Nmap Development mailing list archives

Re: Scanning through socks proxy


From: Fyodor <fyodor () insecure org>
Date: Wed, 15 Dec 2010 18:39:57 -0800

On Wed, Dec 15, 2010 at 11:53:05PM +0000, Wolfric wrote:
> I'm sure this has been brought up already before although I can't seem
> to follow exactly what happened or what went wrong. Is there any
> chance someone can clarify if it is foreseeable to have proxy support
> in nmap or if not, why not.

I'd love to have proxy support in Nmap, but it will be hard to
implement efficiently.  Some people have written proof-of-concept
patches, but nothing that we could seriously consider integrating so
far.  On the other hand, we have quite developed proxy support for
Ncat (it can connect through proxies, or even act as one).

As far as Nmap proxy support, we have some ideas in the Nmap todo
(http://nmap.org/svn/todo/nmap.txt):

o Scanning through proxies
 o Nmap should be able to scan through proxy servers, particularly now
   that we have an NSE script for detecting open proxies and now that
   Ncat can act as proxy client or server.
 o Requirements:
   o Would be nice to be able to chain through multiple proxy servers of
     different types.
   o Would be nice to be able to spread the load amongst multiple
     proxies.
   o Should support port scanning, version detection, and NSE.  In
     other words, nsock should support proxies.
   o Support IPv4 and v6
   o Need to figure out how to get good performance.  Pool of
     connections to proxy or proxies for concurrency?  HTTP pipelining?
   o Support the different varieties of proxies: socks4, socks4a,
     socks5, HTTP GET (if possible), HTTP CONNECT.  Note that GET
     proxies present some challenges since the error messages may not
     be standard, etc.
   o Maybe auto-detect the proxy type so that Nmap can try the most
     efficient scanning method first?
   o I've been asked to support basic, ntlm, and digest authentication
     if possible.
 o Implementation ideas: 
   o There is a patch by Zoltan Panczel (http://nmap-dev.fw.hu) and it
     has been improved by Jacob Appelbaum in nmap-exp/ioerror/ .  This
     patch doesn't handle things like parallelization, but it may be a
     good proof of concept.
   o This might not be appropriate for ultra_scan ... perhaps would be
     better to write a general scanning engine for abusing
     applications for port scanning purposes.  This could handle
     scanning through proxies and the existing FTP bounce scan would
     also be ported to this engine (or, frankly, we could probably get
     away with removing FTP bounce).  rembrandt at jpberlin.de tells me
     that you can also do this with the "forwarding" commands on IMAP
     servers.  Whoever does this should probably start by reading the
     code for the main port scanning engine (ultra_scan()) and also
     the version detection code (service_scan()).  And the version
     detection paper at http://nmap.org/book/vscan.html.  If you
     understand all that, you may be ready for this project :).  This
     is important, because it is easy to do poorly.  The tough part is
     high performance and clean code which is general enough that all
     these different applications can be scanned through using the
     same basic engine.  You should run your ideas by nmap-dev in as
     much detail as possible before starting.


Of course having a TODO item for this is only the first step.  Someone
needs to actually write a patch and send it in for review.  And this
isn't the sort of patch that can be done in an afternoon.

Cheers,
Fyodor
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
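The todo item above sketches the mechanics: for each target port, open a connection to the proxy, ask it to CONNECT to the target, and read the proxy's reply as the port state. The following is an added illustration of that idea for the SOCKS5 case (RFC 1928, no authentication), not code from Nmap, Ncat or the patches mentioned in the thread. It uses a pool of proxy connections for concurrency, accepts IPv4 literals (ATYP 1) or hostnames resolved by the proxy (ATYP 3, the socks4a-style behaviour), and maps reply codes to "open" / "closed" / "filtered" by analogy with how a plain TCP connect scan treats a RST versus an unreachable. The reply-to-state table, the port list and the in-process fake proxy are constructed for the example so it runs offline; the fake proxy only answers from a lookup table and is not a real SOCKS implementation.

```python
"""Port scan through a SOCKS5 proxy: one CONNECT per target port, with the
proxy's reply code mapped to a port state.  Added example; the fake proxy at
the bottom is constructed for offline testing and answers from a table."""
import socket
import socketserver
import struct
import threading
from concurrent.futures import ThreadPoolExecutor

# RFC 1928 reply codes -> how a scanner would interpret them (assumed mapping)
SOCKS5_REPLY = {
    0x00: "open",          # succeeded: proxy completed the TCP handshake
    0x01: "error",         # general SOCKS server failure
    0x02: "proxy-denied",  # connection not allowed by the proxy's ruleset
    0x03: "filtered",      # network unreachable
    0x04: "filtered",      # host unreachable
    0x05: "closed",        # connection refused (proxy saw a RST)
    0x06: "filtered",      # TTL expired
    0x07: "error",         # command not supported
    0x08: "error",         # address type not supported
}

def _recv_exact(sock, n):
    """Read exactly n bytes or raise; SOCKS messages are length-framed."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection early")
        buf += chunk
    return buf

def socks5_connect_probe(proxy, target, port, timeout=3.0):
    """Ask the proxy to CONNECT to target:port and return a port-state string.
    target is an IPv4 literal (ATYP 1) or a hostname the proxy resolves (ATYP 3)."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(b"\x05\x01\x00")                  # ver 5, 1 method: no auth
        ver, method = _recv_exact(s, 2)
        if ver != 5 or method != 0:
            return "error"                          # auth demanded or not SOCKS5
        try:
            dst = b"\x01" + socket.inet_aton(target)
        except OSError:                             # not an IPv4 literal
            name = target.encode("idna")
            dst = b"\x03" + bytes([len(name)]) + name
        s.sendall(b"\x05\x01\x00" + dst + struct.pack("!H", port))  # CMD=CONNECT
        ver, rep, _rsv, atyp = _recv_exact(s, 4)
        if atyp == 1:                               # drain BND.ADDR + BND.PORT
            _recv_exact(s, 4 + 2)
        elif atyp == 3:
            _recv_exact(s, _recv_exact(s, 1)[0] + 2)
        elif atyp == 4:
            _recv_exact(s, 16 + 2)
        return SOCKS5_REPLY.get(rep, "error")

def scan_through_proxy(proxy, target, ports, workers=8):
    """Probe each port over its own proxy connection, a pool of `workers`
    at a time; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: socks5_connect_probe(proxy, target, p), ports))
    return dict(zip(ports, states))

# --- constructed fake SOCKS5 proxy for offline testing (not a real proxy) ---
FAKE_PORT_TABLE = {22: 0x00, 80: 0x00, 23: 0x05, 8080: 0x04}  # reply code per port

class _FakeSocks5Handler(socketserver.BaseRequestHandler):
    def handle(self):
        s = self.request
        _ver, nmethods = _recv_exact(s, 2)
        _recv_exact(s, nmethods)
        s.sendall(b"\x05\x00")                      # accept "no auth"
        _ver, cmd, _rsv, atyp = _recv_exact(s, 4)
        if atyp == 1:
            _recv_exact(s, 4)
        elif atyp == 3:
            _recv_exact(s, _recv_exact(s, 1)[0])
        port = struct.unpack("!H", _recv_exact(s, 2))[0]
        rep = FAKE_PORT_TABLE.get(port, 0x05) if cmd == 1 else 0x07
        s.sendall(b"\x05" + bytes([rep]) + b"\x00\x01" + b"\x00" * 6)

def start_fake_proxy():
    """Bind the fake proxy on a free loopback port; returns (server, (host, port))."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _FakeSocks5Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address

if __name__ == "__main__":
    srv, addr = start_fake_proxy()
    result = scan_through_proxy(addr, "10.0.0.5", [22, 23, 80, 443, 8080])
    for port in sorted(result):
        print(f"{port}/tcp {result[port]}")
    srv.shutdown()
```

Two of the todo's concerns show up directly here: the only concurrency available is more simultaneous proxy connections (there is no raw-socket timing to lean on), and the state you report is only as good as the proxy's reply code, so a proxy that collapses every failure into "general failure" leaves you unable to tell closed from filtered.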