Penetration Testing mailing list archives
Re: Netcat through Squid HTTP Proxy
From: James Kearney <jamesjohnkearney () gmail com>
Date: Tue, 19 Apr 2005 16:19:52 +0100
Henderson, Dennis K. wrote:
It seems like he was looking for information on how to prevent this. You can configure squid to only allow tunneling on certain ports like 443 and 80. You'll have to figure out what your safe ports are to prevent legitimate traffic from being impacted. I usually make sure the usual ports like ssh, telnet, irc are not allowed. Cheers Dennis
although of course, they may just have the sshd running on 443... or be using a httptunnel client and server etc etc... stopping someone getting out when they are already inside is v difficult - what if they tunnel over dns/write a custom server and client over port 80 etc? I would think that generally if the individual knows enough to try tunneling ssh over https, then they probably can put an ssh server on 443, or using some transport mechanism over http.
Of course that's not to say that you should not block the connect options for ssh/imap/whatever... but don't assume this will stop anyone getting out.
maybe you could have a tcpdump dumping the open and close connections for https connect on port 443, and record the amount of usage/time it is used, and it may indicate someone using a shell through the https proxy or something like that?
- jk
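
The usage/time recording suggested above, as an added example that is not part of the original post: instead of tcpdump it reads the proxy's own log, assuming Squid's native access.log layout, and reports clients that held a CONNECT tunnel open for a long time. The sample lines, the function names and the 30-minute threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in Squid's native access.log layout (not from the thread):
# time elapsed_ms client result/status bytes method target user peer type
SAMPLE_LOG = """\
1113923000.100     840 10.0.0.21 TCP_MISS/200 5120 CONNECT shop.example.com:443 - DIRECT/192.0.2.10 -
1113923100.200 5400000 10.0.0.37 TCP_MISS/200 910000 CONNECT host.example.net:443 - DIRECT/192.0.2.77 -
1113923150.300     120 10.0.0.21 TCP_MISS/200 20480 GET http://www.example.org/ - DIRECT/192.0.2.20 text/html
1113923200.400    2100 10.0.0.21 TCP_MISS/200 48000 CONNECT mail.example.com:443 - DIRECT/192.0.2.30 -
1113930000.500 7200000 10.0.0.37 TCP_MISS/200 1300000 CONNECT host.example.net:443 - DIRECT/192.0.2.77 -
1113930100.600      15 10.0.0.44 TCP_DENIED/403 1400 CONNECT box.example.net:22 - NONE/- text/html
"""

def parse_connects(log_text):
    """Yield (client, target, seconds, bytes, result) for each CONNECT entry."""
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 7 or f[5] != "CONNECT":
            continue
        try:
            secs, size = int(f[1]) / 1000.0, int(f[4])
        except ValueError:
            continue  # malformed numeric field, skip the line
        yield f[2], f[6], secs, size, f[3]

def long_tunnels(log_text, min_seconds=1800):
    """Usage per (client, target) for tunnels held open >= min_seconds (assumed threshold)."""
    stats = defaultdict(lambda: {"sessions": 0, "total_seconds": 0.0,
                                 "longest": 0.0, "bytes": 0})
    for client, target, secs, size, result in parse_connects(log_text):
        if result.startswith("TCP_DENIED"):
            continue  # refused by the proxy ACL, so no tunnel was opened
        s = stats[(client, target)]
        s["sessions"] += 1
        s["total_seconds"] += secs
        s["longest"] = max(s["longest"], secs)
        s["bytes"] += size
    return {k: v for k, v in stats.items() if v["longest"] >= min_seconds}

def denied_connects(log_text):
    """CONNECT attempts that the port ACL refused, e.g. to the ssh port."""
    return [(c, t) for c, t, _, _, r in parse_connects(log_text)
            if r.startswith("TCP_DENIED")]

if __name__ == "__main__":
    for (client, target), s in long_tunnels(SAMPLE_LOG).items():
        print(client, target, s)
    print("denied:", denied_connects(SAMPLE_LOG))
```

Squid writes the CONNECT entry when the tunnel closes, so the elapsed field is the full session length; a long-lived tunnel only shows up once it ends.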