Nmap Development mailing list archives

Re: ncat as http proxy server, question mark.


From: David Fifield <david () bamsoftware com>
Date: Fri, 23 Jan 2009 11:02:45 -0700

On Tue, Oct 28, 2008 at 02:00:51AM +0000, jah wrote:
I attempted to use ncat (latest svn) as an http proxy on both linux and
windows without success:

# ncat -l -vvv --proxy-type http localhost 8080
Listening on 127.0.0.1:8080

Set firefox on that machine to connect via 127.0.0.1:8080 and saw zero
traffic as a result of any http requests.

# ncat -l -vvv --proxy-type http 192.168.1.16 8080
Listening on 192.168.1.16:8080

and directed firefox on another machine to connect via 192.168.1.16:8080.
For any http request I see an HTTP 400 Bad Request response of 1024 bytes
- 996 of them are null chars.

I noticed this too. Ncat was sending an entire buffer, not just the
string it had placed at the beginning. It was pretty obvious that it was
wrong so I fixed it in r11830.

I can't get Ncat to work as a web proxy with Firefox either, because of
the GET/CONNECT method discrepancy Michael noted in
http://seclists.org/nmap-dev/2008/q4/0324.html. But apart from that, I
don't think Ncat's CONNECT method works quite right. CONNECT is
documented at http://tools.ietf.org/html/draft-luotonen-ssl-tunneling-03.
A request is supposed to look like this:

CONNECT nmap.org:80 HTTP/1.0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: nmap.org\r\n
\r\n

Before the first blank line is just a normal HTTP request, so you could
insert extra header fields like User-Agent, etc. But Ncat comes back
with "HTTP/1.0 200 OK" after the first \r\n. That means that any other
header fields as well as the second \r\n get sent to the destination web
server. Apache seems to tolerate the extra whitespace before the
request, but for example lighttpd returns "UNKNOWN 400 Bad Request".

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
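The CONNECT handling David describes (answer "200" only after the blank line that ends the request, and put only the bytes that follow it into the tunnel) is shown below as an added example; it is not Ncat's code nor anything from the thread. The sample request is constructed, with one extra User-Agent header added to the thread's example, and `tunnel_bytes_after_first_crlf` is a deliberate model of the wrong behaviour the message reports, not a proxy implementation.

```python
import re

# Constructed sample: the CONNECT exchange from the thread, plus one extra
# header field before the blank line, which draft-luotonen-ssl-tunneling
# permits (it is an ordinary HTTP request up to that point).
SAMPLE = (
    b"CONNECT nmap.org:80 HTTP/1.0\r\n"
    b"User-Agent: example-client/1.0\r\n"
    b"\r\n"
    b"GET / HTTP/1.1\r\n"
    b"Host: nmap.org\r\n"
    b"\r\n"
)

# Request line as the draft specifies it: CONNECT host:port HTTP/1.x
REQUEST_LINE = re.compile(rb"^CONNECT ([^\s:]+):(\d+) HTTP/1\.[01]$")


def parse_connect(buf):
    """Parse a CONNECT request from the bytes received so far.

    Returns (host, port, headers, remainder) once the whole header block,
    up to and including the first blank line, is present; returns None if
    more data is needed.  `remainder` is everything the client sent after
    the blank line: that, and only that, belongs in the tunnel once the
    proxy has replied with its 200 status line.
    """
    end = buf.find(b"\r\n\r\n")
    if end == -1:
        return None  # header block not complete yet; keep reading
    head, remainder = buf[:end], buf[end + 4:]
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("not a CONNECT request: %r" % lines[0])
    host, port = m.group(1).decode("ascii"), int(m.group(2))
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")
    return host, port, headers, remainder


def read_connect_from_chunks(chunks):
    """Accumulate recv()-sized chunks until the header block is complete.

    Demonstrates why the proxy must buffer rather than act on the first
    line it sees: the blank line may arrive in a later read.
    """
    buf = b""
    for chunk in chunks:
        buf += chunk
        parsed = parse_connect(buf)
        if parsed is not None:
            return parsed
    return None


def tunnel_bytes_after_first_crlf(buf):
    """Model of the faulty behaviour described in the thread.

    If the proxy replies after the first CRLF, every remaining header field
    and the blank line itself are forwarded to the destination server ahead
    of the real request, which a strict server may reject with a 400.
    """
    first = buf.find(b"\r\n")
    return buf[first + 2:]


if __name__ == "__main__":
    host, port, headers, remainder = parse_connect(SAMPLE)
    print("tunnel to %s:%d, extra headers %r" % (host, port, headers))
    print("correct tunnel payload:", remainder)
    print("leaked by early reply:  ", tunnel_bytes_after_first_crlf(SAMPLE))
```

The correct parser hands the destination exactly `GET / HTTP/1.1\r\nHost: nmap.org\r\n\r\n`; the early-reply model instead pushes `User-Agent: ...\r\n\r\n` into the tunnel first, which is the stray whitespace-and-headers prefix the message says Apache tolerates and lighttpd rejects.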
