Nmap Development mailing list archives
[PATCH] New 0-true-packets scanning method
From: Pablo Fernandez <pablo.fernav () gmail com>
Date: Sun, 01 Jan 2006 06:14:50 +0100
Hello ppl! Happy New Year!

As a gift for this new year I just finished coding a patch for the latest stable release of nmap (3.95). Just like the Idle scan, this one also sends 0 packets to the target from the true IP address (although it is not as cool as the Idle scan, bummer =P ). This is the patch that Sendai would probably have written =P. It scans through a standard HTTP/1.x proxy: it will connect to the specified proxy (option -sY, the Y stands for proxY) and start scanning through it. It has the ability to recognize open, closed and filtered ports, but it will act according to the specified proxy's behavior; most proxies I tested with acted correctly, but some of them didn't use the right responses in some situations.

This scan method is also nice for bypassing firewalls, i.e.

nmap -sY proxy.somecorp.com:8080 -p 22 192.168.5.0/24

I recently released a proxy chain building tool, it will tunnel through n proxies (with CONNECT method support) for greater anonymity. Since this tool supports binding to a local port and connecting each client through the whole chain, something like this could be done:

proxychain -p 8080 proxy1 proxy2 proxy3 proxy4
nmap -sY 127.0.0.1:8080 -P0 --host_timeout 60000 target

In this case --host_timeout should probably be used since building the whole chain could take some time... This way the scan would be performed from proxy4...

[YOU] -> [PROXY1] -> [PROXY2] -> [PROXY3] -> [PROXY4] -> [TARGET]

proxychain can be downloaded from http://freshmeat.net/projects/proxychain/

--host_timeout tells -sY how much time it should try before giving up on a probably filtered port.

Ok, I hope this patch makes it to the next release of nmap.

The patch can be downloaded from http://www.littleq.net/nmap-with-proxy.patch and its signature from http://www.littleq.net/nmap-with-proxy.patch.sig

--------------------------------------------------------------------
pablo@debtop:~/nmap-3.95-patch$ ./nmap -sY 210.95.250.193:8080 -p 22,23,25 scanme.insecure.org -P0

Starting Nmap 3.95 ( http://www.insecure.org/nmap/ ) at 2006-01-01 05:52 CET
Interesting ports on scanme.nmap.org.48.153.217.205.in-addr.arpa (205.217.153.62):
PORT   STATE    SERVICE
22/tcp open     ssh
23/tcp filtered telnet
25/tcp closed   smtp

Nmap finished: 1 IP address (1 host up) scanned in 37.608 seconds
------------------------------------------------------------------------

Best regards,
Pablo Fernandez

PS. Hey, I got the first patch on 2006!

--
Pablo Fernandez Lopez
http://www.littleQ.net/
GPG: http://www.littleQ.net/pablo.asc
Fingerprint: 14A0 8343 E8FB E940 59E3 F7BB C347 869D DBB9 337F
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev
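The post above describes using an HTTP proxy's CONNECT method as a pivot to probe ports on hosts behind it (including private ranges such as 192.168.5.0/24), with the proxy's response telling the scanner whether the port was open, closed or filtered. From the proxy operator's side, that activity is visible in the proxy's own access log as a burst of CONNECT requests to unusual ports or internal addresses. The detector below is an added example written for this page; it is not code from the original post, from the -sY patch, from proxychain or from nmap. It assumes Squid's native access.log layout (timestamp, elapsed ms, client, action/status, bytes, method, URL, user, hierarchy/peer, content type); the log lines themselves are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in Squid native access.log layout. The first client
# issues CONNECTs to several non-443 ports on private addresses, which is the
# pattern a proxy-relayed port scan leaves behind; the second client is normal
# HTTPS browsing.
SAMPLE_LOG = """\
1136089980.123    245 203.0.113.7 TCP_TUNNEL/200 3421 CONNECT 192.168.5.17:22 - HIER_DIRECT/192.168.5.17 -
1136089981.456      5 203.0.113.7 TCP_MISS/503 1754 CONNECT 192.168.5.17:25 - HIER_DIRECT/192.168.5.17 text/html
1136090041.001  60012 203.0.113.7 TCP_MISS/504 1754 CONNECT 192.168.5.17:23 - HIER_DIRECT/192.168.5.17 text/html
1136090042.777    130 203.0.113.7 TCP_TUNNEL/200 9921 CONNECT 192.168.5.18:22 - HIER_DIRECT/192.168.5.18 -
1136090050.002    310 198.51.100.9 TCP_TUNNEL/200 48210 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 -
1136090051.101     88 198.51.100.9 TCP_MISS/200 5120 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
"""

# Fields up to and including the URL; the trailing user/hierarchy/type columns
# are not needed for this check.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)(?:\s|$)"
)


def parse_line(line):
    """Parse one Squid native log line into a dict, or return None if it does not match.
    For CONNECT requests the URL is host:port, which is split into dest_host/dest_port."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["elapsed"] = int(rec["elapsed"])
    if rec["method"] == "CONNECT":
        host, _, port = rec["url"].rpartition(":")
        rec["dest_host"], rec["dest_port"] = host, int(port)
    return rec


def is_private_host(host):
    """True for RFC 1918 / loopback / link-local literal addresses; hostnames are not resolved."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def find_connect_pivots(log_text, allowed_ports=(443,), min_distinct=2):
    """Return {client: sorted [(dest_host, dest_port, status), ...]} for clients whose
    CONNECT requests went to ports outside `allowed_ports` or to private addresses,
    once at least `min_distinct` distinct host:port pairs were attempted.
    The proxy status is kept so an analyst can see what the client learned:
    200 means a tunnel was established, 5xx that the upstream connect failed."""
    suspects = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "CONNECT":
            continue
        if rec["dest_port"] not in allowed_ports or is_private_host(rec["dest_host"]):
            suspects[rec["client"]].add((rec["dest_host"], rec["dest_port"], rec["status"]))
    return {c: sorted(s) for c, s in suspects.items() if len(s) >= min_distinct}


if __name__ == "__main__":
    for client, attempts in find_connect_pivots(SAMPLE_LOG).items():
        print(f"{client}: {len(attempts)} suspicious CONNECT targets")
        for host, port, status in attempts:
            print(f"  {host}:{port} -> {status}")
```

The long elapsed time on the 504 line (60012 ms) is the filtered-port case the post's --host_timeout option exists for, so elapsed time is worth alerting on alongside the port list. The corresponding mitigation is the one Squid ships by default: an `SSL_ports` ACL and `http_access deny CONNECT !SSL_ports`, which refuses tunnels to anything other than 443 and removes the proxy as a pivot for this kind of scan.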