Penetration Testing mailing list archives
Re: Netcat through Squid HTTP Proxy
From: Chris Kuethe <chris.kuethe () gmail com>
Date: Tue, 19 Apr 2005 09:32:22 -0600
On 4/18/05, Henderson, Dennis K. <Dennis.Henderson () umb com> wrote:
It seems like he was looking for information on how to prevent this.
Short answer: good luck, unless you can definatively teach squid about what https, etc. looks like. Application layer gateways don't do you much good if they don't watch for protcol abuses. Limiting CONNECT is one way to do it, but that means you a) need to sniff and decode at least the initial negotiation [is this really an SSL session?] or b) are going to break HTTPS.
You can configure squid to only allow tunneling on certain ports like 443 and 80. You'll have to figure out what your safe ports are to prevent legitimate traffic from being impacted.
until someone sets up a world-reachable box with every port redirected to 127.0.0.1:22 to get around this...
I usually make sure the usual ports like ssh, telnet, irc are not allowed.
Make sure you don't allow DNS out either. Otherwise someone will come along with an IP-over-DNS tunneller. CK -- GDB has a 'break' feature; why doesn't it have 'fix' too?
Current thread:
- Netcat through Squid HTTP Proxy Rod S (Apr 17)
- Re: Netcat through Squid HTTP Proxy Joachim Schipper (Apr 17)
- <Possible follow-ups>
- RE: Netcat through Squid HTTP Proxy Todd Towles (Apr 18)
- RE: Netcat through Squid HTTP Proxy Otero, Hernan (EDS) (Apr 19)
- RE: Netcat through Squid HTTP Proxy Henderson, Dennis K. (Apr 19)
- Re: Netcat through Squid HTTP Proxy James Kearney (Apr 19)
- Re: Netcat through Squid HTTP Proxy Chris Kuethe (Apr 19)
- RE: Netcat through Squid HTTP Proxy Todd Towles (Apr 19)
- RE: Netcat through Squid HTTP Proxy JB (Apr 22)
- RE: Netcat through Squid HTTP Proxy Todd Towles (Apr 19)