(Steve Shead is a longtime security practitioner and avid user of CORE IMPACT Pro)
Here’s another depiction of one of my favorite use cases for CORE IMPACT Pro.
Sometimes when conducting a test, you really don't want your traffic to be seen, and using a SOCKS proxy is one good way to do just that.
The challenge, for me, was always finding a way to do this that wasn't too time intensive and that could be easily repeated, even if the application involved didn't support proxies.
My original idea was to simply use Freecap to do this, but I was finding some limitations that way - and I wanted the whole process to be simpler. So, assuming you are using a secure proxy provider, here’s another way that works nicely.
What you need:
- A secure proxy provider (I use http://www.cotse.net/ - simple and cost effective)
- A copy of FreeCAP (the site takes a while to load - it's worth the wait)
- A copy of PuTTY
If you have all these you're ready to rock.
First, install and configure PuTTY (cotse.net method):
- Choose your own version
- Download the newest version
- Start PuTTY
- Where it says Hostname (or IP address) type in the server name you were given from Cotse.Net.
- Where it says Saved Sessions type in Cotse SSH Tunnel
- Click the Save button
- On the left click the [+] next to SSH
- Click on Tunnels
- In Source Port type 5000
- In Destination type 127.0.0.1:1080
- Click the Add button
- Select Connection -> Data -> Auto-login name and add your cotse username.
- Select Sessions
- Click the Save button again.
- PuTTY is configured, now to launch it.
- Double click on Cotse SSH Tunnel and log in with your cotse username (all lower case) and your password (the password is case sensitive and will not echo; just type it and hit enter)
- Do not close the window (closing the window will terminate the tunnel!)
- PuTTY must always be started first.
This is obvious, but I'm going to say it anyway - if you close the PuTTY window you close the tunnel!
Now open CORE IMPACT Pro:
- Go to Tools/Options/Network and put a check mark in "Use a proxy server." The proxy address will be 127.0.0.1 on port 5000.
And… you're done.
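An added pre-flight check, not part of the original post or of CORE IMPACT Pro. The PuTTY tunnel configured above is the same thing as OpenSSH's `ssh -N -L 5000:127.0.0.1:1080 <cotse username>@<cotse server>`: the 127.0.0.1:1080 destination is resolved on the SSH server's side, where the provider runs its SOCKS proxy, so anything pointed at local port 5000 leaves through the provider. Because CORE IMPACT is only told "use a proxy at 127.0.0.1:5000", it is worth confirming before launching any module that the port is actually listening and answers as a SOCKS proxy; if the PuTTY window has been closed, nothing listens there. The script below performs the SOCKS5 greeting handshake (RFC 1928) against the forwarded port; it assumes the provider's proxy is SOCKS5 (the post only says "SOCKS"), the host and port defaults are the post's values, and the fake server at the end is a constructed stand-in so the check can be exercised offline.

```python
import socket
import threading

# Defaults taken from the post: PuTTY forwards local port 5000 to the
# provider's SOCKS server at 127.0.0.1:1080 on the remote side.
LOCAL_PROXY_HOST = "127.0.0.1"
LOCAL_PROXY_PORT = 5000

SOCKS5_VERSION = 0x05
NO_AUTH = 0x00
NO_ACCEPTABLE_METHODS = 0xFF


def socks5_greeting(methods=(NO_AUTH,)):
    """Build the SOCKS5 client greeting: VER, NMETHODS, METHODS (RFC 1928)."""
    return bytes([SOCKS5_VERSION, len(methods), *methods])


def parse_socks5_method_reply(reply):
    """Parse the two-byte server reply VER, METHOD.

    Returns the chosen method, or raises ValueError if whatever answered is
    not a SOCKS5 server (wrong version byte, short reply, or 0xFF = rejected).
    """
    if len(reply) != 2:
        raise ValueError(f"expected 2-byte method selection, got {reply!r}")
    ver, method = reply
    if ver != SOCKS5_VERSION:
        raise ValueError(f"not SOCKS5: version byte 0x{ver:02x}")
    if method == NO_ACCEPTABLE_METHODS:
        raise ValueError("SOCKS5 server rejected all offered auth methods")
    return method


def check_tunnel(host=LOCAL_PROXY_HOST, port=LOCAL_PROXY_PORT, timeout=3.0):
    """Return (ok, detail).

    ok is True only if something accepts a TCP connection on host:port AND
    answers the SOCKS5 greeting. A closed PuTTY window shows up here as a
    connection refusal instead of being discovered mid-test.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(socks5_greeting())
            reply = s.recv(2)
    except OSError as exc:
        return False, f"tunnel not reachable at {host}:{port}: {exc}"
    try:
        method = parse_socks5_method_reply(reply)
    except ValueError as exc:
        return False, str(exc)
    return True, f"SOCKS5 proxy reachable at {host}:{port}, auth method 0x{method:02x}"


def start_fake_socks5_server(method=NO_AUTH):
    """Constructed stand-in for the forwarded port, used only to exercise the
    check offline. It answers exactly one greeting with (VER, method) and
    then closes. Returns the ephemeral port it is listening on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            greeting = conn.recv(257)  # VER + NMETHODS + up to 255 methods
            if greeting[:1] == bytes([SOCKS5_VERSION]):
                conn.sendall(bytes([SOCKS5_VERSION, method]))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Run this after starting the PuTTY session and before opening CORE IMPACT.
    ok, detail = check_tunnel()
    print(("OK   " if ok else "FAIL ") + detail)
```

Run it once the PuTTY session is logged in; a FAIL line means CORE IMPACT's proxy setting points at a port that nothing is answering on, which is exactly the state you are in after accidentally closing the PuTTY window.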
I've yet to run a full penetration test with the proxy set, but I know the Network Information Gathering portion works.
-Steve Shead, Information Security Officer and Director of IT