[tor-talk] Fwd: CALL FOR TESTING: new port scanning subsystem (allows scanning behind proxies, including Tor!)

Fabio Pietrosanti (naif) - lists lists at infosecurity.ch
Fri Jul 3 14:55:37 UTC 2015


Hi all,

sorry for cross-posting but it's relevant to know that nmap is going to
start supporting high performance port scanning over proxy, including Tor.

That would likely mean an increase in the issues for Tor Exit Relay
operators for abuses related to port scans being reported.

Should Tor implement some kind of exit-policy-configurable-rate-limiting
on the amount of new TCP connections that can be opened over the same
established circuit?

-------- Forwarded Message --------
Subject: CALL FOR TESTING: new port scanning subsystem (allows scanning
behind proxies, including Tor!)
Date: Fri, 03 Jul 2015 14:24:27 +0200
From: Jacek Wielemborek <d33tah at gmail.com>
To: Nmap dev <dev at nmap.org>

List,

(TL;DR: Just perform "BUILDING INSTRUCTIONS" and let me know if it
worked on your system.)

A few days ago [1][2] I mentioned that I was working on a modification
to Nmap's port scanning engine that would - among other things - allow
scanning behind proxies. I had a few issues with the code that I needed
to work on, mostly memory errors causing crashes. Right now, I am happy
to announce that this branch is ready for beta testing and I'm looking
for volunteers to help me with this task. Hopefully all the major bugs
were shaken out and the code could be integrated soon.

======================== BUILDING INSTRUCTIONS =========================

This is the same as in [1]:

1. Pull my nmap-nsock-ultrascan branch:

svn co https://svn.nmap.org/nmap-exp/d33tah/nmap-nsock-ultrascan

2. Enter nmap-nsock-ultrascan directory and build Nmap:

cd nmap-nsock-ultrascan ; ./configure && make

3. If all went well, try a simple -sT scan:

./nmap -sT scanme.nmap.org

========================== HOW TO TEST IT ==============================

Apart from a simple -sT scan I mentioned in step 3 of "BUILDING
INSTRUCTIONS", I would definitely welcome trying out more complicated
test scenarios.

One of the features that my modifications enable is performing port
scanning behind proxies. I only scanned it using the SOCKS4 server built
into Tor - to repeat that, you can run the "tor" command in the
background and execute the following line to scan scanme.nmap.org:

./nmap -sT --proxy socks4://localhost:9050 scanme.nmap.org

First segfaults were found and fixed thanks to stress testing I
performed by adding "-p-" to the command, which scans all TCP ports
possible, and running this command in a loop. Note that this can
sometimes take an incredibly long time - probably due to the "rate limiting
detection" feature, the scanning can slow down to as little as a probe
per second, which would make a -p- scan take 18 hours. This is why I also
tried --top-ports=10000, which has lower chances of behaving this way.

If you run across an error (segmentation fault, assertion error or
something else), it would be perfect if you could recompile Nmap with
debugging support, add -d9 to the command line and run the command
within a diagnostic tool such as gdb or valgrind. Here's how I did this:

CXXFLAGS="-ggdb -O0" CFLAGS="-ggdb -O0" ./configure && make
valgrind ./nmap -sT scanme.nmap.org -d9 -p- >log 2>&1

I haven't tested proxy chain support or various command-line switches. I
did very little testing outside of Tor. It might also be a good idea to
scan multiple targets and try an -iR scan - I tried neither of those. Also,
please pay attention to scan timing - if the scan is much slower or
faster than the old Nmap mechanism, this is a red flag that I would like
to know about.

Please do note that even though port scanning within Tor is possible,
you cannot scan .onion names due to lack of SOCKS4A support. Also, the
changes should only affect -sT connect() scan, so don't expect any
improvements while trying to perform SYN scanning or any other
non-connect() techniques, such as UDP/SCTP/protocol scans.

===================== FEEDBACK & LOOKING FOR BUGS ======================

Any feedback is welcome! If you just built it and ran step 3 of
"BUILDING INSTRUCTIONS" successfully, this is already some good news I'd
love to hear. Please mention what system you used, this might prove to
be useful information as well. If you ran into any errors, please tell
me how I could reproduce them (what command you ran) and what system you
used. If you could take some time and run through my comments in "HOW TO
TEST IT", your report would be even better. Thanks in advance!

Cheers,

d33tah

[1] http://seclists.org/nmap-dev/2015/q2/374
[2] http://seclists.org/nmap-dev/2015/q3/0
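To make concrete what a connect() scan through Tor's SOCKS port sends per probe, and why .onion targets are out of reach without SOCKS4A, here is an added Python example (not code from Nmap or from either poster): it encodes a SOCKS4 CONNECT request, detects when the SOCKS4A hostname form is needed, and maps the proxy's 8-byte reply to the port state a connect() scan can infer. The 192.0.2.10 address, the example.onion name and the "nmap" user-id are constructed placeholders.

```python
import socket
import struct

SOCKS4_VERSION = 4
CMD_CONNECT = 1
# Reply codes from the SOCKS4 protocol description.
REPLY_GRANTED = 0x5A          # proxy completed the TCP connect to the target
REPLY_REJECTED = 0x5B         # request rejected or connect failed
REPLY_NO_IDENTD = 0x5C        # proxy could not reach the client's identd
REPLY_IDENTD_MISMATCH = 0x5D  # identd reported a different user-id

def build_connect_request(host, port, user_id=b"nmap"):
    """Encode one SOCKS4 CONNECT request (VN, CD, DSTPORT, DSTIP, USERID, NUL),
    which is what each connect() probe becomes when sent through a proxy.

    SOCKS4 carries only a 4-byte IPv4 destination, so the client must resolve
    names itself, and a .onion name cannot be resolved locally. SOCKS4A sends
    the address 0.0.0.x and appends the hostname for the proxy to resolve;
    this helper falls back to that form for non-IPv4 hosts."""
    try:
        addr = socket.inet_aton(host)
        trailer = b""
    except OSError:
        addr = b"\x00\x00\x00\x01"               # SOCKS4A marker address
        trailer = host.encode("idna") + b"\x00"  # hostname, NUL-terminated
    header = struct.pack("!BBH", SOCKS4_VERSION, CMD_CONNECT, port)
    return header + addr + user_id + b"\x00" + trailer

def needs_socks4a(request):
    """True when the encoded request relies on SOCKS4A proxy-side resolution."""
    return len(request) >= 8 and request[4:7] == b"\x00\x00\x00" and request[7] != 0

def port_state_from_reply(reply):
    """Map the proxy's 8-byte reply (VN=0, CD, DSTPORT, DSTIP) to the port state
    a connect() scan can infer. The proxy hides whether a failure was a RST or
    a timeout, so closed and filtered cannot be told apart through it."""
    if len(reply) != 8:
        raise ValueError("SOCKS4 reply must be exactly 8 bytes")
    version, code, _port, _addr = struct.unpack("!BBH4s", reply)
    if version != 0:
        raise ValueError("unexpected VN byte %d in SOCKS4 reply" % version)
    if code == REPLY_GRANTED:
        return "open"
    if code == REPLY_REJECTED:
        return "closed|filtered"
    if code in (REPLY_NO_IDENTD, REPLY_IDENTD_MISMATCH):
        return "proxy-refused"
    raise ValueError("unknown SOCKS4 reply code 0x%02x" % code)
```

Every probed port is one such CONNECT, i.e. one new stream on the same circuit, which is the per-circuit connection rate that the question at the top of this thread is about.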

Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/