Anonymous Port Scanning: Nmap + Tor + ProxyChains

In this article I will explain how to stay anonymous during port scanning with Nmap (a utility for network discovery and security auditing).

I’ll show how to perform an anonymous port scan through the Tor network using the ProxyChains utility.

I’ll also show how to get round a situation where the scan fails because the target blocks Tor exit nodes.

Install Tor + Nmap + ProxyChains

To perform an anonymous port scan, we need to install the following tools:

Package      Description
tor          Anonymizing overlay network for TCP
nmap         Network port scanner
proxychains  Redirect connections through proxy servers

Tor

Install Tor from the standard repositories:

$ sudo apt-get install tor

Nmap

$ sudo apt-get install nmap

ProxyChains

$ sudo apt-get install proxychains

ProxyChains is already configured to use Tor by default.

You can verify this by looking at /etc/proxychains.conf.

The last lines should look like these:

[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4 127.0.0.1 9050

Anonymous Port Scanning Through Tor

Run the following command to perform an anonymous Nmap scan through the Tor network:

$ proxychains nmap -sT -PN -n -sV -p 80,443,21,22 217.xx.xx.xx
ProxyChains-3.1 (http://proxychains.sf.net)

Starting Nmap 6.00 ( http://nmap.org ) at 2014-03-24 17:34 EET
|S-chain|-<>-127.0.0.1:9050-<><>-217.xx.xx.xx:443-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-217.xx.xx.xx:21-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-217.xx.xx.xx:80-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-217.xx.xx.xx:22-<--denied

Nmap scan report for 217.xx.xx.xx
Host is up (0.14s latency).
PORT    STATE  SERVICE  VERSION
21/tcp  open   ftp      Pure-FTPd
22/tcp  closed ssh
80/tcp  open   http     Apache httpd 2.2.26 ((CentOS))
443/tcp open   ssl/http Apache httpd 2.2.26 ((CentOS))

In the scan log we can see the ‘chain’ that goes from the Tor proxy (127.0.0.1:9050) to the scanned host (217.xx.xx.xx). The ‘denied’ on port 22 means the SOCKS connection to that port was refused, which Nmap reports as closed.

Nmap Through Tor: Get Round Blocked Endpoints

It is possible that we will encounter a situation where the scan fails because the target blocks connections from Tor exit nodes.

One workaround is to add a public proxy server to the end of the ‘chain’, so the target sees the public proxy’s address rather than a Tor exit node. Keep in mind that this proxy then sees your scan traffic (though not your real address, since it is reached through Tor).

We can do that by simply editing /etc/proxychains.conf and adding a new entry at the end of the [ProxyList] section (make sure the random_chain option is disabled, so that the hops are used in the order listed, Tor first).

[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4  127.0.0.1 9050
socks4 115.71.237.212 1080

The new ‘chain’ goes from the Tor proxy (127.0.0.1:9050) to a public proxy server (115.71.237.212:1080) and then to the scanned host (217.xx.xx.xx).

$ proxychains nmap -sT -PN -n -sV -p 21 217.xx.xx.xx
ProxyChains-3.1 (http://proxychains.sf.net)

Starting Nmap 6.00 ( http://nmap.org ) at 2014-03-25 11:05 EET
|S-chain|-<>-127.0.0.1:9050-<>-115.71.237.212:1080-<><>-217.xx.xx.xx:21-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<>-115.71.237.212:1080-<><>-217.xx.xx.xx:21-<><>-OK
Nmap scan report for 217.xx.xx.xx
Host is up (1.2s latency).
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Pure-FTPd
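
As an added check that is not part of the article: the helper below parses the |S-chain| lines from both runs above and confirms that every connection started at the local Tor SOCKS port, summarising which target ports the last hop reached or was refused on. It assumes the ProxyChains 3.1 line format shown and Tor listening on 127.0.0.1:9050.

```shell
#!/bin/sh
# Added example, not from the original article: verify a proxychains scan log.
# Reads nmap/proxychains output on stdin and assumes the ProxyChains 3.1 line
# format shown above, e.g.
#   |S-chain|-<>-127.0.0.1:9050-<><>-217.xx.xx.xx:443-<><>-OK
# Exits 1 if any connection did not start at the local Tor SOCKS port.
chain_summary() {
    awk -v tor="127.0.0.1:9050" '
    /^\|S-chain\|/ {
        # Split on the chain arrows: f[1] is "|S-chain|", f[2] the first hop,
        # f[n-1] the target host:port, f[n] the verdict (OK or denied).
        n = split($0, f, /-<>-|-<><>-|-<--/)
        if (f[2] != tor) bad++
        if (f[n] == "OK") ok[f[n-1]]++; else denied[f[n-1]]++
    }
    END {
        for (t in ok) printf "%s reached through the chain (%d)\n", t, ok[t]
        for (t in denied) printf "%s refused at the last hop (%d)\n", t, denied[t]
        if (bad) { printf "%d connection(s) did not start at Tor %s\n", bad, tor; exit 1 }
    }'
}
```

Run it as `proxychains nmap ... 2>&1 | tee scan.log; chain_summary < scan.log`; a non-zero exit means some connection left the chain before Tor.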

In the examples above, I ran Nmap with the following options:

Option  Description
-sT     full TCP connect scan (the only scan type a SOCKS proxy can carry; SYN scans use raw packets that bypass the proxy)
-PN     do not perform host discovery (current Nmap spells this option -Pn)
-n      never perform DNS resolution (to prevent DNS leaks)
-sV     determine service version/info
-p      ports to scan

Scanning through Tor is very slow. That is why I scanned only a few specific ports in the examples above.

Lists of Free Public Proxy Servers

Even when you are using a proxy, all your DNS queries still go to your ISP’s DNS server.

To prevent DNS leaks, use the tor-resolve command to resolve a hostname to an IP address via the Tor network, then pass that address to Nmap together with -n:

$ tor-resolve google.com
173.194.34.174
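
Putting the configuration check, the scan options and the tor-resolve step together, the shell functions below are an added example, not the article’s own code. They assume the proxychains 3.x syntax for /etc/proxychains.conf shown above, Tor listening on 127.0.0.1:9050, and tor-resolve on the PATH (-Pn is the current spelling of -PN).

```shell
#!/bin/sh
# Pre-flight checks for a proxychains + Tor scan. Added example, not part of
# the original article; assumes the proxychains 3.x config syntax shown above.

# Return 0 if CONF will route the scan through the local Tor SOCKS port first,
# in order, with DNS proxied; otherwise print the reason to stderr and return 1.
check_proxychains_conf() {
    conf="$1"
    # random_chain picks hops at random, so the Tor-first order is not guaranteed.
    if grep -Eq '^[[:space:]]*random_chain' "$conf"; then
        echo "random_chain is enabled: chain order would not be respected" >&2
        return 1
    fi
    # Without proxy_dns, hostname lookups bypass the chain and leak to the ISP.
    if ! grep -Eq '^[[:space:]]*proxy_dns' "$conf"; then
        echo "proxy_dns is disabled: hostname lookups would leak" >&2
        return 1
    fi
    # First active entry after [ProxyList] must be Tor (socks4/5 127.0.0.1 9050).
    first=$(sed -n '/^\[ProxyList\]/,$p' "$conf" | grep -Ev '^[[:space:]]*(#|$)' | sed -n 2p)
    set -- $first
    case "$1" in socks4|socks5) ;; *) echo "first hop is not SOCKS: $first" >&2; return 1 ;; esac
    if [ "$2" != 127.0.0.1 ] || [ "$3" != 9050 ]; then
        echo "first hop is not the local Tor proxy: $first" >&2
        return 1
    fi
    return 0
}

# Build the nmap command line. Only full TCP connect scans (-sT) can be carried
# by a SOCKS proxy; ping probes (-Pn) and Nmap's own DNS lookups (-n) stay off
# so nothing is sent outside the chain. $1 = ports, $2 = target IP.
tor_scan_cmd() {
    echo "proxychains nmap -sT -Pn -n -sV -p $1 $2"
}

# Resolve NAME via Tor (as the article shows) and scan the returned address,
# so no lookup ever reaches the ISP resolver. $1 = ports, $2 = hostname.
tor_scan() {
    check_proxychains_conf /etc/proxychains.conf || return 1
    ip=$(tor-resolve "$2") || return 1
    eval "$(tor_scan_cmd "$1" "$ip")"
}
```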

7 Replies to “Anonymous Port Scanning: Nmap + Tor + ProxyChains”

  1. Nice tutorial, thanks.

    Just a doubt: isn’t enabling proxy_dns in proxychains.conf enough to prevent DNS leaks? Or won’t it work if I use a public proxy with Tor?

    Regards.

  2. How can I tweak this to scan a Tor hidden service with a .onion address?

  3. Hi, thanks for the article. But can you automate all this? That is, scrape proxies from free proxy sites and paste them into the proxychains config file.

  4. It’s been a couple of years since I last tried, but it seems like I remember being able to simply target the hostname (.onion address).
    Also, if you want to get around all DNS leaking, set up an instance of BIND DNS locally (say, on a rebuilt PC running Linux) and set all of your traffic to use Tor, so that any DNS lookups come from a server that you own, specifically, and not from one outside of your control. You can further strengthen this by setting up Tor as a transparent proxy for all outbound traffic, at which point even the lookup sent from your DNS server (internally hosted) will run its query over Tor.
    There are quite a few good tutorials on building transparent Tor proxies using either embedded boards (such as RPi3) or a VM (VMware ESXi on a repurposed quad-core with 4-8 GB RAM should suffice for running at least 2 VMs per core, up to 8 in that config, so long as each one is built out for efficiency… no heavy services, else it’ll reduce the number of VMs you can run due to the trade-off… but that may work just fine). YOMMV.

  5. When you get right down to it, Tor is simply a type of SOCKS5 proxy, so you can run anything over it that you can run over any other SOCKS proxy.

    Privoxy and/or Polipo are HTTP/HTTP filtering proxies, and can allow for use of applications that aren’t SOCKS aware.
    Proxychains allows wrapping of any non-proxy-aware app so that its network activity is forced to use the proxy you assign. Pretty much any sort of traffic at that point can be proxied, especially if it’s handled via upstream iptables rules, or manually via something like proxychains (though proxychains isn’t the only app of its type).
    So long as the app you’re using doesn’t require specifically IPv4 addresses, then it should work over Tor, provided you give the app the right switches for what it can support in that configuration.

  6. Actually, I have set up a Tor proxy as a router, but the problem still is the DNS!
    With Firefox, no problems; with proxychains dig +short, I get my real IP… Still don’t know how to resolve this…

  7. Nmap through a proxy is very limited!
    In some cases the proxy will get bypassed, which will lead to bad things.
    Read this article, although, and you will get a basic understanding of what I’m trying to say here!

    https://security.stackexchange.com/questions/120708/nmap-through-proxy/120723#120723
