If you can­not use a SSH client to bypass the fire­wall (403 error, con­nect com­mand not allowed) you can use GNU http­tun­nel to bypass the fire­wall. I per­son­ally use http­tun­nel to bypass TRANSPARENT FIREWALLS.

As an exam­ple we for­ward again the Win­dows Remote Desk­top (port 3389).

We use the same sce­nario as in the SSH 3 arti­cle:
There is a Remote­Server in a large com­pany behind a Fire­wall. You own the Mid­dle­Server, a pub­lic avail­able SSH server. Last but not least there is your Work­sta­tion — you want to con­trol the Remote­Server from this machine.

Mid­dle­Server:
Start HTTP­tun­nel on Mid­dle­Server, for­ward port 80 (incom­ing) to local SSH Port:

1
# hts –forward-port localhost:22 80

Remote­Server:
Start HTTP­tun­nel client, for­ward local port 900 to Mid­dle­Server port 80 (make sure your Web Server is NOT running!):

1
# htc –forward-port 900 –proxy HTTPProxy:8080 MiddleServer:80

News, 18.10.2006:
———————–
New w32 pack­age avail­able, change log:
–com­piled with lat­est cygwin1.dll (v1.5.21)
–includ­ing lat­est cvs ver­sion
–included debug builds (for sta­ble and cvs build)

[ad#AdBrite-Text]

Get the updated ver­sion: Down­load GNU http­tun­nel Win­dows bina­ries (v3.3)r2.
Get the old ver­sion: Down­load GNU http­tun­nel Win­dows bina­ries (v3.3).

As GNU http­tun­nel traf­fic is not encrypted we cre­ate a SSH tun­nel in our http­tun­nel tun­nel…:Again we use the same set­tings for our Putty sessin as in the SSH 3 article:

On the Remote­Server, start a SSH ses­sion to the Mid­dle­Server. Change to the “Tun­nels Tab” and enter the REMOTE for­warded port:

BUT the SSH server is of course localhost:900 (through the httptunnel).

Now start a ses­sion from your Work­sta­tion to the MiddleServer:

And now fire-up the Ter­mi­nal Server Client (mstsc.exe):

Now you con­trol the Remote­Server with­out change any fire­wall rules…

Its impor­tant that you can use only 1 http­tun­nel per port! Another Hint: the log­ging goes to the Win­dows appli­ca­tion log!

IMPORTANT: http­tun­nel does NOT sup­port NTLM proxy authentification!

Another exam­ple:
Server (Linux):

1
# ./hts –no-daemon –D4 –forward-port localhost:22 80

Client (Win­dows):

1
> htc –no-daemon –D4PPROXYSERVER:8080 –F 8888 YOUR-PUBLIC-SERVER:80

When you use debu­glevel you migth see those keep-alive messages:

1
2
3
4
5
6
7
8
9
tunnel_write_request: TUNNEL_PAD1
tunnel_read_request:  TUNNEL_PAD1
poll() timed out
tunnel_write_request: TUNNEL_PAD1
tunnel_read_request:  TUNNEL_PAD1
poll() timed out
tunnel_write_request: TUNNEL_PAD1
tunnel_read_request:  TUNNEL_PAD1
poll() timed out

After x sec­onds, the con­nec­tion will close and re-establish itself:

1
2
3
4
5
6
7
8
9
10
11
12
13
tunnel_write_request: con­nec­tion > 300 sec­onds old
tunnel_write_request: clos­ing old con­nec­tion
tunnel_out_disconnect: warn­ing: bytes=4278 != content_length=102400
tunnel_out_disconnect: out­put dis­con­nected
tunnel_out_setsockopts: non-fatal SO_SNDLOWAT error: Pro­to­col not avail­able
tunnel_out_setsockopts: non-fatal SO_SNDLOWAT: 0
tunnel_out_setsockopts: SO_LINGER: onoff=1 linger=2000
tunnel_out_setsockopts: non-fatal TCP_NODELAY: 1
tunnel_out_setsockopts: SO_KEEPALIVE: 1
http_write_request: POST
http://1.2.3.4:80/index.html?crap=1161192374 HTTP/1.1
tunnel_out_connect: out­put con­nected
tunnel_write_request: TUNNEL_PAD1

From the httport faq:
Q: When I use SSH (or VNC, or ) over GNU http­tun­nel, the pro­gram locks up after a few min­utes (or hours). When I close the pro­gram and attempt to recon­nect, SSH times out. What’s wrong?
A: Your http­tun­nel con­nec­tion has failed on the client end (pos­si­bly due to net­work con­ges­tion), but the server end has not rec­og­nized that the con­nec­tion has been lost and won’t allow another con­nec­tion until the first con­nec­tion times out. To estab­lish a more sta­ble tun­nel, try exper­i­ment­ing with the var­i­ous options for the htc and hts pro­grams. The fol­low­ing set­tings seem to work pretty well for me, but your mileage may vary:

1
2
3
hts –S –max-connection-age 20000 –F localhost:22 8890

htc –F 8890 –strict-content-length –B 5k –max-connection-age 2000 –P proxy.mycompany.com:8080 10.1.1.1:8890

Links:
http://www.nocrew.org/software/httptunnel/faq.html (GNU http­tun­nel faq)
http://www.nocrew.org/software/httptunnel.html (GNU http­tun­nel home)
http://sebsauvage.net/punching/ (GNU http­tun­nel how-to)

GNU HTTPtunnel v3.3 Windows Binaries

21 Comments

  • 1 locusok wrote:

    haha thanks

    July 3, 2006 at 08:04 Permalink

  • 2 Thejipster wrote:

    You need to set the HTTP keepalive option in Putty to keep an HTTP ses­sion going, oth­er­wise you would loose the con­nec­tion after a pre-defined time­out inter­val set by the proxy.

    September 12, 2006 at 20:27 Permalink

  • 3 Lorenzo wrote:

    Don’t know why, but it seems the ver­sion of cyg­win that comes with the lat­est openssh does not work along with the one who comes with http­tun­nel.
    At begin­ning, i used http­tun­nel alone and it seemed to work. After that, I tried installing OpenSSH, and then http­tun­nel began com­plain­ing about it hav­ing an older ver­sion of cygwin1.dll.
    Fol­low­ing the on-screen sug­ges­tions, I’ve updated to the lat­est cyg­win from cygwin.com and updated all the .dll to the lat­est rev..
    Now .. there’s no way to make http­tun­nel to work: when I launch HTS, it just hangs.
    removing-Reinstalling cyg­win does not solve the issue.
    Please, give me some advice, thanks!

    October 11, 2006 at 04:21 Permalink

  • 4 michu wrote:

    you could use openssh and http­tun­nel in dif­fer­ent direc­to­ries, win­dows all­ways looks in the cur­rent direc­tory for the dll.

    October 14, 2006 at 13:55 Permalink

  • 5 Lorenzo wrote:

    I fixed the issue (installed on fresh machine) but…
    when­ever I use SSH or open­vpn (in tcp of course) HTC process dies.. any hint?
    (using the same cygwin1.dll that came with it)

    October 16, 2006 at 02:45 Permalink

  • 6 Michu wrote:

    You could use file­mon from sys­in­ter­nals to check if you miss some files…

    October 16, 2006 at 09:14 Permalink

  • 7 Lorenzo wrote:

    Hi
    I’m sure I’m not miss­ing any file because the HTTP­Tun­nel does actu­ally work, as long as I don’t use it for ‘com­plex’ traf­fic like SSH or Open­VPN.
    The process remains alive until I open Putty and con­nect to the localhost:forwardedport or open­vpn (same), at wich point HTC sim­ply dis­ap­pears from the process list (and the tun­nel closes of course..)
    Thanks!

    October 18, 2006 at 03:41 Permalink

  • 8 michu wrote:

    I will release a debug build of htc, this should help to trace some issues

    October 18, 2006 at 09:11 Permalink

  • 9 Lorenzo wrote:

    Thanks for the new build! I’ll try it imme­di­ately and I’ll let you know as soon as pos­si­bile.
    Again: thanks!

    October 22, 2006 at 23:06 Permalink

  • 10 Lorenzo wrote:

    It seems I had just over­looked the fact that HTTP­Tun­nel does not sup­port NTLM authen­ti­ca­tion.. and this caused all of the prob­lems.
    A shame, since most fire­walls are ISA and they do require NTLM auth.. any chance of hav­ing it imple­mented?
    Thanks again!
    Lo.

    November 19, 2006 at 17:48 Permalink

  • 11 michu wrote:

    You could try to use a NTLM proxy: http://apserver.sourceforge.net/ (old web­site: http://www.geocities.com/rozmanov/ntlm/). Good luck!

    November 20, 2006 at 10:34 Permalink

  • 12 raleks wrote:

    http://slashstar.com/blogs/dave/archive/2006/11/27/SSH-Tunneling-_2800_on-Windows_2900_-with-OpenSSH-and-Putty-through-an-HTTP-proxy-.aspx

    Just find how to tun­nel­ing with­out HTTP proxy :) Have fun! Thanks to Dave!!

    March 27, 2009 at 13:25 Permalink

  • 13 StarTroll wrote:

    I’m try­ing to get through my com­pany fire­wall. Until recently I could just use PuTTY to set-up a con­nec­tion to my home sshd and every­thing was fine. But now the proxy’s con­fig­u­ra­tion has been changed. It seems that the proxy blocks the http_connect com­mand. And it also uses NTLM authentication.

    So, I’ve installed Cyg­Win on my WinXP work PC. In Cyg­Win I’ve installed NTLMAPS, which cre­ates a ‘nor­mal’ HTTP proxy. NTLMAPS con­nects to the com­pany proxy. This sort of trans­forms the NTLM proxy into a reg­u­lar one. My plan was to use HTTP­Tun­nel to con­nect to my home server (run­ning hts) through the NTLMAPS proxy. This way, I can still use HTTP­Tun­nel (which doesn’t under­stand NTLM) to bypass the http_connect restriction.

    The NTLMAPS proxy works, I can have my Fire­fox con­nect through it and receive pages (although it’s slower of course than directly through the com­pany proxy).

    But, like Lorenzo, when I try to have ssh use the hts-htc tun­nel, the htc client dies with any error mes­sage. See­ing the htc is con­nected to NTLMAPS, it shouldn’t see the NTLM authen­ti­ca­tion at all, so I doubt Lorenzo’s con­clu­sion is cor­rect, I fear that there is a dif­fer­ent problem.

    Does any­one have an idea?

    May 14, 2009 at 11:31 Permalink

  • 14 Adam wrote:

    Hav­ing sim­i­lar prob­lems try­ing to con­nect through an ISA proxy… any chance you could post a link to your Visual Stu­dio project files & Win­dows source to allow us to debug more fully?

    July 30, 2009 at 15:49 Permalink

  • 15 michu wrote:

    hey adam, there is no vs project file as this is a cyg­win port. I guess you have some ntlm issues, you need to authen­ti­cate your­self on the isa proxy…

    July 31, 2009 at 18:01 Permalink

  • 16 h3liburton wrote:

    How can I lunch my home server behind restricted fire­wall and router to Inter­net use by your HTTP tun­nel with­out touch router and firewall.

    September 6, 2009 at 14:43 Permalink

  • 17 michu wrote:

    … lunch your homeserver?

    October 6, 2009 at 23:00 Permalink

  • 18 miser wrote:

    I per­sonal use super net­work tun­nel, can find it at http://www.networktunnel.net, it’s more easy.

    November 13, 2009 at 03:08 Permalink

  • 19 Martik Panosian wrote:

    Can I use this to bypass the fil­ter­ing? im in iran

    March 31, 2010 at 05:06 Permalink

  • 20 michu wrote:

    HTTP­tun­nel itself does NOT encrypt your net­work traf­fic — so the answer is NO. But if you use HTTP­tun­nel with SSH the answer is YES.

    March 31, 2010 at 08:49 Permalink

  • 21 Eddie wrote:

    I’ve got the server and client run­ning in debug mode and the last line in the client reads:

    http_write_request: GET /index.html?crap=1313771171 HTTP/1.1

    On the server side the last line reads:

    con­nec­tion from 123.456.789.100:12101

    …and just sits there doing noth­ing. Any idea what is happening?

    I’ve tried using Tel­net to emu­late the client and I get a full response when I man­u­ally type in an HTTP GET request.

    August 19, 2011 at 17:53 Permalink

Post a Comment

Your email is never published nor shared. Required fields are marked *

*
*