Re: Scripts for proxy detection

[David Fifield <david () bamsoftware com>]

On Thu, May 28, 2009 at 05:17:43AM -0300, Joao Correa wrote:
> Hello everyone,
>
> I'm posting two new versions for the open proxy detection scripts.
>
> The new features are:
>
> HTTP:
> * Changed pattern for connect (tested and supporting both polipo and
> ncat, needs to test on squid!)
> * Default test address is now nmap.org, and not www.google.com
> * HTTP status codes 200, 301 and 302 are recognized as valid
> responses, meaning that the proxy is correctly working
> * It is also possible to use a different test address, specified with
> script-args. The args should be "url", with the url that might be
> tested and "hurl" with the url used to set the "Host:" field of the
> HTTP requests. If no hurl is set, than url is used as hurl. If none is
> set, nmap.org is used.
> * Notice that the arguments will only work with nmap patched for
> correct argument parsing
>
> Socks:
> * Replaced function packet.hextobin for bin.pack
> * HTTP status codes 200, 301 and 302 are recognized as valid
> responses, meaning that the proxy is correctly working
> * Replaced excessive prints for stdnse.print_debug
> * It is also possible to use a different test address, specified with
> script-args. The arg is only "url" here. If it is not set, nmap.org is
> used.
> * Also will only work if nmap is patched
> * Tested on Dante and ssh

Here are my comments on socks-open-proxy.nse. I tested it with the
"ssh -D" command.

$ ssh -N -D 1080 goomba.bamsoftware.com
$ ./nmap --datadir . --script=socks-open-proxy localhost -p1080
PORT     STATE SERVICE
1080/tcp open  socks
|  socks-open-proxy: Potentially OPEN proxy.
|_ Versions succesfully tested: Socks4 Socks5

$ ssh -N -D 10000 goomba.bamsoftware.com
$ ./nmap --datadir . --script=socks-open-proxy localhost -p10000
PORT      STATE SERVICE
10000/tcp open  snet-sensor-mgmt
$ ./nmap --datadir . --script=socks-open-proxy localhost -p10000 -sV --version-all
PORT      STATE SERVICE VERSION
10000/tcp open  socks5  (No authentication; connection failed)

The script worked fine when the proxy server was running on a standard
port. As expected, it didn't run when the server was on a non-standard
port. However, it should have run when version detection discovered the
service "socks5". You should make the portrule match "socks4" and
"socks5" as well as "socks".

You can use stdnse.strsplit instead of having multiple copies of the
explode function in each script.
http://nmap.org/nsedoc/modules/stdnse.html#strsplit
On second thought, you don't actually need a string splitting function
if you're only looking at the Response-Line (first line) of the
response, and not examining the header fields.

I think you should not hard-code the default target IP address:
        local sip = "42 66 07 63"
        local url = "www.google.com"
You already have code to resove a name in case a url script argument was
received; just use that in all cases. Otherwise someday someone will
change either sip or url without changing the other, or that IP address
will have a different owner, or something.

Don't forget up update the script documentation. It still refers to the
"Server: gws" header field, even though the script doesn't use that
technique anymore.

When the proxy server returns "Request granted", is that enough to
report the proxy as open? Is it necessary to actually retrieve the web
page? Maybe coffeeshop proxies say "Request granted" and then substitute
their click-through terms of service, or something? But in that case the
script would still say "open proxy" because of the 200 status code
returned. If it still works without retrieving the web page, you should
remove that step.

The script argument names are too general. "url" could mean many
different things to different scripts. One way to disambiguate is to put
the arguments inside a table with a name based on that of the scripts.
So:
        --script-args='open-proxy={url=...}'
Then you would access it in your script:
        nmap.registry.args["open-proxy"].url
However, the name "url" is misleading, because the argument is only a
host name. I suggest changing it to "host". Then you should add a @usage
example to the documentation showing how to use the script arguments,
like this:
http://nmap.org/nsedoc/scripts/dns-zone-transfer.html
http://nmap.org/svn/scripts/dns-zone-transfer.nse

The script is nice and easy to understand. Very useful too, and fast. I
think this and the HTTP script should be included when these few
adjustments are made.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org