Nmap Development mailing list archives
Re: Scanning through socks proxy
From: Fyodor <fyodor () insecure org>
Date: Wed, 15 Dec 2010 18:39:57 -0800
On Wed, Dec 15, 2010 at 11:53:05PM +0000, Wolfric wrote:
> I'm sure this has been brought up already before although I can't seem to follow exactly what happened or what went wrong. Is there any chance someone can clarify if it is foreseeable to have proxy support in nmap or if not, why not.
I'd love to have proxy support in Nmap, but it will be hard to implement efficiently. Some people have written proof-of-concept patches, but nothing that we could seriously consider integrating so far. On the other hand, we have quite developed proxy support for Ncat (it can connect through proxies, or even act as one).

As far as Nmap proxy support, we have some ideas in the Nmap todo (http://nmap.org/svn/todo/nmap.txt):

o Scanning through proxies
  o Nmap should be able to scan through proxy servers, particularly now that we have an NSE script for detecting open proxies and now that Ncat can act as proxy client or server.
  o Requirements:
    o Would be nice to be able to chain through multiple proxy servers of different types.
    o Would be nice to be able to spread the load amongst multiple proxies.
    o Should support port scanning, version detection, and NSE. In other words, nsock should support proxies.
    o Support IPv4 and v6
    o Need to figure out how to get good performance. Pool of connections to proxy or proxies for concurrency? HTTP pipelining?
    o Support the different varieties of proxies: socks4, socks4a, socks5, HTTP GET (if possible), HTTP CONNECT. Note that GET proxies present some challenges since the error messages may not be standard, etc.
    o Maybe auto-detect the proxy type so that Nmap can try the most efficient scanning method first?
    o I've been asked to support basic, ntlm, and digest authentication if possible.
  o Implementation ideas:
    o There is a patch by Zoltan Panczel (http://nmap-dev.fw.hu) and it has been improved by Jacob Appelbaum in nmap-exp/ioerror/ . This patch doesn't handle things like parallelization, but it may be a good proof of concept.
    o This might not be appropriate for ultra_scan ... perhaps would be better to write a general scanning engine for abusing applications for port scanning purposes. This could handle scanning through proxies and the existing FTP bounce scan would also be ported to this engine (or, frankly, we could probably get away with removing FTP bounce). rembrandt at jpberlin.de tells me that you can also do this with the "forwarding" commands on IMAP servers. Whoever does this should probably start by reading the code for the main port scanning engine (ultra_scan()) and also the version detection code (service_scan()). And the version detection paper at http://nmap.org/book/vscan.html. If you understand all that, you may be ready for this project :). This is important, because it is easy to do poorly. The tough part is high performance and clean code which is general enough that all these different applications can be scanned through using the same basic engine. You should run your ideas by nmap-dev in as much detail as possible before starting.

Of course having a TODO item for this is only the first step. Someone needs to actually write a patch and send it in for review. And this isn't the sort of patch that can be done in an afternoon.

Cheers,
Fyodor

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
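As an added illustration of the "different varieties of proxies" requirement in the todo above (this is not code from the thread, from Nmap or from Ncat): the SOCKS5 CONNECT request a proxy-aware scanner would send, and a parser for the proxy's reply. The mapping from RFC 1928 reply codes to port states (open, closed, unreachable, filtered, proxy-error, proxy-denied) is my assumption, chosen to keep proxy-side failures separate from target-side ones; RFC 1928 defines only the codes.

```python
import struct
from ipaddress import ip_address

# SOCKS5 reply codes (RFC 1928 section 6) mapped to a port state. The state
# names are an assumption for this example: codes that describe the proxy's
# own failure are kept apart from codes that describe the target's answer.
SOCKS5_REPLY_STATE = {
    0x00: "open",          # succeeded: proxy completed the TCP connection
    0x01: "proxy-error",   # general SOCKS server failure
    0x02: "proxy-denied",  # connection not allowed by proxy ruleset
    0x03: "unreachable",   # network unreachable
    0x04: "unreachable",   # host unreachable
    0x05: "closed",        # connection refused by the target
    0x06: "filtered",      # TTL expired (no answer before proxy gave up)
    0x07: "proxy-error",   # command not supported
    0x08: "proxy-error",   # address type not supported
}

def build_connect_request(host, port):
    """Encode a SOCKS5 CONNECT for host:port (IPv4, IPv6 or hostname)."""
    try:
        ip = ip_address(host)
        addr = (b"\x01" if ip.version == 4 else b"\x04") + ip.packed
    except ValueError:                      # not a literal IP: send as name
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = b"\x03" + bytes([len(name)]) + name
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)

def parse_connect_reply(data):
    """Return (state, bound_addr, bound_port) from a SOCKS5 CONNECT reply.
    Raises ValueError on truncated or non-SOCKS5 data instead of guessing."""
    if len(data) < 4 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == 0x01:
        addr, rest = str(ip_address(data[4:8])), data[8:]
    elif atyp == 0x04:
        addr, rest = str(ip_address(data[4:20])), data[20:]
    elif atyp == 0x03:
        n = data[4]
        addr, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("unknown address type %#x" % atyp)
    if len(rest) < 2:
        raise ValueError("truncated reply")
    (port,) = struct.unpack("!H", rest[:2])
    return SOCKS5_REPLY_STATE.get(rep, "proxy-error"), addr, port
```

The same split between proxy-side and target-side errors is what makes HTTP GET proxies awkward, since their error messages are not standardized the way SOCKS5 reply codes are.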