5

An Nmap result shows an HTTP proxy on port 8080. Without trying out the proxy, how can you tell if it's a proxy or not?

8080/tcp open http-proxy
Peter Mortensen
  • 2,318
  • 5
  • 23
  • 24
Bob Ebert
  • 153
  • 1
  • 4

3 Answers3

9

It depends on the exact options you use for a port scan with nmap

  • at the most basic nmap will simply determine if a port is open and listening and do a name conversion of that port number to a service name based on /etc/services or a similar table. the actual service on a specific port such as 8080 may be something completely different and you will indeed need to do a lot more connecting and testing to get the actual service

  • when you use some of the more comprehensive options for service and version detection such as -sV —version-all Nmap will have already done a lot of finger printing and testing for you and then the service nmap reports will be pretty accurate

HBruijn
  • 77,029
  • 24
  • 135
  • 201
3

You can't tell.

Anybody can run any service on port 8080: regular HTTP proxy, HTTP CONNECT proxy, a regular HTTP server or even SSH server if you really want to!

HTTP is a protocol where the client sends a request before the server sends a greeting. Thus, if you connect to the port, you don't see anything. While this could be an indication of HTTP as the protocol, you can't tell if it's a server or a proxy, and also you can't be 100% certain the protocol is HTTP.

Many protocols have the server send a greeting before the client, like mail protocols, SSH, TLS (well, in SSH and TLS both client and server send a greeting). Thus, you can rule out some protocols by connecting to the port and observing whether there's a greeting. But you can't rule out them all, and even then, if you suspect the protocol is HTTP, you don't really know if it's a proxy or a server.

Correction: actually, in TLS the server greeting (ServerHello) is dependent on the client greeting, so the server first inspects the client greeting before sending the ServerHello message.

juhist
  • 302
  • 1
  • 3
  • 10
  • In SSH it used to be the case that clients would wait for the server to send its banner before the client would respond. However if you completely disable support for version 1 of the protocol it is possible for the client to send its banner without waiting for the server to say anything. For maximum compatibility SSH servers still need to send a banner before it has heard anything for the client. In the case of TLS it is different. The hello message from the server cannot be sent until after the client has sent a hello message. – kasperd Dec 25 '18 at 21:48
  • 1
    In TLS the client hello message contains a list of supported cipher suites. And the server picks one of the cipher suites supported by the client and in the server hello message tells the client which one it picked. For this reason it's not possible for the server to send a server hello message before it has received the client hello message. Moreover in some setups (usually involving a reverse proxy) the SNI field from the client hello is required before the server will be able to terminate the TLS connection. – kasperd Dec 25 '18 at 21:51
0

If your port is not the default of 3128, nmap does not seem to detect an http proxy.

However, I was able to spoof a bad request to a port which will cause a proxy to spit out a response which will contain identifiers which can help to identify the service.

% echo foo | nc <proxy_ip> <proxy_port> | grep Server

Of course the server admin could harden by removing identifying headers but still its probably pretty easy to detect with this methodology.

Timothy C. Quinn
  • 299
  • 1
  • 2
  • 10