# 3128 - Proxy ### Overview The `TCP` port 3128 is commonly used by web proxy servers, such as `Squid`. A proxy server is simply a component that acts as an intermediary relay for clients accessing network resources. Instead of connecting directly to the resource, the client makes requests to the proxy server that fulfil, or not, the requests and transmit the result back to the client. Web proxies, also known as HTTP proxies, forward `HTTP` requests or `TCP` sessions. The later are tunnelled using the `CONNECT` `HTTP` verb. As stated in the `Squid` documentation for `CONNECT` tunnel: "the proxy establishes a `TCP` connection to the specified server, responds with an `HTTP 200` (Connection Established) response, and then shovels packets back and forth between the client and the server, without understanding or interpreting the tunneled traffic". **Open proxies** An open proxy is a proxy server that will forward unauthenticated client's requests, which may be leveraged to access services exposed on the proxy server's loopback interface or network resources otherwise inaccessible. ### Network enumeration `nmap` can be used to scan the network for exposed Proxy services: ``` nmap -v -p 3128 -sV -sC -oA nmap_proxy ``` ### Open proxies detection Multiple techniques may be used to detect open web proxies, each one having its own advantages and disadvantages. The usage of some of the tools associated with each techniques is detailed below. | Description | Pros | Cons | Possible tool(s) | | -------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Attempt to access a well known website through the proxy. | Only requires a single request. |

Requires the proxy server to have Internet access.

Forwarding of internal traffic may be authorized while sending of Internet going traffic restricted.

|

nmap's NSE script http-open-proxy.
By default the script will attempt to access [www.google.com](http://www.google.com).

masscan + Masscan-Proxies-Tester.
By default the script will attempt to access .

Detailed in the "Access attempt to a well known website" section below.

| | Attempt to access localhost services (of the proxy server) through the proxy. | Requires a maximum of 65535 requests to exhaustively attempt to access every possible localhost `TCP` services. | Forwarding to remote hosts may be authorized while access to the loopback interface restricted. |

proxychains + nmap full TCP connect scan.

Metasploit.

Detailed in the "HTTP(S) proxy usage" section below.

| | Attempt to access well known ports / services (or all ports) of remote internal hosts. | The more ports / hosts are scanned, the more thorough the approach will be. | May requires a tremendous amount of time depending on the number of ports / hosts scanned. |

proxychains + nmap full TCP connect scan.

Detailed in the "HTTP(S) proxy usage" section below.

| **Access attempt to a well known website** The `nmap`'s `NSE` script `http-open-proxy` or `masscan` followed by `Masscan-Proxies-Tester` Python script can be used to detect open proxy servers that can reach the Internet. `Masscan-Proxies-Tester` takes as input a `masscan` scan output in the `List` format. ``` # Masscan-Proxies-Tester masscan -p <3128,8080,5555,8000 | PORTS> -oL # Parameters default: 10 threads, queue size of 10000, 6s timeout. process.py [--thread=] -m # nmap's http-open-proxy.nse nmap -v -sT -p <3128,8080,5555,8000 | PORTS> --script http-open-proxy.nse ``` ### HTTP(S) proxy usage Tools may natively support the specification of a proxy to channel `HTTP` / `HTTPS` requests or `TCP` sessions through a web proxy server. For tools that do not offer such mechanism natively (such as `nmap`), `proxychains` can be used to force the `TCP` connections made by the given application to pass through the specified proxy. Note that a number of restrictions apply when conducting ports scan through a proxy (usage of full `TCP` connections, no forwarding of `ICMP` requests, etc.). Refer to the `[General] Ports scan` note for more information on how to conduct a ports scan through a Proxy server. In additions to `HTTP(S)` proxies, `proxychains` also supports `SOCKS4` / `SOCKS5` and `TOR` proxies. For more information on `SOCKS` proxies, refer to the `[General] Pivoting` note. ``` # Specification of the HTTP/HTTPS proxy address in /etc/proxychains.conf or passed as argument to proxychains using the CLI "-f" option. [ProxyList] # Execution of commands through proxychains. proxychains [...] ``` The `Metasploit`'s `auxiliary/scanner/http/squid_pivot_scanning` module can also be used to directly conduct network scan through an exposed `Squid` proxy: ``` msf> use auxiliary/scanner/http/squid_pivot_scanning ```