As mentioned in the previous chapter, the DNS protocol is the key to redirecting, intercepting and manipulating a target system's data stream on the IP (Internet Protocol) layer of the OSI (Open Systems Interconnection) model. But an attacker does not have to stop at controlling the stream on this lower layer: layers five to seven can also serve the same goals.

A well-known OSI layer seven protocol is HTTP (HyperText Transfer Protocol). It is not only implemented in browsers and web servers, as one might assume. Widespread applications such as mIRC, PuTTY and Skype, and even the layer seven protocol SIP, rely on the simplicity and popularity of the well-established HTTP. Besides using their own application protocols, they often offer to tunnel their data stream over an HTTP proxy server, usually to bypass restrictions or policies imposed by your employer, your ISP (Internet Service Provider) or your government.

We spend most of our time online surfing the web, checking our email, updating our profiles on our favourite social networks, buying things and paying our bills through our bank's web interface. When we are not using the browser, we call or chat with friends via VoIP phones and instant messengers, or we play poker and other online games. Many things we once did only in real life, in direct contact with other people, have now shifted to the virtual world. The days when people used the Internet for research only are definitely over, and with the advent of Web 2.0 all generations are welcomed with open arms. The masses have arrived and do their daily business on the Internet, even the critical tasks for which we ask for trust and confidentiality.

Given these circumstances, it does not take much to realise that when people use a program that can be configured to send sensitive data through a proxy server, this is exactly the point attackers will focus on. Once they have gained access to the target system, they only need to instruct the user's applications to use a different proxy server, one under their control, in order to intercept and read the victim's data stream.

Because of the widespread combination of Microsoft Windows as the operating system and Internet Explorer as the browser, these circumstances are quite convenient for attackers. Internet Explorer uses entries in the system registry to store and read the current HTTP proxy server. One either sets these values directly in the registry under

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer

or sets them within the Internet Explorer options dialog.

The second most popular web browser on the market is Mozilla Firefox. Firefox's settings are not saved in the Windows system registry. Instead they are scrambled inside data files somewhere below the “application data” directory (use the %APPDATA% environment variable to change to this directory).
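From the defender's side, the two locations just described (the ProxyEnable/ProxyServer registry values for Internet Explorer and the Firefox preference files) are exactly what a host check should compare against the proxy the organisation actually expects. The following Python audit is an added example, not code from the original article: it parses a constructed `reg export` dump of the Internet Settings key and a constructed Firefox prefs.js fragment and flags any enabled proxy missing from an assumed allow-list. The `network.proxy.*` pref names are assumed to be Firefox's real keys; all sample values are made up.

```python
import re

# Constructed sample: what `reg export "HKCU\...\Internet Settings"` writes
# (values are made up for this example).
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="192.0.2.10:8080"
'''

# Constructed sample fragment of a Firefox profile's prefs.js
# (type 1 = manual proxy configuration; values are made up).
PREFS_JS = '''user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "192.0.2.10");
user_pref("network.proxy.http_port", 8080);
'''

# Assumed corporate allow-list of legitimate proxies (host:port).
EXPECTED_PROXIES = {"proxy.corp.example:3128"}


def ie_proxy(reg_text):
    """Return (enabled, server) parsed from a .reg dump of the IE settings key."""
    enable = re.search(r'"ProxyEnable"=dword:([0-9a-fA-F]{8})', reg_text)
    server = re.search(r'"ProxyServer"="([^"]*)"', reg_text)
    enabled = bool(enable) and int(enable.group(1), 16) == 1
    return enabled, (server.group(1) if server else None)


def firefox_proxy(prefs_text):
    """Return (manual, host:port) parsed from user_pref() lines in prefs.js."""
    prefs = {}
    for m in re.finditer(r'user_pref\("([^"]+)",\s*(?:"([^"]*)"|(\d+))\);', prefs_text):
        prefs[m.group(1)] = m.group(2) if m.group(2) is not None else int(m.group(3))
    manual = prefs.get("network.proxy.type") == 1
    host = prefs.get("network.proxy.http")
    port = prefs.get("network.proxy.http_port")
    return manual, (f"{host}:{port}" if host else None)


def audit(reg_text, prefs_text, expected=EXPECTED_PROXIES):
    """List (application, proxy) pairs that are enabled but not on the allow-list."""
    findings = []
    for app, (enabled, server) in (("ie", ie_proxy(reg_text)),
                                   ("firefox", firefox_proxy(prefs_text))):
        if enabled and server and server not in expected:
            findings.append((app, server))
    return findings
```

Running `audit(REG_EXPORT, PREFS_JS)` on the constructed samples reports both applications, since neither points at the allow-listed proxy.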

Compared to the DNS reconfiguration attack, the proxy server reconfiguration needs a little more effort to implement: for each application the attacker has to make sure the proxy server is set and points to his own server. But once it is in place the result is exactly the same, and the attacker can access the data stream.
