Re: Tool to find hidden web proxy server

From: Javier Fernandez-Sanguino (jfernandez@germinus.com)
Date: Thu Sep 02 2004 - 09:03:04 EDT


vinay mangal wrote:

> Dear all,
>
> Thanks for your suggestions. Maybe I am not able to define my question
> properly.
>
> This problem is strictly within the company Internet access firewall and in the
> LAN only. In a company, the policy for Internet access says it is through IP
> only. The others cannot browse the Internet. This policy is implemented on the
> firewall. A few smart guys have installed a free proxy server running on non-
> default ports and distributed the Internet access to their friends. The
> firewall sees the traffic coming from the authorized IP and does not stop
> them. We want to know who has installed a proxy on their machine.
>

Since you say that the authorised IPs that can browse the Internet are
a known subset of your company, I suggest you could (in an increasing
level of complexity):

- port-scan those systems and determine if there are open ports on
them that act as a proxy (try using 'nmap -sV'). Of course this will
not work if they have added a firewall in the system and are blocking
access to that port to everyone save their friends.

- analyse the outgoing HTTP traffic through the firewall from those IP
addresses and look for proxy 'give-aways' in the HTTP headers
('X-Forwarded-For:' or 'Via:'). If they have configured the proxy
server to not print these headers this might not spot any
culprits. Use ngrep for this.

- analyse the outgoing HTTP traffic through the firewall and analyse
it (you can probably use a lot of accounting tools to extract data
from tcpdump captures). This will allow you to determine which servers
are responsible for most of the outgoing HTTP traffic and that might
be an indication of a proxy in use. You can use ntop for this.

- access your switches and analyse the traffic statistics of the ports
used by the IP address that can access the Internet. Ports with a high
incoming/outgoing byte counts might allow you to distinguish
legitimate vs. illegitimate accesses. Most clients (if only used for
browsing) will generate a high incoming byte count but a low outgoing
byte count so a high outgoing byte count might be an indication of
traffic being proxied to other clients.

- (if your switches permit) use traffic monitoring (port spanning) or
netflows to do accounting on communications between the different IP
address of your local company, discard known servers and analyse the
traffic to detect uncommon client-server relationships that generate
an uncommon amount of traffic. In most office environments you should
only see traffic going from clients to known servers (or to the
Internet) as there is rarely a need for clients to communicate amongst
themselves (unless sharing resources). That could allow you to detect
both the IP addresses of illegitimate servers and the IP addresses of
those using them. You can use ntop for this.

Good luck.

Javier

PS: You basically need tools to do traffic analysis, but you first have
to place yourself in a position in which you know what you want to
capture, and how to analyse it to obtain your rogue users so before
thinking about tools, think about how to capture that data you need.
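The following is an added example, not part of Javier's reply or of any tool he names. It sketches two of the checks above in Python over constructed data: scanning captured HTTP request headers (what you would get out of ngrep) for 'Via:' / 'X-Forwarded-For:' give-aways, and doing per-host accounting over flow records (what you would get from netflow or a span port) to find an authorised host that sends far more than a browsing-only client would and that other clients talk to directly. The 10.0.0.0/8 LAN, the host lists and every header line and byte count are assumptions made up for the example.

```python
"""Added example (not from the original post): two of the traffic-analysis
checks described in the reply, run over constructed sample data.

1. Scan captured HTTP request headers for proxy give-aways (Via:,
   X-Forwarded-For:) and attribute them to the source IP the firewall saw.
2. Per-host accounting over flow records: find authorised hosts whose
   outgoing byte count is unusually high and which exchange traffic with
   other clients rather than only with known servers.

All IPs, header lines and byte counts are constructed, not captured.
"""
from collections import defaultdict

PROXY_HEADERS = ("via", "x-forwarded-for", "forwarded")

# Constructed sample: (source IP as seen by the firewall, raw request headers)
SAMPLE_REQUESTS = [
    ("10.0.0.5", "GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla\r\n\r\n"),
    ("10.0.0.7", "GET /news HTTP/1.1\r\nHost: example.org\r\n"
                 "Via: 1.1 rogue-box:8080\r\nX-Forwarded-For: 10.0.0.23\r\n\r\n"),
    ("10.0.0.7", "GET /a HTTP/1.1\r\nHost: example.net\r\nX-Forwarded-For: 10.0.0.31\r\n\r\n"),
]

def find_proxy_headers(requests):
    """Return {src_ip: {header_name: [values]}} for requests carrying
    proxy-revealing headers. Names are matched case-insensitively."""
    hits = defaultdict(lambda: defaultdict(set))
    for src, raw in requests:
        head = raw.split("\r\n\r\n", 1)[0]          # headers only, no body
        for line in head.split("\r\n")[1:]:         # skip the request line
            name, sep, value = line.partition(":")
            if sep and name.strip().lower() in PROXY_HEADERS:
                hits[src][name.strip().lower()].add(value.strip())
    return {s: {h: sorted(v) for h, v in d.items()} for s, d in hits.items()}

# Constructed flow records: (src, dst, bytes sent by src, bytes sent to src)
AUTHORISED = {"10.0.0.5", "10.0.0.7"}          # assumed: hosts allowed out
KNOWN_SERVERS = {"10.0.0.1", "10.0.0.2"}       # assumed: mail/file servers
SAMPLE_FLOWS = [
    ("10.0.0.5", "93.184.216.34", 40_000, 2_500_000),  # normal browsing
    ("10.0.0.5", "10.0.0.1", 8_000, 120_000),           # talks to mail server
    ("10.0.0.7", "93.184.216.34", 60_000, 3_000_000),
    ("10.0.0.23", "10.0.0.7", 50_000, 1_800_000),       # client pulling pages via .7
    ("10.0.0.31", "10.0.0.7", 45_000, 1_100_000),
]

def outbound_ratio(flows, hosts):
    """Per host: bytes sent / bytes received over all flows it appears in.
    A browsing-only client receives far more than it sends; a host that
    re-serves Internet content to others sends much more."""
    sent, recv = defaultdict(int), defaultdict(int)
    for src, dst, b_out, b_in in flows:
        sent[src] += b_out; recv[src] += b_in
        sent[dst] += b_in;  recv[dst] += b_out
    return {h: round(sent[h] / max(recv[h], 1), 3) for h in hosts}

def client_to_client(flows, known_servers):
    """Flows between two LAN hosts where neither side is a known server.
    Assumes the LAN is 10.0.0.0/8."""
    def local(ip):
        return ip.startswith("10.")
    return [f for f in flows
            if local(f[0]) and local(f[1])
            and f[0] not in known_servers and f[1] not in known_servers]

def suspects(flows, hosts, known_servers, ratio_threshold=0.5):
    """Authorised hosts that both send unusually much and have peer traffic
    from other clients; returns {host: [peers]}. Threshold is a guess."""
    ratios = outbound_ratio(flows, hosts)
    peers = defaultdict(set)
    for s, d, _, _ in client_to_client(flows, known_servers):
        peers[d].add(s); peers[s].add(d)
    return {h: sorted(peers[h]) for h in hosts
            if ratios[h] >= ratio_threshold and peers[h]}

if __name__ == "__main__":
    print("proxy headers:", find_proxy_headers(SAMPLE_REQUESTS))
    print("outbound ratios:", outbound_ratio(SAMPLE_FLOWS, AUTHORISED))
    print("suspects:", suspects(SAMPLE_FLOWS, AUTHORISED, KNOWN_SERVERS))
```

On the sample data the header check points at 10.0.0.7 and even names the two clients it forwards for, while the accounting check reaches the same host from a different direction: its sent/received ratio is close to 1 where a plain browser sits near 0.02, and two other clients talk to it directly. The two checks are independent, so a proxy configured to strip its headers still shows up in the accounting, which is the point of Javier's PS about deciding what to capture before picking a tool.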




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:02 EDT