Nmap Development mailing list archives

Re: [tor-talk] Fwd: CALL FOR TESTING: new port scanning subsystem (allows scanning behind proxies, including Tor!)

From: David Fifield <david () bamsoftware com>
Date: Sat, 4 Jul 2015 08:20:52 -0700

On Fri, Jul 03, 2015 at 11:25:26PM +0200, Jacek Wielemborek wrote:

W dniu 03.07.2015 o 22:01, grarpamp pisze:

One of the features that my modifications enable is performing port
scanning behind proxies. I only scanned it using SOCKS4 server built
into Tor

./nmap -sT --proxy socks4://localhost:9050 scanme.nmap.org

Please do note that even though port scanning within Tor is possible,
you cannot scan .onion names due to lack of SOCKS4A support.


SOCKS4 and SOCKS4A are old and deprecated and should not
be implemented (unless you're also implementing the current SOCKS5
and adding in 4/4A as a bonus).

Tor supports SOCKS5 (and the deprecated 4/4A but it will complain).
So scanning onions and anything else by name should be possible.

SOCKS5 also supports IPv6 which is becoming the way of things.
Therefore, implement SOCKS5 :)


I think that SOCKS5 support within Nsock library (on which my
modification depends) is planned. SOCKS5 also supports UDP, so it could
bring even more benefits. For now, SOCKS4 has to do though.


Yeah. Jacek's post wasn't about adding proxy support to Nmap per se--Nmap
has been able to use a proxy for certain operations for quite some time
now, through the --proxies command line option. The proxy support worked
for things like version detection and NSE (Nmap Scripting Engine), but
it notably did not work for port scanning, because the port-scanning
code in Nmap uses sockets much differently than the rest of it. Jacek's
patch is about overcoming certain architectural difficulties and
extending proxy support to the port scanning phase too.

The patch doesn't actually add new SOCKS code to Nmap. It just uses what
is already there. Supporting SOCKS5 is a good project but it is separate
from this one.

Doing domain name resolution through the proxy (which would prevent DNS
leaks and enable scanning of onion sites) is also a separate and kind of
large project. Many parts of Nmap's code assume that they have an IP
address to work with, so it will take some rearchitecting too.
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

Current thread:

CALL FOR TESTING: new port scanning subsystem (allows scanning behind proxies, including Tor!) Jacek Wielemborek (Jul 03)
- Message not available
  - Message not available
    - Re: [tor-talk] Fwd: CALL FOR TESTING: new port scanning subsystem (allows scanning behind proxies, including Tor!) Jacek Wielemborek (Jul 03)
    - Re: [tor-talk] Fwd: CALL FOR TESTING: new port scanning subsystem (allows scanning behind proxies, including Tor!) Jasey DePriest (Jul 03)
    - Re: [tor-talk] Fwd: CALL FOR TESTING: new port scanning subsystem (allows scanning behind proxies, including Tor!) Daniel Miller (Jul 03)
    - Re: [tor-talk] Fwd: CALL FOR TESTING: new port scanning subsystem (allows scanning behind proxies, including Tor!) David Fifield (Jul 04)
- Re: CALL FOR TESTING: new port scanning subsystem (allows scanning behind proxies, including Tor!) David Fifield (Jul 04)
  - Re: CALL FOR TESTING: new port scanning subsystem (allows scanning behind proxies, including Tor!) Jacek Wielemborek (Jul 04)
    - Re: CALL FOR TESTING: new port scanning subsystem (allows scanning behind proxies, including Tor!) David Fifield (Jul 04)
    - Re: CALL FOR TESTING: new port scanning subsystem (allows scanning behind proxies, including Tor!) Jacek Wielemborek (Jul 14)
  - Re: CALL FOR TESTING: new port scanning subsystem (allows scanning behind proxies, including Tor!) David Fifield (Jul 04)
    - Re: CALL FOR TESTING: new port scanning subsystem (allows scanning behind proxies, including Tor!) Jacek Wielemborek (Jul 04)