Safe browsing from hacker cons: Running a personal proxy.

23 July 2008

Whenever I plan on using my laptop at a convention, in particular at hacker cons, it's practically assured that an unknown number of attendees will be monitoring the wireless network in some manner for nefarious purposes. Because many application protocols in use do not use cryptographic systems to protect traffic (like instant messenger and webmail), it's possible to record what people are doing as they do it, or worse record the credentials used to log in. The software to do this is trivially easy to acquire because protocol analyzers (more commonly called packet sniffers) have legitimate uses when troubleshooting networks.

To do this, you'll need a trusted machine that you can log into remotely (preferably behind a firewall), a way to log in remotely (such as OpenSSH - anything will work so long as your link will be encrypted and you can use it to forward ports to the other machine), and proxy software of some kind, which is just as freely available as packet sniffers. Configure your firewall so that your means of remote access can hit the trusted machine. I forward a port on my firewalls to port 22/TCP on my shell machines so I can SSH in; for other methods, you'll have to do some research to see if your remote admin software of choice can forward ports (VNC doesn't, for example). Here's what I did: Before leaving for New York, I set up a copy of 3proxy on Leandra, which is a lightweight HTTP/HTTPS proxy server. If you've never used a proxy before, they are applications which accept connections to other sites or services on your behalf and complete them for you in a transparent manner. Usually, if you don't know that you're going through a proxy server it's doing its job properly. Sometimes this is done as a security measure (say, to filter traffic going both ways); sometimes this is done to restrict outgoing access attempts in conjunction with firewalls. By default, 3proxy sits on port 3128/TCP on the box you set it up on. While at HOPE, I would SSH back to Leandra (using public key authentication rather than a passphrase to log in) with the command ssh -L 3128:localhost:3128, which then dropped me to a shell. Once connected, my SSH client would open port 3128/TCP on Windbringer and transparently forward it through the encrypted SSH tunnel to port 3128/TCP on Leandra where the 3proxy daemon was listening. I then reconfigured Firefox to use the forwarded port as its active proxy server (Linux: Edit -> Preferences -> Advanced -> Network tab -> Settings -> tick 'Manual proxy configuration' and enter 'localhost', port 3128 in the fields for HTTP and SSL Proxy (leave the rest blank); Windows: replace "Edit -> Preferences" above with "Tools -> Options" but otherwise the instructions are the same).

To ensure that my network gymnastics were doing what I needed them to do, I then went to in my web browser and saw that my IP address of origin, insofar as that website was concerned, was that of Dante, the Network access node I'd SSH'd through, meaning that my web traffic was going through my encrypted connection and thus my trusted proxy server. Now, anyone eavesdropping would only record the encrypted traffic which can't be decrypted without the proper key and thus is useless.

Warning: This won't do anything for instant messenger traffic (say, if you run the Google Chat application or Adium); this will require a different technique, which I'll write up in another article. I don't know if the GChat applet that is part of GMail will work using this technique, I didn't try at HOPE, though I'll give it a try tonight and report back.

To put things back the way they were, log out of the machine you SSH'd into (Leandra runs Linux, though you could also do this with a BSD machine that you had an account on) and set your web browser's proxy settings to "No proxy" or "Direct connection to the Internet".

This work by The Doctor [412/724/301/703] is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 License.