Parsia's Den

Because no one wants to be the other guy from Wham!

Oct 7, 2017 - 2 minute read - Comments - Thick Client Proxying .NET Framework

Thick Client Proxying - Part 7 - Proxying .NET Applications via Config File

.NET applications use a configuration file to read some settings. It’s an XML file named applicationName.exe.config.

They usually use WinINET or IE proxy settings. Sometimes they do not. We can either use an application specific config file or use one for the whole .NET framework.

Look inside the decompiled code (or just grep the binary files) for references to System.Configuration MSDN-page. Applications use ConfigurationManager and WebConfigurationManager classes to access these settings.

Application specific config file.

Add these settings (configuration is already present in existing config files):

<configuration> 
  <system.net>  
    <defaultProxy
      enabled = "true" [true|false]
      useDefaultCredentials = "false" [true|false]
      >
      <bypasslist>
          <add
            address = "" [String, Required, Collection Key]
          />
      </bypasslist>

      <module
          type = "" [String]
      />
      <proxy
        autoDetect = "Unspecified" [False | True | Unspecified]
        scriptLocation = ""
        bypassonlocal = "Unspecified" [False | True | Unspecified]    // whitelist
        proxyaddress = ""                                             // proxy address
        usesystemdefault = "Unspecified" [False | True | Unspecified] // IE proxy settings
      />
    </defaultProxy>
  </system.net>  
</configuration>  

Note usesystemdefault and proxyaddress are mutually exclusive. I think you can have both but I am not sure about the behavior.

For example:

<configuration> 
  <system.net>  
    <defaultProxy>  
      <proxy  
        proxyaddress="http://127.0.0.1:8080"
        bypassonlocal="true"  
      />  
      <bypasslist>  
        <add address="[a-z]+\.contoso\.com" />  
      </bypasslist>  
    </defaultProxy>  
  </system.net>  
</configuration>  
  • Keep http:// in proxy address even if you are using an HTTPS proxy like Burp, it will proxy TLS.
  • If IE proxy settings are not working then usesystemdefault is useless for you as it does the same thing. For Windows services it will not work because proxy settings are per-user by default and different for the account running the service.

Use tools like Process Monitor to detect if the application is looking for this or any other configuration files.

.NET Framework Machine Configuration File

We can use a similar config file for the entire machine. Meaning any application running via that .NET framework will use those settings (honoring them is another matter but standard libraries usually do).

Location is %WINDIR%\Microsoft.NET\Framework|Framework64\[version]\Config\machine.config.

Important note: You need to change the config for both 32 and 64-bit frameworks (Framework|Framework64) and each version (e.g. 2, 3 or 4) separately.

For example for 64-bit .NET Framework 4.x (anything 4.x is under 4): - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config

To learn more about the config file (which is really recommended) see file machine.config.comments in the same location. It has comments and examples. Read those.