Penetration Testing mailing list archives

RE: bypassing employer's proxy to surf anonymously

From: "Erin Carroll" <amoeba () amoebazone com>
Date: Tue, 13 Jun 2006 18:14:27 -0700

Request from the Moderator:

Could we focus on what uses bypassing a proxy would serve in regards to
pen-testing specifically? 

Thanks.

-----Original Message-----
From: gimeshell () web de [mailto:gimeshell () web de] 
Sent: Tuesday, June 13, 2006 3:18 PM
To: pen-test () securityfocus com
Subject: Re: bypassing employer's proxy to surf anonymously

On Tue, 13 Jun 2006 12:49:22 -0400
Karyn Pichnarczyk <karyn () sandstorm net> wrote:

Hi,


If a network is being used to transfer traffic, and something is 
physically monitoring all traffic (regardless of source/destination 
port, regardless of protocol, etc) then there's no way to

prevent them

from monitoring your traffic over that network.  You're

talking about

bypassing something in a lower network layer (physical)

with something

in a higher network layer (i.e. Data or Network).  It's not

going to

happen.


I got hint to try out hidden data in dns traffic. That's not 
using any of local proxy's ports and thus might stay 
unrecognized in log files.
Local proxy does only log proxy traffic coming in on ports 
3128, 2121, 1080. There is no low-level 'packet-filter-logging'.


Now hiding data in unsuspicious packets....depends on your

definition

of "unsuspicious" and the level of detail of the network admins are 
who are monitoring the traffic. If the net admins are using

a network

forensics analysis product you have to get fairly creative to hide 
your data.


There is no packet capturing done. I like to call 
unsuspicious traffic all traffic which don't go through 
proxy's ports 3128, 2121, 1080. e.g. hidden data in DNS traffic.

regards,
gimeshell

--------------------------------------------------------------
----------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win 
the Analyst's Choice Award from eWeek. As attacks through web 
applications continue to rise, you need to proactively 
protect your applications from hackers. Cenzic has the most 
comprehensive solutions to meet your application security 
penetration testing and vulnerability management needs. You 
have an option to go with a managed service (Cenzic 
ClickToSecure) or an enterprise software (Cenzic Hailstorm). 
Download FREE whitepaper on how a managed service can help 
you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to 
confirm your results from other product. Contact us at 
request () cenzic com for details.
--------------------------------------------------------------
----------------

--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.394 / Virus Database: 268.8.4/363 - Release 
Date: 6/13/2006


-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.394 / Virus Database: 268.8.4/363 - Release Date: 6/13/2006
 


------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to rise, 
you need to proactively protect your applications from hackers. Cenzic has the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------

Current thread:

Re: bypassing employer's proxy to surf anonymously, (continued)
- Re: bypassing employer's proxy to surf anonymously Hubert Seiwert (Jun 13)
  - Re: bypassing employer's proxy to surf anonymously alan (Jun 13)
    - Re: bypassing employer's proxy to surf anonymously jm (Jun 14)
  - Re: bypassing employer's proxy to surf anonymously (Jun 13)
  - Re: bypassing employer's proxy to surf anonymously dajackman (Jun 13)
    - Re: bypassing employer's proxy to surf anonymously (Jun 13)
  - Re: bypassing employer's proxy to surf anonymously (Jun 14)
    - Re: bypassing employer's proxy to surf anonymously jm (Jun 14)
- Re: bypassing employer's proxy to surf anonymously Karyn Pichnarczyk (Jun 13)
  - Re: bypassing employer's proxy to surf anonymously (Jun 13)
    - RE: bypassing employer's proxy to surf anonymously Erin Carroll (Jun 13)
    - Re: bypassing employer's proxy to surf anonymously Ivan Arce (Jun 13)
- Re: bypassing employer s proxy to surf anonymously misiu (Jun 13)
  - Re: bypassing employer s proxy to surf anonymously Mario Platt (Jun 13)
  - Re: bypassing employer s proxy to surf anonymously gimeshell (Jun 14)
    - Re: bypassing employer s proxy to surf anonymously Gary E. Miller (Jun 14)
    - Re: bypassing employer s proxy to surf anonymously (Jun 15)
- RE: bypassing employer's proxy to surf anonymously Craig Wright (Jun 13)
  - Re: bypassing employer's proxy to surf anonymously Paul Robertson (Jun 13)
  - RE: bypassing employer's proxy to surf anonymously alan (Jun 13)
  - Re: bypassing employer's proxy to surf anonymously Aaron (Jun 14)

(Thread continues...)