How to detect a transparent proxy with nmap

On some networks, outbound traffic to web servers (ports 80 and 443) may be intercepted on the fly by a transparent proxy.
A simple way to try to detect such a proxy with nmap is to run the following command:

$ nmap -sT cn.pool.ntp.org -p 80

Starting Nmap 6.00 ( http://nmap.org )
Nmap scan report for cn.pool.ntp.org (202.112.29.82)
Host is up (0.00042s latency).
rDNS record for 202.112.29.82: dns1.synet.edu.cn
PORT   STATE SERVICE
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds

It tells nmap to initiate a standard TCP connection (-sT) to an NTP server that is far away from me, e.g. in China (cn.pool.ntp.org), on port 80 (-p 80).

In the output of nmap, we can see that:

  • the connection was successful
  • the network latency is 42ms

It’s certain in this case that there is a transparent proxy, because the typical latency from Europe to China is almost 10 times higher (370ms vs. 42ms), and NTP servers typically don’t have port 80 open at all.

The reason this works is that the transparent proxy blindly intercepts connections to web servers, regardless of whether the target actually exists or listens on that port: it completes the TCP handshake itself, so the client sees a fast, successful connection. Only when the client sends the HTTP request headers does the proxy try to contact the remote server.

If you want to double-check, you can ping the same server from the command line; this gives you the latency measured with ICMP packets instead of TCP:

$ ping 202.112.29.82
PING 202.112.29.82 56(84) bytes of data.
64 bytes from dns1.synet.edu.cn (202.112.29.82): icmp_seq=1 ttl=46 time=376 ms
64 bytes from dns1.synet.edu.cn (202.112.29.82): icmp_seq=2 ttl=46 time=378 ms

Compare this latency with the one reported by nmap: a TCP connection that completes far faster than an ICMP round trip to the same address did not reach that address.

You may also run the same nmap command from a host that is known not to be behind a proxy, and compare the results. If one nmap reports the port as open and the other as closed, and no firewall is involved, that’s one more sign of a proxy.

So in this case, we are able to prove the existence of the proxy, but be aware that a negative result would not prove its absence. The proxy might well behave in a way that is not detectable with this method, for instance if it contacts the target server before answering the client’s TCP connection request, in which case both the latency and the port state would look genuine.
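The two checks above (TCP connect latency versus ICMP latency, and the port-open state) can be scripted. The following is an added example, not code from the original post: it parses the nmap and ping output quoted above, applies the post’s heuristic, and includes a live TCP-connect timer for repeating the nmap measurement without nmap. The 5x ratio threshold and the function names are my own assumptions.

```python
import re
import socket
import time

# Outputs quoted from the post above, embedded as constructed test input (not live data).
NMAP_OUTPUT = """Starting Nmap 6.00 ( http://nmap.org )
Nmap scan report for cn.pool.ntp.org (202.112.29.82)
Host is up (0.00042s latency).
PORT   STATE SERVICE
80/tcp open http
"""
PING_OUTPUT = """64 bytes from dns1.synet.edu.cn (202.112.29.82): icmp_seq=1 ttl=46 time=376 ms
64 bytes from dns1.synet.edu.cn (202.112.29.82): icmp_seq=2 ttl=46 time=378 ms
"""


def nmap_tcp_latency_ms(text):
    """Round-trip time nmap reports in 'Host is up (Xs latency)', in milliseconds."""
    m = re.search(r"Host is up \(([\d.]+)s latency\)", text)
    return float(m.group(1)) * 1000 if m else None


def nmap_port_open(text, port):
    """True if nmap lists <port>/tcp as open."""
    return re.search(rf"^{port}/tcp\s+open\b", text, re.M) is not None


def ping_icmp_latency_ms(text):
    """Average of the 'time=... ms' fields in ping output, or None if no replies."""
    times = [float(t) for t in re.findall(r"time=([\d.]+) ms", text)]
    return sum(times) / len(times) if times else None


def measure_tcp_connect_ms(host, port=80, timeout=5.0):
    """Live check (needs network): time a plain TCP connect, which is what nmap -sT does."""
    start = time.monotonic()
    with socket.create_connection((host, port), timeout=timeout):
        pass
    return (time.monotonic() - start) * 1000


def proxy_suspected(tcp_ms, icmp_ms, port_open, ratio=5.0):
    """The post's heuristic: an 'open' port reached much faster than ICMP reaches the
    same address means something on the path completed the handshake on its behalf.
    A False result does not prove absence (a proxy may connect upstream first)."""
    if not port_open or tcp_ms is None or icmp_ms is None or tcp_ms <= 0:
        return False
    return icmp_ms / tcp_ms >= ratio
```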

This entry was posted in Linux.