Proxy scanning technique (Part I)
Network reconnaissance is the basic key to remote attacks. New scanning methods and techniques are developed all the time, by hats of every color. Each of these methods and techniques focuses on one or two features at the expense of others. Take for example the TCP connect scan, the most basic form of network reconnaissance, where a full connection is opened to each scanned port. Its main feature is that it is fully reliable; what it lacks is stealth, since it is easily detected by any IDS.

There are also scans such as the Null scan or the FIN scan that are stealthier than the half-open scan (also known as the SYN scan), but they cannot differentiate between open and filtered ports.

There are many techniques used to hide port scanning, such as the use of decoys, where the scan is replicated from spoofed IPs with the intent of confusing IDSs and administrators about which is the true source of the scan; or the use of fragmented packets, to bypass firewalls that don't reassemble fragments.

Introduction to the Proxy scanning method
Proxy scanning is a new scanning technique developed by the author of this article which focuses on two different features: firewall bypassing and blind TCP port scanning.

As its name implies, the proxy scanning method relies on the use of proxies. Even though the implementation this article is going to use only supports HTTP 1.x proxies, the method itself can also be used with other proxy types such as SOCKS.

The idea behind this scanning method resembles the FTP bounce attack, with the important difference that administrators all over the world have taken care to close that vulnerability, while the proxy scanning method is new and completely usable today.

Blind TCP port scanning
This feature of the proxy scanning method relies on the use of public or private proxies (see the “Introduction to proxies” inset). While the mechanism is very simple, it is also a very powerful way of scanning without sending a single packet from the true source to the target host or network.

The proxy scanning method simply connects to a standard HTTP proxy server and sends a GET request (or any other HTTP method) specifying as the web page to fetch a URI which points to the target IP and port. The request line is followed by an empty line, which terminates the HTTP request.
# nc proxy 8080
GET http://target:port/ HTTP/1.0

Listing 1. GET request to the proxy server

After this request is sent to the proxy server, if the proxy accepts communicating with an unauthenticated source and connecting to a non-standard HTTP port (see the “Finding proxies” inset), it will try to connect to the requested port on target (port 22 in the example). Now, from the proxy's point of view, this is a standard old-fashioned TCP full-connect scan: the target sends a SYN/ACK back if the port is open, a RST if the port is closed, and no packet at all if the port is filtered or the target is not reachable from the proxy's location.

502 Bad Gateway
The server, while acting as a gateway or proxy,
received an invalid response from the upstream server
it accessed in attempting to fulfill the request.
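From the proxy operator's side, the scan described above leaves a distinctive trace in the access log: one client fanning out across many destination ports on the same host, with most requests ending in a 502/504 gateway error because the upstream connect failed. The following script is an added example for this article, not part of the original post or of any proxy product. It parses Squid-style native access-log lines (the sample lines are constructed, not real traffic) and flags clients whose profile matches that pattern; the field layout, thresholds and function names are assumptions.

```python
"""Flag proxy clients whose request pattern looks like a blind TCP port scan relayed
through the proxy (added example; log lines below are constructed, not real traffic)."""
from collections import defaultdict
from urllib.parse import urlsplit

STANDARD_WEB_PORTS = {80, 443}
GATEWAY_ERRORS = {502, 503, 504}   # what the proxy returns when the upstream connect fails

# Constructed Squid native access.log sample (assumed field layout:
# time elapsed client action/status bytes method url ident hierarchy/peer type).
# 203.0.113.7 walks eight ports on one host; 203.0.113.9 is an ordinary browser.
SAMPLE_LOG = """\
1700000000.101     12 203.0.113.7 TCP_MISS/502 1432 GET http://198.51.100.20:21/ - HIER_DIRECT/198.51.100.20 text/html
1700000000.205     11 203.0.113.7 TCP_MISS/502 1432 GET http://198.51.100.20:22/ - HIER_DIRECT/198.51.100.20 text/html
1700000000.311     13 203.0.113.7 TCP_MISS/502 1432 GET http://198.51.100.20:23/ - HIER_DIRECT/198.51.100.20 text/html
1700000000.402     10 203.0.113.7 TCP_MISS/502 1432 GET http://198.51.100.20:25/ - HIER_DIRECT/198.51.100.20 text/html
1700000000.513     87 203.0.113.7 TCP_MISS/200 5120 GET http://198.51.100.20:80/ - HIER_DIRECT/198.51.100.20 text/html
1700000000.604   3002 203.0.113.7 TCP_MISS/504 1400 GET http://198.51.100.20:110/ - HIER_NONE/- text/html
1700000000.712   3001 203.0.113.7 TCP_MISS/504 1400 GET http://198.51.100.20:143/ - HIER_NONE/- text/html
1700000000.820     12 203.0.113.7 TCP_MISS/502 1432 GET http://198.51.100.20:3306/ - HIER_DIRECT/198.51.100.20 text/html
1700000001.001    140 203.0.113.9 TCP_MISS/200 23811 GET http://www.example.com/ - HIER_DIRECT/192.0.2.10 text/html
1700000001.220    310 203.0.113.9 TCP_TUNNEL/200 98213 CONNECT www.example.com:443 - HIER_DIRECT/192.0.2.10 -
1700000001.430     90 203.0.113.9 TCP_HIT/200 5211 GET http://www.example.com/logo.png - HIER_NONE/- image/png
"""


def parse_line(line):
    """Extract client, status, method, destination host and port from one log line.
    Returns None for lines that do not fit the layout."""
    parts = line.split()
    if len(parts) < 7:
        return None
    client = parts[2]
    try:
        status = int(parts[3].split("/")[-1])
    except ValueError:
        return None
    method, url = parts[5], parts[6]
    if method == "CONNECT":                     # CONNECT logs "host:port", not a URL
        host, _, port = url.rpartition(":")
        port = int(port) if port.isdigit() else 443
    else:
        u = urlsplit(url)
        host = u.hostname
        port = u.port or (443 if u.scheme == "https" else 80)
    return {"client": client, "status": status, "method": method,
            "host": host, "port": port}


def profile_clients(lines):
    """Aggregate per-client counters that a relayed port scan drives up."""
    profiles = defaultdict(lambda: {"requests": 0, "gateway_errors": 0,
                                    "hosts": set(), "nonstandard_ports": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        p = profiles[rec["client"]]
        p["requests"] += 1
        p["hosts"].add(rec["host"])
        if rec["status"] in GATEWAY_ERRORS:
            p["gateway_errors"] += 1
        if rec["port"] not in STANDARD_WEB_PORTS:
            p["nonstandard_ports"].add((rec["host"], rec["port"]))
    return profiles


def flag_scanners(lines, min_nonstandard_ports=5, min_error_ratio=0.5, min_requests=5):
    """Return {client: summary} for clients that match the relayed-scan pattern:
    many distinct non-web ports, or a high share of upstream-connect failures.
    Thresholds are assumptions to tune per environment."""
    findings = {}
    for client, p in profile_clients(lines).items():
        if p["requests"] < min_requests:
            continue
        ratio = p["gateway_errors"] / p["requests"]
        reasons = []
        if len(p["nonstandard_ports"]) >= min_nonstandard_ports:
            reasons.append("fan-out across %d non-web ports" % len(p["nonstandard_ports"]))
        if ratio >= min_error_ratio:
            reasons.append("%.0f%% of requests ended in a gateway error" % (ratio * 100))
        if reasons:
            findings[client] = {"requests": p["requests"],
                                "distinct_nonstandard_ports": len(p["nonstandard_ports"]),
                                "gateway_error_ratio": ratio,
                                "reasons": reasons}
    return findings


if __name__ == "__main__":
    for client, summary in flag_scanners(SAMPLE_LOG.splitlines()).items():
        print(client, "->", "; ".join(summary["reasons"]))
```

Run against the sample, only 203.0.113.7 is reported: seven distinct non-web ports and seven of eight requests ending in a gateway error. Keying the port set on (host, port) rather than port alone keeps a client that legitimately talks to many different services on many hosts from looking like a scan of one host, while a slow scan spread over hours still accumulates in the same counters if the lines are fed in over a long window.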

Chains

Even more secure blind TCP scanning is possible using a technique often referred to as “proxy chaining” or the “condon technique”. With this technique the attacker uses public or private proxies as hops to hide the real source of the connections.

Each hop added to the chain increases:
  • Security for the attacker;
  • Latency;
  • Throughput loss.
Each hop adds security for the attacker (security in the sense that the attack is not going to be traced back to him/her), since a connection that jumps around the world several times requires a lot of time, effort, money and resources to trace, and even with plenty of all of these the connection may be practically untraceable if the attacker chooses the proxies well (a dumb attacker would use a couple of proxies all within the target's country, while a smart one would accept waiting hours or days for a simple scan to complete while the packets bounce all over the world through different countries, preferably countries that don't maintain relations with the target's country).

With all this in mind, attackers decide how many hops to use according to the type of target. If an attacker is working against a dangerous or powerful target (say, a government agency or military force), most probably the attacker will use several hops, sacrificing latency and throughput for security's sake.

The theory on how to combine this technique with the proxy scanning technique is straightforward: instead of connecting directly to one proxy server, the attacker connects through n proxies in sequence, and the last proxy in the chain is the one the scan is launched from.

Not all proxies are good for this technique; luckily, finding valid proxies is not really hard. Proxies that can be used for this particular technique are HTTP proxies supporting the CONNECT method (see the “Connect method” inset) and SOCKS proxies. This article is going to focus on HTTP proxies with the CONNECT method.

When the attacker builds the chain, each node of the chain only knows about the previous and the next node, without knowing it is being used as part of a chain.

Given this, the real source of the attack is known only to the first node, and the target of the attack is known only to the last proxy.
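On the defending side, a proxy is only usable as a scanner (Listing 1) or as a chain hop if it accepts unauthenticated clients, opens connections to arbitrary ports, and honours CONNECT to ports other than 443. The policy model below is an added example, not part of the original article and not any product's configuration: the port allowlists, the `evaluate_request` helper and the sample requests are assumptions, with Squid's roughly equivalent ACL directives noted in comments. It decides each request before the proxy opens the upstream connection, so that both the Listing 1 request and a CONNECT to the next proxy in a chain are refused, and it also refuses destinations inside the proxy's own network, which the proxy can reach but the client could not.

```python
"""Request policy that closes the openings proxy scanning and proxy chaining depend on
(added example; an assumed hardening policy, not any product's configuration).
Squid's roughly equivalent directives are noted in comments."""
import ipaddress

# Tighter than Squid's default "acl Safe_ports", whose 1025-65535 range would still let a
# plain GET reach ports such as 3306 or 8080 (assumed policy choice).
ALLOWED_WEB_PORTS = {80, 443}
ALLOWED_CONNECT_PORTS = {443}        # Squid default: acl SSL_ports port 443 / deny CONNECT !SSL_ports
INTERNAL_NAMES = {"localhost"}


def is_internal_destination(host):
    """True when the literal destination is a non-public address (loopback, RFC 1918,
    link-local such as cloud metadata). Hostnames are not resolved here; a name that
    resolves to an internal address must be caught at resolution time as well."""
    if host.lower() in INTERNAL_NAMES:
        return True
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False


def evaluate_request(method, host, port, authenticated):
    """Decide one proxy request before any upstream connection is opened.
    Returns (decision, reason)."""
    if not authenticated:                                  # Squid: proxy_auth REQUIRED
        return ("deny", "unauthenticated client")
    if is_internal_destination(host):
        return ("deny", "destination %s is not a public address" % host)
    if method == "CONNECT":
        if port not in ALLOWED_CONNECT_PORTS:              # blocks chaining via CONNECT host:3128
            return ("deny", "CONNECT to non-TLS port %d" % port)
        return ("allow", "CONNECT to TLS port")
    if port not in ALLOWED_WEB_PORTS:                      # blocks GET http://target:22/
        return ("deny", "%s to non-web port %d" % (method, port))
    return ("allow", "web request")


# Constructed requests: the article's Listing 1, a chain hop, an internal probe, normal traffic.
SAMPLE_REQUESTS = [
    ("GET", "target.example", 22, True),
    ("CONNECT", "nexthop.example", 3128, True),
    ("GET", "169.254.169.254", 80, True),
    ("GET", "www.example.com", 80, False),
    ("CONNECT", "www.example.com", 443, True),
    ("GET", "www.example.com", 80, True),
]


def audit(requests=SAMPLE_REQUESTS):
    """Apply the policy to a list of requests; returns the list of decisions."""
    return [evaluate_request(*r)[0] for r in requests]


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print("%-7s %-20s %5d auth=%-5s -> %s (%s)" % (r + evaluate_request(*r)))
```

The order of the checks matters: authentication is tested first so that an open proxy cannot be enumerated for allowed ports at all, and the destination check runs before the method checks so that an internal address is refused whether it arrives as a GET or as a CONNECT. Only the last two sample requests are allowed; the first four cover, in turn, the Listing 1 scan request, a chain hop to another proxy's port, a probe of an address reachable only from the proxy, and an unauthenticated client.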

We will continue this article in the next post.