🐚 GTFOBins πŸͺŸ LOLBAS πŸ’Ύ Compiled Binaries 🩸 BloodHound 🩸 bloodyAD πŸ“œ Certipy ☁️ Cloud ⚑ goexec πŸ€– HackTricks πŸ”Œ HardwareATT πŸ“¦ Impacket 🏰 InternalATT πŸ”€ Ligolo-ng 🐱 Mimikatz πŸ’£ msfvenom πŸ”§ NetExec πŸ€– OSAI πŸ’₯ PATT 🍳 Recipes 🎟️ Rubeus 🐍 Sliver
🏰 InternalAllTheThings / Proxy Bypass

Proxy Bypass

An HTTP proxy server acts as an intermediary between a client (like a web browser) and a web server. It processes client requests for web resources, fetches them from the destination server, and returns them to the client.

Summary

Methodology

Discover Proxy Configuration

  • Windows, in the registry key DefaultConnectionSettings

    Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer

  • Windows:

    netsh winhttp show proxy

  • Linux, in the environment variables http_proxy and https_proxy

    env
cat /etc/profile.d/proxy.conf

PAC Proxy

PAC (Proxy Auto-Configuration) is a method to automatically determine whether web traffic should go through a proxy server. It uses a .pac file that contains a JavaScript function called FindProxyForURL(url, host).

  • proxy.pac
  • wpad.dat

Example:

function FindProxyForURL(url, host) {
    if (dnsDomainIs(host, '.example.com')) {
        return 'DIRECT';
    }
    return 'PROXY proxy.example.com:8080';
}

Tools:

  • PortSwigger - Proxy Auto Config - This extension automatically configures Burp upstream proxies to match desktop proxy settings. This includes support for Proxy Auto-Config (PAC) scripts.

Common Bypass

  • Try several way to reach the Internet

    • IP address
    • Domain categorized in Health/Finance

  • Use another proxy reachable in the same environment

  • Weak regular expression for URL can be abused to bypass the proxy configuration

    user:pass@domain/endpoint?parameter#hash
e.g: microsoft.com:microsoft.com@microsoft.com.evil.com/microsoft.com?microsoft.com#microsoft.com

  • Trusted Websites: Living Off Trusted Sites (LOTS) Project

    • Amazon Cloud: AWS endpoints
    • Microsoft Cloud: Azure endpoints
    • Google Cloud: GCP endpoints
    • live.sysinternals.com

  • User-Agents

    • Tools related User-Agent: curl, python, powershell

      User-Agent: curl/8.11.0
User-Agent: python-requests/2.32.3
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; fr-FR) WindowsPowerShell/5.1.26100.2161

    • Platform related User-Agent: Android/iOS/Tablet

      Mozilla/5.0 (Linux; Android 14; Pixel 9 Build/AD1A.240905.004; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/129.0.6668.78 Mobile Safari/537.36 [FB_IAB/FB4A;FBAV/484.0.0.63.83;IABMV/1;] 
Mozilla/5.0 (iPhone; CPU iPhone OS 18_0_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 [FBAN/FBIOS;FBAV/485.1.0.45.110;FBBV/665337277;FBDV/iPhone17,1;FBMD/iPhone;FBSN/iOS;FBSV/18.0.1;FBSS/3;FBCR/;FBID/phone;FBLC/it_IT;FBOP/80]

  • Domain Fronting

  • Protocols
    • TCP
    • Websocket (HTTP)
    • DNS Exfiltration

References