Nmap Development mailing list archives
Re: Scripts for proxy detection
From: David Fifield <david () bamsoftware com>
Date: Tue, 26 May 2009 17:03:48 -0600
On Sun, May 24, 2009 at 03:06:43AM -0300, Joao Correa wrote:
> I've been working on some scripts to detect open proxy servers. As a starting point I've made a few changes to the http-open-proxy script, including different methods beyond GET. I've also included the POST, HEAD and CONNECT methods in it.
Thanks, João, this looks good. Here are some notes on the HTTP script.

I did a test of the HTTP open proxy script using Ncat and Polipo (http://www.pps.jussieu.fr/~jch/software/polipo/).

    $ ncat -l --proxy-type http 3128
    $ ./polipo proxyPort=8123
    $ nmap --script proxy-open-http localhost -p 3128,8123 -d
    PORT     STATE SERVICE    REASON
    3128/tcp open  squid-http syn-ack
    | proxy-open-http: Potentially OPEN proxy.
    |_ Methods succesfully tested: GET POST HEAD CONNECT
    8123/tcp open  polipo     syn-ack
    | proxy-open-http: Potentially OPEN proxy.
    |_ Methods succesfully tested: GET POST HEAD

The script correctly found all methods open for the Ncat proxy, but missed CONNECT for the Polipo proxy. It is because of the match pattern in the script: "^http/1.0 200 ok". That's what Ncat returns, but Polipo returns

    $ ncat -C localhost 8123
    CONNECT www.google.com:80 HTTP/1.0
    HTTP/1.1 200 Tunnel established

The match should work for any HTTP version number as long as the code is 200, and should ignore the human-readable status message that follows. Check http://tools.ietf.org/html/draft-luotonen-web-proxy-tunneling-01 and see if any other status codes should be reported. (There may not be any, just check.)

I haven't tested the SOCKS script yet. This is the only problem I found in the HTTP script.
> I was planning to include SOCKS open proxy detection in the same script, but, as both proxy servers are different and usually run on different ports, I think it is better to have two different scripts, with different port rules. This way, HTTP-related code would never be sent to a SOCKS proxy, which could happen if both tests were in the same script. A way of having only one script would be testing the open ports and testing only those proxy servers related to such ports... anyway I think that this solution isn't the best, since it will make the code much more complex.
I think this is the right idea. I support having two different scripts for this, especially if the mechanism for testing is different.
> The SOCKS detection script is also displaying a lot of connection-related information. I'm planning to soon make all this information visible only if requested by the user with a script argument.
You can use the print_debug function, and then the information will only be visible with -d, -d2, or whatever you choose.
> I've also changed both script names because with the new names both scripts will be listed together in the script directory, which I think is nice, since they are both related. Anyway, the new names are not definitive.
I would use the name http-open-proxy and socks-open-proxy to fit with our general scheme of putting the protocol name first. It makes sense for scripts that do the same thing to be together, but it also makes sense for all the HTTP scripts, for example, to be together. Which SOCKS server did you use for testing? Is there a small one that's easy to install that others can use to test this script?
> If someone is able to test the code, I would really make good use of some feedback.
Is it possible to use the http library (http://nmap.org/nsedoc/modules/http.html) to do the GET test instead of using comm.exchange? HEAD and POST are not possible yet but there is a patch for them: http://seclists.org/nmap-dev/2009/q1/0889.html. CONNECT may not be possible to handle in this way because it is not a normal HTTP transaction.

Maybe we shouldn't do a POST check because POST allows changing state on the server. GET/HEAD/POST all belong to basically the same class anyway, while CONNECT is something different. What do others think?

What's the reason for using www.google.com.br in the CONNECT test when www.google.com is used in the other tests?

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
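The status-line check David describes, written out as an added Lua example (it is not code from the thread or from the NSE script): the CONNECT reply is parsed so that any HTTP version and any reason phrase are accepted, and only the 200 status code decides. The sample replies are constructed to mirror the Ncat and Polipo responses shown above; the function names are hypothetical.

```lua
-- Added example, not taken from the nmap-dev thread or the NSE script.
-- Parse the first line of a proxy's reply and return version, numeric
-- status code and reason phrase, or nil when it is not an HTTP status line.
local function parse_status_line(data)
  -- Only the first line matters; response headers follow the line break.
  local line = data:match("^([^\r\n]*)")
  local version, code, reason = line:match("^HTTP/(%d+%.%d+)%s+(%d%d%d)%s*(.*)$")
  if not version then
    return nil
  end
  return version, tonumber(code), reason
end

-- A CONNECT tunnel counts as established only on status 200, regardless of
-- the HTTP version or the human-readable reason phrase that follows it.
-- This replaces a literal match such as "^http/1.0 200 ok".
local function connect_succeeded(data)
  local _, code = parse_status_line(data)
  return code == 200
end

-- Constructed sample replies: the two proxies from the thread plus two
-- replies that must not be reported as an open tunnel.
local samples = {
  { "HTTP/1.0 200 OK\r\n\r\n",                 true  }, -- Ncat style
  { "HTTP/1.1 200 Tunnel established\r\n\r\n", true  }, -- Polipo style
  { "HTTP/1.1 403 Forbidden\r\n\r\n",          false }, -- refused by proxy
  { "SSH-2.0-OpenSSH_5.1\r\n",                 false }, -- not HTTP at all
}

for _, sample in ipairs(samples) do
  assert(connect_succeeded(sample[1]) == sample[2],
         "unexpected result for reply: " .. sample[1])
end
print("all CONNECT status-line checks passed")
```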
Current thread:
- Scripts for proxy detection Joao Correa (May 23)
- Re: Scripts for proxy detection David Fifield (May 26)
- Re: Scripts for proxy detection Joao Correa (May 26)
- Re: Scripts for proxy detection Joao Correa (May 28)
- Re: Scripts for proxy detection DePriest, Jason R. (May 28)
- Re: Scripts for proxy detection David Fifield (Jun 01)
- Re: Scripts for proxy detection David Fifield (Jun 01)
- Re: Scripts for proxy detection Joao Correa (Jun 02)
- Re: Scripts for proxy detection Joao Correa (Jun 09)
- Re: Scripts for proxy detection David Fifield (Jun 09)
- Re: Scripts for proxy detection Joao Correa (May 26)
- Re: Scripts for proxy detection David Fifield (May 26)