Hacktricks-skills squid-pentest
Pentest Squid HTTP proxy on port 3128. Use this skill whenever you discover a Squid proxy service, need to enumerate proxy capabilities, pivot through a proxy to scan internal networks, or configure proxychains for HTTP interaction. Trigger on mentions of Squid, HTTP proxy, port 3128, proxy pivoting, or internal network scanning through proxies.
git clone https://github.com/abelrguezr/hacktricks-skills
skills/network-services-pentesting/3128-pentesting-squid/SKILL.MD
Squid Proxy Pentesting
A skill for testing and exploiting Squid HTTP proxy services (default port 3128) during penetration testing engagements.
What this skill does
This skill helps you:
- Enumerate Squid proxy capabilities and configuration
- Test proxy authentication and access controls
- Pivot through Squid to scan internal networks
- Configure proxychains for transparent HTTP interaction
- Chain browser/Burp tools through Squid for interception
When to use this skill
Use this skill when:
- You discover a Squid proxy service (port 3128/tcp, http-proxy)
- You need to test proxy authentication or access controls
- You want to scan internal networks through a discovered proxy
- You need to configure proxychains for HTTP proxy interaction
- You're pivoting through a proxy to reach internal services
Quick Start
1. Basic Proxy Enumeration
Test if the proxy is accessible and check for authentication:
    # Test proxy connectivity
    curl --proxy http://TARGET_IP:3128 http://TARGET_IP
    # Check proxy banner
    curl -v --proxy http://TARGET_IP:3128 http://example.com 2>&1 | head -20
If authentication is required, you'll see a 407 Proxy Authentication Required response.
2. Scan Internal Networks Through Proxy
Use the bundled SPOSE scanner to enumerate ports reachable from the proxy:
    # Scan all TCP ports through Squid
    ./scripts/squid-pivot-scan.sh TARGET_IP
    # Or with uv (if available)
    uv run spose.py --proxy http://TARGET_IP:3128 --target localhost --allports
3. Configure Proxychains
Set up proxychains for transparent HTTP interaction:
    # Configure proxychains with Squid
    ./scripts/configure-proxychains.sh TARGET_IP 3128
    # Test with curl
    proxychains curl http://127.0.0.1:9191 -v
    # Scan internal hosts
    proxychains nmap -sT -n -p- localhost
4. Chain Browser/Burp Through Squid
Configure Burp Suite to route through Squid:
- Open Burp → Proxy → Settings → Network → Connections → Upstream proxy servers
- Add: http://TARGET_IP:3128
- Requests will flow: Browser → Burp → Squid → Internal Target
This enables interception of services bound to 127.0.0.1 or internal networks.
Detailed Techniques
Proxy Authentication Testing
If the proxy requires authentication:
    # Test with credentials
    curl --proxy http://user:pass@TARGET_IP:3128 http://TARGET_IP
    # Try common credentials (if authorized)
    for user in admin root guest; do
      for pass in admin password 123456; do
        # Compare the HTTP status code; grepping the response body for "200" gives false matches
        code=$(curl -s -o /dev/null -w '%{http_code}' --proxy "http://$user:$pass@TARGET_IP:3128" http://TARGET_IP)
        [ "$code" = "200" ] && echo "Found: $user:$pass"
      done
    done
Nmap Through Proxy
Scan internal networks using proxychains:
    # Configure proxychains (see script above)
    # Then scan
    proxychains nmap -sT -n -p- 127.0.0.1
    proxychains nmap -sT -n -p- 10.0.0.0/24
SPOSE Scanner
SPOSE (Squid Pivoting Open Port Scanner) is optimized for proxy pivoting:
    # Basic scan
    python spose.py --proxy http://TARGET_IP:3128 --target TARGET_IP
    # Scan all ports
    python spose.py --proxy http://TARGET_IP:3128 --target localhost --allports
    # With uv package manager
    uv add --script spose.py -r requirements.txt
    uv run spose.py --proxy http://TARGET_IP:3128 --target localhost --allports
Common Squid Configurations
Open Proxy (No Auth)
    # Will return 200 OK or redirect
    curl --proxy http://TARGET_IP:3128 http://example.com
Authenticated Proxy
    # Returns 407 Proxy Authentication Required
    curl -v --proxy http://TARGET_IP:3128 http://example.com
ACL-Restricted Proxy
May allow only specific destinations or methods. Test with:
    # Test different methods
    # An https:// URL makes curl send "CONNECT example.com:443" to the proxy
    curl -v --proxy http://TARGET_IP:3128 https://example.com
    curl -X GET --proxy http://TARGET_IP:3128 http://example.com
Security Considerations
- Authorization: Only test proxies you have permission to assess
- Rate limiting: Be mindful of scan rates to avoid triggering alerts
- Logging: Proxy access is typically logged; document your testing
- Legal: Ensure you have written authorization before pivoting through proxies
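Because proxy access is logged, the pivot scans described above are visible to whoever reviews Squid's access.log: one client requesting many different ports on a loopback or private destination. The following is an added example, not one of this skill's bundled scripts; it assumes Squid's native log layout, the sample lines are constructed, and the function names and the `min_ports` threshold are illustrative.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1700000000.101 3 10.10.14.7 TCP_MISS/503 3900 GET http://localhost:21/ - HIER_NONE/- text/html
1700000000.152 2 10.10.14.7 TCP_MISS/200 120 GET http://localhost:22/ - HIER_DIRECT/127.0.0.1 -
1700000000.203 4 10.10.14.7 TCP_MISS/200 890 GET http://localhost/ - HIER_DIRECT/127.0.0.1 text/html
1700000000.254 2 10.10.14.7 TCP_MISS/503 3900 GET http://localhost:3306/ - HIER_NONE/- text/html
1700000000.305 6 10.10.14.7 TCP_TUNNEL/200 39 CONNECT localhost:8443 - HIER_DIRECT/127.0.0.1 -
1700000042.400 910 192.168.1.20 TCP_TUNNEL/200 5120 CONNECT example.com:443 - HIER_DIRECT/example.com -
1700000050.770 12 192.168.1.20 TCP_MISS/200 4410 GET http://10.0.0.5/app - HIER_DIRECT/10.0.0.5 text/html
"""

def dest_of(method, url):
    """Return (host, port); CONNECT is logged as 'host:port', other methods as a full URL."""
    if method == "CONNECT":
        host, _, port = url.rpartition(":")
        return host.strip("[]"), int(port)
    parts = urlsplit(url)
    return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)

def is_internal(host):
    """True for 'localhost' and for loopback, private or link-local IP literals."""
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # other hostnames would need DNS resolution; out of scope here
    return ip.is_loopback or ip.is_private or ip.is_link_local

def find_pivot_scans(log_text, min_ports=4):
    """Map (client, internal host) -> sorted ports, where at least min_ports were requested."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, method, url = fields[2], fields[5], fields[6]
        try:
            host, port = dest_of(method, url)
        except ValueError:
            continue  # malformed port or URL in the log line
        if host and is_internal(host):
            ports[(client, host)].add(port)
    return {key: sorted(p) for key, p in ports.items() if len(p) >= min_ports}
```

On the sample, only 10.10.14.7 is reported; the client that reached a single port on 10.0.0.5 stays below the threshold.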
References
Bundled Scripts
- scripts/squid-enumerate.sh: Basic proxy enumeration and testing
- scripts/squid-pivot-scan.sh: SPOSE-based internal network scanning
- scripts/configure-proxychains.sh: Proxychains configuration helper