Tor/Usage/Nmap-scan-through-tor
Description
This tutorial shows how to configure the tools needed to perform an Nmap port scan through the Tor network. The technique has its place in a pentest, but it can just as well be used by attackers.
Special thanks to:
- my friend Aung Khant, who kindly took part in these tests and recorded the network captures.
- Moxie Marlinspike, John Strand and Michael Douglas for their constructive reviews.
Prerequisites
First, ensure you have installed the necessary tools:
- Tor: the core installation, used to hide our IP address
- privoxy: HTTP proxy used in conjunction with Tor for Web browsing
- proxychains: forces the TCP connections of a program through a SOCKS proxy
- tortunnel: builds a one-hop circuit straight to a chosen exit node and exposes it as a local SOCKS proxy
- nmap: the port scanner we will use to scan the target
Nmap scan through the Tor network
Configuration
In the following example, we perform an Nmap port scan with tortunnel via proxychains. We need tortunnel because it makes the scan faster: by default, Tor builds circuits of at least 3 hops, whereas tortunnel connects directly to a single exit node. The scan is much faster that way, at the cost of the anonymity discussed in the conclusions.
First install privoxy and proxychains:
$ sudo apt-get install privoxy proxychains
Also install tortunnel:
$ sudo apt-get install libboost-system1.40-dev libssl-dev
$ cd /data/src/
$ wget http://www.thoughtcrime.org/software/tortunnel/tortunnel-0.2.tar.gz
$ tar xvzf tortunnel-0.2.tar.gz
$ cd tortunnel-0.2/
$ ./configure
$ make
$ sudo make install
Then configure proxychains to work with tortunnel. Edit the configuration file:
$ sudo vim /etc/proxychains.conf
And modify it as follows:
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
#socks4 127.0.0.1 9050
socks5 127.0.0.1 5060
Also configure privoxy to work with tortunnel. Edit the configuration file:
$ sudo vim /etc/privoxy/config
And modify it as follows:
# A rule that uses a SOCKS 4 gateway for all destinations but no
# HTTP parent looks like this:
#
#       forward-socks4   /               socks-gw.example.com:1080  .
#
#
# To chain Privoxy and Tor, both running on the same system,
# you would use something like:
#
#       forward-socks5   /               127.0.0.1:9050 .
forward-socks5 / 127.0.0.1:5060 .
The trailing "." is required: it tells Privoxy that there is no HTTP parent proxy behind the SOCKS gateway. Without it, Privoxy rejects the line.
Find an exit node and start torproxy
We then have to find an exit node that is stable, fast and valid. You can use the getTorExitNode.py script to get this information:
$ ./getTorExitNode.py
Valid Tor exit node(s) found: 67.207.***.**
Then start torproxy with the found exit node:
$ torproxy 67.207.***.**
torproxy 0.2 by Moxie Marlinspike.
Retrieving directory listing...
Connecting to exit node: 67.207.***.**:9001
SSL Connection to node complete.
Setting up circuit.
Connected to Exit Node.
SOCKS proxy ready on 5060.
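The selection that getTorExitNode.py performs can be written against the router-status entries published by the Tor directory. The following script is an added example and is neither the page's getTorExitNode.py nor part of tortunnel. It assumes the entry format of Tor directory documents: an "r" line carrying the relay's address, ORPort and DirPort, an "s" line with its flags and, in a v3 consensus, a "p" line summarising the exit policy. The sample status, the relay nicknames, addresses and digest fields are all constructed. Besides the flags (Exit, Fast, Running, Stable and Valid, no BadExit; the comments below make the same observation), it checks that the exit policy accepts every port you intend to scan, because a port the exit node refuses is reported by Nmap as closed whatever its real state.

```python
# Added example: select Tor exit nodes usable for a connect() scan.
# Not the page's getTorExitNode.py. Assumes the router-status entry format
# of Tor directory documents ("r", "s" and, in a v3 consensus, "p" lines).

REQUIRED_FLAGS = {"Exit", "Fast", "Running", "Stable", "Valid"}
FORBIDDEN_FLAGS = {"BadExit"}

# Constructed sample in the style of a v3 consensus. Nicknames, addresses
# and the identity/digest fields are made up.
SAMPLE_STATUS = """\
r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2011-02-09 10:00:00 198.51.100.10 443 9030
s Exit Fast Running Stable V2Dir Valid
p accept 80,443
r relayB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2011-02-09 10:00:00 198.51.100.20 9001 0
s Fast Running Stable Valid
p reject 1-65535
r relayC EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2011-02-09 10:00:00 198.51.100.30 9001 9030
s Exit Running Valid
p accept 1-65535
r relayD GGGGGGGGGGGGGGGGGGGGGGGGGGG HHHHHHHHHHHHHHHHHHHHHHHHHHH 2011-02-09 10:00:00 198.51.100.40 443 9030
s Exit Fast Running Stable Valid
p reject 1-1024
r relayE IIIIIIIIIIIIIIIIIIIIIIIIIII JJJJJJJJJJJJJJJJJJJJJJJJJJJ 2011-02-09 10:00:00 198.51.100.50 9001 0
s BadExit Exit Fast Running Stable Valid
p accept 1-65535
r relayF KKKKKKKKKKKKKKKKKKKKKKKKKKK LLLLLLLLLLLLLLLLLLLLLLLLLLL 2011-02-09 10:00:00 198.51.100.60 443 9030
s Exit Fast Running Stable V2Dir Valid
p reject 25,119,135-139,445,563,1214,4661-4666,6346-6429,6699,6881-6999
"""


def parse_ports(spec):
    """'80,443,1000-2000' -> [(80, 80), (443, 443), (1000, 2000)]."""
    ranges = []
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        ranges.append((int(lo), int(hi) if hi else int(lo)))
    return ranges


def policy_allows(policy, port):
    """policy is ('accept'|'reject', ranges) as found on a 'p' line."""
    kind, ranges = policy
    listed = any(lo <= port <= hi for lo, hi in ranges)
    return listed if kind == "accept" else not listed


def parse_status(text):
    """Group r/s/p lines into one record per relay."""
    relays, cur = [], None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 9:
            # r nickname identity digest date time IP ORPort DirPort
            cur = {"nickname": parts[1], "ip": parts[-3],
                   "orport": int(parts[-2]), "dirport": int(parts[-1]),
                   "flags": set(), "policy": None}
            relays.append(cur)
        elif parts[0] == "s" and cur is not None:
            cur["flags"] = set(parts[1:])
        elif parts[0] == "p" and cur is not None and len(parts) == 3:
            cur["policy"] = (parts[1], parse_ports(parts[2]))
    return relays


def select_exit_nodes(text, ports, required=REQUIRED_FLAGS,
                      forbidden=FORBIDDEN_FLAGS):
    """Relays carrying all required flags, none of the forbidden ones, and
    an exit policy that accepts every port in ports. A relay without a 'p'
    line (v2 status format) is kept: its policy must then be checked in its
    descriptor before use."""
    chosen = []
    for relay in parse_status(text):
        if not required <= relay["flags"] or relay["flags"] & forbidden:
            continue
        if relay["policy"] is not None and not all(
                policy_allows(relay["policy"], p) for p in ports):
            continue
        chosen.append(relay)
    return chosen


if __name__ == "__main__":
    # Candidates for the 5-port scan run on this page: only relayF survives.
    for relay in select_exit_nodes(SAMPLE_STATUS, [21, 22, 23, 80, 443]):
        print("%s %s:%d" % (relay["nickname"], relay["ip"], relay["orport"]))
```

The ORPort is kept in each record because that is the port torproxy connects to (9001 in the output above); a node announcing its ORPort on 443 is often the easier one to reach from a filtered network.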
Start scan
For our scan, we use Nmap with the following arguments:
- -Pn: skip host discovery. The discovery probes (ICMP echo requests and raw TCP probes when Nmap runs as root) are sent directly by Nmap rather than through the proxy, and would disclose our IP address.
- -sT: full TCP connect() scan, so that every probe is an ordinary socket connection that proxychains can redirect through Tor. SYN scans and other raw-packet techniques bypass the proxy entirely.
Note that Nmap still performs a reverse DNS lookup of the target by default (the PTR name shows up in the scan report below). That query goes to your DNS resolver over UDP, outside the proxy; add -n to disable it.
To make sure that our IP address cannot be disclosed to the target, you can add the following rule to your firewall. It drops any packet our host would send directly to the target; traffic relayed through Tor is addressed to the Tor node, not to the target, so it is unaffected. Remove the rule with -D once the scan is over:
$ sudo iptables -A OUTPUT --dest <target> -j DROP
Now, run Nmap as follows:
$ proxychains nmap -Pn -sT -p 80,443,21,22,23 80.14.163.161
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 5.36TEST4 ( http://nmap.org ) at 2011-02-09 22:40 CET
|S-chain|-<>-127.0.0.1:5060-<><>-80.14.163.161:23-<--timeout
|S-chain|-<>-127.0.0.1:5060-<><>-80.14.163.161:22-<--timeout
|S-chain|-<>-127.0.0.1:5060-<><>-80.14.163.161:443-<--timeout
|S-chain|-<>-127.0.0.1:5060-<><>-80.14.163.161:80-<><>-OK
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
|S-chain|-<>-127.0.0.1:5060-<><>-80.14.163.161:21-<--timeout
Nmap scan report for LMontsouris-156-25-20-161.w80-14.abo.wanadoo.fr (80.14.163.161)
Host is up (13s latency).
PORT    STATE  SERVICE
21/tcp  closed ftp
22/tcp  closed ssh
23/tcp  closed telnet
80/tcp  open   http
443/tcp closed https
Nmap done: 1 IP address (1 host up) scanned in 60.86 seconds
Nmap results and tcpdump traces
Without Tor
Nmap results
$ nmap -Pn -sT 74.50.**.***
Starting Nmap 5.36TEST4 ( http://nmap.org ) at 2011-02-11 05:21 CET
Nmap scan report for 74.50.**.***
Host is up (0.16s latency).
Not shown: 992 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
443/tcp   open     https
445/tcp   filtered microsoft-ds
10000/tcp open     snet-sensor-mgmt
20000/tcp open     dnp
Nmap done: 1 IP address (1 host up) scanned in 23.38 seconds
tcpdump traces
Our IP address (80.14.163.161) is disclosed: every SYN in the following extract comes straight from our host:
$ tcpdump -nS -c 10 -r scan-without-tor.cap "host 80.14.163.161"
reading from file scan-without-tor.cap, link-type EN10MB (Ethernet)
05:21:58.052164 IP 80.14.163.161.51027 > 74.50.**.***.21: Flags [S], seq 3307142116, win 5840, options [mss 1416,sackOK,TS val 148568 ecr 0,nop,wscale 6], length 0
05:21:58.052249 IP 74.50.**.***.21 > 80.14.163.161.51027: Flags [R.], seq 0, ack 3307142117, win 0, length 0
05:21:58.053041 IP 80.14.163.161.46436 > 74.50.**.***.3389: Flags [S], seq 3300984040, win 5840, options [mss 1416,sackOK,TS val 148568 ecr 0,nop,wscale 6], length 0
05:21:58.053058 IP 74.50.**.***.3389 > 80.14.163.161.46436: Flags [R.], seq 0, ack 3300984041, win 0, length 0
05:21:58.054538 IP 80.14.163.161.46034 > 74.50.**.***.80: Flags [S], seq 3299162143, win 5840, options [mss 1416,sackOK,TS val 148568 ecr 0,nop,wscale 6], length 0
05:21:58.054567 IP 74.50.**.***.80 > 80.14.163.161.46034: Flags [S.], seq 2576119236, ack 3299162144, win 5792, options [mss 1460,sackOK,TS val 2639903416 ecr 148568,nop,wscale 5], length 0
05:21:58.055538 IP 80.14.163.161.60357 > 74.50.**.***.8080: Flags [S], seq 3303516262, win 5840, options [mss 1416,sackOK,TS val 148568 ecr 0,nop,wscale 6], length 0
05:21:58.055552 IP 74.50.**.***.8080 > 80.14.163.161.60357: Flags [R.], seq 0, ack 3303516263, win 0, length 0
05:21:58.057287 IP 80.14.163.161.43407 > 74.50.**.***.22: Flags [S], seq 3301543264, win 5840, options [mss 1416,sackOK,TS val 148568 ecr 0,nop,wscale 6], length 0
05:21:58.057303 IP 74.50.**.***.22 > 80.14.163.161.43407: Flags [S.], seq 2572644408, ack 3301543265, win 5792, options [mss 1460,sackOK,TS val 2639903416 ecr 148568,nop,wscale 5], length 0
With Tor
Nmap results
$ proxychains nmap -Pn -sT 74.50.**.***
(...TRUNCATED...)
Nmap scan report for 74.50.**.***
Host is up (0.35s latency).
Not shown: 995 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
443/tcp   open  https
10000/tcp open  snet-sensor-mgmt
20000/tcp open  dnp
Nmap done: 1 IP address (1 host up) scanned in 420.35 seconds
tcpdump traces
Our IP address is not disclosed: the same filter matches no packet at all in the capture:
$ tcpdump -nS -c 10 -r scan-with-tor.cap "host 80.14.163.161"
reading from file scan-with-tor.cap, link-type EN10MB (Ethernet)
Conclusions
The results of the scans show that Tor makes it possible to perform an Nmap port scan without disclosing our IP address to the target. Nevertheless, there are some limitations:
- Our scan must use the full TCP connect() handshake: SYN scans, UDP scans and other raw-packet techniques bypass the proxy.
- It is much slower than a normal scan (420 seconds with Tor against 23 seconds without), even though we used a single exit node instead of a full 3-hop circuit.
- Ports that the exit node's policy refuses are reported as closed rather than filtered; compare ports 135, 139 and 445 in the two scans above. Choose an exit node whose policy allows the ports you scan.
- The anonymity of the second scan remains relative: since we use a single node, that exit node sees both our IP address and the target, and could disclose our identity.
Comments
Jeff Gordon
05:48, 26 February 2012 (MST)
Interesting post. There is a mistake in your privoxy config description... the "." at the end of the line is missing.
But something is missing in the description. Results differ with/without proxychains with the same target and same options:
root@debiannmaptor:~# nmap -PN -sT -p80 <testipadress>
Starting Nmap 5.00 ( http://nmap.org ) at 2012-02-26 13:40 CET
Interesting ports on <testipadress>:
PORT   STATE SERVICE
80/tcp open  http
root@debiannmaptor:~# proxychains nmap -PN -sT -p80 <testipadress>
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 5.00 ( http://nmap.org ) at 2012-02-26 13:41 CET
|S-chain|-<>-127.0.0.1:5060-<><>-<testipadress>:80-<--timeout
Interesting ports on <testipadress>:
PORT   STATE  SERVICE
80/tcp closed http
Jeff Gordon
06:14, 26 February 2012 (MST)
Found out what the problem was: you can't use any Tor exit node for scanning. So you shouldn't use your python script for determining an exit node (or you have to change it..). The scans only work through Tor exit nodes with
.... 443 9030
s Exit Fast Running V2Dir Valid
...
You can search for an appropriate Exit Node on http://128.31.0.34:9031/tor/status/all