Penetration Testing mailing list archives
RE: Netcat through Squid HTTP Proxy
From: "JB" <pentest () jitonline net>
Date: Tue, 19 Apr 2005 18:43:48 -0400 (EDT)
I have one word... OpenVPN (http://openvpn.net/)- It can tunnel through proxies, use almost any open port, and is pretty difficult to detect... JB
Well you have to understand how they do it to prevent it. Proxy will never be totally secure, it has to be a multiple level protection idea. If you allow tunneling on 80 and 443, then Stunnel and other things will still work. But it is better than it was before, and to pass the proxy would recommend know-how and some pre-work. Packet Inspection could be used to filter known bad traffic, but that type of protection isn't cheap. 443 tunnel hide all the traffic from the proxy and most IDS/IPS system so client security becomes important. AV on the client or possible Host IPS, if money isn't a big deal.-----Original Message----- From: Henderson, Dennis K. [mailto:Dennis.Henderson () umb com] Sent: Monday, April 18, 2005 11:28 AM To: Todd Towles; Joachim Schipper; pen-test () securityfocus com Subject: RE: Netcat through Squid HTTP Proxy It seems like he was looking for information on how to prevent this. You can configure squid to only allow tunneling on certain ports like 443 and 80. You'll have to figure out what your safe ports are to prevent legitimate traffic from being impacted. I usually make sure the usual ports like ssh, telnet, irc are not allowed. Cheers Dennis-----Original Message----- From: Todd Towles [mailto:toddtowles () brookshires com] Sent: Monday, April 18, 2005 8:20 AM To: Joachim Schipper; pen-test () securityfocus com Subject: RE: Netcat through Squid HTTP Proxy There is a POC shell program that uses XML-RPC called Monkey shell (http://www.securiteam.com/tools/6L00F0KBFE.html). It looks like it might require a re-code to be fully used as a pen-test tool. But it something to look at. - You can try HTTPTunnel as well. httptunnel creates a bidirectional virtual data connectiontunnelledin HTTP requests. The HTTP requests can be sent via an HTTPproxy ifso desired. This can be useful for users behind restrictive firewalls. If WWW access is allowed through a HTTP proxy, it's possible to use httptunnel and, say, telnet or PPP to connect to a computer outside the firewall. http://www.nocrew.org/software/httptunnel.html -Todd-----Original Message----- From: Joachim Schipper [mailto:j.schipper () math uu nl] Sent: Sunday, April 17, 2005 10:13 AM To: pen-test () securityfocus com Subject: Re: Netcat through Squid HTTP Proxy On Fri, Apr 15, 2005 at 10:40:31AM -0400, Rod S wrote:Hello, I have a squid proxy server running, caching and filteringweb access.User workstations on my network are only allowed httpaccess throughthis proxy server. The firewall (Cisco PIX) will not letthem connectoutbound to any ports. I've done some testing and was successful in running netcatto connectto a remote server listening with netcat on port 80 and geta commandprompt for an internal machine (which is allowed toconnect to anyoutgoing ports) on that remote server. I'm wondering ifit's possiblefor netcat to connect through our proxy server to a remotemachine andsend a cmd.exe shell in the same way? Any tips onpreventing this orany other information you care to share is appreciated. Thanks! RodDear Rod, if I understand correctly, you can get a shell on a remotemachine andwant to allow a remote machine to get a shell on a localhost. Thiscan be achieved quite easily - search for 'reverse shell'.One examplewhich looks nice is rrs (*nix only) - see freshmeat.net. This one cannot do HTTPproxying, though,so it should be augmented or wrapped in something that can. The Hacker's Choice (www.thc.org) has just run an articleon this,including an example in Perl. If you desire something more Windows-specific, you may want to ask Google, or any shades-of-grey-hat site you can find. ;-) However, simply, yes, this is possible. Quite a few ofthese kinds ofreverse shells rely on HTTP CONNECT, so limiting that mayhelp - butthere are some seriously scary things out there,including reverseshells that communicate over DNS or ICMP (pings etc). A good I(P|D)S may help a little. Locking down the networkfurther mayhelp. However, it is almost impossible to keep a smartattacker in -make sure to keep him out. Joachim
Current thread:
- Netcat through Squid HTTP Proxy Rod S (Apr 17)
- Re: Netcat through Squid HTTP Proxy Joachim Schipper (Apr 17)
- <Possible follow-ups>
- RE: Netcat through Squid HTTP Proxy Todd Towles (Apr 18)
- RE: Netcat through Squid HTTP Proxy Otero, Hernan (EDS) (Apr 19)
- RE: Netcat through Squid HTTP Proxy Henderson, Dennis K. (Apr 19)
- Re: Netcat through Squid HTTP Proxy James Kearney (Apr 19)
- Re: Netcat through Squid HTTP Proxy Chris Kuethe (Apr 19)
- RE: Netcat through Squid HTTP Proxy Todd Towles (Apr 19)
- RE: Netcat through Squid HTTP Proxy JB (Apr 22)
- RE: Netcat through Squid HTTP Proxy Todd Towles (Apr 19)