Penetration Testing mailing list archives
Re: Rogue activity methodology (was: Tool to find hidden web proxy server)
From: Shashank Rai <shashrai () emirates net ae>
Date: Wed, 08 Sep 2004 08:25:25 +0400
On Sun, 2004-09-05 at 13:52, Chris Brenton wrote:
I have to say, I'm a bit surprised at how many people chimed in with "scan your whole network". This seems like a lot of work (and traffic) given the situation Vinay described. Just to go back over the "facts" he has given us:

* Only certain IP's are permitted outbound HTTP access
* Suspects one or more of these IPs have setup a rogue proxy
* Unauthorized users may be accessing the Internet via the proxies
* Suspects the proxies are on a non-standard ports (implies he might have already checked the standard ports)
* No indication if the internal network is switched or repeated
* No indication of the OS being used
* No indication of whether he has admin access to these systems
* No indication of how big the internal network may be
* No indication of how many systems are permitted outbound HTTP access
Finally, a good assessment of the facts!! "scan your network, run nessus/nmap" or "mirror the ports on the switch"..... really nice pieces of advice but how practical?? We don't know what kind of network the guy is talking about. The domain of the original poster is "eil.co.in" ... well from what you can make out of the company's website (www.engineersindia.com), the network might be spread across the whole length and breadth of India!!! Agreed, Vinay should have supplied more information or at the least replied to the various suggestions that have been given in the thread, on how feasible these solutions are. IMHO, scanning the systems or sniffing for traffic within the network can only work for a small organization.

Catching the rogue proxy can be done in two ways:

1) If the PCs comprise Windows based systems, part of a domain, then as domain admin you can find what applications are installed by any user. Preferably, have a policy on what users can do with their workstations and impose it domain wide. Installing proxies, or for that matter any unauthorized software, should be a big NO NO.

2) Secondly, if you have a single point of exit from the corporate network to the Internet (which I can safely assume, as you have mentioned the firewall having an IP based access list), then as suggested by Chris, sniff the traffic at the exit point. Look for proxy giveaways like "X-FORWARDED-FOR". Look for traffic patterns: which of the allowed IPs generates the most HTTP traffic. Look at the patterns for a day or so and then port scan the machines of the top 10 IPs. Then again, if the IPs are given out using DHCP, you'll have to make an extra effort in correlating the IPs with the workstations in order to limit your suspects. Unless of course port scanning your whole network with "version scan" suits you :) .. BTW nmap 3.7 is *really* fast.

HTH
--
Shashank Rai
------------
Network and Information Security Team,
Emirates Telecommunication Corporation,
Abu Dhabi, U.A.E.
Ph: +971-2-6182523 Office +971-50-6670648 Cell
GPG key: http://pgp.cns.ualberta.ca:11371/pks/lookup?op=vindex&search=0x01B79474026E36F5
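The exit-point analysis from point 2 above, as an added example that is not part of the original post: it takes HTTP request heads captured at the single egress (here a constructed sample, with 10.1.1.5 relaying for others and 10.1.1.9 a normal client), ranks the allowed source IPs by request volume, and flags proxy giveaways (X-Forwarded-For, Via, Forwarded). It also counts distinct User-Agent strings per source, an extra heuristic the post does not mention: one workstation relaying for several users tends to show several browsers.

```python
from collections import Counter, defaultdict

# Constructed sample capture: (source IP seen at the exit point, raw HTTP request head).
# 10.1.1.5 is an allowed IP that is relaying for others; 10.1.1.9 is a normal client.
SAMPLE_REQUESTS = [
    ("10.1.1.5", "GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n"
                 "User-Agent: Mozilla/4.0\r\nX-Forwarded-For: 10.1.7.42\r\n\r\n"),
    ("10.1.1.5", "GET http://example.com/b HTTP/1.1\r\nHost: example.com\r\n"
                 "User-Agent: Opera/7.5\r\nVia: 1.1 wkstn05 (squid)\r\n\r\n"),
    ("10.1.1.5", "GET http://example.org/ HTTP/1.1\r\nHost: example.org\r\n"
                 "User-Agent: Mozilla/4.0\r\nX-Forwarded-For: 10.1.7.43\r\n\r\n"),
    ("10.1.1.9", "GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n"
                 "User-Agent: Mozilla/4.0\r\n\r\n"),
]
# Header names a relaying proxy commonly adds to the client's request.
PROXY_HEADERS = ("x-forwarded-for", "via", "forwarded")

def parse_headers(raw):
    """Return {lowercased-name: value} for the header block of one request."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def analyse(requests):
    """Per source IP: request count, proxy-header evidence, distinct User-Agents."""
    count = Counter()
    evidence = defaultdict(set)
    agents = defaultdict(set)
    for src, raw in requests:
        count[src] += 1
        hdrs = parse_headers(raw)
        for h in PROXY_HEADERS:
            if h in hdrs:
                evidence[src].add(f"{h}: {hdrs[h]}")
        if "user-agent" in hdrs:
            agents[src].add(hdrs["user-agent"])
    return count, dict(evidence), dict(agents)

def suspects(requests, top_n=10):
    """Rank sources by volume; attach proxy headers seen and multi-agent flag."""
    count, evidence, agents = analyse(requests)
    ranked = []
    for src, n in count.most_common(top_n):
        flags = sorted(evidence.get(src, ()))
        if len(agents.get(src, ())) > 1:
            flags.append(f"{len(agents[src])} distinct user-agents")
        ranked.append((src, n, flags))
    return ranked
```

The ranked list is the short list of hosts to check by hand (or with a version scan) rather than sweeping the whole network.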