Skip to main content

Find Transparent Proxy Systems

(2021-02-17)

Problem

A system between me and my destination is doing proxying for the destination IP.

In practice: A firewall was showing all IPs it could route to as having SIP and Cisco-CSSP services enabled. Configuration changes to the firewall were necessary to close things. However, we needed to prove the proxying before we could disable it.

Solution

# nmap --traceroute -Pn -p 2000 example.com
TRACEROUTE (using port 2000/tcp)
1   2.04 ms  gateway (192.168.1.1)
2   14.37 ms 10.100.96.1
3   15.60 ms example.com (192.0.2.5)

# nmap --traceroute -Pn -p 22 example.com
TRACEROUTE (using port 22/tcp)
1   2.04 ms  gateway (192.168.1.1)
2   14.37 ms 10.100.96.1
3   15.60 ms 182.23.16.88
4   10.11 ms 182.23.16.82
5   44.73 ms example.com (192.0.2.5)

In the example above, the system 182.23.16.88 is providing proxied services for 192.0.2.5 on port 2000, and passing ssh further along the routing path to where 192.0.2.5 actually is.

(Source)