Open an SSL proxy over SSH and add N layers of SSH/SSL to the communication between a client and a server.
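#! /bin/bash
# Credits : anonymous
# Open a TLS proxy in front of the ssh port, i.e. get X layers of TLS
# encryption on top of ssh. See NBSSL for the number of TLS layers.
# Run without arguments for usage.
# Work from the script's own directory: server.crt/server.key and the pid
# files below are addressed relative to it, so a failed cd must not continue.
cd "$(dirname -- "$0")" || exit 1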
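#######################################
# Print the first TCP port >= the start port on which nothing on $1 accepts
# a connection. "Free" is decided by a failed connect() through bash's
# /dev/tcp pseudo-device, so a firewall that silently drops packets can stall
# the probe until the connect times out, and another process may take the
# port between this probe and the later bind (inherent TOCTOU).
# Arguments: $1 - host or IP to probe
#            $2 - first port to try (default 1212); must be a decimal number
# Outputs:   the chosen port on stdout
# Returns:   0 on success, 1 if no port up to 65535 is free, 2 on a bad $2
#######################################
find_port()
{
  local ip2scan=$1
  local port=${2:-1212}
  # $2 comes from the command line; refuse anything that is not a plain
  # number before it reaches arithmetic evaluation.
  if [[ ! "$port" =~ ^[0-9]+$ ]]; then
    printf 'find_port: invalid start port %s\n' "$port" >&2
    return 2
  fi
  while (( port <= 65535 )); do
    # The redirection fails (connection refused / unreachable) when nothing
    # listens there; that failure is what marks the port as free. stderr is
    # redirected first so the shell's own open error is silenced too.
    if ! head -c0 - 2> /dev/null < "/dev/tcp/${ip2scan}/${port}"; then
      echo "$port"
      return 0
    fi
    port=$((port + 1))
  done
  printf 'find_port: no free port found on %s\n' "$ip2scan" >&2
  return 1
}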
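#######################################
# Start NBSSL chained socat TLS listeners in front of the local sshd.
# Layer 1 relays to localhost:22, every further layer relays to the previous
# layer, and only the last layer binds the public address. The last-layer
# test is evaluated before the first-layer test so that NBSSL=1 still binds
# the public address instead of localhost.
# Globals:   NBSSL (read; default 2)
# Arguments: $1 - address the last layer binds to
#            $2 - port of the last layer (optional; probed with find_port
#                 on $1 when empty)
# Outputs:   progress messages on stdout; one socat pid per line appended to
#            tcpsproxy.pid in the current directory
# Returns:   0 on success, 1 when server.crt/server.key are unreadable or no
#            free port could be found
#######################################
start_server()
{
  local spub=$1
  local lastport=$2
  local layers=${NBSSL:-2}
  local nb miport oldport="" bind target
  # Every socat below reads both files; fail early instead of leaving a
  # half-started chain (and a pid file full of dead pids) behind.
  if [[ ! -r server.crt || ! -r server.key ]]; then
    printf 'start_server: server.crt and server.key must be readable in %s\n' "$PWD" >&2
    return 1
  fi
  : > tcpsproxy.pid
  for (( nb = 1; nb <= layers; nb++ )); do
    # Layer 1 wraps sshd itself; later layers wrap the previous layer.
    if (( nb == 1 )); then
      target=22
    else
      target=$oldport
    fi
    # Only the outermost layer is exposed on $spub.
    if (( nb == layers )); then
      bind=$spub
      miport=${lastport:-$(find_port "$spub")}
    else
      bind=localhost
      miport=$(find_port localhost 2>/dev/null)
    fi
    if [[ -z "$miport" ]]; then
      printf 'start_server: no free port for layer %s\n' "$nb" >&2
      return 1
    fi
    printf '\nRelay localhost:%s to %s:%s\n' "$target" "$bind" "$miport"
    # verify=0: clients are not asked for a certificate. socat's stdout is
    # discarded while its stderr stays on the terminal, so its own errors
    # (bad cert, port already bound) remain visible.
    socat "openssl-listen:${miport},bind=${bind},fork,reuseaddr,verify=0,cert=server.crt,key=server.key" \
      "TCP4:localhost:${target}" 2>&1 > /dev/null &
    echo $! >> tcpsproxy.pid
    oldport=$miport
    # Give the listener a moment to bind before the next layer probes ports.
    sleep 1
  done
  printf '\nTo kill all\n\tkill `cat tcpsproxy.pid`\n'
  printf '\nEnd port server is %s\n' "$miport"
}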
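#######################################
# Start NBSSL chained local socat listeners that wrap a connection to the
# server chain in TLS (openssl s_client). Layer 1 connects to $1:$2, every
# further layer connects to the previous local layer, and the final printed
# port is the one ssh should connect to.
# Globals:   NBSSL (read; default 2)
# Arguments: $1 - server address
#            $2 - server port (the server chain's last layer)
# Outputs:   progress messages on stdout; one socat pid per line appended to
#            socat.pid in the current directory
# Returns:   0 on success, 1 when no free local port could be found
#######################################
start_client()
{
  local spub=$1
  local sport=$2
  local layers=${NBSSL:-2}
  local nb miport oldport="" host port
  : > socat.pid
  for (( nb = 1; nb <= layers; nb++ )); do
    miport=$(find_port localhost 2>/dev/null)
    if [[ -z "$miport" ]]; then
      printf 'start_client: no free local port for layer %s\n' "$nb" >&2
      return 1
    fi
    # Layer 1 talks to the server; later layers talk to the previous layer.
    if (( nb == 1 )); then
      host=$spub
      port=$sport
    else
      host=localhost
      port=$oldport
    fi
    printf '\nConnect to %s:%s listen on localhost:%s\n' "$host" "$port" "$miport"
    # NOTE: s_client runs without -CAfile/-verify_return_error, so these TLS
    # layers do not authenticate the peer; the host-key check of the ssh
    # session carried inside is the only peer authentication in this setup.
    # socat splits the exec: string on whitespace, so $host must not
    # contain spaces.
    socat -d "TCP4-L:${miport},reuseaddr,fork,bind=localhost" \
      "exec:openssl s_client -host ${host} -port ${port} -ign_eof -quiet" 2>&1 > /dev/null &
    echo $! >> socat.pid
    oldport=$miport
    # Give the listener a moment to bind before the next layer probes ports.
    sleep 1
  done
  printf '\nTo kill all\n\tkill `cat socat.pid`\n'
  printf 'Now you can connect to localhost:22 via\n\tssh -p %s localhost\n' "$miport"
}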
# Print the command-line help on stdout and stop the script with status 12.
Usage()
{
  printf '%s\n' \
    "export NBSSL=4 # default = 2" \
    "$0 server <final bind IP optionally> <final bind port optionally>" \
    "$0 client <connect IP> <connect port>"
  exit 12
}
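### MAIN
########
# Default public address: the first non-loopback IPv4 address that `ip addr`
# prints. head -n1 keeps the interface address, which precedes any broadcast
# address on the same line.
SPUB=$(ip addr | grep -Eo '([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | grep -vF 127.0.0.1 | head -n1)
# Number of TLS layers, default 2 (see Usage).
[ -z "$NBSSL" ] && NBSSL=2
case "$1" in
  "server")
    [ -n "$2" ] && SPUB=$2
    start_server "$SPUB" "$3" ;;
  "client")
    # Usage lists both the IP and the port as required for client mode;
    # without them the client would try to connect to this host's own address.
    [ -z "$2" ] && Usage
    [ -z "$3" ] && Usage
    SPUB=$2
    start_client "$SPUB" "$3" ;;
  *)
    Usage ;;
esac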