RE: Netcat through Squid HTTP Proxy

From: Todd Towles (toddtowles_at_brookshires.com)
Date: 04/19/05

  • Next message: lista: "SV: ZoneAlarm" 
    Date: Tue, 19 Apr 2005 10:59:20 -0500
To: "Rene Amirkhanian" <rene.amirkhanian@nbs-system.com>, "Henderson, Dennis K." <Dennis.Henderson@umb.com>

     Joachim,

    You have your network setup correctly. You have layers of security (not
    just a all-in-one ISA proxy/firewall). You have a real firewall that
    blocks all outbound traffic from the client subnet (or however you ware
    blocking them). This makes all internet bound traffic have to go thru
    the proxy. Now throw in proxy gateway AV and a IPS system if you have
    the money. If you have it setup this way and don't have the proxy
    misconfigured in a huge way, you sound better than a lot of people in
    the world. Some proxies allow internet people access back into the
    network, etc.

    Can you stop a person from setting a server up at their house with TS
    enabled, or a custom SSL interface...maybe not, but that will try a
    employee or hacker that is targetting you and has prepared. I have found
    employees doing SSL webchat, because of the increases traffic to a
    certain SSL site that was alos owned by the employee.

    You can't stopped everything, but the less doors you have, the less
    locks you have to watch. Now keep a eye out on any weird SSL traffic or
    anything out of the normal...and you are on your way to a better
    network.

    > -----Original Message-----
    > From: Rene Amirkhanian [mailto:rene.amirkhanian@nbs-system.com]
    > Sent: Tuesday, April 19, 2005 10:47 AM
    > To: 'Henderson, Dennis K.'
    > Cc: Todd Towles; 'Joachim Schipper'; pen-test@securityfocus.com
    > Subject: RE: Netcat through Squid HTTP Proxy
    >
    >
    > Out of curiosity, how would one prevent access to a remote
    > ssh server listenning on port 443?
    >
    > That always did the trick for me whenever it's allowed.
    >
    > Rene
    >
    > -----Original Message-----
    > From: Henderson, Dennis K. [mailto:Dennis.Henderson@umb.com]
    > Sent: lundi 18 avril 2005 18:28
    > To: Todd Towles; Joachim Schipper; pen-test@securityfocus.com
    > Subject: RE: Netcat through Squid HTTP Proxy
    >
    > It seems like he was looking for information on how to prevent this.
    >
    > You can configure squid to only allow tunneling on certain ports like
    > 443 and 80. You'll have to figure out what your safe ports
    > are to prevent legitimate traffic from being impacted.
    >
    > I usually make sure the usual ports like ssh, telnet, irc are
    > not allowed.
    >
    > Cheers
    >
    > Dennis
    >
    > > -----Original Message-----
    > > From: Todd Towles [mailto:toddtowles@brookshires.com]
    > > Sent: Monday, April 18, 2005 8:20 AM
    > > To: Joachim Schipper; pen-test@securityfocus.com
    > > Subject: RE: Netcat through Squid HTTP Proxy
    > >
    > > There is a POC shell program that uses XML-RPC called Monkey shell
    > > (http://www.securiteam.com/tools/6L00F0KBFE.html). It looks like it
    > > might require a re-code to be fully used as a pen-test tool. But it
    > > something to look at. -
    > >
    > > You can try HTTPTunnel as well.
    > >
    > > httptunnel creates a bidirectional virtual data connection
    > tunnelled
    > > in HTTP requests. The HTTP requests can be sent via an HTTP
    > proxy if
    > > so desired.
    > >
    > > This can be useful for users behind restrictive firewalls. If WWW
    > > access is allowed through a HTTP proxy, it's possible to use
    > > httptunnel and, say, telnet or PPP to connect to a computer outside
    > > the firewall.
    > >
    > > http://www.nocrew.org/software/httptunnel.html
    > >
    > > -Todd
    > >
    > > > -----Original Message-----
    > > > From: Joachim Schipper [mailto:j.schipper@math.uu.nl]
    > > > Sent: Sunday, April 17, 2005 10:13 AM
    > > > To: pen-test@securityfocus.com
    > > > Subject: Re: Netcat through Squid HTTP Proxy
    > > >
    > > > On Fri, Apr 15, 2005 at 10:40:31AM -0400, Rod S wrote:
    > > > > Hello,
    > > > >
    > > > > I have a squid proxy server running, caching and filtering
    > > > web access.
    > > > > User workstations on my network are only allowed http
    > > > access through
    > > > > this proxy server. The firewall (Cisco PIX) will not let
    > > > them connect
    > > > > outbound to any ports.
    > > > >
    > > > > I've done some testing and was successful in running netcat
    > > > to connect
    > > > > to a remote server listening with netcat on port 80 and get
    > > > a command
    > > > > prompt for an internal machine (which is allowed to
    > > connect to any
    > > > > outgoing ports) on that remote server. I'm wondering if
    > > > it's possible
    > > > > for netcat to connect through our proxy server to a remote
    > > > machine and
    > > > > send a cmd.exe shell in the same way? Any tips on
    > > > preventing this or
    > > > > any other information you care to share is appreciated.
    > > > >
    > > > > Thanks!
    > > > > Rod
    > > >
    > > > Dear Rod,
    > > >
    > > > if I understand correctly, you can get a shell on a remote
    > > machine and
    > > > want to allow a remote machine to get a shell on a local
    > host. This
    > > > can be achieved quite easily - search for 'reverse shell'.
    > > One example
    > > > which looks nice is rrs (*nix
    > > > only) - see freshmeat.net. This one cannot do HTTP
    > > proxying, though,
    > > > so it should be augmented or wrapped in something that can.
    > > >
    > > > The Hacker's Choice (www.thc.org) has just run an article
    > on this,
    > > > including an example in Perl. If you desire something more
    > > > Windows-specific, you may want to ask Google, or any
    > > > shades-of-grey-hat site you can find. ;-)
    > > >
    > > > However, simply, yes, this is possible. Quite a few of
    > > these kinds of
    > > > reverse shells rely on HTTP CONNECT, so limiting that may
    > > help - but
    > > > there are some seriously scary things out there,
    > including reverse
    > > > shells that communicate over DNS or ICMP (pings etc).
    > > >
    > > > A good I(P|D)S may help a little. Locking down the network
    > > further may
    > > > help. However, it is almost impossible to keep a smart
    > > attacker in -
    > > > make sure to keep him out.
    > > >
    > > > Joachim
    > > >
    > >
    >
    >

  • Next message: lista: "SV: ZoneAlarm"

    Relevant Pages

    • Re: NAT is not a mechanism for securing a network.. but.. HELP!
      ... tell you a NAT router is a firewall. ... > There is this one hot chick at a major American news network, ... >proxy, and come to a chat room where her and I have been chatting, she has ... >admins at the station she works for. ...
      (comp.security.firewalls)
    • Re: Kids bypassing firewall via web proxy sites
      ... We use a Sonicwall firewall, 3060, I subscribe to content fltering, ... I checked "Access to HTTP Proxy Servers" But I am still able to get to ... CyBlock, which does network proxy and filtering ...
      (comp.security.firewalls)
    • voip on vmware guest os (win2000)
      ... I amusing a voip soft phone, a variaty of x-lite (mynetfone). ... Under the same network system (behind firewall without proxy), ...
      (Fedora)
    • Re: Proxy & Firewall Implementation
      ... could easily bypass your firewall to attack other systems. ... (if it's a small-mid size network, i would probably go for a packetfilter ... Subject: Proxy & Firewall Implementation ... why expose my services outside the network ...
      (Security-Basics)
    • RE: can ping but not browse
      ... I have stopped the firewall. ... # are safed from all (security) hazards. ... firewall/bastion host to the internet ... # internet and to an internal network, ...
      (Fedora)