Re: Nmap DNS leak and proxychains redesign?

[David Fifield <david () bamsoftware com>]

On Sat, Jul 04, 2015 at 07:09:49AM -0500, Daniel Miller wrote:
> On Sat, Jul 4, 2015 at 3:43 AM, Jacek Wielemborek <d33tah () gmail com> wrote:
>
>
>     1. nmap_dns.cc - already uses Nsock routines for UDP. My idea is that
>     perhaps proxy support could be integrated here for SOCKS5 only with code
>     similar to one from nsock_connect_internal. This seems rather easy, am I
>     missing something?
>
>  
> If we had name-aware proxy capability (e.g. SOCKS5), we would not have to use
> any routines from nmap_dns.cc. The leak happens when an application assumes it
> has to resolve a name before it can connect, and the DNS lookup happens outside
> the proxy chain.
>
> From a user's perspective, I think that --proxies socks5://1.2.3.4:9050
> should imply "no non-proxied traffic" even to the point of ignoring -O or
> --traceroute, or bailing out before a scan if -sS, -sA, etc. were chosen (since
> raw packet scans will not work over a proxy like this). An option like
> --unproxied-ok (terrible name, but that's beside the point) could then be used
> to restore the current behavior of using the proxy for some things but not
> others.

I completely agree with Dan here. When you're scanning through a proxy,
it's likely that in many places in the output where we currently show an
IP address, we will show nothing (or a host name) instead. nmap_dns.cc
will probably not even be involved in this case.

Proxies don't provide name-resolution capabilities anyway. We should
take the position that we don't know the IP and don't care. The Tor
SOCKS proxy has extensions for resolution (the "tor-resolve" command
uses them):
https://gitweb.torproject.org/torspec.git/tree/socks-extensions.txt
but they are not part of standard SOCKS.
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/