Nmap Development mailing list archives
RE: Nmap Scans via Socks Proxy? (OSX)
From: "Dario Ciccarone \(dciccaro\)" <dciccaro () cisco com>
Date: Fri, 7 Sep 2007 16:22:57 -0400
-----Original Message-----
From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org] On Behalf Of DePriest, Jason R.
Sent: Friday, September 07, 2007 2:14 PM
To: Dario Ciccarone (dciccaro)
Cc: nmap-dev () insecure org
Subject: Re: Nmap Scans via Socks Proxy? (OSX)

> On 9/7/07, Dario Ciccarone (dciccaro) <> wrote:
> > Does that even work? I would assume SYN scan would become a "connect" scan, just because it's being proxied. And FIN/XMAS wouldn't work at all. And kiss OS detection goodbye. I haven't tried the scenario - but knowing how a proxy works, it looks like the only possible outcome.
> >
> > Dario
>
> I would suspect the results would be wildly inaccurate, but no worse than scanning through a simple NAT.
Big bold statement alarm :) I have to admit I haven't tried to do an nmap scan thru a NAT/PAT device lately. It would be interesting to sniff pre/post NAT and see how the packet changes. Of course, it would depend on the device in question - I'm not sure the NAT/PAT on box X would work the same way as the NAT/PAT on box Y. SYN scan might work in both - FIN/XMAS, again, might work in some loose NAT/PAT implementations, but not in those that actually keep conn state, track the 3-way handshake, etc.

> Mostly because SOCKS5 doesn't do any special application- or protocol-specific mangling, it just passes stuff back and forth and manages the IP addresses. It's been a while since I looked at a SOCKS packet capture, so I am not sure.
I've just checked RFC-1928, and unless I'm VERY wrong, SOCKS5 is supposed to work at the application level - the client asks the server to connect to the destination host, and then the application data rides on top of said connection. This might work for -sT and -sV - but as SOCKS5 doesn't work at the network nor transport layers, how would the whole OS identification and exotic scans work? I think you might have better luck by going thru TOR (but again, I haven't used TOR, so I don't know at which level of the OSI stack it works). Or just create a GRE tunnel on your Linux box to your first hop router, and keep sending the datagrams thru tunnels until you reach closer to the destination. Ah, and no, no NAT required for the return traffic. Let's think about that for a while ;)

Dario

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
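To make the RFC 1928 point above concrete, here is an added Python example (not code from the thread or from Nmap) that encodes a SOCKS5 CONNECT request and decodes the server's reply. The request carries only a destination address and port, and the reply only a one-byte status plus the bound address, which is why a proxied SYN scan can be nothing more than a connect scan and why OS fingerprinting has no packet-level data to work with. All host names and addresses below are constructed sample values.

```python
import socket
import struct

SOCKS_VERSION, CMD_CONNECT = 0x05, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
# Reply codes from RFC 1928 section 6: this one byte is all the proxy
# reports about the destination. No TCP flags, TTL, window or options
# ever reach the client, so OS fingerprinting has nothing to work with.
REPLY_TEXT = ("succeeded", "general SOCKS server failure",
              "connection not allowed by ruleset", "network unreachable",
              "host unreachable", "connection refused", "TTL expired",
              "command not supported", "address type not supported")

def encode_address(host: str) -> bytes:
    """ATYP byte plus DST.ADDR in IPv4, IPv6 or domain-name form."""
    for family, atyp in ((socket.AF_INET, ATYP_IPV4), (socket.AF_INET6, ATYP_IPV6)):
        try:
            return bytes([atyp]) + socket.inet_pton(family, host)
        except OSError:
            continue
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("domain name must be 1..255 bytes")
    return bytes([ATYP_DOMAIN, len(name)]) + name

def build_connect_request(host: str, port: int) -> bytes:
    """VER CMD RSV ATYP DST.ADDR DST.PORT (RFC 1928 section 4). The client can
    only ask 'connect me to host:port'; the proxy does the real TCP handshake."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + encode_address(host)
            + struct.pack("!H", port))

def parse_reply(data: bytes) -> tuple:
    """Decode VER REP RSV ATYP BND.ADDR BND.PORT into (status, host, port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, rest = socket.inet_ntop(socket.AF_INET, data[4:8]), data[8:]
    elif atyp == ATYP_IPV6:
        addr, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    elif atyp == ATYP_DOMAIN:
        addr, rest = data[5:5 + data[4]].decode("idna"), data[5 + data[4]:]
    else:
        raise ValueError("unknown ATYP %#x" % atyp)
    if len(rest) < 2:
        raise ValueError("truncated reply")
    status = REPLY_TEXT[rep] if rep < len(REPLY_TEXT) else "unassigned %#x" % rep
    return status, addr, struct.unpack("!H", rest[:2])[0]
```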
Current thread:
- Nmap Scans via Socks Proxy? (OSX) cosynmr (Sep 06)
- Re: Nmap Scans via Socks Proxy? (OSX) majek04 (Sep 06)
- Re: Nmap Scans via Socks Proxy? (OSX) DePriest, Jason R. (Sep 06)
- RE: Nmap Scans via Socks Proxy? (OSX) Dario Ciccarone (dciccaro) (Sep 07)
- Re: Nmap Scans via Socks Proxy? (OSX) DePriest, Jason R. (Sep 07)
- RE: Nmap Scans via Socks Proxy? (OSX) Dario Ciccarone (dciccaro) (Sep 07)
- Re: Nmap Scans via Socks Proxy? (OSX) cosynmr (Sep 08)
- RE: Nmap Scans via Socks Proxy? (OSX) Dario Ciccarone (dciccaro) (Sep 07)