|
|
| Line 1: |
Line 1: |
| − | {{expand}}
| |
| | | | |
| − | '''Proxy server''' is a server which services the requests of its clients by forwarding requests to other servers.
| |
| − |
| |
| − | == Overview ==
| |
| − |
| |
| − | Proxy servers are widely used by organizations and individuals for different purposes:
| |
| − |
| |
| − | * Internet sharing (like [[NAT]]);
| |
| − | * Traffic compression;
| |
| − | * Accelerating service requests by retrieving content from cache;
| |
| − | * and many others.
| |
| − |
| |
| − | Proxy servers are commonly used by individuals who wish to violate network policies.
| |
| − | * In China, proxy servers are commonly used by individuals to get around national connectivity policies. (User A can't reach website Z, but A can reach proxy server P which can reach website Z).
| |
| − | * Criminals frequently use proxy servers to hide the origin of their connections (User A connects to website Z through proxy server P; the packets appear to come from P, and not A).
| |
| − |
| |
| − | === HTTP proxies ===
| |
| − |
| |
| − | ''These proxy servers are using HTTP.''
| |
| − |
| |
| − | Example request (direct; with relative URI):
| |
| − | <pre>
| |
| − | GET / HTTP/1.1
| |
| − | Host: cryptome.org
| |
| − | User-Agent: Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.3) Gecko/20080528 Epiphany/2.22 Firefox/3.0
| |
| − | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
| |
| − | Accept-Encoding: gzip,deflate
| |
| − | Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
| |
| − | Keep-Alive: 300
| |
| − | Connection: keep-alive
| |
| − | If-Modified-Since: Tue, 14 Oct 2008 13:59:19 GMT
| |
| − | If-None-Match: "e01922-62e9-45937059ec2de"
| |
| − | Cache-Control: max-age=0
| |
| − | </pre>
| |
| − | Example request (using proxy; with absolute URI):
| |
| − | <pre>
| |
| − | GET http://cryptome.org/ HTTP/1.1
| |
| − | Host: cryptome.org
| |
| − | User-Agent: Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.3) Gecko/20080528 Epiphany/2.22 Firefox/3.0
| |
| − | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
| |
| − | Accept-Encoding: gzip,deflate
| |
| − | Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
| |
| − | Keep-Alive: 300
| |
| − | Proxy-Connection: keep-alive
| |
| − | If-Modified-Since: Tue, 14 Oct 2008 13:59:19 GMT
| |
| − | If-None-Match: "e01922-62e9-45937059ec2de"
| |
| − | Cache-Control: max-age=0
| |
| − | </pre>
| |
| − | ''Note:'' this HTTP request was intercepted on the way to proxy server.
| |
| − |
| |
| − | According to RFC 2068 (section 5.1.2):
| |
| − | <pre>
| |
| − | The absoluteURI form is required when the request is being made to a proxy.
| |
| − | </pre>
| |
| − | ''Note:'' proxy server will convert absolute URI to relative URI.
| |
| − |
| |
| − | === HTTPS proxies ===
| |
| − |
| |
| − | ''The same as above, but using HTTPS (HTTP over SSL/TLS).''
| |
| − |
| |
| − | Sometimes HTTP proxies that support CONNECT method are called ''"HTTPS proxies"''. These HTTP proxies can tunnel almost every TCP-based protocol.
| |
| − |
| |
| − | Example request:
| |
| − | <pre>
| |
| − | CONNECT home.netscape.com:443 HTTP/1.0
| |
| − | User-agent: Mozilla/1.1N
| |
| − | </pre>
| |
| − |
| |
| − | === SOCKS proxies ===
| |
| − |
| |
| − | SOCKS is an Internet protocol that allows client-server applications to transparently use the services of a network firewall.
| |
| − |
| |
| − | === Web proxies (CGI proxies) ===
| |
| − |
| |
| − | These are web sites that allow a user to access a site through them. They generally use PHP or CGI to implement the proxy functionality.
| |
| − |
| |
| − | Example GET request from [http://anonymouse.ws/ Anonymouse] (to a web server):
| |
| − | <pre>
| |
| − | GET / HTTP/1.0
| |
| − | Host: [scrubbed server host]:8080
| |
| − | User-Agent: http://Anonymouse.org/ (Unix)
| |
| − | Connection: keep-alive
| |
| − | </pre>
| |
| − |
| |
| − | Example GET request from [http://www.hidemyass.com/ HideMyAss.com]:
| |
| − | <pre>
| |
| − | GET / HTTP/1.0
| |
| − | Host: [scrubbed server host]:8080
| |
| − | User-Agent: Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.3) Gecko/20080528 Epiphany/2.22 Firefox/3.0
| |
| − | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
| |
| − | </pre>
| |
| − |
| |
| − | == Proxy detection ==
| |
| − |
| |
| − | === Server-side ===
| |
| − |
| |
| − | ==== New HTTP headers ====
| |
| − |
| |
| − | Some proxy servers add new HTTP headers to request, for example:
| |
| − | <pre>
| |
| − | GET / HTTP/1.1
| |
| − | Host: [scrubbed server host]:8080
| |
| − | Connection: keep-alive
| |
| − | Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, */*
| |
| − | Accept-Language: ru
| |
| − | UA-CPU: x86
| |
| − | Accept-Encoding: gzip, deflate
| |
| − | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506)
| |
| − | X-Forwarded-For: [scrubbed client real IP address]
| |
| − | Via: 1.1 proxy11 (NetCache NetApp/5.6.1D24)
| |
| − | </pre>
| |
| − |
| |
| − | ''Note:'' this HTTP request was received from a proxy server using [[netcat]].
| |
| − |
| |
| − | New HTTP headers are ''X-Forwarded-For'' and ''Via''.
| |
| − |
| |
| − | ==== Mixed HTTP headers ====
| |
| − |
| |
| − | Some proxy servers mix HTTP headers in the original request (see example above). [[Internet Explorer]] 7 puts ''Host'' and ''Connection'' headers at the end of request, not at the beginning.
| |
| − |
| |
| − | ==== Modified HTTP header values ====
| |
| − |
| |
| − | Some proxy servers modify HTTP headers replacing the original values (see example above). [[Internet Explorer]] 7 sends header ''Connection: Keep-Alive'', not ''Connection: keep-alive''.
| |
| − |
| |
| − | ==== [[OS fingerprinting]] and User-Agent ====
| |
| − |
| |
| − | The following ''User-Agent'' header was received by a web server (see example above):
| |
| − | <pre>
| |
| − | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506)
| |
| − | </pre>
| |
| − |
| |
| − | The request was generated by using [[Internet Explorer]] 7 (''MSIE 7.0'') on [[Windows]] Vista or [[Windows]] Server 2008 (''Windows NT 6.0'').
| |
| − | However, this connection was initiated with TCP SYN packet with following options:
| |
| − | <pre>
| |
| − | MSS
| |
| − | NOP
| |
| − | NOP
| |
| − | SACK permitted
| |
| − | NOP
| |
| − | Window scale
| |
| − | NOP
| |
| − | NOP
| |
| − | Timestamps
| |
| − | </pre>
| |
| − |
| |
| − | While [[Windows]] Vista commonly uses these options:
| |
| − | <pre>
| |
| − | MSS
| |
| − | NOP
| |
| − | Window scale
| |
| − | NOP
| |
| − | NOP
| |
| − | SACK permitted
| |
| − | </pre>
| |
| − |
| |
| − | This means that:
| |
| − |
| |
| − | * User-Agent header was forged;
| |
| − | * The request was sent using a proxy server with different [[OS]].
| |
| − |
| |
| − | ==== Other methods ====
| |
| − |
| |
| − | * Active detection: see [http://metasploit.com/research/projects/decloak/ Metasploit Decloaking Engine];
| |
| − | * Comparing source IP address with a list of known proxy servers.
| |
| − |
| |
| − | === On the way to proxy server ===
| |
| − |
| |
| − | ==== Absolute URI ====
| |
| − |
| |
| − | HTTP clients (such as web browsers) will only generate them in requests to proxies.
| |
| − |
| |
| − | ==== Other methods ====
| |
| − |
| |
| − | * Comparing destination IP address with a list of known proxy servers.
| |
| − |
| |
| − | [[Category:Anti-Forensics]]
| |
| − | [[Category:Network Forensics]]
| |
