Tunneling nmap through Tor

Posted June 26, 2009 at 11:05 pm in Pen Testing, Privacy

I looked at how to reduce your exposure using Tor earlier in the week. We installed Tor and Privoxy and configured our system to browse the Internet anonymously. We can use Tor and another great program called proxychains to Torify our network scans with nmap.

Before I continue I would like to recommend that anyone who doesn’t know what Tor is read the aforementioned post. That post walks you through installing Tor and provides additional background information. For anyone who doesn’t know what nmap is, you must be stuck on a Bell 103. All joking aside, nmap, short for network mapper, is a free and open source utility for network exploration and security auditing. It was created by Gordon “Fyodor” Lyon and has come a long way since its inception. A brief summary of its transformation: nmap’s original source code contained lines such as “fprintf(stderr, “Your ftp bounce server sucks, it won’t let us feed bogus ports!\n”);” and it later transformed itself into a movie star when it was featured in The Matrix Reloaded. It is used by network admins, system admins, and security professionals alike. You can find more detailed information at nmap.org.

If you already have nmap installed, disregard this paragraph. For those of you who don’t have nmap, I’m going to take the short road this time and direct you to nmap’s guide for obtaining, compiling, installing, and removing nmap.

The only remaining component for protecting our anonymity while scanning is ProxyChains. ProxyChains allows you to use SSH, Telnet, VNC, FTP and any other Internet application from behind HTTP(S) and SOCKS4/5 proxy servers, the key words being “any other Internet application”. This program allows TCP and DNS tunneling through proxies. Keep this in mind as we install ProxyChains.

Step One: Install ProxyChains

Browse to ProxyChains at SourceForge and download the latest source (as of this writing the current version is 3.1).

Now we need to unpack ProxyChains:

tar -xzvf proxychains-3.1.tar.gz

You should see a directory named proxychains-3.1. Make this new directory your working directory and issue the following commands at your terminal:

./configure
make
make install

That’s all there is to installing ProxyChains; now let’s give it a try.

Step Two: Nmap

With ProxyChains installed we can now tunnel our scan through Tor. An essential piece of information to know before scanning a host or network through Tor is that you need to use TCP. ProxyChains will only tunnel TCP and DNS traffic: it works by intercepting the application’s connect() calls, so anything nmap sends with raw sockets never touches the proxy. You should therefore choose nmap options that use plain TCP connections. This means not using options that involve host discovery through ICMP. It also means avoiding UDP. It’s probably best to tread lightly while using proxychains and Tor (avoid DNS, etc.). Another good reason for this is that the Tor network is slow enough as it is, and there’s no reason on your end to slow it down even more; you do want to see the results of a scan eventually, don’t you?
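The constraints above (connect() scan only, no ICMP host discovery, no UDP, no DNS) are easy to forget when typing a long nmap line. The following pre-flight check is an added example, not code from the original post or from the ProxyChains or nmap projects; the function and variable names are assumptions made for this example. It inspects an nmap argument list and refuses any option that nmap implements with raw packets, since those are sent directly by the local host and bypass the proxy entirely.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or from the ProxyChains or
# nmap projects. Pre-flight check for an nmap command line that is about to
# be run under proxychains. ProxyChains relays only the connect() calls it
# intercepts, so scan types built on raw sockets, ICMP host discovery, OS
# detection and UDP are emitted directly by the local host and never reach
# the SOCKS proxy. Function and variable names are assumptions for this example.

# nmap options implemented with raw packets rather than connect().
RAW_PACKET_OPTIONS="-sS -sA -sW -sM -sF -sX -sN -sU -sO -sY -sZ -sI -O --traceroute"

# check_tunnel_flags NMAP_ARG... : exit 0 when the arguments describe a scan
# that proxychains can relay in full (connect() scan, ping skipped, no DNS),
# exit 1 otherwise, printing one line per problem found.
check_tunnel_flags() {
    local rc=0 have_connect=0 have_noping=0 have_nodns=0 arg raw
    for arg in "$@"; do
        case "$arg" in
            -sT) have_connect=1 ;;
            -Pn|-PN|-P0) have_noping=1 ;;
            -n) have_nodns=1 ;;
        esac
        for raw in $RAW_PACKET_OPTIONS; do
            if [ "$arg" = "$raw" ]; then
                echo "refuse: $arg is sent with raw sockets and will bypass the proxy"
                rc=1
            fi
        done
    done
    if [ "$have_connect" -eq 0 ]; then
        echo "missing: -sT (as root nmap defaults to a SYN scan, which is not relayed)"
        rc=1
    fi
    if [ "$have_noping" -eq 0 ]; then
        echo "missing: -PN (as root, default host discovery uses ICMP and raw TCP probes that are not relayed)"
        rc=1
    fi
    if [ "$have_nodns" -eq 0 ]; then
        echo "missing: -n (reverse DNS adds lookups and delay you do not want here)"
        rc=1
    fi
    return "$rc"
}

# Usage (the command from the post passes; a SYN scan is refused):
#   check_tunnel_flags -sT -PN -n -sV -p21,25,80 192.168.1.10 && echo "ok to tunnel"
#   check_tunnel_flags -sS -PN -n -p22 192.168.1.10
```

Wrap your usual invocation as `check_tunnel_flags "$@" && proxychains nmap "$@"` and a scan that would leak probes outside the tunnel simply never starts.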

Open up your terminal again and issue the following command:

proxychains nmap -sT -PN -n -sV -p21,25,80 192.168.1.10

You’ll notice an nmap scan being performed. What we did was scan ourselves through Tor via ProxyChains. We specified a full connect() scan using -sT, skipped host discovery using -PN, avoided DNS resolution with -n, performed a version scan with -sV, chose which ports to scan with -p21,25,80, and lastly gave the host to look at with our own IP address. What you’ll see after running the above command is something similar to this:

ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 4.62 ( http://nmap.org ) at 2009-06-26 14:44 CDT

What nmap will spit back at you should look something like this:

|S-chain|-<>-127.0.0.1:9050-<><>-192.168.1.10:80-<--timeout
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.1.10:25-<--denied
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.1.10:21-<--denied
Interesting ports on 192.168.1.10:
PORT   STATE  SERVICE VERSION
21/tcp closed ftp
25/tcp closed smtp
80/tcp closed http
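Note that nmap reports all three ports as closed even though ProxyChains gave two different verdicts (timeout and denied). The helper below is an added example, not code from the original post or from the ProxyChains project; it keeps the per-connection verdict next to the target so you can compare it with nmap’s port table. The sample trace lines are constructed in the format shown above (plus one accepted hop) and the function name is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or from the ProxyChains
# project. ProxyChains prints one "|S-chain|" trace line per relayed
# connection; each ends with the proxy's verdict for that hop ("<><>-OK",
# "<--denied" or "<--timeout"). nmap collapses all three into a port state,
# so this helper keeps the verdicts alongside the target so the two can be
# compared. The sample lines below are constructed for the example and the
# function name is an assumption.

# summarize_chain : reads ProxyChains trace lines (mixed with other output)
# on stdin and prints "host:port verdict" per connection, then a summary.
summarize_chain() {
    awk '
        /^\|S-chain\|/ {
            # Hops are separated by "-<><>-"; a failed hop is followed by "-<--".
            n = split($0, hop, /-<><>-|-<--/)
            target  = hop[n - 1]          # last host:port the chain tried
            verdict = hop[n]              # OK, denied or timeout
            print target " " verdict
            count[verdict]++
        }
        END {
            printf "summary: ok=%d denied=%d timeout=%d\n",
                   count["OK"] + 0, count["denied"] + 0, count["timeout"] + 0
        }
    '
}

# Constructed sample in the format shown in the post (plus one accepted hop).
SAMPLE_TRACE='|S-chain|-<>-127.0.0.1:9050-<><>-192.168.1.10:80-<--timeout
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.1.10:25-<--denied
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.1.10:22-<><>-OK
Interesting ports on 192.168.1.10:'

# Usage: run nmap under proxychains with stderr merged, or feed a saved log:
#   proxychains nmap -sT -PN -n -p21,22,25,80 192.168.1.10 2>&1 | summarize_chain
printf '%s\n' "$SAMPLE_TRACE" | summarize_chain
```

The distinction matters when reading results: a “denied” verdict often reflects the policy of the Tor exit relay (exits reject port 25 by default, for example) rather than the state of the target port, and a “timeout” may be the Tor circuit rather than the host. A “closed” from nmap under Tor therefore cannot be taken at face value without the ProxyChains trace beside it.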

Keep TCP in the back of your mind as you perform scans with Tor. Again, as always please get permission before attempting a scan. If you would like to practice on a test system you can use one that Fyodor was nice enough to set up for you. Browse to scanme.nmap.org to find out more.

For those of you with some basic sniffing ability, I recommend capturing packets on your system while trying out a few commands through Tor just to see what happens. There's no better way to learn what's happening than to be able to see both sides of the communication stream. I would also suggest reading the documentation provided at nmap.org, especially the Nmap Reference Guide.

Commentary

  1. kny8mare
    21 January 2011 at 09:49  

    I have tried this method myself, using ssh -D to set up a socks server on a test machine (pivot). Scanning with this method yielded wrong results (at least in my case). I am not very familiar with socks and hence dunno why it didn't work.
    I used proxychains nmap -sP x.x.x.*, and it yielded me a list of all the ips, saying that ‘host is up’. Also when trying proxychains nmap -p 22 x.x.x.x, it returned that port 22 is closed, whereas nmap without proxychains shows it to be up.
    Any thoughts?

  2. Donny Viszneki
    25 January 2011 at 21:22  

    > There’s no better way to learn what’s happening than to be able to see both sides of the communication stream

    Of course anything tunneled through Tor will be encrypted when it leaves your computer.

    If you’re using a proxy to reach the Tor network, then you will be able to see the packets, but I believe commands like torify and proxychains trap the syscalls that communicate over the network and “rewrite” the syscall after doing encryption and figuring out which connection to send the encrypted data to.

  3. dirt
    1 July 2011 at 17:46  

    Thank you! This is really helpful!

  4. Al Reaud
    8 December 2011 at 21:31  

    Absolutely most helpful, LOL. I’ve been fighting this problem for months, and one command later it’s solved. It’s a tool I need for backtracking to origins of attacks on the secure shell/testing server CMS. Some of the findings are being posted on the HCT site, BTW.

    I’m using “proxychains zenmap” as the command actually, and it seems to be working fine.
    |S-chain|–127.0.0.1:9050–x.y.z.t:80–OK
    |S-chain|–127.0.0.1:9050–x.y.z.t:443–OK
    |S-chain|–127.0.0.1:9050–x.y.z.t:443–OK
    |S-chain|–127.0.0.1:9050–x.y.z.t:443–OK

    Happy Holidays!

  5. [...] tcp client to follow through proxy (or proxy chain).” I mentioned using proxychains in my Tunneling nmap Through Tor post but didn’t elaborate much on this [...]
