hmgle / graftcp

A flexible tool for redirecting a given program's TCP traffic to SOCKS5 or HTTP proxy.
GNU General Public License v3.0

Does graftcp not support port scanning? #36

Closed freeAhao closed 1 year ago

freeAhao commented 3 years ago

Below are the results of port scanning with nmap through proxychains4 and through graftcp.

The graftcp result shows every port as open:

graftcp nmap -Pn -sT -top-ports 5 172.16.0.1
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-14 11:26 CST
Nmap scan report for 172.16.0.1
Host is up (0.0013s latency).

PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
23/tcp  open  telnet
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.68 seconds

The graftcp-local settings are:

graftcp-local -socks5 127.0.0.1:10808 -select_proxy_mode only_socks5

The proxychains4 result:

pc4 nmap -Pn -sT -top-ports 5 172.16.0.1
[proxychains] config file found: /home/ahao/.proxychains/proxychains.conf
[proxychains] preloading /usr/lib/libproxychains4.so
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-14 11:26 CST
Nmap scan report for 172.16.0.1
Host is up (0.094s latency).

PORT    STATE  SERVICE
21/tcp  closed ftp
22/tcp  closed ssh
23/tcp  open   telnet
80/tcp  open   http
443/tcp open   https

Nmap done: 1 IP address (1 host up) scanned in 0.65 seconds
hmgle commented 3 years ago

My initial guess is that the problem arises like this: once graftcp redirects nmap's TCP traffic to the proxy, nmap's connect system call returns successfully as soon as the TCP three-way handshake with the proxy server completes and that connection is established, so nmap assumes it has successfully established a TCP connection to the target port on the target host, while in fact the proxy server may not yet have connected to that target port successfully at all. I'll look into whether the port-scanning scenario can be supported later.

hmgle commented 3 years ago

The nmap scanning scenario cannot be supported.

Also, I tried proxychains-ng 4.14 with nmap 7.91 and found that its result is no different from graftcp's: every port shows as open there too:

$ ./proxychains4 /xxx/nmap-7.91/nmap -Pn -sT -top-ports 5 3.123.248.34

[proxychains] preloading ./libproxychains4.so
[proxychains] DLL init: proxychains-ng 4.14-git-42-g931e0df
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.

[proxychains] Dynamic chain  ...  127.0.0.1:1081  ...  3.123.248.34:22  ...  OK
[proxychains] Dynamic chain  ...  127.0.0.1:1081  ...  3.123.248.34:80  ...  OK
[proxychains] Dynamic chain  ...  127.0.0.1:1081  ...  3.123.248.34:21  ...  OK
[proxychains] Dynamic chain  ...  127.0.0.1:1081  ...  3.123.248.34:443  ...  OK
[proxychains] Dynamic chain  ...  127.0.0.1:1081  ...  3.123.248.34:23  ...  OK
Nmap scan report for ec2-3-123-248-34.eu-central-1.compute.amazonaws.com (3.123.248.34)
Host is up (0.00031s latency).

PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
23/tcp  open  telnet
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds

The result when scanning directly (without a proxy) is:

PORT    STATE    SERVICE
21/tcp  filtered ftp
22/tcp  filtered ssh
23/tcp  filtered telnet
80/tcp  open     http
443/tcp open     https
freeAhao commented 3 years ago

First, it can be confirmed that nmap's -sT (TCP CONNECT) scan does support scanning through a SOCKS proxy.

For the IP 3.123.248.34 I tested several tools that open a SOCKS proxy; so far only ssh dynamic port forwarding scans correctly.

ssh -D 0.0.0.0:10808 root@xxx.xxx.xxx.xx
pc4 nmap -Pn -sT -top-ports 5 3.123.248.34
[proxychains] config file found: /home/ahao/.proxychains/proxychains.conf
[proxychains] preloading /usr/lib/libproxychains4.so
[proxychains] DLL init: proxychains-ng 4.14
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-21 17:31 CST
[proxychains] Round Robin chain  ...  127.0.0.1:10808  ...  3.123.248.34:443  ...  OK
[proxychains] Round Robin chain  ...  127.0.0.1:10808  ...  3.123.248.34:21 <--socket error or timeout!
[proxychains] Round Robin chain  ...  127.0.0.1:10808  ...  3.123.248.34:23 <--socket error or timeout!
[proxychains] Round Robin chain  ...  127.0.0.1:10808  ...  3.123.248.34:80  ...  OK
[proxychains] Round Robin chain  ...  127.0.0.1:10808  ...  3.123.248.34:22 <--socket error or timeout!
Nmap scan report for ec2-3-123-248-34.eu-central-1.compute.amazonaws.com (3.123.248.34)
Host is up (0.32s latency).

PORT    STATE  SERVICE
21/tcp  closed ftp
22/tcp  closed ssh
23/tcp  closed telnet
80/tcp  open   http
443/tcp open   https

Nmap done: 1 IP address (1 host up) scanned in 15.74 seconds
hmgle commented 3 years ago

First, it can be confirmed that nmap's -sT (TCP CONNECT) scan does support scanning through a SOCKS proxy.

For the IP 3.123.248.34 I tested several tools that open a SOCKS proxy; so far only ssh dynamic port forwarding scans correctly.

ssh -D 0.0.0.0:10808 root@xxx.xxx.xxx.xx
pc4 nmap -Pn -sT -top-ports 5 3.123.248.34
[proxychains] config file found: /home/ahao/.proxychains/proxychains.conf
[proxychains] preloading /usr/lib/libproxychains4.so
[proxychains] DLL init: proxychains-ng 4.14
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-21 17:31 CST
[proxychains] Round Robin chain  ...  127.0.0.1:10808  ...  3.123.248.34:443  ...  OK
[proxychains] Round Robin chain  ...  127.0.0.1:10808  ...  3.123.248.34:21 <--socket error or timeout!
[proxychains] Round Robin chain  ...  127.0.0.1:10808  ...  3.123.248.34:23 <--socket error or timeout!
[proxychains] Round Robin chain  ...  127.0.0.1:10808  ...  3.123.248.34:80  ...  OK
[proxychains] Round Robin chain  ...  127.0.0.1:10808  ...  3.123.248.34:22 <--socket error or timeout!
Nmap scan report for ec2-3-123-248-34.eu-central-1.compute.amazonaws.com (3.123.248.34)
Host is up (0.32s latency).

PORT    STATE  SERVICE
21/tcp  closed ftp
22/tcp  closed ssh
23/tcp  closed telnet
80/tcp  open   http
443/tcp open   https

Nmap done: 1 IP address (1 host up) scanned in 15.74 seconds

So it seems to also depend on which SOCKS5 proxy tool is being connected to. I'll try scanning through an ssh proxy when I have time.

freeAhao commented 3 years ago

So it seems to also depend on which SOCKS5 proxy tool is being connected to. I'll try scanning through an ssh proxy when I have time.

Judging from the scans above, proxychains4 uses the tcp_connect_time_out timeout from its config file to decide whether a port is open or closed.
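
The mechanism hmgle describes above (connect() returning as soon as the handshake with the proxy completes) and freeAhao's last observation (proxychains4 deciding open/closed from the proxy's response or its timeout) come down to the same point in the SOCKS5 exchange: the target port's state is only known once the proxy's CONNECT reply arrives. The following is an added example, not code from graftcp, proxychains-ng or nmap. It walks a SOCKS5 CONNECT (RFC 1928) against a constructed in-process stand-in proxy; the class FakeSocks5Proxy, the target address 192.0.2.10 and the mapping of reply codes to open/closed/filtered are all assumptions made for the example, and the fake proxy never dials anything.

```python
"""Added example (not code from graftcp, proxychains-ng or nmap): a minimal
SOCKS5 CONNECT exchange (RFC 1928) against a constructed in-process proxy,
showing why a successful connect() to the proxy says nothing about the
target port until the proxy's CONNECT reply arrives."""
import socket
import struct
import threading

def recv_exact(sock, n):
    """Read exactly n bytes; recv() alone may return short reads."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during SOCKS5 exchange")
        buf += chunk
    return buf

def build_connect_request(host, port):
    """VER=5 CMD=CONNECT(1) RSV=0 ATYP=IPv4(1) DST.ADDR DST.PORT."""
    return b"\x05\x01\x00\x01" + socket.inet_aton(host) + struct.pack("!H", port)

def parse_reply(data):
    """Return the REP code (RFC 1928 section 6) from a 10-byte IPv4 SOCKS5 reply."""
    if len(data) != 10 or data[0] != 0x05 or data[2] != 0x00 or data[3] != 0x01:
        raise ValueError("malformed SOCKS5 reply: %r" % (data,))
    return data[1]

def socks5_connect(proxy_addr, host, port, timeout=2.0):
    """Greeting + CONNECT through the proxy; returns the REP code."""
    with socket.create_connection(proxy_addr, timeout=timeout) as s:
        # connect() has returned 0 here: the three-way handshake with the
        # PROXY succeeded. A transparently redirected nmap -sT sees only
        # this and reports "open" whatever the target port's real state.
        s.sendall(b"\x05\x01\x00")                  # VER=5, one method: no-auth
        if recv_exact(s, 2) != b"\x05\x00":
            raise ConnectionError("proxy rejected the no-auth method")
        s.sendall(build_connect_request(host, port))
        return parse_reply(recv_exact(s, 10))

def port_state(rep):
    """Simplified nmap-style mapping (an assumption of this example):
    0x00 succeeded -> open, 0x05 connection refused -> closed, else filtered."""
    return {0x00: "open", 0x05: "closed"}.get(rep, "filtered")

def scan_via_socks5(proxy_addr, host, ports):
    """{port: state} decided by the proxy's CONNECT reply, not by its handshake."""
    return {p: port_state(socks5_connect(proxy_addr, host, p)) for p in ports}

class FakeSocks5Proxy:
    """Constructed stand-in for a SOCKS5 server (test fixture; never dials out).
    reply_for_port maps target port -> REP; unknown ports get 0x04 (host
    unreachable). With eager=True it answers 'succeeded' for every port
    without checking anything, which is what makes every port look open."""

    def __init__(self, reply_for_port, eager=False):
        self.reply_for_port, self.eager, self.running = reply_for_port, eager, True
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(8)
        self.sock.settimeout(0.2)                   # lets _serve notice close()
        self.addr = self.sock.getsockname()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while self.running:
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()
        self.sock.close()

    def _handle(self, conn):
        with conn:
            conn.settimeout(2.0)
            recv_exact(conn, 3)                     # greeting carrying one method
            conn.sendall(b"\x05\x00")               # select no-auth
            req = recv_exact(conn, 10)              # IPv4 CONNECT request
            port = struct.unpack("!H", req[8:10])[0]
            rep = 0x00 if self.eager else self.reply_for_port.get(port, 0x04)
            # BND.ADDR/BND.PORT are zeroed; only REP matters for this example.
            conn.sendall(b"\x05" + bytes([rep]) + b"\x00\x01" + b"\x00" * 6)

    def close(self):
        self.running = False

if __name__ == "__main__":
    target = "192.0.2.10"                           # constructed TEST-NET-1 address
    honest = FakeSocks5Proxy({22: 0x05, 80: 0x00, 443: 0x00})
    print("honest proxy:", scan_via_socks5(honest.addr, target, [21, 22, 80, 443]))
    honest.close()
    eager = FakeSocks5Proxy({}, eager=True)
    print("eager proxy: ", scan_via_socks5(eager.addr, target, [21, 22, 80, 443]))
    eager.close()
```

The two fixtures reproduce the two outcomes seen in this thread. The "honest" proxy only reports succeeded/refused after deciding per port, so a scanner that waits for the REP byte (as proxychains does, bounded by its tcp_connect_time_out) can tell open from closed; the "eager" proxy answers succeeded before doing anything, and then even a scanner that reads the reply sees every port open, which is consistent with the all-open proxychains result hmgle got with his proxy. Under graftcp the application never reads a REP at all, since its connect() returns at the proxy handshake, so all-open is the only possible answer. For anyone reviewing scan results obtained through a proxy, the practical check is therefore whether the proxy in the chain delays its CONNECT reply until its own connection to the target has succeeded or failed.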