Nmap Development mailing list archives

RE: Portscanning through HTTP proxy?


From: "Alex R" <alex () deviousmeans net>
Date: Wed, 8 Dec 2004 18:35:34 +0200

Can these proxies also relay any type of TCP protocol such as smtp, pop3,
telnet, or ssh? Or do they specifically have to be designed to relay these
protocols?

-----Original Message-----
From: uzy [mailto:uzy () isecurelabs com] 
Sent: Wednesday, December 08, 2004 6:23 PM
To: nmap-dev () insecure org
Subject: Re: Portscanning through HTTP proxy?

Right.
Proxychains hijacks the connect() library call for any TCP socket.
RAW/PACKET or UDP sockets cannot be redirected through this kind of proxy
because, as far as I know, these proxies are designed to relay full TCP
connections only.

TCP connect scan (-sT) and service fingerprinting on TCP (-sV) can be
proxified.

OS fingerprinting (-O), RAW scans (-f, -sI, -sO, -sS, -sA, and so on) or UDP
fingerprints/scans (-sU) cannot.

cu 

MadHat writes: 

On Dec 7, 2004, at 1:40 PM, Alex R wrote:
Can you proxy anything? For example, could you proxy some -O stuff or -sS
and -sV?

-O does not work with proxying as the proxy mangles the packets; -sV
should work fine.


-----Original Message-----
From: uzy [mailto:uzy () isecurelabs com]
Sent: Tuesday, December 07, 2004 9:25 PM
To: nmap-dev () insecure org
Subject: Re: Portscanning through HTTP proxy? 

You could consider using nmap -sT with proxychains. As simple as : 

proxychains nmap -sT -p NN myIP 

Edit proxychains.conf to specify your SOCKS or HTTP proxy. 

http://proxychains.sf.net 

Cheers 

MadHat writes: 

On Dec 7, 2004, at 2:14 AM, Max wrote:
You might have better success with Nessus since it comes with its own
language.

Why not just patch nmap?  It has a language too, called C++ ;) 

Fyodor has mentioned in the source code that there should probably be
SOCKS support as well. Just if no one asks for it, he is going to work on
what he feels is most important. If someone really wants a feature, they can
request it, or try and write a patch (the glory of Open Source).


M@x 


MadHat wrote:
On Dec 6, 2004, at 3:58 PM, Mark Lachniet wrote:
Is there a decent way, similar to the FTP bounce approach, to do
portscanning through an insecure HTTP proxy using CONNECT verbs? For
example, say I find a dual-homed host that has an unrestricted proxy, and
am too lazy to telnet to the proxy and type:

'CONNECT http://10.1.1.1:25 HTTP/1.1'

and manually iterate it a hundred times.

There is not an easy way right now built into nmap that I know of, but
it should be easy to make a patch for it.

 

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to
nmap-dev-help () insecure org . List archive: http://seclists.org 


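A defender-side companion to the thread above: every CONNECT that a proxied -sT scan pushes through the proxy leaves a line in the proxy's access log, and one client tunnelling to many distinct ports on a single host in a short window is the tell. This is an added example, not code from the thread or from nmap or proxychains; the log lines are constructed in Squid's native access.log layout, and the port threshold and time window are assumptions.

```python
import re
from collections import defaultdict

# Squid native access.log layout, one request per line:
#   timestamp elapsed client action/status bytes method URL user hierarchy type
# For CONNECT the URL field is "host:port", which is exactly what a scan walks.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+[A-Z_]+/(?P<status>\d{3})"
    r"\s+\d+\s+CONNECT\s+(?P<host>[^:\s]+):(?P<port>\d+)(?:\s|$)"
)

# Constructed sample (not real traffic): 192.0.2.10 walks six ports on one
# internal host in half a second; 192.0.2.44 opens two ordinary HTTPS tunnels.
SAMPLE_LOG = """\
1102444800.101 12 192.0.2.10 TCP_TUNNEL/200 512 CONNECT 10.1.1.1:22 - HIER_DIRECT/10.1.1.1 -
1102444800.205 9 192.0.2.10 TCP_MISS/503 0 CONNECT 10.1.1.1:23 - HIER_DIRECT/10.1.1.1 -
1102444800.310 8 192.0.2.10 TCP_TUNNEL/200 830 CONNECT 10.1.1.1:25 - HIER_DIRECT/10.1.1.1 -
1102444800.412 7 192.0.2.10 TCP_MISS/503 0 CONNECT 10.1.1.1:80 - HIER_DIRECT/10.1.1.1 -
1102444800.520 7 192.0.2.10 TCP_MISS/503 0 CONNECT 10.1.1.1:110 - HIER_DIRECT/10.1.1.1 -
1102444800.630 6 192.0.2.10 TCP_TUNNEL/200 410 CONNECT 10.1.1.1:143 - HIER_DIRECT/10.1.1.1 -
1102444801.000 300 192.0.2.44 TCP_TUNNEL/200 9981 CONNECT www.example.com:443 - HIER_DIRECT/203.0.113.5 -
1102444805.000 280 192.0.2.44 TCP_TUNNEL/200 7712 CONNECT mail.example.com:443 - HIER_DIRECT/203.0.113.6 -
"""

def parse_connect_entries(log_text):
    """Yield (ts, client, status, host, port) for each CONNECT line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield float(m["ts"]), m["client"], int(m["status"]), m["host"], int(m["port"])

def detect_connect_scans(log_text, min_ports=5, window=60.0):
    """Map (client, host) -> sorted ports for every client that tunnelled to at
    least min_ports distinct ports on one host within `window` seconds.
    Denied or failed tunnels count: a closed port still produces a CONNECT line."""
    events = defaultdict(list)  # (client, host) -> [(ts, port), ...]
    for ts, client, _status, host, port in parse_connect_entries(log_text):
        events[(client, host)].append((ts, port))
    hits = {}
    for key, seq in events.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):  # slide the window over each start time
            ports = {p for t, p in seq[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                hits[key] = sorted(ports)
                break
    return hits
```

Run detect_connect_scans() over a real access.log to list (client, host) pairs that crossed the threshold; the same log is also where a proxy that should only tunnel to port 443 shows its missing CONNECT destination restrictions.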
