Re: ncat - proxy behavior / dns lookup / bug?

[David Fifield <david () bamsoftware com>]

On Thu, Jun 14, 2012 at 06:25:24PM +0200, Florian Roth wrote:
> Recently I carried out of an audit at a client's network in which I
> tried to connect trough the clients proxy server (HTTP, HTTPS) to
> another ncat instance running on a remote server.
> Workstations in the clients internal network cannot resolve host names
> located in the Internet. The internal DNS only resolves internal host
> names. I though - wow, cool, ok, it's safer that way. But than I
> noticed that ncat tries to resolve the DNS addresses given as
> parameters and fails.
>
> ncat --proxy proxy.company.net:8080 www.web.de 80
> .. cannot resolve www.web.de ...
>
> Therefore I tried this
>
> ncat --nodns --proxy 10.1.1.250:8080 www.web.de 80
> .. cannot resolve www.web.de ...
>
> I tried to connect to the IP but the proxy was configured to deny all
> requests made to IP addresses.
>
> My final impression is that this is a bug, because ncat should not try
> to resolve the host name to an IP address before sending the request
> to the proxy server.
> It should be the task of the proxy server to resolve the IP.

I agree that Ncat shoud use the proxy to resolve the name when possible.
According to my understanding, this is possible with SOCKS4a, SOCKS5,
and HTTP proxies, but not SOCKS4.

This would require some changes to the structure of the code, because if
I remember correctly, Ncat resolves the destination address shortly
after option parsing.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/