How to tell if a port is an HTTP proxy

An Nmap result shows an HTTP proxy on port 8080. Without trying out the proxy, how can you tell if it's a proxy or not?

8080/tcp open http-proxy

It depends on the exact options you use for a port scan with Nmap:

  • At the most basic, Nmap will simply determine if a port is open and listening and do a name conversion of that port number to a service name based on /etc/services or a similar table. The actual service on a specific port such as 8080 may be something completely different, and you will indeed need to do a lot more connecting and testing to get the actual service.

  • When you use some of the more comprehensive options for service and version detection, such as -sV --version-all, Nmap will have already done a lot of fingerprinting and testing for you, and then the service Nmap reports will be pretty accurate.


You can't tell.

Anybody can run any service on port 8080: regular HTTP proxy, HTTP CONNECT proxy, a regular HTTP server or even SSH server if you really want to!

HTTP is a protocol where the client sends a request before the server sends a greeting. Thus, if you connect to the port, you don't see anything. While this could be an indication of HTTP as the protocol, you can't tell if it's a server or a proxy, and also you can't be 100% certain the protocol is HTTP.

Many protocols have the server send a greeting before the client, like mail protocols, SSH, TLS (well, in SSH and TLS both client and server send a greeting). Thus, you can rule out some protocols by connecting to the port and observing whether there's a greeting. But you can't rule them all out, and even then, if you suspect the protocol is HTTP, you don't really know if it's a proxy or a server.
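The greeting check described in the answer above, as an added example that is not part of the original answer: connect, send nothing, and record whether the service speaks first. The function names, the loopback listeners and the banner string are constructed for illustration; a "silent" result is only consistent with HTTP and says nothing about proxy versus server.

```python
import socket
import threading


def observe_greeting(host, port, wait=1.0):
    """Connect, send nothing, and report what the server volunteers.

    Returns ("server-first", banner_bytes) if the server speaks first,
    ("silent", b"") if it waits for the client (consistent with HTTP,
    but not proof of it), or ("closed", b"") if it hangs up at once.
    """
    with socket.create_connection((host, port), timeout=wait) as s:
        try:
            data = s.recv(256)
        except socket.timeout:
            return ("silent", b"")
    return ("server-first", data) if data else ("closed", b"")


def _start_listener(greeting):
    """Constructed loopback service for the demo: sends `greeting` (if any),
    then holds the connection open until the client disconnects."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            if greeting:
                conn.sendall(greeting)
            conn.recv(1)  # blocks until the client closes
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    # Constructed sample services, not real banners taken from the page.
    ssh_like = _start_listener(b"SSH-2.0-ExampleServer\r\n")
    http_like = _start_listener(b"")  # waits for a request, like HTTP
    return (observe_greeting("127.0.0.1", ssh_like, wait=0.5),
            observe_greeting("127.0.0.1", http_like, wait=0.5))


if __name__ == "__main__":
    for verdict, banner in demo():
        print(verdict, banner)
```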