KeyFocus - KFSensor Knowledge Base

Examples of testing for open proxy servers

Background

A proxy server acts as an intermediary between a client and an application server.

Proxy servers allow machines on an internal network to access the Internet, and when properly configured they perform an important role within an organization's security infrastructure. However, when they are badly configured and exploited, they are of enormous benefit to illegitimate users.

For a hacker there are two main benefits of using a proxy server:

  • Firstly, a proxy server can enable access to machines that a hacker could not access directly. For example, a proxy server could allow a hacker on the Internet to connect to a machine on an internal company network.
  • Secondly, a proxy server can provide anonymity to a hacker. It is this feature that is most prized by those with malicious intent. Of course proxy servers can log usage, but it is reasonable to assume that admins who leave a proxy server unguarded are unlikely to monitor their logs.

Types of Proxy Server

There are many different types of proxy server that can be exploited.
Some proxy servers are built specifically for the task, while others have proxy capabilities built in as a subset of their functionality.

The tests documented here are restricted to the following types of proxy server:

Proxy          Port              Description
SOCKS          1080              A generic proxy server designed for all types of TCP and UDP traffic. Originally it was a UNIX only system, but many Windows applications provide SOCKS support; most notably the infamous WinGate.
HTTP Proxy     80, 3128, 8080    HTTP servers can be used to relay HTTP requests to other HTTP servers, allowing anonymous surfing.
HTTP CONNECT   80, 3128, 8080    The HTTP CONNECT request was introduced to allow access to HTTPS servers, but it can also be used to relay any type of traffic to any type of service.
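The three proxy types above each announce themselves in the first bytes a client sends, which is what a listener on 1080, 3128 or 8080 needs to recognise in order to log what kind of proxy the connecting party was hoping to find. The following classifier is an added example written for this page; it is not KFSensor code. It parses the SOCKS4 request, the SOCKS5 greeting and request, and the two HTTP request-line forms, and the sample probes are constructed to match the transcripts later on this page (194.67.23.20:25 is mxs.mail.ru there; the "tester" userid is made up).

```python
import struct
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ProbeInfo:
    """What a listener can tell from the first bytes a proxy client sends."""
    kind: str                       # socks4 | socks5-greeting | socks5-connect | http-connect | http-proxy | unknown
    target_host: Optional[str] = None
    target_port: Optional[int] = None
    detail: dict = field(default_factory=dict)


def _ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def classify_proxy_probe(data: bytes) -> ProbeInfo:
    """Identify the proxy protocol from the opening bytes of a connection."""
    # SOCKS4: VN=4, CD (1=CONNECT, 2=BIND), DSTPORT (2 bytes), DSTIP (4 bytes), USERID, NUL
    if len(data) >= 9 and data[0] == 0x04:
        cmd = data[1]
        port = struct.unpack("!H", data[2:4])[0]
        userid = data[8:].split(b"\x00", 1)[0].decode("ascii", "replace")
        return ProbeInfo("socks4", _ipv4(data[4:8]), port, {"command": cmd, "userid": userid})

    if len(data) >= 2 and data[0] == 0x05:
        # SOCKS5 greeting: VER=5, NMETHODS, METHODS[NMETHODS]; method 0x00 = no authentication
        nmethods = data[1]
        if len(data) == 2 + nmethods:
            methods = list(data[2:])
            return ProbeInfo("socks5-greeting", detail={"methods": methods, "no_auth_offered": 0x00 in methods})
        # SOCKS5 request (sent after the greeting): VER=5, CMD, RSV=0, ATYP, DST.ADDR, DST.PORT
        if len(data) >= 4 and data[2] == 0x00:
            cmd, atyp = data[1], data[3]
            if atyp == 0x01 and len(data) >= 10:                                  # IPv4 address
                host, port = _ipv4(data[4:8]), struct.unpack("!H", data[8:10])[0]
            elif atyp == 0x03 and len(data) >= 5 and len(data) >= 7 + data[4]:    # domain name
                n = data[4]
                host = data[5:5 + n].decode("ascii", "replace")
                port = struct.unpack("!H", data[5 + n:7 + n])[0]
            else:
                return ProbeInfo("socks5-connect", detail={"command": cmd, "atyp": atyp})
            return ProbeInfo("socks5-connect", host, port, {"command": cmd, "atyp": atyp})

    # Anything else: try to read an HTTP request line ("METHOD target HTTP/x.y")
    try:
        request_line = data.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii")
    except UnicodeDecodeError:
        return ProbeInfo("unknown")
    parts = request_line.split(" ")
    if len(parts) == 3 and parts[2].startswith("HTTP/"):
        method, target = parts[0], parts[1]
        # HTTP CONNECT: "CONNECT host:port HTTP/1.x" asks for a raw tunnel to host:port
        if method == "CONNECT":
            host, _, port = target.rpartition(":")
            if port.isdigit():
                return ProbeInfo("http-connect", host, int(port), {"version": parts[2]})
        # HTTP proxy request: an absolute URL in the request line instead of a path
        if target.startswith("http://"):
            hostport = target[len("http://"):].split("/", 1)[0]
            host, _, port = hostport.partition(":")
            return ProbeInfo("http-proxy", host, int(port) if port.isdigit() else 80, {"method": method})
    return ProbeInfo("unknown")


# Constructed sample probes, modelled on the transcripts later on this page.
SAMPLE_PROBES = {
    "socks4": b"\x04\x01\x00\x19" + bytes([194, 67, 23, 20]) + b"tester\x00",
    "socks5-greeting": b"\x05\x01\x00",
    "socks5-connect": b"\x05\x01\x00\x01" + bytes([194, 67, 23, 20]) + b"\x00\x19",
    "http-connect": b"CONNECT mxs.mail.ru:25 HTTP/1.1\r\n\r\n",
    "http-proxy": b"GET http://www.checker.freeproxy.ru/anonymous/anonshow.php HTTP/1.0\r\n"
                  b"Host: www.checker.freeproxy.ru\r\n\r\n",
    "plain-http": b"GET /index.html HTTP/1.0\r\n\r\n",   # an ordinary (non-proxy) request, for contrast
}

if __name__ == "__main__":
    for name, raw in SAMPLE_PROBES.items():
        print(f"{name:16} -> {classify_proxy_probe(raw)}")
```

Because a SOCKS5 client sends the greeting and the request as two separate writes, a real listener has to answer the greeting (method 0x00) before it ever sees the destination; the classifier therefore reports the two stages separately rather than pretending to see both in one read.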

Finding Proxy Servers

Finding proxy servers could not be easier.
There are numerous web sites that provide lists of proxy IP/port addresses (just type "proxy list" into Google). Some of these lists are free and others charge for the best lists, as part of the support industry that has built up around spam.

For the owners of these lists and people who want to do it themselves there are a number of tools available for the job. The most basic of these is a scanner which looks for open ports where proxies can be found; e.g. 1080, 3128 and 8080.

Once a proxy server has been located, it needs to be tested to ensure it allows access for the type of connection desired and to ensure it provides anonymity.

Testing Proxy Servers

The following example proxy tests demonstrate a range of different techniques for testing proxy servers.

Each example consists of two sets of data:

  • Data sent by the tester to the open proxy
  • Data returned by the open proxy

Example Index

  1. www.checker.freeproxy.ru - HTTP Proxy
  2. www.checker.freeproxy.ru - HTTP CONNECT
  3. www.checker.freeproxy.ru - SOCKS4
  4. www.checker.freeproxy.ru - SOCKS5
  5. defcon - HTTP Proxy
  6. defcon - SOCKS4
  7. blackcode - HTTP Proxy
  8. Honeypot Hunter - SOCKS
  9. adults-host - HTTP Proxy
  10. overture - HTTP Proxy
  11. SMTP - SOCKS4
  12. pxytest SMTP test - HTTP CONNECT

The Examples


Example 1 - www.checker.freeproxy.ru - HTTP Proxy

This online checker looks for the extra headers that some proxies insert to identify the proxy client.
The absence of these headers qualifies a proxy for elite status.

Data sent by the tester to the open proxy:
GET http://www.checker.freeproxy.ru/anonymous/anonshow.php HTTP/1.0
Host: www.checker.freeproxy.ru
Accept: *.*, */*

Data returned by the open proxy:
HTTP/1.1 200 OK
Date: Mon, 12 Jan 2004 17:59:55 GMT
Server: Apache/1.3.29 (Unix) FrontPage/5.0.2.2623 mod_ssl/2.8.16 OpenSSL/0.9.7c rus/PL30.18
X-Powered-By: PHP/4.3.4
Connection: close
Content-Type: text/html

<pre>
< !--
Mikhed Alexander :

<h2>Proxy not detected</h2>HTTP_X_FORWARDED_FOR =
HTTP_VIA =
HTTP_FORWARDED =
HTTP_X_IWPROXY_NESTING =
HTTP_PROXY_CONNECTION =
HTTP_CLIENT_IP =
HTTP_X_AZC_REMOTE_ADDR =
HTTP_X_BLUECOAT_VIA =
HTTP_X_LOCKING =
HTTP_MAX_FORWARDS =
HTTP_CACHE_INFO =
HTTP_X_CISCO_BBSM_CLIENTIP =
HTTP_10_0_0_0 =
HTTP_PROXY_AGENT =
HTTP_X_ORIG_CLIENT =
HTTP_X_SINA_PROXYUSER =
HTTP_XXX_REAL_IP =
HTTP_SP_HOST =
HTTP_X_REMOTE_ADDR =
HTTP_RLNCLIENTIPADDR =
HTTP_REMOTE_HOST_WP =
HTTP_CLIENTADDRESS =
HTTP_CLIENT_ADDRESS =
HTTP_X_ORIGINAL_HOST =
HTTP_X_ORIGINAL_REMOTE_ADDR =



_SERVER
Array
(
)

_ENV
Array
(
)

REMOTE_ADDR=88.88.88.88
-->
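The checker's verdict is decided entirely by the request headers that arrive at the web server, so the same grading can be done server-side from a raw request. The code below is an added example for this page, not KFSensor code or the freeproxy.ru script; the header list is the one the checker dumps above (CGI name HTTP_X_FORWARDED_FOR corresponds to the header X-Forwarded-For), the three sample requests are constructed, and 198.51.100.23 stands in for the tester's real address that the proxy is hiding. The labels "transparent" and "anonymous" for the two non-elite outcomes are the conventional ones and are not used on this page.

```python
import re
from typing import Dict, List, Tuple

# Headers a proxy may insert, taken from the HTTP_* variables the checker dumps above.
PROXY_HEADERS = [
    "x-forwarded-for", "via", "forwarded", "x-iwproxy-nesting", "proxy-connection",
    "client-ip", "x-azc-remote-addr", "x-bluecoat-via", "x-locking", "max-forwards",
    "cache-info", "x-cisco-bbsm-clientip", "proxy-agent", "x-orig-client",
    "x-sina-proxyuser", "xxx-real-ip", "sp-host", "x-remote-addr", "rlnclientipaddr",
    "remote-host-wp", "clientaddress", "client-address", "x-original-host",
    "x-original-remote-addr",
]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_request(raw: str) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw HTTP request into its request line and a lower-cased header map."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line.strip():          # the blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def classify_anonymity(raw_request: str, client_ip: str) -> dict:
    """
    Grade a request the way the checker does, from the server's point of view.
      transparent - a proxy header carries the real client's IP address
      anonymous   - proxy headers are present but the client's IP is not exposed
      elite       - none of the proxy-identifying headers is present
    client_ip is the address the proxy is supposed to be hiding (the tester's own IP).
    """
    _, headers = parse_request(raw_request)
    present = {h: headers[h] for h in PROXY_HEADERS if h in headers}
    leaking = [h for h, values in present.items()
               if any(client_ip in IPV4.findall(v) for v in values)]
    if leaking:
        level = "transparent"
    elif present:
        level = "anonymous"
    else:
        level = "elite"
    return {"level": level, "proxy_headers": present, "leaking_headers": leaking}


# Constructed requests: the first mirrors the one the checker received above; the other two
# show what a transparent and an anonymous proxy would have added on the way through.
CLIENT_IP = "198.51.100.23"          # constructed: the tester's real address behind the proxy
ELITE_REQUEST = ("GET http://www.checker.freeproxy.ru/anonymous/anonshow.php HTTP/1.0\r\n"
                 "Host: www.checker.freeproxy.ru\r\nAccept: *.*, */*\r\n\r\n")
TRANSPARENT_REQUEST = ELITE_REQUEST.replace(
    "\r\n\r\n", "\r\nX-Forwarded-For: 198.51.100.23\r\nVia: 1.0 proxy.example.invalid\r\n\r\n")
ANONYMOUS_REQUEST = ELITE_REQUEST.replace(
    "\r\n\r\n", "\r\nVia: 1.0 proxy.example.invalid\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("elite", ELITE_REQUEST), ("transparent", TRANSPARENT_REQUEST),
                      ("anonymous", ANONYMOUS_REQUEST)]:
        print(name, "->", classify_anonymity(req, CLIENT_IP))
```

One caveat when reusing the checker's list: Proxy-Connection and Max-Forwards are also sent by some browsers and clients themselves, so a request can fail the elite test without any proxy having touched it; a grader that cares about that distinction should weight those two headers lower than X-Forwarded-For or Via.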

Example 2 - www.checker.freeproxy.ru - HTTP CONNECT

The freeproxy.ru checker verifies that the proxy can connect to a remote SMTP server.

Data sent by the tester to the open proxy:
CONNECT mxs.mail.ru:25 HTTP/1.1

QUIT

Data returned by the open proxy:
HTTP/1.1 200 Connection Established

220 mail.ru ESMTP Mon, 19 Jan 2004 10:59:56 +0300

Example 3 - www.checker.freeproxy.ru - SOCKS4

The freeproxy.ru online checker verifies that the proxy can connect to a remote SMTP server.

Data sent by the tester to the open proxy:
SOCKS 4 Connect: 194.67.23.20:25 [mxs.mail.ru]

QUIT

Data returned by the open proxy:
SOCKS 4 Granted [0.0.0.0:0]

220 mail.ru ESMTP Mon, 19 Jan 2004 10:59:56 +0300

Example 4 - www.checker.freeproxy.ru - SOCKS5

The freeproxy.ru online checker verifies that the proxy can connect to a remote SMTP server.

Data sent by the tester to the open proxy:
SOCKS 5 Authenticate Request: No auth required

SOCKS 5 Connect: 194.67.23.20:25 [mxs.mail.ru]

QUIT

Data returned by the open proxy:
SOCKS 5 No auth required

SOCKS 5 Succeeded


220 mail.ru ESMTP Mon, 19 Jan 2004 10:59:56 +0300

Example 5 - defcon - HTTP Proxy

The defcon online checker uses a perl script to return the proxy's IP address.

Data sent by the tester to the open proxy:
GET http://sit0.com/py.php HTTP/1.1
Host: sit0.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Data returned by the open proxy:
HTTP/1.1 200 OK
Date: Mon, 12 Jan 2004 19:24:02 GMT
Server: Apache/1.3.29 (Unix) mod_ssl/2.8.16 OpenSSL/0.9.7a PHP/4.3.4
X-Powered-By: PHP/4.3.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 19 Jan 2004 09:24:02 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

48
ewa31#88.88.88.88###Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)#
0

Example 6 - defcon - SOCKS4

The defcon online checker uses a perl script to return the proxy's IP address.

Data sent by the tester to the open proxy:
SOCKS 4 Connect: 216.109.118.73:80 [p10.www.dcn.yahoo.com]

GET http://www.yahoo.com/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Data returned by the open proxy:
SOCKS 4 Granted [88.88.88.88:2758]

HTTP/1.1 400 Bad Request
Date: Mon, 12 Jan 2004 09:38:48 GMT
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

3de
<html><head><title>Yahoo! -
400 Bad Request

[Yahoo error message]

Example 7 - blackcode - HTTP Proxy

The blackcode online checker is the simplest of all: it merely tests that the proxy port is open, without sending any data.

Example 8 - Honeypot Hunter - SOCKS

Honeypot Hunter is a commercial proxy testing tool that is capable of detecting certain types of honeypot proxy servers.
The tool opens a connection back to its own IP address on port 25, which it uses to send an email to itself.

Data sent by the tester to the open proxy:
SOCKS 4 Connect: 192.168.2.10:25

HELO qgyrm.edu
MAIL FROM:
RCPT TO:
DATA
From:

Message-Id: <155901c3d911$7fe1ed10$5d7e0241@htdvqybem
Date: Mon, 12 Jan 2004 07:39:27 -0600
Subject: lpqyc th ruv
To:

Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

af ru v kvfl omkgkj nsscb v bb t uynecw rbmv wn xitcpppu l q ttduwxhe eb r bqkahki
kb qfci
.

Data returned by the open proxy:
SOCKS 4 Granted [192.168.2.9:3897]

220 qgyrm.edu (IMail 8.00 153-1) NT-ESMTP Server X1
250 hello qgyrm.edu
250 ok
250 ok its for

354 ok, send it; end with <CRLF>.<CRLF>
250 message queued [c6e3489b79ee04eb9e74a86da9de5a9b]

Example 9 - adults-host - HTTP Proxy

This site includes a Perl script that can be used for HTTP proxy testing.

Data sent by the tester to the open proxy:
GET http://www.adults-host.com/inc/trade/checkme.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; yie6_SBCDSL; sbcydsl 3.12; YComp 5.0.0.0; yplus 3.01)
Host: www.adults-host.com
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Referer: http://www.will-tester.com

Data returned by the open proxy:
HTTP/1.1 200 OK
Date: Sat, 10 Jan 2004 13:51:15 GMT
Server: Apache/1.3.28 (Unix) mod_gzip/1.3.26.1a mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.2 PHP/4.3.3 mod_ssl/2.8.15 OpenSSL/0.9.6b
Vary: Accept-Encoding
X-Powered-By: PHP/4.3.3
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

29
REMOTE_ADDR= 88.88.88.88 <br>HIDDEN<br>
0

Example 10 - overture - HTTP Proxy

One of the simplest and most effective tests of an HTTP proxy is to request a small file from a well-known web site.
This example requests a small GIF image from overture.

Data sent by the tester to the open proxy:
GET http://www.overture.com/images-affiliates/befree/ologo.gif HTTP/1.1
Referer: http://www.wallsofbelief.com/index.html
Accept: image/gif, image/jpeg, application/msword, */*
Accept-Language: en
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Pragma: no-cache
X-Forwarded-For: 12.148.57.216
Host: www.overture.com


Example 11 - SMTP - SOCKS4

If a hacker wants to use a proxy to attack SMTP servers, then a good test is to use the proxy to send a test email to their own throwaway email account.
The message contains the proxy server's IP address in encoded form.

Data sent by the tester to the open proxy:
SOCKS 4 Connect: 66.218.86.253:25 [mta-v21.mail.yahoo.com]

Helo Google.com
MAIL FROM:
RCPT TO:
DATA
From: "Jackson"
To:
Subject: John want you to call Jackson.
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: 7bit

Just wanted to remind you about our meeting at 1818187DD:1080:4 o'clock.Thanks, Rose

.
QUIT

Example 12 - pxytest SMTP test - HTTP CONNECT

pxytest is freely available for anyone to download and use.

Data sent by the tester to the open proxy:
CONNECT 200.226.132.20:25 HTTP/1.0

HELO malbicho
MAIL FROM:<info@hotmail.com>
RCPT TO:<nomames@ig.com.br>
DATA
To: nomames@ig.com.br
From: nomames@ig.com.br
Date: Sat, 12 Jan 2004 12:31:47 GMT
Message-Id: <pxytest-1074378707-26273@malbicho>
Sender: root@malbicho
Subject: open proxy test
X-Mailer: pxytest v1.36
X-Proxy-Spec: 88.88.88.88:8080/http-connect

This message is a test probe, passed through what appears to
be an open proxy.

This proxy test was initiated by <root@malbicho>.
Please contact that user if you have any questions about this test.

Proxy parameters:

Address: 88.88.88.88
Port: 8080
Type: http-connect

This test was performed with the "pxytest" program. For further
information see <http://www.unicom.com/sw/pxytest/>.
.
QUIT

Data returned by the open proxy:
HTTP/1.0 200 Connection Established

220 email-91.ig.com.br ESMTP
250 200.226.132.20 Hello [88.88.88.88]
250 2.1.0 info@hotmail.com....Sender OK
250 2.1.5 nomames@ig.com.br
354 Start mail input; end with .
250 2.6.0 <200Lvx4efKx00008432@200.226.132.20> Queued mail for delivery
250 2.0.0 OK
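Seen from the proxy honeypot's side, the SMTP tests in Examples 2-4, 8 and 12 share a handful of indicators: a tunnel to port 25 at all, a connect-and-QUIT with no mail, a connection back to the tester's own address, a message addressed from and to the same mailbox, and the explicit pxytest headers. The triage routine below is an added example for this page, not part of KFSensor; the session records are constructed from the transcripts above, and where the page does not show an address (the stripped From/To lines of Example 8) an example.invalid placeholder is used.

```python
import re
from typing import Dict, List

# Tell-tale header strings from the pxytest transcript on this page.
PXYTEST_MARKERS = (b"X-Mailer: pxytest", b"X-Proxy-Spec:")
# Message header lines "From:" / "To:" with an address somewhere on the line.
FROM_TO_RE = re.compile(rb"^(From|To):[^\r\n]*?([\w.+-]+@[\w.-]+)", re.IGNORECASE | re.MULTILINE)


def relay_probe_signals(session: dict) -> List[str]:
    """Return the indicators of a proxy relay test present in one captured session."""
    signals = []
    port, payload = session["dst_port"], session["payload"]
    if port == 25:
        signals.append("smtp-target")                       # tunnelling to an SMTP server at all
        if payload.strip().upper().startswith(b"QUIT"):
            signals.append("connect-and-quit")              # freeproxy.ru style: prove the tunnel, then leave
        if session["dst_host"] == session["src_ip"]:
            signals.append("connect-back-to-source")        # Honeypot Hunter style: mail to its own host
    if any(marker in payload for marker in PXYTEST_MARKERS):
        signals.append("pxytest-signature")
    addrs = {m.group(1).lower(): m.group(2).lower() for m in FROM_TO_RE.finditer(payload)}
    if b"from" in addrs and addrs.get(b"from") == addrs.get(b"to"):
        signals.append("mail-to-self")                      # tester mailing a mailbox it controls
    return sorted(signals)


def is_relay_probe(session: dict) -> bool:
    return bool(relay_probe_signals(session))


def triage(sessions: List[dict]) -> Dict[int, List[str]]:
    return {s["id"]: relay_probe_signals(s) for s in sessions}


# Constructed sessions modelled on the transcripts above (203.0.113.7 is a made-up tester address).
SESSIONS = [
    {"id": 1, "src_ip": "203.0.113.7", "dst_host": "194.67.23.20", "dst_port": 25,
     "payload": b"QUIT\r\n"},                                                   # Examples 2-4
    {"id": 2, "src_ip": "192.168.2.10", "dst_host": "192.168.2.10", "dst_port": 25,
     "payload": (b"HELO qgyrm.edu\r\nMAIL FROM:<hunter@example.invalid>\r\n"
                 b"RCPT TO:<hunter@example.invalid>\r\nDATA\r\n"
                 b"From: hunter@example.invalid\r\nTo: hunter@example.invalid\r\n"
                 b"Subject: lpqyc th ruv\r\n\r\naf ru v kvfl omkgkj\r\n.\r\n")},   # Example 8
    {"id": 3, "src_ip": "203.0.113.7", "dst_host": "200.226.132.20", "dst_port": 25,
     "payload": (b"HELO malbicho\r\nMAIL FROM:<info@hotmail.com>\r\nRCPT TO:<nomames@ig.com.br>\r\n"
                 b"DATA\r\nTo: nomames@ig.com.br\r\nFrom: nomames@ig.com.br\r\n"
                 b"Subject: open proxy test\r\nX-Mailer: pxytest v1.36\r\n"
                 b"X-Proxy-Spec: 88.88.88.88:8080/http-connect\r\n\r\n"
                 b"This message is a test probe.\r\n.\r\nQUIT\r\n")},            # Example 12
    {"id": 4, "src_ip": "203.0.113.7", "dst_host": "www.overture.com", "dst_port": 80,
     "payload": b"GET http://www.overture.com/images-affiliates/befree/ologo.gif HTTP/1.1\r\n\r\n"},  # Example 10
]

if __name__ == "__main__":
    for sid, sig in triage(SESSIONS).items():
        print(sid, sig or "no relay-test indicators")
```

The signals are deliberately reported separately rather than collapsed into one score: a connect-and-QUIT is what every list maintainer's checker does and so says little about intent, whereas the pxytest headers identify a specific tool and the connect-back pattern is what the page describes for Honeypot Hunter, which is the case a honeypot operator most wants to notice.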