[IOML] Shell/Perl/Whatever script wanted
Dylan Smith
dyls at alioth.net
Thu Jul 21 08:42:00 BST 2005
On 21 Jul 2005, at 08:02, Simon Booth wrote:
> The reason that I want to be able to find an outward bound proxy is
> because I want to be able to get a reverse shell from the machine
> (using cryptcat and tunnelling it over HTTP using gnuhttptunnel).
> This I believe is the most sure-fire way of getting a connection out
> as whilst most companies block a lot of traffic they generally allow
> HTTP.
If they provide the ability to use HTTPS, you can do an HTTP CONNECT on
the proxy which will probably be nicer to use than encapsulating
everything in HTTP requests (since an HTTP CONNECT allows you to pass
traffic both ways completely unmolested; indeed, some ssh clients (see
PuTTY) actually incorporate this method of getting out via a web
proxy). You'll probably need to listen on port 443 on your end (most
proxies will restrict which ports you can HTTP CONNECT to). If you have
that ability you can just use SSH (set up an sshd on port 443 on your
machine, have the remote machine ssh in and use ssh port forwarding to
allow you to get back to the machine at the other end). If you're using
OpenSSH, you'll have to write a small program (you can do this in Perl,
and indeed there are examples on the internet) to do the actual HTTP
CONNECT, and then have ssh connect to this on localhost. You then get
your encrypted tunnel for free, as it were.
>
> One thing I guess I can't get around is if the client uses
> authentication on the proxy so obviously that is a scenario where they
> would have to provide some credentials, but, I'm not sure how
> mainstream that is.
In my experience of these things, if they do and they are using ISA
Server, since the authentication is proprietary and only supported by
Redmondware, they have to have a second unauthenticated proxy for other
programs (such as BACS processing or virus definition updates).
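A defender-side check for the CONNECT tunnelling the reply describes, added here as an example and not part of the thread: it audits Squid-style proxy access-log lines (constructed sample below), flagging CONNECT requests to ports outside the allowlist (the restriction the reply mentions) and CONNECT sessions that stay open far longer than any page load, which is what an interactive SSH-over-CONNECT session on port 443 looks like from the proxy's side. The log field layout and the ten-minute threshold are assumptions.

```python
"""Audit proxy access-log lines for suspicious HTTP CONNECT tunnels.

Added example, not code from the mailing-list thread. Assumes Squid native
log format; the sample lines and the thresholds are constructed for the demo.
"""
from dataclasses import dataclass

# Constructed sample in Squid native format:
# timestamp elapsed_ms client action/code bytes method URL ident hierarchy content
SAMPLE_LOG = """\
1121932920.101 412 10.0.0.5 TCP_TUNNEL/200 8420 CONNECT www.example.com:443 - HIER_DIRECT/192.0.2.10 -
1121932921.552 38 10.0.0.5 TCP_MISS/200 2210 GET http://www.example.com/ - HIER_DIRECT/192.0.2.10 text/html
1121932930.003 1500 10.0.0.7 TCP_TUNNEL/200 121020 CONNECT 198.51.100.23:443 - HIER_DIRECT/198.51.100.23 -
1121936530.003 3600000 10.0.0.7 TCP_TUNNEL/200 3400000 CONNECT 198.51.100.23:443 - HIER_DIRECT/198.51.100.23 -
1121932940.777 0 10.0.0.9 TCP_DENIED/403 0 CONNECT 203.0.113.5:22 - HIER_NONE/- -
"""

ALLOWED_CONNECT_PORTS = {443}        # what the proxy policy should permit
LONG_TUNNEL_MS = 10 * 60 * 1000      # assumption: a CONNECT open >10 min deserves a look


@dataclass
class Finding:
    client: str
    dest: str
    reason: str


def parse_line(line):
    """Return (client, status, elapsed_ms, method, url) or None if the line is malformed."""
    f = line.split()
    if len(f) < 7:
        return None
    return f[2], f[3], int(f[1]), f[5], f[6]


def audit_connect(log_text, allowed_ports=ALLOWED_CONNECT_PORTS, long_ms=LONG_TUNNEL_MS):
    """Flag CONNECTs to non-allowlisted ports and unusually long-lived CONNECT tunnels."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] != "CONNECT":
            continue
        client, status, elapsed, _, url = rec
        _, _, port = url.rpartition(":")
        port = int(port) if port.isdigit() else 0
        if port not in allowed_ports:
            # A denied attempt is still worth knowing about: a host is probing the restriction.
            verdict = "denied" if status.startswith("TCP_DENIED") else "ALLOWED"
            findings.append(Finding(client, url, f"CONNECT to non-allowlisted port {port} ({verdict})"))
        elif elapsed >= long_ms:
            findings.append(Finding(client, url, f"CONNECT tunnel open {elapsed // 60000} min"))
    return findings
```

Pair the long-tunnel heuristic with your own baseline of typical CONNECT durations before acting on it; a single threshold will not fit every proxy.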