Re: Tool to find hidden web proxy server

From: Martin Mačok (martin.macok@underground.cz)
Date: Thu Sep 02 2004 - 05:36:07 EDT

• Next message: Christine Kronberg: "Re: Tool to find hidden web proxy server"
• Previous message: Kara, Pravesh: "RE: Tool to find hidden web proxy server"
• In reply to: vinay mangal: "Re: Tool to find hidden web proxy server"
• Next in thread: Christine Kronberg: "Re: Tool to find hidden web proxy server"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

On Thu, Sep 02, 2004 at 09:06:44AM +0530, vinay mangal wrote:

> In a company, policy for Internet access says it is through IP only.
> The others can not browse the internet. This policy is implemented
> on firewall. Few smart guys have installed free proxy server running
> on non default ports and distributed the internet access to their
> friends.

There is not a single way of hiding the proxy and so there is not
a single bulletproof tool to find it.

If they are not so smart, they are running the proxies on ports 3128
or 8000-8888.

$ nmap -sSV -p3128,8000-8888 suspected [...]

(of course, double check the proxy with netcat/telnet or amap)

If they are less smarter they run it on obscured port but with
unrestricted access.

$ nmap -sSV -p- suspected [...]

(I recommend nmap-3.70 or later, it scans much faster)

If they are smarter they limit access to proxy by IP and/or
user:password. Try sniffing the LAN traffic for HTTP communication
between the stations (ethereal or ngrep, exclude the IP of gateway).

Smart guys will tunnel HTTP through SSH or similar and the proxy will
not be accessible on external interfaces (only loopback). Then analyze
the outgoing HTTP traffic. Look for X-Forwarded-For: headers,
User-Agent: headers, cookies, POST requests values (names) etc. so you
can see that the requests from on IP are actually from 2 different
people and/or 2 different browsers.

Good luck.

Remember, they can always be smarter and they could be subscribed too :-)

Martin Mačok
IT Security Consultant

------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------

• Next message: Christine Kronberg: "Re: Tool to find hidden web proxy server"
• Previous message: Kara, Pravesh: "RE: Tool to find hidden web proxy server"
• In reply to: vinay mangal: "Re: Tool to find hidden web proxy server"
• Next in thread: Christine Kronberg: "Re: Tool to find hidden web proxy server"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:02 EDT