Nmap Development mailing list archives

Scan with nmap over a CONNECT proxy?


From: Richard Miles <richard.k.miles () googlemail com>
Date: Thu, 29 Apr 2010 17:34:48 +0000

Hello

I was checking one of my servers on the internet and curiously I found it
supports the CONNECT method to everywhere, so I could connect to it from the
internet and CONNECT for example to google, or even establish a telnet
session with another machine in another network. While it may be very useful
for a spammer, I was thinking that a hacker can do much more and probably use
this open CONNECT proxy to connect to my internal servers, since I have two
interfaces, one external and another internal.

I tested with ncat and I connected to an internal server with a command like
ncat --proxy MyExternalProxy --proxy-type http 10.10.2.3 23

And I got the telnet screen asking for the username.

However it was easy because I know my internal IP address; a hacker would
need to guess my internal IP addresses and open ports, and doing it by hand
may be very hard. So, I was thinking, is there an option in nmap to scan over
a CONNECT proxy?

Something like nmap -sV -sC --proxy MyExternalProxy --proxy-type http 10.10.2.0/24

It would be awesome. Is there any patch or way to do it?

I also tried just to test nmap with -sV and -sC on an exclusive port in
conjunction with ncat, but I couldn't, since ncat appears not to allow
binding an IP and connecting to a remote proxy at the same time. I was
thinking of something like ncat -l 3333 --proxy MyExternalProxy --proxy-type http
10.10.2.3 23

So, I could test it like nmap -sV -sC -p 23 localhost

Ideas?

Well, does anyone know any port scanner that is able to scan a remote internal
network over a CONNECT proxy? I would love to see it.

Thanks
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
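The post's ncat test amounts to one HTTP CONNECT exchange: the client sends `CONNECT host:port HTTP/1.1` and the proxy answers with a status line, 2xx meaning the tunnel is open and anything else meaning it was refused. The following is an added example (not code from the post or from the Nmap project) that performs that exchange explicitly, so an administrator can verify, after restricting CONNECT on a server, that the proxy now refuses to relay to an internal address. The function and constant names (`build_connect_request`, `parse_connect_response`, `tunnel_established`, `proxy_allows_connect`, `SAMPLE_RESPONSES`) and the sample proxy replies are assumptions constructed for this example; the destination checked is a single host, exactly as in the ncat command above.

```python
"""Check whether an HTTP proxy honours CONNECT to one destination.

Added example for verifying a proxy's CONNECT policy; the function names and
the sample responses below are constructed for illustration.
"""
import socket


def build_connect_request(dest_host: str, dest_port: int) -> bytes:
    """Build the raw CONNECT request ncat --proxy-type http would send."""
    target = f"{dest_host}:{dest_port}"
    return (
        f"CONNECT {target} HTTP/1.1\r\n"
        f"Host: {target}\r\n"
        "Proxy-Connection: keep-alive\r\n"
        "\r\n"
    ).encode("ascii")


def parse_connect_response(data: bytes) -> tuple[int, str]:
    """Return (status_code, reason) from the proxy's status line.

    Raises ValueError when the bytes do not start with an HTTP status line,
    which is itself a useful signal (the listener is not an HTTP proxy).
    """
    head, _, _ = data.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("iso-8859-1", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    reason = parts[2] if len(parts) == 3 else ""
    return int(parts[1]), reason


def tunnel_established(data: bytes) -> bool:
    """Any 2xx status means the proxy opened the tunnel (RFC 7231 4.3.6)."""
    code, _ = parse_connect_response(data)
    return 200 <= code < 300


def proxy_allows_connect(proxy_host: str, proxy_port: int,
                         dest_host: str, dest_port: int,
                         timeout: float = 5.0) -> bool:
    """Live check: does proxy_host:proxy_port relay CONNECT to dest_host:dest_port?

    Reads until the end of the response headers and returns True only when the
    proxy reports success; a hardened proxy should return False for internal
    destinations such as 10.10.2.3.
    """
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(build_connect_request(dest_host, dest_port))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
        return tunnel_established(buf)


# Constructed sample replies, so the parsing logic can be exercised offline.
SAMPLE_RESPONSES = {
    "open relay":   b"HTTP/1.1 200 Connection established\r\n\r\n",
    "refused":      b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n",
    "auth wanted":  b"HTTP/1.1 407 Proxy Authentication Required\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLE_RESPONSES.items():
        print(f"{label:12s} -> tunnel established: {tunnel_established(raw)}")
```

Run it against your own server as `proxy_allows_connect("MyExternalProxy", 8080, "10.10.2.3", 23)` (proxy port assumed) before and after changing the proxy configuration; the expected result after hardening is `False`, with the proxy answering 403 or 407 rather than 200.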

