Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Rogue activity methodology (was: Tool to find hidden web proxy server)
From: Shashank Rai <shashrai () emirates net ae>
Date: Wed, 08 Sep 2004 08:25:25 +0400

On Sun, 2004-09-05 at 13:52, Chris Brenton wrote:
I have to say, I'm a bit surprised at how many people chimed in with
"scan your whole network". This seems like a lot of work (and traffic)
given the situation Vinay described. Just to go back over the "facts" he
has given us:

* Only certain IP's are permitted outbound HTTP access
* Suspects one or more of these IPs have setup a rogue proxy
* Unauthorized users may be accessing the Internet via the proxies
* Suspects the proxies are on a non-standard ports (implies he might
have already checked the standard ports)
* No indication if the internal network is switched or repeated
* No indication of the OS being used
* No indication of whether he has admin access to these systems
* No indication of how big the internal network may be
* No indication of how many systems are permitted outbound HTTP access

Finally, a good assessment of the facts!! 
"scan your network, run nessus/nmap" or "mirror the ports on the
switch"..... really nice pieces of advice but how practical?? We don't
know what kind of network the guy is talking about. The domain of the
original poster is "eil.co.in" ... well from what you can make out of
the company's website (www.engineersindia.com), the network might be
spread across the whole length and breadth of India!!! Agreed, Vinay
should have supplied more information or at the least replied to the
various suggestions that have been given in the thread; on how feasible
these solutions are?

IMHO, scanning the systems or sniffing for traffic within the network
can only work for a small organization. Catching the rouge proxy can be
done in two ways:

1) if PCs comprise of windows based systems, part of a domain, then as
domain admin, you can find what applications are installed by any user.
Preferably, have a policy on what users can do with their workstations
and impose it domain wide. And installing proxies or for that matter any
unauthorized software should be a big NO NO.

2) Secondly, if you have a single point of exit from the corporate
network to the Internet (which i can safely assume, as you have
mentioned about the firewall having IP based access list), then as
suggested by Chris, sniff the traffic at the exit point. Look for proxy
give away like "X-FORWARDED-FOR". Look for traffic patterns: which of
the allowed IPs generates most HTTP traffic. Look at the patterns for a
day or so and then port scan the machines of the top 10 IPs. Then again
if the IPs are given using DHCP, you'll have to make an extra effort in
co-relating the IPs with the workstations in order to limit your

unless of course port scanning your whole network with "version scan"
suits you :) .. BTW nmap 3.7 is *really* fast.

Shashank Rai
Network and Information Security Team,
Emirates Telecommunication Corporation,
Abu Dhabi, U.A.E.
Ph: +971-2-6182523   Office
    +971-50-6670648  Cell
GPG key:

Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]