I’ve been using nmap for close to ten years.
Recently, after installing the latest beta version, I decided to read the docs.
I was quite surprised to find that proxy-detecting code (both http and SOCKS) was available. Then I was somewhat disappointed that the method used was a bizarre scripting language nobody uses (Lua).
And when I finally tested the code out, I was incredibly unimpressed, especially with the SOCKS code. It does nothing more than request an http page from Google (terribly unoriginal).
I have an issue with that.
The reason I started looking at SOCKS proxies in the first place was that I discovered the vast majority of open port 1080 SOCKS proxies were improperly configured Microsoft ISA 2004/2006 (now known as Forefront TMG) boxes. That in itself is not unusual, as there are thousands of server room Trevors and study-at-home MCSE wannabes who have no clue what they’re doing.
The issue with SOCKS and ISA is that Microsoft despises SOCKS. And due to the architecture of ISA Server (since the 2004 version), ISA SOCKS can’t do any Web protocols (http, https, ftp) if you have the ISA Web proxy service enabled. So, requesting a Web page is bound to fail 99% of the time, making the Google Web page test an Instant FAIL. However, they fail distinctively, and the nmap SOCKS script fails to realize that.
True, ISA servers are not the only SOCKS servers on the Web, but they’re the lowest of the low-hanging fruit. They do have one major advantage: ISA servers do not log SOCKS traffic.
That’s pure, unadulterated anonymity, boys and girls!
The hard part, after finding an ISA SOCKS server open to the outside world, is to find a usable, non-Web port you can use. For that you have to get creative with a stable, public, SOCKS judge, which is something I have personally failed miserably at over the last two years of this project.
However, I am working on the SOCKS judge part. The best port to check is undoubtedly TCP 1935 (Flash server). There are thousands of them, all public. Ssh (TCP 22) is a good one as well. It’s easier to identify (the initial ssh handshake is 100% clear text), but much harder to find and generally better protected. TCP 53 (DNS zone transfer) probably has some good possibilities, but might raise too many red flags (still, it’s the SOCKS server owner’s problem – not yours). If and when the usual Web protocols (80, 443, 21) work, that’s just fine, but using SOCKS for Web browsing is a complete waste of a valuable resource.
I’ve only lightly browsed the nmap Lua SOCKS script but I’m certain I could adapt it to these methods.
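The per-destination check argued for above, written out as an added Python example (not code from nmap or from this post): instead of fetching a Google page through the proxy, it issues a SOCKS CONNECT toward a chosen port and records the proxy's reply code, so an administrator auditing an exposed ISA SOCKS listener from outside can see whether it relays, refuses by ruleset, or is not speaking SOCKS at all. Host names, ports and the reply bytes used for checking are constructed.

```python
import socket
import struct

# SOCKS5 reply codes from RFC 1928 and the classic SOCKS4 result codes.
SOCKS5_REPLY = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
                3: "network unreachable", 4: "host unreachable", 5: "connection refused",
                6: "TTL expired", 7: "command not supported", 8: "address type unsupported"}
SOCKS4_REPLY = {90: "granted", 91: "rejected or failed",
                92: "identd unreachable", 93: "identd user mismatch"}


def socks5_connect(host, port):
    """CONNECT request: VER=5, CMD=1, RSV=0, ATYP=3 (domain name), name, port."""
    name = host.encode()
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


def socks4_connect(ip, port, userid=b""):
    """CONNECT request: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL terminator."""
    return b"\x04\x01" + struct.pack("!H", port) + socket.inet_aton(ip) + userid + b"\x00"


def classify_socks5(reply):
    """Turn the first bytes of a SOCKS5 reply into (verdict, reason)."""
    if len(reply) < 2 or reply[0] != 5:
        return ("not-socks", "malformed or non-SOCKS5 reply")
    code = reply[1]
    verdict = "relay-open" if code == 0 else "relay-refused"
    return (verdict, SOCKS5_REPLY.get(code, "unknown code %d" % code))


def classify_socks4(reply):
    """Same for SOCKS4: the VN byte is 0 in replies, the CD byte carries the result."""
    if len(reply) < 2 or reply[0] != 0:
        return ("not-socks", "malformed or non-SOCKS4 reply")
    code = reply[1]
    verdict = "relay-open" if code == 90 else "relay-refused"
    return (verdict, SOCKS4_REPLY.get(code, "unknown code %d" % code))


def audit_socks5_port(proxy, target_host, target_port, timeout=5.0):
    """Ask the SOCKS5 listener at proxy=(host, port) to CONNECT to a destination
    and report how it answers; a ruleset refusal is a finding in its own right."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(b"\x05\x01\x00")          # greeting: offer method 0 (no auth) only
        if s.recv(2) != b"\x05\x00":         # listener wants auth or is not SOCKS5
            return ("relay-refused", "anonymous method not accepted")
        s.sendall(socks5_connect(target_host, target_port))
        return classify_socks5(s.recv(10))
```

Record the verdict per destination port rather than a single pass/fail, since a listener that refuses 80 and 443 by ruleset but grants 1935 or 22 is exactly the case the Google page test misses.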
Meanwhile, nmap has added some other useful techniques that I missed over the last few revisions. Notably, it can generate random IP addresses for scanning. Nice feature, although that’s not what I do, since I am loath to violate my ISP’s EULA.
Much.