Nmap Development mailing list archives

Re: general scanning engine - request for comments :)


From: Fyodor <fyodor () insecure org>
Date: Sat, 15 Jul 2006 15:12:53 -0700

On Wed, Jul 12, 2006 at 11:58:09PM -0700, doug () hcsw org wrote:

> Just in case some people thinking about the system think that chaining
> proxies is only useful for the ultra paranoid, consider situations like
> the following:

I agree completely.

> An extremely handy chaining type would be SSH. I'm not sure exactly
> how to implement this. If you assume every box has nc on it,
> it could be easy. Otherwise, you could possibly use an ssh tunnel
> to perform this.

Maybe.  I'm not sure exactly what sort of ssh proxying you have in
mind.  I think you can already do something like:

ssh user@proxy1 ssh user@proxy2 ssh user@proxy3 nmap [options] [targets]

That will likely be much more efficient than trying to set up ssh
tunnels or execute nc.  But of course the final machine must have Nmap
installed.  But if you have ssh access, that is usually easy to
achieve (download a binary to /tmp or whatever) and does not require
root access.

> o Escaping your own ISP's port forwarding restrictions. I've used ISPs
>   before that filter outbound port 25 - making it impossible to scan
>   SMTP servers!

Yeah, the anti-spammer in me likes this restriction but the rest of me
hates this unwelcome intrusion into my connectivity.  My DSL line does
this.  Obviously it is easy to tunnel around, but still annoying.  The
goal is to prevent naive users from becoming unwitting spam zombies,
so they should make it easy for more experienced users to remove this
"protection".  But I'm getting into a whole different debate now :).

> Many people using this method are probably scanning under the assumption
> they will get maximum scanning privacy and sometimes a simple DNS request
> can give it away.
>
> I would suggest reverse DNS be disabled by default for all proxy scans.

I see your point, but then we would need some way to turn it back on
for people who do want it.  Plus we'd need to document yet another
special case in the man page.  I'd say just print a warning if they
use proxy scan but not -n.  There are cases where you aren't worried
about detection of your DNS lookups.

> Some of these proxying methods can perform forward DNS resolution for us.
> The forward DNS could potentially be more complicated.

Yeah, though I agree that it would be cool if we do find a way to
support it.  Without ugly hacks.

> In your mail you talked about performing service detection through
> a chain of proxies. This would be extremely cool! Do you think it would
> be possible to add the proxying functionality as some sort of addition
> to nsock? This would be a very useful addition to nsock and could
> potentially mean that a huge amount of (present and future) Nmap
> functionality could be proxied.

I think that is a great idea.  Though as I mentioned to Majek, just
trying to isolate the code as well as possible may be a good first
step.  I can see the desire to share this code with ncat, version
detection, etc.

Thanks for your comments!
-F
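As an added illustration (not part of the original mail or of Nmap itself), the following POSIX shell helper assembles the nested `ssh hop1 ssh hop2 ... nmap` command line Fyodor sketches above and, following his suggestion, emits a warning when the nmap arguments omit `-n`, since reverse DNS lookups during a proxied scan can reveal it. The hop names and the constructed scan arguments are placeholders; arguments containing spaces would need additional quoting because each hop's shell re-splits the command.

```shell
#!/bin/sh
# Added example: build the "ssh hop1 ssh hop2 ... cmd" chain from the thread
# and warn when a proxied scan is run without -n (reverse DNS left enabled).

# build_ssh_chain HOP... -- CMD...
# Each HOP is a user@host string; everything after "--" runs on the last hop.
# Prints the assembled command line on stdout.
build_ssh_chain() {
    chain=""
    while [ "$#" -gt 0 ] && [ "$1" != "--" ]; do
        chain="${chain}ssh $1 "
        shift
    done
    [ "$1" = "--" ] && shift
    printf '%s%s\n' "$chain" "$*"
}

# has_no_dns_flag ARG...  -> returns 0 if "-n" appears among the arguments, 1 otherwise.
has_no_dns_flag() {
    for arg in "$@"; do
        [ "$arg" = "-n" ] && return 0
    done
    return 1
}

# proxied_nmap HOP... -- NMAP_ARGS...
# Warns on stderr when the nmap arguments after "--" lack -n (the case the
# thread suggests Nmap itself should warn about), then prints the chain.
proxied_nmap() {
    seen_sep=0
    nmap_has_n=1
    for arg in "$@"; do
        if [ "$seen_sep" -eq 1 ] && [ "$arg" = "-n" ]; then
            nmap_has_n=0
        fi
        [ "$arg" = "--" ] && seen_sep=1
    done
    if [ "$nmap_has_n" -ne 0 ]; then
        echo "WARNING: proxied scan without -n; nmap will issue reverse DNS lookups that can reveal the scan" >&2
    fi
    build_ssh_chain "$@"
}

# Demonstration with placeholder hops and a constructed target (10.0.0.5):
# prints the warning, then "ssh user@proxy1 ssh user@proxy2 nmap -p 25 10.0.0.5".
proxied_nmap user@proxy1 user@proxy2 -- nmap -p 25 10.0.0.5
```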


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev