Escape your company network proxy

Your company network is "blocked"? Probably they are using a proxy to filter your outbound connections.

The usual solution is to encapsulate YOUR traffic inside the traffic your COMPANY ALLOWS.


  • I will show how to establish a ssh connection to a server over the Internet. Then you will be able to create a socks proxy and use most applications freely.
  • Before all you will need to be able to "browse" the Internet on the company assigned computer. Try opening https://encrypted.google.com/.
  • You may be breaching your employment agreement doing this. You have a read a lot of "this is just academic, don't do this a home", but I really mean it. I've used this kind of "jailbreak" in 3 different companies up to now, but on their best interest. That means this is just a shortcut for having to ask the IT people to open the exception for our computer, or to deal with "that's to complicated"-type IT administrators.
  • No method is perfect and even if the IT staff can't know exactly what are you doing over the tunnel, they can at least notice the potential high bandwidth usage from your machine to that weird server that no one else use.
  • You will need a Linux server accessible over ssh on the Internet. And in most cases you also need root privileges to bind to TCP 443. Can you do this with a Windows server? I don't know, Windows Servers are expensive and I haven't used them that much.

The proxy very probably will be a HTTP proxy(CONNECT Method) that only allows connections to TCP port 443. You might get lucky and get one that allows to TCP port 22.

Start by collecting your proxy configuration. In Windows (supposing this is your company assigned OS) go to "Internet Options->Connections->LAN settings" and you might see something as proxy.mycompany.com:8080.

Then check if you need authentication. Do you type a username and password when you open the Internet Explorer?

I assume you have a linux server with openssh daemon running at myserverontheinternet.com:22

There are at least 3 methods to try to get connectivity. Method A will probably not work on most companies, Method B have worked everywhere I tried, Method C is proxy proof as it gets but will have some processor and network overhead.

I've tested the 3 Methods both on Windows and Linux.

The only tool beside ssh client/server is ncat. Ncat is included with nmap.

To install on windows, download at http://nmap.org/download.html. On linux use your package manager, ex, on ubuntu: sudo apt-get install nmap

Method A:

Server :

(nothing to do)

Client [3]:

ncat -kl 8000 --sh-exec "ncat --proxy proxy.mycompany.com:8080 --proxy-type http --proxy-auth mike:mypassword myserverontheinternet.com 22"

ssh -p 8000 root@localhost

Method B:

Server [1]:

sudo ncat -kl 443 --sh-exec "ncat localhost 22"

Client [3]:

ncat -kl 8000 --sh-exec "ncat --proxy proxy.mycompany.com:8080 --proxy-type http --proxy-auth mike:mypassword myserverontheinternet.com 443"

ssh -p 8000 root@localhost

Method C [4]:

Server [2]:

sudo ncat -kl 443 --ssl --sh-exec "ncat localhost 22"

Client [3]:

ncat -kl 8000 --sh-exec "ncat --ssl --proxy proxy.mycompany.com:8080 --proxy-type http --proxy-auth mike:mypassword myserverontheinternet.com 443"

ssh -p 8000 root@localhost

This client instructions apply to linux with openssh ssh(1). If you are using Windows, just adapt accordingly.

There are quite a lot of other examples of doing this using other tools, probably smaller than nmap/ncat. But nmap is maintained and is available for most distributions, that's why it is my favorite.

OpenWrt have also ncat available now (package ncat and ncat-ssl), so if you are looking for a standalone linux machine for this, consider using a cheap router :).

Please comment if it worked for you.

[1] - You may bind openssh sshd directly to port 443 changing /etc/ssh/sshd_config. This is the recommend way of doing this and you shall replace it. I'm showing with ncat just to keep it similiar to the other examples.

[2] - Unless you have some kind of additional internet connection (like 3G) you can't set this from inside the company (because you haven't yet escaped the firewall). Just set it at home and create a script to start it on boot.

[3] - If you using linux you can set the ncat as a proxy command that will start each time you try to connect. Example, for method C add the following line to the end of /etc/ssh/ssh_config:

ProxyCommand ncat --ssl --proxy proxy.mycompany.com:8080 --proxy-type http --proxy-auth mike:mypassword %h %p

Now run ssh as:

ssh -p 443 root@myserverontheinternet.com

[4] - This way your traffic will look like regular SSL traffic instead of SSH traffic. This might work to go over extensive network filtering. You migh notice that we are not doing any kind of certificate checks, and that is because we are not relying on SSL security, because openssh is secure by itself.

Post a Comment