Deep Analysis Agent Hunter _ Proxy Server

Deputy Hunter is the Sun wind comrade hard work results, no solar wind more than a year of continuous cultivation, there is no wonderful agent Hunter today, so let us at the beginning of the article on the Sun Wind Comrade Express sincere greetings! The first thing to say is that I have not used the software before, the version at hand is 1998 out of the 1.1 version. But in the second half of the writing, it's time to download the latest version 2.8. But the result is the same: Goodwell Note: Now 3.0 version, but I use is not very stable. ）
The purpose of this article is to help ADM get rid of the wide range of scanning activities currently on the Internet using agent hunters. and revealing the principle of the agent hunter. Because there is no detailed information about the proxy server at hand, the implementation of the analysis agent takes a lot of effort. Hope that in the dissemination of this article, please try to keep the integrity of the article, thank you!

The implementation of the agent Hunter: because there is no source code, the analysis began using NETCAT, using its hex dump function to intercept the information sent by the Hunter. But Netcat is a DOS software, it is not easy to use, so it took a few hours to write a forwin netcat. The information intercepted is as follows:

The 3a 2f 2f (m) 2e 6d # Get HTTP://WWW.M
6f, 2e, 6f 6d, 2f-axtor.com HTTP/1
2e 0d 0a-6f-1..host:www.ma 3a (2e 6d)
6f (2e) 6f 6d 0d 0a-xtor.com..accept
3a 2a 2f 2a 0d 0a (6d-3a): */*. Pragma:n
6f 2d-O-cache 0d 0a-the 2d-a- User-ag
6e, 3a, 6f Ent:proxyhunter, 6e, #
2e 0d 0a 0d 0a # 1.0 ....

Hands basically we know what the hunter is sending to the server:
Get htttp://www.maxor.com http/1.1 Host:www.maxtor.com Accept: */* pragma:no-cache
User-agent:proxyhunter 1.0

That is, after issuing such a command sequence, if the other side is proxy server, the hunter will collect www.maxtor.com home page, and then down should be in the home page to search for the keyword in the hunter's hand, if true, the target is a proxy server, and free. So I guess if the direct hair keyword to it, will it pass the test? The answer is: on!, not to, had to surf the internet (this month's Internet time has been overdrawn:) rack on the sniffer, looking for a real agent, and then find a limited, test after the disconnect quickly. The following is the log of the true proxy server:

------------------------------------------------------------------------------
http/1.1 OK
server:microsoft-iis/4.0
Content-location:http://www.maxtor.com/default.htm
Date:tue, May 1999 04:53:14 GMT
Content-type:text/html
Accept-ranges:bytes
last-modified:wed, APR 1999 16:42:38 GMT
Etag: "CF6F51F9691BE1:105FB"
content-length:8558
Content-location:http://www.maxtor.com/default.htm
Etag: "CF6F51F9691BE1:105FB"
Accept-ranges:bytes
Cache-last-checked:tuesday, 04-may-99 04:15:50 GMT
proxy-agent:netscape-proxy/2.5

<HTML>
<HEAD>
<meta http-equiv= "Content-type" con_tent= "text/html; Charset=iso-8859-1 ">
<title>
Maxtor corporation-creative Solutions For information Storage
</title>
------------------------------------------------------------------------------

Sure it also checked the other characteristics of the biography, but there is no good way, had to try one by one. Add the first line, "http/1.1200 OK" plus keyword to the hunter, OK!!! Passed the test. Looks like the hunter just checked two places. (perhaps to speed up) further experiments show that the Hunter examines the following way: "http/1.1" +wordkey (feature biography) in other words, as long as in the connection is, you send it above the word Fu, the Hunter accepted will consider the validation successful, So far we have found a way to cheat the hunter and pass the test. The limited agent in the validation is log as follows:

-----
http/1.1 404 ERROR
.......
-----
Further studies show that only the issue of
"http/1.1 404"
The word Fu can be deceived thereby by verifying that the hunter displays "to password":
---
The 2.8 version of the Hunter also added to the socks verification, but the results are as follows:
---
At this point, we should be able to analyze the results of the implementation of the agent to find the way, the rest is through the program to prove it. But there are two other areas worth noting:

1. In the first log above, I came with the 16 conversion, which is very important!! Earlier I just did not look at it carefully, took a long detour. Notice the Fu between the characters, "0x0d 0x0a" or "\ n" in C; okay? Wait, the most important thing is the last 8bits!!!!!!!!! "0x0d 0x0a 0x0d 0x0a" consecutive two "\ n", I just did not see it, always get the right answer. (After the program pass the test, I had to manually find the answer, and finally look at the side of the log, only to find the problem, as the Linux Mail command with a carriage return plus a point for the end of the letter, send Agent command is a continuous two carriage return end.) The following is the GNUC implementation of the agent Hunter, note that this procedure only explains the implementation of the Agent Hunter, do not have multiple IP scanning function.

------------------------------Cut is here-----------------------------------
/* This codez describe how to search a PROXY server
*
* by
*
* Zer9
* ====
* zer9@21cn.com
*
* Test on Slackware 2.0.33
* CC Proxyht.c-o PROXYHT.C
*/
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/socket.h>
#include <signal.h>
#define DEFAULTPROXYPORT 8080//default proxy port 8080
#define MSG1 "Get http://www.maxtor.com http/1.1\n"//1--change (1, 2)
#define MSG2 "host:www.maxtor.com\n"//2 to search
#define MSG3 "Accept: */*\n"//other sit e #define MSG4 "pragma:no-cache\n"
#define MSG5 "User-agent:proxyht 0.01\n\n" #define KEYWORD "Maxtor Corp"//This is
Keyword #define TIMEOUT 30
void Alarm_handler (int w)
{
Alarm (0);
printf ("Time out!\n");
}
int main (int argc,char *argv[])
{
struct IN_ADDR Target;
struct Hostent *he;
struct sockaddr_in sin;
int s,proxyport;
Char recvbuf1[5000];
Char recvbuf2[10000];
if (argc==2)
Proxyport=defaultproxyport;
Else
if (argc==3)
Proxyport=atoi (argv[2]);
Else
{
printf ("Proxyht 0.01 by Zer9 mail:zer9@21cn.com\n");
printf ("Usage:%s [proxy_port]\n", argv[0]);
return 0;
}
if ((He=gethostbyname (argv[1]))!=null)
Bcopy (HE-&GT;H_ADDR, (char *) &target.s_addr,he->h_length);
Else
TARGET.S_ADDR=INET_ADDR (argv[1]);
if (target.s_addr==-1)
{
Perror ("gethostbyname");
return-1;
}
printf ("Proxyht 0.01 by Zer9 Mail:
Zer9@21cn.com\n ");
if ((S=socket (af_inet,sock_stream,0)) <0)
{
Perror ("socket");
return-1;
}
Sin.sin_family=af_inet;
Sin.sin_port=htons (ProxyPort);
SIN.SIN_ADDR.S_ADDR=TARGET.S_ADDR;
if (Connect (s, (struct sockaddr*) &sin,sizeof (sin)) <0)
{
Perror ("Connect");
return-1;
}
Bzero (recvbuf1,sizeof (RECVBUF1));
Bzero (recvbuf2,sizeof (RECVBUF2));
printf ("%s start verifying ... waiting a while please\n", argv[1]);
Signal (Sigalrm,alarm_handler);
Send (S,msg1,strlen (MSG1), 0);
Send (S,msg2,strlen (MSG2), 0);
Send (S,msg3,strlen (MSG3), 0);
Send (S,msg4,strlen (MSG4), 0);
Send (S,msg5,strlen (MSG5), 0);
1alarm (TIMEOUT);
Recv (S,recvbuf1,sizeof (RECVBUF1), 0);
Recv (S,recvbuf2,sizeof (RECVBUF2), 0);
Alarm (0);
If u want to debug, open follow two lines
printf ("%s\n", RECVBUF1);
printf ("%s\n", recvbuf2);
if (Strstr (RECVBUF1, "http/1.1 200"))
{
if (Strstr (Recvbuf2,keyword))
{
printf ("hahaha ... there" s something found!);
Close (s); return 0;
}
}
Else
{
if (Strstr (recvbuf1, "http/1.1 404"))
{
printf ("Woo! I found one,but dont free...\n ");
Close (s);
return 0;
}
}
Close (s);
printf ("Sorry.dont hit me please,nexttime i *must* find one.\n");
return 0;
}
----------------------------Cut is here-----------------------------------------

Agent Hunter Deception Realization: A gun in the hands of good people can save, but fell on the wrong hand on the ... : The agent Hunter is such a gun. In the wake of the massive use of hunter scans for illegal services, many people have recently used the Hunter's multithreading features to find specific ports (such as finger (31337), Bo, 12345 (bo) ... At the same time as it is likely to cause a variety of destructive results, but also the use of a large amount of bandwidth, so that normal activities on the Internet are affected (anyway I am very uncomfortable:) (how to deal with these "very curious" comrade? is to give them [a]. a small lesson; or [B]. Just let them have a free love? The following is a Linux (GCC) of the implementation of the ANTI-PORXYHT, the original Win95 under the first I have done, but it is not good to post, but also not conducive to the understanding of everyone. In general, a non-blocking-mode socket (Win95) is much easier to write daemon than a socket (BSD4.3) in blocking mode, and can monitor multiple port effortlessly at the same time under Win95, while Linux has only the following options:
1. Multithreading
2. Intercept each IP packet and then handle it according to the port in the packet;
3. Start multiple copies at the same time:)
4. I don't know ...
1&&2 I will not, have to use 3. ：）
But generally as long as listen to port 8080, because no matter how the hunter sweep, 8080 are not spared. As with the above, this program is just to show you how to cheat the hunter to pass the Hunter's verification, and there is no excess functionality, in the future I may add. While I was writing the software, I spent some time testing to see if the Hunter had a overflow weakness, in his hair Fu when the size of the <=256 I have measured, as if one time to see the phenomenon should be CPU load 100%, may be my love machine too "fast" problem, the rest ( 20-30 times there are no abnormalities. May be with the Hunter is written in C + +, C + + string classes are rarely likely to occur (overflow). If you test the ability to send a hunter to the machine by sending a string, please tell me yo! : In spite of this, you can add a win95&win97&win98 vulnerability, in accept (ns,....) And then pass it on to each other. : (Preferably let it pass the test, let the other party is "extremely happy when sent to him))") (How I am interested in mentioning it) test on Slackware 2.0.33 (maybe irix6.4)./phs 8080 indicates listening 8080 port, after being scanned deceive each other through the Hunter's verification (show: Free:). /phs-n 8080--> said listening to 8080 ports, after the scan to deceive each other through the Hunter's verification (display: password:) The same, the program Win95 version I also write, you can listen to multiple ports, just brother I do not have a home page, two without FTP, can not be shared.

Some readers may ask: The Hunter can choose different character to come to verify, how do I know he will send the message to that website, and what is his KEYWORD at hand? Ohhh,u "re g00d b0y:) This is a critical question, and tests show that if you send a word to the Hunter Chungzhong without keyword (but the beginning is" http/1.1 200 "), The Hunter will show" timeout ", if even" http/1.1 200 "is not, Send only one empty word Fu, the Hunter shows "no feature string", send disorderly display "Non proxy". So how do we solve the keyword problem? Since we are the server side, so the initiative is in our hands; there are two ways:

1, to build a large database, such as the MSG string in the above program, the famous homepage of the title are added to it, I think as long as the name of the manufacturer contains a string on it;

2. Filter out the www.xxxx.xxx from the request Agent's command from the other side and send it to it, which can be implemented by the program. It would be better to add "Corp", Inc., "LTD". ... such as universal string, (if you guess the password is better, this should not be a problem:)
1. 2 do not contradict, can be used in combination. But there is another way: (Armchair: If you are in the presence of an attack, first send him a timeout (or password) information, generally (I think) the other side will be the second to verify, this period "run to" the real site and then in the second scan of the real keyword to him. (re-stated: on paper;)

So far, this article will be over, and sincerely hope that the sun wind comrade after seeing this article can make the Hunter more perfect.
(But it is best to leave a overflow hole, let us also have a hidden (^o^)

This article should be one of the categories that reveal software bugs, and I've finally done something for everyone. A long time ago, it was intended to write a software on intrusion spoofing, which was nuess,sscan when it was scanned (not by hunters, but by the,... The hacker ' scanner ' encounters a 21port connection request and sends an imitation WUFTP interface to it ... But I was still under Linux, multiple-port monitoring I will not, recently transferred to C++builder door, found that can be a light and one of the realization, think about it, choose [a] when the entire Win95 in the external view is a Linux
("#ffff00" Hat 5.2 Apolllo) (The other side will definitely use that wuftpremoteof desperately try:) [B] is slackware2.0.35 [C] is? SUNOS 5.5[d] is.....ha .... Cool: "When you encounter finger @ @localhost send a huge passwd to it:" The best even shadow also sent to him, let him from a happy! : Ohh, that's right. plus an [E] bsd0.0.18 The history book of the Ancestral 3:))--Let those hacker (beginners) run out of brains and think I'm a win95. This hunter's deception is just a try, and maybe some days later someone ( Maybeme) Write Bo_spoof,netspy_spoof ... Don't forget to give me a copy:)