RE: Tool to find hidden web proxy server

From: Jeff Gercken (JeffG_at_kizan.com)
Date: 09/03/04

    Date: Fri, 3 Sep 2004 16:42:01 -0400
    To: "Gary E. Miller" <gem@rellim.com>, "Jose Maria Lopez" <jkerouac@bgsec.com>
    
    

    This thread has probably gone on for too long but I thought I'd add a
    different approach.

    Instead of looking at the workstations as black boxes from the network
    you could look inside them for processes that have bound themselves to
    sockets. You do have admin permissions right?

    Microsoft (finally) has a good utility called Portqry (version 2 by Tim
    Rains) that can do this. They also have a larger app called port
    reporter that runs as a service and periodically reports on port usage.

    portqry
    http://support.microsoft.com/default.aspx?scid=kb;en-us;310099

    GUI for portqry
    http://www.microsoft.com/downloads/details.aspx?FamilyID=8355e537-1ea6-4569-aabb-f248f4bd91d0&DisplayLang=en

    port reporter
    http://support.microsoft.com/?id=837243

    log parser for port reporter
    http://download.microsoft.com/download/2/8/8/28810043-0e21-4004-89a3-2f477a74186f/PRParser.exe

    also try fport from foundstone

    You could be especially sneaky and just routinely do remote kills of any
    instances of IE, Firefox, etc you find on non-browsing hosts.

    Pskill by Sysinternals
    http://www.sysinternals.com/ntw2k/freeware/pskill.shtml

    Or if you don't want to fuss with it you could just roll out group
    policy and lock the things down. Or are you still using Windows 98?

    Lastly, you might just consider revoking the Internet restriction. If
    you deny a thing, that's what people will want. By playing the game
    you're actually encouraging people (at least ppl like me) to try and
    defeat your control mechanisms. Open it up and you'll probably see
    that, after a few weeks, it'll lose its luster.

    -jeff

    -----Original Message-----
    From: Gary E. Miller [mailto:gem@rellim.com]
    Sent: Thursday, September 02, 2004 8:04 PM
    To: Jose Maria Lopez
    Cc: pen-test@securityfocus.com
    Subject: Re: Tool to find hidden web proxy server

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Yo Jose!

    On Thu, 2 Sep 2004, Jose Maria Lopez wrote:

    > But if you allow in and out from specific ports you have at least a
    > second level of security over what the original poster said it had.
    > Only allowing out from some IPs is possible, but I find it very
    > difficult to make rules for the outer IPs, having in mind the original
    > poster wants to have internet connection from the LAN for those
    > machines.

    If you leave just ONE port open, then an insider can use it to tunnel
    out. That one port is often DNS/udp. You have to work very, very,
    hard to filter out IP over DNS/udp. You could force the use of
    an internal DNS server, but if it allows any recursive lookups out
    of the firewall then game over.

    This /. describes how to do it:
            http://slashdot.org/articles/00/09/10/2230242.shtml

    The insider does not even need an open port. Only TCP/IP (proto 6) and
    TCP/UDP (proto 17) use "ports". The insider can just use a "portless"
    protocol like TCP/ICMP (proto 1), TCP/ESP (proto 50), TCP/AH (proto 51),
    etc.

    There are several IPSEC stacks available as freeware that use TCP/ESP
    and TCP/AH.

    RGDS
    GARY
    Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
    	gem@rellim.com  Tel:+1(541)382-8588 Fax: +1(541)382-8676
    ------------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. All of our class sizes are
    guaranteed to be 12 students or less to facilitate one-on-one interaction
    with one of our expert instructors. Check out our Advanced Hacking course,
    learn to write exploits and attack security infrastructure. Attend a course
    taught by an expert instructor with years of in-the-field pen testing
    experience in our state of the art hacking lab. Master the skills of an
    Ethical Hacker to better assess the security of your organization.
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    -------------------------------------------------------------------------------
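Jeff's host-side approach above (list the sockets each process owns and look for listeners a workstation should not have) as an added Python example; it is not code from the thread or from portqry, port reporter or fport. It parses constructed `netstat -ano` and `tasklist /fo csv` output, and the expected-listener allowlist and proxy-port set are assumptions to adjust per site.

```python
import csv
import io

# Constructed sample of "netstat -ano" output from one workstation (not from the thread).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3128           0.0.0.0:0              LISTENING       2244
  TCP    192.168.1.5:1054       10.0.0.1:80            ESTABLISHED     1312
  UDP    0.0.0.0:500            *:*                                    752
"""

# Constructed sample of "tasklist /fo csv" output from the same host.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","900","Console","0","5,120 K"
"System","4","Console","0","236 K"
"squid.exe","2244","Console","0","12,000 K"
"iexplore.exe","1312","Console","0","30,000 K"
"lsass.exe","752","Console","0","4,000 K"
"""

# Assumed baseline: (process, port) pairs a stock workstation is allowed to listen on.
EXPECTED = {("svchost.exe", 135), ("System", 445), ("lsass.exe", 500)}
# Assumed set of ports commonly used by web proxies.
PROXY_PORTS = {80, 443, 1080, 3128, 8000, 8080, 8888}


def parse_tasklist(text):
    """Map PID -> image name from tasklist CSV output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}


def parse_listeners(text):
    """Yield (proto, port, pid) for each listening TCP socket and each bound UDP socket."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank or unrelated line
        port = int(parts[1].rsplit(":", 1)[1])  # works for IPv6 "[::]:135" too
        pid = int(parts[-1])
        if parts[0] == "UDP" or parts[3] == "LISTENING":
            yield parts[0], port, pid


def find_suspect_listeners(netstat_text, tasklist_text):
    """Return [(process, proto, port, reason)] for listeners outside the baseline."""
    names = parse_tasklist(tasklist_text)
    suspects = []
    for proto, port, pid in parse_listeners(netstat_text):
        name = names.get(pid, "<unknown>")
        if (name, port) in EXPECTED:
            continue
        reason = "common proxy port" if port in PROXY_PORTS else "unexpected listener"
        suspects.append((name, proto, port, reason))
    return suspects
```

Run the two commands on each workstation, feed their output in, and anything returned is a process bound to a socket that the baseline does not explain.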
    

