[tor-talk] Fwd: CALL FOR TESTING: new port scanning subsystem (allows scanning behind proxies, including Tor!)
david at bamsoftware.com
Sat Jul 4 15:20:52 UTC 2015
On Fri, Jul 03, 2015 at 11:25:26PM +0200, Jacek Wielemborek wrote:
> W dniu 03.07.2015 o 22:01, grarpamp pisze:
> >> One of the features that my modifications enable is performing port
> >> scanning behind proxies. I only scanned it using SOCKS4 server built
> >> into Tor
> >> ./nmap -sT --proxy socks4://localhost:9050 scanme.nmap.org
> >> Please do note that even though port scanning within Tor is possible,
> >> you cannot scan .onion names due to lack of SOCKS4A support.
> > SOCKS4 and SOCKS4A are old and deprecated and should not
> > be implemented (unless you're also implementing the current SOCKS5
> > and adding in 4/4A as a bonus).
> > Tor supports SOCKS5 (and the deprecated 4/4A but it will complain).
> > So scanning onions and anything else by name should be possible.
> > SOCKS5 also supports IPv6 which is becoming the way of things.
> > Therefore, implement SOCKS5 :)
> I think that SOCKS5 support within Nsock library (on which my
> modification depends) is planned. SOCKS5 also supports UDP, so it could
> bring even more benefits. For now, SOCKS4 has to do though.
Yeah. Jacek's post wasn't about adding proxy support to Nmap per se--Nmap
has been able to use a proxy for certain operations for quite some time
now, through the --proxies command line option. The proxy support worked
for things like version detection and NSE (Nmap Scripting Engine), but
it notably did not work for port scanning, because the port-scanning
code in Nmap uses sockets much differently than the rest of it. Jacek's
patch is about overcoming certain architectural difficulties and
extending proxy support to the port scanning phase too.
The patch doesn't actually add new SOCKS code to Nmap. It just uses what
is already there. Supporting SOCKS5 is a good project but it is separate
from this one.
Doing domain name resolution through the proxy (which would prevent DNS
leaks and enable scanning of onion sites) is also a separate and kind of
large project. Many parts of Nmap's code assume that they have an IP
address to work with, so it will take some rearchitecting too.
More information about the tor-talk