SOLUTION: Hack Version Detection to Suit Custom Needs, such as Open Proxy Detection
An important part of securing any network is identifying
dangerous hosts. Nmap's service detection system is a flexible,
reliable way to do this. It can help identify vulnerable versions of
software, find misconfigured servers, and more. But sometimes actually
trying to misuse services in ways the stock version scan doesn't dare
to is the best way to determine if they are actually
Open proxies are servers that will blindly relay requests from untrusted
hosts to servers of their choosing. Running these inside a network can be
extremely dangerous for many reasons, as attackers can:
Launch attacks that appear to come from your network
Steal bandwidth or other network services from you
Pretend to be an internal client to further escalate their privileges inside your organization
This provides good motivation for hacking version detection to
specifically try to exploit open proxies. We could probably map out which
ports are proxies by using Nmap's normal proxy
match lines, but the best, and only real way to prove an application is
vulnerable is to actually exploit it yourself.
This solution was contributed by Nmap developer Doug Hoyte.
The first thing we do is copy the
nmap-service-probes file so we can
work on a temporary copy:
cp /usr/local/share/nmap/nmap-service-probes ~/proxydetect
Next we want to temporarily force Nmap to use
our temporary file:
Now we need to add a probe and match line to the file, so open up
your favorite editor and place the following text into your copy of
nmap-service-probes. A good place to put it is after all the match
lines in the NULL probe, but immediately before the next Probe line (GenericLines).
Probe TCP ProxyProbe q|GET http://insecure.org/ HTTP/1.1\r\nHost: insecure.org\r\n\r\n|
match proxy m|^HTTP/1. 200 OK\r?\n.*TITLE>Insecure.O|s p/Open HTTP Proxy!!/
Now Nmap will actually try to request an
HTTP download from
insecure.org by treating any
scanned ports as proxies. We will start to see the following in scans
of networks containing open proxies:
PORT STATE SERVICE VERSION
80/tcp open proxy Open HTTP Proxy!!
The placement of our probe, the low
rarity value, and
ports range help ensure that our custom probe
is tried very soon into the service scan so that other probes like GetRequest
don't simply identify this as a proxy before we've had a chance to use our
We also used a
totalwaitms directive to make
Nmap wait longer for this probe to time out. This
can be necessary because not only are we dealing with the latency and
unreliability of the connection between us and the proxy, but also the
latency and unreliability of the connection between the proxy and the server
containing the page we requested (
Keep in mind that many other protocols can be proxied in addition to HTTP.
Version detection will identify proxies for many of them including FTP, POP3, IMAP, and SMTP.
SOCKS proxies have special match lines that determine information on the authentication
options the proxy has configured. As we did in this solution, often we can use
version detection to tell whether such proxies are open or not by using custom
probes files. However, more complicated tests are probably best done with NSE scripts.