Nmap Postgres Binary Protocol Proxying

The port was open, but nothing moved. Then the packets came—fast, encrypted, precise. You fire up Nmap, but this time you’re not scanning HTTP or SSH. You’re deep in the Postgres binary protocol, and you want more than banners. You want control.

Nmap Postgres Binary Protocol Proxying is about pushing past the default scripts. The Postgres binary protocol is compact, efficient, and often underestimated. By proxying it, you can capture, inspect, rewrite, or forward queries without breaking the stream. This matters for penetration testing, production observability, and defensive monitoring.

With Nmap’s scripting engine (NSE) you can build custom scripts that speak native Postgres. Pair that with a lightweight TCP proxy and you can intercept the exact bytes sent in authentication, query execution, and result delivery. When scanning environments, proxying enables you to route traffic through controlled inspection points. You see the handshake, trace SQL calls, and measure responses under real load.

Why proxy Postgres instead of just running nmap --script=pgsql-*? Direct scanning gives you surface data. Proxying gives you depth. It lets you work around network ACLs, test latency impacts, and integrate with intrusion detection tools. It's also essential for safe replay testing: sending identical packets to staging and production without risking corruption.

Setting up binary protocol proxying requires precise stream handling. Unlike text-based protocols, you can’t just grep for keywords. You need to parse the initial startup message, handle SSL negotiation if enabled, and maintain session state. Nmap can connect, but the proxy must preserve timing and order or Postgres will terminate the session.
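The stream handling described above, as an added example (not code from the original article or from Nmap): a frame parser a logging proxy could run on client-to-server bytes. The function names are hypothetical, the sample bytes are constructed, and it assumes protocol version 3.x framing.

```python
import struct

SSL_REQUEST = 80877103     # (1234 << 16) | 5679, sent before any TLS handshake
CANCEL_REQUEST = 80877102  # (1234 << 16) | 5678
MAX_STARTUP = 10000        # sanity bound; PostgreSQL rejects longer startup packets

def parse_startup(buf):
    """First (untyped) packet: int32 length, int32 code, body. (None, 0) = need more."""
    if len(buf) < 8:
        return None, 0
    length, code = struct.unpack("!II", buf[:8])
    if not 8 <= length <= MAX_STARTUP:
        raise ValueError(f"implausible startup length {length}")
    if len(buf) < length:
        return None, 0
    if code == SSL_REQUEST:
        # Server answers with one byte: b"S" (TLS follows) or b"N" (plaintext).
        return {"kind": "SSLRequest"}, length
    if code == CANCEL_REQUEST:
        return {"kind": "CancelRequest"}, length
    if code >> 16 != 3:
        raise ValueError(f"unsupported protocol code {code}")
    # Body is key\0value\0 pairs, terminated by one extra \0.
    parts = buf[8:length].split(b"\x00")
    params = {}
    for key, value in zip(parts[0::2], parts[1::2]):
        if not key:
            break
        params[key.decode(errors="replace")] = value.decode(errors="replace")
    return {"kind": "StartupMessage", "params": params}, length

def split_messages(buf):
    """Typed messages: 1-byte tag + int32 length (counts itself). Returns (msgs, leftover)."""
    msgs, pos = [], 0
    while len(buf) - pos >= 5:
        (length,) = struct.unpack("!I", buf[pos + 1:pos + 5])
        if length < 4:
            raise ValueError("corrupt message length")
        end = pos + 1 + length
        if end > len(buf):
            break  # partial frame: keep it for the next read
        msgs.append((chr(buf[pos]), buf[pos + 5:end]))
        pos = end
    return msgs, buf[pos:]

_body = b"user\x00alice\x00database\x00app\x00\x00"  # constructed sample, not captured traffic
SAMPLE_SSL = struct.pack("!II", 8, SSL_REQUEST)
SAMPLE_STARTUP = struct.pack("!II", 8 + len(_body), 3 << 16) + _body
SAMPLE_QUERY = b"Q" + struct.pack("!I", 4 + 9) + b"SELECT 1\x00"
```

Once the server answers an SSLRequest with S, everything after it is TLS, so this parser only sees frames if the proxy terminates TLS itself or the session runs in plaintext.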

For engineers chasing full-stack visibility, the workflow is simple:

  1. Deploy a TCP proxy that captures raw Postgres protocol frames.
  2. Use Nmap with custom NSE scripts to initiate and route traffic through the proxy.
  3. Log, modify, and replay as needed.
  4. Feed the data into your analysis pipeline—latency metrics, auth tests, injection detection.

The result: you own the layer between client and server. You can scan, observe, and test without touching application code. You can see every byte and decide what it means.

Want to see Nmap Postgres Binary Protocol Proxying in action, without days of configuration? Visit hoop.dev and spin up a live setup in minutes.