstein
\n# This program is free software; you can redistribute it and\/or
\n# modify it under the same terms as Perl itself.<\/p>\n

=head1 NAME<\/p>\n

tunnel-auth.pl - traverse a www-proxy via SSL Connect with Basic or Digest authentication.<\/p>\n

=head1 DESCRIPTION<\/p>\n

This non-forking script can be used to traverse a www-proxy that
\nsupports the HTTP CONNECT command. It negotiates HTTP authentication,
\nif necessary, then steps aside and acts as a simple port forwarder. It
\nreports a User-Agent string so that nothing suspicious appears in the
\nlogs.<\/p>\n

=cut<\/p>\n

use IO::Socket::INET;
\nuse IO::Select;
\nuse Getopt::Std;
\nuse strict;<\/p>\n

my $VERSION=0.01;<\/p>\n

# check for MD5 support
\nmy $md5avail=1;
\neval {'use Digest::MD5;'};
\nif ($@) {
\n $md5avail=0;
\n}
\nif ($md5avail) {
\n print \"MD5 Avail. Enabling support for Digest Authentication\\n\";
\n use Digest::MD5 qw(md5_base64);
\n}<\/p>\n

my ($dport,$dhost,$proxyhost,$proxyport);
\nmy ($remotehost,$remoteport,$auth,$useragent);
\nmy ($fhin,$fhout,$server,$proxy);<\/p>\n

#
\n# handle args
\n#
\nmy %opts;
\ngetopts('a:l:p:r:u:',\\%opts);
\nusage('Missing remote host:port') unless $opts{'r'};
\nusage('Missing local host:port') unless $opts{'l'};
\nusage('Missing proxy host:port') unless $opts{'p'};<\/p>\n

($proxyhost,$proxyport)=split(':', $opts{'p'});
\n($remotehost,$remoteport)=split(':', $opts{'r'});<\/p>\n

if ( $opts{'l'}=~\/:\/ ) {
\n # use specific interface & port
\n ($dhost,$dport) = split(':',$opts{'l'});
\n}
\nelse {
\n # use localhost and specified port
\n $dport=$opts{'l'};
\n $dhost='127.0.0.1';
\n}<\/p>\n

$auth=$opts{'a'};<\/p>\n

# sample user agent identifiers:
\n #
\n # Mozilla\/4.0 (compatible; MSIE 5.01; Windows NT)
\n # Mozilla\/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
\n # Mozilla\/4.73 [en] (Win98; U)
\n # Mozilla\/4.76 [en] (WinNT; U)
\n # Mozilla\/4.7 [en] (X11; I; Linux 2.2.12-20 i686)
\n # Mozilla\/4.5 (compatible; iCab Pre2.4; Macintosh; I; PPC)
\n #
\n # choose one appropriate for your environment so as not to
\n # arouse suspicion in the logs...
\n$useragent = $opts{'u'} || 'Mozilla\/4.0 (compatible; MSIE 5.01; Windows NT)';<\/p>\n

#
\n# Set up network communication
\n#
\nif ( $dport ) { # do \"daemon\" thing.
\n $server = IO::Socket::INET-> new( Proto => 'tcp',
\n LocalAddr => $dhost,
\n LocalPort => $dport,
\n Listen => SOMAXCONN,
\n Type => SOCK_STREAM,
\n Reuse => 1 )
\n || die \"Error creating daemon socket: $!\";
\n $fhin = $server->accept() || die \"Socket accept failed: $!\";
\n $fhout = $fhin;
\n}
\nelse { # STDIN\/STDOUT used for ProxyCommand support
\n\t$fhin = \\*STDIN;
\n\t$fhout = \\*STDOUT;
\n}<\/p>\n

#
\n# connect to proxy server ...
\n#
\nmy %socket_hash=( PeerAddr => $proxyhost,
\n PeerPort => $proxyport,
\n Proto => 'tcp',
\n Type => SOCK_STREAM);<\/p>\n

$proxy = getPeerSocket( \\%socket_hash );<\/p>\n

# Force flushing of socket buffers... (not necessary >5.005 on sockets? --rl)
\nforeach ( \\*$proxy, $fhin, $fhout ) {
\n\tselect($_);
\n $|=1;
\n}<\/p>\n

#
\n# Negotiation with Proxy
\n#<\/p>\n

print $proxy \"CONNECT $remotehost:$remoteport HTTP\/1.0\\r\\n\";
\nprint $proxy \"User-Agent: $useragent\\r\\n\" if $useragent;
\nprint $proxy \"\\r\\n\";<\/p>\n

# Wait for HTTP status code
\nmy $status;
\n($status) = (split(\/\\s+\/,<$proxy>))[1];<\/p>\n

#
\n# handle authenticating proxy
\n#
\nif ($status=407 && $auth) {<\/p>\n

# skip lines waiting for type of authentication
\n $_ = <$proxy> while ($_ =! \/Proxy-authenticate: (\\w+) \/);
\n print STDERR \"Proxy authentication required...\";<\/p>\n

# ignore rest, close connection and try again
\n $proxy -> close() || die(\"Error closing proxy connection: $!\");
\n print STDERR \"Closed proxy.\\n Reconnecting...\";
\n $proxy = getPeerSocket( \\%socket_hash );
\n print $proxy \"CONNECT $remotehost:$remoteport HTTP\/1.0\\r\\n\";
\n print $proxy \"User-Agent: $useragent\\r\\n\" if $useragent;<\/p>\n

# determine type of authentication...
\n CASE: {
\n auth_basic(), last CASE if $1 =~ \/basic\/i;
\n auth_digest(), last CASE if $1 =~ \/digest\/i && $md5avail;
\n # add support for other auth schemes here...
\n auth_unsupt(), last CASE;
\n }<\/p>\n

print $proxy \"\\r\\n\";<\/p>\n

# get new status
\n ($status) = (split(\/\\s+\/,<$proxy>))[1];
\n}<\/p>\n

die \"Bad status code \\\"$status\\\" from proxy server.\"
\n if ( int($status\/100) != 2 );<\/p>\n

# Skip through remaining part of HTTP header (until blank line)
\n1 until ( <$proxy> =~ \/^[\\r\\n]+$\/ );<\/p>\n

#
\n# Shuffle packets between sockets
\n#
\nmy $s = IO::Select->new($fhin,\\*$proxy);
\nmy $num;
\nLOOP: for (;;) {
\n\tforeach my $fh ( $s->can_read(10) ) {
\n\t\tlast LOOP unless ( defined($num = sysread($fh,$_,4096)) );
\n\t\tlast LOOP if $num == 0;
\n\t\tlast LOOP unless ( defined(syswrite( ((fileno($fh)==fileno($fhin))?
\n\t\t\t$proxy:$fhout),$_,$num)) );
\n\t}
\n}
\n# good housekeeping seal...
\n$proxy -> close() || die \"Error closing connection to Proxy: $!\";
\n$server-> close() || die \"Error closing local connection: $!\";
\nexit 0;<\/p>\n

#
\n# SUBROUTINES
\n#
\nsub auth_basic {
\n print STDERR \"using BASIC authentication.\\n\";
\n print $proxy \"Proxy-Authorization: Basic \",encode_base64($auth),\"\\r\\n\";
\n}<\/p>\n

sub auth_digest {
\n print STDERR \"using DIGEST authentication.\\n\";<\/p>\n

# skip lines waiting for challenge
\n $_ = <$proxy> while ($_ =~ \/digest\/i);
\n my ($challenge) = (split(':',$_))[1];<\/p>\n

# send response
\n my ($user,$pass) = split(':',$auth);
\n my $response=md5_base64(\"$user:$pass:$challenge\");
\n print $proxy \"Proxy-Authorization:$response\\r\\n\";
\n}<\/p>\n

sub auth_unsupt {
\n print STDERR \"Unsupportted authentication type '$1' requested!\\n\";
\n}<\/p>\n

sub getPeerSocket {
\n my $hash_ref=shift;
\n my $socket = IO::Socket::INET->new( PeerAddr => $$hash_ref{'PeerAddr'},
\n PeerPort => $$hash_ref{'PeerPort'},
\n Proto => $$hash_ref{'Proto'} || 'tcp',
\n Type => $$hash_ref{'Type'} || SOCK_STREAM)
\n || die \"Socket setup failed: $!\";
\n return $socket;
\n}<\/p>\n

sub encode_base64 {
\n# stolen from MIME::Base64, thanks Gisle Aas
\n# note we don't bother with requirement of line length < 76 chars\n use integer;\n my $res=\"\";\n pos( $_[0] )=0;\n while ( $_[0] =~ \/(.{1,45})\/gs ) {\n $res .=substr( pack('u',$1), 1 );\n chop($res);\n }\n $res =~ tr |` -_|AA-Za-z0-9+\/|;\n my $padding = ( 3-length($_[0]) % 3) %3;\n $res =~ s\/.{$padding}$\/'=' x $padding\/e if $padding;\n return $res;\n}\n\nsub usage {\n print \"\\n!! \",@_,\" !!\\n\";\n print <: -l [:] -r : [-a ] [-u ]
\n Connect to a remote host through a proxy supporting CONNECT.\n : -- ip or hostname and port of your http proxy
\n : -- port to listen on. ip\/hostname optional.
\n : -- remote host and port (likely port 443\/563)\n : -- userid\/password for authenticating proxies
\n -- header string send to proxy. Defaults to
\n 'Mozilla\/4.0 (compatible; MSIE 5.01; Windows NT)'
\nExample:
\n $0 -p proxy.example.com:8080 -l 2222 -r myhost.nowhere.com:443 \\
\n -a joe:h4ckm3 -u 'Mozilla\/4.76 [en] (WinNT; U)'<\/p>\n

USAGE
\n exit 1;
\n}<\/p>\n

=head1 README<\/p>\n

tunnel-auth.pl - traverse a www-proxy via SSL Connect with Basic or
\nDigest authentication.<\/p>\n

This script can be used to traverse a www-proxy that supports the HTTP
\nCONNECT command as is done for SSL. It negotiates HTTP authentication,
\nif necessary, then steps aside and acts as a simple port forwarder.
\nIt reports a User-Agent string during negotiation so that nothing
\nsuspicious appears in the proxy logs. Compatibility with Win32 was
\nretained by not forking, limiting it to a single connection per
\ninstance.<\/p>\n

Should work against any RFC-compliant proxy. Tested against:
\n Netscape Enterprise\/3.52
\n Squid 2.2<\/p>\n

Note: Properly configured proxies that allow CONNECT will only permit
\nconnection to standard SSL ports (443 and 563 according to squid). You
\ncan expect they will also have connection and idle timeout limits.<\/p>\n

=head2 EXAMPLE<\/p>\n

Assuming that you have a machine on the public internet accepting
\nSSH connections on port 443 you can do the following:
\n tunnel-auth.pl -p proxy.example.com:8080 \\
\n -l 2222 -r myhost.nowhere.com:443 \\
\n -a joe:h4ckm3 \\
\n -u 'Mozilla\/4.76 [en] (WinNT; U)'<\/p>\n

And in another window:
\n ssh -p 2222 blockhead@localhost<\/p>\n

Which will, if all goes well, negotiate the proxy and connect to
\nthe remote machine via secure shell.<\/p>\n

=head1 PREREQUISITES<\/p>\n

Requires the C, C, C modules.<\/p>\n

=head1 COREQUISITES<\/p>\n

Digest Authentication support uses C.<\/p>\n

=head1 TODO<\/p>\n

In no particular order:<\/p>\n

- Logging. An ASCII\/HEX dump would be nice for diagnosis.<\/p>\n

- Forking for each connection now that Perl 5.6-Win32 supports it.<\/p>\n

- Support for NTLM authentication with Microsoft Proxy Server (that's a
\nhole with no bottom).<\/p>\n

=head1 AUTHOR<\/p>\n

Ross Lonstein <\/p>\n

based upon work by Urban Kaveus, Theo Van Dinter, Gisle Aas, and
\nprobably others but don't contact them because the bugs are all mine.<\/p>\n

=head1 COPYRIGHT<\/p>\n

This program is free software; you can redistribute it and\/or modify it
\nunder the same terms as Perl itself.<\/p>\n

=pod OSNAMES<\/p>\n

any<\/p>\n

=pod SCRIPT CATEGORIES<\/p>\n

Networking<\/p>\n

=cut
\n<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"

#!\/usr\/bin\/perl # Ross Lonstein # This program is free software; you can redistribute it and\/or # modify it under the same terms as Perl itself. =head1 NAME tunnel-auth.pl – traverse a www-proxy via SSL Connect with Basic or Digest authentication. … Weiterlesen →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-140","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/oliver-frick.ch\/wordpress\/index.php\/wp-json\/wp\/v2\/posts\/140","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/oliver-frick.ch\/wordpress\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/oliver-frick.ch\/wordpress\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/oliver-frick.ch\/wordpress\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/oliver-frick.ch\/wordpress\/index.php\/wp-json\/wp\/v2\/comments?post=140"}],"version-history":[{"count":0,"href":"https:\/\/oliver-frick.ch\/wordpress\/index.php\/wp-json\/wp\/v2\/posts\/140\/revisions"}],"wp:attachment":[{"href":"https:\/\/oliver-frick.ch\/wordpress\/index.php\/wp-json\/wp\/v2\/media?parent=140"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/oliver-frick.ch\/wordpress\/index.php\/wp-json\/wp\/v2\/categories?post=140"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/oliver-frick.ch\/wordpress\/index.php\/wp-json\/wp\/v2\/tags?post=140"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}