Penetration Testing mailing list archives
Re: Rogue activity methodology (was: Tool to find hidden web proxyserver)
From: "Dejan Markovic" <dejanmarkovic () hotmail com>
Date: Thu, 9 Sep 2004 15:54:39 -0400
Hi Guys,

EtherApe (EtherMan) anyone...?

Regards,
Dan

----- Original Message -----
From: "Chris Brenton" <cbrenton () chrisbrenton org>
To: "Pen-Test Mailing List" <pen-test () securityfocus com>
Sent: Wednesday, September 08, 2004 1:51 AM
Subject: Re: Rogue activity methodology (was: Tool to find hidden web proxyserver)

Note to Moderator: It might be time to type 8 the list. My last post generated 20-30 bounces, out of office, and auto-spam filtering replies. :(

On Wed, 2004-09-08 at 00:25, Shashank Rai wrote:
> Finally, a good assessment of the facts!!
Thank you. :)
> "scan your network, run Nessus/nmap" or "mirror the ports on the switch"..... really nice pieces of advice, but how practical?? We don't know what kind of network the guy is talking about.
That was my point and the reason for spawning this thread. Pen-testing is all about methodology. If you don't have a good process down, you are going to miss things. I think sometimes we fall back on the tools we are familiar with as "crutches", rather than:

1) Assessing the facts
2) Establishing goals
3) _Then_ picking the best tools for the job

I obviously can't speak for anyone else that replied, but it *seemed* like people were recommending nmap, Nessus, etc. simply because they are great tools. Not necessarily because they were the best tools for the task at hand.
> Agreed. Vinay should have supplied more information, or at the least replied to the various suggestions that have been given in the thread on how feasible these solutions are.
To be honest, in a way I'm glad he didn't, because it gave us a chance to see what direction people would run with the limited information he provided. It would be cool to get a response from Vinay at this point, however, to see what worked for them. You still here Vinay???? ;-)
> 1) If the PCs are Windows-based systems that are part of a domain, then as domain admin you can find out what applications have been installed by any user.
I thought of this as well. Certainly if the environment is doing some form of regular audits, the rogue software would stick out like a sore thumb. The reason I didn't suggest this was because I assumed that if Vinay had a baseline of the desktops he would already know what is "different" about the systems running the proxies and would not have needed to ask. I totally agree, however, that this process would have nixed the problem as soon as the first user tried to get away with it.
> Preferably, have a policy on what users can do with their workstations and impose it domain-wide. Installing proxies, or for that matter any unauthorized software, should be a big NO NO.
Again, totally agree. Another point I was not sure of is what level of access he had to the desktop systems. He could be the only admin for the entire network, or he could have a job title that lets him tweak the firewall and nothing else. It's one of those unclear points that would certainly change what options are available.
> 2) Secondly, if you have a single point of exit from the corporate network to the Internet (which I can safely assume, as you have mentioned the firewall having an IP-based access list), then, as suggested by Chris, sniff the traffic at the exit point. Look for proxy giveaways like "X-FORWARDED-FOR".
As mentioned, the only caveat with this method is that a "really smart" user may disable the tag. Still, it's a *very* easy place to start, as it's a single ngrep command and you can run the tool from Windows, Linux or UNIX.
> Look for traffic patterns: which of the allowed IPs generates the most HTTP traffic. Look at the patterns for a day or so and then port scan the machines of the top 10 IPs.
I was banging my head on the desk when I read this earlier. I'm really big on using traffic metrics for security analysis and *totally* missed this as one of the possible options. True, it's possible to get false positives (get one legit user cruising a few porn archives and they'll skew the results ;-). As you said, however, if you pick on the top 10 or so and pull metrics from an extended period of time, chances are you will at least pick off a few of them. Once you know what software is running and where it's listening, _now_ you can pull out nmap to check the rest of the network, as you have a specific target to go after.

HTH,
Chris

------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Check out our Advanced Hacking course, learn to write exploits and attack security infrastructure. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization.
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------
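The two egress-side checks discussed in the exchange above (looking for proxy giveaway headers such as X-FORWARDED-FOR in sniffed traffic, and ranking the allowed IPs by HTTP volume over time before port scanning the top 10) can be written as a small piece of detection logic. The following Python is an added example and is not part of the original thread or the tools it names; it runs over a constructed set of captured HTTP requests, and the IP addresses, hostnames, byte counts, time window and the list of header names it treats as giveaways are assumptions chosen for illustration. It also exercises the caveat both posters raised: a proxy whose operator stripped the headers (10.1.1.9 here) shows up only in the volume ranking, and a single heavy legitimate browser (10.1.1.20) ranks alongside the proxies, so the ranking yields scan candidates rather than verdicts.

```python
"""Egress-side detection of rogue HTTP proxies (added example, constructed data).

1. Header giveaways: a forwarding proxy normally stamps the requests it
   relays with X-Forwarded-For and/or Via.  A plain browser behind it never
   sends those, so seeing them leave the network from an internal IP points
   at that IP running a proxy.  A user who disables the stamping evades this.
2. Volume ranking: a proxy serving several users emits more HTTP traffic than
   one desktop, so the top-N talkers over a long window are candidates for a
   targeted port scan.  Heavy legitimate users rank high too (false positives).
"""
from collections import defaultdict
from dataclasses import dataclass

# Header names a relaying proxy adds (RFC 7230 Via, RFC 7239 Forwarded, and
# the de facto X-Forwarded-For).  Assumed list; extend for other proxy software.
PROXY_HEADERS = ("x-forwarded-for", "via", "forwarded")


@dataclass
class HttpRequest:
    ts: int       # capture time in seconds (constructed)
    src: str      # internal source IP seen at the egress sniffer
    nbytes: int   # request size on the wire
    raw: str      # request line plus headers as captured


def parse_headers(raw: str) -> dict:
    """Return {lowercased header name: value} for a raw HTTP request.

    Header names are case-insensitive, so the thread's 'X-FORWARDED-FOR' and a
    proxy's 'X-Forwarded-For' must match alike.  Parsing stops at the blank
    line that ends the header block.
    """
    headers = {}
    for line in raw.split("\r\n")[1:]:   # skip the request line
        if line == "":
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def proxy_giveaways(requests):
    """Map each source IP to the sorted proxy headers it emitted, if any."""
    hits = defaultdict(set)
    for req in requests:
        hdrs = parse_headers(req.raw)
        hits_for_src = [h for h in PROXY_HEADERS if h in hdrs]
        if hits_for_src:
            hits[req.src].update(hits_for_src)
    return {ip: sorted(hs) for ip, hs in hits.items()}


def top_talkers(requests, n=10, since=0):
    """Rank internal IPs by HTTP bytes (then request count) seen since `since`."""
    stats = defaultdict(lambda: [0, 0])  # ip -> [bytes, requests]
    for req in requests:
        if req.ts >= since:
            stats[req.src][0] += req.nbytes
            stats[req.src][1] += 1
    ranked = sorted(stats.items(), key=lambda kv: (kv[1][0], kv[1][1]), reverse=True)
    return [(ip, b, c) for ip, (b, c) in ranked[:n]]


def candidates(requests, n=10):
    """Hosts to port-scan first: header hits united with the top-N talkers."""
    talkers = [ip for ip, _, _ in top_talkers(requests, n)]
    return sorted(set(proxy_giveaways(requests)) | set(talkers))


def _req(ts, src, host, extra=None, nbytes=600):
    """Build one constructed request record as a sniffer would hand it over."""
    lines = ["GET / HTTP/1.1", f"Host: {host}", "User-Agent: Mozilla/5.0 (constructed)"]
    lines += [f"{k}: {v}" for k, v in (extra or {}).items()]
    return HttpRequest(ts, src, nbytes, "\r\n".join(lines) + "\r\n\r\n")


SAMPLE = []   # constructed capture; all addresses and hosts are made up
# 10.1.1.5: naive proxy that stamps the real client into X-Forwarded-For
for i in range(40):
    SAMPLE.append(_req(1000 + i, "10.1.1.5", "www.example.com",
                       {"X-Forwarded-For": f"10.1.2.{10 + i % 4}", "Via": "1.1 proxy"}, 700))
# 10.1.1.9: proxy with the giveaway headers stripped; only its volume stands out
for i in range(60):
    SAMPLE.append(_req(1000 + i, "10.1.1.9", "www.example.org", None, 800))
# 10.1.1.20: one heavy legitimate browser; ranks high too (false positive)
for i in range(30):
    SAMPLE.append(_req(1000 + i, "10.1.1.20", "news.example.net", None, 650))
# 10.1.1.30: light user
for i in range(3):
    SAMPLE.append(_req(1000 + i, "10.1.1.30", "intranet.example.com", None, 500))

if __name__ == "__main__":
    print("header giveaways:", proxy_giveaways(SAMPLE))
    for ip, nbytes, count in top_talkers(SAMPLE, 3):
        print(f"{ip:12} {nbytes:7d} bytes {count:4d} requests")
    print("scan candidates:", candidates(SAMPLE, 3))
```

In a real engagement the `SAMPLE` list would be filled from the egress sniffer (for instance by parsing ngrep or tcpdump output at the point where the thread suggests a single ngrep command), and the time window passed as `since` would span the day or more the posters recommend, so that one burst from a legitimate user does not dominate the ranking.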
Current thread:
- RE: Tool to find hidden web proxy server, (continued)
- RE: Tool to find hidden web proxy server Jose Maria Lopez (Sep 07)
- RE: Tool to find hidden web proxy server okrehel (Sep 08)
- RE: Tool to find hidden web proxy server Jose Maria Lopez (Sep 08)
- RE: Tool to find hidden web proxy server Jose Maria Lopez (Sep 07)
- RE: Tool to find hidden web proxy server caleb . dods (Sep 03)
- RE: Tool to find hidden web proxy server caleb . dods (Sep 03)
- RE: Tool to find hidden web proxy server Christopher Adickes (Sep 04)
- RE: Tool to find hidden web proxy server Bénoni MARTIN (Sep 04)
- Rogue activity methodology (was: Tool to find hidden web proxy server) Chris Brenton (Sep 07)
- Re: Rogue activity methodology (was: Tool to find hidden web proxy server) Shashank Rai (Sep 08)
- Re: Rogue activity methodology (was: Tool to find hidden web proxy server) Chris Brenton (Sep 08)
- Re: Rogue activity methodology (was: Tool to find hidden web proxyserver) Dejan Markovic (Sep 09)
- Rogue activity methodology (was: Tool to find hidden web proxy server) Chris Brenton (Sep 07)