Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

Andrew's GSoC Summary

From: Andrew Jason Farabee <afarabee () uci edu>
Date: Fri, 21 Aug 2015 11:54:25 -0700
Hi everyone,

It's been a fun summer of code! Now that it's the firm "pencil's
down" date, I'd like to go over the status of my project.


== PROOF OF CONCEPT ===============================================

I started my GSoC by working on a couple of "proof of concept"s
(detail on the last one: http://seclists.org/nmap-dev/2015/q2/317).
This branch has quite a few issues. It relies on experimental NSE
scanning code that isn't as efficient for port scanning.  It is
also necessary to specify -Pn in order to prevent nmap's host
discovery, which operates outside of a proxy.

The code also uses socks4a instead of socks5 for script scanning,
so without some elaborate timeout magic nmap will be unable to
determine whether the proxy server won't allow the connection due
to a timeout or due to a reset packet.  This means all ports that
are filtered will be mislabeled as closed.  Since socks5 specifies
a dedicated response for a timeout, I should be able to determine
if a port is filtered.

There is also an issue when scanning through tor.  Many malicious
exit node operators will spoof responses to port 25 (smtp) requests
in order to get credentials for sending spam.  Unfortunately, this
means that about 25% of the time smtp is marked as open even though
it is closed on the target.

https://svn.nmap.org/nmap-exp/pasca1/nmap-nseportscan-socks4a


== SOCKS4A ========================================================

The socks4a code that was added to nsock works by calling a
separate connection handler from the other proxy types.  This uses
the targetname when creating the proxy connection instead of an IP.
This means that as it is socks4a is unable to be used in a chain of
proxies unless it is the last node.

Merging the socks4a code won't make sense until after a new address
structure is created that is able to contain hostnames or IPs.
This will also make it easier to implement Socks5 connections by
hostname later.

It might make more sense to not explicitly support socks4a at all.
Instead, we could use socks4a by default and only use socks4 when
the user only provides target IP addresses, which would be
reflected by the new address structure.

https://svn.nmap.org/nmap-exp/pasca1/nmap-nsock-socks4a


== NCAT PROXYCHAINS ===============================================

I got pretty distracted by this part of the project.  In order to
test and demonstrate nsock's proxy functionality, we decided to
refactor ncat client proxy functionality into nsock's proxychains.
This turned out to be a larger issue because ncat already supported
proxy authentication and socks5 while nsock did not.

Merging this branch alone would be a sizable regression in
functionality.  The current tests which can be seen in
https://svn.nmap.org/nmap-exp/pascal/tests show that this branch
currently fails most HTTP tests and all SOCKS5 tests.

Even with the socks5 code included, ncat-test.pl fails for
unauthenticated socks5 connections.  This is due to ncat-test.pl
requesting a proxy connection from localhost instead of ::1 or
127.0.0.1.  It might just be my machine, but I don't know enough
about IPv6 to figure this out right away.

There is still an ugly piece of code here to check if the argument
to --proxies is empty when the string is non-NULL.  This is
necessary at the moment because the calling code in nsock does not
check if the string is empty before accessing it.  This could be a
small fix.

https://svn.nmap.org/nmap-exp/pasca1/nmap-ncat-proxychains


== PROXY AUTHENTICATION ===========================================

Nsock proxy authentication should be able to be merged on its own
once a few things are complete:

The http digest code included is temporary.  A better solution to
what is currently in this branch can be found in nmap-ncat-socks4a.
This temporary http digest authentication code fails 2 tests in
ncat-test.pl when merged with nmap-ncat-proxychains (although this
would probably be an easy fix).  The current http digest doesn't
support as many possible challenge scenarios as the ncat http
digest code does.

Socks5 authentication is also missing.  This is only an issue if
the socks5 branch is merged as well.  Adding this might need a
couple extra states to nsock/src/proxy_socks4.c but it shouldn't
take too much work.

Finally, any usernames or passwords included to the --proxies
option are displayed in cleartext to other users on that machine
when using commands like 'ps -aux' or 'history'.

https://svn.nmap.org/nmap-exp/pasca1/nmap-nsock-proxyauth


== SOCKS5 =========================================================

Socks5 code is working well right now.  As with the other branches,
all the relevant test results can be found in
nmap-exp/pasca1/tests/nmap-nsock-socks5.

If nmap-nsock-proxyauth and nmap-nsock-socks5 are merged together,
there will be an issue with socks5 authentication missing.  Again,
this shouldn't take long to add.

Also, the socks5 code supports IPv6 scanning.  I haven't tested
this thoroughly because (embarrassingly) I don't know much about
IPv6.

Requesting socks5 tunnels by domain name should also be added, but
this doesn't make much sense until a new structure is created to
pass different target specification types (IPv4,IPv6, domain name).

https://svn.nmap.org/nmap-exp/pasca1/nmap-nsock-socks5


== LIBHTTP ========================================================

This branch is a combination of nmap-nsock-socks4a, nmap-nsock-
socks5, nmap-ncat-proxychains, and nmap-nsock-proxyauth.  The only
difference is that instead of the temporary http digest code, this
branch contains the start of a separate library "libhttp" (name in
progress) which attempts to move the existing http digest code to
be used by both nsock and ncat.

This branch currently does not compile due to issues with libhttp.
https://svn.nmap.org/nmap-exp/pasca1/temporary-nsock-http-digest
is a copy of this branch that using the temporary http digest code
is nsock instead.

https://svn.nmap.org/nmap-exp/pasca1/nmap-ncat-socks4


== PORT VULN SCRIPTS TO VULNS LIBRARY =============================

This folder was created to solve "Port 5 *-vuln NSE scripts to the
`vulns` library" (https://github.com/nmap/nmap/issues/147).  I
believe it is ready to be merged.

I created vulnerable virtual machines to test http-iis-webdav-vuln
and smtp-vuln-cve-2010-4344.  I tested http-vmware-path-vuln and
http-vuln-cve2010-0738 by using fake functions.  Some of the test
results are available here:

https://gist.github.com/andrewfarabee/dffc9e8c245d29271db4

smb-check-vulns was not included because it will have to be split
up in order to address https://github.com/nmap/nmap/issues/171 ,
which is "Split smb-check-vulns into separate smb-vuln-msXX-XXX.nse
scripts".

https://svn.nmap.org/nmap-exp/pasca1/issue147


== HOSTNAME PROXY SCANNING OUTLOOK ================================

When I started the summer, my main goal was to get scanning working
by name through proxies.  Unfortunately this goal is still very far
away.

The next step is to create a structure that will allow for
specifying a domain name without an IP (or along with an IP,
depending on the situation).  This struct may just contain a struct
sockaddr_storage ss (which would allow for an IPv4 or IPv6 address)
and a char* targetname.  The difficult part would be deciding where
it is implemented and moving from using sockaddr_storage to this
new struct throughout nsock and other parts of nmap.

There are a lot of open questions on what to do next, though there
are a lot of good ideas here:

http://seclists.org/nmap-dev/2015/q3/att-66/meeting.txt


== TL;DR ==========================================================

So what will it take to merge this mess of intertwined branches?
Here is a breakdown by functionality:

Socks5:
        Nothing!
        Okay, IPv6 testing.

Proxy Authentication:
        Better http digest challenge handling (or libhttp).
        Masking passwords.

Ncat Proxychains: (if you want to reduce regression in ncat)
        Merging Proxy Authentication.
        Merging Socks5.
        Adding Socks5 Authentication.

Socks4a:
        You probably shouldn't.
        Documentation.

All of them together:
        Socks5 authentication.
        Better http digest handling.
        Socks4a authentication (can be found in nmap-ncat-socks4a).
        Masking passwords.
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
Previous By Date Next
Previous By Thread Next

Current thread: