I looked at how to reduce your exposure using Tor earlier in the week. We installed Tor and Privoxy and configured our system to browse the Internet anonymously. We can use Tor and another great program called proxychains to Torify our network scans with nmap.
Before I continue, I would like to recommend that anyone who doesn’t know what Tor is read the aforementioned post. It will walk you through installing Tor and provide additional background information. For anyone who doesn’t know what nmap is, you must be stuck on a Bell 103. All joking aside, nmap, short for Network Mapper, is a free and open source utility for network exploration and security auditing. It was created by Gordon “Fyodor” Lyon and has come a long way since its inception. A brief summary of its transformation: nmap’s original source code contained lines such as fprintf(stderr, "Your ftp bounce server sucks, it won't let us feed bogus ports!\n"); and it went on to become a movie star when it was featured in The Matrix Reloaded. It is used by network admins, system admins, and security professionals alike. You can find more detailed information at nmap.org.
If you already have nmap installed, disregard this paragraph. For those of you who don’t, I’m going to take the short road this time and direct you to nmap’s guide for obtaining, compiling, installing, and removing nmap.
The only remaining component for protecting our anonymity while scanning is ProxyChains. ProxyChains lets you use SSH, Telnet, VNC, FTP and any other Internet application from behind HTTP(S) and SOCKS4/5 proxy servers, the key words being “any other Internet application”. It works by preloading a library that hooks the application’s connect() and name-lookup calls, so it can tunnel TCP connections and DNS lookups through the proxies, and nothing else. Keep this in mind as we install ProxyChains.
Step One: Install ProxyChains
Browse to ProxyChains at SourceForge and download the latest source (as of this writing the current version is 3.1).
Now we need to unpack ProxyChains:
tar -xzvf proxychains-3.1.tar.gz
You should see a directory named proxychains-3.1. Make this new directory your working directory and issue the following commands at your terminal (the last one usually needs root):
./configure
make
make install
That’s all there is to installing ProxyChains; now let’s give it a try.
Step Two: Nmap
With ProxyChains installed we can now tunnel our scan through Tor. An essential piece of information to know before scanning a host or network through Tor is that everything you send must be TCP. ProxyChains only tunnels TCP connections and DNS lookups, and it does so by intercepting connect() calls; anything nmap sends with raw sockets (SYN scans, ICMP host discovery, OS detection, traceroute) or over UDP is never seen by ProxyChains and leaves from your real address. So pick nmap options that use only TCP connect() scanning: no host discovery through ICMP, no UDP. It’s also best to tread lightly while using proxychains and Tor (avoid DNS resolves, etc.). Another good reason is that the Tor network is slow enough as it is, and there’s no reason on your end to slow it down even more; you do want to see the results of your scan eventually, don’t you?
Open up your terminal again and issue the following command:
proxychains nmap -sT -PN -n -sV -p21,25,80 192.168.1.10
You’ll notice an nmap scan being performed. What we did was scan our own address through Tor via ProxyChains. We specified a full connect() scan with -sT, skipped host discovery with -PN, avoided DNS resolves with -n, asked for a version scan with -sV, picked which ports to scan with -p21,25,80, and finally gave the host to look at, our own IP address. What you’ll see after running the above command is something similar to this:
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 4.62 ( http://nmap.org ) at 2009-06-26 14:44 CDT
What nmap will spit back at you should look something like this:
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.1.10:80-<--timeout
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.1.10:25-<--denied
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.1.10:21-<--denied
Interesting ports on 192.168.1.10:
PORT   STATE  SERVICE VERSION
21/tcp closed ftp
25/tcp closed smtp
80/tcp closed http
Keep TCP in the back of your mind as you perform scans with Tor. Also read the ProxyChains chain lines before trusting the port table: “denied” at the end of a chain line means the SOCKS proxy refused the connection, not that the target did, yet nmap reports such a port as closed all the same. Tor refuses to connect to private addresses by default, so a scan of 192.168.1.10 like the one above can only ever come back with every port closed; for a real result, aim at a host the Tor exit nodes can reach. Again, as always, please get permission before attempting a scan. If you would like to practice on a test system, you can use the one Fyodor was nice enough to set up. Browse to scanme.nmap.org to find out more.
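Here is an added example that is not from the original post and is not part of ProxyChains or nmap: a small POSIX shell wrapper that enforces the TCP-only rule from the step above before it ever calls proxychains nmap. It refuses scan types and host-discovery options that need raw sockets or UDP (the ones that would leave from your real address), insists on -sT, -PN and -n, checks that the ProxyChains config has an uncommented socks entry for Tor, and confirms something is listening on Tor’s SOCKS port. The Tor address 127.0.0.1:9050, the config path /etc/proxychains.conf and every function name are my assumptions, not anything the post or the tools define.

```sh
#!/bin/sh
# Added example, not part of the original post or of ProxyChains/nmap.
# Assumptions (mine): Tor's SOCKS port is 127.0.0.1:9050 and the ProxyChains
# configuration lives at /etc/proxychains.conf. Override via the environment.
TOR_HOST=${TOR_HOST:-127.0.0.1}
TOR_PORT=${TOR_PORT:-9050}
PROXYCHAINS_CONF=${PROXYCHAINS_CONF:-/etc/proxychains.conf}

# proxy_safe_args NMAP_ARGS...
# Returns 0 when every option only needs connect() calls, which is all that
# proxychains hooks. Otherwise prints the first offending option and returns 1.
# Raw-socket and UDP options bypass the hook and leak your real address.
proxy_safe_args() {
    for arg in "$@"; do
        case "$arg" in
            -sT|-sV|-sTV|-sVT) ;;                        # connect() scan / version probes: plain TCP
            -s*) echo "$arg"; return 1 ;;               # -sS, -sU, -sn, -sA ... raw packets or UDP
            -PN|-Pn) ;;                                  # skip host discovery: sends no probes
            -P*) echo "$arg"; return 1 ;;               # -PE, -PS, -PU ... raw ICMP/TCP/UDP pings
            -O|-A|--traceroute) echo "$arg"; return 1 ;; # OS detection / traceroute need raw sockets
        esac
    done
    return 0
}

# has_required_args NMAP_ARGS...
# Returns 0 when -sT, -PN/-Pn and -n are all present: a connect() scan with
# host discovery and DNS resolution switched off, as used in the post.
has_required_args() {
    st=0 pn=0 nodns=0
    for arg in "$@"; do
        case "$arg" in
            -sT|-sTV|-sVT) st=1 ;;
            -PN|-Pn) pn=1 ;;
            -n) nodns=1 ;;
        esac
    done
    [ "$st" -eq 1 ] && [ "$pn" -eq 1 ] && [ "$nodns" -eq 1 ]
}

# conf_points_at_tor FILE
# Returns 0 when FILE holds an uncommented "socks4 HOST PORT" or
# "socks5 HOST PORT" line for Tor; commented-out entries do not count.
conf_points_at_tor() {
    host_re=$(printf '%s' "$TOR_HOST" | sed 's/\./\\./g')
    grep -Eq "^[[:space:]]*socks[45][[:space:]]+${host_re}[[:space:]]+${TOR_PORT}([[:space:]]|\$)" "$1"
}

# tor_socks_up HOST PORT
# Returns 0 when a TCP connection to HOST:PORT succeeds. Uses bash's /dev/tcp;
# under a plain POSIX sh the open fails and the function simply reports "down".
tor_socks_up() {
    (exec 3<>"/dev/tcp/$1/$2") 2>/dev/null
}

# torscan NMAP_ARGS...
# Refuse anything that would leak, check the plumbing, then run the scan.
torscan() {
    if ! bad=$(proxy_safe_args "$@"); then
        printf 'refusing: %s is not tunnelled by proxychains and would leak your address\n' "$bad" >&2
        return 2
    fi
    if ! has_required_args "$@"; then
        printf 'refusing: use -sT -PN -n so every probe is a proxied TCP connect()\n' >&2
        return 2
    fi
    if ! conf_points_at_tor "$PROXYCHAINS_CONF"; then
        printf '%s has no active socks4/socks5 %s %s entry\n' "$PROXYCHAINS_CONF" "$TOR_HOST" "$TOR_PORT" >&2
        return 2
    fi
    if ! tor_socks_up "$TOR_HOST" "$TOR_PORT"; then
        printf 'nothing listening on %s:%s; is Tor running?\n' "$TOR_HOST" "$TOR_PORT" >&2
        return 2
    fi
    proxychains nmap "$@"
}

# Usage: sh torscan.sh -sT -PN -n -sV -p21,25,80 scanme.nmap.org
if [ "$#" -gt 0 ]; then
    torscan "$@"
fi
```

The option check is deliberately strict: any -s flag other than -sT/-sV and any -P flag other than -PN/-Pn is refused, because every other scan type or ping probe is sent with raw sockets or UDP that the preloaded hook never sees. A refused scan exits with status 2 and nothing is sent, which is the failure mode you want when the alternative is a probe from your real address.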
For those of you with some basic sniffing ability, I recommend capturing packets on your system while trying out a few commands through Tor just to see what happens. There's no better way to learn what's happening than seeing both sides of the communication stream. I would also suggest reading the documentation provided at nmap.org, especially the Nmap Reference Guide.