Nmap Development mailing list archives

SOCKS4a Project Progress


From: Andrew Jason Farabee <afarabee () uci edu>
Date: Sun, 7 Jun 2015 07:48:17 -0700

Hi all,


I’ve finally gotten an nsock socks4a proxy proof of concept working.  I was
in a rush, so there are a lot of parts that should be refactored if we
decide to keep them.  All of the files involved can be found in
https://svn.nmap.org/nmap-exp/pasca1/nmap-nse-socks4a/

Socks4a requires nsock to open a connection with the socks4a server, send a
packet requesting to open a tunnel to an included URI, and then transmit
and listen to any additional data using the socks4a server IP/port in place
of the target IP/port.

There is currently no scanning engine associated with the socks4a
functionality, so the proof of concept requires a few workarounds.  First,
I modified the http-title script as http-title-hostrule to always attempt
to grab the title tags on port 80 in order to test socks4a functionality.
The options -n -Pn and -sn must also be set in order to prevent DNS
resolution, probing, and scanning, since ideally we would not want any
packets sent outside of the socks4a tunnel.  Note that l_connect is
currently performing hostname resolution.

The full command I have been using in combination with an ssh socks4a
server (“ssh -D 8080 127.0.0.1”) is:

./nmap --script http-title-hostrule --proxy socks4a://127.0.0.1:8080
scanme.nmap.org -n -Pn -sn

In order to test http-title-hostrule on a tor hidden service, the hidden
server name must be included in /etc/hosts.  A typical entry would look
like this:

127.0.0.1 localhost
127.0.0.1 74ypjqjwf6oejmax.onion

This hosts file will be used before typical DNS authoritative resolution,
allowing nmap to resolve the .onion name to an address in order to continue
to the socks4a connection and script execution.  Tor must be running on the
local machine for this to work, and the default outgoing port for the tor
client is 9050. The output looks like this:

Starting Nmap 6.47SVN ( http://nmap.org ) at 2015-06-07 07:34 PDT
Nmap scan report for 74ypjqjwf6oejmax.onion (127.0.0.1)
Host is up.
Host script results:
|_http-title-hostrule: Beneath VT &ndash; Exploring Virginia Tech's steam
tunnels and...
Nmap done: 1 IP address (1 host up) scanned in 1.26 seconds


If you run into any difficulties getting this proof of concept to work,
please let me know.  I will be sending an email soon with a description of
issues that still need to be solved in order to move this project forward
and some of the reasons behind the current implementation decisions.  I
would really appreciate any feedback.

Thank you,
Andrew
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
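The SOCKS4a exchange the post describes (connect to the proxy, send a CONNECT request carrying the hostname so the proxy resolves it, read the reply), as an added example that is not part of the original message or of the nsock code in the linked branch. It builds and decodes the request, distinguishes plain SOCKS4 (IP supplied) from SOCKS4a (0.0.0.x plus hostname), and parses the proxy's 8-byte reply; all sample bytes are constructed.

```python
import socket
import struct

SOCKS_VERSION = 4
CMD_CONNECT = 0x01
# Reply codes defined by the SOCKS4 protocol (shared by SOCKS4a)
REPLY_TEXT = {
    0x5A: "request granted",
    0x5B: "request rejected or failed",
    0x5C: "rejected: client identd unreachable",
    0x5D: "rejected: identd user-id mismatch",
}

def build_connect_request(hostname, port, userid=""):
    """Build the SOCKS4a CONNECT packet sent right after the TCP connect to the proxy.

    Layout: VN=4 | CD=1 | DSTPORT (2 bytes) | DSTIP=0.0.0.1 | USERID NUL | HOSTNAME NUL
    The 0.0.0.x address tells a SOCKS4a server to resolve HOSTNAME itself, so the
    client emits no DNS query for it (the reason -n matters in the post above).
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    header = struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, port, b"\x00\x00\x00\x01")
    return header + userid.encode("ascii") + b"\x00" + hostname.encode("ascii") + b"\x00"

def parse_connect_request(data):
    """Decode a SOCKS4/4a CONNECT request; returns (dest, port, userid, is_socks4a)."""
    if len(data) < 9 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS4 CONNECT request")
    port, ip = struct.unpack("!H4s", data[2:8])
    fields = data[8:].split(b"\x00")  # USERID [, HOSTNAME], then a trailing empty field
    userid = fields[0].decode("ascii")
    is_4a = ip[:3] == b"\x00\x00\x00" and ip[3] != 0
    if is_4a:
        if len(fields) < 3:
            raise ValueError("SOCKS4a request missing hostname")
        return fields[1].decode("ascii"), port, userid, True
    return socket.inet_ntoa(ip), port, userid, False

def parse_reply(data):
    """Decode the 8-byte proxy reply: VN=0 | CD | DSTPORT | DSTIP. Returns (granted, reason, port, ip)."""
    if len(data) < 8:
        raise ValueError("short SOCKS4 reply")
    vn, cd, port, ip = struct.unpack("!BBH4s", data[:8])
    if vn != 0:
        raise ValueError("bad reply version %d" % vn)
    return cd == 0x5A, REPLY_TEXT.get(cd, "unknown reply code 0x%02x" % cd), port, socket.inet_ntoa(ip)

if __name__ == "__main__":
    req = build_connect_request("scanme.nmap.org", 80)
    print(req.hex(), parse_connect_request(req))
    # Constructed sample reply: request granted, proxy reports 127.0.0.1:80
    print(parse_reply(b"\x00\x5a\x00\x50\x7f\x00\x00\x01"))
```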
