So i have this gut feeling that my web activity at workis being monitored . Just googled it and nothing helpful came up or perhaps it did and i just dont really know what im looking for .
Is there any way i can find out?
Any help would be appreciated.
Thanks
Recording website activity
Forum rules
Older HTS users: Be nice to the new people.
NEW USERS: This is NOT the place to post about missions! Refer to "Missions" category.
Older HTS users: Be nice to the new people.
NEW USERS: This is NOT the place to post about missions! Refer to "Missions" category.
5 posts • Page 1 of 1
Recording website activity
by hoxtonspecial on Sat Feb 02, 2013 9:59 am
([msg=73236]see Recording website activity[/msg])
- hoxtonspecial
- New User
- Posts: 9
- Joined: Mon Jan 28, 2013 7:50 am
- Blog: View Blog (0)
Re: Recording website activity
by limdis on Sat Feb 02, 2013 10:38 am
([msg=73238]see Re: Recording website activity[/msg])
This is going to be very basic because I want you to be able to understand generally how this works.
You should always assume that you are being monitored at work. Most times though it's just internet and mail traffic because it's easier and less stressful on the network. In order for this to be possible the traffic within the network has to be unencrypted, and is usually encrypted when you attempt to access anything outside the network (like google.com) through a forward proxy. Where your monitoring comes into play is when a transparent proxy is being used; which often acts as, or with, the router. Anything internal comes to the router, is reviewed, and is sent to it's destination.
So basically here is what happens:
You -> request connect google.com -> (switch if present ->) router -> proxy -> ISP -> internet -> google.com
@router - log created
@proxy - Check allow list (block/allow)
Now the proxy processes might all be lumped into the same location (such as the router) and works nearly simultaneously.
The very first thing you want to check is if you can use HTTPS. If you can, you can get around the proxy filter that might have black listed any websites. This is because your requests are no longer in plain text and do not tick anything listed on the blacklist. Logs created of this information will show gibberish. However, if the admin is at all competent this will be blocked. This can be done two ways; proxy denies any encrypted traffic internally from the network, or enabling https is blocked on your local machine. That is something you will want to check for. If it is local, there is a very good chance that your local machine is not being monitored at all times, and allows you to pentest a little bit without having to worry about getting fired immediately.
I'll stop here and let you ask any questions and others to comment before moving on. I don't want to overwhelm you as this can break into a very large discussion topic.
You should always assume that you are being monitored at work. Most times though it's just internet and mail traffic because it's easier and less stressful on the network. In order for this to be possible the traffic within the network has to be unencrypted, and is usually encrypted when you attempt to access anything outside the network (like google.com) through a forward proxy. Where your monitoring comes into play is when a transparent proxy is being used; which often acts as, or with, the router. Anything internal comes to the router, is reviewed, and is sent to it's destination.
So basically here is what happens:
You -> request connect google.com -> (switch if present ->) router -> proxy -> ISP -> internet -> google.com
@router - log created
@proxy - Check allow list (block/allow)
Now the proxy processes might all be lumped into the same location (such as the router) and works nearly simultaneously.
The very first thing you want to check is if you can use HTTPS. If you can, you can get around the proxy filter that might have black listed any websites. This is because your requests are no longer in plain text and do not tick anything listed on the blacklist. Logs created of this information will show gibberish. However, if the admin is at all competent this will be blocked. This can be done two ways; proxy denies any encrypted traffic internally from the network, or enabling https is blocked on your local machine. That is something you will want to check for. If it is local, there is a very good chance that your local machine is not being monitored at all times, and allows you to pentest a little bit without having to worry about getting fired immediately.
I'll stop here and let you ask any questions and others to comment before moving on. I don't want to overwhelm you as this can break into a very large discussion topic.
"The quieter you become, the more you are able to hear..."
"Drink all the booze, hack all the things."
"Drink all the booze, hack all the things."
-
limdis - Moderator
- Posts: 1652
- Joined: Mon Jun 28, 2010 5:45 pm
- Blog: View Blog (0)
Re: Recording website activity
by weekend hacker on Sat Feb 02, 2013 11:11 am
([msg=73242]see Re: Recording website activity[/msg])
Another efficient way to monitor workers is also intercept all https. So its you->secure->proxy and then proxy->secure->website. The downside is of course that the connection will be signed with an invalid certificate. But the sys admin could add that cert to your browser so you wouldn't even notice if you didn't check it. Its a far better solution than to not allow secure connections.
So try https, and check the certificate that's being issued.
So try https, and check the certificate that's being issued.
<Yoda> if someone says something i don't like, i ban him, ban whoever defends him, and then ban the witnesses...
-
weekend hacker - Administrator
- Posts: 192
- Joined: Sun Apr 13, 2008 2:39 pm
- Location: 127.0.0.1
- Blog: View Blog (0)
Re: Recording website activity
by limdis on Sat Feb 02, 2013 11:16 am
([msg=73243]see Re: Recording website activity[/msg])
weekend hacker wrote:Another efficient way to monitor workers is also intercept all https. So its you->secure->proxy and then proxy->secure->website. The downside is of course that the connection will be signed with an invalid certificate. But the sys admin could add that cert to your browser so you wouldn't even notice if you didn't check it. Its a far better solution than to not allow secure connections
I've encountered this before. It's frustrating and slows things way down.
"The quieter you become, the more you are able to hear..."
"Drink all the booze, hack all the things."
"Drink all the booze, hack all the things."
-
limdis - Moderator
- Posts: 1652
- Joined: Mon Jun 28, 2010 5:45 pm
- Blog: View Blog (0)
Re: Recording website activity
by hoxtonspecial on Sat Feb 02, 2013 11:17 am
([msg=73244]see Re: Recording website activity[/msg])
That's amazingly clear thankyou.
Youre right i have plenty of questions, but in going to go read about proxies first!
Thanks again.
-- Mon Feb 04, 2013 6:29 pm --
Ok so have read all about proxies and how they can be used to as filters for the internet.
I suppose my questions are:
1) How can you check for proxies
2) I read a fascinating article on proxy chaining but it mentioned that and IP can still be found even if you are behind multiple proxys, how is this possible?
thanks.
Youre right i have plenty of questions, but in going to go read about proxies first!
Thanks again.
-- Mon Feb 04, 2013 6:29 pm --
Ok so have read all about proxies and how they can be used to as filters for the internet.
I suppose my questions are:
1) How can you check for proxies
2) I read a fascinating article on proxy chaining but it mentioned that and IP can still be found even if you are behind multiple proxys, how is this possible?
thanks.
- hoxtonspecial
- New User
- Posts: 9
- Joined: Mon Jan 28, 2013 7:50 am
- Blog: View Blog (0)
5 posts • Page 1 of 1
Who is online
Users browsing this forum: No registered users and 0 guests