Penetration Testing mailing list archives

Re: Netcat through Squid HTTP Proxy

From: Chris Kuethe <chris.kuethe () gmail com>
Date: Tue, 19 Apr 2005 09:32:22 -0600

On 4/18/05, Henderson, Dennis K. <Dennis.Henderson () umb com> wrote:

It seems like he was looking for information on how to prevent this.


Short answer: good luck, unless you can definatively teach squid about
what https, etc. looks like. Application layer gateways don't do you
much good if they don't watch for protcol abuses.

Limiting CONNECT is one way to do it, but that means you a) need to
sniff and decode at least the initial negotiation [is this really an
SSL session?] or b) are going to break HTTPS.

You can configure squid to only allow tunneling on certain ports like
443 and 80. You'll have to figure out what your safe ports are to
prevent legitimate traffic from being impacted.


until someone sets up a world-reachable box with every port redirected
to 127.0.0.1:22 to get around this...

I usually make sure the usual ports like ssh, telnet, irc are not
allowed.


Make sure you don't allow DNS out either. Otherwise someone will come
along with an IP-over-DNS tunneller.

CK

-- 
GDB has a 'break' feature; why doesn't it have 'fix' too?

Current thread:

Netcat through Squid HTTP Proxy Rod S (Apr 17)
- Re: Netcat through Squid HTTP Proxy Joachim Schipper (Apr 17)
- <Possible follow-ups>
- RE: Netcat through Squid HTTP Proxy Todd Towles (Apr 18)
- RE: Netcat through Squid HTTP Proxy Otero, Hernan (EDS) (Apr 19)
- RE: Netcat through Squid HTTP Proxy Henderson, Dennis K. (Apr 19)
  - Re: Netcat through Squid HTTP Proxy James Kearney (Apr 19)
  - Re: Netcat through Squid HTTP Proxy Chris Kuethe (Apr 19)
- RE: Netcat through Squid HTTP Proxy Todd Towles (Apr 19)
  - RE: Netcat through Squid HTTP Proxy JB (Apr 22)
- RE: Netcat through Squid HTTP Proxy Todd Towles (Apr 19)