Simple SSH port forward in Golang - go

I'm trying to create (and later close) a simple TCP port forward over SSH with Go. I'm new to Golang and statically typed languages. (Coming from Ruby.)
In a terminal I would simply run ssh -L 9000:localhost:9999 user#server.com and this accomplishes what I need. I want to do the same, programmatically with Go.
I have tried using this example as a starting point and this recent test to try to understand what to do, but now I have a pile of confusing jumbled code when it seems like this is actually a very simple thing to do.
Any help would be very much appreciated! :-)

I finally figured out how to do this, I got hints from schmichael in an IRC channel. Thanks to all!
EDIT: A little explanation:
A big part of the problem I was having was that I did not realize a local net.Listener (not just a local net.Conn) needed setup to receive a local request and create the net.Conn before forwarding the bytes.
Also, there exist both port forwards and reverse port forwards and I hadn't previously thought in detail about the fact that a regular port forward also sends bytes back, so copying the remote reader to local writer was not something I had implemented, yet it's very much needed.
Here is an attempt to relate the essence of what this code does:
Listen on local port 9000.
Upon attempted read from local port 9000: (listener.Accept()),
Accept connection and return a local io.Reader and io.Writer and,
Connect to remote server and,
Connect to remote port 9999 returning a io.Reader and io.Writer.
Continually copy local io.Reader bytes to remote io.Writer,
Continually copy remote io.Reader bytes to local io.Writer.
Here is the code:
package main
// Forward from local port 9000 to remote port 9999
import (
"io"
"log"
"net"
"golang.org/x/crypto/ssh"
)
var (
username = "root"
password = "password"
serverAddrString = "192.168.1.100:22"
localAddrString = "localhost:9000"
remoteAddrString = "localhost:9999"
)
func forward(localConn net.Conn, config *ssh.ClientConfig) {
// Setup sshClientConn (type *ssh.ClientConn)
sshClientConn, err := ssh.Dial("tcp", serverAddrString, config)
if err != nil {
log.Fatalf("ssh.Dial failed: %s", err)
}
// Setup sshConn (type net.Conn)
sshConn, err := sshClientConn.Dial("tcp", remoteAddrString)
// Copy localConn.Reader to sshConn.Writer
go func() {
_, err = io.Copy(sshConn, localConn)
if err != nil {
log.Fatalf("io.Copy failed: %v", err)
}
}()
// Copy sshConn.Reader to localConn.Writer
go func() {
_, err = io.Copy(localConn, sshConn)
if err != nil {
log.Fatalf("io.Copy failed: %v", err)
}
}()
}
func main() {
// Setup SSH config (type *ssh.ClientConfig)
config := &ssh.ClientConfig{
User: username,
Auth: []ssh.AuthMethod{
ssh.Password(password),
},
}
// Setup localListener (type net.Listener)
localListener, err := net.Listen("tcp", localAddrString)
if err != nil {
log.Fatalf("net.Listen failed: %v", err)
}
for {
// Setup localConn (type net.Conn)
localConn, err := localListener.Accept()
if err != nil {
log.Fatalf("listen.Accept failed: %v", err)
}
go forward(localConn, config)
}
}

I have used your (damick) example code to build a tiny open source tool: SSHTunnel
https://github.com/SommerEngineering/SSHTunnel
Therefore, the code is freely available at GitHub for anyone: Please feel free to use it for learning purposes or for anything else :) I have mentioned your nickname and also linked to this question.
Best regards,
Thorsten.

I'v finished a simple SSH port forward tool called mallory.
It provides HTTP proxy instead of SOCKS proxy, which is really similar to ssh -D.
The core code is similar to damick's answer.
Create ClientConfig
ssh.Dial to remote SSH server with the config and return Client
Now you can use Client.Dial to forward anything you like.
Dial initiates a connection to the addr from the remote host. The resulting connection has a zero LocalAddr() and RemoteAddr().
If you want to serve a SOCKS proxy server, use Client.Dial to connect to the remote server.

I Wrote a tool,Called gosshtool,with this tool,you can easy to create a simple TCP port forward over SSH with Go.https://github.com/scottkiss/gosshtool
I use this tool implemented a port forward server example project:
https://github.com/scottkiss/gooverssh

Related

False positives during asynchronous TCP scanning through the Socks5 Proxy relay

I am learning golang and wanted to build a TCP port scanner with SOCKS5 proxies as a relay for mass scanning.
Although all of the S5 proxies are being checked for every target scan, sometimes there are some False positives - and I cannot find the reason why.
Preparing proxyDialer:
func create_socks5_tcp_dialer(socks5_addr string) proxy.Dialer {
//socks5_dialer_tcp, err := proxy.SOCKS5("tcp", socks5_addr, nil, proxy.Direct)
socks5_dialer_tcp, err := proxy.SOCKS5("tcp", socks5_addr, nil, &net.Dialer{Timeout: 5 * time.Second, KeepAlive: 5 * time.Second})
if err != nil {
fmt.Println("Error connecting to proxy:", err)
}
return socks5_dialer_tcp
}
Validating socks5 address:
func socks5_validator(socks5_addr, vps_opened, vps_closed string) (bool, string) {
/* Check if SOCKS5 proxy is valid.
1. Connect to the open port on the server under my control using proxy.
2. Connect to the closed port on the server under my control using proxy.
- If both checks are true then, SOCKS5 proxy is considered as valid.
- If one of the check is false, SOCKS5 proxy is considered as invalid.
3. Returns true/false and s5_addr.
*/
// Create SOCKS5 dialer
socks5_dialer_tcp := create_socks5_tcp_dialer(socks5_addr)
// Make connection using SOCKS5 proxy to the opened port on the vps.
conn_1, err := socks5_dialer_tcp.Dial("tcp", vps_opened)
// If it was successful and not generate any error then check1 is passed.
if err == nil {
//fmt.Println("CHECK 1: PASSED")
conn_1.Close()
// If error was generated then check is not passed and do not make check2.
} else {
//fmt.Println("CHECK 1: NOT PASSED")
return false, socks5_addr
}
// Make connection using SOCKS5 proxy to the closed port on the vps.
conn_2, err := socks5_dialer_tcp.Dial("tcp", vps_closed)
// If it was unsuccessful and error was generated then check2 is passed.
if err != nil {
//fmt.Println("CHECK 2: PASSED")
// If both checks were passed then return false.
return true, socks5_addr
// If error was not generated then check2 is not passed.
} else {
//fmt.Println("CHECK 2: NOT PASSED")
conn_2.Close()
return false, socks5_addr
}
}
Port scanning
s5_dialer_tcp := create_socks5_tcp_dialer(socks5_addr)
// Scan target using s5
conn, err := s5_dialer_tcp.Dial("tcp", target)
if err != nil {
//open
} else {
//closed
}
My question is:
Do I correctly scan TCP services through the SOCKS5 proxy and do I validate this proxy properly?
Link to the full code:
https://github.com/Karmaz95/crimson_prober
I don't think that these are actual false positives. Instead you are having the wrong assumptions of how these proxies will work: You assume that if the single check for a specific port open (connect success) and a specific port closed (connect failure) on a specific server at a specific time succeeds, then the proxy can be used to reliably check many arbitrary ports on arbitrary servers at arbitrary times.
This assumption is likely not valid, especially given that you seem to use proxies which are outside of your control.
A common behavior of such proxies is that they provide only restricted access, i.e. common ports like HTTP and HTTPS will work while other ports will be blocked. Proxies might also employ rate limiting, so they will simply deny access through the proxy after a while. And free proxies available in some lists often cease to work after a while.

How to configure wg0 interface on Windows 10?

I am not able to manage the wireguard interface using wgctl on Windows (10). I have used it on linux and all is fine. I'm using Windows 10 latest updates, wireguard.exe latest, go 1.17.3 latest.
I am using a tunnel created with wireguard.exe /installtunnelservice /path/wg0.conf. If I manage the tunnel with the wireguard GUI, it all works fine. But I need to do it programatically.
C:\>wg
interface: wg0
public key: K0BZ3Bk...5tCWo=
private key: (hidden)
listening port: 57538
peer: 7W6tOXI...F7zAo=
endpoint: 159....105:51820
allowed ips: 100.127.128.0/18
latest handshake: 43 seconds ago
transfer: 31.61 KiB received, 115.69 KiB sent
persistent keepalive: every 25 seconds
...
The following code exits with "file does not exist". Having stepped the code into the library, I think that wireguard.exe is using NT Kernel mode and the library does not support it? Can someone please confirm? What is the best way around this?
package main
import (
"log"
"golang.zx2c4.com/wireguard/wgctrl"
"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
)
func main() {
wgc, err := wgctrl.New()
if err != nil {
log.Printf("wgctrl.New: %s", err)
}
defer wgc.Close()
cfg := wgtypes.Config{}
port := 51822
cfg.ListenPort = &port
err = wgc.ConfigureDevice("wg0", cfg)
if err != nil {
log.Printf("wgc.ConfigureDevice: %s", err)
}
}
After escalating the issue on GitHub, it turned out to be a bug in the library which was promptly fixed not long after I posted this.

How to connect to a remote socket in docker/engine-api?

I want to retrieve all docker images of a remote machine, so I am using docker/engine-api: https://github.com/docker/engine-api
I was successful in returning the docker images of my local machine
with the following code:
package main
import (
"fmt"
"github.com/docker/engine-api/client"
"github.com/docker/engine-api/types"
"golang.org/x/net/context"
)
func main() {
defaultHeaders := map[string]string{"User-Agent": "engine-api-cli-1.0"}
cli, err := client.NewClient("unix:///var/run/docker.sock", "v1.22", nil, defaultHeaders)
if err != nil {
panic(err)
}
options := types.ContainerListOptions{All: true}
containers, err := cli.ContainerList(context.Background(), options)
if err != nil {
panic(err)
}
for _, c := range containers {
fmt.Println(c.ID)
}
}
But now does anybody know how can I retrieve the docker images of a remote machine given its address,username, and password
That kind of Unix socket is only accessible through proccesses in the same machine.
To access your docker from a remote machine you need to run it with a special configuration to run over ip.
This configuration is DOCKER_OPTS="-H <ip_address>:<port>" (or -H 0.0.0.0:<port> if you whant it to listen on all interfaces), and it depends the version you are running of docker where you must configure it.
Here you can find more information on where to configure DOCKER_OPTS depending on the operation system version.
Hope it helps!

How to ping an IP Address in golang

How can you ping an IP address from a golang application? The ultimate goal is to check if a server is online.
Does go have a way in the standard library to implement a network ping?
As #desaipath mentions, there is no way to do this in the standard library. However, you do not need to write the code for yourself - it has already been done:
https://github.com/tatsushid/go-fastping
Note, sending ICMP packets requires root privileges
I needed the same thing as you and I've made a workaround (with exec.Command) for my Raspberry Pi to check if servers are online. Here is the experimental code
out, _ := exec.Command("ping", "192.168.0.111", "-c 5", "-i 3", "-w 10").Output()
if strings.Contains(string(out), "Destination Host Unreachable") {
fmt.Println("TANGO DOWN")
} else {
fmt.Println("IT'S ALIVEEE")
}
#jpillora's answer suggests using go-fastping, but that library hasn't been updated since Jan 8, 2016. It may not be an issue as the logic of pinging is quite simple, but if you want a more recent package then there's go-ping.
Although not a real ICMP ping, this is what use to probe my servers using the TCP protocol:
host := "example.com"
port := "80"
timeout := time.Duration(1 * time.Second)
_, err := net.DialTimeout("tcp", host+":"+port, timeout)
if err != nil {
fmt.Printf("%s %s %s\n", host, "not responding", err.Error())
} else {
fmt.Printf("%s %s %s\n", host, "responding on port:", port)
}
No.
Go does not have any built-in way to ping a server in standard library.
You need to write code by yourself.
For that, you can look into icmp section of golang library. And use this list of control messages, to construct icmp message properly.
But, keep in mind that some server administrator shuts down ping service on their server, for security reason. So, If your goal is to ultimately check if server is online or not, this is not 100% reliable method.
package main
import (
"fmt"
"os/exec"
)
func main() {
Command := fmt.Sprintf("ping -c 1 10.2.201.174 > /dev/null && echo true || echo false")
output, err := exec.Command("/bin/sh", "-c", Command).Output()
fmt.Print(string(output))
fmt.Print(err)
}

smtp.Dial("ASPMX.L.GOOGLE.COM:25") connection error; but putty connections work

When using Go and smtp.Dial,
or even net.Dial,
I get the error:
dial tcp 64.233.169.27:25: ConnectEx tcp: A connection attempt failed
because the connected party did not properly respond after a period of
time, or established connection failed because connected host has
failed to respond.
From this code:
mxClient, err := smtp.Dial("ASPMX.L.GOOGLE.COM:25")
if err != nil {
fmt.Println(err)
}
What I don't understand is that I can connect and send commands (HELO, etc) using putty on port 25 without TLS.
If it's a limitation of the package not able to make the connection,
is there a recommended way to make a raw socket connection like putty in Go?
I don't see any error on my machine.
package main
import (
"fmt"
"net/smtp"
)
func main() {
mxClient, err := smtp.Dial("ASPMX.L.GOOGLE.COM:25")
if err != nil {
fmt.Println(err)
}
fmt.Printf("%#v", mxClient)
}
gives
&smtp.Client{Text:(*textproto.Conn)(0xc208074000), conn:(*net.TCPConn)(0xc20802c018), tls:false, serverName:"ASPMX.L.GOOGLE.COM", ext:map[string]string(nil), auth:[]string(nil), localName:"localhost", didHello:false, helloError:error(nil)}
Your ISP might be blocking port 25. I have to use port 587 to googles smtp server to connect.

Resources