The Open HTTP Proxy Server
The easiest server to check by hand, usually quite difficult to create by accident (unless you are a Microsoft Windows user), and often the most difficult to find.

Checking the server by hand may be performed with 'telnet' (telnet.exe for Microsoft users). The protocol is simple and is described in full in RFC 2616; the basics are given here.

These are the simple rules:
First, the protocol is text based, so you can type requests, and see responses.
Second, the requests are terminated with a complete blank line.
Third, each request begins with a 'Method' (e.g. GET, POST, CONNECT).

For a spammer only the CONNECT method is generally used; it takes the hostname and port as its arguments (e.g. 'CONNECT HTTP/1.0').

Following is an example of the CONNECT method, going to a correctly configured proxy:
>>>  $ telnet 8080
<<<  Trying
<<<  Connected to
<<<  Escape character is '^]'.
<<<  HTTP/1.0 403 Forbidden
<<<  Server: Squid/2.4.STABLE4
<<<  Mime-Version: 1.0
<<<  Date: Tue, 15 Oct 2002 00:24:57 GMT
<<<  Content-Type: text/html
<<<  Content-Length: 696
<<<  Expires: Tue, 15 Oct 2002 00:24:57 GMT
<<<  X-Squid-Error: ERR_ACCESS_DENIED 0
<<<  X-Cache: MISS from oblivion
<<<  Proxy-Connection: close

<<<  [HTML cut for clarity]
<<<  Connection closed by foreign host.
<<<  $ 

Following is the same proxy server, badly configured and therefore open:
>>>  $ telnet 8080
<<<  Trying
<<<  Connected to
<<<  Escape character is '^]'.
<<<  HTTP/1.0 200 Connection established
<<<  220 ESMTP Sendmail 8.9.3/8.9.3; Tue, 15 Oct 2002 10:46:23 (GMT)
>>>  QUIT
<<<  221 closing connection
<<<  Connection closed by foreign host.
<<<  $ 

As you can see, the banner of the target mail server is clearly shown when the connection succeeds. If the mail server is carefully chosen, this method can be used to 'compromise' the anti-relay rules of any company mail server, even one that is well administered.
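The check just performed by hand, as an added example that is not part of the original page: it sends the CONNECT request, reads the proxy's reply, and classifies it the way the two sessions above are read (200 and a following banner means the tunnel was built; 403 means the ACLs refused it). The replies are constructed replays of the sessions shown, the FakeProxy class stands in for a real socket so the script runs offline, and 'mail.example.test' is a placeholder destination.

```python
import re
import socket
from typing import Dict

# Constructed replays of the two telnet sessions shown above (the elided
# addresses are not reproduced; only the proxy's bytes are needed here).
CLOSED_PROXY_REPLY = (
    b"HTTP/1.0 403 Forbidden\r\n"
    b"Server: Squid/2.4.STABLE4\r\n"
    b"X-Squid-Error: ERR_ACCESS_DENIED 0\r\n"
    b"Proxy-Connection: close\r\n"
    b"\r\n"
    b"<html>error page cut for clarity</html>"
)
OPEN_PROXY_REPLY = (
    b"HTTP/1.0 200 Connection established\r\n"
    b"\r\n"
    b"220 ESMTP Sendmail 8.9.3/8.9.3; Tue, 15 Oct 2002 10:46:23 (GMT)\r\n"
)

STATUS_LINE = re.compile(rb"^HTTP/\d\.\d (\d{3})")


def build_connect_request(host: str, port: int) -> bytes:
    """The CONNECT request as typed into telnet: method, host:port, version, blank line."""
    return f"CONNECT {host}:{port} HTTP/1.0\r\n\r\n".encode("ascii")


def classify_connect_reply(raw: bytes) -> Dict[str, object]:
    """Split a proxy reply into status, headers and whatever followed the header block.

    200 means the proxy built the tunnel and anything after the blank line came from
    the destination (the SMTP banner in the session above). 403 (or 407, which asks
    for proxy credentials) is what a correctly configured proxy answers.
    """
    head, sep, tail = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    match = STATUS_LINE.match(lines[0])
    if not match:
        return {"verdict": "not-http", "status": None, "headers": {}, "after_headers": b""}
    status = int(match.group(1))
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("ascii", "replace")
    verdict = "open" if status == 200 else "closed" if status in (403, 407) else "unknown"
    return {"verdict": verdict, "status": status, "headers": headers,
            "after_headers": tail if sep else b""}


def check_connect(sock, target_host: str, target_port: int, limit: int = 4096) -> Dict[str, object]:
    """Run the by-hand check over any object with sendall() and recv().

    A socket.create_connection() result works against a proxy you administer;
    FakeProxy below replays the captured replies so the example runs offline.
    """
    sock.sendall(build_connect_request(target_host, target_port))
    buf = b""
    while b"\r\n\r\n" not in buf and len(buf) < limit:
        chunk = sock.recv(1024)
        if not chunk:
            break
        buf += chunk
    result = classify_connect_reply(buf)
    if result["verdict"] == "open" and not result["after_headers"]:
        try:
            # The destination's banner may arrive in a later segment than the 200 line.
            result["after_headers"] = sock.recv(1024)
        except (socket.timeout, OSError):
            pass
    return result


class FakeProxy:
    """Stand-in socket that replays one canned reply (constructed for this example)."""

    def __init__(self, reply: bytes):
        self.reply = reply
        self.sent = b""

    def sendall(self, data: bytes) -> None:
        self.sent += data

    def recv(self, size: int) -> bytes:
        chunk, self.reply = self.reply[:size], self.reply[size:]
        return chunk


def demo() -> Dict[str, Dict[str, object]]:
    """Both captured sessions run through the checker; 'mail.example.test' is a placeholder."""
    return {
        name: check_connect(FakeProxy(reply), "mail.example.test", 25)
        for name, reply in (("closed", CLOSED_PROXY_REPLY), ("open", OPEN_PROXY_REPLY))
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result["verdict"], result["status"], result["after_headers"][:40])
```

The verdict is taken from the status line, but the bytes after the blank line are kept too: on a closed proxy they are the error page, on an open one they are the destination's own banner, which is the evidence the text points to.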

In this case a Squid proxy server was used, and fortunately these servers are secure by default. Unfortunately, however, there are a number of 'clueless' administrators who continue to add lines like:
http_access allow all
above the line:
http_access deny CONNECT !SSL_ports
This allows anyone to connect to anything.

As proxies can talk to other proxies, in what is sometimes known as 'proxy chaining', all the world's best access control rules are defeated by getting the proxy server to connect to itself on the localhost and then getting it to connect wherever you want.

Proxy chaining is even more difficult to stop, as it is quite common for administrators to wrongly trust the localhost and use it for testing. Consequently even lines such as:
acl localhost src
acl myservers src
http_access allow localhost
http_access allow myservers
above the line:
http_access deny CONNECT !SSL_ports
are dangerous; this is particularly the case when the server is bound to all IP addresses.

Note: If you put your proxy server on port 80 and bind the server to all addresses, you should explicitly deny connections from the localhost to anywhere.
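As an added example (not from the original page or from the Squid project), here is the misordering described above beside an ordering that follows the note, in squid.conf syntax. Squid evaluates http_access lines top down and stops at the first match, so an 'allow' placed before the CONNECT denial makes that denial unreachable. The acl names SSL_ports, CONNECT, localhost and myservers are the ones used above; to_localhost, all, and the address ranges are assumed values chosen for this example.

```conf
# --- Dangerous: 'allow all' matches first, so the deny below it is never reached ---
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access allow all
http_access deny CONNECT !SSL_ports

# --- Ordering that follows the note above ---
acl SSL_ports port 443
acl CONNECT method CONNECT
# 127.0.0.1 and 192.0.2.0/24 are placeholder addresses for this example
acl localhost src 127.0.0.1/32
acl myservers src 192.0.2.0/24
# requests whose destination is this host itself (assumed acl name)
acl to_localhost dst 127.0.0.0/8
# 'all' is predefined in Squid 3.2 and later; older versions need the line
acl all src 0.0.0.0/0.0.0.0

# CONNECT is only ever allowed to SSL ports, and this is checked before any allow
http_access deny CONNECT !SSL_ports
# per the note: requests arriving from the localhost are denied outright,
# which removes the connect-to-itself chaining path
http_access deny localhost
# requests aimed at this host's own loopback are denied as well
http_access deny to_localhost
http_access allow myservers
# anything not explicitly allowed above is denied
http_access deny all
```

The difference between the two halves is purely ordering: the same deny line exists in both, but only in the second does it run before a matching allow.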

The Open SOCKS Proxy Server
This is probably the most difficult to check, though it may be the easiest to detect.

Detecting is easy, because the server nearly always listens on port 1080, regardless of version. That being said, it is likely that some of the smarter administrators put their SOCKS servers on other ports.

Checking is a bit more difficult, as the protocol is binary. Next I will attempt to describe the protocol for checking in relatively simple terms.
Determining the version is simple for both SOCKS v4 and SOCKS v5 servers, and can be done with as little as a 3-byte packet.
 Byte       1         2         3          4          .   N
 Meaning    Version   Methods   Method 1   Method 2   .   Method N

 Byte       1   2   3   4   5
 Suggested  5   3   0   1   2
The suggested packet to send will request a SOCKS v5 connection offering all three authentication methods (0 = No Auth, 1 = GSSAPI based Auth, 2 = Username/Password Auth).

The reply differs depending on the version, as detailed below:
 Byte     1         2
 Meaning  Version   Method

 Byte     1   2
 Value    5   0
In the above example reply, the server is reporting that it may be used without authentication. For some people this indicates the server is Open; however, to check that it is truly Open, a proxied connection needs to be initiated. The version test can only show that the server is closed: if closed, the second byte of the result should be '255' to indicate that no methods are appropriate.

The following sections deal with version 4 and 5 servers.

Note: If a SOCKS v5 Methods request is sent to a version 4 proxy, the first byte will be returned as either a '0' (zero) or '4' (four) and the remaining bytes ignored.


Once you are sure you have a SOCKS v4 proxy server you can send a request. The format is as follows:
 Byte      VN        CD        DP                 DIP                       UID        ......   NULL
 # Bytes   1         1         2                  4                         Variable            1
 Meaning   Version   Ignored   Destination Port   Destination IP Address    User ID    ......   NULL

Result Packet
 Byte      VN        CD       DP                 DIP
 # Bytes   1         1        2                  4
 Meaning   Version   Result   Destination Port   Destination IP Address
Result codes are in the 'CD' byte and are as follows:
90 - Request Granted
91 - Request Rejected or Failed
92 - Request Rejected because the SOCKS server cannot connect to the identd on the requester's machine/IP.
93 - Request Rejected because the request was from a UID not matching the UID that was reported by identd.


The SOCKS v5 protocol is described in full in RFC 1928. However, following is a simple description of the format of a request packet and the associated result packet.

Note: SOCKS v5 requires the connection to start with the 'Method Request' packet as described above. Following is the next part of the protocol when a version 5 server is detected.

 Byte      VN        CD        NULL       AT             DEST                  DP
 # Bytes   1         1         1          1              4                     2
 Meaning   Version   Command   Reserved   Address Type   Destination Address   Destination Port

Command should always be 1 for general use, as this is 'Connect'.
An Address Type of 1 means the Destination Address is an IP address.

Result Packet
 Byte      VN        CD
 # Bytes   1         1
 Meaning   Version   Result
Result codes are in the 'CD' byte and are as follows:
0 - Connection Succeeded
1 - General SOCKS server failure.
2 - Connection not allowed by Rule-set. (This is the only answer that should be seen if the server is secure)
3 - Network Unreachable.
4 - Host Unreachable.
5 - Connection Refused (from Host).
6 - TTL expired.
7 - Command not Supported.
8 - Address type not supported.
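The three packet layouts described in this section, as one added example that is not part of the original page: the v5 Method Request probe and the interpretation of its reply (including a v4 server answering it), the v4 request and result packet, and the v5 connect request and result packet, with the result codes from the two lists above. The functions only build and decode bytes, so a practitioner auditing their own server can feed them to a socket; the reply bytes at the bottom are constructed for the example, and 192.0.2.25 is a placeholder address.

```python
import ipaddress
import struct
from typing import Dict

# SOCKS v5 method codes from the text above; 255 means "no acceptable methods"
NO_AUTH, GSSAPI, USER_PASS, NO_ACCEPTABLE = 0, 1, 2, 255

SOCKS4_RESULTS = {
    90: "request granted",
    91: "request rejected or failed",
    92: "rejected: cannot connect to identd on the requester",
    93: "rejected: identd user id mismatch",
}
SOCKS5_RESULTS = {
    0: "connection succeeded", 1: "general SOCKS server failure",
    2: "connection not allowed by rule-set", 3: "network unreachable",
    4: "host unreachable", 5: "connection refused", 6: "TTL expired",
    7: "command not supported", 8: "address type not supported",
}


def socks5_method_request(methods=(NO_AUTH, GSSAPI, USER_PASS)) -> bytes:
    """Version, number of methods, then the method codes: the suggested 5 3 0 1 2 probe."""
    return bytes([5, len(methods), *methods])


def parse_method_reply(data: bytes) -> Dict[str, object]:
    """Work out from the first two reply bytes what kind of server answered the probe."""
    if len(data) < 2:
        return {"version": None, "state": "no-reply"}
    version, method = data[0], data[1]
    if version in (0, 4):
        # A v4 server answers with a 0 or 4 first byte and ignores the rest of the probe.
        return {"version": 4, "state": "socks4"}
    if version != 5:
        return {"version": version, "state": "not-socks"}
    if method == NO_ACCEPTABLE:
        return {"version": 5, "state": "closed", "method": method}
    # An accepted method only means a connect request may be attempted; it is not proof of openness.
    return {"version": 5, "state": "negotiable", "method": method}


def socks4_request(dest_ip: str, dest_port: int, user_id: str = "") -> bytes:
    """VN=4, CD=1 (the CONNECT command code of the SOCKS4 spec), port, IPv4, user id, NUL."""
    return (bytes([4, 1]) + struct.pack("!H", dest_port)
            + ipaddress.IPv4Address(dest_ip).packed + user_id.encode("ascii") + b"\x00")


def parse_socks4_reply(data: bytes) -> Dict[str, object]:
    """Eight-byte result: VN, CD result code, port, IPv4. Only 90 means the connection was made."""
    if len(data) < 8 or data[0] not in (0, 4):
        return {"state": "no-reply"}
    code = data[1]
    (port,) = struct.unpack("!H", data[2:4])
    return {"state": "open" if code == 90 else "closed", "code": code,
            "meaning": SOCKS4_RESULTS.get(code, "unknown"),
            "port": port, "ip": str(ipaddress.IPv4Address(data[4:8]))}


def socks5_connect_request(dest_ip: str, dest_port: int) -> bytes:
    """VN=5, CD=1 (Connect), reserved 0, AT=1 (IPv4), four address bytes, two port bytes."""
    return bytes([5, 1, 0, 1]) + ipaddress.IPv4Address(dest_ip).packed + struct.pack("!H", dest_port)


def parse_socks5_reply(data: bytes) -> Dict[str, object]:
    """Only VN and the result byte are inspected, as in the table above; trailing bytes are ignored."""
    if len(data) < 2 or data[0] != 5:
        return {"state": "no-reply"}
    code = data[1]
    return {"state": "open" if code == 0 else "closed", "code": code,
            "meaning": SOCKS5_RESULTS.get(code, "unknown")}


# Constructed replies standing in for servers at each stage of the check.
REPLY_FROM_V4_SERVER = b"\x00\x5b" + b"\x00" * 6      # a v4 server answering the v5 probe
REPLY_V5_NO_METHODS = b"\x05\xff"                     # v5 server, closed to us
REPLY_V5_NO_AUTH = b"\x05\x00"                        # v5 server willing to talk without auth
REPLY_V5_RULESET_DENY = b"\x05\x02\x00\x01" + b"\x00" * 6
REPLY_V4_GRANTED = b"\x00\x5a" + struct.pack("!H", 25) + ipaddress.IPv4Address("192.0.2.25").packed


def demo() -> Dict[str, str]:
    """Classify each constructed reply; returns the state per stage for inspection."""
    return {
        "v4 server probed": parse_method_reply(REPLY_FROM_V4_SERVER)["state"],
        "v5 closed": parse_method_reply(REPLY_V5_NO_METHODS)["state"],
        "v5 negotiable": parse_method_reply(REPLY_V5_NO_AUTH)["state"],
        "v5 connect denied by rules": parse_socks5_reply(REPLY_V5_RULESET_DENY)["meaning"],
        "v4 connect granted": parse_socks4_reply(REPLY_V4_GRANTED)["state"],
    }


if __name__ == "__main__":
    for stage, state in demo().items():
        print(f"{stage}: {state}")
```

The two-step structure of the v5 check is visible in demo(): a reply of 5 0 to the probe yields 'negotiable', and only the result byte of the subsequent connect request decides between open and closed, with code 2 being the answer a secure server gives.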

Copyright © 2002-2014 by SORBS