Bypassing Cisco Umbrella with SSH Tunneling

There was a need to bypass Cisco Umbrella. Machine A (MA) was a locked-down enterprise AD device. During a pen test I discovered a URL that suggested it should be hidden from the public. Navigating to it in MA's browser resulted in the site being blocked by Cisco Umbrella. I didn't have quick access to any VPNs and needed to see what was on this URL.

I have a local machine (LM) but I didn’t want to expose my personal IP.

I learned about ngrok from the GCPN class. It's port forwarding as a service (free or paid).

  1. Turned on VPN to hide my local IP

  2. Check LM for SSH Server.

    sudo systemsetup -getremotelogin

  3. If off, turn on SSH Server.

    sudo systemsetup -setremotelogin on

  4. Port forward LM port 22 to the internet.

    ngrok tcp 22

  5. On MA, start an SSH tunnel. This uses dynamic port forwarding, aka a SOCKS proxy, which means multiple protocols can pass through one port.

    ssh -D 1080 -N -f -C -q username@your-mac-ip

  6. I used Mozilla Firefox on WSL and for some reason couldn't open settings, so I went the tab editing route.

    about:config

  7. Find these settings and replace them with localhost and the port we used in step 5 (1080).

    network.proxy.type 1

    network.proxy.socks 127.0.0.1

    network.proxy.socks_port 1080

    network.proxy.socks_version 5

    network.proxy.http 127.0.0.1

    network.proxy.http_port 1080

Checking a what's-my-IP website shows my VPN, so it looks like it worked. I was able to hit the URL and find internal client files, which is a finding.
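From the defender's side, the `ssh -D` step leaves a recognisable process command line on the endpoint. The following is an added example, not code from the original post: it parses ssh command lines from process-creation telemetry and flags dynamic (SOCKS) forwards, including clustered flags and `-o DynamicForward`. The sample command lines are constructed, and the `.ngrok.io` suffix list is an assumption to adapt per environment.

```python
import re
import shlex

# Options that take an argument, per the ssh(1) synopsis.
SSH_OPTS_WITH_ARG = set("BbcDEeFIiJLlmOoPpQRSWw")
# Assumption: hostname suffix of ngrok TCP endpoints; extend per environment.
TUNNEL_SUFFIXES = (".ngrok.io",)
SAMPLE_CMDLINES = [  # constructed process-creation command lines
    "ssh -D 1080 -N -f -C -q username@your-mac-ip",
    "/usr/bin/ssh -fNCqD1080 -p 10022 user@0.tcp.ngrok.io",
    "ssh -o 'DynamicForward 127.0.0.1:1080' user@host.example",
    "ssh -p 22 admin@host.example ls -D",
]


def inspect_ssh(cmdline):
    """Return (socks_specs, destination) for one ssh command line, else ([], None)."""
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] != "ssh":
        return [], None
    specs, dest, args = [], None, iter(argv[1:])
    for arg in args:
        if not arg.startswith("-") or len(arg) == 1:
            if dest is not None:
                break  # second positional starts the remote command
            dest = arg
            continue
        for j, flag in enumerate(arg[1:], start=2):  # walk a cluster like -fND1080
            if flag in SSH_OPTS_WITH_ARG:
                value = arg[j:] or next(args, "")  # attached, or the next argv element
                parts = re.split(r"[=\s]+", value.strip(), maxsplit=1)
                if flag == "D":
                    specs.append(value)
                elif flag == "o" and len(parts) == 2 and parts[0].lower() == "dynamicforward":
                    specs.append(parts[1])
                break
    return specs, dest


def flag_tunnels(cmdlines):
    """Return one finding per ssh command that opens a local SOCKS listener."""
    findings = []
    for line in cmdlines:
        specs, dest = inspect_ssh(line)
        if specs:
            host = (dest or "").rsplit("@", 1)[-1].lower()
            findings.append({"socks": specs, "dest": dest,
                             "tunnel_service": host.endswith(TUNNEL_SUFFIXES)})
    return findings
```

Calling `flag_tunnels(SAMPLE_CMDLINES)` returns three findings; the fourth command is skipped because its `-D` belongs to the remote `ls` command, not to ssh.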
