Nmap Development mailing list archives

Re: GSoC idea for ambitious students: making Nmap port-scan behind proxies!


From: David Fifield <david () bamsoftware com>
Date: Fri, 18 Mar 2016 22:06:30 -0700

On Wed, Mar 02, 2016 at 04:28:29PM +0100, Jacek Wielemborek wrote:
> Jacek "d33tah" Wielemborek here - last year I mentored an Nmap GSoC
> project related to enhancing Nmap proxy capabilities. My little dream is
> to have a reliable way to port scan services using Nmap and thought I'd
> reach out to potential GSoC students in hope that one of you could help
> us get there :)
>
> Last year I posted a call for testing [1] related to my small patch [2]
> that basically replaced all connect() calls with their counterparts that
> use Nsock. This - at least in theory - should make it easy to use Nmap's
> port scanning engine with proxies since Nsock abstracts away the heavy
> lifting associated with making proxy connections.
>
> Unfortunately, even though the patch is just "243 additions and 206
> deletions", somehow a bug crept in. To be honest I'm not yet sure what
> actually happened - a good starting point would be David's post about
> the false negatives the patch generates [3].

To be fair, I was the only one who responded to your call for testing.
Maybe my network was having a bad day, or something. It would be helpful
to get more results.

I tried it again today (r34821) from a university connection and got
more favorable results.

nmap-nsock-ultrascan r34821
-sT, no proxy   4 open, 991 closed, 5 filtered    1.92 seconds
-sT, Tor proxy  4 open, 996 closed|filtered     388.25 seconds
-sS             4 open, 991 closed, 5 filtered   88.53 seconds

nmap-master r35713
-sT, no proxy   4 open, 991 closed, 5 filtered    1.27 seconds
-sS             4 open, 991 closed, 5 filtered   88.13 seconds

I don't know why the SYN scan is taking so long, but it's doing it in
both branches, so it's probably not related to your patch.
# Nmap 6.49SVN scan initiated Fri Mar 18 21:38:16 2016 as: ./nmap -sT scanme.nmap.org
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.0079s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 991 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
161/tcp   filtered snmp
445/tcp   filtered microsoft-ds
593/tcp   filtered http-rpc-epmap
9929/tcp  open     nping-echo
31337/tcp open     Elite

# Nmap done at Fri Mar 18 21:38:18 2016 -- 1 IP address (1 host up) scanned in 1.92 seconds


# Nmap 6.49SVN scan initiated Fri Mar 18 21:39:13 2016 as: ./nmap -Pn -sT --proxy socks4://127.0.0.1:9050 scanme.nmap.org
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.45s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 996 closed|filtered ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
9929/tcp  open  nping-echo
31337/tcp open  Elite

# Nmap done at Fri Mar 18 21:45:41 2016 -- 1 IP address (1 host up) scanned in 388.25 seconds


# Nmap 6.49SVN scan initiated Fri Mar 18 21:46:17 2016 as: ./nmap -sS scanme.nmap.org
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.0040s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 991 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
161/tcp   filtered snmp
445/tcp   filtered microsoft-ds
593/tcp   filtered http-rpc-epmap
9929/tcp  open     nping-echo
31337/tcp open     Elite

# Nmap done at Fri Mar 18 21:47:46 2016 -- 1 IP address (1 host up) scanned in 88.53 seconds


# Nmap 7.10SVN scan initiated Fri Mar 18 21:50:11 2016 as: ./nmap -sT scanme.nmap.org
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.0090s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 991 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
161/tcp   filtered snmp
445/tcp   filtered microsoft-ds
593/tcp   filtered http-rpc-epmap
9929/tcp  open     nping-echo
31337/tcp open     Elite

# Nmap done at Fri Mar 18 21:50:12 2016 -- 1 IP address (1 host up) scanned in 1.27 seconds


# Nmap 7.10SVN scan initiated Fri Mar 18 21:50:33 2016 as: ./nmap -sS scanme.nmap.org
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.0045s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 991 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
161/tcp   filtered snmp
445/tcp   filtered microsoft-ds
593/tcp   filtered http-rpc-epmap
9929/tcp  open     nping-echo
31337/tcp open     Elite

# Nmap done at Fri Mar 18 21:52:01 2016 -- 1 IP address (1 host up) scanned in 88.13 seconds
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
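The comparison David does by hand above (baseline scan vs. the Nsock/proxy scan, looking for the false negatives Jacek's message refers to) can be automated. The following is an added example, not code from the thread or from Nmap itself: it parses the per-port lines of Nmap's normal output and classifies disagreements, treating a combined `closed|filtered` state as expected through a proxy rather than as a bug. The sample reports are constructed, trimmed to a few ports in the format shown in the scans above.

```python
import re

# Per-port lines of Nmap normal output, e.g. "22/tcp    open     ssh"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (\S+) ports")  # state of unlisted ports

def parse_report(text):
    """Return ({port: state}, state_of_unlisted_ports) from Nmap normal output."""
    states, default = {}, "unknown"
    for line in text.splitlines():
        m = NOT_SHOWN.match(line)
        if m:
            default = m.group(2)
            continue
        m = PORT_LINE.match(line)
        if m:
            states[int(m.group(1))] = m.group(3)
    return states, default

def compare_scans(baseline, candidate):
    """Classify per-port disagreements between a trusted baseline and a candidate scan.
    false_negative: open in baseline, not open in candidate (the bug class under test)
    false_positive: open in candidate only
    ambiguous: candidate gives a combined state (closed|filtered) where the baseline
               could tell; expected when scanning through a proxy, not a bug
    """
    b_states, b_default = parse_report(baseline)
    c_states, c_default = parse_report(candidate)
    out = {"false_negative": [], "false_positive": [], "ambiguous": []}
    for port in sorted(set(b_states) | set(c_states)):
        b = b_states.get(port, b_default)
        c = c_states.get(port, c_default)
        if b == "open" and c != "open":
            out["false_negative"].append(port)
        elif c == "open" and b != "open":
            out["false_positive"].append(port)
        elif "|" in c and c != b:
            out["ambiguous"].append(port)
    return out

# Constructed sample reports (not real scan output), a few ports each.
BASELINE = "Not shown: 991 closed ports\n22/tcp open ssh\n135/tcp filtered msrpc\n9929/tcp open nping-echo\n"
PROXIED_OK = "Not shown: 997 closed|filtered ports\n22/tcp open ssh\n9929/tcp open nping-echo\n"
PROXIED_BUGGY = "Not shown: 998 closed|filtered ports\n22/tcp open ssh\n"

if __name__ == "__main__":
    print(compare_scans(BASELINE, PROXIED_OK))     # ambiguous: [135], no false negatives
    print(compare_scans(BASELINE, PROXIED_BUGGY))  # false_negative: [9929]
```

Feeding it two `-oN` files from the same target (one from nmap-master, one from the patched branch) turns a testing report like the one above into a list of ports that need explaining.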