Re: Scripts for proxy detection

[David Fifield <david () bamsoftware com>]

On Sun, May 24, 2009 at 03:06:43AM -0300, Joao Correa wrote:
> I've been working on some scripts to detect open proxy servers. As a
> starting point I've made a few changes on the http-open-proxy script,
> including different methods beyond GET. I've also included POST, HEAD
> and CONNECT methods to it.

Thanks, João, this looks good. Here are some notes on the HTTP script.

I did a test of the HTTP open proxy script using Ncat and Polipo
(http://www.pps.jussieu.fr/~jch/software/polipo/).

$ ncat -l --proxy-type http 3128
$ ./polipo proxyPort=8123
$ nmap --script proxy-open-http localhost -p 3128,8123 -d
PORT     STATE SERVICE    REASON
3128/tcp open  squid-http syn-ack
|  proxy-open-http: Potentially OPEN proxy.
|_ Methods succesfully tested: GET POST HEAD CONNECT
8123/tcp open  polipo     syn-ack
|  proxy-open-http: Potentially OPEN proxy.
|_ Methods succesfully tested: GET POST HEAD

The script correctly found all methods open for the Ncat proxy, but
missed CONNECT for the Polipo proxy. It is because of the match pattern
in the script: "^http/1.0 200 ok". That's what Ncat returns, but Polipo
returns

$ ncat -C localhost 8123
CONNECT www.google.com:80 HTTP/1.0

HTTP/1.1 200 Tunnel established

The match should work for any HTTP version number as long as the code is
200, and should ignore the human-readable status message that follows.
Check http://tools.ietf.org/html/draft-luotonen-web-proxy-tunneling-01
and see if any other status codes should be reported. (There may not be
any, just check.

I haven't tested the SOCKS script yet. This is the only problem I found
in the HTTP script.

> I was planning to include socks open proxy detection on the same
> script, but, as both proxy servers are different and use to run on
> different ports, I think it is better to set two different scripts,
> with different port rules. This way, http related code would never be
> sent to a socks proxy, what could happen if both tests were on the
> same script. A way of having only one script would be testing the open
> ports and test only those proxy servers related to such ports...
> anyway I think that this solution isn't the best, since it will make
> the code much more complex.

I think this is the right idea. I support having two different scripts
for this, especially if the mechanism for testing is different.

> The socks detection script is also displaying a lot of connection
> related information. I'm planning to soon make all these information
> visible only if requested by the user with a script argument.

You can use the print_debug function, and then the information will only
be visible with -d, -d2, or whatever you choose.

> I've also changed both script names because with the new names both
> scripts will be listed together in the script directory, what I think
> is nice, since they are both related. Anyway, the new names are not
> definitive.

I would use the name http-open-proxy and socks-open-proxy to fit with
our general scheme of putting the protocol name first. It makes sense
for scripts that do the same thing to be together, but it also makes
sense for all the HTTP scripts, for example, to be together.

Which SOCKS server did you use for testing? Is there a small one that's
easy to install that others can use to test this script?

> If someone is able to test the code, I would really make good use of
> some feedback.

Is it possible to use the http library
(http://nmap.org/nsedoc/modules/http.html) to do the GET test instead of
using comm.exchange? HEAD and POST are not possible yet but there is a
patch for them: http://seclists.org/nmap-dev/2009/q1/0889.html. CONNECT
may not be possible to handle in this way because it is not a normal
HTTP transaction.

Maybe we shouldn't do a POST check because POST allows changing state on
the server. GET/HEAD/POST all belong to basically the same class anyway,
while CONNECT is something different. What do others think?

What's the reason for using www.google.com.br in the CONNECT test when
www.google.com is used in the other tests?

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org