The easiest server to check by hand, usually quite difficult to create by accident
(unless you are a Microsoft Windows user), and often the most difficult to find.
Checking the server by hand may be performed with 'telnet' (telnet.exe
for Microsoft users). The protocol is simple and described in full in
RFC 2616; here you can see the basics.
These are the simple rules:
First, the protocol is text based, so you can type requests and see responses.
Second, each request is terminated with a complete blank line.
Third, each request begins with a 'Method' (e.g. GET, POST, CONNECT).
A spammer generally uses only the CONNECT method, which takes the hostname and port as its argument (e.g. 'CONNECT myproxy.example.com:80 HTTP/1.0').
Following is an example of the CONNECT method, sent to a correctly configured proxy:
>>> $ telnet oblivion.its.uq.edu.au 8080
<<< Trying 130.102.152.116...
<<< Connected to oblivion.its.uq.edu.au.
<<< Escape character is '^]'.
>>> CONNECT smtp.uq.edu.au:25 HTTP/1.0
>>>
<<< HTTP/1.0 403 Forbidden
<<< Server: Squid/2.4.STABLE4
<<< Mime-Version: 1.0
<<< Date: Tue, 15 Oct 2002 00:24:57 GMT
<<< Content-Type: text/html
<<< Content-Length: 696
<<< Expires: Tue, 15 Oct 2002 00:24:57 GMT
<<< X-Squid-Error: ERR_ACCESS_DENIED 0
<<< X-Cache: MISS from oblivion
<<< Proxy-Connection: close
.
. HTML Cut for clarity.
.
<<< Connection closed by foreign host.
<<< $
Following is the same proxy server badly configured, and therefore open:
>>> $ telnet oblivion.its.uq.edu.au 8080
<<< Trying 130.102.152.116...
<<< Connected to oblivion.its.uq.edu.au.
<<< Escape character is '^]'.
>>> CONNECT smtp.uq.edu.au:25 HTTP/1.0
>>>
<<< HTTP/1.0 200 Connection established
<<<
<<< 220 bunyip.cc.uq.edu.au ESMTP Sendmail 8.9.3/8.9.3; Tue, 15 Oct 2002 10:46:23 (GMT)
>>> QUIT
<<< 221 bunyip.cc.uq.edu.au closing connection
<<< Connection closed by foreign host.
<<< $
As you can see, the banner of the target mailserver is clearly shown when the connection is successful. If the
mailserver is carefully chosen, this method can be used to 'compromise' the anti-relay rules of any company mailserver,
even if the mailserver is well administered.
In this case a Squid proxy server was used, and fortunately these servers are secure by default.
Unfortunately, however, there are a number of 'clueless' admins who continue to add lines like:
http_access allow all
above the line:
http_access deny CONNECT !SSL_ports
This allows anyone to connect to anything.
As proxies can talk to other proxies, in what is sometimes known as 'proxy chaining', all the world's best access control rules
are defeated by getting the proxy server to connect to itself on the localhost, and then getting it to connect to wherever
you want.
Proxy chaining is even more difficult to stop, as it is quite common for admins to wrongly trust the localhost and use it for testing. Consequently even lines such as:
are dangerous; this is particularly the case when the server is bound to all IP addresses.
Note: If you put your proxy server on port 80 and bind the server to all addresses, you should explicitly deny connections
from the localhost to anywhere.
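A minimal model of Squid's first-match http_access evaluation, added here as an example (it is not code from the page or from Squid itself), to show why the rule ordering above opens the proxy and how the corrected ordering, plus the localhost deny from the note, closes it. The SSL_ports membership (443 and 563) is assumed from the classic default squid.conf; the ACL names follow Squid's conventions and the requests are constructed.

```python
# Added example, not Squid's code: a tiny first-match model of http_access.
# Squid takes the first rule whose ACL elements all match; if no rule matches,
# the default is the opposite of the last rule's action.

SSL_PORTS = {443, 563}    # assumed: classic default 'acl SSL_ports port 443 563'

def acl_matches(name, req):
    """Evaluate one ACL token (with optional '!' negation) against a request."""
    negate = name.startswith("!")
    if negate:
        name = name[1:]
    table = {
        "all": True,
        "CONNECT": req["method"] == "CONNECT",
        "SSL_ports": req["port"] in SSL_PORTS,
        "localhost": req["src"] == "127.0.0.1",
    }
    return table[name] != negate

def http_access(rules, req):
    """Return 'allow' or 'deny' for req under a list of (action, [acls]) rules."""
    for action, acls in rules:
        if all(acl_matches(a, req) for a in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# The misconfiguration from the text: 'allow all' precedes the CONNECT restriction.
OPEN_RULES = [
    ("allow", ["all"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
]

# Corrected ordering, plus the explicit localhost deny the note asks for,
# which blocks the chaining trick of making the proxy connect to itself.
FIXED_RULES = [
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("deny", ["localhost"]),
    ("allow", ["all"]),
]

# Constructed requests: the CONNECT-to-port-25 probe from the telnet session,
# a normal HTTPS CONNECT that must keep working, and the same probe via loopback.
SMTP_PROBE = {"method": "CONNECT", "port": 25, "src": "198.51.100.7"}
HTTPS_CONNECT = {"method": "CONNECT", "port": 443, "src": "192.0.2.10"}
LOOPBACK_PROBE = {"method": "CONNECT", "port": 25, "src": "127.0.0.1"}

if __name__ == "__main__":
    for label, rules in (("open", OPEN_RULES), ("fixed", FIXED_RULES)):
        print(label, http_access(rules, SMTP_PROBE), http_access(rules, HTTPS_CONNECT))
```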
The Open SOCKS Proxy Server
This is probably the most difficult to check, though it may be the easiest to detect.
Detecting is easy, because the server nearly always listens on port 1080, regardless of version. That being said, it is likely that some of the
smarter admins put their SOCKS servers on other ports.
Checking is a bit more difficult as the protocol is binary. Next I will attempt to describe the protocol for checking in relatively simple terms.
Determining the version is simple for both SOCKS v4 and SOCKS v5 servers, and can be done with as little as a 3 byte packet.
Definition:
  Byte     1        2        3         4         ...  N
  Meaning  Version  Methods  Method 1  Method 2  ...  Method N

Example:
  Byte       1  2  3  4  5
  Suggested  5  3  0  1  2

The suggested packet to send will request a SOCKS v5 connection offering all three authentication methods (0 = No Auth, 1 = GSSAPI based Auth, 2 = Username/Password Auth).
The reply differs depending on the version, as detailed below:
Definition:
  Byte     1        2
  Meaning  Version  Method

Example:
  Byte   1  2
  Value  5  0
In the above example reply, the server is reporting that it may be used without authentication. For some people this indicates the server is Open; however, to check that it is truly Open, a proxied
connection needs to be initiated. The version test can only show that the server is closed: if it is closed, the second byte of the reply should be '255', indicating that no methods are
acceptable.
The following sections deal with version 4 and 5 servers.
Note: If a SOCKS v5 Methods request is sent to a version 4 proxy, the first byte will be returned as either a '0' (zero) or '4' (four) and the remaining bytes ignored.
SOCKS v4
Once you are sure you have a SOCKS v4 proxy server, you can send a request. The format is as follows:
Definition:
  Byte     VN       CD       DP                DIP                     UID       ......  NULL
  # Bytes  1        1        2                 4                       Variable          1
  Meaning  Version  Ignored  Destination Port  Destination IP Address  User ID   ......  NULL
Result Packet
Definition:
  Byte     VN       CD      DP                DIP
  # Bytes  1        1       2                 4
  Meaning  Version  Result  Destination Port  Destination IP Address
Result codes are in the 'CD' byte and are as follows:
90 - Request Granted
91 - Request Rejected or Failed
92 - Request Rejected because the SOCKS server cannot connect to the identd on the requester's machine/IP.
93 - Request Rejected because the request was from a UID not matching the UID reported by identd.
SOCKS v5
The SOCKS v5 protocol is described in full in RFC 1928. However, following is a simple description of the format
of a request packet and the associated result packet.
Note: SOCKS v5 requires the connection to start with the 'Method Request' packet described above. Following is the next part of the protocol, used once a version 5 server
is detected.
Definition:
  Byte     VN       CD       NULL      AT            DEST                 DP
  # Bytes  1        1        1         1             4                    2
  Meaning  Version  Command  Reserved  Address Type  Destination Address  Destination Port
Command should always be 1 for general use as this is 'Connect'.
Address type of 1 means the Destination Address is an IP address.
Result Packet
Definition:
  Byte     VN       CD
  # Bytes  1        1
  Meaning  Version  Result
Result codes are in the 'CD' byte and are as follows:
0 - Connection Succeeded
1 - General SOCKS server failure.
2 - Connection not allowed by Ruleset. (This is the only answer that should be seen if the server is secure)
3 - Network Unreachable.
4 - Host Unreachable.
5 - Connection Refused (from Host).
6 - TTL expired.
7 - Command not Supported.
8 - Address type not supported.
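The packet layouts from the SOCKS v4 and v5 tables above, written out as encoders and decoders so an administrator can unit-test the byte handling before running a self-check against their own proxy. This is an added example, not code from the page; it opens no sockets, the result-code tables are the ones listed above, and the CD value 1 in the v4 request (which the page marks as ignored) is the CONNECT command defined by the SOCKS4 protocol.

```python
# Added example, not the page's code: struct-based encoders/decoders for the
# SOCKS v4/v5 packets described above. No sockets are opened.
import socket
import struct

NO_AUTH, GSSAPI, USERPASS = 0, 1, 2          # v5 method codes from the text
V4_RESULTS = {90: "granted", 91: "rejected or failed",
              92: "rejected: identd unreachable", 93: "rejected: uid mismatch"}
V5_RESULTS = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable",
              5: "connection refused", 6: "TTL expired",
              7: "command not supported", 8: "address type not supported"}

def v5_method_request(methods=(NO_AUTH, GSSAPI, USERPASS)):
    """Version byte, number of methods, then one byte per offered method."""
    return bytes([5, len(methods), *methods])

def classify_method_reply(reply):
    """0 or 4 in byte 1 means a v4 server answered; 255 in byte 2 means closed."""
    if reply and reply[0] in (0, 4):
        return "socks4"
    if len(reply) < 2 or reply[0] != 5:
        return "unknown"
    if reply[1] == 255:
        return "v5 closed"
    return "v5 method %d" % reply[1]       # even 0 still needs a CONNECT test

def v4_connect_request(ip, port, uid=b""):
    """VN=4, CD=1, DP, DIP, UID, NULL. The page calls CD ignored; the SOCKS4
    protocol defines 1 as CONNECT, so that is what we send."""
    return struct.pack("!BBH4s", 4, 1, port, socket.inet_aton(ip)) + uid + b"\x00"

def parse_v4_reply(reply):
    """VN, CD (result), DP, DIP -> (code, meaning)."""
    vn, cd, dp, dip = struct.unpack("!BBH4s", reply[:8])
    return cd, V4_RESULTS.get(cd, "unknown")

def v5_connect_request(ip, port):
    """VN=5, CD=1 (CONNECT), reserved NULL, AT=1 (IPv4), DEST, DP."""
    return struct.pack("!BBBB4sH", 5, 1, 0, 1, socket.inet_aton(ip), port)

def parse_v5_reply(reply):
    """Only VN and CD are interpreted here; RFC 1928 appends a bound address."""
    return reply[1], V5_RESULTS.get(reply[1], "unknown")

def proxy_is_open(version, code):
    """Open means the proxied connection was granted (v4 90 or v5 0)."""
    return (version, code) in ((4, 90), (5, 0))
```

A v5 server that is properly restricted should answer the connect request with code 2 only, so anything else from `parse_v5_reply` on a server you believe is closed is worth investigating.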