Nmap Development mailing list archives
Port scanning behind proxies: my experiments with making ultra_scan work with nsock
From: Jacek Wielemborek <d33tah () gmail com>
Date: Tue, 30 Jun 2015 20:07:28 +0200
Hi,

Recently when I was talking to Henri, he told me that my nmap-nsock-scan branch might be causing stack overflows because of how I designed its main loop. He pointed me to a better approach and then I remembered David's suggestion to try mixing in Nsock's code within ultra_scan. Yesterday I thought I'd see how much effort this would take and started hacking. After a few hours of experimenting, I think I managed to get the code working better than the result of my last year's Google Summer of Code project.

My prototype, while having some bugs that I will mention in the next post, already can perform portscans behind a proxy and has most of the functionality the traditional Nmap connect() scan does. Here's how to try it out:

1. Pull my nmap-nsock-ultrascan branch:

   svn co 'https://svn.nmap.org/nmap-exp/d33tah/nmap-nsock-ultrascan'

2. Enter the nmap-nsock-ultrascan directory and build Nmap:

   cd nmap-nsock-ultrascan ; ./configure && make

3. If all went well, try a simple -sT scan:

   ./nmap -sT scanme.nmap.org

You may also experiment with --ttl, -e, -S, --ip-options and of course --proxy. Feel invited to poke at the binary with valgrind and in case of segmentation faults/assertion errors, I'll be happy to take a look at the stack trace.

So far, I found at least two bugs still waiting to be debugged:

1. An assertion error triggered when scanning localhost, related to the Linux self-connect bug (assert(!probe->timedout) in markProbeTimedout()); this can be walked around by commenting out "probe->CP()->self_connect = true;" in scan_engine_connect.cc,

2. A segmentation fault that happens when scanning many ports on scanme.nmap.org with the tor proxy on localhost. (actually, I'm not sure if I already fixed it)

If you prefer patches against latest SVN, I attached one to this e-mail.

Here's a diffstat:

 nsock/include/nsock.h      |   8 +
 nsock/src/nsock_connect.c  |  18 ++
 nsock/src/nsock_internal.h |   5
 nsock/src/nsock_iod.c      |  32 ++++
 scan_engine.cc             |  14 -
 scan_engine.h              |  20 --
 scan_engine_connect.cc     | 332 ++++++++++++++++++++-------------------------
 7 files changed, 224 insertions(+), 205 deletions(-)

NOTE: you cannot scan hidden services with this one yet. In order to do that, you would need Andrew Farabee's SOCKS4A patch.

Cheers,
d33tah
Attachment: nmap-nsock-ultrascan.patch
Attachment: signature.asc (OpenPGP digital signature)
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/