Nmap Development mailing list archives

Re: Nmap proxy auth support, masking --proxies auth command-line data?


From: Andrew Jason Farabee <afarabee () uci edu>
Date: Sun, 19 Jul 2015 05:54:48 -0700

Okay, I think I understand how I would implement masking from within
ncat, I'll have to look into how large of a footprint the patch would
have to have in order to mask the username and password in nmap or if
the memory passed to nsock_proxychain_new() from nmap is already a direct
reference to argv.  I really like your idea btw, my first ideas for
this were way too complicated (I remembered a program I used that had
the user encrypt their password with a different program before using
the ciphertext in the command line).

I do have a secwiki account already, do you recommend documenting this
there for now?  I started posting tests for other patches on my gist
for now.  Sorry I haven't really documented things yet, I was trying
to get as much working as possible today.  I'm currently working on
http proxy authentication, so hopefully once that is done I can re-run
ncat-test.pl and check those tests that were failing.

As for your questions, right now it does not attempt anonymous
authentication first, do you think there would be benefit to attempt
to connect without authentication first? I should look into the ncat
trunk authentication methods to see what the existing behavior is
(it's probably best for now if I try to change as little as possible).
I've been testing it with wireshark, valgrind, and gdb for now and
everything looks good so far.

Thanks for the feedback!

Andrew

On Sun, Jul 19, 2015 at 4:41 AM, Jacek Wielemborek <d33tah () gmail com> wrote:
(see message below)

W dniu 19.07.2015 o 12:44, commit-mailer () nmap org pisze:
Author: andrew
Date: Sun Jul 19 10:44:13 2015
New Revision: 34931

Log:
Added basic support for sending out user id in socks4a initialization packets.

Modified:
   nmap-exp/pasca1/nmap-ncat-socks4a/nsock/src/proxy_socks4.c

Modified: nmap-exp/pasca1/nmap-ncat-socks4a/nsock/src/proxy_socks4.c
==============================================================================
--- nmap-exp/pasca1/nmap-ncat-socks4a/nsock/src/proxy_socks4.c        (original)
+++ nmap-exp/pasca1/nmap-ncat-socks4a/nsock/src/proxy_socks4.c        Sun Jul 19 10:44:13 2015
@@ -195,6 +195,7 @@

     nsock_write(nsp, (nsock_iod)nse->iod, nsock_proxy_ev_dispatch, timeout, udata,
                 outgoing, outgoing_len);
+    free(outgoing);
   } else {
     nsock_write(nsp, (nsock_iod)nse->iod, nsock_proxy_ev_dispatch, timeout, udata,
                 (char *)&socks4, sizeof(struct socks4_data));
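Review bot: the `free(outgoing)` added after `nsock_write()` in the first branch is only correct if `nsock_write()` copies the payload into the event's own buffer before returning (it does, in nsock_core.c, via the event's iobuf), and nothing in this hunk says so; a one-line comment above the `free()` would save the next reader from suspecting a use-after-free on the in-flight write. The `else` branch writes from the stack `socks4` struct and correctly needs no free.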
@@ -214,9 +215,9 @@
   struct proxy_node *next;
   struct socks4_data socks4a;
   size_t outgoing_len = sizeof(struct socks4_data) + target_name_len + sizeof(uint8_t);
-  uint8_t *outgoing = safe_zalloc(outgoing_len);
-  char nullbyte = '\0';
+  uint8_t *outgoing;
   int timeout;
+  int user_len = 0;

   px_ctx->px_state = PROXY_STATE_SOCKS4_TCP_CONNECTED;

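Review bot: `user_len` is declared `int` but receives the result of `strlen()` and is later added to `size_t` lengths and pointer offsets; declare it `size_t` to avoid the signed/unsigned mix. Also, `outgoing_len` keeps its no-user initializer here (`sizeof(struct socks4_data) + target_name_len + sizeof(uint8_t)`) and is conditionally recomputed in the next hunk with `sizeof(socks4a) + target_name_len + user_len + 1`; the two forms agree, but computing the length once after the user check, in one form, would make the packet layout easier to verify.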
@@ -231,11 +232,19 @@

   timeout = TIMEVAL_MSEC_SUBTRACT(nse->timeout, nsock_tod);

+  if (px_ctx->px_current->user) {
+    user_len = strlen(px_ctx->px_current->user);
+    outgoing_len = sizeof(socks4a) + target_name_len + user_len + 1;
+  }
+  outgoing = safe_zalloc(outgoing_len);
+
   /* Copy contents of socks4a data packet into memory */
-  memcpy(outgoing, &socks4a, sizeof(struct socks4_data));
-  memcpy(outgoing + sizeof(struct socks4_data), target_name, target_name_len);
-  memcpy(outgoing + sizeof(struct socks4_data) + target_name_len, &nullbyte,
-         sizeof(uint8_t));
+  memcpy(outgoing, &socks4a, sizeof(socks4a));
+  /* If user id is supplied, overwrite the last null byte of socks4_data and
+   * include the last null byte in the user id string. */
+  if (user_len)
+    memcpy(outgoing + sizeof(socks4a) - 1, px_ctx->px_current->user, user_len + 1);
+  memcpy(outgoing + sizeof(socks4a) + user_len, target_name, target_name_len + 1);

   nsock_write(nsp, (nsock_iod)nse->iod, nsock_proxy_ev_dispatch, timeout, udata,
               (char *)outgoing, outgoing_len);
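Review bot: the new final `memcpy(..., target_name, target_name_len + 1)` reads `target_name[target_name_len]` and so relies on `target_name` being NUL-terminated at exactly that index, whereas the removed code read only `target_name_len` bytes and wrote the terminator itself from `nullbyte`; either keep the explicit terminator write or document the NUL-termination requirement at the call site. The layout otherwise checks out: the user id starts at `sizeof(socks4a) - 1` (overwriting the struct's own trailing NUL) and occupies `user_len + 1` bytes, and the hostname follows at `sizeof(socks4a) + user_len`, which matches `outgoing_len`. One more thing: this hunk's `nsock_write()` of `outgoing` has no `free()` in the visible context, unlike the first hunk; confirm the buffer is released after the write.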

_______________________________________________
Sent through the svn mailing list
http://nmap.org/mailman/listinfo/svn


Hello,

I like the progress! Just to make sure though - how are you testing your
implementation, could you document it somewhere? If you don't have a
secwiki.org account, it's a good moment to create it as it might take
some time to get your account approved.

Also, how exactly does it behave? Do we assume that if username and
password are specified, we'll jump right to authenticating without
trying anonymous access first? This is the kind of behavior that I find
worth documenting.

There's one thing I am a tad worried about - if you specify username and
password in --proxies, it's visible to all other users of this system in
the results of the "ps" command. While IMHO it's a bad security practice
to allow regular users to see command line options of processes that belong
to other users and it's not default on CentOS systems and the like,
Debian defaults are not as forgiving there. It might make sense to
remove the logins and passwords from the argv (though I'd rather wait
for somebody else to comment on this). Here's what I would propose:

1. In nsock_proxychain_new(), add a new bool argument that says whether
we request to mask out the login and password,
2. Make sure calls to this function in ncat and nmap (there are just two
single ones) operate on memory that points to argv or find the relevant
string in argv.

It's not trivial and might not be worth it - two other options are to not
worry about it (though it's ABSOLUTELY NECESSARY to mention this
possible security problem in the documentation) and to add a new
command-line option that would read the --proxies value from a file
(should be much simpler to implement).

What do you think?

Cheers,
d33tah

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
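As an added illustration of the argv-masking idea proposed in the message above (not code from ncat, nmap or the thread), the C program below scrubs the "user:password" part of every proxy URL given to --proxies in place, so that a later read of /proc/<pid>/cmdline by another user's "ps" sees only placeholder bytes. It assumes a simplified option syntax, a comma-separated list of URLs of the form scheme://[user:pass@]host[:port], which is an assumption of this example rather than the real ncat grammar; the sample command line is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration of the argv-scrubbing idea from the thread; this is
 * not ncat/nmap code.  It assumes --proxies takes a comma-separated list
 * of URLs of the form scheme://[user:pass@]host[:port], a simplification
 * of the real option syntax. */

/* Overwrite the userinfo ("user:pass") of one proxy URL in place and
 * return how many bytes were masked (0 when the URL carries none). */
size_t mask_proxy_userinfo(char *url)
{
    char *start = strstr(url, "://");
    start = start ? start + 3 : url;
    char *at = strchr(start, '@');
    char *slash = strchr(start, '/');
    /* An '@' after the first '/' belongs to the path, not to userinfo. */
    if (at == NULL || (slash != NULL && slash < at))
        return 0;
    size_t n = (size_t)(at - start);
    memset(start, 'x', n);   /* keep the length so argv stays well-formed */
    return n;
}

/* Scan argv for "--proxies=VALUE" and "--proxies VALUE" and mask the
 * userinfo of every comma-separated entry.  Call this after the original
 * values have been copied (e.g. into the proxy chain) and before any
 * long-running work, since /proc/<pid>/cmdline mirrors this memory. */
size_t mask_proxies_argv(int argc, char **argv)
{
    size_t total = 0;
    for (int i = 1; i < argc; i++) {
        char *value = NULL;
        if (strncmp(argv[i], "--proxies=", 10) == 0)
            value = argv[i] + 10;
        else if (strcmp(argv[i], "--proxies") == 0 && i + 1 < argc)
            value = argv[++i];
        if (value == NULL)
            continue;
        char *entry = value;
        while (entry != NULL && *entry != '\0') {
            char *comma = strchr(entry, ',');
            if (comma != NULL)
                *comma = '\0';          /* isolate the entry for strchr() */
            total += mask_proxy_userinfo(entry);
            if (comma != NULL) {
                *comma = ',';           /* restore the separator */
                entry = comma + 1;
            } else {
                entry = NULL;
            }
        }
    }
    return total;
}

int main(void)
{
    /* Constructed sample command line; plain arrays so they are writable. */
    char a0[] = "ncat";
    char a1[] = "--proxies=socks4://alice:s3cret@proxy.example:1080,http://10.0.0.1:8080";
    char a2[] = "target.example";
    char *argv[] = { a0, a1, a2 };
    printf("before: %s\n", a1);
    size_t n = mask_proxies_argv(3, argv);
    printf("after:  %s (%zu bytes masked)\n", a1, n);
    return 0;
}
```

Two caveats a practitioner would want alongside this: the credentials are still readable between exec() and the scrub, so the scrub belongs as early in option parsing as possible; and overwriting argv in place is the Linux behaviour (cmdline is read from the process's own memory), while some other kernels expose a copy taken at exec time, so the file-based --proxies option Jacek mentions remains the more portable fix.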
