Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Rogue activity methodology (was: Tool to find hidden web proxy server)
From: Chris Brenton <cbrenton () chrisbrenton org>
Date: Wed, 08 Sep 2004 01:51:35 -0400

Note to Moderator: 
It might be time to type 8 the list. My last post generated 20-30
bounces, out of office, and auto-spam filtering replies. :(

On Wed, 2004-09-08 at 00:25, Shashank Rai wrote:

Finally, a good assessment of the facts!! 

Thank you. :)

"scan your network, run nessus/nmap" or "mirror the ports on the
switch"..... really nice pieces of advice but how practical?? We don't
know what kind of network the guy is talking about.

That was my point and the reason for spawning this thread. Pen-testing
is all about methodology. If you don't have a good process down, you are
going to miss things. I think sometimes we fall back on the tools we are
familiar with as "crutches", rather than:

1) Assessing the facts
2) Establishing goals
3) _Then_ picking the best tools for the job

I obviously can't speak for anyone else that replied, but it *seemed*
like people were recommending nmap, Nessus, etc. simply because they are
great tools. Not necessarily because they were the best tools for the
task at hand. 

Agreed, Vinay should have supplied more information or at the least
replied to the various suggestions that have been given in the thread;
on how feasible these solutions are?

To be honest, in a way I'm glad he didn't because it gave us a chance to
see what direction people would run with the limited information he
provided. would be cool to get a response from Vinay at this point
however to see what worked for them. 

You still here Vinay???? ;-)

1) if PCs comprise of windows based systems, part of a domain, then as
domain admin, you can find what applications are installed by any user.

I thought of this as well. Certainly if the environment is doing some
form of regular audits the rogue software would stick out like a sore
thumb. The reason I didn't suggest this was because I assumed that if
Vinay had a base line of the desktops he would already know what is
"different" about the systems running the proxies and would not have
needed to ask. I totally agree however that this process would have
nixed the problem as soon as the first user tried to get away with it.

Preferably, have a policy on what users can do with their workstations
and impose it domain wide. And installing proxies or for that matter any
unauthorized software should be a big NO NO.

Again, totally agree. Another point I was not sure of is what level of
access he had to the desktop systems. He could be the only admin for the
entire network, or he could have a job title that lets him tweak the
firewall and nothing else. Its one of those unclear points that would
certainly change what options are available. 

2) Secondly, if you have a single point of exit from the corporate
network to the Internet (which i can safely assume, as you have
mentioned about the firewall having IP based access list), then as
suggested by Chris, sniff the traffic at the exit point. Look for proxy
give away like "X-FORWARDED-FOR".

As mentioned the only caveat with this method is a "really smart" user
may disable the tag. Still, its a *very* easy place to start as its a
single ngrep command and you can run the tool from Windows, Linux or

Look for traffic patterns: which of
the allowed IPs generates most HTTP traffic. Look at the patterns for a
day or so and then port scan the machines of the top 10 IPs.

I was banging my head on the desk when I read this earlier. I'm really
big on using traffic metrics for security analysis and *totally* missed
this as one of the possible options. True its possible to get false
positives (get one legit user cruising a few porn archives and they'll
skew the results ;-). As you said however if you pick on the top 10 or
so and pull metrics from an extended period of time, chances are you
will at lest pick off a few of them. Once you know what software is
running and where its listening, _now_ you can pull out nmap to check
the rest of the network as you have a specific target to go after. 


Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]