On some networks, the outbound traffic to web servers (ports 80 and 443) might be intercepted on the fly by a transparent proxy.
A simple way to try to detect such a proxy with nmap is to run the following command:
nmap -sT cn.pool.ntp.org -p 80
Starting Nmap 6.00 ( http://nmap.org )
Nmap scan report for cn.pool.ntp.org (18.104.22.168)
Host is up (0.00042s latency).
rDNS record for 22.214.171.124: dns1.synet.edu.cn
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
It tells nmap to initiate a standard TCP connection (-sT) with an NTP server that is far way from me, e.g. China (cn.pool.ntp.org), on port 80 (-p 80).
In the output of nmap, we can see that:
- the connection was successful
- the network latency is 42ms
It’s certain in this case that there is a transparent proxy, because the typical latency from Europe to China is almost 10 times higher (370ms vs. 42ms), and typically, NTP server don’t have their port 80 often.
The reason why this is working is that this transparent proxy will blindly intercept the connections to web servers independently of their existence. It’s only when the client sends the HTTP headers that the proxy will try to contact the remote server.
If you want to double check, you can ping the same server from the command line, that will give you the latency using ICMP packets (instead of TCP):
$ ping 126.96.36.199
PING 188.8.131.52 56(84) bytes of data.
64 bytes from dns1.synet.edu.cn (184.108.40.206): icmp_seq=1 ttl=46 time=376 ms
64 bytes from dns1.synet.edu.cn (220.127.116.11): icmp_seq=2 ttl=46 time=378 ms
Compare this latency with the one from nmap.
You may also call the same nmap command from a host that is known not to be behind a proxy, and compare the results. If one nmap tells the port is open and another one the port is closed, and no firewall comes into play, then it’s one more sign for a proxy.
So in this case, we are able to prove the existence of the proxy, but be aware that if the results were negative, it wouldn’t prove its absence. The proxy might well behave in a way that is not detectable using this method, for instance if it contacts the target server before replying to the TCP connection request from the client.