Nmap Development mailing list archives
CALL FOR TESTING: new port scanning subsystem (allows scanning behind proxies, including Tor!)
From: Jacek Wielemborek <d33tah () gmail com>
Date: Fri, 03 Jul 2015 14:24:27 +0200
List,

(TL;DR: Just perform "BUILDING INSTRUCTIONS" and let me know if it worked on your system.)

A few days ago [1][2] I mentioned that I was working on a modification to Nmap's port scanning engine that would - among other things - allow scanning behind proxies. I had a few issues with the code that I needed to work on, mostly memory errors causing crashes. Right now, I am happy to announce that this branch is ready for beta testing and I'm looking for volunteers to help me with this task. Hopefully all the major bugs were shaken out and the code could be integrated soon.

======================== BUILDING INSTRUCTIONS =========================

This is the same as in [1]:

1. Pull my nmap-nsock-ultrascan branch:

svn co https://svn.nmap.org/nmap-exp/d33tah/nmap-nsock-ultrascan

2. Enter the nmap-nsock-ultrascan directory and build Nmap:

cd nmap-nsock-ultrascan ; ./configure && make

3. If all went well, try a simple -sT scan:

./nmap -sT scanme.nmap.org

========================== HOW TO TEST IT ==============================

Apart from the simple -sT scan I mentioned in step 3 of "BUILDING INSTRUCTIONS", I would definitely welcome trying out more complicated test scenarios.

One of the features that my modifications enable is performing port scanning behind proxies. I only scanned it using the SOCKS4 server built into Tor - to repeat that, you can run the "tor" command in the background and execute the following line to scan scanme.nmap.org:

./nmap -sT --proxy socks4://localhost:9050 scanme.nmap.org

The first segfaults were found and fixed thanks to stress testing I performed by adding "-p-" to the command, which scans all possible TCP ports, and running this command in a loop. Note that this can sometimes take an incredibly long time - probably due to the "rate limiting detection" feature, the scanning can slow down to as little as a probe per second, which would make a -p- scan take 18 hours. This is why I also tried --top-ports=10000, which has lower chances of behaving this way.

If you run across an error (segmentation fault, assertion error or something else), it would be perfect if you could recompile Nmap with debugging support, add -d9 to the command line and run the command within a diagnostic tool such as gdb or valgrind. Here's how I did this:

CXXFLAGS="-ggdb -O0" CFLAGS="-ggdb -O0" ./configure && make
valgrind ./nmap -sT scanme.nmap.org -d9 -p- >log 2>&1

I haven't tested proxy chain support or various command-line switches. I did very little testing outside of Tor. It might also be a good idea to scan multiple targets and try an -iR scan - I tried neither of those. Also, please pay attention to scan timing - if the scan is much slower or faster than the old Nmap mechanism, this is a red flag that I would like to know about.

Please do note that even though port scanning within Tor is possible, you cannot scan .onion names due to the lack of SOCKS4A support. Also, the changes should only affect the -sT connect() scan, so don't expect any improvements while trying to perform SYN scanning or any other non-connect() techniques, such as UDP/SCTP/protocol scans.

===================== FEEDBACK & LOOKING FOR BUGS ======================

Any feedback is welcome! If you just built it and ran step 3 of "BUILDING INSTRUCTIONS" successfully, this is already some good news I'd love to hear. Please mention what system you used, this might prove to be useful information as well. If you ran into any errors, please tell me how I could reproduce them (what command you ran) and what system you used. If you could take some time and run through my comments in "HOW TO TEST IT", your report would be even better.

Thanks in advance!

Cheers,
d33tah

[1] http://seclists.org/nmap-dev/2015/q2/374
[2] http://seclists.org/nmap-dev/2015/q3/0
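The message above relies on two protocol facts that are easy to get wrong when scanning through a SOCKS proxy: a plain SOCKS4 CONNECT carries only a 4-byte IPv4 destination (so the client must resolve the name itself, which is why .onion targets need the SOCKS4A hostname extension), and the proxy's 8-byte reply reports only "granted" or "rejected", with no errno. The example below, added here and not taken from the branch or from Nmap's nsock code, builds both request forms, parses the reply, and maps it onto the port state a connect() scan through a proxy can actually report. The byte strings in the tests are constructed by hand; the `scan_port_via_socks4` helper is an assumption about how one would drive a live Tor SOCKS port (default 9050) and is not exercised offline.

```python
import socket
import struct

SOCKS4_VERSION = 4
SOCKS4_CMD_CONNECT = 1

# Reply codes defined by the SOCKS4 protocol (second byte of the 8-byte reply).
SOCKS4_REPLY = {
    90: "request granted",
    91: "request rejected or failed",
    92: "rejected: client identd not reachable",
    93: "rejected: identd user-id mismatch",
}


def _is_ipv4_literal(text: str) -> bool:
    try:
        socket.inet_aton(text)
    except OSError:
        return False
    return text.count(".") == 3


def build_socks4_connect(dst_ip: str, dst_port: int, userid: bytes = b"nmap") -> bytes:
    """Plain SOCKS4 CONNECT. The wire format has room only for an IPv4 address,
    so a hostname (e.g. something.onion) cannot be expressed at all."""
    if not _is_ipv4_literal(dst_ip):
        raise ValueError(f"SOCKS4 needs an IPv4 literal, got {dst_ip!r}; use SOCKS4A")
    header = struct.pack("!BBH", SOCKS4_VERSION, SOCKS4_CMD_CONNECT, dst_port)
    return header + socket.inet_aton(dst_ip) + userid + b"\x00"


def build_socks4a_connect(hostname: str, dst_port: int, userid: bytes = b"nmap") -> bytes:
    """SOCKS4A CONNECT: DSTIP is set to 0.0.0.x (x != 0) and the hostname follows
    the NUL-terminated userid, so the proxy (Tor) resolves the name itself."""
    header = struct.pack("!BBH", SOCKS4_VERSION, SOCKS4_CMD_CONNECT, dst_port)
    return header + bytes([0, 0, 0, 1]) + userid + b"\x00" + hostname.encode("ascii") + b"\x00"


def parse_socks4_reply(data: bytes) -> dict:
    """Decode the fixed 8-byte reply: VN (always 0), CD, DSTPORT, DSTIP."""
    if len(data) < 8:
        raise ValueError("short SOCKS4 reply")
    vn, cd, port = struct.unpack("!BBH", data[:4])
    if vn != 0:
        raise ValueError(f"unexpected reply version byte {vn}")
    return {
        "granted": cd == 90,
        "code": cd,
        "reason": SOCKS4_REPLY.get(cd, "unknown"),
        "bind_port": port,
        "bind_ip": socket.inet_ntoa(data[4:8]),
    }


def port_state_from_reply(reply: dict) -> str:
    """A granted request means the proxy completed a TCP handshake with the
    target, so the port is open. A rejection only says the proxy could not
    connect; SOCKS4 does not relay RST vs. timeout, so closed and filtered
    collapse into one state when scanning through a proxy."""
    return "open" if reply["granted"] else "closed|filtered"


def scan_port_via_socks4(proxy_host: str, proxy_port: int, dst_ip: str,
                         dst_port: int, timeout: float = 10.0) -> str:
    """Assumed usage against a live SOCKS4 proxy such as Tor on localhost:9050.
    Not run in the offline test; shown to tie the pieces together."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_socks4_connect(dst_ip, dst_port))
        data = b""
        while len(data) < 8:
            chunk = s.recv(8 - len(data))
            if not chunk:
                raise ConnectionError("proxy closed the connection before replying")
            data += chunk
    return port_state_from_reply(parse_socks4_reply(data))
```

Because the proxy answers with a single code, a scan through Tor cannot distinguish a closed port from a filtered one the way a direct connect() scan does via ECONNREFUSED versus a timeout; timing is also governed by the proxy rather than by the target, which is one reason to watch scan duration as the message asks.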
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- CALL FOR TESTING: new port scanning subsystem (allows scanning behind proxies, including Tor!) Jacek Wielemborek (Jul 03)
- Re: [tor-talk] Fwd: CALL FOR TESTING: new port scanning subsystem (allows scanning behind proxies, including Tor!) Jacek Wielemborek (Jul 03)
- Re: [tor-talk] Fwd: CALL FOR TESTING: new port scanning subsystem (allows scanning behind proxies, including Tor!) Jasey DePriest (Jul 03)
- Re: [tor-talk] Fwd: CALL FOR TESTING: new port scanning subsystem (allows scanning behind proxies, including Tor!) Daniel Miller (Jul 03)
- Re: [tor-talk] Fwd: CALL FOR TESTING: new port scanning subsystem (allows scanning behind proxies, including Tor!) David Fifield (Jul 04)
- Re: CALL FOR TESTING: new port scanning subsystem (allows scanning behind proxies, including Tor!) David Fifield (Jul 04)
- Re: CALL FOR TESTING: new port scanning subsystem (allows scanning behind proxies, including Tor!) Jacek Wielemborek (Jul 04)
- Re: CALL FOR TESTING: new port scanning subsystem (allows scanning behind proxies, including Tor!) David Fifield (Jul 04)
- Re: CALL FOR TESTING: new port scanning subsystem (allows scanning behind proxies, including Tor!) Jacek Wielemborek (Jul 14)
- Re: CALL FOR TESTING: new port scanning subsystem (allows scanning behind proxies, including Tor!) Jacek Wielemborek (Jul 04)
- Re: CALL FOR TESTING: new port scanning subsystem (allows scanning behind proxies, including Tor!) David Fifield (Jul 04)
- Re: CALL FOR TESTING: new port scanning subsystem (allows scanning behind proxies, including Tor!) Jacek Wielemborek (Jul 04)