Nmap Development mailing list archives

Re: The issue when using the socks-open-proxy.nse


From: Hongyi Zhao <hongyi.zhao () gmail com>
Date: Thu, 12 Mar 2015 14:41:06 +0000 (UTC)

On Thu, 12 Mar 2015 08:20:55 -0500, Daniel Miller wrote:
[snipped]

Thanks a lot ;-)

1. Use -sV to detect the socks proxy on the port so that the script can
run.

I've tried this method several times, but it always failed in the end; see 
the following example output for details:

-- begin socks-open-proxy test--
werner@debian:~/software/anti-gfw/nmap/nmap.svn/scripts$ nmap -sV -p60088 --script socks-open-proxy -n -Pn -T4 4.53.111.74

Starting Nmap 6.47SVN ( http://nmap.org ) at 2015-03-12 21:49 CST
Nmap scan report for 4.53.111.74
Host is up.
PORT      STATE    SERVICE VERSION
60088/tcp filtered unknown

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.35 seconds
-- end socks-open-proxy test--


2. Force the script to run on *every* scanned port: `--script
+socks-open-proxy` This is safe to do in cases like this where you are
scanning just one port, and you are certain of the service that is
listening. But this is not usually a good idea when scanning a lot of
ports, especially on unknown systems, since it will result in a lot of
data being sent to every open port.

I've tried this method several times too, but the results are changeable, 
i.e., sometimes I find it succeeds and gives me the socks-test 
results; sometimes it fails.  See the following for details on the 
successful and failed test runs:

-- begin socks-open-proxy test--
werner@debian:~/software/anti-gfw/nmap/nmap.svn/scripts$ nmap -p60088 --script +socks-open-proxy -n -Pn -T4 4.53.111.74

Starting Nmap 6.47SVN ( http://nmap.org ) at 2015-03-12 21:52 CST
Nmap scan report for 4.53.111.74
Host is up.
PORT      STATE    SERVICE
60088/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 1.17 seconds
werner@debian:~/software/anti-gfw/nmap/nmap.svn/scripts$ nmap -p60088 --script +socks-open-proxy -n -Pn -T4 4.53.111.74

Starting Nmap 6.47SVN ( http://nmap.org ) at 2015-03-12 21:52 CST
Nmap scan report for 4.53.111.74
Host is up (0.32s latency).
PORT      STATE SERVICE
60088/tcp open  unknown
| socks-open-proxy: 
|   status: open
|   versions: 
|_    socks5

Nmap done: 1 IP address (1 host up) scanned in 15.45 seconds
-- end socks-open-proxy test--

Furthermore, I did a test on my local Tor socks5 proxy.  But the test's 
results are also changeable; see the following for details. 

It seems that, most of the time, I fail with these tests.

--
werner@debian:~/software/anti-gfw/nmap/nmap.svn/scripts$ nmap -p9050 --script +socks-open-proxy -n -Pn -T4 127.0.0.1

Starting Nmap 6.47SVN ( http://nmap.org ) at 2015-03-12 22:23 CST
Nmap scan report for 127.0.0.1
Host is up (0.000055s latency).
PORT     STATE SERVICE
9050/tcp open  tor-socks

Nmap done: 1 IP address (1 host up) scanned in 20.18 seconds
werner@debian:~/software/anti-gfw/nmap/nmap.svn/scripts$ nmap -p9050 --script +socks-open-proxy -n -Pn -T4 127.0.0.1

Starting Nmap 6.47SVN ( http://nmap.org ) at 2015-03-12 22:24 CST
Nmap scan report for 127.0.0.1
Host is up (0.000058s latency).
PORT     STATE SERVICE
9050/tcp open  tor-socks
| socks-open-proxy: 
|   status: open
|   versions: 
|     socks4
|     socks5
|_    socks4

Nmap done: 1 IP address (1 host up) scanned in 40.70 seconds
werner@debian:~/software/anti-gfw/nmap/nmap.svn/scripts$ nmap -p9050 --script +socks-open-proxy --script-args proxy.url=http://130.158.6.87/api/iphone/,proxy.pattern="^*vpn_servers"  -n -Pn -T4 127.0.0.1

Starting Nmap 6.47SVN ( http://nmap.org ) at 2015-03-12 22:25 CST
Nmap scan report for 127.0.0.1
Host is up (0.000056s latency).
PORT     STATE SERVICE
9050/tcp open  tor-socks

Nmap done: 1 IP address (1 host up) scanned in 27.89 seconds
werner@debian:~/software/anti-gfw/nmap/nmap.svn/scripts$ nmap -p9050 --script '+socks-open-proxy' --script-args proxy.url=http://130.158.6.87/api/iphone/,proxy.pattern="^*vpn_servers"  -n -Pn -T4 127.0.0.1

Starting Nmap 6.47SVN ( http://nmap.org ) at 2015-03-12 22:26 CST
Nmap scan report for 127.0.0.1
Host is up (0.000055s latency).
PORT     STATE SERVICE
9050/tcp open  tor-socks

Nmap done: 1 IP address (1 host up) scanned in 26.30 seconds
werner@debian:~/software/anti-gfw/nmap/nmap.svn/scripts$ nmap -p9050 --script '+socks-open-proxy' --script-args proxy.url=http://130.158.6.87/api/iphone/,proxy.pattern="^*vpn_servers"  -n -Pn -T4 127.0.0.1

Starting Nmap 6.47SVN ( http://nmap.org ) at 2015-03-12 22:30 CST
Nmap scan report for 127.0.0.1
Host is up (0.000049s latency).
PORT     STATE  SERVICE
9050/tcp closed tor-socks

Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds
werner@debian:~/software/anti-gfw/nmap/nmap.svn/scripts$ nmap -p9050 --script '+socks-open-proxy' --script-args proxy.url=http://130.158.6.87/api/iphone/,proxy.pattern="^*vpn_servers"  -n -Pn -T4 127.0.0.1

Starting Nmap 6.47SVN ( http://nmap.org ) at 2015-03-12 22:30 CST
Nmap scan report for 127.0.0.1
Host is up (0.000041s latency).
PORT     STATE  SERVICE
9050/tcp closed tor-socks

Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds
--

P.S. In the above tests, I also did the customized socks-open-proxy tests 
with the `--script-args` parameters, which are described at 
http://nmap.org/nsedoc/scripts/socks-open-proxy.html.

But unfortunately, I always failed with the customized proxy.url and 
proxy.pattern parameters when doing the testing.  I don't know the reason.


3. Edit the nmap-services file to add port 60088/tcp as socks5.

How do I do this, and where is the nmap-services file located?

Regards.
-- 
.: Hongyi Zhao [ hongyi.zhao AT gmail.com ] Free as in Freedom :.
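The runs above differ mainly in the reported port state (filtered, open, closed), and a port script cannot produce a result block when its port is not open. The following is an added example (not code from the thread or from the Nmap project): a small parser for Nmap's plain-text output that extracts, per port, the state, service and any NSE script block, and then explains whether the port state alone accounts for a missing socks-open-proxy result. The sample runs, the 203.0.113.10 target address and the function names are constructed for this example.

```python
"""Parse Nmap normal output and explain a missing NSE script result.

Added example; not from the mailing-list thread or the Nmap project.
The sample runs below are constructed to mirror the shapes of the runs
in the thread (a filtered port, then the same port open with a
socks-open-proxy block). 203.0.113.10 is a documentation address.
"""
import re
from typing import Dict, List

SAMPLE_RUNS = """\
Starting Nmap 6.47SVN ( http://nmap.org ) at 2015-03-12 21:52 CST
Nmap scan report for 203.0.113.10
Host is up.
PORT      STATE    SERVICE
60088/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 1.17 seconds
Starting Nmap 6.47SVN ( http://nmap.org ) at 2015-03-12 21:52 CST
Nmap scan report for 203.0.113.10
Host is up (0.32s latency).
PORT      STATE SERVICE
60088/tcp open  unknown
| socks-open-proxy: 
|   status: open
|   versions: 
|_    socks5

Nmap done: 1 IP address (1 host up) scanned in 15.45 seconds
"""

# "60088/tcp filtered unknown" (a trailing VERSION column from -sV is ignored)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
TARGET_RE = re.compile(r"^Nmap scan report for (\S+)")
# A script header is "| name:" with exactly one space after the bar;
# body lines ("|   status: open", "|_    socks5") have more indentation.
SCRIPT_HEADER_RE = re.compile(r"^\| (\S+):\s*$")


def parse_runs(text: str) -> List[Dict]:
    """Split Nmap normal output into runs, each holding its ports and script blocks."""
    runs: List[Dict] = []
    run = port = script = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Starting Nmap"):
            run = {"target": None, "ports": []}
            runs.append(run)
            port = script = None
            continue
        if run is None:
            continue
        m = TARGET_RE.match(line)
        if m:
            run["target"] = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:
            port = {"port": int(m.group(1)), "proto": m.group(2),
                    "state": m.group(3), "service": m.group(4), "scripts": {}}
            run["ports"].append(port)
            script = None
            continue
        if port is not None and line.startswith("|"):
            m = SCRIPT_HEADER_RE.match(line)
            if m:
                script = m.group(1)
                port["scripts"][script] = []
            elif script is not None:
                # strip the "|" / "|_" tree prefix and surrounding whitespace
                port["scripts"][script].append(line.lstrip("|_").strip())
    return runs


def socks_versions(port: Dict, script: str = "socks-open-proxy") -> List[str]:
    """Return the SOCKS versions listed under 'versions:', without duplicates."""
    lines = port["scripts"].get(script, [])
    if "versions:" not in lines:
        return []
    found: List[str] = []
    for item in lines[lines.index("versions:") + 1:]:
        if ":" in item:        # next key/value pair ends the version list
            break
        if item not in found:
            found.append(item)
    return found


def diagnose(run: Dict, script: str = "socks-open-proxy") -> List[str]:
    """One line per port saying whether the script ran and, if not, why it could not."""
    notes = []
    for p in run["ports"]:
        key = f"{run['target']} {p['port']}/{p['proto']}"
        if script in p["scripts"]:
            notes.append(f"{key}: {script} ran; versions {socks_versions(p, script)}")
        elif p["state"] != "open":
            notes.append(f"{key}: state is {p['state']}, so the port script could not "
                         f"run; re-check reachability before blaming the script")
        else:
            notes.append(f"{key}: open but no {script} output; the portrule did not "
                         f"select it (service {p['service']}) or the script found nothing")
    return notes


if __name__ == "__main__":
    for run in parse_runs(SAMPLE_RUNS):
        for note in diagnose(run):
            print(note)
```

Running the script on the constructed sample reports the first run as filtered (no script could run) and the second as a successful socks-open-proxy result listing socks5. Feeding it the saved output of several runs like the ones above makes it obvious when the "changeable" results are really changing port states rather than script behaviour.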

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

