Re: Netcat through Squid HTTP Proxy

From: Joachim Schipper (j.schipper@math.uu.nl)
Date: Sun Apr 17 2005 - 11:13:28 EDT


On Fri, Apr 15, 2005 at 10:40:31AM -0400, Rod S wrote:
> Hello,
>
> I have a squid proxy server running, caching and filtering web access.
> User workstations on my network are only allowed http access through
> this proxy server. The firewall (Cisco PIX) will not let them connect
> outbound to any ports.
>
> I've done some testing and was successful in running netcat to connect
> to a remote server listening with netcat on port 80 and get a command
> prompt for an internal machine (which is allowed to connect to any
> outgoing ports) on that remote server. I'm wondering if it's possible
> for netcat to connect through our proxy server to a remote machine and
> send a cmd.exe shell in the same way? Any tips on preventing this or
> any other information you care to share is appreciated.
>
> Thanks!
> Rod

Dear Rod,

if I understand correctly, you can get a shell on a remote machine and
want to allow a remote machine to get a shell on a local host. This can
be achieved quite easily - search for 'reverse shell'. One example which
looks nice is rrs (*nix only) - see freshmeat.net. This one cannot do
HTTP proxying, though, so it should be augmented or wrapped in something
that can.

The Hacker's Choice (www.thc.org) has just run an article on this,
including an example in Perl. If you desire something more
Windows-specific, you may want to ask Google, or any shades-of-grey-hat
site you can find. ;-)

However, simply, yes, this is possible. Quite a few of these kinds of
reverse shells rely on HTTP CONNECT, so limiting that may help - but
there are some seriously scary things out there, including reverse
shells that communicate over DNS or ICMP (pings etc).

A good I(P|D)S may help a little. Locking down the network further may
help. However, it is almost impossible to keep a smart attacker in -
make sure to keep him out.

                Joachim



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:19 EDT