Home page logo
/

nmap-dev logo Nmap Development mailing list archives

General web proxying with Ncat
From: David Fifield <david () bamsoftware com>
Date: Thu, 16 Apr 2009 16:55:35 -0600

Hi,

Ncat's HTTP proxy now supports the GET, HEAD, and POST methods, so it
can be used as a proxy with an ordinary web browser. Run

        ncat -l --proxy-type http

Configure your web browser to use the proxy server at localhost:31337.
The CONNECT method that enables SSL connections is also supported. Of
course you can continue to make Ncat client connections through the
proxy:

        ncat --proxy localhost:31337 scanme.nmap.org 80

The proxy allows authentication (credentials are sent in the clear):

        ncat -l --proxy-type http --proxy-auth user:pass

I wrote this new code with special attention towards securing it against
buffer overflows and like vulnerabilities. There are over a thousand new
lines of parsing and memory allocation code, so I would appreciate a
second opinion.

The proxy as it stands now only supports HTTP/1.0, and not HTTP/1.1
features like connection persistence and pipelining. Using the proxy is
likely to make your web browsing slower because all requests are
serialized. I wouldn't expose the proxy to the Internet because of a
lack of authentication mechanisms. (You can use --proxy-auth, --allow,
and --deny, but they are not very strong.)

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


  By Date           By Thread  

Current thread:
  • General web proxying with Ncat David Fifield (Apr 16)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]