Penetration Testing mailing list archives
RE: Tool to find hidden web proxy server
From: "Jeff Gercken" <JeffG () kizan com>
Date: Fri, 3 Sep 2004 16:42:01 -0400
This thread has probably gone on for too long but I thought I'd add a different approach. Instead of looking at the workstations as black boxes from the network you could look inside them for processes that have bound themselves to sockets. You do have admin permissions, right? Microsoft (finally) has a good utility called Portqry (version 2 by Tim Rains) that can do this. They also have a larger app called Port Reporter that runs as a service and periodically reports on port usage.

portqry
http://support.microsoft.com/default.aspx?scid=kb;en-us;310099

GUI for portqry
http://www.microsoft.com/downloads/details.aspx?FamilyID=8355e537-1ea6-4569-aabb-f248f4bd91d0&DisplayLang=en

port reporter
http://support.microsoft.com/?id=837243

log parser for port reporter
http://download.microsoft.com/download/2/8/8/28810043-0e21-4004-89a3-2f477a74186f/PRParser.exe

Also try fport from Foundstone.

You could be especially sneaky and just routinely do remote kills of any instances of IE, Firefox, etc. you find on non-browsing hosts.

Pskill by Sysinternals
http://www.sysinternals.com/ntw2k/freeware/pskill.shtml

Or if you don't want to fuss with it you could just roll out group policy and lock the things down. Or are you still using Windows 98?

Lastly, you might just consider revoking the Internet restriction. If you deny a thing, that's what people will want. By playing the game you're actually encouraging people (at least ppl like me) to try and defeat your control mechanisms. Open it up and you'll probably see that, after a few weeks, it'll lose its luster.

-jeff

-----Original Message-----
From: Gary E. Miller [mailto:gem () rellim com]
Sent: Thursday, September 02, 2004 8:04 PM
To: Jose Maria Lopez
Cc: pen-test () securityfocus com
Subject: Re: Tool to find hidden web proxy server

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yo Jose!

On Thu, 2 Sep 2004, Jose Maria Lopez wrote:
But if you allow in and out from specific ports you have at least a second level of security over what the original poster said it had. Only allowing out from some IPs is possible, but I find it very difficult to make rules for the outer IPs, having in mind the original poster wants to have internet connection from the LAN for those machines.
If you leave just ONE port open, then an insider can use it to tunnel out. That one port is often DNS/udp. You have to work very, very hard to filter out IP over DNS/udp. You could force the use of an internal DNS server, but if it allows any recursive lookups out of the firewall then game over. This /. article describes how to do it:

http://slashdot.org/articles/00/09/10/2230242.shtml

The insider does not even need an open port. Only TCP/IP (proto 6) and TCP/UDP (proto 17) use "ports". The insider can just use a "portless" protocol like TCP/ICMP (proto 1), TCP/ESP (proto 50), TCP/AH (proto 51), etc. There are several IPSEC stacks available as freeware that use TCP/ESP and TCP/AH.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
gem () rellim com Tel:+1(541)382-8588 Fax: +1(541)382-8676

------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Check out our Advanced Hacking course, learn to write exploits and attack security infrastructure. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization.
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------------
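Jeff's suggestion above (look inside the workstation for processes bound to sockets rather than scanning it from outside) as an added example, not code from the thread or from any of the tools it names: it takes `netstat -ano`-style rows plus a PID-to-image map (as `tasklist` would give it), both constructed here, and flags network-reachable listeners on typical proxy ports or owned by images outside an assumed baseline. Port Reporter and fport output would need their own parsers.

```python
# Ports that HTTP/SOCKS proxies commonly bind; a listener here on a workstation deserves a look.
PROXY_PORTS = {80, 1080, 3128, 8000, 8080, 8081, 8118, 8888}
# Images expected to hold listening sockets on a locked-down workstation (assumed baseline).
EXPECTED_LISTENERS = {"System", "svchost.exe", "lsass.exe", "wininit.exe", "services.exe"}

def parse_netstat(text):
    """Turn `netstat -ano`-style rows into (proto, local, foreign, state, pid) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "TCP" and len(parts) == 5:
            rows.append((parts[0], parts[1], parts[2], parts[3], int(parts[4])))
        elif parts and parts[0] == "UDP" and len(parts) == 4:   # UDP rows carry no state column
            rows.append((parts[0], parts[1], parts[2], "", int(parts[3])))
    return rows

def split_addr(local):
    """'0.0.0.0:3128' -> ('0.0.0.0', 3128); also handles '[::]:3128'."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)

def find_suspect_listeners(netstat_text, pid_to_image):
    """Return (proto, host, port, pid, image) for bound sockets that look like a hidden proxy."""
    suspects = []
    for proto, local, _foreign, state, pid in parse_netstat(netstat_text):
        if proto == "TCP" and state != "LISTENING":
            continue                                   # only bound, waiting sockets matter
        host, port = split_addr(local)
        if host in ("127.0.0.1", "::1"):
            continue                                   # loopback-only: other hosts can't use it
        image = pid_to_image.get(pid, "<unknown>")
        if port in PROXY_PORTS or image not in EXPECTED_LISTENERS:
            suspects.append((proto, host, port, pid, image))
    return suspects

# Constructed sample: netstat output plus a PID->image map; "proxysvc.exe" is a made-up name.
SAMPLE_NETSTAT = """
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:3128           0.0.0.0:0              LISTENING       1844
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       2210
  TCP    192.168.1.20:1052      192.168.1.1:80         ESTABLISHED     2210
  UDP    0.0.0.0:137            *:*                                    4
  UDP    0.0.0.0:4000           *:*                                    1844
"""
SAMPLE_TASKLIST = {812: "svchost.exe", 1844: "proxysvc.exe", 2210: "firefox.exe", 4: "System"}

if __name__ == "__main__":
    for proto, host, port, pid, image in find_suspect_listeners(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"{proto} {host}:{port} pid={pid} image={image}")
```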
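Gary's two points in the quoted reply (a single open DNS/udp port is enough to carry IP over DNS, and "portless" protocols such as ICMP, ESP and AH bypass port filtering entirely) as an added detection example, not code from the thread: it runs over constructed key=value flow records, assumes a 192.168.0.0/16 LAN, reports outbound flows that are neither TCP nor UDP, and counts per-client distinct long or high-entropy query names under one domain, which is the shape IP-over-DNS traffic takes.

```python
import hashlib
import math
from collections import Counter, defaultdict

PORTLESS = {1: "ICMP", 47: "GRE", 50: "ESP", 51: "AH"}   # no port for a filter to key on
INTERNAL_PREFIX = "192.168."                              # assumed LAN range

def parse_kv(line):
    """Parse a constructed 'key=value ...' flow/DNS record into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def suspicious_qname(qname, max_data_len=40, min_entropy=3.5):
    """IP-over-DNS packs data into the leftmost labels: long, random-looking strings."""
    labels = qname.rstrip(".").split(".")
    data = "".join(labels[:-2])           # everything left of the registered domain
    return len(data) >= max_data_len or shannon_entropy(data) >= min_entropy

def analyze(lines, dns_threshold=20):
    """Return (outbound non-TCP/UDP flows, (client, domain, count) DNS tunnel candidates)."""
    portless, dns_hits = [], defaultdict(set)
    for rec in map(parse_kv, lines):
        if not rec.get("src", "").startswith(INTERNAL_PREFIX):
            continue                                      # only egress from the LAN
        proto = int(rec.get("proto", 0))
        if proto not in (6, 17):
            portless.append((rec["src"], PORTLESS.get(proto, f"proto{proto}")))
        qname = rec.get("qname")
        if proto == 17 and rec.get("dport") == "53" and qname and suspicious_qname(qname):
            domain = ".".join(qname.rstrip(".").split(".")[-2:])
            dns_hits[(rec["src"], domain)].add(qname)
    tunnels = [(src, dom, len(q)) for (src, dom), q in dns_hits.items() if len(q) >= dns_threshold]
    return portless, tunnels

# Constructed sample: normal web/DNS traffic, one host sending ICMP and ESP directly,
# one inbound flow (ignored), and 25 encoded-looking queries under a single domain.
SAMPLE_LOG = [
    "proto=6 src=192.168.1.20 dst=203.0.113.10 dport=80",
    "proto=17 src=192.168.1.20 dst=192.168.1.1 dport=53 qname=www.example.com.",
    "proto=1 src=192.168.1.33 dst=203.0.113.77",
    "proto=50 src=192.168.1.33 dst=203.0.113.77",
    "proto=6 src=10.9.9.9 dst=192.168.1.20 dport=445",
] + [
    "proto=17 src=192.168.1.20 dst=192.168.1.1 dport=53 "
    f"qname={hashlib.sha256(str(i).encode()).hexdigest()[:48]}.t.example.net."
    for i in range(25)
]
```

Whitelisting the internal resolver as the only permitted dport=53 destination, as Gary suggests, does not change the query-name check: the resolver forwards those names upstream unchanged, so the analysis has to run on what clients ask, not where they ask.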
Current thread:
- RE: Tool to find hidden web proxy server, (continued)
- RE: Tool to find hidden web proxy server okrehel (Sep 08)
- RE: Tool to find hidden web proxy server Jose Maria Lopez (Sep 08)
- RE: Tool to find hidden web proxy server caleb . dods (Sep 03)
- RE: Tool to find hidden web proxy server caleb . dods (Sep 03)
- RE: Tool to find hidden web proxy server Christopher Adickes (Sep 04)
- RE: Tool to find hidden web proxy server Bénoni MARTIN (Sep 04)
- Rogue activity methodology (was: Tool to find hidden web proxy server) Chris Brenton (Sep 07)
- Re: Rogue activity methodology (was: Tool to find hidden web proxy server) Shashank Rai (Sep 08)
- Re: Rogue activity methodology (was: Tool to find hidden web proxy server) Chris Brenton (Sep 08)
- Re: Rogue activity methodology (was: Tool to find hidden web proxyserver) Dejan Markovic (Sep 09)
- Rogue activity methodology (was: Tool to find hidden web proxy server) Chris Brenton (Sep 07)