1 | /* This file describes what proxy tests to run: what ports to connect |
2 | * to, what to send to them, what to look for, and what to do if that | |
3 | * is found. | |
4 | */ | |
5 | ||
6 | /* Connect on port 1080, sending "\5\1\0" as challenge. | |
7 | * If we get "\5\0" as a response, it's an unsecured socks5. */ | |
8 | "1080:050100" { | |
9 | "0500" "reject:Unsecured socks5"; | |
10 | }; | |
11 | ||
12 | /* Connect on port 1080, sending "\4\1" followed by the port | |
13 | * and IP of the client, followed by the (NUL-terminated) ident to | |
14 | * use. If we get a four byte response with '\x5a' as the second | |
15 | * byte, it's an unsecured socks4 proxy. | |
16 | * | |
17 | * It is generally wise to replace the $p$i (the client's own port and IP, | |
18 | * as described above) with a hard-coded destination; many insecure proxies refuse to connect back to themselves. | |
19 | */ | |
1117fc5a | 20 | "1080:0401$p$i=p=r=o=x=y00" { |
21 | "..5a...." "reject:Unsecured socks4"; |
22 | }; | |
23 | ||
24 | "23:" { | |
25 | // This first test is interesting: it is multi-stage, and the default ("other") action is reject | |
26 | // the fffb../fffd.. bytes at the front are the router trying to negotiate telnet options | |
27 | "fffb01fffb03fffd18fffd1f0d0a0d0a=U=s=e=r= =A=c=c=e=s=s= =V=e=r=i=f=i=c=a=t=i=o=n0d0a0d0a=P=a=s=s=w=o=r=d3a= :=c=i=s=c=o0d0a" { | |
28 | "0d0a=P=a=s=s=w=o=r=d3a= " "accept"; | |
29 | "other" "reject:[1 hour] Cisco router with default password"; | |
30 | }; | |
31 | "=W=i=n=G=a=t=e=>" "reject:Unsecured wingate"; | |
32 | "=T=o=o= =m=a=n=y" "reject:Unsecured wingate"; | |
33 | "=E=n=t=e=r= =h=o=s=t= =n=a=m=e" "reject:Unsecured wingate"; | |
34 | // the 3a is ':'; due to a parser glitch, =: isn't parsed like you might expect | |
35 | "=E=n=t=e=r= 3a= =<=h=o=s=t=>" "reject:Unsecured wingate"; | |
36 | }; | |
37 | ||
38 | /* Connect on port 3128 (squid), trying to use it as an HTTP CONNECT | |
39 | * proxy. If we get a 200 response, the CONNECT succeeded: the host is | |
40 | * an open proxy and should be booted. | |
41 | * If you do this check on port 80, you might check for "200 | |
42 | * Connection" instead to reduce false positives; many servers | |
43 | * send 200 OK responses for custom 404 Error pages. | |
44 | * As with the SOCKS4 check, you may want to replace the $c:3128 | |
45 | * (client hostname and port) with a hard-coded one. | |
46 | */ | |
47 | "3128:=C=O=N=N=E=C=T= $c=:=3=1=2=8= =H=T=T=P=/=1=.=00d0a0d0a" { | |
48 | "=H=T=T=P=/=1=.=0= =2=0=0" "reject:Unsecured proxy"; | |
49 | }; | |
50 | ||
51 | "27374:" { | |
52 | "" "reject:Subseven detected"; | |
53 | }; |