Re: Rogue activity methodology (was: Tool to find hidden web proxy server)

From: Shashank Rai (shashrai_at_emirates.net.ae)
Date: 09/08/04

  • Next message: Nicolas Montoza: "Re: Achilles proxy for linux"
    Date: Wed, 08 Sep 2004 08:25:25 +0400
    To: Chris Brenton <cbrenton@chrisbrenton.org>
    
    

    On Sun, 2004-09-05 at 13:52, Chris Brenton wrote:
    > I have to say, I'm a bit surprised at how many people chimed in with
    > "scan your whole network". This seems like a lot of work (and traffic)
    > given the situation Vinay described. Just to go back over the "facts" he
    > has given us:
    >
    > * Only certain IPs are permitted outbound HTTP access
    > * Suspects one or more of these IPs have set up a rogue proxy
    > * Unauthorized users may be accessing the Internet via the proxies
    > * Suspects the proxies are on non-standard ports (implies he might
    > have already checked the standard ports)
    > * No indication if the internal network is switched or repeated
    > * No indication of the OS being used
    > * No indication of whether he has admin access to these systems
    > * No indication of how big the internal network may be
    > * No indication of how many systems are permitted outbound HTTP access

    Finally, a good assessment of the facts!!
    "Scan your network, run nessus/nmap" or "mirror the ports on the
    switch"... really nice pieces of advice, but how practical? We don't
    know what kind of network the guy is talking about. The domain of the
    original poster is "eil.co.in"... well, from what you can make out of
    the company's website (www.engineersindia.com), the network might be
    spread across the whole length and breadth of India!!! Agreed, Vinay
    should have supplied more information or at the least replied to the
    various suggestions that have been given in the thread on how feasible
    these solutions are.

    IMHO, scanning the systems or sniffing for traffic within the network
    can only work for a small organization. Catching the rogue proxy can be
    done in two ways:

    1) If the PCs are Windows-based systems that are part of a domain, then as
    domain admin, you can find what applications are installed by any user.
    Preferably, have a policy on what users can do with their workstations
    and impose it domain-wide. Installing proxies, or for that matter any
    unauthorized software, should be a big no-no.

    2) Secondly, if you have a single point of exit from the corporate
    network to the Internet (which I can safely assume, as you have
    mentioned the firewall having an IP-based access list), then as
    suggested by Chris, sniff the traffic at the exit point. Look for proxy
    giveaways like "X-FORWARDED-FOR". Look for traffic patterns: which of
    the allowed IPs generates the most HTTP traffic. Look at the patterns for a
    day or so and then port scan the machines of the top 10 IPs. Then again,
    if the IPs are given out using DHCP, you'll have to make an extra effort in
    correlating the IPs with the workstations in order to limit your
    suspects.

    Unless, of course, port scanning your whole network with "version scan"
    suits you :) .. BTW, nmap 3.7 is *really* fast.

    HTH

    -- 
    Shashank Rai
    ------------
    Network and Information Security Team,
    Emirates Telecommunication Corporation,
    Abu Dhabi, U.A.E.
    Ph: +971-2-6182523   Office
        +971-50-6670648  Cell
    GPG key:
    http://pgp.cns.ualberta.ca:11371/pks/lookup?op=vindex&search=0x01B79474026E36F5
    
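The exit-point analysis described in point 2) above, as an added example that is not part of the original post or the thread: a small Python script that reads a constructed, hypothetical request log as a firewall or sniffer at the single egress might record it, ranks the allowed source IPs by HTTP request volume, and flags the two giveaways mentioned (an X-Forwarded-For header, and one source IP showing several different browser User-Agent strings, which suggests more than one user behind it). The log format, the IP addresses and the ALLOWED_EGRESS set are all assumptions made for the example.

```python
"""Rank egress HTTP sources by volume and flag rogue-proxy giveaways.

Added example; the log format below is a constructed assumption:
  <timestamp> <src-ip> <method> <url> "<user-agent>" <x-forwarded-for or ->
"""
import re
from collections import Counter, defaultdict

# Constructed sample log. Hypothetical addresses; 10.1.1.11 behaves like a
# proxy (many requests, several User-Agents, X-Forwarded-For present) and
# 10.1.1.13 is not on the firewall's allowed list at all.
SAMPLE_LOG = """\
2004-09-05T13:52:01 10.1.1.10 GET http://www.example.com/ "Mozilla/4.0 (compatible; MSIE 6.0)" -
2004-09-05T13:52:03 10.1.1.11 GET http://news.example.org/ "Mozilla/4.0 (compatible; MSIE 6.0)" 10.2.3.4
2004-09-05T13:52:04 10.1.1.11 GET http://news.example.org/a.gif "Mozilla/4.0 (compatible; MSIE 6.0)" 10.2.3.4
2004-09-05T13:52:05 10.1.1.12 GET http://www.example.com/ "Mozilla/5.0 (X11; Linux i686)" -
2004-09-05T13:52:07 10.1.1.11 GET http://mail.example.net/ "Mozilla/5.0 (Windows; U; Windows NT 5.1)" 10.2.3.5
2004-09-05T13:52:08 10.1.1.11 POST http://mail.example.net/login "Opera/7.23 (Windows NT 5.1)" -
2004-09-05T13:52:09 10.1.1.10 GET http://www.example.com/faq "Mozilla/4.0 (compatible; MSIE 6.0)" -
2004-09-05T13:52:11 10.1.1.12 GET http://www.example.com/b.css "Mozilla/5.0 (X11; Linux i686)" -
2004-09-05T13:52:12 10.1.1.11 GET http://news.example.org/b.gif "Opera/7.23 (Windows NT 5.1)" -
2004-09-05T13:52:13 10.1.1.11 GET http://www.example.com/ "Mozilla/5.0 (Windows; U; Windows NT 5.1)" 10.2.3.5
2004-09-05T13:52:14 10.1.1.12 GET http://www.example.com/c.js "Mozilla/5.0 (X11; Linux i686)" -
2004-09-05T13:52:15 10.1.1.13 GET http://www.example.com/ "Mozilla/4.0 (compatible; MSIE 6.0)" -
"""

# Assumed: the IPs the firewall's access list permits outbound HTTP for.
ALLOWED_EGRESS = {"10.1.1.10", "10.1.1.11", "10.1.1.12"}

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)" (\S+)$')


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url, ua, xff = m.groups()
    # X-Forwarded-For may carry a comma-separated chain of client addresses.
    forwarded = [] if xff == "-" else [ip.strip() for ip in xff.split(",") if ip.strip()]
    return {"ts": ts, "src": src, "method": method, "url": url, "ua": ua, "xff": forwarded}


def analyze(log_text, allowed_egress, top_n=10, min_agents=2):
    """Summarise egress traffic per source IP and collect proxy indicators."""
    requests = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    volume = Counter(r["src"] for r in requests)
    agents = defaultdict(set)     # src -> distinct User-Agent strings
    forwarded = defaultdict(set)  # src -> client IPs disclosed via X-Forwarded-For
    for r in requests:
        agents[r["src"]].add(r["ua"])
        forwarded[r["src"]].update(r["xff"])
    return {
        # Highest-volume sources first: the candidates to look at next.
        "top_talkers": volume.most_common(top_n),
        # Sources whose requests carried X-Forwarded-For, with the IPs behind them.
        "xff_sources": {ip: sorted(v) for ip, v in forwarded.items() if v},
        # One source IP, several browsers: several people behind it is one explanation.
        "multi_agent_sources": {ip: len(v) for ip, v in agents.items() if len(v) >= min_agents},
        # Traffic from an IP the access list should not allow out at all.
        "unexpected_sources": sorted(set(volume) - set(allowed_egress)),
    }


def report(result):
    """Print the summary in a form suitable for a day's worth of captured traffic."""
    print("Top talkers (src, requests):")
    for ip, n in result["top_talkers"]:
        flags = []
        if ip in result["xff_sources"]:
            flags.append("XFF->" + ",".join(result["xff_sources"][ip]))
        if ip in result["multi_agent_sources"]:
            flags.append("%d user-agents" % result["multi_agent_sources"][ip])
        print("  %-12s %4d  %s" % (ip, n, " ".join(flags)))
    if result["unexpected_sources"]:
        print("Not on allowed list:", ", ".join(result["unexpected_sources"]))


if __name__ == "__main__":
    report(analyze(SAMPLE_LOG, ALLOWED_EGRESS))
```

Two caveats a practitioner would keep in mind: X-Forwarded-For only shows up if the proxy software adds it, so its absence proves nothing, while volume and the User-Agent spread still work; and, as the post says, with DHCP the source IP has to be tied back to a workstation (lease logs, switch tables) before it identifies a machine.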
