This post points out a few browser headers that leak information which can be used for malicious purposes, goes into a little more detail on each, and gives some pointers on what you can do to protect yourself. Sort of.
First, let's take a look at the headers which are the most useful for an attacker.
They are:
HTTP_USER_AGENT
REMOTE_ADDR
HTTP_VIA
HTTP_X_FORWARDED_FOR
HTTP_USER_AGENT – This gives information about the OS and web browser the end user is using. This can be useful when trying to passively identify a target, as well as to pinpoint an attack vector (a browser-based attack) if the browser the user is running is outdated.
REMOTE_ADDR – This gives the IP address of the machine connecting to the website. This is collected server side and the client cannot change it*
HTTP_VIA – This gives up information about whether a user is behind a proxy and, if so, what proxy software and version they're using.
HTTP_X_FORWARDED_FOR – This reveals the actual IP address of the end user when they connect to your site via a proxy.
* The only way to modify REMOTE_ADDR would be via spoofing. The connection would be simplex, so only the client's packets would be transferred; the client would never receive the response. This would be done using TCP sequence prediction, which is much more difficult today than it once was. I have not seen or heard of a successful TCP sequence prediction spoofing attack in a very, very long time.
So, the only one that can't (easily) be changed is REMOTE_ADDR; the rest are controlled from within the browser and/or proxy. We'll start with the user agent.
Depending on your web browser, there are many different ways to change the user agent. We’ll start with Firefox, because that’s the easiest.
In the address bar of Firefox, type
about:config
In the “Filter” box, type:
useragent
Rather than changing the whole string at once, you have to modify each individual part of the string. If you want to see what your current user agent header looks like, go here.
Alternatively, if you don't feel like doing it by hand and want a few more features (like the ability to mimic a different browser entirely), Firefox has a plugin called "User Agent Switcher". I haven't played with it, but it appears pretty straightforward and simple.
Next, we’ll change the user agent of Chrome. (ps – if you’re not using Chrome, you should be.. for a multitude of reasons – faster, lighter, more secure. ’nuff said)
Changing the user agent is pretty simple in Chrome. There's a "--user-agent" startup switch. So, for example:
google-chrome --user-agent="Chrome is the best!"
Will result in:
HTTP_USER_AGENT:Chrome is the best!
There are quite a few command line switches for Chrome; you can find some of them here. I did notice, though, that they don't list "useragent" as being a command line switch. Not sure why. Also, you may want to check out the "--incognito" switch and, if you're daring and prefer security over ease of use, add that as one of your default startup options. I do.
Ok, on to.. ahem.. Internet Explorer. Does anyone even really run this pile of crap anymore? I mean, how many times will you have to rid yourself of spyware, malware, viruses, etc. before you’ll decide that it’s easier to run a different browser than it is to reinstall Windows every 3 days?
Anyway, for those of you who, for whatever reason, still choose to run IE, here's how you change its user agent. Though, I'm surprised you're even interested, because security OBVIOUSLY isn't of much concern to you. (Sorry, I really hate Windows, and by combining Windows & IE my hatred grows rapidly. Get used to being flamed in my posts if you're running IE.)
Go here. He has a good write-up on the topic.
CAVEAT: A lot of websites rely on the user agent string to format their pages correctly. If you change your user agent string to something random (like "Chrome is the best!", for example) you will break pages, and some sites won't even let you visit them.
The next two, HTTP_VIA and HTTP_X_FORWARDED_FOR will need to be changed at the proxy level, since these are headers added by a proxy. Here’s a good example of why you’ll want to make sure you’re using a proxy that doesn’t send this information:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; Media Center PC 6.0; InfoPath.2; MS-RTC LM
IP Address : 187.60.253.30
Reverse DNS : 187.60.253.30
Reverse DNS IP : 187.60.253.30
Reverse DNS Authenticity : [Possibly Forged]
Proxy Info : PROXY DETECTED
Proxy Data : 187.60.253.30 | MASKED IP: 78.88.168.38
Proxy Status : TRUE
HTTP_VIA : 1.1 187.60.253.30 (Mikrotik HttpProxy)
HTTP_X_FORWARDED_FOR : 78.88.168.38
This is someone who tried to leave comment spam. Because he's an idiot, he's using a proxy that passes on the HTTP_X_FORWARDED_FOR and HTTP_VIA headers, giving me information about the proxy as well as revealing his real IP address. So, he shouldn't even bother using a proxy if he's attempting to surf anonymously.
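Here is the server-side check behind a report like the one above, written as an added example for this post (it is not the tool that produced the output shown, and the header values are constructed from the excerpt). It takes the CGI-style variables a web application sees, splits Via into its hops per RFC 2616, pulls the originating client out of X-Forwarded-For, and flags a proxy whenever either header is present. The "unknown" value that Squid sends with forwarded_for off is treated as a proxy indicator that reveals no address.

```python
import ipaddress
import re

# Constructed sample: the header set a server would see for the proxied request
# quoted in the post above.
SAMPLE_PROXIED = {
    "REMOTE_ADDR": "187.60.253.30",
    "HTTP_USER_AGENT": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)",
    "HTTP_VIA": "1.1 187.60.253.30 (Mikrotik HttpProxy)",
    "HTTP_X_FORWARDED_FOR": "78.88.168.38",
}

# Constructed sample: a direct connection with no proxy headers at all.
SAMPLE_DIRECT = {
    "REMOTE_ADDR": "203.0.113.9",
    "HTTP_USER_AGENT": "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6",
}

# Constructed sample: a proxy configured with Squid's "forwarded_for off".
SAMPLE_SQUID_OFF = {
    "REMOTE_ADDR": "198.51.100.7",
    "HTTP_X_FORWARDED_FOR": "unknown",
}

# One Via hop: [protocol/]version received-by [(comment)]  (RFC 2616 section 14.45)
VIA_HOP = re.compile(
    r"^(?:(?P<proto>[A-Za-z]+)/)?(?P<version>[\d.]+)\s+(?P<by>\S+)"
    r"(?:\s+\((?P<comment>[^)]*)\))?$"
)


def parse_via(value):
    """Split a Via header into one dict per proxy hop, in the order traversed."""
    hops = []
    for part in value.split(","):
        m = VIA_HOP.match(part.strip())
        if m is None:
            hops.append({"raw": part.strip()})   # keep unparseable hops visible
            continue
        hops.append({
            "version": m.group("version"),
            "received_by": m.group("by"),
            "comment": m.group("comment"),      # proxy software, if the proxy says
        })
    return hops


def parse_forwarded_for(value):
    """Return the syntactically valid IPs in X-Forwarded-For; leftmost is the originating client."""
    ips = []
    for token in value.split(","):
        token = token.strip()
        try:
            ips.append(str(ipaddress.ip_address(token)))
        except ValueError:
            pass                                # "unknown" or garbage: skip, but the header still exists
    return ips


def analyze(env):
    """Build a small proxy report from CGI-style request variables."""
    remote = env.get("REMOTE_ADDR")
    report = {
        "remote_addr": remote,
        "proxy_detected": False,
        "proxy_software": None,
        "masked_ip": None,
        "hops": [],
    }
    via = env.get("HTTP_VIA")
    if via:
        report["proxy_detected"] = True
        report["hops"] = parse_via(via)
        report["proxy_software"] = report["hops"][-1].get("comment")
    xff = env.get("HTTP_X_FORWARDED_FOR")
    if xff:
        report["proxy_detected"] = True
        ips = parse_forwarded_for(xff)
        # Only report a masked address when it differs from the connecting peer.
        if ips and ips[0] != remote:
            report["masked_ip"] = ips[0]
    return report


if __name__ == "__main__":
    for name, env in (("proxied", SAMPLE_PROXIED), ("direct", SAMPLE_DIRECT), ("squid-off", SAMPLE_SQUID_OFF)):
        print(name, analyze(env))
```

The report only trusts REMOTE_ADDR; Via and X-Forwarded-For are informational, since anyone can send arbitrary values for them, so use them for logging and spam scoring rather than for access control.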
There are about a billion different proxy server software suites out there and each will need to be configured differently. Here, I will focus on the only one that I use (for many reasons), which runs on both *NIX and Winblows. Though, running a proxy server on a Windows box seems... hm. Strange? Can't think of a nice way to write what it is that I'm thinking, so we'll just say that it's not something that I would advise. How about that for being politically correct?
Anyway, Squid has an enormous amount of configuration options. Take a few hours and read through the squid.conf file to see what I mean. But, for the sake of this post, we’re really only interested in two options.
# TAG: via on|off
# If set (default), Squid will include a Via header in requests and
# replies as required by RFC2616.
#
via off
Yes, by setting this to “off” you’re breaking RFC2616 compliance, but.. sometimes the RFC is wrong. (I’m starting to sound like Microsoft…..)
The other Squid option that you want to configure is:
# TAG: forwarded_for on|off
# If set, Squid will include your system’s IP address or name
# in the HTTP requests it forwards. By default it looks like
# this:
#
# X-Forwarded-For: 192.1.2.3
#
# If you disable this, it will appear as
#
# X-Forwarded-For: unknown
#
#Default:
forwarded_for off
Again, make sure to set it to “off”, because the default is “on”.
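Because the leaking state is the default, it is easy to believe a squid.conf is fixed when the directive is only present in a comment. The following added example (not part of the post and not a Squid tool) reads a squid.conf, ignores comments, applies Squid's default of "on" when a directive is absent, and lists which of the two directives still leaks. The two sample configs are constructed; the "transparent" value is listed as leaking on the assumption that newer Squid releases accept it and that it passes the real client address through.

```python
# Constructed sample: both directives left at their (commented-out) defaults,
# which is the leaking state described in the post.
SQUID_CONF_DEFAULT = """\
http_port 3128
# TAG: via on|off
#via on
# TAG: forwarded_for on|off
#forwarded_for on
cache_dir ufs /var/spool/squid 100 16 256
"""

# Constructed sample: the same file after the two changes from the post.
SQUID_CONF_HARDENED = """\
http_port 3128
via off
forwarded_for off
cache_dir ufs /var/spool/squid 100 16 256
"""

# Squid's built-in defaults when the directive does not appear in the file.
DEFAULTS = {"via": "on", "forwarded_for": "on"}

# Values that still expose the client. Assumption: "transparent" (newer Squid)
# forwards the real client IP unchanged; "off" sends "unknown" instead.
LEAKING = {"via": {"on"}, "forwarded_for": {"on", "transparent"}}


def effective_settings(conf_text):
    """Return the effective value of each privacy directive.

    Comment-only lines are ignored, the last real occurrence wins, and the
    Squid default is used for anything not set.
    """
    settings = dict(DEFAULTS)
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if parts[0] in DEFAULTS and len(parts) >= 2:
            settings[parts[0]] = parts[1].lower()
    return settings


def leaking_directives(conf_text):
    """Names of directives whose effective value still reveals the client."""
    settings = effective_settings(conf_text)
    return sorted(name for name, value in settings.items() if value in LEAKING[name])


def check_file(path):
    """Read a squid.conf from disk and report the leaking directives."""
    with open(path, encoding="utf-8") as fh:
        return leaking_directives(fh.read())


if __name__ == "__main__":
    print("default :", leaking_directives(SQUID_CONF_DEFAULT))
    print("hardened:", leaking_directives(SQUID_CONF_HARDENED))
```

Run check_file("/etc/squid/squid.conf") after editing and expect an empty list; anything else means a directive is still at its default or was only changed inside a comment.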
A good site that I found that talks about configuring Squid’s privacy options is https://calomel.org/squid.html.
Also, if you have instructions on how to change these options in other proxies, feel free to write them up in the comments below.
Privoxy also has options to help hide whether you're behind a proxy or not; off the top of my head there's a change-x-forwarded-for to deal with the HTTP_X_FORWARDED_FOR header. Can't remember if HTTP_VIA is sent by Privoxy, but if it is, it has to have a similar option; if not, there's an add-header option that lets you set arbitrary headers, including "HTTP_VIA: None your business".
@netalien: Good point. I should have maybe discussed Privoxy. I use it in conjunction with Squid so I guess I overlooked the fact that it is, itself, a full blown proxy.
And I was just thinking about asking you to discuss the use of proxies, haha. Great stuff as usual, and lol'd at work reading your Windows comments. I do have suggestions for other posts if you'd like to consider them. I was wondering if you could discuss the usage of proxies through penetration testing, any benefits to IDS evasion, or will they most likely be on a block list, etc. Particularly, have you used one with nmap before with the -g switch for which port you're sending it through? Take care.
Actually just found this using proxychains: http://www.commondork.com/2009/06/26/tunneling-nmap-through-tor/ . Can't test till I get home tonight. Thoughts?
@Erik: My first thought is... Tor won't route data to certain ports (port 25, for example) to prevent spammers from using Tor to hide themselves. As usual, I could be wrong, but... I'm interested in how this actually works. I will have to play with it as well before I make any solid conclusions. There are a lot of smart people out there writing a lot of smart stuff, so it's entirely possible that this works great. Let me know what you find and I'll do the same.
@Erik: Talking about NIDS and evasion is on my list.. but PLEASE submit any ideas that you have for topics that people might find interesting. I’m kind of suffering from writers block at the moment, so any ideas that you can provide would be greatly appreciated.
As far as using proxies during a pentest... depends. I usually use Tor when I'm following a link from an email (or that someone posts here) to hide myself, and the same goes for when I'm using google-fu, SQL injections, or digging through a company's website. If I want to do a portscan, I'll usually use Tor and go to one of the many websites that provide portscanning tools.
The biggest problem with trying to hide a portscan is that it really limits the functionality of your scan, which makes it difficult to determine firewall rules and whatnot. If I’m doing an actual penetration test, however, I’m not worried about getting caught so much, so I don’t hinder myself by trying to be anonymous unless the client is specifically interested in seeing how well their detection mechanisms work, then I go the extra mile to try to hide myself and not trip NIDS.
[...] that the proxy that you’re using is properly configured, as mentioned in my post “Browser Headers and Information Leaks” You don’t want to spend all this time searching for a proxy, spoofing your mac, [...]
I wanna know how I fix my Facebook.