Squid Proxy Port Scanner - Metasploit
This page contains detailed information about how to use the auxiliary/scanner/http/squid_pivot_scanning Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Squid Proxy Port Scanner
Module: auxiliary/scanner/http/squid_pivot_scanning
Source code: modules/auxiliary/scanner/http/squid_pivot_scanning.rb
Disclosure date: -
Last modification time: 2020-08-21 08:47:05 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: http, https
Target network port(s): 80, 443, 3000, 8000, 8008, 8080, 8443, 8880, 8888
List of CVEs: -
An exposed Squid proxy will usually allow an attacker to make requests on their behalf. If misconfigured, this may give the attacker information about devices that they cannot normally reach. For example, an attacker may be able to make requests for internal IP addresses against an open Squid proxy exposed to the Internet, thereby performing a port scan against the internal network. The auxiliary/scanner/http/open_proxy module can be used to test for open proxies, though a Squid proxy does not have to be on the open Internet in order to allow for pivoting (e.g. an intranet Squid proxy which allows the attacker to pivot to another part of the internal network). This module will not be able to scan network ranges or ports denied by Squid ACLs. Fortunately it is possible to detect whether a host was up and the port was closed, or whether the request was blocked by an ACL, based on the response Squid gives. This feedback is provided to the user in the module's VERBOSE output; otherwise only open and permitted ports are printed.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
This module is a scanner module, and is capable of testing against multiple hosts.
msf > use auxiliary/scanner/http/squid_pivot_scanning
msf auxiliary(squid_pivot_scanning) > show options
... show and set options ...
msf auxiliary(squid_pivot_scanning) > set RHOSTS ip-range
msf auxiliary(squid_pivot_scanning) > exploit
Other examples of setting the RHOSTS option:
Example 1:
msf auxiliary(squid_pivot_scanning) > set RHOSTS 192.168.1.3-192.168.1.200
Example 2:
msf auxiliary(squid_pivot_scanning) > set RHOSTS 192.168.1.1/24
Example 3:
msf auxiliary(squid_pivot_scanning) > set RHOSTS file:/tmp/ip_list.txt
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Knowledge Base
Description
An exposed Squid proxy will usually allow an attacker to make requests on their behalf. If misconfigured, this may give the attacker information about devices that they cannot normally reach. For example, an attacker may be able to make requests for internal IP addresses against an open Squid proxy exposed to the Internet, thereby performing a port scan against the internal network.
The auxiliary/scanner/http/open_proxy module can be used to test for open proxies, though a Squid proxy does not have to be on the open Internet in order to allow for pivoting (e.g. an intranet Squid proxy which allows the attacker to pivot to another part of the internal network).
This module will not be able to scan network ranges or ports denied by Squid ACLs. Fortunately it is possible to detect whether a host was up and the port was closed, or whether the request was blocked by an ACL, based on the response Squid gives. This feedback is provided to the user in the module's VERBOSE output; otherwise only open and permitted ports are printed.
Vulnerable Application Setup
The official Squid configuration documentation covers the significant flexibility of the Squid proxy. For this module, the most relevant core Squid configuration lines usually look like this (the defaults shipped with version 3.5):
http_port 3128
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access allow localnet
http_access allow localhost
http_access deny all
In short, this opens port 3128 for proxying from localhost or the localnet ranges to any port in Safe_ports, and allows CONNECT (TLS tunnelling) requests only to SSL_ports (just 443 in this example).
The references to "manager" refer to a component of Squid which provides management controls and reports displaying statistics about the Squid process as it runs, and can show useful information like file descriptors or internal hostnames and IP addresses if the ACL permits access. See the official docs for more information on the Cache Manager.
As such, you should be able to install Squid with the default configuration and reach through it, from a source address in the localnet ranges, to anything the Squid proxy has a route to. If you wish to test against other ports or network ranges, modify the configuration to suit prior to testing. Note that the default ACLs above constrain who may use the proxy (src) and which destination ports are allowed, but say nothing about destination addresses: a permitted client can ask Squid to fetch from any internal address it can route to, which is exactly what this module relies on. A dst-based ACL denying internal ranges, placed before the allow rules, is the usual fix on the defending side.
Verification Steps
To test this module, you can try the following:
- Install Squid
- Start the Squid service
- Start msfconsole
- Do: use auxiliary/scanner/http/squid_pivot_scanning
- Set RHOSTS and RPORT to Squid's host address and port: set RHOSTS squid.internal and set RPORT 3128
- Set the RANGE parameter to the destination host addresses you wish to port scan: set RANGE 192.168.0.1-192.168.0.2
- (Optional) Set the PORTS parameter to any ports you wish to scan on the hosts in RANGE: set PORTS 21-23,80,443
- Do: run
- You should see the module attempt to connect to the proxy, and then the first port of the first host in RANGE. Ports will be tested sequentially until the end of PORTS is reached, at which point it will start from the first port on the next host in RANGE.
Options
Here is a quick overview of each option within the module.
CANARY_IP
The IP to check whether the proxy answers positively to everything; this address should not normally respond. The module requests http://CANARY_IP:80 through the proxy and flags the proxy as unreliable if that comes back as HTTP 200 with a body. The default, 1.2.3.4, is a public (non-reserved) address, so if the proxy has Internet egress prefer an address you know cannot answer, for example one from 192.0.2.0/24 (TEST-NET-1, reserved by RFC 5737 and not routed).
Default value: 1.2.3.4
MANUAL_CHECK
Stop the scan if the canary check shows the Squid proxy answering positively to every request. The canary request is always sent; setting this to false only lets the scan continue (with a warning about false positives) after a positive canary.
Default value: true
PORTS
The destination TCP ports to scan through the proxy. Ports will be scanned in ascending order.
Note: these must be TCP, this scanner cannot scan other protocols.
Proxies
This option should not be confused with the Squid proxy you are scanning: it is one of the standard Metasploit HTTP client options, with which you can specify a proxy chain that you need in order to reach the Squid proxy.
RANGE
This is the IP range you wish to scan through the Squid proxy. PORTS on these hosts will be scanned. Hosts are scanned in ascending order.
RPORT
This is the port that the Squid proxy is listening on. Squid itself listens on 3128 by default, but this module's RPORT option inherits the HTTP client default of 80 (see the show options output below), so set it explicitly.
Default value: 80 (use 3128 for a default Squid install)
SSL
Whether you need to connect to Squid over TLS. This is not normally the case.
Default value: false
THREADS
The number of concurrent threads (max one per Squid host).
Default value: 1
VHOST
HTTP server virtual host header to send on requests.
Scenarios and Examples
The following is a brief demo of a port scan against two hosts (192.168.0.1 and 192.168.0.2) through a Squid proxy responding at 10.10.10.100:3128. Assume that the Squid host has a public or otherwise reachable IP address, while the 192.168.0.0 network range is not normally reachable from where you are.
msf6 > use auxiliary/scanner/http/squid_pivot_scanning
msf6 auxiliary(scanner/http/squid_pivot_scanning) > set RHOSTS 10.10.10.100
RHOSTS => 10.10.10.100
msf6 auxiliary(scanner/http/squid_pivot_scanning) > set RPORT 3128
RPORT => 3128
msf6 auxiliary(scanner/http/squid_pivot_scanning) > set PORTS 21-25,79-81,139,443,445,1433,1521,1723,3389,8080,9100
PORTS => 21-25,79-81,139,443,445,1433,1521,1723,3389,8080,9100
msf6 auxiliary(scanner/http/squid_pivot_scanning) > set RANGE 192.168.0.1-192.168.0.2
RANGE => 192.168.0.1-192.168.0.2
msf6 auxiliary(scanner/http/squid_pivot_scanning) > run
[+] [10.10.10.100] 192.168.0.1 is alive.
[+] [10.10.10.100] 192.168.0.1:80 seems open (HTTP 200, server header: 'nginx/1.14.0 (Ubuntu)').
[+] [10.10.10.100] 192.168.0.2 is alive.
[+] [10.10.10.100] 192.168.0.2:80 seems open (HTTP 302 redirect to: 'index.php', server header: 'nginx/1.14.0 (Ubuntu)')
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Setting the VERBOSE option will show each port tested and explain the reason for unreachable ports, if known. This can be helpful: a port might very well be open and responding on a host, but if it is denied by the Squid ACL you will be unable to reach it through this proxy regardless.
msf6 auxiliary(scanner/http/squid_pivot_scanning) > set VERBOSE true
VERBOSE => true
msf6 auxiliary(scanner/http/squid_pivot_scanning) > run
[*] [10.10.10.100] Verifying manual testing is not required...
[*] [10.10.10.100] Requesting 192.168.0.1:21
[+] [10.10.10.100] 192.168.0.1 is alive.
[*] [10.10.10.100] 192.168.0.1 is alive but 21 is closed.
[*] [10.10.10.100] Requesting 192.168.0.1:22
[*] [10.10.10.100] 192.168.0.1:22 likely blocked by ACL.
[*] [10.10.10.100] Requesting 192.168.0.1:23
[*] [10.10.10.100] 192.168.0.1:23 likely blocked by ACL.
[*] [10.10.10.100] Requesting 192.168.0.1:24
[*] [10.10.10.100] 192.168.0.1:24 likely blocked by ACL.
[*] [10.10.10.100] Requesting 192.168.0.1:25
[*] [10.10.10.100] 192.168.0.1:25 likely blocked by ACL.
[*] [10.10.10.100] Requesting 192.168.0.1:79
[*] [10.10.10.100] 192.168.0.1:79 likely blocked by ACL.
[*] [10.10.10.100] Requesting 192.168.0.1:80
[+] [10.10.10.100] 192.168.0.1:80 seems open (HTTP 200, server header: 'nginx/1.14.0 (Ubuntu)').
[*] [10.10.10.100] Requesting 192.168.0.1:81
[*] [10.10.10.100] 192.168.0.1:81 likely blocked by ACL.
[*] [10.10.10.100] Requesting 192.168.0.1:139
[*] [10.10.10.100] 192.168.0.1:139 likely blocked by ACL.
[*] [10.10.10.100] Requesting 192.168.0.1:443
[*] [10.10.10.100] 192.168.0.1 is alive but 443 is closed.
[*] [10.10.10.100] Requesting 192.168.0.1:445
[*] [10.10.10.100] 192.168.0.1:445 likely blocked by ACL.
[*] [10.10.10.100] Requesting 192.168.0.1:1433
[*] [10.10.10.100] 192.168.0.1 is alive but 1433 is closed.
[*] [10.10.10.100] Requesting 192.168.0.1:1521
[*] [10.10.10.100] 192.168.0.1 is alive but 1521 is closed.
[*] [10.10.10.100] Requesting 192.168.0.1:1723
[*] [10.10.10.100] 192.168.0.1 is alive but 1723 is closed.
[*] [10.10.10.100] Requesting 192.168.0.1:3389
[*] [10.10.10.100] 192.168.0.1 is alive but 3389 is closed.
[*] [10.10.10.100] Requesting 192.168.0.1:8080
[*] [10.10.10.100] 192.168.0.1 is alive but 8080 is closed.
[*] [10.10.10.100] Requesting 192.168.0.1:9100
[*] [10.10.10.100] 192.168.0.1 is alive but 9100 is closed.
[*] [10.10.10.100] Requesting 192.168.0.2:21
[+] [10.10.10.100] 192.168.0.2 is alive.
[*] [10.10.10.100] 192.168.0.2 is alive but 21 is closed.
[*] [10.10.10.100] Requesting 192.168.0.2:22
[*] [10.10.10.100] 192.168.0.2:22 likely blocked by ACL.
[*] [10.10.10.100] Requesting 192.168.0.2:23
[*] [10.10.10.100] 192.168.0.2:23 likely blocked by ACL.
[*] [10.10.10.100] Requesting 192.168.0.2:24
[*] [10.10.10.100] 192.168.0.2:24 likely blocked by ACL.
[*] [10.10.10.100] Requesting 192.168.0.2:25
[*] [10.10.10.100] 192.168.0.2:25 likely blocked by ACL.
[*] [10.10.10.100] Requesting 192.168.0.2:79
[*] [10.10.10.100] 192.168.0.2:79 likely blocked by ACL.
[*] [10.10.10.100] Requesting 192.168.0.2:80
[+] [10.10.10.100] 192.168.0.2:80 seems open (HTTP 302 redirect to: 'index.php', server header: 'nginx/1.14.0 (Ubuntu)')
[*] [10.10.10.100] Requesting 192.168.0.2:81
[*] [10.10.10.100] 192.168.0.2:81 likely blocked by ACL.
[*] [10.10.10.100] Requesting 192.168.0.2:139
[*] [10.10.10.100] 192.168.0.2:139 likely blocked by ACL.
[*] [10.10.10.100] Requesting 192.168.0.2:443
[*] [10.10.10.100] 192.168.0.2 is alive but 443 is closed.
[*] [10.10.10.100] Requesting 192.168.0.2:445
[*] [10.10.10.100] 192.168.0.2:445 likely blocked by ACL.
[*] [10.10.10.100] Requesting 192.168.0.2:1433
[*] [10.10.10.100] 192.168.0.2 is alive but 1433 is closed.
[*] [10.10.10.100] Requesting 192.168.0.2:1521
[*] [10.10.10.100] 192.168.0.2 is alive but 1521 is closed.
[*] [10.10.10.100] Requesting 192.168.0.2:1723
[*] [10.10.10.100] 192.168.0.2 is alive but 1723 is closed.
[*] [10.10.10.100] Requesting 192.168.0.2:3389
[*] [10.10.10.100] 192.168.0.2 is alive but 3389 is closed.
[*] [10.10.10.100] Requesting 192.168.0.2:8080
[*] [10.10.10.100] 192.168.0.2 is alive but 8080 is closed.
[*] [10.10.10.100] Requesting 192.168.0.2:9100
[*] [10.10.10.100] 192.168.0.2 is alive but 9100 is closed.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
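Every verdict in the verbose output above ("is alive but ... is closed", "likely blocked by ACL", "No route to", "could not resolve") is derived from what Squid sends back for the proxied request: the X-Squid-Error response header and, for connection failures, the errno text inside the <p id="sysmsg"> line of Squid's error page. The Ruby below is an added, stand-alone example, not the module's own code, although it follows the same decision logic as the source excerpts further down this page. It builds the absolute-URI probe a forward proxy expects, classifies a proxied response into one of those verdicts, applies the CANARY_IP sanity check, and runs a RANGE x PORTS loop that stops probing a host once Squid reports it unroutable or unresolvable. The function names are mine, the embedded HTTP responses are constructed for the example (modelled on Squid 3.x error pages, not captured traffic), and the `fetch` callable stands in for a real socket to the proxy.

```ruby
# Added example, not code from the Metasploit module: the decision logic a
# Squid pivot scanner applies to each proxied response. Sample responses are
# constructed for this example; a real scanner would read them from a socket.

# Parse an HTTP/1.x response into { code:, headers: (lower-cased), body: }.
def parse_http_response(raw)
  head, body = raw.split(/\r?\n\r?\n/, 2)
  lines = head.lines.map(&:chomp)
  code = lines.shift[%r{\AHTTP/\d\.\d (\d{3})}, 1]
  headers = {}
  lines.each do |line|
    name, value = line.split(':', 2)
    headers[name.strip.downcase] = value.strip if name && value
  end
  { code: code && code.to_i, headers: headers, body: body.to_s }
end

# The request a forward proxy expects: an absolute URI. Asking Squid for
# http://target:port/ makes it open a TCP connection to target:port for us;
# how that connection fares is what the response reveals.
def proxy_probe_request(target, port, vhost: '')
  "GET http://#{target}:#{port}/ HTTP/1.0\r\nHost: #{vhost}\r\n\r\n"
end

# Verdicts:
#   :open         no Squid error header, the destination answered something
#   :closed       ECONNREFUSED behind the proxy: host up, port closed
#   :no_route     EHOSTUNREACH: stop probing this host
#   :connect_fail other connect failure (e.g. timeout): filtered or down
#   :acl_denied   a Squid ACL rejected the request: says nothing about the host
#   :dns_fail     Squid could not resolve the target: use an IP instead
#   :unknown      some other X-Squid-Error value
def classify_squid_response(resp)
  err = resp[:headers]['x-squid-error']
  return :open if err.nil?
  case err
  when /ERR_CONNECT_FAIL/
    return :closed   if resp[:body] =~ /id="sysmsg".*Connection refused/m
    return :no_route if resp[:body] =~ /id="sysmsg".*No route to host/m
    :connect_fail
  when /ERR_ACCESS_DENIED/ then :acl_denied
  when /ERR_DNS_FAIL/      then :dns_fail
  else :unknown
  end
end

# CANARY_IP check: a proxy that returns 200 with a body for an address that
# cannot answer will turn every probe into a false "open". Assumption for this
# example: the canary is taken from 192.0.2.0/24 (TEST-NET-1, RFC 5737), which
# is reserved and unrouted, rather than a routable public address.
def canary_looks_unreliable?(canary_resp)
  canary_resp[:code] == 200 && !canary_resp[:body].empty?
end

# RANGE x PORTS loop. `fetch` is a callable (target, port) -> parsed response,
# or nil when the proxy itself timed out. Remaining ports of a host are skipped
# once Squid reports it unroutable or unresolvable, like the module's `dead` flag.
def scan_through_proxy(targets, ports, fetch)
  results = Hash.new { |h, k| h[k] = {} }
  targets.each do |target|
    ports.each do |port|
      resp = fetch.call(target, port)
      verdict = resp ? classify_squid_response(resp) : :timeout
      results[target][port] = verdict
      break if %i[no_route dns_fail].include?(verdict)
    end
  end
  results
end

# Constructed responses modelled on Squid 3.x error pages (not captured traffic).
SYSMSG = '<html><body><p id="sysmsg">The system returned: <i>%s</i></p></body></html>'
SAMPLE_RESPONSES = {
  open:     "HTTP/1.1 200 OK\r\nServer: nginx/1.14.0 (Ubuntu)\r\nVia: 1.1 squid\r\n\r\n<html>ok</html>",
  closed:   "HTTP/1.1 503 Service Unavailable\r\nX-Squid-Error: ERR_CONNECT_FAIL 111\r\n\r\n#{SYSMSG % '(111) Connection refused'}",
  no_route: "HTTP/1.1 503 Service Unavailable\r\nX-Squid-Error: ERR_CONNECT_FAIL 113\r\n\r\n#{SYSMSG % '(113) No route to host'}",
  acl:      "HTTP/1.1 403 Forbidden\r\nX-Squid-Error: ERR_ACCESS_DENIED 0\r\n\r\n<html>denied</html>",
  dns:      "HTTP/1.1 503 Service Unavailable\r\nX-Squid-Error: ERR_DNS_FAIL 0\r\n\r\n<html>dns</html>",
}.freeze

if __FILE__ == $PROGRAM_NAME
  # Fake proxy: 192.168.0.1 has 80 open and 22 ACL-blocked, 192.168.0.9 is unroutable.
  fake_proxy = lambda do |target, port|
    key = { ['192.168.0.1', 80] => :open, ['192.168.0.1', 22] => :acl,
            ['192.168.0.9', 21] => :no_route }.fetch([target, port], :closed)
    parse_http_response(SAMPLE_RESPONSES[key])
  end
  scan_through_proxy(%w[192.168.0.1 192.168.0.9], [21, 22, 80], fake_proxy).each do |host, ports|
    ports.each { |port, verdict| puts "#{host}:#{port} #{verdict}" }
  end
end
```

Two points worth keeping in mind when reading real output: an :acl_denied verdict is a statement about the proxy's policy, not about the target, so it must not be recorded as a closed port; and only :no_route and :dns_fail justify abandoning a host, since a single refused or timed-out port says nothing about the rest.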
If the Squid administrator has made the error of an overly permissive ACL, you might even see more interesting ports. A contrived example is below; note that SSH (port 22) has been added to Safe_ports. The "set TARGETS" line in the transcript is a leftover that sets no option this module reads; RANGE and PORTS are what drive the scan.
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl Safe_ports port 21 # ftp
acl Safe_ports port 22 # ssh
http_access deny !Safe_ports
http_access allow localhost
http_access allow localnet
http_access deny all
msf6 auxiliary(scanner/http/squid_pivot_scanning) > set TARGETS 127.0.0.1
TARGETS => 127.0.0.1
msf6 auxiliary(scanner/http/squid_pivot_scanning) > set RANGE 127.0.0.1
RANGE => 127.0.0.1
msf6 auxiliary(scanner/http/squid_pivot_scanning) > set PORTS 21-23
PORTS => 21-23
msf6 auxiliary(scanner/http/squid_pivot_scanning) > run
[*] [10.10.10.100] Verifying manual testing is not required...
[*] [10.10.10.100] Requesting 127.0.0.1:21
[+] [10.10.10.100] 127.0.0.1 is alive.
[*] [10.10.10.100] 127.0.0.1 is alive but 21 is closed.
[*] [10.10.10.100] Requesting 127.0.0.1:22
[+] [10.10.10.100] 127.0.0.1:22 seems open (HTTP 200, server header: 'unknown').
[*] [10.10.10.100] Requesting 127.0.0.1:23
[*] [10.10.10.100] 127.0.0.1:23 likely blocked by ACL.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Finally, it is worth knowing that all discovered open ports are saved as services in the database for later viewing:
msf6 auxiliary(scanner/http/squid_pivot_scanning) > services
Services
========
host         port  proto  name                   state  info
----         ----  -----  ----                   -----  ----
127.0.0.1    22    tcp    unknown                open   SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2 Protocol mismatch.
192.168.0.1  80    tcp    nginx/1.14.0 (ubuntu)  open   ...
192.168.0.2  80    tcp    nginx/1.14.0 (ubuntu)  open   Redirect to: index.php
Msfconsole Usage
Here is how the scanner/http/squid_pivot_scanning auxiliary module looks in the msfconsole:
msf6 > use auxiliary/scanner/http/squid_pivot_scanning
msf6 auxiliary(scanner/http/squid_pivot_scanning) > show info
Name: Squid Proxy Port Scanner
Module: auxiliary/scanner/http/squid_pivot_scanning
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
willis
0x44434241
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
CANARY_IP 1.2.3.4 yes The IP to check if the proxy always answers positively; the IP should not respond.
MANUAL_CHECK true yes Stop the scan if server seems to answer positively to every request
PORTS 21,80,139,443,445,1433,1521,1723,3389,8080,9100 yes Ports to scan; must be TCP
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RANGE yes IPs to scan through Squid proxy
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
THREADS 1 yes The number of concurrent threads (max one per host)
VHOST no HTTP server virtual host
Description:
A exposed Squid proxy will usually allow an attacker to make
requests on their behalf. If misconfigured, this may give the
attacker information about devices that they cannot normally reach.
For example, an attacker may be able to make requests for internal
IP addresses against an open Squid proxy exposed to the Internet,
therefore performing a port scan against the internal network. The
`auxiliary/scanner/http/open_proxy` module can be used to test for
open proxies, though a Squid proxy does not have to be on the open
Internet in order to allow for pivoting (e.g. an Intranet Squid
proxy which allows the attack to pivot to another part of the
internal network). This module will not be able to scan network
ranges or ports denied by Squid ACLs. Fortunately it is possible to
detect whether a host was up and the port was closed, or if the
request was blocked by an ACL, based on the response Squid gives.
This feedback is provided to the user in meterpreter `VERBOSE`
output, otherwise only open and permitted ports are printed.
Module Options
This is a complete list of options available in the scanner/http/squid_pivot_scanning auxiliary module:
msf6 auxiliary(scanner/http/squid_pivot_scanning) > show options
Module options (auxiliary/scanner/http/squid_pivot_scanning):
Name Current Setting Required Description
---- --------------- -------- -----------
CANARY_IP 1.2.3.4 yes The IP to check if the proxy always answers positively; the IP should not respond.
MANUAL_CHECK true yes Stop the scan if server seems to answer positively to every request
PORTS 21,80,139,443,445,1433,1521,1723,3389,8080,9100 yes Ports to scan; must be TCP
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RANGE yes IPs to scan through Squid proxy
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
THREADS 1 yes The number of concurrent threads (max one per host)
VHOST no HTTP server virtual host
Advanced Options
Here is a complete list of advanced options supported by the scanner/http/squid_pivot_scanning auxiliary module:
msf6 auxiliary(scanner/http/squid_pivot_scanning) > show advanced
Module advanced options (auxiliary/scanner/http/squid_pivot_scanning):
Name Current Setting Required Description
---- --------------- -------- -----------
DOMAIN WORKSTATION yes The domain to use for Windows authentication
DigestAuthIIS true no Conform to IIS, should work for most servers. Only set to false for non-IIS servers
FingerprintCheck true no Conduct a pre-exploit fingerprint verification
HttpClientTimeout no HTTP connection and receive timeout
HttpPassword no The HTTP password to specify for authentication
HttpRawHeaders no Path to ERB-templatized raw headers to append to existing headers
HttpTrace false no Show the raw HTTP requests and responses
HttpTraceColors red/blu no HTTP request and response colors for HttpTrace (unset to disable)
HttpTraceHeadersOnly false no Show HTTP headers only in HttpTrace
HttpUsername no The HTTP username to specify for authentication
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
ShowProgress true yes Display progress messages during a scan
ShowProgressPercent 10 yes The interval in percent that progress should be shown
UserAgent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) no The User-Agent header to use for all requests
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the scanner/http/squid_pivot_scanning module can do:
msf6 auxiliary(scanner/http/squid_pivot_scanning) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the scanner/http/squid_pivot_scanning auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(scanner/http/squid_pivot_scanning) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
HTTP::header_folding false no Enable folding of HTTP headers
HTTP::method_random_case false no Use random casing for the HTTP method
HTTP::method_random_invalid false no Use a random invalid, HTTP method for request
HTTP::method_random_valid false no Use a random, but valid, HTTP method for request
HTTP::pad_fake_headers false no Insert random, fake headers into the HTTP request
HTTP::pad_fake_headers_count 0 no How many fake headers to insert into the HTTP request
HTTP::pad_get_params false no Insert random, fake query string variables into the request
HTTP::pad_get_params_count 16 no How many fake query string variables to insert into the request
HTTP::pad_method_uri_count 1 no How many whitespace characters to use between the method and uri
HTTP::pad_method_uri_type space no What type of whitespace to use between the method and uri (Accepted: space, tab, apache)
HTTP::pad_post_params false no Insert random, fake post variables into the request
HTTP::pad_post_params_count 16 no How many fake post variables to insert into the request
HTTP::pad_uri_version_count 1 no How many whitespace characters to use between the uri and version
HTTP::pad_uri_version_type space no What type of whitespace to use between the uri and version (Accepted: space, tab, apache)
HTTP::uri_dir_fake_relative false no Insert fake relative directories into the uri
HTTP::uri_dir_self_reference false no Insert self-referential directories into the uri
HTTP::uri_encode_mode hex-normal no Enable URI encoding (Accepted: none, hex-normal, hex-noslashes, hex-random, hex-all, u-normal, u-all, u-random)
HTTP::uri_fake_end false no Add a fake end of URI (eg: /%20HTTP/1.0/../../)
HTTP::uri_fake_params_start false no Add a fake start of params to the URI (eg: /%3fa=b/../)
HTTP::uri_full_url false no Use the full URL for all HTTP requests
HTTP::uri_use_backslashes false no Use back slashes instead of forward slashes in the uri
HTTP::version_random_invalid false no Use a random invalid, HTTP version for request
HTTP::version_random_valid false no Use a random, but valid, HTTP version for request
Error Messages
This module may fail with the following error messages:
- PORTS (raised as an option validation error when the PORTS specification is empty or invalid)
- [<RHOST>] Verifying manual testing is not required...
- <RHOST> likely answers positively to every request, check it manually.
- Proceeding with the scan may increase false positives.
- X-Squid-Error (not a message the module prints, but the Squid response header it inspects to tell closed ports from ACL denials)
- [<RHOST>] No route to <TARGET>
- [<RHOST>] Squid could not resolve '<TARGET>', try putting the IP in the RANGE parameter if known.
- [<RHOST>] <TARGET>:<PORT> unknown Squid proxy error: '<VALUE>' (HTTP <RES.CODE>)
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
PORTS
Here is a relevant code snippet related to the "PORTS" error message:
65: iplist = Rex::Socket::RangeWalker.new(datastore['RANGE'])
66: portlist = Rex::Socket.portspec_crack(datastore['PORTS'])
67: dead = false
68:
69: if portlist.empty?
70: raise Msf::OptionValidateError.new(['PORTS'])
71: end
72:
73: vprint_status("[#{rhost}] Verifying manual testing is not required...")
74:
75: manual = false
[<RHOST>] Verifying manual testing is not required...
Here is a relevant code snippet related to the "[<RHOST>] Verifying manual testing is not required..." error message:
68:
69: if portlist.empty?
70: raise Msf::OptionValidateError.new(['PORTS'])
71: end
72:
73: vprint_status("[#{rhost}] Verifying manual testing is not required...")
74:
75: manual = false
76: # request a non-existent page first to make sure the server doesn't respond with a 200 to everything.
77: res_test = send_request_cgi({
78: 'uri' => "http://#{datastore['CANARY_IP']}:80",
<RHOST> likely answers positively to every request, check it manually.
Here is a relevant code snippet related to the "<RHOST> likely answers positively to every request, check it manually." error message:
81: 'version' => '1.0',
82: 'vhost' => ''
83: }, 10)
84:
85: if res_test && res_test.body && (res_test.code == 200)
86: print_error("#{rhost} likely answers positively to every request, check it manually.")
87: print_error("\t\t Proceeding with the scan may increase false positives.")
88: manual = true
89: end
90:
91: iplist.each do |target|
Proceeding with the scan may increase false positives.
Here is a relevant code snippet related to the "Proceeding with the scan may increase false positives." error message:
82: 'vhost' => ''
83: }, 10)
84:
85: if res_test && res_test.body && (res_test.code == 200)
86: print_error("#{rhost} likely answers positively to every request, check it manually.")
87: print_error("\t\t Proceeding with the scan may increase false positives.")
88: manual = true
89: end
90:
91: iplist.each do |target|
92: next if manual && datastore['MANUAL_CHECK']
X-Squid-Error
X-Squid-Error is the response header Squid attaches to its own error pages; the module reads it first, before looking at the body, to decide whether a failure was a refused connection, an ACL denial or a DNS failure. Here is the relevant code snippet:
115: }, 10)
116: end
117:
118: if res && res.body
119: # Look at the HTTP headers back from Squid first, for some easy error detection.
120: if res.headers.key?('X-Squid-Error')
121: case res.headers['X-Squid-Error']
122: when /ERR_CONNECT_FAIL/
123: # Usually a HTTP 503, page body can give some more information. Example:
124: # <p id="sysmsg">The system returned: <i>(111) Connection refused</i></p>
125: if res.body =~ /id="sysmsg".*Connection refused/
126: if alive.nil?
[<RHOST>] No route to <TARGET>
Here is a relevant code snippet related to the "[<RHOST>] No route to <TARGET>" error message:
128: alive = true
129: end
130: vprint_status("[#{rhost}] #{target} is alive but #{port} is closed.")
131: elsif res.body =~ /id="sysmsg".*No route to host/
132: dead = true
133: print_error("[#{rhost}] No route to #{target}")
134: end
135: when /ERR_ACCESS_DENIED/
136: # Indicates that the Squid ACLs do not allow connecting to this port.
137: # See: https://wiki.squid-cache.org/SquidFaq/SquidAcl
138: vprint_status("[#{rhost}] #{target}:#{port} likely blocked by ACL.")
[<RHOST>] Squid could not resolve '<TARGET>', try putting the IP in the RANGE parameter if known.
Here is a relevant code snippet related to the "[<RHOST>] Squid could not resolve '<TARGET>', try putting the IP in the RANGE parameter if known." error message:
137: # See: https://wiki.squid-cache.org/SquidFaq/SquidAcl
138: vprint_status("[#{rhost}] #{target}:#{port} likely blocked by ACL.")
139: when /ERR_DNS_FAIL/
140: # Squid could not resolve the destination hostname.
141: dead = true
142: print_error("[#{rhost}] Squid could not resolve '#{target}', try putting the IP in the RANGE parameter if known.")
143: else
144: print_error("[#{rhost}] #{target}:#{port} unknown Squid proxy error: '#{res.headers['X-Squid-Error']}' (HTTP #{res.code})")
145: end
146: next # Skip to next port if the host is not marked as dead
147: end
[<RHOST>] <TARGET>:<PORT> unknown Squid proxy error: '<VALUE>' (HTTP <RES.CODE>)
Here is a relevant code snippet related to the "[<RHOST>] <TARGET>:<PORT> unknown Squid proxy error: '<VALUE>' (HTTP <RES.CODE>)" error message:
139: when /ERR_DNS_FAIL/
140: # Squid could not resolve the destination hostname.
141: dead = true
142: print_error("[#{rhost}] Squid could not resolve '#{target}', try putting the IP in the RANGE parameter if known.")
143: else
144: print_error("[#{rhost}] #{target}:#{port} unknown Squid proxy error: '#{res.headers['X-Squid-Error']}' (HTTP #{res.code})")
145: end
146: next # Skip to next port if the host is not marked as dead
147: end
148:
149: # By this stage, we've likely got a good connection. Parsing the body might no longer be reasonable if the
Related Pull Requests
- #14014 Merged Pull Request: Bugfix: Better handling of Squid HTTP response codes.
- #8888 Merged Pull Request: spelling/grammar fixes part 1
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #6648 Merged Pull Request: Change metasploit class names
- #5059 Merged Pull Request: Yard doc corrections
- #4878 Merged Pull Request: Fixed typo
- #2779 Merged Pull Request: Raise Msf::OptionValidateError when the PORTS option is invalid
- #2525 Merged Pull Request: Change module boilerplate
- #1228 Merged Pull Request: MSFTIDY cleanup #1 - auxiliary
- #285 Merged Pull Request: Squid pivot scanning
See Also
Check also the following modules related to this module:
- auxiliary/dos/http/squid_range_dos
- auxiliary/admin/mssql/mssql_ntlm_stealer
- auxiliary/admin/mssql/mssql_ntlm_stealer_sqli
- auxiliary/admin/oracle/ora_ntlm_stealer
- auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt
- auxiliary/scanner/http/ntlm_info_enumeration
- auxiliary/scanner/smtp/smtp_ntlm_domain
- auxiliary/server/capture/http_ntlm
- auxiliary/server/http_ntlmrelay
- exploit/windows/local/bits_ntlm_token_impersonation
- exploit/linux/http/dlink_dcs_930l_authenticated_remote_command_execution
- exploit/linux/http/klog_server_authenticate_user_unauth_command_injection
- exploit/linux/http/nagios_xi_mibs_authenticated_rce
- exploit/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce
- exploit/linux/http/nagios_xi_plugins_filename_authenticated_rce
- exploit/linux/http/nagios_xi_snmptrap_authenticated_rce
- exploit/linux/http/tp_link_sc2020n_authenticated_telnet_injection
- exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload
- exploit/unix/webapp/bolt_authenticated_rce
- exploit/unix/webapp/wp_wpdiscuz_unauthenticated_file_upload
- exploit/windows/http/nscp_authenticated_rce
- exploit/windows/http/prtg_authenticated_rce
- exploit/linux/proxy/squid_ntlm_authenticate
Authors
- willis
- 0x44434241
Version
This page has been produced using Metasploit Framework version 6.1.27-dev. For more modules, visit the Metasploit Module Library.