Penetration Testing mailing list archives

Re: [PEN-TEST] Proxy Penetrated


From: Vanja Hrustic <vanja () RELAYGROUP COM>
Date: Fri, 25 Aug 2000 00:46:35 +0700

"Proxy Penetrated"!?

Gotta love that one.

What happens is that your proxy allows 'proxying'. It's not a
'vulnerability', especially if you are doing the test from your internal
network, and your proxy is set up to allow traffic going out.

Basically, you have a proxy. What a proxy does is 'proxy' (redirect,
forward, whatever you want to call it) the traffic. So, you connect to the
proxy (let's say, on port 8080) and issue a command like:

GET http://www.av.com HTTP/1.0

You should be able to get output from www.av.com. If you are doing this
from your network, and on your proxy, it is not a vulnerability. It is
expected behaviour.

However, if you are doing the scan 'remotely', and the proxy still accepts
your traffic, it might be a small problem. That's what all those script
kiddies are abusing in order to 'hide' the real source of the scans.

If your proxy is supposed to let through only traffic to certain ports, you might
want to verify that by issuing something like:

CONNECT some.ip.address:port HTTP/1.0

and seeing whether a connection is established. Make sure that the remote IP
address and port are reachable (you can connect to them) before you test
this. This is how people quite often bypass firewall restrictions.

There are also variations possible, depending on the proxy...

GET http://address:port/ HTTP/1.0
CONNECT http://address:port/ HTTP/1.0
CONNECT address:port HTTP/1.0

Hope this helps.

Vanja Hrustic
The Relay Group
http://relaygroup.com
Technology Ahead of Time

On Wed, 23 Aug 2000, Roberto Poblete wrote:

I'm using Internet Security System 6.0.1 to test Windows NT machines.

In one test of an email and web server this application (IS) says that my
machine is vulnerable: "Proxy Penetrated".

I asked ISS support about this and they gave me this exercise to probe the
vulnerability:

You should be manually checking for this vulnerability in this manner.
1. Telnet to port 80 on the address of the scanned host.
2. Type "HEAD http://<proxy target IP address> HTTP/1.0" and hit ENTER
twice.
3. If the first digit of the return code is a 2, 3, or 4, the web server on
the scanned host is configured to act as a proxy (httpproxy "Proxy Found"
vulnerability).
4. If the first digit of the return code is a 2, the web server allows
access to the specified proxy target (wwwproxypen "Proxy Penetrated"
vulnerability).

I did this and got code 2 as the result, but I don't know if there is a way
to exploit this vulnerability.

Any ideas?


regards,

_________________________________
Sincerely,
Roberto Poblete / email: roberto () orion cl
phone: 6403943 / Fax: 6403990
Orion 2000
Professional Services in Information Security
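As an added example (not code from the thread, from ISS or from the Relay Group), here is a small Python check that sends the HEAD request from the ISS steps and the GET/CONNECT forms from Vanja's reply to a proxy and grades each status line with the quoted rule. The stub proxy and the 192.0.2.10:25 target are constructed so it runs offline; point probe_proxy() at a proxy you administer to check it from outside your network.

```python
# Added example: sends the request forms discussed in the thread to a proxy and
# classifies each reply with the quoted ISS rule (first digit 2/3/4 => "Proxy
# Found", 2 => "Proxy Penetrated"). Stub server and target are constructed.
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def classify(status_line):
    """Apply the ISS rule to one HTTP status line such as 'HTTP/1.0 200 OK'."""
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1][:1].isdigit():
        return "no-http-reply"
    verdicts = {"2": "proxy-penetrated", "3": "proxy-found", "4": "proxy-found"}
    return verdicts.get(parts[1][0], "refused")

def send_raw(host, port, request_line, timeout=5.0):
    """Send one bare request line, as you would by hand, and return the status line."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall((request_line + "\r\n\r\n").encode("ascii"))
            first = s.makefile("rb").readline()
    except OSError:  # refused, reset or timed out: treated as no reply
        return ""
    return first.decode("latin-1", "replace").rstrip("\r\n")

def probe_proxy(host, port, target):
    """Verdict for each request form from the thread; target is 'host:port'."""
    forms = [f"HEAD http://{target} HTTP/1.0", f"GET http://{target}/ HTTP/1.0",
             f"CONNECT {target} HTTP/1.0"]
    return {req: classify(send_raw(host, port, req)) for req in forms}

class StubProxy(BaseHTTPRequestHandler):
    """Constructed stand-in: proxies GET/HEAD (200) but refuses CONNECT (405)."""
    def _reply(self, code):
        self.send_response(code)
        self.end_headers()
    def do_GET(self): self._reply(200)
    def do_HEAD(self): self._reply(200)
    def do_CONNECT(self): self._reply(405)
    def log_message(self, *args): pass  # keep the stub quiet

def demo_results(target="192.0.2.10:25"):
    """Probe the stub on an ephemeral loopback port and return the verdicts."""
    srv = HTTPServer(("127.0.0.1", 0), StubProxy)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe_proxy("127.0.0.1", srv.server_address[1], target)
    finally:
        srv.shutdown()
        srv.server_close()
```

Call demo_results() to see the verdicts against the stub; a real proxy that is "supposed to let through only traffic to certain ports" should come back "refused" or "no-http-reply" for the CONNECT form from outside.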
