Nmap Development mailing list archives
SOCKS4a Project Progress
From: Andrew Jason Farabee <afarabee () uci edu>
Date: Sun, 7 Jun 2015 07:48:17 -0700
Hi all,

I’ve finally gotten an nsock socks4a proxy proof of concept working. I was in a rush, so there are a lot of parts that should be refactored if we decide to keep them. All of the files involved can be found in https://svn.nmap.org/nmap-exp/pasca1/nmap-nse-socks4a/

Socks4a requires nsock to open a connection with the socks4a server, send a packet requesting to open a tunnel to an included URI, and then transmit and listen to any additional data using the socks4a server IP/port in place of the target IP/port.

There is currently no scanning engine associated with the socks4a functionality, so the proof of concept requires a few workarounds. First, I modified the http-title script as http-title-hostrule to always attempt to grab the title tags on port 80 in order to test socks4a functionality. The options -n -Pn and -sn must also be set in order to prevent DNS resolution, probing, and scanning, since ideally we would not want any packets sent outside of the socks4a tunnel. Note that l_connect is currently performing hostname resolution.

The full command I have been using in combination with an ssh socks4a server (“ssh -D 8080 127.0.0.1”) is:

    ./nmap --script http-title-hostrule --proxy socks4a://127.0.0.1:8080 scanme.nmap.org -n -Pn -sn

In order to test http-title-hostrule on a tor hidden service, the hidden server name must be included in /etc/hosts. A typical entry would look like this:

    127.0.0.1 localhost
    127.0.0.1 74ypjqjwf6oejmax.onion

This hosts file will be used before typical DNS authoritative resolution, allowing nmap to resolve the .onion name to an address in order to continue to the socks4a connection and script execution. Tor must be running on the local machine for this to work, and the default outgoing port for the tor client is 9050.

The output looks like this:

    Starting Nmap 6.47SVN ( http://nmap.org ) at 2015-06-07 07:34 PDT
    Nmap scan report for 74ypjqjwf6oejmax.onion (127.0.0.1)
    Host is up.
    Host script results:
    |_http-title-hostrule: Beneath VT – Exploring Virginia Tech's steam tunnels and...
    Nmap done: 1 IP address (1 host up) scanned in 1.26 seconds

If you run into any difficulties getting this proof of concept to work, please let me know. I will be sending an email soon with a description of issues that still need to be solved in order to move this project forward and some of the reasons behind the current implementation decisions. I would really appreciate any feedback.

Thank you,
Andrew
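To make the tunnel-opening exchange described in the message concrete, here is an added example in Python (not part of Andrew's proof of concept, nor of Nmap's nsock): it builds the SOCKS4a CONNECT request with the hostname carried inside the packet, so the proxy (ssh -D, the Tor client) does the name resolution and no DNS query has to leave the local machine, and it parses the proxy's 8-byte reply. The function names, the `proxy=(host, port)` tuple and the constructed test bytes are assumptions of this example.

```python
import socket
import struct

REPLY_CODES = {0x5A: "granted", 0x5B: "rejected or failed",
               0x5C: "identd unreachable", 0x5D: "identd user mismatch"}

def build_socks4a_connect(host: str, port: int, userid: str = "") -> bytes:
    """Request: VN=4 | CD=1 (CONNECT) | DSTPORT | DSTIP | USERID NUL | HOSTNAME NUL.
    DSTIP 0.0.0.1 is the SOCKS4a marker: the proxy (ssh -D, the Tor client) resolves
    the trailing hostname itself, so no DNS query for a .onion name leaves this host."""
    name = host.encode("ascii")
    if not 0 < port < 65536 or b"\x00" in name or not 0 < len(name) <= 255:
        raise ValueError("bad port or hostname")
    return (struct.pack("!BBH", 4, 1, port) + b"\x00\x00\x00\x01"
            + userid.encode("ascii") + b"\x00" + name + b"\x00")

def parse_socks4a_reply(data: bytes) -> dict:
    """Fixed 8-byte reply: VN=0 | CD | DSTPORT | DSTIP (CD 0x5A means granted)."""
    if len(data) < 8:
        raise ValueError("short reply")
    vn, cd, port = struct.unpack("!BBH", data[:4])
    if vn != 0:
        raise ValueError("unexpected reply version %d" % vn)
    return {"granted": cd == 0x5A, "code": cd, "port": port,
            "status": REPLY_CODES.get(cd, "unknown"),
            "ip": socket.inet_ntoa(data[4:8])}

def recv_exact(sock, n: int) -> bytes:
    """The reply may arrive in pieces; keep reading until n bytes are in hand."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed before replying")
        buf += chunk
    return buf

def connect_via_socks4a(proxy, dest_host: str, dest_port: int, timeout=10.0):
    """Open a tunnel through proxy=(host, port); the returned socket then stands in for the target."""
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        sock.sendall(build_socks4a_connect(dest_host, dest_port))
        result = parse_socks4a_reply(recv_exact(sock, 8))
        if not result["granted"]:
            raise ConnectionError("tunnel refused: " + result["status"])
        return sock
    except Exception:
        sock.close()
        raise
```

With the ssh socks4a server from the message running, `connect_via_socks4a(("127.0.0.1", 8080), "scanme.nmap.org", 80)` returns a socket on which the HTTP request can be sent directly; every byte after the reply travels through the tunnel.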
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/