Anonymous Port Scanning: Nmap + Tor + ProxyChains
How to use nmap anonymously (in China this depends on your luck, just like Tor itself)
In this article I will explain how to stay anonymous during port scanning with Nmap (a utility for network discovery and security auditing).
I'll show how to perform an anonymous port scan through the Tor network using the ProxyChains utility.
I'll also show how to get round the situation where the scan fails because the target blocks Tor exit nodes.
Install Tor + Nmap + ProxyChains
To perform an anonymous port scanning, we need to install the following tools:
Package | Description
--------|------------
tor | Anonymizing overlay network for TCP
nmap | Network port scanner
proxychains | Redirect connections through proxy servers
Tor
Install Tor from the standard repositories:
$ sudo apt-get install tor
Nmap
$ sudo apt-get install nmap
ProxyChains
$ sudo apt-get install proxychains
ProxyChains is already configured to use Tor by default.
You can verify this by looking at /etc/proxychains.conf.
The last lines should look like this (strict_chain should be enabled further up in the same file, and the dynamic_chain and random_chain lines should stay commented out):
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4 127.0.0.1 9050
Anonymous Port Scanning Through Tor
Run the following command to perform an anonymous Nmap scan through the Tor network:
$ proxychains nmap -sT -PN -n -sV -p 80,443,21,22 217.xx.xx.xx
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 6.00 ( http://nmap.org ) at 2014-03-24 17:34 EET
|S-chain|-<>-127.0.0.1:9050-<><>-217.xx.xx.xx:443-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-217.xx.xx.xx:21-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-217.xx.xx.xx:80-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-217.xx.xx.xx:22-<--denied
Nmap scan report for 217.xx.xx.xx
Host is up (0.14s latency).
PORT    STATE  SERVICE  VERSION
21/tcp  open   ftp      Pure-FTPd
22/tcp  closed ssh
80/tcp  open   http     Apache httpd 2.2.26 ((CentOS))
443/tcp open   ssl/http Apache httpd 2.2.26 ((CentOS))
In the scan log we can see the 'chain' that goes from the Tor SOCKS proxy (127.0.0.1:9050) to our scanned host (217.xx.xx.xx).
A 'denied' entry means the SOCKS CONNECT through the Tor exit failed; Nmap reports such a port as closed. Keep in mind that a Tor exit whose exit policy rejects a port produces the same result, so a 'closed' port seen through Tor is not as reliable as one seen from a direct scan.
Nmap Through Tor: Get Round Blocked Endpoints
It is possible that the scan fails because the target blocks the IP addresses of Tor exit nodes.
The solution may be to add a public proxy server to the end of the 'chain', so that the target sees the proxy's address instead of a Tor exit.
We can do that by editing /etc/proxychains.conf and adding a new entry at the end of the [ProxyList]. Make sure strict_chain is the active mode and random_chain stays commented out: with random_chain (or with dynamic_chain while Tor is down) ProxyChains may use the public proxy as the first hop, and the proxy then sees your real IP address.
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4 127.0.0.1 9050
socks4 115.71.237.212 1080
The new 'chain' goes through the Tor SOCKS proxy (127.0.0.1:9050) to the public proxy server (115.71.237.212:1080) and then to our scanned host (217.xx.xx.xx). The public proxy sees the scan traffic, but only the Tor exit's address, not yours.
$ proxychains nmap -sT -PN -n -sV -p 21 217.xx.xx.xx
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 6.00 ( http://nmap.org ) at 2014-03-25 11:05 EET
|S-chain|-<>-127.0.0.1:9050-<>-115.71.237.212:1080-<><>-217.xx.xx.xx:21-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<>-115.71.237.212:1080-<><>-217.xx.xx.xx:21-<><>-OK
Nmap scan report for 217.xx.xx.xx
Host is up (1.2s latency).
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Pure-FTPd
In the examples above, I ran Nmap with the following options:
Option | Description
-------|------------
-sT | full TCP connect() scan. This is mandatory: a SOCKS proxy only carries TCP connections made through connect(), so SYN, UDP, ACK and other raw-packet scan types (-sS, -sU, -sA, ...) and OS detection (-O) bypass ProxyChains entirely and reveal your real IP address
-PN | do not perform host discovery. The ICMP/TCP ping probes would also leave the machine directly, outside the proxy. Newer Nmap versions spell this option -Pn (both are accepted)
-n | never perform DNS resolution (to prevent DNS leaks)
-sV | determine service version/info
-p | ports to scan
Scanning through Tor is very slow. That is why I scanned only a few specified ports in the examples above.
Even when you use a proxy, DNS queries can still go to your ISP's DNS server. ProxyChains can tunnel lookups made through the libc resolver when its proxy_dns option is enabled, but Nmap's reverse-DNS lookups use Nmap's own resolver over UDP, which ProxyChains does not intercept; that is why -n is required.
To resolve a target hostname without a DNS leak, use the tor-resolve command, which resolves the hostname to an IP address through the Tor network, and then scan the IP address:
$ tor-resolve google.com
173.194.34.174
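The checks described in the sections above (a strict chain that starts at the local Tor SOCKS port, connect()-only Nmap options, hostnames resolved through tor-resolve) can be enforced before every scan. The following wrapper is an added example, not code from the original article. It assumes the ProxyChains 3 config syntax shown above, that tor, nmap, proxychains and tor-resolve are installed, and, for the optional exit check, curl and network access; the script name tor-scan.sh and the PROXYCHAINS_CONF / TOR_SCAN_VERIFY variable names are this example's own.

```shell
#!/bin/sh
# tor-scan.sh: leak-checked wrapper around "proxychains nmap".
# Added example, not code from the original article. Assumes ProxyChains 3
# config syntax, and that tor, nmap, proxychains and tor-resolve are installed.
set -u

# Path of the ProxyChains config; override with PROXYCHAINS_CONF=... (assumed name).
CONF="${PROXYCHAINS_CONF:-/etc/proxychains.conf}"

# Refuse a chain that is not strict, or whose first hop is not the local Tor
# SOCKS port. With random_chain (or dynamic_chain while Tor is down) a public
# proxy appended to the list can become the first hop and see the real address.
check_chain_config() {
    local conf="$1" first_hop
    if grep -Eq '^[[:space:]]*(random_chain|dynamic_chain)' "$conf"; then
        echo "random_chain/dynamic_chain enabled in $conf; use strict_chain" >&2
        return 1
    fi
    # First non-comment entry after [ProxyList]: "type host port".
    first_hop=$(awk '/^\[ProxyList\]/ { inlist = 1; next }
                     inlist && $1 !~ /^#/ && NF >= 3 { print $1, $2, $3; exit }' "$conf")
    case "$first_hop" in
        "socks4 127.0.0.1 9050"|"socks5 127.0.0.1 9050") return 0 ;;
        *) echo "first hop is '$first_hop', expected Tor on 127.0.0.1:9050" >&2; return 1 ;;
    esac
}

# Reject Nmap options that send raw packets or resolve names outside the proxy
# (SYN/UDP/ACK/... scans, ping probes, OS detection, traceroute) and require
# -sT (connect() scan), -Pn/-PN (no host discovery) and -n (no DNS).
check_nmap_args() {
    local have_sT=0 have_Pn=0 have_n=0 a letters
    for a in "$@"; do
        case "$a" in
            -Pn|-PN) have_Pn=1 ;;
            -n) have_n=1 ;;
            -A|-O|--traceroute|-P*)    # -P* here is a ping probe such as -PS or -PE
                echo "option $a sends raw packets that bypass the proxy" >&2; return 1 ;;
            -s*)                       # scan-type letters can be combined, e.g. -sTV
                letters="${a#-s}"
                case "$letters" in
                    *[!TV]*) echo "scan type $a is not a TCP connect() scan" >&2; return 1 ;;
                    *T*) have_sT=1 ;;
                esac ;;
        esac
    done
    [ "$have_sT" = 1 ] || { echo "-sT is required: SOCKS carries only TCP connect()" >&2; return 1; }
    [ "$have_Pn" = 1 ] || { echo "-Pn is required: ping probes are not proxied" >&2; return 1; }
    [ "$have_n" = 1 ]  || { echo "-n is required: Nmap's reverse DNS is not proxied" >&2; return 1; }
}

# Resolve a hostname through Tor so the lookup never reaches the ISP resolver,
# and make sure what came back really is an IPv4 address before scanning it.
resolve_via_tor() {
    local ip
    ip=$(tor-resolve "$1") || return 1
    case "$ip" in
        ""|*[!0-9.]*) echo "tor-resolve returned '$ip' for $1" >&2; return 1 ;;
    esac
    printf '%s\n' "$ip"
}

# Optional: confirm the chain exits through Tor (needs curl and network).
verify_tor_exit() {
    proxychains curl -s https://check.torproject.org/api/ip | grep -q '"IsTor":true'
}

# Usage: tor-scan.sh <host-or-ip> <nmap options...>
# Set TOR_SCAN_VERIFY=1 to run verify_tor_exit first. Leave it unset when a
# public proxy is appended to the chain: the visible exit is then that proxy.
main() {
    [ $# -ge 2 ] || { echo "usage: $0 <host-or-ip> <nmap options...>" >&2; return 2; }
    local target="$1"; shift
    check_chain_config "$CONF" || return 1
    check_nmap_args "$@" || return 1
    case "$target" in
        *[!0-9.]*) target=$(resolve_via_tor "$target") || return 1 ;;
    esac
    if [ "${TOR_SCAN_VERIFY:-0}" = 1 ]; then
        verify_tor_exit || { echo "traffic is not exiting through Tor; aborting" >&2; return 1; }
    fi
    exec proxychains nmap "$@" "$target"
}

# Run main only when invoked as the script tor-scan.sh, so the functions can
# also be sourced into an interactive shell.
case "${0##*/}" in tor-scan.sh) main "$@" ;; esac
```

A typical invocation is `./tor-scan.sh 217.xx.xx.xx -sT -Pn -n -sV -p 21,22,80,443`; with a hostname as the first argument the script resolves it with tor-resolve and scans the returned address. The option check deliberately accepts only -sT and -sV as scan types: anything else Nmap offers either sends raw packets (SYN, UDP, OS detection, ping probes) or, in the case of NSE scripts, may use UDP sockets that ProxyChains cannot redirect.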
proxychains + Linux commands
For example, proxychains w3m http://www.baidu.com lets you browse the web anonymously.
In China you will run into DNS timeouts. The example below uses China Telecom's DNS server, 114.114.114.114.
Set the nameserver in /etc/resolv.conf (for example with vim) to 114.114.114.114.
In China you also need to set DNS_SERVER in /usr/lib/proxychains3/proxyresolv to 114.114.114.114. proxyresolv is the helper script ProxyChains 3 runs when proxy_dns is enabled; it sends the lookup over TCP through the proxy chain to the server named in DNS_SERVER (4.2.2.2 by default), so that server must be reachable from the Tor exit. Changing /etc/resolv.conf alone does not route lookups through Tor.