InfoSec Notes

3128 - Proxy

Overview

TCP port 3128 is commonly used by web proxy servers such as Squid. A proxy server is a component that acts as an intermediary relay for clients accessing network resources: instead of connecting directly to the resource, the client sends its requests to the proxy server, which fulfils (or refuses) them and transmits the result back to the client.

Web proxies, also known as HTTP proxies, forward HTTP requests or raw TCP sessions. The latter are tunnelled using the CONNECT HTTP verb. As stated in the Squid documentation for CONNECT tunnels: "the proxy establishes a TCP connection to the specified server, responds with an HTTP 200 (Connection Established) response, and then shovels packets back and forth between the client and the server, without understanding or interpreting the tunneled traffic".

Open proxies

An open proxy is a proxy server that forwards requests from unauthenticated clients. It may be leveraged to access services exposed on the proxy server's loopback interface, or network resources that are otherwise inaccessible from the attacker's position.

Network enumeration

nmap can be used to scan the network for exposed proxy services:

nmap -v -p 3128 -sV -sC -oA nmap_proxy <RANGE | CIDR>

Open proxies detection

Multiple techniques may be used to detect open web proxies, each with its own advantages and disadvantages. The usage of some of the tools associated with each technique is detailed below.

Technique: attempt to access a well-known website through the proxy.
  Pros: only requires a single request.
  Cons: requires the proxy server to have Internet access; forwarding of internal traffic may be authorized while Internet-bound traffic is restricted.
  Possible tool(s): nmap's NSE script http-open-proxy (attempts to access www.google.com by default); masscan + Masscan-Proxies-Tester (attempts to access http://perdu.com by default). Detailed in the "Access attempt to a well known website" section below.

Technique: attempt to access localhost services (of the proxy server) through the proxy.
  Pros: a maximum of 65535 requests exhaustively covers every possible TCP service on the proxy server's loopback interface.
  Cons: forwarding to remote hosts may be authorized while access to the loopback interface is restricted.
  Possible tool(s): proxychains + nmap full TCP connect scan; Metasploit. Detailed in the "HTTP(S) proxy usage" section below.

Technique: attempt to access well-known ports / services (or all ports) of remote internal hosts.
  Pros: the more ports / hosts are scanned, the more thorough the approach.
  Cons: may require a tremendous amount of time depending on the number of ports / hosts scanned.
  Possible tool(s): proxychains + nmap full TCP connect scan. Detailed in the "HTTP(S) proxy usage" section below.

Access attempt to a well known website

nmap's NSE script http-open-proxy, or masscan followed by the Masscan-Proxies-Tester Python script, can be used to detect open proxy servers that can reach the Internet. Masscan-Proxies-Tester takes as input a masscan scan output in the List format (masscan's -oL option).

# Masscan-Proxies-Tester
masscan <IP | RANGE | CIDR | RANGES | etc.> -p <3128,8080,5555,8000 | PORTS> -oL <MASSCAN_OUTPUT_FILE>
# Parameters default: 10 threads, queue size of 10000, 6s timeout.
process.py [--thread=<THREAD_NUMBER>] -m <MASSCAN_OUTPUT_FILE>

# nmap's http-open-proxy.nse
nmap -v -sT -p <3128,8080,5555,8000 | PORTS> --script http-open-proxy.nse <IP | RANGE | CIDR | RANGES | etc.>
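The three detection techniques above, and the CONNECT tunnelling described in the overview, can be reproduced by hand with a few dozen lines of raw HTTP over a socket. The script below is an added example written for this note (it is not part of the original page, nor of nmap, masscan or Masscan-Proxies-Tester): it sends an absolute-URI GET through the proxy for the "well-known website" test, then issues CONNECT requests to loopback or internal ports and classifies the proxy's answer. The status-code interpretation (2xx tunnel up, 403 denied by ACL, 407 credentials wanted, 5xx destination allowed but unreachable) is the usual Squid behaviour and is an assumption for other proxy software; the probe URL and the command-line port list are placeholders.

```python
#!/usr/bin/env python3
"""Hand-rolled open-proxy checks over raw HTTP:
  * absolute-URI GET through the proxy   (the "well-known website" test)
  * CONNECT tunnels to loopback/internal ports (localhost / internal host tests),
    reading the tunnelled service's banner once the proxy answers 2xx.
Probe URL, timeouts and the port list are placeholders for this example."""
import socket
import sys

PROBE_URL = "http://perdu.com/"   # same default target as Masscan-Proxies-Tester
DEFAULT_TIMEOUT = 5.0


def build_get_request(url: str) -> bytes:
    """Proxy-style GET: the request line carries the absolute URI."""
    host = url.split("/", 3)[2]          # "http://host/..." -> "host"
    return (f"GET {url} HTTP/1.1\r\nHost: {host}\r\n"
            "User-Agent: proxy-check\r\nConnection: close\r\n\r\n").encode()


def build_connect_request(host: str, port: int) -> bytes:
    """CONNECT asks the proxy for a raw TCP tunnel to host:port."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()


def parse_status_line(response: bytes):
    """(code, reason) from the first response line, or None if it is not HTTP
    at all (e.g. the port turned out not to be a web proxy)."""
    parts = response.split(b"\r\n", 1)[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return None
    reason = parts[2].decode(errors="replace") if len(parts) == 3 else ""
    return int(parts[1]), reason


def classify_connect(response: bytes) -> str:
    """Interpret the proxy's answer to CONNECT (Squid-typical codes, assumed):
    2xx -> tunnel up, the destination port is open and reachable by the proxy
    403 -> ACL denied the destination; 407 -> proxy wants credentials
    5xx -> the proxy tried and failed (usually a closed port): the ACL allowed it."""
    parsed = parse_status_line(response)
    if parsed is None:
        return "not-http"
    code = parsed[0]
    if 200 <= code < 300:
        return "tunnel-established"
    if code == 407:
        return "auth-required"
    if code == 403:
        return "forbidden"
    if 500 <= code < 600:
        return "destination-unreachable"
    return f"other-{code}"


def tunnel_payload(raw: bytes) -> bytes:
    """Bytes that arrived after the proxy's response headers: tunnel data
    coalesced into the same TCP segment as the 200 (happens with chatty services)."""
    return raw.split(b"\r\n\r\n", 1)[1] if b"\r\n\r\n" in raw else b""


def probe_get(proxy: tuple, url: str = PROBE_URL, timeout: float = DEFAULT_TIMEOUT):
    """Single-request Internet check: the status line the proxy hands back."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(build_get_request(url))
        return parse_status_line(s.recv(4096))


def probe_connect(proxy: tuple, host: str, port: int,
                  timeout: float = DEFAULT_TIMEOUT, banner_bytes: int = 128):
    """CONNECT to host:port through the proxy; on 2xx, grab the service banner."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(build_connect_request(host, port))
        raw = s.recv(4096)
        verdict, banner = classify_connect(raw), b""
        if verdict == "tunnel-established":
            banner = tunnel_payload(raw)
            if not banner:
                try:
                    banner = s.recv(banner_bytes)   # SSH, SMTP, FTP... speak first
                except socket.timeout:
                    pass                             # HTTP-like services stay silent
        return verdict, banner


def scan_via_proxy(proxy: tuple, host: str, ports) -> dict:
    """Loopback (host="127.0.0.1") or internal-host port scan through the proxy."""
    results = {}
    for port in ports:
        try:
            results[port] = probe_connect(proxy, host, port)
        except OSError as exc:
            results[port] = (f"error-{type(exc).__name__}", b"")
    return results


if __name__ == "__main__":
    # usage: open_proxy_check.py <proxy_ip> [proxy_port] [target_host]
    proxy_addr = (sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 3128)
    target = sys.argv[3] if len(sys.argv) > 3 else "127.0.0.1"
    print("Internet via proxy:", probe_get(proxy_addr))
    for port, (verdict, banner) in scan_via_proxy(
            proxy_addr, target, (22, 25, 80, 443, 3128, 8080)).items():
        print(f"{target}:{port:<5} {verdict:<24} {banner[:60]!r}")
```

The useful detail over a plain "200 or not" check is the 403 versus 5xx distinction: a 403 on CONNECT to 127.0.0.1:22 means the ACL blocks loopback (try internal hosts instead), whereas a 503 means the proxy was allowed to try and the port is simply closed, so the same loopback sweep over all 65535 ports is worth finishing.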

HTTP(S) proxy usage

Tools may natively support specifying a proxy through which HTTP / HTTPS requests or TCP sessions are channelled. For tools that do not offer such a mechanism natively (such as nmap), proxychains can be used to force the TCP connections made by the given application through the specified proxy.

Note that a number of restrictions apply when conducting port scans through a proxy (only full TCP connect scans are possible, ICMP is not forwarded, etc.). Refer to the [General] Ports scan note for more information on how to conduct a port scan through a proxy server.

In addition to HTTP(S) proxies, proxychains also supports SOCKS4 / SOCKS5 and Tor proxies. For more information on SOCKS proxies, refer to the [General] Pivoting note.

# Specification of the HTTP/HTTPS proxy address in /etc/proxychains.conf, or in a configuration file passed to proxychains with the "-f" option.
[ProxyList]
<http | https> <PROXY_IP> <PROXY_PORT>

# Execution of commands through proxychains.
proxychains [...]

Metasploit's auxiliary/scanner/http/squid_pivot_scanning module can also be used to conduct network scans directly through an exposed Squid proxy:

msf> use auxiliary/scanner/http/squid_pivot_scanning

Last updated 3 years ago