Nmap Development mailing list archives

Re: Scan with nmap over a CONNECT proxy?


From: David Fifield <david () bamsoftware com>
Date: Mon, 3 May 2010 09:57:46 -0600

On Thu, Apr 29, 2010 at 05:34:48PM +0000, Richard Miles wrote:
> Hello
>
> I was checking one of my servers on the internet and curiously I found it
> supports the CONNECT method to everywhere, so I could connect into it from
> the internet and CONNECT for example to google, or even establish a telnet
> session with another machine in another network. While it may be very useful
> for a spammer I was thinking that a hacker can do much more and probably use
> this open CONNECT proxy to connect to my internal servers, since I have two
> interfaces, one external and another internal.
>
> I tested with ncat and I connected to an internal server with a command like
> ncat --proxy MyExternalProxy --proxy-type http 10.10.2.3 23
>
> And I got the telnet screen asking for the username.
>
> However it was easy because I know my internal IP address; a hacker would
> need to guess my internal IP addresses and open ports, and doing it by hand
> may be very hard. So, I was thinking, is there an option in nmap to scan over
> a CONNECT proxy?
>
> Something like nmap -sV -sC --proxy MyExternalProxy --proxy-type
> http 10.10.2.0/24
>
> It would be awesome. Is there any patch or way to do it?

This isn't part of the Nmap core yet but it is planned. There's an
experimental branch at

svn co --username guest --password "" svn://svn.insecure.org/nmap-exp/ioerror/nmap-proxy

You can also run Nmap through proxychains. You have to specify -sT for
connect scan or it won't work.

http://proxychains.sourceforge.net/howto.html

Using proxychains is slow because it turns nonblocking socket calls into
blocking calls and ruins all Nmap's parallelism. A goal for proxy
scanning in Nmap is to retain the parallelism advantages we have for
other scan types.

> I also tried just to test nmap with -sV and -sC on an exclusive port in
> conjunction with ncat, but I couldn't, since ncat does not appear to allow
> binding an IP and connecting to a remote proxy at the same time. I was thinking
> of something like ncat -l 3333 --proxy MyExternalProxy --proxy-type http
> 10.10.2.3 23

I think this was a bug in an earlier version of Ncat. 5.21 should allow
you to bind and connect through a proxy at the same time.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
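The problem in this thread is an internet-facing proxy that honours CONNECT for any destination, including the server's own internal interface. The following is an added example, not code from the thread, from Ncat or from the Nmap project: it shows the two defender-side pieces, a policy check that a CONNECT handler would run on each request line before opening the tunnel (refusing RFC 1918, loopback and link-local targets, and restricting the port), and an audit that scans proxy log lines for tunnels to internal addresses that actually succeeded. The log format, the sample log lines and the single-port allow list are constructed assumptions for the example.

```python
import ipaddress
import re

# Address ranges an internet-facing CONNECT proxy should never tunnel into.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "::1/128",                           # loopback
    "169.254.0.0/16", "fe80::/10",                      # link-local
    "fc00::/7",                                         # IPv6 unique local
)]

# Hypothetical policy for this example: tunnels only to HTTPS.
ALLOWED_PORTS = {443}


def parse_connect_line(line):
    """Parse 'CONNECT host:port HTTP/1.x' into (host, port); None if malformed."""
    parts = line.strip().split()
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/"):
        return None
    authority = parts[1]
    if authority.startswith("["):                       # IPv6 literal, e.g. [::1]:443
        end = authority.find("]")
        if end < 0 or authority[end + 1:end + 2] != ":":
            return None
        host, port_str = authority[1:end], authority[end + 2:]
    else:
        host, sep, port_str = authority.rpartition(":")
        if not sep or not host:
            return None
    if not port_str.isdigit() or not 1 <= int(port_str) <= 65535:
        return None
    return host, int(port_str)


def is_internal_target(host):
    """True when host is an IP literal inside one of INTERNAL_NETS.

    Hostnames return False here; a real proxy must resolve the name and check
    every address it resolves to, otherwise a name that resolves to an internal
    address bypasses the check."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def decide(line, allowed_ports=ALLOWED_PORTS):
    """Policy decision for one CONNECT request line: (status line, reason)."""
    parsed = parse_connect_line(line)
    if parsed is None:
        return "400 Bad Request", "malformed CONNECT request"
    host, port = parsed
    if is_internal_target(host):
        return "403 Forbidden", f"{host} is in an internal address range"
    if port not in allowed_ports:
        return "403 Forbidden", f"port {port} is not permitted for tunnelling"
    return "200 Connection established", "allowed"


# Constructed log format for the audit: timestamp client "request" status.
LOG_RE = re.compile(r'^(\S+) (\S+) "CONNECT (\S+) HTTP/[\d.]+" (\d{3})$')


def audit_log(lines):
    """Return (client, host, port) for every CONNECT to an internal target that
    the proxy answered with 200, i.e. tunnels that actually went through."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, client, authority, status = m.groups()
        parsed = parse_connect_line(f"CONNECT {authority} HTTP/1.1")
        if parsed and status == "200" and is_internal_target(parsed[0]):
            hits.append((client, parsed[0], parsed[1]))
    return hits


# Constructed sample log lines (not from any real proxy). The first mirrors the
# ncat command in the thread: a tunnel from the internet to 10.10.2.3 port 23.
SAMPLE_LOG = [
    '2010-04-29T17:34:48Z 203.0.113.7 "CONNECT 10.10.2.3:23 HTTP/1.1" 200',
    '2010-04-29T17:35:02Z 203.0.113.7 "CONNECT www.example.com:443 HTTP/1.1" 200',
    '2010-04-29T17:35:10Z 198.51.100.9 "CONNECT 192.168.1.10:445 HTTP/1.1" 403',
    '2010-04-29T17:35:11Z 198.51.100.9 "GET / HTTP/1.1" 200',
]

if __name__ == "__main__":
    for req in ("CONNECT 10.10.2.3:23 HTTP/1.1", "CONNECT www.example.com:443 HTTP/1.1"):
        print(req, "->", *decide(req))
    for client, host, port in audit_log(SAMPLE_LOG):
        print(f"ALERT: {client} tunnelled to internal host {host}:{port}")
```

The policy check is deliberately applied to the parsed authority rather than to a string match, so bracketed IPv6 literals and bare `::1:443` forms are both caught; the audit reuses the same parser so that whatever the proxy would now refuse is exactly what the log review flags from before the policy existed.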

