Nmap Development mailing list archives
Re: GSoC idea for ambitious students: making Nmap port-scan behind proxies!
From: David Fifield <david () bamsoftware com>
Date: Fri, 18 Mar 2016 22:06:30 -0700
On Wed, Mar 02, 2016 at 04:28:29PM +0100, Jacek Wielemborek wrote:
> Jacek "d33tah" Wielemborek here - last year I mentored an Nmap GSoC project related to enhancing Nmap proxy capabilities. My little dream is to have a reliable way to port scan services using Nmap and thought I'd reach out to potential GSoC students in hope that one of you could help us get there :) Last year I posted a call for testing [1] related to my small patch [2] that basically replaced all connect() calls with their counterparts that use Nsock. This - at least in theory - should make it easy to use Nmap's port scanning engine with proxies since Nsock abstracts away the heavy lifting associated with making proxy connections. Unfortunately, even though the patch is just "243 additions and 206 deletions", somehow a bug crept in. To be honest I'm not yet sure what actually happened - a good starting point would be David's post about the false negatives the patch generates [3].
To be fair, I was the only one who responded to your call for testing. Maybe my network was having a bad day, or something. It would be helpful to get more results. I tried it again today (r34821) from a university connection and got more favorable results.

nmap-nsock-ultrascan r34821
  -sT, no proxy    4 open, 991 closed, 5 filtered      1.92 seconds
  -sT, Tor proxy   4 open, 996 closed|filtered        388.25 seconds
  -sS              4 open, 991 closed, 5 filtered     88.53 seconds

nmap-master r35713
  -sT, no proxy    4 open, 991 closed, 5 filtered      1.27 seconds
  -sS              4 open, 991 closed, 5 filtered     88.13 seconds

I don't know why the SYN scan is taking so long, but it's doing it in both branches, so it's probably not related to your patch.

# Nmap 6.49SVN scan initiated Fri Mar 18 21:38:16 2016 as: ./nmap -sT scanme.nmap.org
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.0079s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 991 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
161/tcp   filtered snmp
445/tcp   filtered microsoft-ds
593/tcp   filtered http-rpc-epmap
9929/tcp  open     nping-echo
31337/tcp open     Elite
# Nmap done at Fri Mar 18 21:38:18 2016 -- 1 IP address (1 host up) scanned in 1.92 seconds

# Nmap 6.49SVN scan initiated Fri Mar 18 21:39:13 2016 as: ./nmap -Pn -sT --proxy socks4://127.0.0.1:9050 scanme.nmap.org
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.45s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 996 closed|filtered ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
9929/tcp  open  nping-echo
31337/tcp open  Elite
# Nmap done at Fri Mar 18 21:45:41 2016 -- 1 IP address (1 host up) scanned in 388.25 seconds

# Nmap 6.49SVN scan initiated Fri Mar 18 21:46:17 2016 as: ./nmap -sS scanme.nmap.org
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.0040s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 991 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
161/tcp   filtered snmp
445/tcp   filtered microsoft-ds
593/tcp   filtered http-rpc-epmap
9929/tcp  open     nping-echo
31337/tcp open     Elite
# Nmap done at Fri Mar 18 21:47:46 2016 -- 1 IP address (1 host up) scanned in 88.53 seconds

# Nmap 7.10SVN scan initiated Fri Mar 18 21:50:11 2016 as: ./nmap -sT scanme.nmap.org
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.0090s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 991 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
161/tcp   filtered snmp
445/tcp   filtered microsoft-ds
593/tcp   filtered http-rpc-epmap
9929/tcp  open     nping-echo
31337/tcp open     Elite
# Nmap done at Fri Mar 18 21:50:12 2016 -- 1 IP address (1 host up) scanned in 1.27 seconds

# Nmap 7.10SVN scan initiated Fri Mar 18 21:50:33 2016 as: ./nmap -sS scanme.nmap.org
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.0045s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 991 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
161/tcp   filtered snmp
445/tcp   filtered microsoft-ds
593/tcp   filtered http-rpc-epmap
9929/tcp  open     nping-echo
31337/tcp open     Elite
# Nmap done at Fri Mar 18 21:52:01 2016 -- 1 IP address (1 host up) scanned in 88.13 seconds

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
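One way to make a call for testing like this one easier to answer is to diff the scan outputs mechanically, so that a port that was open in the baseline run and vanished from the proxied run stands out as a false negative rather than being spotted by eye. The following Python script is an added example written for this archive page, not code from Nmap or from anyone in the thread. It parses the port table of Nmap's normal output, treats any port missing from the table as carrying that report's "Not shown" state (an assumption about how the table is abbreviated), and reports changed states, false negatives, and the slowdown factor. The embedded sample reports are constructed, abbreviated copies of the two 6.49SVN -sT runs quoted above.

```python
"""Compare two Nmap normal-output reports and flag false negatives.

Added example: parse_nmap_report() and diff_reports() are hypothetical
helper names, not Nmap functions. The sample reports are constructed
copies of the scans quoted in the thread, trimmed to the lines that
matter for the comparison.
"""
import re

# Constructed sample: the non-proxied -sT run (baseline).
BASELINE = """\
# Nmap 6.49SVN scan initiated Fri Mar 18 21:38:16 2016 as: ./nmap -sT scanme.nmap.org
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.0079s latency).
Not shown: 991 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
161/tcp   filtered snmp
445/tcp   filtered microsoft-ds
593/tcp   filtered http-rpc-epmap
9929/tcp  open     nping-echo
31337/tcp open     Elite
# Nmap done at Fri Mar 18 21:38:18 2016 -- 1 IP address (1 host up) scanned in 1.92 seconds
"""

# Constructed sample: the same scan through the Tor SOCKS proxy (candidate).
PROXIED = """\
# Nmap 6.49SVN scan initiated Fri Mar 18 21:39:13 2016 as: ./nmap -Pn -sT --proxy socks4://127.0.0.1:9050 scanme.nmap.org
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.45s latency).
Not shown: 996 closed|filtered ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
9929/tcp  open  nping-echo
31337/tcp open  Elite
# Nmap done at Fri Mar 18 21:45:41 2016 -- 1 IP address (1 host up) scanned in 388.25 seconds
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)")          # "22/tcp    open     ssh"
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (\S+) ports")  # "Not shown: 991 closed ports"
DONE_RE = re.compile(r"scanned in ([\d.]+) seconds")         # trailer line


def parse_nmap_report(text):
    """Return the per-port states, the "Not shown" (count, state) pair and the run time."""
    ports, not_shown, seconds = {}, None, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports["%s/%s" % (m.group(1), m.group(2))] = m.group(3)
            continue
        m = NOT_SHOWN_RE.match(line)
        if m:
            not_shown = (int(m.group(1)), m.group(2))
            continue
        m = DONE_RE.search(line)
        if m:
            seconds = float(m.group(1))
    return {"ports": ports, "not_shown": not_shown, "seconds": seconds}


def _state(report, port):
    # Assumption: a port absent from the table is in the report's "Not shown" state.
    if port in report["ports"]:
        return report["ports"][port]
    return report["not_shown"][1] if report["not_shown"] else "unknown"


def diff_reports(baseline_text, candidate_text):
    """List state changes, open ports lost in the candidate run, and the slowdown factor."""
    base = parse_nmap_report(baseline_text)
    cand = parse_nmap_report(candidate_text)
    changed, false_negatives = {}, []
    for port in sorted(set(base["ports"]) | set(cand["ports"]),
                       key=lambda p: int(p.split("/")[0])):
        before, after = _state(base, port), _state(cand, port)
        if before != after:
            changed[port] = (before, after)
        if before == "open" and after != "open":
            false_negatives.append(port)
    slowdown = None
    if base["seconds"] and cand["seconds"]:
        slowdown = cand["seconds"] / base["seconds"]
    return {"changed": changed, "false_negatives": false_negatives, "slowdown": slowdown}


if __name__ == "__main__":
    result = diff_reports(BASELINE, PROXIED)
    for port, (before, after) in result["changed"].items():
        print("%-10s %s -> %s" % (port, before, after))
    print("false negatives:", result["false_negatives"] or "none")
    print("slowdown: %.1fx" % result["slowdown"])
```

On the two sample runs the script reports only the five filtered ports collapsing into closed|filtered (which a proxied connect() scan cannot distinguish) and no lost open ports; if a tester's proxied run drops one of the four open ports, it shows up in the false-negatives list with its before and after state.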