Re: general scanning engine - request for comments :)

[majek04 <nmap () forest one pl>]

Fyodor wrote:
> > ------------------|-binary-|-udp-|-dns-|-ipv6-|-k-a-
> > HTTPPROXY CONNECT-|---Y----|-----|--Y--|--?---|-----
> > HTTPPROXY GET-----|--------|-----|--Y--|--?---|--Y--
> > SOCKS 4-----------|---Y----|--Y--|-----|------|-----
> > SOCKS 4a----------|---Y----|--Y--|--Y--|------|-----
> > SOCKS 5-----------|---Y----|--Y--|--Y--|--Y---|-----
> > FTP BOUNCE--------|--------|-----|-----|------|--Y--
> > classic connect()-|---Y----|--Y--|--Y--|--Y---|-----
>
> Looks good.  I assume classic connect() is the Nmap connect scan
> (-sT)?  If so, it doesn't really do "resolving dns names on the remote
> site", nor does Nmap support UDP any longer using connect (though it
> theoretically could).

Woops. My mistake. Now, by saying connect() I mean what nsock :)
Isn't nsock supporting udp?

> Maybe it would be useful to implement connect scan through your proxy
> scanning engine anyway as a simple case for testing/debugging/etc the
> system.  It probably wouldn't become the default implementation of
> -sT, but it would be interesting to compare the performance and timing
> between the two implementations.
Probably it wouldn't become default implementation.
But when we'll implement this we could separate
our engines. With proxy engine that doesn't need root,
and with ultra_scan that needs privileges.


> If you find an elegant way to handle this, go for it.  Otherwise, I
> think keeping forward DNS resolution as is for now is OK.  But I can
> definitely see us possibly wanting to add remote host DNS in the
> future, so do try to keep that in mind.  We may want to give a privacy
> warning message if the user DOESN'T specify -n.
What I would need, is doing forward dns queries in the last moment,
just before ip number is needed.

> > Ping probes:
> >      Normally nmap is doing ping probes before scanning.
> >      How such ping probes should look like when someone is using
> >      proxy/socks chaining?
>
> Maybe they can just use -P0.  I tend to think another warning message is warranted here if they use proxy scan but 
> don't specify -P0.
I think by default -P0 should be assumed when doing proxy-scanning.
But maybe in future we should implement some type of '-PS' through proxy.

> > Service detection:
> >      Imagine Version Detection through TOR or other anonymous proxy.
> >      I think this could be really powerful tool.
>
> Yeah.  I think we should try to isolate the proxy chaining code as
> much as possible so that it can be more easily reused in ncat,
> possibly version detection, etc.  Doug suggested putting the code in
> Nsock.  That may make sense (especially if there are efficiency
> advantages to integrating them), though isolating them in their own
> files in Nmap with a reasonably generic API and as few (if any)
> dependencies on Nmap stuff (like the NmapOps structure) might be a
> good compromise.
Okay.


Cheers :)
Marek Majkowski


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev