Nmap Development mailing list archives

Port scanning behind proxies: my experiments with making ultra_scan work with nsock


From: Jacek Wielemborek <d33tah () gmail com>
Date: Tue, 30 Jun 2015 20:07:28 +0200

Hi,

Recently when I was talking to Henri, he told me that my nmap-nsock-scan
branch might be causing stack overflows because of how I designed its
main loop. He pointed me to a better approach and then I remembered
David's suggestion to try mixing in Nsock's code within ultra_scan.
Yesterday I thought I'd see how much effort this would take and started
hacking. After a few hours of experimenting, I think I managed to get
the code working better than the result of my last year's Google Summer
of Code project.

My prototype, while having some bugs that I will mention in the next
post, already can perform portscans behind a proxy and has most of the
functionality the traditional Nmap connect() scan does. Here's how to
try it out:

1. Pull my nmap-nsock-ultrascan branch:

svn co 'https://svn.nmap.org/nmap-exp/d33tah/nmap-nsock-ultrascan'

2. Enter nmap-nsock-ultrascan directory and build Nmap:

cd nmap-nsock-ultrascan ; ./configure && make

3. If all went well, try a simple -sT scan:

./nmap -sT scanme.nmap.org

You may also experiment with --ttl, -e, -S, --ip-options and of course
--proxy. Feel invited to poke at the binary with valgrind and in case of
segmentation faults/assertion errors, I'll be happy to take a look at
the stack trace. So far, I found at least two bugs still waiting to be
debugged:

1. An assertion error triggered when scanning localhost, related to
the Linux self-connect bug (assert(!probe->timedout) in
markProbeTimedout()); this can be worked around by commenting out
"probe->CP()->self_connect = true;" in scan_engine_connect.cc,

2. A segmentation fault that happens when scanning many ports on
scanme.nmap.org with the tor proxy on localhost. (actually, I'm not sure
if I already fixed it)

If you prefer patches against the latest SVN, I attached one to this e-mail.
Here's a diffstat:

 nsock/include/nsock.h      |    8 +
 nsock/src/nsock_connect.c  |   18 ++
 nsock/src/nsock_internal.h |    5
 nsock/src/nsock_iod.c      |   32 ++++
 scan_engine.cc             |   14 -
 scan_engine.h              |   20 --
 scan_engine_connect.cc     |  332 ++++++++++++++++++++-------------------------
 7 files changed, 224 insertions(+), 205 deletions(-)

NOTE: you cannot scan hidden services with this one yet. In order to do
that, you would need Andrew Farabee's SOCKS4A patch.

Cheers,
d33tah

Attachment: nmap-nsock-ultrascan.patch


_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/