Squid - Port 3128

Basic info

Port 3128 is widely associated with Squid, a caching and forwarding HTTP web proxy. While it can improve performance and control web access, misconfigured instances can expose systems to security vulnerabilities. In this article, we’ll explore how to identify, assess, and safely exploit Squid proxies during a penetration test—strictly in authorized environments.

🔍 What is Squid Proxy?

Squid is an open-source proxy server that supports HTTP, HTTPS, FTP, and more. It is commonly used for:

  • Caching frequently accessed web content.

  • Filtering traffic (e.g., for parental controls or company policies).

  • Controlling internet usage via ACLs (Access Control Lists).

Squid typically listens on port 3128, though this can be configured.


Enumeration

Use tools like nmap to detect open port 3128 and identify the service:

nmap -sV -p 3128 --script http-proxy nmap_target

If Squid is detected, note its version.

PORT     STATE  SERVICE      VERSION
3128/tcp open   http-proxy   Squid http proxy 4.11

You can also connect to the port directly with netcat:

nc target_ip 3128

Once connected, type a request such as GET http://example.com HTTP/1.0 and check whether the proxy responds. A valid response indicates the proxy is open or misconfigured.


Checking for Open Proxy

Use curl to see if you can proxy through it:

curl -x http://target_ip:3128 http://example.com

If you get a successful response, the proxy is likely open.

Internal Network Access via Proxy

Try accessing internal IP ranges:

curl -x http://target_ip:3128 http://192.168.1.1

If successful, the proxy is leaking internal network data, which is a critical misconfiguration.

Using ProxyChains

Configure /etc/proxychains.conf to use the Squid proxy and run:

proxychains nmap -sT 192.168.1.0/24

This shows if the proxy can be abused to scan internal networks.


SPOSE Scanner

Alternatively, the Squid Pivoting Open Port Scanner (spose.py) can be used.

python spose.py --proxy http://10.10.11.131:3128 --target 10.10.11.131
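
The internal-access and port-scanning checks above leave a recognisable trail in the proxy's own access.log. The following is an added example, not code from the original page or from the SPOSE project, showing how a defender could flag that trail. It assumes Squid's default native log format; the log lines, the client addresses and the 5-port threshold are constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Ranges treated as internal (RFC 1918, loopback, link-local); adjust per site.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample: time elapsed client action/code bytes method URL user hierarchy/peer type
SAMPLE_LOG = "\n".join([
    "1700000001.101 12 203.0.113.7 TCP_MISS/200 5120 GET http://example.com/ - HIER_DIRECT/192.0.2.10 text/html",
    "1700000002.210 8 203.0.113.7 TCP_MISS/200 812 GET http://192.168.1.1/ - HIER_DIRECT/192.168.1.1 text/html",
    "1700000003.000 5 10.0.0.23 TCP_MISS/200 900 GET http://10.0.0.80/ - HIER_DIRECT/10.0.0.80 text/html",
] + [f"17000000{10 + i}.000 2 10.10.14.3 TCP_MISS/503 0 GET http://10.10.11.131:{p}/ - HIER_NONE/- -"
     for i, p in enumerate((21, 22, 80, 3306, 8080))])

def is_internal(host):
    try:
        return any(ipaddress.ip_address(host) in net for net in INTERNAL_NETS)
    except ValueError:      # hostname or missing value: cannot classify from the log
        return False

def parse_line(line):
    """Return (client, destination, port), or None for a malformed line."""
    f = line.split()
    if len(f) < 9:
        return None
    client, url, peer = f[2], f[6], f[8]
    parts = urlsplit(url if "://" in url else "//" + url)   # CONNECT logs host:port
    port = parts.port or (443 if parts.scheme == "https" else 80)
    peer_ip = peer.partition("/")[2]    # address Squid contacted, "-" if none
    return client, (peer_ip if peer_ip not in ("", "-") else parts.hostname), port

def analyze(log_text, port_threshold=5):
    """Flag port sweeps of internal hosts and outside clients reaching them."""
    seen = defaultdict(set)     # (client, internal destination) -> ports requested
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_internal(rec[1]):
            seen[(rec[0], rec[1])].add(rec[2])
    findings = []
    for (client, dest), ports in sorted(seen.items()):
        sweep = len(ports) >= port_threshold
        if sweep or not is_internal(client):
            findings.append((client, dest, "port-sweep" if sweep else "internal-access", sorted(ports)))
    return findings

if __name__ == "__main__":
    print(*analyze(SAMPLE_LOG), sep="\n")
```

An internal client fetching a single internal page is not reported, so ordinary intranet browsing through the proxy does not raise findings.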
