Penetration Testing mailing list archives
Re: [PEN-TEST] Proxy Penetrated
From: Vanja Hrustic <vanja () RELAYGROUP COM>
Date: Fri, 25 Aug 2000 00:46:35 +0700
"Proxy Penetrated"!? Gotta love that one.

What happens is that your proxy allows 'proxying'. It's not a 'vulnerability', especially if you are doing the test from your internal network, and your proxy is set up to allow traffic going out.

Basically, you have a proxy. What proxy does is to 'proxy' (redirect, forward, whatever you want to call it) the traffic. So, you connect to proxy (let's say, port 8080), issue a command like:

    GET http://www.av.com HTTP/1.0

You should be able to get output from www.av.com. If you are doing this from your network, and on your proxy, it is not a vulnerability. It is expected behaviour.

However, if you are doing the scan 'remotely', and proxy still accepts your traffic, it might be a small problem. That's what all those script kiddies are abusing in order to 'hide' the real source of the scans.

If your proxy is supposed to let only traffic to certain ports, you might want to verify that by issuing something like:

    CONNECT some.ip.address:port HTTP/1.0

And seeing if connection will be established. Make sure that remote ip address and port are reachable (you can connect to them) before you test this. This is how people quite often bypass firewall restrictions.

There are also variations possible, depending on the proxy...

    GET http://address:port/ HTTP/1.0
    CONNECT http://address:port/ HTTP/1.0
    CONNECT address:port HTTP/1.0

Hope this helps.

Vanja Hrustic
The Relay Group
http://relaygroup.com
Technology Ahead of Time

On Wed, 23 Aug 2000, Roberto Poblete wrote:
I'm using Internet Security System 6.0.1 to test Windows NT machines. In one test to an email and web server this application (IS) says that my machine is vulnerable: "Proxy Penetrated".

I asked ISS support about this and they gave this exercise to probe the vulnerability:

You should be manually checking for this vulnerability in this manner.

1. Telnet to port 80 on the address of the scanned host.
2. Type "HEAD http://<proxy target IP address> HTTP/1.0" and hit ENTER twice.
3. If the first digit of the return code is a 2, 3, or 4, the web server on the scanned host is configured to act as a proxy (httpproxy "Proxy Found" vulnerability).
4. If the first digit of the return code is a 2, the web server allows access to the specified proxy target (wwwproxypen "Proxy Penetrated" vulnerability).

I do this and I have the code 2 as result, but I don't know if a way exists to exploit this vulnerability?? Any idea???

regards,
_________________________________
Atte,
Roberto Poblete / email: roberto () orion cl
fono: 6403943 / Fax: 6403990
Orion 2000
Servicios Profesionales en Seguridad Informática
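An added example, not part of the original posts and not taken from any proxy product: a sketch of the policy the reply implies, where the proxy serves only internal clients and applies the same port allow-list to every request-line form listed above. The internal range, the allowed ports and the function names are assumptions chosen for illustration.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Assumed policy values; adjust to the site's own addressing and rules.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
CONNECT_PORTS = {443}   # ports a CONNECT tunnel may reach
HTTP_PORTS = {80}       # ports GET/HEAD may reach


def parse_target(request_line):
    """Return (method, host, port) for 'METHOD target HTTP/x.y'.

    Handles both absolute-URI targets (http://address:port/) and
    authority-form targets (address:port). Raises ValueError if malformed.
    """
    method, target, _version = request_line.split()
    if "://" in target:
        url = urlsplit(target)
        host = url.hostname
        port = url.port or (443 if url.scheme == "https" else 80)
    else:
        host, _, port_text = target.rpartition(":")
        port = int(port_text)
    if not host:
        raise ValueError("no host in request target")
    return method.upper(), host, port


def decide(client_ip, request_line):
    """Return (allowed, reason) for one proxy request."""
    client = ip_address(client_ip)
    if not any(client in net for net in INTERNAL_NETS):
        return False, "client is not on an internal network"
    try:
        method, host, port = parse_target(request_line)
    except ValueError:
        return False, "malformed request line"
    allowed_ports = CONNECT_PORTS if method == "CONNECT" else HTTP_PORTS
    if port not in allowed_ports:
        return False, f"{method} to port {port} is not permitted"
    return True, f"{method} to {host}:{port} permitted"


if __name__ == "__main__":
    # Constructed sample requests (documentation addresses, not real hosts).
    samples = [
        ("10.1.2.3", "GET http://www.av.com HTTP/1.0"),
        ("203.0.113.9", "GET http://www.av.com HTTP/1.0"),
        ("10.1.2.3", "CONNECT 192.0.2.10:25 HTTP/1.0"),
        ("10.1.2.3", "CONNECT http://192.0.2.10:25/ HTTP/1.0"),
    ]
    for ip, line in samples:
        print(ip, line, "->", decide(ip, line))
```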