Nmap Development mailing list archives

[PATCH] New 0-true-packets scanning method


From: Pablo Fernandez <pablo.fernav () gmail com>
Date: Sun, 01 Jan 2006 06:14:50 +0100

Hello ppl! Happy new year!

As a gift for this new year I just finished coding a patch for the
latest stable release of nmap (3.95). Just like the Idle scan, this one
also sends 0 packets to the target from the true IP address (although it
is not as cool as the Idle scan, bummer =P).

This is the patch that Sendai would probably have written =P. It scans
through a standard HTTP/1.x proxy: it connects to the specified proxy
(option -sY, the Y stands for proxY) and starts scanning through it. It
has the ability to recognize open, closed and filtered ports, but it
will act according to the specified proxy's behavior; most proxies I
tested with acted correctly, but some of them didn't use the right
responses in some situations.

This scan method is also nice for bypassing firewalls, e.g. nmap -sY
proxy.somecorp.com:8080 -p 22 192.168.5.0/24.

I recently released a proxy chain building tool, it will tunnel through
n proxies (with CONNECT method support) for greater anonymity. Since
this tool supports binding to a local port and connecting each client
through the whole chain something like this could be done:

proxychain -p 8080 proxy1 proxy2 proxy3 proxy4
nmap -sY 127.0.0.1:8080 -P0 --host_timeout 60000 target

In this case --host_timeout should probably be used since building the
whole chain could take some time...

This way the scan would be performed from proxy4...

[YOU] -> [PROXY1] -> [PROXY2] -> [PROXY3] -> [PROXY4] -> [TARGET]

proxychain can be downloaded from
http://freshmeat.net/projects/proxychain/

--host_timeout tells -sY how much time it should try before giving up on
a probably filtered port.

Ok, I hope this patch makes it to the next release of nmap.

The patch can be downloaded from
http://www.littleq.net/nmap-with-proxy.patch and its signature from
http://www.littleq.net/nmap-with-proxy.patch.sig

--------------------------------------------------------------------
pablo@debtop:~/nmap-3.95-patch$ ./nmap -sY 210.95.250.193:8080 -p 22,23,25 scanme.insecure.org -P0

Starting Nmap 3.95 ( http://www.insecure.org/nmap/ ) at 2006-01-01 05:52 CET
Interesting ports on scanme.nmap.org.48.153.217.205.in-addr.arpa (205.217.153.62):
PORT   STATE    SERVICE
22/tcp open     ssh
23/tcp filtered telnet
25/tcp closed   smtp

Nmap finished: 1 IP address (1 host up) scanned in 37.608 seconds
------------------------------------------------------------------------

Best regards,
Pablo Fernandez

PS. Hey, I got the first patch on 2006!
-- 
Pablo Fernandez Lopez
http://www.littleQ.net/

GPG: http://www.littleQ.net/pablo.asc
Fingerprint: 14A0 8343 E8FB E940 59E3  F7BB C347 869D DBB9 337F


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
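The mechanism the post relies on, as an added example that is not part of the nmap patch or of proxychain: each target port is probed with a CONNECT request through an HTTP/1.x proxy, and the proxy's reply is mapped onto nmap's open/closed/filtered states, with a timeout standing in for --host_timeout. The same code also issues nested CONNECTs so that a chain of proxies is built on one socket, the way the proxychain diagram shows. The status-code mapping, the host names, and the in-process fake proxy that stands in for a real proxy and target are assumptions constructed so the example runs offline.

```python
"""CONNECT-based port scanning through one HTTP proxy or a chain of them.
Added example; the fake proxy, host names and code-to-state mapping are
constructed assumptions, not behaviour taken from the nmap patch."""
import socket
import socketserver
import threading
import time


def read_head(sock):
    """Read one HTTP head (up to the blank line); None on EOF."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            return None
        buf += chunk
    return buf


def connect_chain(sock, route, timeout):
    """Issue nested CONNECTs over one socket: each hop tunnels the next, so
    the last entry of `route` (the target) is reached from the last proxy.
    Returns the status code of the final CONNECT; raises RuntimeError if an
    intermediate hop refuses, since then nothing about the target is learned."""
    sock.settimeout(timeout)
    status = None
    for i, (host, port) in enumerate(route):
        req = f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n"
        sock.sendall(req.encode())
        head = read_head(sock)
        if head is None:
            raise ConnectionError("proxy closed the connection")
        status = int(head.split(b" ", 2)[1])
        if status != 200 and i < len(route) - 1:
            raise RuntimeError(f"chain broke at {host}:{port} (HTTP {status})")
    return status


def state_from_status(status):
    """Map the proxy's reply to an nmap-style state (assumed convention: 200
    when the target accepted, 502/503 when it refused, 504 when it never
    answered, anything else such as 403/405 when the proxy's own ACL
    forbids the port, which says nothing about the target)."""
    if status == 200:
        return "open"
    if status in (502, 503):
        return "closed"
    if status == 504:
        return "filtered"
    return "proxy-denied"


def scan(proxy, ports, target, timeout=5.0, chain=()):
    """One CONNECT per port via `proxy` (plus any extra proxies in `chain`).
    A proxy that times out or hangs up without a reply is read as a
    filtered target port; `timeout` is what --host_timeout bounds."""
    results = {}
    for port in ports:
        with socket.create_connection(proxy, timeout=timeout) as s:
            try:
                results[port] = state_from_status(
                    connect_chain(s, [*chain, (target, port)], timeout))
            except (socket.timeout, ConnectionError):
                results[port] = "filtered"
    return results


# Constructed stand-in for a real proxy and target: what the fake proxy
# simulates per destination port. 8080 plays a chained proxy that accepts.
FAKE_PORTS = {22: "open", 23: "filtered", 25: "closed", 8080: "open"}


class FakeProxy(socketserver.BaseRequestHandler):
    def handle(self):
        # After a 200, keep parsing CONNECTs on the same socket, standing in
        # for the next hop, so chained requests can be exercised offline.
        while True:
            head = read_head(self.request)
            if head is None:
                return
            port = int(head.split(b"\r\n", 1)[0].split()[1].rsplit(b":", 1)[1])
            behaviour = FAKE_PORTS.get(port, "denied")
            if behaviour == "open":
                self.request.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
                continue
            if behaviour == "closed":
                self.request.sendall(b"HTTP/1.1 503 Service Unavailable\r\n\r\n")
            elif behaviour == "filtered":
                time.sleep(1.0)  # upstream never answers; the proxy stays silent
            else:
                self.request.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
            return


def run_against_fake_proxy(ports, chain=()):
    """Start the fake proxy on an ephemeral port and scan through it."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeProxy)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return scan(server.server_address, ports, "scanme.example",
                    timeout=0.3, chain=chain)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_against_fake_proxy([22, 23, 25, 80]))
    print(run_against_fake_proxy([22, 25], chain=[("proxy2", 8080), ("proxy3", 8080)]))
```

Against a real proxy, replace the fake server address with the proxy's host and port and keep the timeout generous; the distinction the post draws between proxies that "acted correctly" and those that did not comes down to whether they follow the 200/503/504 convention assumed in state_from_status, and a port the proxy's ACL forbids is reported separately here rather than silently folded into "filtered". When a middle hop of a chain refuses, the scan stops with an error instead of misreporting the target, because every later reply would describe the broken hop, not the host being scanned.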
