Nmap Development mailing list archives

Re: Scripts for proxy detection


From: David Fifield <david () bamsoftware com>
Date: Mon, 1 Jun 2009 14:47:28 -0600

On Thu, May 28, 2009 at 05:17:43AM -0300, Joao Correa wrote:
> I'm posting two new versions for the open proxy detection scripts.
>
> The new features are:
>
> HTTP:
> * Changed pattern for connect (tested and supporting both polipo and
> ncat, needs to test on squid!)
> * Default test address is now nmap.org, and not www.google.com

I see that you have already changed it back to www.google.com. I think
that is a better default too. I did a search and that is what is used by
the ScanSSH proxy detector too (http://monkey.org/~provos/scanssh/).

> * HTTP status codes 200, 301 and 302 are recognized as valid
> responses, meaning that the proxy is correctly working
> * It is also possible to use a different test address, specified with
> script-args. The args should be "url", with the url that might be
> tested and "hurl" with the url used to set the "Host:" field of the
> HTTP requests. If no hurl is set, then url is used as hurl. If none is
> set, nmap.org is used.

I can see why you have a separate url and hurl; it's because you may
want to make a proxy connection to http://example.com/dir/file.html (url),
but then the Host: header field has to be just "example.com", not
"example.com/dir/file.html". But you should do that work in the script,
and not make the user do it. There are functions in the url module that
will make this easy.
http://nmap.org/nsedoc/modules/url.html

Now that I look back at it, there's no way to access a URL like
http://example.com/dir/file.html in socks-open-proxy.nse, because the
code will try to resolve the name "example.com/dir/file.html" as if it
were a host name. I take back what I wrote in
http://seclists.org/nmap-dev/2009/q2/0523.html; you should keep the
script argument name "url", allow it to be followed by a path, and use
the url module to parse out the host name.

> Questions:
> Should we include new HTTP status codes?

I think the ones you have are good.

> Should we remove POST from the HTTP open proxy tests? (as mentioned by
> David in his previous e-mail)

I recommend this, especially now that I see it requires a separate
script argument for a POST-able URL. I guess it would be possible for a
proxy server to support POST but not GET or HEAD, but it wouldn't be
very useful. Enumerating the methods supported by an HTTP server or
proxy would best be done in a separate script.

> Socks script only tests a connection to the destination's port 80.
> Should we include more ports? If yes, how should we parse the
> responses? (we'll have different responses from each service)

See my question in http://seclists.org/nmap-dev/2009/q2/0523.html. I
don't know much about SOCKS, but perhaps "Request granted" is enough
without sending any application-level data.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
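The two points David raises, deriving the Host: header from the single "url" argument instead of asking the user for a separate "hurl", and accepting only 200, 301 and 302 as evidence that the proxy forwarded the request, as an added example that is not code from this thread or from Nmap. It is plain Lua so it runs outside Nmap; parse_url is a stand-in that returns the same field names (scheme, host, port, path, query) as the NSE url module's url.parse, which an NSE script would call instead. The HTTP responses it checks are constructed inline, no network is touched.

```lua
-- Added example (not Nmap's own code). parse_url mirrors the field names
-- of NSE's url.parse so the rest of the example reads like script code;
-- inside an NSE script you would `require "url"` and use url.parse.
local function parse_url(u)
  local parsed = {}
  u = u:gsub("#.*$", "")                                   -- drop fragment
  u = u:gsub("^([%w][%w%+%-%.]*):", function(s) parsed.scheme = s; return "" end)
  u = u:gsub("^//([^/]*)", function(a) parsed.authority = a; return "" end)
  u = u:gsub("%?(.*)$", function(q) parsed.query = q; return "" end)
  if u ~= "" then parsed.path = u end                      -- whatever is left
  if parsed.authority then
    local auth = parsed.authority:gsub("^[^@]*@", "")      -- drop userinfo
    auth = auth:gsub(":([^:]*)$", function(p) parsed.port = p; return "" end)
    if auth ~= "" then parsed.host = auth end
  end
  return parsed
end

-- Host: is the host part only, plus the port when it is not the default.
-- This is the work the script should do for the user instead of a "hurl" arg.
local function host_header(parsed)
  if not parsed.host then return nil, "URL has no host component" end
  if parsed.port and parsed.port ~= "80" then
    return parsed.host .. ":" .. parsed.port
  end
  return parsed.host
end

-- A forward-proxy test sends an absolute-URI GET; the Host header is
-- filled in from the parsed URL, never from the raw argument string.
local function build_proxy_request(u)
  local parsed = parse_url(u)
  if parsed.scheme ~= "http" then return nil, "only http URLs are supported" end
  local host, err = host_header(parsed)
  if not host then return nil, err end
  local path  = parsed.path or "/"
  local query = parsed.query and ("?" .. parsed.query) or ""
  local req = string.format(
    "GET http://%s%s%s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n",
    host, path, query, host)
  return req, host
end

-- Only these codes count as "the proxy fetched the page for us".
local OPEN_PROXY_CODES = { [200] = true, [301] = true, [302] = true }

local function parse_status(response)
  local code = response:match("^HTTP/%d%.%d (%d%d%d)")
  return code and tonumber(code) or nil
end

-- Returns true/false plus the parsed status code (nil if unparsable).
local function is_open_proxy(response)
  local code = parse_status(response)
  return code ~= nil and OPEN_PROXY_CODES[code] == true, code
end

-- Self-check on constructed input (no network needed).
local req, host = build_proxy_request("http://example.com/dir/file.html")
assert(host == "example.com")
assert(req:find("GET http://example.com/dir/file.html HTTP/1.1\r\n", 1, true) == 1)
assert(req:find("\r\nHost: example.com\r\n", 1, true))

local req2, host2 = build_proxy_request("http://example.com:8000")
assert(host2 == "example.com:8000")
assert(req2:find("GET http://example.com:8000/ HTTP/1.1", 1, true) == 1)

-- Constructed sample responses a proxy might return.
assert(is_open_proxy("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n") == true)
assert(is_open_proxy("HTTP/1.0 302 Found\r\nLocation: http://www.google.com/\r\n\r\n") == true)
assert(is_open_proxy("HTTP/1.1 403 Forbidden\r\n\r\n") == false)
assert(is_open_proxy("garbage") == false)
print("all checks passed")
```

Run it with any Lua 5.x interpreter. The design point is the one David makes about socks-open-proxy.nse as well: the argument is parsed as a URL, so "example.com/dir/file.html" is never handed to a resolver as a host name, and the status check is an explicit allow-list rather than "anything that looks like HTTP".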

