SSH SOCKS Tunnel with an HTTP Proxy (Burp)

You have an Internet connection but there’s restrictions on what sites you can visit etc. To get around this you can use an SSH SOCKS tunnel.


SSH Server

First off make sure you have an Internet facing SSH server. You can grab a pretty cheap VPS for ~€10 a year –

SSH should be set up on the server. If not you’ll have to set it up.

Change the port its listening on to reduce the amount of bots scanning port 22. Edit the following file with your fav text editor (vim);


Change the port to something other than port 22.

port 22 -> port 40001

Restart the SSH server (Debian/Ubuntu)

service ssh restart


SSH Client config

For passwordless login, on your client generate an SSH key

ssh-keygen -t rsa

Upload it to your remote SSH server

ssh-copy-id user@x.x.x.x

Create a SOCKS proxy

ssh -p 40001 -D 9999 -CqN user@x.x.x.x

-p: Specify the port the SSH server is listening on (if not running on port 22)
-D: Sets up a SOCKS tunnel over SSH on a specified port number
-C: Compresses the data before sending it
-q: Set quiet mode
-N: No command to be sent over SSH – we just want a tunnel

You can put all this in your .bashrc to quickly run it from a terminal.

alias sshtunnel="ssh -p 40001 -D 9999 -CqN user@x.x.x.x"

Now simply type sshtunnel to run!

Note: ssh -D opens a local port without having a specific endpoint like with -L. Running ssh -L and in the browser if you hit localhost:9999 you’ll go to

With ssh -D 9999 you’re telling the browser to use localhost:9999 as a SOCKS proxy. Everything your browser requests goes through the ssh tunnel. It’s as if you were browsing the web from your ssh server instead of from your computer.


Browser Set up

Using Firefox with FoxyProxy (to quickly switch between proxies) set up the browser to route through the proxy.

Proxy Type: SOCKS5
IP: localhost
Port: 9999


Go to to verify your IP is that of your SSH server.


HTTP Proxy setup (Burp / ZAP)

Now if you want to use an HTTP proxy with the browser instead of;

Browser -> SOCKS proxy (SSH tunnel) -> Internet

you’ll have to set up

Browser -> HTTP proxy (Burp) -> SOCKS proxy (SSH Tunnel) -> Internet

Firstly create a new FoxyProxy profile for HTTP

Proxy Type: HTTP
Title: Burp
IP: localhost
Port: 9999


Now configure Burp suite to go through the SSH SOCKS tunnel

User options -> SOCKS Proxy

Use SOCKS proxy: ✓
SOCKS proxy host: localhost
SOCKS proxy port: 9999



Again go to to verify your IP is that of your SSH server. Check the Proxy -> HTTP History tab to verify the traffic is running through Burp.




Setting a Proxy in Android


I use Charles proxy to debug my network traffic. This requires setting the device or emulator proxy to point to my local ip address where Charles is running. Charles can then intercept the device’s network traffic. This post outlines how to set the proxy for android devices and emulators.

View original post 170 more words

HTTP2 traffic in Wireshark

Since HTTP/2 is supported in Firefox 36 and there is a partially functional http2 dissector in Wireshark I thought I’d take a look at what HTTP/2 packets look like in Wireshark. I’m using Kali where I needed to grab the following;

  • Wireshark dev – 1.99.2
  • Firefox 36

Firefox 36 by default uses TLS 1.2 when communicating over HTTP/2 you can view HTTP/2 traffic in the ‘Network’ tab in Firefox’s developer tools (f12).


To see these packets in Wireshark you need to point Wireshark at the SSLKEYLOGFILE that is written by NSS. This enables you to see the http2 packets and decrypt any encrypted data over SSL, TLS etc. Here’s a quick set up to get that up and running;


  • wget -O /opt/
  • tar -jxf wireshark-1.99.2.tar.bz2

Install dependencies

  • apt-get install libpcap-dev

Configure and install

  • cd wireshark-1.99.2
  • ./configure --with-gtk2
  • make && make install

Edit /etc/

Add the line > include /usr/local/lib

Then run the command ldconfig

Run Wireshark > ./wireshark


  • wget firefox -O /opt
  • tar -jxf firefox-36.0.tar.bz2

Make a file on the file system and set an environment variable enabling NSS to write key logs so that Wireshark can decrypt any TLS traffic.

  • mkdir ~/tls && touch ~/tls/sslkeylog.log
  • export SSLKEYLOGFILE=~/tls/sslkeylog.log

Run Firefox (within the same terminal you set the environment variable or add the env. variable to your .bashrc) > ./firefox


Point Wireshark to the sslkeylog.log so that it can decrypt TLS traffic.

  • Edit -> Preferences -> Protocols -> SSL
  • (Pre)-Master-Secret log filename -> /root/tls/sslkeylog.log


Start a new live capture in Wireshark and in Firefox navigate to an HTTP/2 enabled website e.g. and view the HTTP/2 packets.