ProxyPoker is an easy way to enumerate accessible endpoints through a proxy. While proxies have evolved in the last couple of years, it is still common to find misconfigured servers that allow users to reach unwanted content, be it domain-fronting domains, malicious domains or domains that allow large sets of data to leak out. ProxyPoker quickly evaluates whether many of these dangerous domains are currently accessible or not, allowing for an automated and customizable proxy audit.
ProxyPoker is pretty simple: you provide a list of domains (I personally recommend using my Python script to create that list through Google's API) and it tests all of them, grouping the results by a key of your choice (also provided in the input file).
Let's say you're using a list generated by the script I mentioned above to audit your environment's proxy, looking for public cloud providers accessible by your users. The input file should look like this:
Azure Websites,https://intermetro3.azurewebsites.net/,,
Azure Websites,http://webpublicprod.azurewebsites.net/,,
Azure Websites,https://givonline.azurewebsites.net/,,
Google Cloud Apps,https://jalanow.appspot.com/,,
Google Cloud Apps,https://archchinese.appspot.com/,,
Google Cloud Apps,https://inkpadnotepad.appspot.com/,,
AWS CloudFront,http://d3mxyxf0bq4cfh.cloudfront.net/,,
AWS CloudFront,https://djula6mv98a5.cloudfront.net/,,
AWS CloudFront,http://dd0jh6c2fb2ci.cloudfront.net/,,
After compiling ProxyPoker, all you have to do is run it with the -i parameter pointing to the input file:
ProxyPoke.exe -i publicCloudAudit.csv
[1/3] Azure Websites
[0/3] Google Cloud Apps
[0/3] AWS CloudFront
[+] We're done here, request details have been written to output.txt.
ProxyPoker's console output allows operators to quickly understand possible problems with specific groups of domains. In the results above, it seems we are safe against Google Cloud Apps and AWS CloudFront, as ProxyPoker wasn't able to establish a successful connection to any of the received domains for those keys. Azure Websites, on the other hand, was accessible on one of the three received domains. To understand those macro results, let's take a look at the output.txt file generated by ProxyPoker:
[500] https://givonline.azurewebsites.net/
[200] http://webpublicprod.azurewebsites.net/
[500] https://intermetro3.azurewebsites.net/
[500] https://inkpadnotepad.appspot.com/
[999] https://jalanow.appspot.com/
[500] https://archchinese.appspot.com/
[500] http://dd0jh6c2fb2ci.cloudfront.net/
[999] http://d3mxyxf0bq4cfh.cloudfront.net/
[500] https://djula6mv98a5.cloudfront.net/
Just taking a quick look at the output, we can see most of the requested domains returned a 500 status code, with some even returning a 999 status code - a custom code for requests that raised an exception, such as a timeout or a connection closed by the server itself. But amongst the Azure Websites domains, one returned 200, meaning it's currently accessible.
The scenario above is merely an example; feel free to adjust the input list to any of your organization's needs, be it to figure out whether your proxy would let your users click malicious links or to perform complete enumerations as shown above.
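As an added illustration (not ProxyPoker's own code), here is the audit flow described above re-created in Python: parse the key,url,, input, probe each URL through a proxy, map exceptions to the custom 999 code and summarise accessible domains per key. The sample input, the .invalid hosts and the proxy address in the comment are constructed placeholders.

```python
import csv
import urllib.error
import urllib.request

EXCEPTION_CODE = 999  # ProxyPoker's custom code for timeouts / closed connections
SAMPLE_INPUT = (  # constructed sample in the page's "key,url,," format; hosts are placeholders
    "Azure Websites,https://site-a.example.invalid/,,\n"
    "Azure Websites,http://site-b.example.invalid/,,\n"
    "Google Cloud Apps,https://app-c.example.invalid/,,\n"
)

def load_targets(text):
    """Parse 'key,url,,' lines into (key, url) pairs; short or blank rows are skipped."""
    targets = []
    for row in csv.reader(text.splitlines()):
        if len(row) >= 2 and row[0].strip() and row[1].strip():
            targets.append((row[0].strip(), row[1].strip()))
    return targets

def http_probe(url, proxy=None, timeout=5):
    """Fetch url (via proxy if given); HTTP errors keep their code, any other exception -> 999."""
    handlers = [urllib.request.ProxyHandler({"http": proxy, "https": proxy})] if proxy else []
    opener = urllib.request.build_opener(*handlers)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # e.g. a 500 handed back by a blocking proxy
    except Exception:
        return EXCEPTION_CODE  # timeout, reset, DNS failure, refused connection

def audit(targets, probe):
    """Return (summary, details): key -> (accessible, total) in first-seen order, and [(status, url)]."""
    summary, details = {}, []
    for key, url in targets:
        status = probe(url)
        details.append((status, url))
        hits, total = summary.get(key, (0, 0))
        summary[key] = (hits + (status == 200), total + 1)  # only a 200 counts as accessible
    return summary, details

def render(summary, details):
    """Console-style '[hits/total] key' lines followed by '[status] url' lines."""
    lines = ["[%d/%d] %s" % (h, t, k) for k, (h, t) in summary.items()]
    return lines + ["[%d] %s" % (s, u) for s, u in details]

if __name__ == "__main__":  # pass e.g. proxy="http://proxy.corp.invalid:8080" to http_probe
    res = audit(load_targets(SAMPLE_INPUT), lambda u: http_probe(u, timeout=3))
    print("\n".join(render(*res)))
```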
Usage: ProxyPoke.exe [options]
Options:
-i, --input Input file path. The only required parameter.
-o, --output Output file path.
-p, --proxy Proxy address.
-v, --verbose Enable verbose logging, printing requests to the console in real time.
-e, --exception Enable exception logging, printing exceptions to the console in real time.