Penetration Testing mailing list archives
Re: [PEN-TEST] Proxy Penetrated
From: Max Vision <vision () WHITEHATS COM>
Date: Thu, 24 Aug 2000 11:18:23 -0700
On Wed, 23 Aug 2000, Roberto Poblete wrote:
> I'm using Internet Security System 6.0.1 to test Windows NT machines.
FYI there is an upgrade available to 6.1.
> In one test of an email and web server this application (ISS) says that my machine is vulnerable to "Proxy Penetrated":
>
> 3. If the first digit of the return code is a 2, 3, or 4, the web server on the scanned host is configured to act as a proxy (httpproxy "Proxy Found" vulnerability).
> 4. If the first digit of the return code is a 2, the web server allows access to the specified proxy target (wwwproxypen "Proxy Penetrated" vulnerability).
This method of determining proxy vulnerability is flawed. In most cases an error response such as "HTTP/1.0 403 Forbidden" will indicate that proxy capability is not available, however "HTTP/1.1 200 OK" does not necessarily indicate success. For example, I have seen many apache configurations where this technique would give a 200 code for the localhost only (and they do not allow proxying).

Note also that a "HTTP/1.0 502 Connection refused" may be specific to the address tested and could still be a functional proxy. A very common example is if you test a proxy that listens on port 8080 only - if you send a request for the proxy IP, the proxy will try to connect to itself, see that nothing is listening (at port 80) and return the 502 error message.

A more accurate test would be to try to use the proxy to request data from a known site and see if the results match. Ideally the scanner would listen on tcp 80 for the test, then request the equivalent of http://proxy.to.test/http://ip.of.scanner/ and then see if the proxy visits the "site". IMHO, the scanner should also work the proxy and see if it will support alternate ports, or realtime proxying of arbitrary binary connections (such as some Squids/PUT command), etc.
> I do this and I have the code 2 as result, but I don't know if there is a way to exploit this vulnerability?
The idea is that by using the proxy you will be able to reach addresses that are visible to the proxy that you normally could not. For example, if a company had an open proxy, you might find interesting intranet or workstation web sites at http://10.x.x.x or http://192.168.x.x etc. This can also circumvent ip-based access restrictions if the proxy is a trusted host.

Max Vision
http://whitehats.com/
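The following is an added example (not code from Max Vision, ISS or anyone in this thread) that puts the two checks discussed above side by side: the status-code rule quoted from the ISS documentation, and the callback verification Max proposes, where the scanner listens on its own port and asks the server under test to fetch a unique URL from it. The hosts being tested are constructed stand-ins started in-process (`start_toy_proxy`, with the hypothetical modes `forward`, `fake200` and `deny`); a real audit would point `check_open_proxy` at one of your own web servers and use a listener reachable from it. The `fake200` mode reproduces the false positive Max describes, an Apache that answers 200 with its own page without relaying: the heuristic reports "penetrated", the callback never arrives.

```python
import secrets
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit


def classify_status(status_line):
    """Apply the ISS rule quoted in the thread to an HTTP status line:
    first digit 2/3/4 -> 'Proxy Found', first digit 2 -> 'Proxy Penetrated'."""
    parts = status_line.split()
    if len(parts) < 2 or not parts[1].isdigit():
        return {"code": None, "proxy_found": False, "penetrated": False}
    code = int(parts[1])
    first = code // 100
    return {"code": code, "proxy_found": first in (2, 3, 4), "penetrated": first == 2}


class _CallbackHandler(BaseHTTPRequestHandler):
    """Records every path requested on the scanner-side listener."""
    def do_GET(self):
        self.server.seen_paths.append(self.path)
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"callback")

    def log_message(self, *args):  # keep the example quiet
        pass


def start_listener():
    """Scanner-side HTTP listener (the 'tcp 80' of the post; ephemeral port here)."""
    srv = HTTPServer(("127.0.0.1", 0), _CallbackHandler)
    srv.seen_paths = []
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def check_open_proxy(proxy_host, proxy_port, listener, timeout=5.0):
    """Ask the server under test to fetch a unique URL on our listener, then compare
    the status-code heuristic with whether the callback actually arrived."""
    token = secrets.token_hex(8)          # unique per probe so old hits cannot match
    lhost, lport = listener.server_address
    target = f"http://{lhost}:{lport}/{token}"
    req = f"GET {target} HTTP/1.0\r\nHost: {lhost}:{lport}\r\n\r\n".encode()
    data = b""
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
            s.sendall(req)
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:
        pass                               # no answer: heuristic yields code None
    status_line = data.split(b"\r\n", 1)[0].decode(errors="replace")
    return {"status": status_line,
            "heuristic": classify_status(status_line),
            "verified": any(token in p for p in listener.seen_paths)}


def start_toy_proxy(mode):
    """Constructed stand-in for the host being scanned (not a real product).
    'forward' relays absolute-URI GETs (a genuinely open proxy); 'fake200' answers
    200 from its own page without relaying, the Apache behaviour Max describes;
    'deny' answers 403 Forbidden."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def relay(url):
        u = urlsplit(url)
        try:
            with socket.create_connection((u.hostname, u.port or 80), timeout=3) as up:
                up.sendall(f"GET {u.path or '/'} HTTP/1.0\r\nHost: {u.netloc}\r\n\r\n".encode())
                resp = b""
                while True:
                    chunk = up.recv(4096)
                    if not chunk:
                        return resp
                    resp += chunk
        except OSError:                    # the 502 case from the post (nothing listening)
            return b"HTTP/1.0 502 Connection refused\r\n\r\n"

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                parts = conn.recv(4096).split(b"\r\n", 1)[0].decode(errors="replace").split()
                if mode == "deny" or len(parts) < 2:
                    conn.sendall(b"HTTP/1.0 403 Forbidden\r\n\r\n")
                elif mode == "fake200":
                    conn.sendall(b"HTTP/1.0 200 OK\r\n\r\n<html>welcome</html>")
                else:
                    conn.sendall(relay(parts[1]))

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


if __name__ == "__main__":
    listener = start_listener()
    for mode in ("forward", "fake200", "deny"):
        host, port = start_toy_proxy(mode)
        print(mode, check_open_proxy(host, port, listener))
```

Only `verified` is trustworthy: it is true solely when the server under test really connected back to the listener and fetched the per-probe token, which is the evidence a scanner should require before reporting "Proxy Penetrated".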