Nmap Development mailing list archives
Re: Scripts for proxy detection
From: David Fifield <david () bamsoftware com>
Date: Mon, 1 Jun 2009 14:24:48 -0600
On Thu, May 28, 2009 at 05:17:43AM -0300, Joao Correa wrote:
> Hello everyone,
>
> I'm posting two new versions for the open proxy detection scripts. The new features are:
>
> HTTP:
> * Changed pattern for connect (tested and supporting both polipo and ncat, still needs testing on squid!)
> * Default test address is now nmap.org, and not www.google.com
> * HTTP status codes 200, 301 and 302 are recognized as valid responses, meaning that the proxy is correctly working
> * It is also possible to use a different test address, specified with script-args. The args should be "url", with the url that might be tested, and "hurl" with the url used to set the "Host:" field of the HTTP requests. If no hurl is set, then url is used as hurl. If none is set, nmap.org is used.
> * Notice that the arguments will only work with nmap patched for correct argument parsing
>
> Socks:
> * Replaced function packet.hextobin for bin.pack
> * HTTP status codes 200, 301 and 302 are recognized as valid responses, meaning that the proxy is correctly working
> * Replaced excessive prints for stdnse.print_debug
> * It is also possible to use a different test address, specified with script-args. The arg is only "url" here. If it is not set, nmap.org is used.
> * Also will only work if nmap is patched
> * Tested on Dante and ssh
Here are my comments on socks-open-proxy.nse. I tested it with the "ssh -D" command.

    $ ssh -N -D 1080 goomba.bamsoftware.com
    $ ./nmap --datadir . --script=socks-open-proxy localhost -p1080
    PORT     STATE SERVICE
    1080/tcp open  socks
    | socks-open-proxy: Potentially OPEN proxy.
    |_ Versions succesfully tested: Socks4 Socks5

    $ ssh -N -D 10000 goomba.bamsoftware.com
    $ ./nmap --datadir . --script=socks-open-proxy localhost -p10000
    PORT      STATE SERVICE
    10000/tcp open  snet-sensor-mgmt

    $ ./nmap --datadir . --script=socks-open-proxy localhost -p10000 -sV --version-all
    PORT      STATE SERVICE VERSION
    10000/tcp open  socks5  (No authentication; connection failed)

The script worked fine when the proxy server was running on a standard port. As expected, it didn't run when the server was on a non-standard port. However, it should have run when version detection discovered the service "socks5". You should make the portrule match "socks4" and "socks5" as well as "socks".

You can use stdnse.strsplit instead of having multiple copies of the explode function in each script.

http://nmap.org/nsedoc/modules/stdnse.html#strsplit

On second thought, you don't actually need a string splitting function if you're only looking at the Response-Line (first line) of the response, and not examining the header fields.

I think you should not hard-code the default target IP address:

    local sip = "42 66 07 63"
    local url = "www.google.com"

You already have code to resolve a name in case a url script argument was received; just use that in all cases. Otherwise someday someone will change either sip or url without changing the other, or that IP address will have a different owner, or something.

Don't forget to update the script documentation. It still refers to the "Server: gws" header field, even though the script doesn't use that technique anymore.

When the proxy server returns "Request granted", is that enough to report the proxy as open? Is it necessary to actually retrieve the web page? Maybe coffeeshop proxies say "Request granted" and then substitute their click-through terms of service, or something? But in that case the script would still say "open proxy" because of the 200 status code returned. If it still works without retrieving the web page, you should remove that step.

The script argument names are too general. "url" could mean many different things to different scripts. One way to disambiguate is to put the arguments inside a table with a name based on that of the scripts. So:

    --script-args='open-proxy={url=...}'

Then you would access it in your script:

    nmap.registry.args["open-proxy"].url

However, the name "url" is misleading, because the argument is only a host name. I suggest changing it to "host". Then you should add a @usage example to the documentation showing how to use the script arguments, like this:

http://nmap.org/nsedoc/scripts/dns-zone-transfer.html
http://nmap.org/svn/scripts/dns-zone-transfer.nse

The script is nice and easy to understand. Very useful too, and fast. I think this and the HTTP script should be included when these few adjustments are made.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
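The review points above (a portrule that also matches the "socks4"/"socks5" service names, a namespaced "host" script argument, resolving the test host instead of pairing a literal IP with a name, and judging the reply from the Status-Line alone) can be put together in one small NSE script. The block below is an added illustration written for this thread; it is neither the socks-open-proxy.nse under review nor code shipped with Nmap. The script name, author string, 5-second timeout and the decision to still fetch the page after "Request granted" are assumptions, and it uses the string.pack of current Nmap's Lua 5.3 rather than the bin.pack of the version being discussed.

```lua
-- open-proxy-check.nse (hypothetical name): added example for this thread,
-- not the script under review and not part of Nmap itself.
local nmap      = require "nmap"
local shortport = require "shortport"
local ipOps     = require "ipOps"

description = [[
Checks whether a SOCKS5 server relays an HTTP request to a test host, so that
unintended open relays on one's own network can be found and closed.
]]
author = "example author (assumed)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

-- Run on the standard port, and also whenever version detection reports the
-- service as socks, socks4 or socks5 (the portrule point raised above).
portrule = shortport.port_or_service({1080}, {"socks", "socks4", "socks5"})

-- Namespaced argument: --script-args='open-proxy={host=example.org}'
-- The table lives under nmap.registry.args, as the reply describes.
local function target_host()
  local args = nmap.registry.args["open-proxy"]
  if type(args) == "table" and args.host then
    return args.host
  end
  return "nmap.org"
end

-- Judge the reply from the Status-Line alone; no header splitting required.
local function status_code(line)
  return line and line:match("^HTTP/%d%.%d (%d%d%d)")
end

local function is_working(code)
  return code == "200" or code == "301" or code == "302"
end

action = function(host, port)
  local name = target_host()
  -- Resolve the name in every case instead of keeping a hard-coded IP
  -- next to it, so the two cannot drift apart.
  local ok, addrs = nmap.resolve(name, "inet")
  if not ok or #addrs == 0 then
    return nil
  end
  local ip = addrs[1]

  local sock = nmap.new_socket()
  sock:set_timeout(5000)  -- assumed timeout
  local status = sock:connect(host, port)
  if not status then return nil end

  -- SOCKS5 greeting offering only "no authentication"; expect version 5,
  -- chosen method 0 back.
  sock:send(string.pack("BBB", 5, 1, 0))
  local rstatus, reply = sock:receive_bytes(2)
  if not rstatus or reply:sub(1, 2) ~= "\5\0" then
    sock:close()
    return nil
  end

  -- CONNECT to the resolved IPv4 address, port 80. In the reply, byte 2
  -- equal to 0 is "request granted".
  sock:send(string.pack("BBBB", 5, 1, 0, 1)
            .. ipOps.ip_to_str(ip) .. string.pack(">I2", 80))
  rstatus, reply = sock:receive_bytes(10)
  if not rstatus or reply:byte(2) ~= 0 then
    sock:close()
    return nil
  end

  -- Keep the page fetch, the conservative answer to the question raised in
  -- the review: "request granted" alone is not reported as open here.
  sock:send("GET / HTTP/1.0\r\nHost: " .. name .. "\r\n\r\n")
  rstatus, reply = sock:receive_lines(1)
  sock:close()
  if not rstatus then return nil end

  local code = status_code(reply)
  if is_working(code) then
    return string.format("Potentially OPEN proxy: relayed HTTP %s from %s",
                         code, name)
  end
  return nil
end
```

Run it with `nmap --script=./open-proxy-check.nse --script-args='open-proxy={host=example.org}' -sV -p1080,10000 target`; with -sV the service-name match in the portrule makes the script fire on the non-standard port that the plain port list missed in the session quoted above.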