KFSensor proxy server emulation

This section describes how and why proxy servers are exploited.

Proxy Servers

A proxy server acts as an intermediary between a client and an application server.

Proxy servers allow machines on an internal network to access the Internet, and properly configured they perform an important role within an organization's security infrastructure. However when they are badly configured and exploited they are of enormous benefit to illegitimate users.

For a hacker there are two main benefits of using a proxy server:

  • Firstly, a proxy server can enable access to machines that a hacker could not access directly. For example a proxy server could allow a hacker on the Internet to connect to a machine on an internal company network.
  • Secondly, a proxy server can provide anonymity to a hacker. It is this feature that is most prized by those with malicious intent. Of course proxy servers can log usage, but it is reasonable to assume that administrators who leave a proxy server unguarded are unlikely to monitor their logs.

If insecure proxy servers could be eliminated then the majority of hack attacks and spam would cease to be possible, as the user accounts of the perpetrators could be identified and closed down much faster.

Types of Proxy Server

There are many different types of proxy servers that can be exploited.
Some proxy servers are build specifically for the task, while others have proxy capabilities built in as a sub-set of their functionality.

The most important and commonly exploited proxy servers are:

  1. SOCKS - A generic proxy server designed for all types of TCP and UDP traffic. Originally it was a UNIX only system, but many Windows applications provide SOCKS support; most notably the infamous WinGate.
  2. SMTP Open Relay - An insecure SMTP server that has the ability to relay emails
  3. HTTP - HTTP servers can be used to relay HTTP requests to other HTTP servers, allowing anonymous surfing. The HTTP CONNECT request was introduced to allow access to HTTPS servers, but it can also be used to relay any type of traffic to any type of service.
  4. Trojans - Trojans, back doors and viruses often provide proxy functionality. Viruses have been written with the specific purpose of providing proxy functionality. These are the safest proxies of all for a hacker to use as they rarely contain logging functionality and the user is unaware of their presence.

It does not matter what type of proxy server is used. As long as it allows traffic to be relayed it can be exploited to the same effect.

To further guarantee anonymity, hackers often chain proxy server together to make their identification much harder.
For example a hacker could connect to a SubSeven trojan and request that it connects to a public SOCKS server which is then used to connect to a HTTP proxy, which will then be used to connect to the target server.

Attacks Using Proxy Servers

Proxy servers can be and are used to provide anonymity for any type of attack.
The most common attacks are as follows:

  1. Spam - Commercial bulk email is reliant on anonymous proxy servers.
    A single proxy server running on a home user's DSL connected PC can be used to deliver millions of spam emails in a single day.
  2. Anonymous surfing - Proxy servers can be used to surf the web anonymously. This can be of enormous benefit to people whose governments repress their basic freedoms. However, proxy servers are mostly used by people wanting to surf porn, or launch attacks on web servers.
  3. IRC - Hackers like to use proxies to hide their identities on IRC channels and to launch IRC bots which cannot be traced back to their owners.

Finding Proxy Servers

There are numerous web sites that provide lists of proxy IP/port addresses (just type "proxy list" into Google). Some of these lists are free and others charge for the best lists, as part of the support industry that has built up around spam.

For the owners of these lists and others there are a number of tools available for the job. The most basic of these is a scanner which looks for open ports where proxies can be found; e.g. 1080, 3128 and 8080.
There are also a number of websites that provide a free online proxy check.

Once a proxy server has been located, it needs to be tested to ensure it allows access to the type of connection desired and to ensure it provides anonymity.

After identification and testing the proxy server can then be exploited, or added to a list of vulnerable servers.

Examples of testing for open proxy servers can be found at this URL http://www.keyfocus.net/kfsensor/kb/openproxies.php

If a honeypot proxy server is to be effective then it must be able to fool the testing stage.
There are many approaches to testing proxy servers. In the hacker community a proxy is 'elite' if it provides fast access and total anonymity.
KFSensor implements several methods to ensure it passes many of these tests with an 'elite' rating.

What KFSensor can do

KFSensor can emulate several different types of proxy server:
  1. HTTP Proxy - see the Edit Sim Std Server - HTTP section.
  2. SOCKS Proxy - see the Edit Sim Std Server - SOCKS section.
  3. SMTP open relay server - see the Edit Sim Std Server - SMTP section.
  4. SubSeven trojan - see our website http://www.keyfocus.net/kfsensor/extras/.

As well as emulating the proxy server itself KFSensor can also emulate the services of a target server and handle proxy chaining requests.

For example an attacker can connect to KFSensor on port 8080 and request an HTTP CONNECT to a different machine's SOCKS server of 1080. Then ask the SOCKS server to connect to the attacker's target SMTP server and finally start pumping email through the SMTP server. All this is handled safely inside KFSensor without the attacker being aware that anything is amiss.

The SOCKS and HTTP proxy emulations have very similar configuration options and uses. These are described in detail in the next section - SOCKS and HTTP Proxy Configuration.

Join the fight against spam?

A correctly configured installation of KFSensor is a very effective weapon in the fight against spam.

By allowing spammers to use KFSensor to connect to emulations of the world's SMTP servers, KFSensor can prevent millions of spam messages being delivered each day.
It can also be used to identify the true location of spammers allowing them to be reported and have their Internet accounts cancelled.
Honeypots are increasingly being used for this purpose.

This functionality is completely optional and is not enabled by default.
KFSensor provides eight different levels of proxy emulation to allow you to select the one you are comfortable with running.

A word of warning

Before joining the fight against spam by running KFSensor's full proxy emulation, please consider the following:
  1. Spam is big business and honeypots threaten to make life a lot more difficult for those involved.
    There have already been cases of honeypots being attacked by spam gangs launching DDOS attacks.
    Is you network capable of taking such an attack?

  2. Spammers do not hold back from pumping as much spam through a proxy as they can get away with.
    While KFSensor provides ways to limit the amount of traffic it can still be considerable.
    Have you got the bandwidth to spare?

  3. The law in a few countries is only just starting to do something about spam, let alone considering the legality of honeypots used in this way.
    Fighting spam is clearly in the public interest and it is extremely unlikely that spammers would win a case against a honeypot owner that discards spam.
    However, are you happy with the legality of running a honeypot that discards spam?


  1. A non-static DSL or cable connection is perfect for fighting spam.
    The IP address cannot be traced back to your organization.
    A different IP address is provided every time a connection is made. This makes it impractical for spammers to blacklist the IP address or launch a DDOS attack. If this is attempted then reconnect to get a fresh IP and start again.
  2. The Internet is being constantly scanned for open proxy servers, so it is only a matter of time before a honeypot is detected and exploited. To speed things up, many proxy list web sites have a 'submit form' to allow their users to add proxy addresses. Volunteer your own. It might be worth using a proxy yourself to do this.

Next Read: SOCKS and HTTP Proxy Configuration

Related Topics

KFSensor On-Line Manual Contents