Feeds:
Posts
Comments

Posts Tagged ‘ssh’

DISCLAIMER: DEAR READER, AS BY THE TIME YOU ARE READING THIS ARTICLE, THE PROVIDER MENTIONED AS “SHELLMIX” MAY NOT BE PROVIDING THE DISCLOSED SERVICE AS MENTIONED IN THE ARTICLE. NEVERTHELESS, THE ARTICLE STILL STANDS VALID FROM THE THEORETICAL POINT OF VIEW.

By default, Skype uses techniques that preserve the security of the information and internet connections, and protect the user confidential data (i.e. Text Messages, Voice, Video, Personal Profile Data) from being compromised …

If some ISP want to censor the data of Skype client, they would naturally go into troubles and find these techniques an obstacle in their way … a naïve ISP then, would simply block traffic of Skype by known blocking techniques. In this tutorial we will demonstrate how to tunnel Skype (actually, similar clients other than Skype can benefit from this tutorial the same way) through encrypted tunnels over the internet so the ISP can’t even know whether we are on Skype or not.

Introduction:

For the purpose of not making this tutorial a close-brain-and-click tutorial … I’ll try to explain some terms and concepts along the way, that gives us better realization of what we are doing here.

First, I want to explain the term “SSH”.

Secure Shell or SSH is a network protocol that allows data to be exchanged using a secure channel between two networked devices. (Wikipedia).

Note: “Channel” and “tunnel” will be used interchangeably.

This protocol ensures the transmission of data in an encrypted form, thus, the ISP won’t be able to recognize the data, and thus, won’t be able to sniff our personal data or block it after recognizing it.

For some people with intermediate knowledge in internet technology or some computer network programming, the idea of a “Tunnel” won’t be very clear for them because they would be thinking of a probable implementation of the word of what they know already. If you can’t find one, don’t worry. Actually, the word is just an abstract idea, so you need not to think about it’s implementation, you just accept it in the abstract form for now.

Our strategy here is to acquire 2 things:

1- A piece of software on our computer that can encrypt the data and put it on the tunnel, and later, receive the data sent it from the other end of the tunnel and decrypt it and give it to us.

2- A piece of software that receive our encrypted data (after it has passed the ISP undetected), decrypt it, and send it to the internet ( to where it originally was destined ), later, receive the data coming from the destination to us, encrypt it and forward it to our side so we can read it.

Traffic passing throug SSH tunnel

First, we will be heading to acquire the 2nd piece. Someone may ask why we are conflicting with the order of pieces, well, the second piece is the service we want to consume so we need to get it first.

The 2nd Piece:

Actually, we won’t install a SSH server, rather, we will use a FREE service provided from Shellmix : www.Shellmix.com.

In the website of Shellmix, you can find instructions for how to create a new FREE account … nevertheless, some users may find it rather tough and technically professional set of instructions, so I decided to give shed about how to create a FREE account with Shellmix.

To make a new account with Shellmix, we first need to download a tool called “Putty”:

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

(download putty.exe)

Note: in the mean time, Shellmix provide an alternative way to register a new account from their website directly. Putty still works. The interface of registration is the same whether we use Putty or the alternative method.

After the main screen of Putty show up, fill the details shown below:

Capture

Press “Open” … now you will get a black scree and be asked for a user name and password.

Username: newuser
Password: newuser

Now you read “Enter your login name => “, you enter the user name you want, and press Enter.

Now you read “Enter your password => “, you enter the password of the account.

The password again for confirmation.

The services includes a free MySQL database, which isn’t useful for the regular user. Now you read “Enter new password to MySQL database => “, you enter what ever password you want.

Now you read “Your email address => “, enter a “valid” email address, you’ll receive emails to it.

Now you read “Choose editor (Press ? to see list) => [pico]: ”, just press Enter.

Now you read “Choose language (Press ? In order to see list): ”, you enter “us” for English and press Enter. You can see other options by pressing ‘?’.

Now you read “Choose your vhost (Press ? In order to see list and help):”, you type “shell” and press Enter, or ‘?’ for other options.

Now you read “Choose your HARD DISK (Press ? In order to see list):”, you type “hdd1” and press Enter, or ‘?’ for other options.

By now, you have completed your data entry, and now the server need to create your account. The screen shows a summery of your data, and waits for your Enter key, press it.

After some processing the server completes your registration and the account is ready to be used.

The 1st Piece:

Now that we have the 2nd piece covered, we aim to the 1st piece that we will use for connecting to the SSH service.

What I didn’t mention till now is that “Putty” IS the 1st piece of software. What I didn’t mentioned also is that we already CONNCTED to the SSH Server once. But the purpose back then wasn’t to access the internet, rather, to register our new account.

This time we will use “Putty” with shellmix in a similar way … but for accessing the internet, and because of this, we need to find out how we can hook programs that need to access the internet to putty, so the traffic generated and received by these programs goes in and out through Putty which is connected to the SSH service.

We will do that by using a very nice feature in Putty, which is SOCKS5 Proxy.

Untitled

Most of us are familiar with proxies. usually we use HTTP/HTTPS proxies. But this time we will use a SOCKS5 (SOCKS v5) proxy which is almost the same for the normal user as HTTP/HTTPS proxy but with some different considerations and technical details. As long as Skype supports SOCKS5 proxies, we don’t need to discuss it so much here, we can just go on.

Connecting Skype to the Internet using Shellmix and Putty:

After we have completed the registration on Shellmix, we will use those credentials to login to the server again but this time with different port, and some additional configuration in Putty.

First, we open Putty and enter the details shown below:

Capture1

Now, in the “Category” tree on the left, we go to ( Connection –> SSH –> Tunnels). Here we will enter the information for the SOCKS proxy:

Capture2

Note here that we configured the “port” on which the SOCKS5 proxy will listen on, to (9090) … This isn’t mandatory, and you can put any port depending on your preference. Note also, that some ports could be already opened by other programs on the same computer, so be sure to choose a free port. 9090 works well for me since none of my programs uses it.

After entering the shown data, and pressing “Add” … a new record in the “Forwarded ports:” list will appear as “D 9090”.

(OPTIONAL)
You can save these settings you have just made so you don’t have to enter them every time you want to connect to Shellmix. To do that, go to the main screen in Putty, type a name for the configuration (e.g. Shellmix) and press “Save”.
Capture4
Now, when you want to connect to Shellmix, you only have to double-click on the name “Shellmix”. Alternatively, you can choose “Shellmix” from the list, and press “Load”, then click “Open”.

Connecting to shell mix:

Now we are ready to go “SECURED” …

First we will initiate the connection to Shellmix. Considering you still have “Putty” opened with the data setup, click “Open” to start the connection.

After the connection is initiated with the Shellmix server, the server asks for the user name and password:

image

Note that password will not show on screen as you are typing it for security reasons.

After entering the required data, a notification will appear to us from Shellmix indicating a good successful login.

image

Press the Enter key and you get some info on Putty black console, and we are just ready to go and open Skype.

Configuring and running Skype:

This is the Skype interface due to the date of publishing of this post. We need to go to the “Connection options …”.

image

I don’t remember that the “Connection options …” interface has ever changed since the day I “discovered” Skype. Now we need to connect the Skype with Putty by entering the following information:

Capture6

Press “Save” … restart Skype … log in Skype … and we are DONE!!

Note: that the console window of Putty should remain open as long as you are using Skype.

Note: the SOCKS5 proxy we setup with Putty isn’t dedicated to Skype alone. That means, any program that can connect to the internet using a SOCKS5 proxy can take advantage of Putty proxy, side by side with Skype. IE and Firefox supports SOCKS5 proxy and can work well with Putty’s proxy.

Note: we didn’t even used 25% of the services that Shellmix provide. Tunneling our traffic to Shellmix is only one of 10s of features that there is no room for them here to be presented, and which may probably not be interesting for the normal internet user.

Thanks for reading and I hope you enjoyed the tutorial.

Feel free to contact on email : hassoon3@msn.com.

Update 20/Aug/2011:

You can now watch a video tutorial on YouTube:

Update 12/Apr/2012:

After some researching, I found out that Skype naturally will try to connect directly without a proxy even when provided with one, then in case it fails to establish the connection directly it will try using the provided proxy address. To prevent such behavior, it’s recommended to set rules in the Firewall of the system to prevent Skype from establishing any connection to any destination other than the computer address of our proxy. In the following lines, I provide a script that sets 2 rules in Windows Firewall in a Windows 7 platform that will prevent the executable of Skype (called Skype.exe) from generating outbound traffic ( that includes establishing connections )  of type TCP to any destination other than 127.0.0.1 which is the address that my proxy binds its self to:

netsh advfirewall firewall add rule name=”SkypeBlockTCP” dir=out action=block program=%skype% enable=yes protocol=tcp profile=any
netsh advfirewall firewall add rule name=”SkypeAllowToProxy” dir=out action=allow program=%skype% enable=yes remoteip=127.0.0.1


To use the script, create a new text file, then copy and paste the 2 lines to it, then you’d need to replace the [ %skype% ] in both lines with the path of the Skype Phone executable on your file system enclosed with double quotes (e.g. “C:\Skype.exe”). Save the file, and change the extension from (.txt) to (.bat) and then run the file “As Administrator”. No you have Skype able to connect only using a proxy.

The following 2 lines script undoes the actions of the first:

netsh advfirewall firewall delete rule name=”SkypeBlockTCP”
netsh advfirewall firewall delete rule name=”SkypeAllowToProxy”

Follow the instructions for the first script to use this one as well.

Read Full Post »