Our Blog


Reading time ~1 min

I was recently playing with a Wingate Proxy server, came across some arbitrary interestingness.

So, WinGate proxy includes a remote management agent which is accessed via a client utility called GateKeeper.  This allows one to configure the WinGate server across the network.  However, its not enabled to listen on the network by default, and only listens on  From my perusal of the documentation, the remote administrative facility should only be available to enterprise and professional license holders, and those firms using standard edition licenses will have to configure their proxy software locally.

In any case, WinGate proxy supports using CONNECT methods to negotiate connections for SSL-based web-sites etc, but no access control is in place to prevent users using this method to connect to  This, along with some python-fu, makes it a trivial task to access the remote administration service across the network.  This is illustrated in the following images.

Tunnelling with Monsoen - Connected to GateKeeper
Tunnelling with MonSoen - Connected to GateKeeper

Naturally, after knocking together a little proxy tunnel script, I remembered an idea Gareth had a number of years ago for scanning networks and port ranges via badly configured proxies, and decided to incorporate them into the original tunnel script.  An example is illustrated in the following image…

Scanning with MonSoen
Scanning with MonSoen

So, enter MonSoen.py.  A cute (and probably entirely unnecessary) python-based script for tunnelling connections through proxy servers, scanning networks using GET or CONNECT and otherwise being miserable to others (nods at Gareth).

It’s going to need the python netaddr module.  MonSoen is available from http://www.sensepost.com/research_misc.html