Chaining through proxies
Proxies, whilst being useless against a determined attacker, provide a generic level of security against stupid malware. An in-line IPS is able to stop known malware, leaving the proxy to provide a layer of security through obscurity: Internet access is unavailable through the default gateway.
Broadly the ones I've had to deal with fall into two different categories:
- Forefront Threat Management Gateway
- Something that smells like squid.
The second you'll come up against is something squid-based. Recently I came up against something that was using basic-auth but seemingly incompatible with the usual

export HTTP_PROXY=http://user:pass@mylittleproxy.contoso.com:8080

Polipo to the rescue. This tiny little tool is fantastic: blisteringly fast, IPv6 compatible, and deals with most rubbish regarding weird auth schemes that are basic (different realms and trying to shoehorn that into an existing app). The config is stupidly easy and it supports SOCKS.
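To make concrete what that one-line HTTP_PROXY setting actually does on the wire, and why a proxy that hands back several schemes and a realm can trip up clients that only understand the URL form, here is an added example (not the post's or Polipo's own code). It builds the CONNECT request a client sends to an authenticating proxy, parses a constructed 407 challenge, and picks the Basic scheme out of it. The proxy URL is the one from the post; the 407 response, the realm name and the default port are constructed for the example.

```python
import base64
import re
from urllib.parse import urlsplit

# Proxy URL in the shape the post uses; user and pass are placeholder values.
PROXY_URL = "http://user:pass@mylittleproxy.contoso.com:8080"

# Constructed 407 reply of the kind an enterprise proxy sends before it lets a
# CONNECT through: it offers two schemes, and the Basic one names a realm.
PROXY_407 = (
    b"HTTP/1.1 407 Proxy Authentication Required\r\n"
    b"Proxy-Authenticate: NTLM\r\n"
    b'Proxy-Authenticate: Basic realm="Corp Web Gateway"\r\n'
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_proxy_url(url):
    """Split scheme://user:pass@host:port, the shape HTTP_PROXY expects."""
    u = urlsplit(url)
    if u.scheme != "http" or not u.hostname:
        raise ValueError("expected an http://host[:port] proxy URL")
    return {
        "host": u.hostname,
        "port": u.port or 8080,  # assumed default when the URL carries no port
        "user": u.username,
        "password": u.password or "",
    }


def proxy_authorization(user, password):
    """Basic credentials are only base64-encoded: readable by anyone on the path to the proxy."""
    token = base64.b64encode(f"{user}:{password}".encode("latin-1")).decode("ascii")
    return f"Basic {token}"


def build_connect_request(proxy_url, target_host, target_port):
    """The CONNECT request a client sends to tunnel TLS through an authenticating proxy."""
    p = parse_proxy_url(proxy_url)
    lines = [
        f"CONNECT {target_host}:{target_port} HTTP/1.1",
        f"Host: {target_host}:{target_port}",
    ]
    if p["user"]:
        # Pre-emptive auth: what most clients do when user:pass sits in HTTP_PROXY.
        lines.append("Proxy-Authorization: " + proxy_authorization(p["user"], p["password"]))
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_auth_params(params):
    """Parse 'realm="x", charset=UTF-8' style parameters into a dict."""
    out = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]*))', params):
        out[key.lower()] = quoted or bare
    return out


def parse_proxy_challenge(response):
    """Return (status, [(scheme, params), ...]) from a proxy's response head."""
    head = response.partition(b"\r\n\r\n")[0].decode("latin-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    challenges = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "proxy-authenticate":
            scheme, _, params = value.strip().partition(" ")
            challenges.append((scheme, parse_auth_params(params)))
    return status, challenges


def answer_challenge(challenges, user, password):
    """Pick the Basic challenge if the proxy offers one; otherwise give up (None)."""
    for scheme, _params in challenges:
        if scheme.lower() == "basic":
            return proxy_authorization(user, password)
    return None


if __name__ == "__main__":
    print(build_connect_request(PROXY_URL, "example.org", 443))
    status, challenges = parse_proxy_challenge(PROXY_407)
    print(status, challenges)
    print(answer_challenge(challenges, "user", "pass"))
```

The point to take from it: the credentials in that environment variable leave the machine as base64, not encrypted, so anything that can see the hop to the proxy can recover them. A chaining proxy such as Polipo does the same pre-emptive Basic step upstream on the client's behalf (its parentProxy and parentAuthCredentials settings), which is why apps that cannot cope with a realm or a mixed-scheme challenge work once they only have to talk to it.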
Alma Mater (notes):
In trying to get this to work I tried using fiddler, burp and squid on windows.
Squid is a huge fuck-around for a quick and dirty "give me internet access" - it's not designed to be quick or easy in implementation. There are some proxy chaining features (cache_peer), but it's largely designed to deal with an upstream proxy of, say, an ISP rather than an enterprise's authenticated one. I found that even when passing the right credentials it has issues authenticating.
Burp works, but weird stuff starts happening when you are trying to connect to SSL services through it. Even with SSL bypass enabled, NSS knew something was up and terminated the connection (this is something I'll write about later; it's not the first time I've encountered it). When tunneling HTTP in bypass mode, Burp is stupidly slow and seriously not designed to be even a quick and easy proxy. I got a max of around 60kb/s.
I couldn't even get Fiddler to accept remote connections, but even if I did, I think I'd face similar issues to Burp (performance, and the fact it's designed to fuck with SSL means it can't help itself but screw around with frames).
In a later post I'll cover off a few of the tools I've used to prevent IPSs from identifying your proxied traffic.