Does graftcp not support port scanning?
Closed this issue · 5 comments
Below are the results of port scanning with nmap via proxychains4 and via graftcp.
The graftcp result shows all ports as open.
graftcp nmap -Pn -sT -top-ports 5 172.16.0.1
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-14 11:26 CST
Nmap scan report for 172.16.0.1
Host is up (0.0013s latency).
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.68 seconds
The graftcp-local configuration is
graftcp-local -socks5 127.0.0.1:10808 -select_proxy_mode only_socks5
proxychains4 result
pc4 nmap -Pn -sT -top-ports 5 172.16.0.1
[proxychains] config file found: /home/ahao/.proxychains/proxychains.conf
[proxychains] preloading /usr/lib/libproxychains4.so
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-14 11:26 CST
Nmap scan report for 172.16.0.1
Host is up (0.094s latency).
PORT STATE SERVICE
21/tcp closed ftp
22/tcp closed ssh
23/tcp open telnet
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.65 seconds
My preliminary guess is that this is caused as follows: after graftcp redirects nmap's TCP traffic to the proxy, as soon as the TCP three-way handshake with the proxy server completes and that connection is established, nmap's connect system call returns successfully, so nmap assumes it has established a TCP connection to the target host's target port, while in reality the proxy server's own connect to the target host and port may not have succeeded yet.
I'll look into later whether this port-scanning scenario can be supported.
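To make the mechanism above concrete, here is an added example (not graftcp's or nmap's code) that runs both sides of a SOCKS5 CONNECT exchange (RFC 1928) against a constructed stand-in proxy: the TCP handshake with the proxy always "succeeds", and only the REP byte of the proxy's reply says whether the target port was actually reachable. The mapping from REP codes to open/closed/filtered is this example's own interpretation, and the target address 203.0.113.10 is a constructed placeholder.

```python
import socket
import struct

# SOCKS5 reply codes from RFC 1928 section 6 (REP field of the server reply)
REPLY_NAMES = {0x00: "succeeded", 0x01: "general failure", 0x02: "not allowed",
               0x03: "network unreachable", 0x04: "host unreachable",
               0x05: "connection refused", 0x06: "TTL expired",
               0x07: "command not supported", 0x08: "address type not supported"}

def build_connect(host: str, port: int) -> bytes:
    """Client CONNECT request: VER=5 CMD=1 RSV=0 ATYP=1 (IPv4) DST.ADDR DST.PORT."""
    return b"\x05\x01\x00\x01" + socket.inet_aton(host) + struct.pack("!H", port)

def port_state_from_reply(reply: bytes) -> str:
    """Translate the proxy's REP byte into the state a connect scan would report.
    This mapping is the example's own interpretation, not nmap's or graftcp's."""
    if len(reply) < 10 or reply[0] != 0x05:
        raise ValueError("malformed SOCKS5 reply")
    rep = reply[1]
    if rep == 0x00:
        return "open"          # proxy reached the target port
    if rep == 0x05:
        return "closed"        # target answered with RST -> connection refused
    return "filtered"          # unreachable / timeout / policy: no definite answer

def socks5_connect(sock, host: str, port: int) -> str:
    """Run the full exchange over an already connected socket-like object.
    A transparent redirector that returns at this point (before the reply is
    read) would report every port as open, which is the symptom in this issue."""
    sock.sendall(b"\x05\x01\x00")              # greeting: one method, no auth
    if sock.recv(2) != b"\x05\x00":
        raise RuntimeError("proxy rejected the no-auth method")
    sock.sendall(build_connect(host, port))
    return port_state_from_reply(sock.recv(10))

class FakeProxy:
    """Constructed stand-in for a SOCKS5 server; answers with a fixed REP code."""
    def __init__(self, rep: int):
        self.rep, self.sent, self.replies = rep, [], []
    def sendall(self, data: bytes) -> None:
        self.sent.append(data)
        if data == b"\x05\x01\x00":
            self.replies.append(b"\x05\x00")   # method selection: no auth
        else:  # reply layout: VER REP RSV ATYP BND.ADDR(4) BND.PORT(2)
            self.replies.append(bytes([5, self.rep, 0, 1]) + b"\0" * 6)
    def recv(self, n: int) -> bytes:
        return self.replies.pop(0)

if __name__ == "__main__":
    for rep in (0x00, 0x05, 0x04):
        print(REPLY_NAMES[rep], "->", socks5_connect(FakeProxy(rep), "203.0.113.10", 22))
```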
There is no way to support the nmap scanning scenario.
Also, I tried proxychains-ng 4.14 with nmap 7.91 and found the results are no different from graftcp; all ports are reported open there too:
$ ./proxychains4 /xxx/nmap-7.91/nmap -Pn -sT -top-ports 5 3.123.248.34
[proxychains] preloading ./libproxychains4.so
[proxychains] DLL init: proxychains-ng 4.14-git-42-g931e0df
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
[proxychains] Dynamic chain ... 127.0.0.1:1081 ... 3.123.248.34:22 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:1081 ... 3.123.248.34:80 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:1081 ... 3.123.248.34:21 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:1081 ... 3.123.248.34:443 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:1081 ... 3.123.248.34:23 ... OK
Nmap scan report for ec2-3-123-248-34.eu-central-1.compute.amazonaws.com (3.123.248.34)
Host is up (0.00031s latency).
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
The direct result is:
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
80/tcp open http
443/tcp open https
First, it can be confirmed that nmap's -sT (TCP connect) scan does support scanning through a SOCKS proxy.
For the IP 3.123.248.34 I tested several tools that provide a SOCKS proxy; so far only SSH dynamic port forwarding scans correctly.
ssh -D 0.0.0.0:10808 root@xxx.xxx.xxx.xx
pc4 nmap -Pn -sT -top-ports 5 3.123.248.34
[proxychains] config file found: /home/ahao/.proxychains/proxychains.conf
[proxychains] preloading /usr/lib/libproxychains4.so
[proxychains] DLL init: proxychains-ng 4.14
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-21 17:31 CST
[proxychains] Round Robin chain ... 127.0.0.1:10808 ... 3.123.248.34:443 ... OK
[proxychains] Round Robin chain ... 127.0.0.1:10808 ... 3.123.248.34:21 <--socket error or timeout!
[proxychains] Round Robin chain ... 127.0.0.1:10808 ... 3.123.248.34:23 <--socket error or timeout!
[proxychains] Round Robin chain ... 127.0.0.1:10808 ... 3.123.248.34:80 ... OK
[proxychains] Round Robin chain ... 127.0.0.1:10808 ... 3.123.248.34:22 <--socket error or timeout!
Nmap scan report for ec2-3-123-248-34.eu-central-1.compute.amazonaws.com (3.123.248.34)
Host is up (0.32s latency).
PORT STATE SERVICE
21/tcp closed ftp
22/tcp closed ssh
23/tcp closed telnet
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 15.74 seconds
It seems it also depends on which SOCKS5 proxy tool the connection goes through. When I have time I'll try scanning via an SSH proxy.
It looks like in the scans above, proxychains4 determines whether a port is open or closed via the tcp_connect_time_out timeout in its config file.