Nmap Development mailing list archives

Re: --proxies oddities


From: Henri Doreau <henri.doreau () gmail com>
Date: Tue, 30 Apr 2013 20:27:34 +0200

2013/4/30 David Fifield <david () bamsoftware com>:
I tried --proxies using a local Tor SOCKS proxy, and got unexpected
results. Here are the scans with no proxy:

$ ./nmap -n -Pn --script=http-title -p 80 nmap.org
Starting Nmap 6.26SVN ( http://nmap.org ) at 2013-04-29 23:27 PDT
Nmap scan report for nmap.org (173.255.243.189)
Host is up (0.025s latency).
PORT   STATE SERVICE
80/tcp open  http
|_http-title: Nmap - Free Security Scanner For Network Exploration & Securit...

$ ./nmap -n -Pn --script=ssl-cert -p 993 imap.gmail.com
Starting Nmap 6.26SVN ( http://nmap.org ) at 2013-04-29 23:27 PDT
Nmap scan report for imap.gmail.com (74.125.141.108)
Host is up (0.034s latency).
Other addresses for imap.gmail.com (not scanned): 74.125.141.109
PORT    STATE SERVICE
993/tcp open  imaps
| ssl-cert: Subject: commonName=imap.gmail.com/organizationName=Google Inc/stateOrProvinceName=California/countryName=US
| Issuer: commonName=Google Internet Authority/organizationName=Google Inc/countryName=US
| Public Key type: rsa
| Public Key bits: 1024
| Not valid before: 2013-04-15T07:44:00+00:00
| Not valid after:  2013-12-31T15:58:50+00:00
| MD5:   a52a 01f4 9bb0 ac6f c519 ab60 d117 fe26
|_SHA-1: b0ba 392b ba32 6e6f eb1a dd4d 04fa 0fb8 6cd1 73fa


Here are the results with a proxy:

$ ./nmap --proxies=socks4://localhost:9050 -n -Pn --script=http-title -p 80 nmap.org
Starting Nmap 6.26SVN ( http://nmap.org ) at 2013-04-29 23:28 PDT
NSOCK ERROR [0.0290s] nsp_set_proxychain(): Invalid call. Existing proxychain on this nsock_pool
Nmap scan report for nmap.org (173.255.243.189)
Host is up (0.019s latency).
PORT   STATE SERVICE
80/tcp open  http

$ ./nmap --proxies=socks4://localhost:9050 -n -Pn --script=ssl-cert -p 993 imap.gmail.com
Starting Nmap 6.26SVN ( http://nmap.org ) at 2013-04-29 23:29 PDT
NSOCK ERROR [0.0340s] nsp_set_proxychain(): Invalid call. Existing proxychain on this nsock_pool
Nmap scan report for imap.gmail.com (173.194.79.108)
Host is up (0.038s latency).
Other addresses for imap.gmail.com (not scanned): 173.194.79.109
PORT    STATE SERVICE
993/tcp open  imaps
|_ssl-cert: ERROR: Script execution failed (use -d to debug)

David Fifield


Here are packet traces.

$ ./nmap --proxies=socks4://localhost:9050 -n -Pn --script=http-title -p 80 nmap.org -d3
Starting Nmap 6.26SVN ( http://nmap.org ) at 2013-04-29 23:29 PDT
...
NSE: Using Lua 5.2.
NSOCK ERROR [0.0220s] nsp_set_proxychain(): Invalid call. Existing proxychain on this nsock_pool
...
NSE: Script scanning 173.255.243.189.
NSE: Starting runlevel 1 (of 1) scan.
NSE: Starting 'http-title' (thread: 0x1f4a330) against nmap.org (173.255.243.189:80).
Initiating NSE at 23:29
NSOCK INFO [0.0220s] nsi_new2(): nsi_new (IOD #1)
NSOCK INFO [0.0590s] nsock_connect_tcp(): TCP connection requested to 173.255.243.189:80 (IOD #1) EID 8
NSOCK INFO [0.0590s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [127.0.0.1:9050]
NSOCK INFO [0.0590s] nsock_readbytes(): Read request for 8 bytes from IOD #1 [127.0.0.1:9050] EID 26
NSOCK INFO [0.0590s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 19 [127.0.0.1:9050]
NSOCK INFO [0.7680s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 26 [127.0.0.1:9050] (8 bytes): 
.Z......
NSOCK INFO [0.7680s] forward_event(): Forwarding event upstream: TCP connect SUCCESS (IOD #1) EID 26
NSE: TCP 127.0.0.1:46610 > 127.0.0.1:9050 | CONNECT
NSE: TCP 127.0.0.1:46610 > 127.0.0.1:9050 | 00000000: 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a GET / HTTP/1.1
00000010: 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 Connection: clos
00000020: 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d e  User-Agent: M
00000030: 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 63 6f 6d 70 ozilla/5.0 (comp
00000040: 61 74 69 62 6c 65 3b 20 4e 6d 61 70 20 53 63 72 atible; Nmap Scr
00000050: 69 70 74 69 6e 67 20 45 6e 67 69 6e 65 3b 20 68 ipting Engine; h
00000060: 74 74 70 3a 2f 2f 6e 6d 61 70 2e 6f 72 67 2f 62 ttp://nmap.org/b
00000070: 6f 6f 6b 2f 6e 73 65 2e 68 74 6d 6c 29 0d 0a 48 ook/nse.html)  H
00000080: 6f 73 74 3a 20 6e 6d 61 70 2e 6f 72 67 0d 0a 0d ost: nmap.org
00000090: 0a

NSOCK INFO [0.7680s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 35 [127.0.0.1:9050]
NSE: TCP 127.0.0.1:46610 > 127.0.0.1:9050 | SEND
NSOCK INFO [0.7680s] nsock_read(): Read request from IOD #1 [127.0.0.1:9050] (timeout: 8000ms) EID 42
NSOCK INFO [1.4680s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 42 [127.0.0.1:9050] (498 bytes)
NSE: TCP 127.0.0.1:46610 < 127.0.0.1:9050 | <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<TITLE>Cannot process request!</TITLE>
<LINK REV="made" HREF="mailto:webmaster";>
</HEAD>

<link REL="SHORTCUT ICON" HREF="/shared/images/tiny-eyeicon.png" TYPE="image/png">
<META NAME="ROBOTS" CONTENT="NOARCHIVE">
<link rel="stylesheet" href="/shared/css/insecdb.css" type="text/css">
<!--Google Analytics-->
<script type="text/javascript">

  var _gaq = _gaq || [];
  _gaq.push(['_setAccount', 'UA-11009417-1']);
  _gaq.
NSE: Finished 'http-title' (thread: 0x1f4a330) against nmap.org (173.255.243.189:80).
NSE: TCP 127.0.0.1:46610 > 127.0.0.1:9050 | CLOSE
NSOCK INFO [1.4680s] nsi_delete(): nsi_delete (IOD #1)
Completed NSE at 23:29, 1.41s elapsed
Nmap scan report for nmap.org (173.255.243.189)
Host is up, received user-set (0.018s latency).
Scanned at 2013-04-29 23:29:55 PDT for 1s
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack

$ ./nmap --proxies=socks4://localhost:9050 -n -Pn --script=ssl-cert -p 993 imap.gmail.com -d3
Starting Nmap 6.26SVN ( http://nmap.org ) at 2013-04-29 23:30 PDT
...
NSE: Using Lua 5.2.
NSOCK ERROR [0.0310s] nsp_set_proxychain(): Invalid call. Existing proxychain on this nsock_pool
...
NSE: Script scanning 173.194.79.108.
NSE: Starting runlevel 1 (of 1) scan.
NSE: Starting 'ssl-cert' (thread: 0x206d320) against imap.gmail.com (173.194.79.108:993).
Initiating NSE at 23:30
NSOCK INFO [0.0310s] nsi_new2(): nsi_new (IOD #1)
NSOCK INFO [0.0790s] nsock_connect_ssl(): SSL connection requested to 173.194.79.108:993/tcp (IOD #1) EID 9
NSOCK INFO [0.0790s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 9 [127.0.0.1:9050]
NSOCK INFO [0.0790s] nsock_readbytes(): Read request for 8 bytes from IOD #1 [127.0.0.1:9050] EID 26
NSOCK INFO [0.0790s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 19 [127.0.0.1:9050]
NSOCK INFO [0.8190s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 26 [127.0.0.1:9050] (8 bytes): 
.Z......
NSOCK INFO [0.8190s] forward_event(): Forwarding event upstream: TCP connect SUCCESS (IOD #1) EID 26
NSE: TCP 127.0.0.1:46617 > 127.0.0.1:9050 | CONNECT
NSE: 'ssl-cert' (thread: 0x206d320) against imap.gmail.com (173.194.79.108:993) threw an error!
/home/david/nmap-git/nselib/sslcert.lua:280: calling 'get_ssl_certificate' on bad self
stack traceback:
        [C]: in function 'get_ssl_certificate'
        /home/david/nmap-git/nselib/sslcert.lua:280: in function 'getCertificate'
        /home/david/nmap-git/scripts/ssl-cert.nse:236: in function </home/david/nmap-git/scripts/ssl-cert.nse:235>
        (...tail calls...)

NSE: TCP 127.0.0.1:46617 > 127.0.0.1:9050 | CLOSE
NSOCK INFO [0.8190s] nsi_delete(): nsi_delete (IOD #1)
Completed NSE at 23:30, 0.74s elapsed
Nmap scan report for imap.gmail.com (173.194.79.108)
Host is up, received user-set (0.035s latency).
Other addresses for imap.gmail.com (not scanned): 173.194.79.109
Scanned at 2013-04-29 23:30:58 PDT for 1s
PORT    STATE SERVICE REASON
993/tcp open  imaps   syn-ack

I think I fixed it. I introduced a regression in r30784, replacing a
constant you initially set by a sizeof(), which could return different
sizes on different architectures, given how the fields of the
structure were declared.

I reverted the faulty commit in r30819 and committed a nicer (I think)
fix in r30820.

Sorry for the regression, at least it looks good now. Do you confirm?

Regards

--
Henri
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
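The regression Henri describes (a wire-format constant replaced by a sizeof() whose value depends on how the struct fields were declared) is easy to reproduce in miniature. The following is an added example and not code from nsock or Nmap: the SOCKS4 request and reply layouts are the protocol's, but the structs, function names, and the "padded" field order are hypothetical and are not the structure from r30784. The request uses the nmap.org address and port 80 from the trace; the reply bytes beyond the 0x00 0x5a visible in ".Z......" are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* SOCKS4 wire formats (from the original SOCKS4 protocol description):
 *   request: VN=4 | CD=1 (CONNECT) | DSTPORT(2, network order) | DSTIP(4) | USERID... | NUL
 *   reply:   VN=0 | CD             | DSTPORT(2)                 | DSTIP(4)
 * The reply is always exactly 8 bytes, which is what the trace above reads
 * ("Read request for 8 bytes") and what ".Z......" (0x00 0x5a ...) shows. */
#define SOCKS4_VERSION      4
#define SOCKS4_CMD_CONNECT  1
#define SOCKS4_REPLY_LEN    8
#define SOCKS4_CD_GRANTED   0x5a
#define SOCKS4_CD_REJECTED  0x5b

/* Hypothetical struct with fields in a "convenient" order. On common ABIs
 * (x86, x86-64, ARM) the uint32_t forces 2 bytes of padding after cd and
 * 2 trailing bytes, so sizeof() is 12, not 8. Using it as a read length
 * would wait for bytes the proxy never sends, or swallow the start of the
 * application data that follows the reply. This is the class of bug, not
 * the actual nsock declaration. */
struct socks4_reply_padded {
    uint8_t  vn;
    uint8_t  cd;
    uint32_t dstip;
    uint16_t dstport;
};

/* Parsed reply in host byte order; layout irrelevant to the wire. */
struct socks4_reply {
    uint8_t  vn;
    uint8_t  cd;
    uint16_t dstport;
    uint32_t dstip;
};

/* Serialize a CONNECT request. ip and port are host byte order.
 * Returns bytes written, or 0 if buf is too small. */
size_t socks4_build_connect(uint8_t *buf, size_t cap, uint32_t ip, uint16_t port,
                            const char *userid)
{
    size_t ulen = userid ? strlen(userid) : 0;
    size_t need = 8 + ulen + 1;          /* header + userid + NUL terminator */
    if (cap < need) return 0;
    buf[0] = SOCKS4_VERSION;
    buf[1] = SOCKS4_CMD_CONNECT;
    buf[2] = (uint8_t)(port >> 8);
    buf[3] = (uint8_t)(port & 0xff);
    buf[4] = (uint8_t)(ip >> 24);
    buf[5] = (uint8_t)(ip >> 16);
    buf[6] = (uint8_t)(ip >> 8);
    buf[7] = (uint8_t)ip;
    if (ulen) memcpy(buf + 8, userid, ulen);
    buf[8 + ulen] = 0;
    return need;
}

/* Parse exactly SOCKS4_REPLY_LEN bytes at explicit offsets, independent of
 * any struct layout. Returns 0 on success, -1 on short or invalid input. */
int socks4_parse_reply(const uint8_t *buf, size_t len, struct socks4_reply *out)
{
    if (len < SOCKS4_REPLY_LEN) return -1;
    if (buf[0] != 0) return -1;          /* VN is always 0 in a reply */
    out->vn = buf[0];
    out->cd = buf[1];
    out->dstport = (uint16_t)((buf[2] << 8) | buf[3]);
    out->dstip = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) |
                 ((uint32_t)buf[6] << 8)  |  (uint32_t)buf[7];
    return 0;
}

/* 1 if the proxy granted the CONNECT, 0 if it refused, -1 on parse error. */
int socks4_connect_granted(const uint8_t *buf, size_t len)
{
    struct socks4_reply r;
    if (socks4_parse_reply(buf, len, &r) != 0) return -1;
    return r.cd == SOCKS4_CD_GRANTED ? 1 : 0;
}

/* The length to request from the socket: the wire constant, never sizeof(). */
size_t socks4_reply_read_len(void) { return SOCKS4_REPLY_LEN; }

/* What sizeof() of the padded struct would have asked the socket for. */
size_t socks4_padded_struct_size(void) { return sizeof(struct socks4_reply_padded); }

int main(void)
{
    uint8_t req[64];
    /* nmap.org as seen in the trace: 173.255.243.189 (0xadfff3bd), port 80 */
    size_t n = socks4_build_connect(req, sizeof req, 0xadfff3bdu, 80, "");
    /* Constructed reply: 0x00 0x5a match the trace; the rest is zero here. */
    const uint8_t reply[SOCKS4_REPLY_LEN] = {0x00, 0x5a, 0, 0, 0, 0, 0, 0};
    printf("request %zu bytes; wire reply %zu bytes; sizeof(padded struct) %zu; granted=%d\n",
           n, socks4_reply_read_len(), socks4_padded_struct_size(),
           socks4_connect_granted(reply, sizeof reply));
    return 0;
}
```

The check a practitioner wants is the one the parser encodes: read a fixed SOCKS4_REPLY_LEN from the socket and decode the fields at explicit offsets, so the code's behaviour does not change when a struct is reordered or compiled for a different ABI.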