The Patsy Proxy


How to use systems not designed for use as proxies to pass traffic for you.

Published in: Technology
1. The Patsy Proxy: Getting Others To Do Your Dirty Work
2. Who we are
  • Jen Savage
    ◦ Software Developer
    ◦ @savagejen
  • Dan Crowley
    ◦ Managing Consultant at Trustwave SpiderLabs
    ◦ @dan_crowley
3. What is a patsy proxy?
  • Patsy (noun): A person who is easily taken advantage of
  • Proxy (noun): A person authorized to act on the behalf of another
  • A patsy proxy is anything that can be used to unwittingly perform an attack on the behalf of another.
4. Advantages of a patsy proxy
  • Proxy owner is unaware of proxy
  • Target is unaware that victim acts as proxy
    ◦ Not publicly listed as a proxy
    ◦ No traditional proxy service on victim
  • Logging unlikely
  • IP may be privileged
5. Disadvantages of a patsy proxy
  • Attack capabilities may be limited
    ◦ May be blind
    ◦ May change the traffic
    ◦ May have a time delay
    ◦ May pass only certain types of traffic
  • What is inside the black box?
    ◦ May be logged
6. On patsy limitations
  • Patsy only allows GET params
    ◦ Many applications accept POST params in GET
  • Patsy only makes HEAD requests
    ◦ Many applications process HEAD/GET the same
  • No data will be returned
  • DoS capability severely limited
  • Patsy is blind
    ◦ Many attacks can be launched blind
7. Malicious uses of a patsy proxy
8. Frame Someone
  • Post threats, harass people, etc.
  • Access illegal materials
  • Launch attacks
9. Anonymize an attack
  • Attack will trace back to the patsy
    ◦ Is the patsy logging?
  • Traditional attacks
    ◦ SQLi
    ◦ RFI
    ◦ DoS
10. Bypass IP address filtering
  • Evade IP blacklist
    ◦ IP ban
    ◦ Sites which disallow proxies
  • Exploit IP trust relationships
    ◦ Business partnerships
    ◦ Proxies usually disallow internal access
  • Not the case with unintentional proxying
11. Methods to achieve a patsy proxy
12. Automated Services
  • URL shorteners & un-shorteners
  • Web Spiders
  • Twitter bots
  • “Upload from URL” functionality
  • Webpage translation utilities
  • Link preview functionality
13. GOOGLE TRANSLATE: “Translate” a web page
14. FACEBOOK: Status update preview
15. Automated Services
  • Malware Scanning Utilities
  • Mail Gateway Scanners
    ◦ Thanks to Jcran for his Project Tuna data: tuna.pentestify.com/emails
  • Other
  • Good job Google on the Google Safe Browsing Database!
16. CLAMAV: In certain configurations, URLs in emails are checked for malware
17. GEOCITIES-IZER: Hack like it’s 1996
18. UNKNOWN MAIL GATEWAY AV: With ROT13 power
19. Traditional Vulns
  • XSS / HTML Injection
  • XML injection (XXE)
  • SQLi
  • RFI
20. Social Engineering
  • Worth mentioning
  • Not worth in-depth explanation
21. Could it be a vulnerability?
22. Recursive DoS
  • Point the patsy back at itself
  • Traffic amplification factor:
    ◦ MAX_URI / patsy URI length * 2
  • Tack a large resource onto the last iteration
  • 20 requests resulted in 30 minutes downtime
    ◦ Over the LAN!
23. RECURSIVE DOS: “If it’s stupid but it works, it isn’t stupid.” patsy.php contained fopen($_GET['site'], 'r');
24. WAF bypass
  • Recurse once
  • Double encode attack
  [diagram labels: Web Server, WAF, Mal]
25. DDoS through patsies
  • I have 2MB up
  • I have 30 patsies, each 15MB up
  • I have Python
  • By your powers combined…
  • …I AM CAPTAIN DOWNTIME
26. Access to Internal Networks
  • Modern proxies enforce boundaries between internal / external
  • Unintentional proxies may allow boundary violation
    ◦ http://patsy.com/?site=http://10.0.0.1/admin.htm
27. Conclusion
  • Attribution is Hard(er)
    ◦ An IP address is not a person
  • IP address filtering is ineffective
  • Think before generating traffic for users
  • User education is valuable for users, too
    ◦ Don’t Take Candy from Internet Strangers
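The talk's closing advice is "think before generating traffic for users", and slides 22, 23 and 26 show what goes wrong when a service does not: a fetcher built on nothing more than fopen($_GET['site'], 'r') will happily request its own URL again and again, or fetch http://10.0.0.1/admin.htm from inside the network. The following is an added example, not code from the talk or its authors, of the checks such a "fetch this URL for the user" feature should run before it makes any request: allowed schemes and default ports only, no credentials in the URL, no URLs that point back at the service itself, a length cap that bounds the self-recursion trick, and a rule that every address the host resolves to must be globally routable (loopback, RFC 1918, link-local, carrier-grade NAT, multicast and IPv4-mapped IPv6 forms are all refused). The hostnames patsy.example, www.example and internal.example, the addresses, and the fake resolver are constructed for the example; the real resolver is socket.getaddrinfo.

```python
"""Pre-flight checks for a service that fetches user-supplied URLs.

Added example; not code from the talk or its authors. Hostnames, addresses
and the fake resolver used in the demo are constructed for illustration.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
DEFAULT_PORTS = {"http": 80, "https": 443}
# Each nested "?site=" URL must fit inside the outer one, so capping the
# total length also caps how deep a "point the patsy at itself" chain can go.
MAX_URL_LENGTH = 2048


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    # Addresses the caller should connect to. Connecting to these pinned
    # addresses, rather than resolving the name a second time, stops the DNS
    # answer from changing between this check and the actual request.
    addresses: Tuple[str, ...] = ()


def system_resolver(host: str) -> List[str]:
    """Resolve a name with the OS resolver (real API; the demo injects a fake)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _unmap(ip):
    """Treat an IPv4-mapped IPv6 address (::ffff:a.b.c.d) as its IPv4 form."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def check_outbound_url(url: str, own_hosts: Iterable[str],
                       resolve: Callable[[str], List[str]] = system_resolver) -> Decision:
    """Decide whether the service may fetch `url` on a user's behalf."""
    if len(url) > MAX_URL_LENGTH:
        return Decision(False, "url too long")
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return Decision(False, "unparseable url")
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return Decision(False, f"scheme {scheme!r} not allowed")
    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        return Decision(False, "missing host")
    if parts.username or parts.password:
        return Decision(False, "credentials in url")
    if (port or DEFAULT_PORTS[scheme]) != DEFAULT_PORTS[scheme]:
        # Default port only: the feature must not become a way to reach
        # arbitrary listening services on other hosts.
        return Decision(False, "non-default port")
    if host.rstrip(".") in {h.lower().rstrip(".") for h in own_hosts}:
        return Decision(False, "url points back at this service")

    # The host is either an IP literal or a name that has to be resolved.
    try:
        candidates = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            candidates = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError):
            return Decision(False, "resolution failed")
    if not candidates:
        return Decision(False, "name resolved to nothing")

    # Every address must be globally routable unicast. ipaddress.is_global is
    # False for loopback, RFC 1918, link-local, 100.64/10, documentation and
    # reserved ranges; multicast needs its own check.
    pinned = []
    for ip in map(_unmap, candidates):
        if not ip.is_global or ip.is_multicast:
            return Decision(False, f"{ip} is not a public address")
        pinned.append(str(ip))
    return Decision(True, "ok", tuple(pinned))


if __name__ == "__main__":
    # Constructed demo: the resolver table stands in for DNS.
    fake_dns = {"internal.example": ["127.0.0.1"], "www.example": ["93.184.216.34"]}
    for u in ["http://10.0.0.1/admin.htm",
              "http://patsy.example/?site=http://patsy.example/",
              "http://internal.example/", "http://www.example/page"]:
        print(u, "->", check_outbound_url(u, ["patsy.example"], lambda h: fake_dns.get(h, [])))
```

A validated request should then be made to the pinned address with a redirect policy that re-runs the same check on every hop, a response-size limit and a timeout; otherwise a redirect or a slow, huge response reintroduces the internal-access and amplification problems the slides describe.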