Tor/Usage/Nmap-scan-through-tor

From aldeid
Share/Save/Bookmark
Jump to: navigation, search
You are here:
Usage example::Nmap scan

Description

This tutorial shows how to configure the tools to realize a Nmap portscan through the Tor network. This technique can be used in the shape of a pentest but it can also be used by attackers.

Special thanks to:

Prerequisites

First ensure you have installed necessary tools:

  • Tor: the core installation to hide our IP address
  • privoxy: HTTP proxy used in conjunction with Tor for Web browsing
  • proxychains
  • tortunnel
  • nmap: the portscanner we will use to scan the target

Nmap scan through the Tor network

Configuration

In the following example, we realize a Nmap portscan with tortunnel via proxychains. The reason why we need tortunnel is that it enables to scan faster. Indeed, by default, Tor uses a minimum of 3 hops. Thanks to tortunnel, we directly use a final exit node, which makes the scan much faster.

First install privoxy and proxychains:

$ sudo apt-get install privoxy proxychains

Also install tortunnel:

$ sudo apt-get install libboost-system1.40-dev libssl-dev
$ cd /data/src/
$ wget http://www.thoughtcrime.org/software/tortunnel/tortunnel-0.2.tar.gz
$ tar xvzf tortunnel-0.2.tar.gz
$ cd tortunnel-0.2/
$ ./configure
$ make
$ sudo make install

Then configure proxychains to work with tortunnel. Edit the configuration file:

$ sudo vim /etc/proxychains.conf

And modify it as follows:

[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
#socks4         127.0.0.1 9050
socks5 127.0.0.1 5060

Also configure privoxy to work with tortunnel. Edit the configuration file:

$ sudo vim /etc/privoxy/config

And modify it as follows:

#      A rule that uses a SOCKS 4 gateway for all destinations but no
#      HTTP parent looks like this:
#
#        forward-socks4   /               socks-gw.example.com:1080  .
#
#
#      To chain Privoxy and Tor, both running on the same system,
#      you would use something like:
#
#        forward-socks5   /               127.0.0.1:9050 .
         forward-socks5   /               127.0.0.1:5060

Find an exit node and start torproxy

We then have to find an exit node that is stable, fast and valid. You can use getTorExitNode to get this information:

$ ./getTorExitNode.py
Valid Tor exit node(s) found:
67.207.***.**

Then start torproxy with the found exit node:

$ torproxy 67.207.***.**
torproxy 0.2 by Moxie Marlinspike.
Retrieving directory listing...
Connecting to exit node: 67.207.***.**:9001
SSL Connection to node complete.  Setting up circuit.
Connected to Exit Node.  SOCKS proxy ready on 5060.

Start scan

Ssh-img013.png
Warning
Beware of the parameters you use for the scan since some of them will disclose your IP address. More information below.

For our scan, we use Nmap with following arguments:

  • -Pn: to skip the host discovery (since it sends ICMP address, it would disclose our IP address)
  • -sT: full Connect() scan to ensure that all packets use the Tor network.

To ensure that our IP address won't be disclosed to the target, you can add following rule to your firewall:

$ sudo iptables -A OUTPUT --dest <target> -j DROP

Now, run Nmap ad follows:

$ proxychains nmap -Pn -sT -p 80,443,21,22,23 80.14.163.161
ProxyChains-3.1 (http://proxychains.sf.net)

Starting Nmap 5.36TEST4 ( http://nmap.org ) at 2011-02-09 22:40 CET
|S-chain|-<>-127.0.0.1:5060-<><>-80.14.163.161:23-<--timeout
|S-chain|-<>-127.0.0.1:5060-<><>-80.14.163.161:22-<--timeout
|S-chain|-<>-127.0.0.1:5060-<><>-80.14.163.161:443-<--timeout
|S-chain|-<>-127.0.0.1:5060-<><>-80.14.163.161:80-<><>-OK
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
|S-chain|-<>-127.0.0.1:5060-<><>-80.14.163.161:21-<--timeout
Nmap scan report for LMontsouris-156-25-20-161.w80-14.abo.wanadoo.fr (80.14.163.161)
Host is up (13s latency).
PORT    STATE  SERVICE
21/tcp  closed ftp
22/tcp  closed ssh
23/tcp  closed telnet
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 60.86 seconds

Nmap results and tcpdump traces

Without Tor

Nmap results

$ nmap -Pn -sT 74.50.**.***

Starting Nmap 5.36TEST4 ( http://nmap.org ) at 2011-02-11 05:21 CET
Nmap scan report for 74.50.**.***
Host is up (0.16s latency).
Not shown: 992 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
443/tcp   open     https
445/tcp   filtered microsoft-ds
10000/tcp open     snet-sensor-mgmt
20000/tcp open     dnp

Nmap done: 1 IP address (1 host up) scanned in 23.38 seconds

tcpdump traces

Our IP address is disclosed, as shown on the following extract:

$ tcpdump -nS -c 10 -r scan-without-tor.cap "host 80.14.163.161"
reading from file scan-without-tor.cap, link-type EN10MB (Ethernet)
05:21:58.052164 IP 80.14.163.161.51027 > 74.50.**.***.21: Flags [S], seq 3307142116, win 5840, options [mss 1416,sackOK,TS val 148568 ecr 0,nop,wscale 6], length 0
05:21:58.052249 IP 74.50.**.***.21 > 80.14.163.161.51027: Flags [R.], seq 0, ack 3307142117, win 0, length 0
05:21:58.053041 IP 80.14.163.161.46436 > 74.50.**.***.3389: Flags [S], seq 3300984040, win 5840, options [mss 1416,sackOK,TS val 148568 ecr 0,nop,wscale 6], length 0
05:21:58.053058 IP 74.50.**.***.3389 > 80.14.163.161.46436: Flags [R.], seq 0, ack 3300984041, win 0, length 0
05:21:58.054538 IP 80.14.163.161.46034 > 74.50.**.***.80: Flags [S], seq 3299162143, win 5840, options [mss 1416,sackOK,TS val 148568 ecr 0,nop,wscale 6], length 0
05:21:58.054567 IP 74.50.**.***.80 > 80.14.163.161.46034: Flags [S.], seq 2576119236, ack 3299162144, win 5792, options [mss 1460,sackOK,TS val 2639903416 ecr 148568,nop,wscale 5], length 0
05:21:58.055538 IP 80.14.163.161.60357 > 74.50.**.***.8080: Flags [S], seq 3303516262, win 5840, options [mss 1416,sackOK,TS val 148568 ecr 0,nop,wscale 6], length 0
05:21:58.055552 IP 74.50.**.***.8080 > 80.14.163.161.60357: Flags [R.], seq 0, ack 3303516263, win 0, length 0
05:21:58.057287 IP 80.14.163.161.43407 > 74.50.**.***.22: Flags [S], seq 3301543264, win 5840, options [mss 1416,sackOK,TS val 148568 ecr 0,nop,wscale 6], length 0
05:21:58.057303 IP 74.50.**.***.22 > 80.14.163.161.43407: Flags [S.], seq 2572644408, ack 3301543265, win 5792, options [mss 1460,sackOK,TS val 2639903416 ecr 148568,nop,wscale 5], length 0

With Tor

Nmap results

$ proxychains nmap -Pn -sT 74.50.**.***
(...TRUNCATED...)
Nmap scan report for 74.50.**.***
Host is up (0.35s latency).
Not shown: 995 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
443/tcp   open  https
10000/tcp open  snet-sensor-mgmt
20000/tcp open  dnp

Nmap done: 1 IP address (1 host up) scanned in 420.35 seconds

tcpdump traces

Our IP address is not disclosed, as shown on the following extract:

$ tcpdump -nS -c 10 -r scan-with-tor.cap "host 80.14.163.161"
reading from file scan-with-tor.cap, link-type EN10MB (Ethernet)

Conclusions

The results of the scans have shown that Tor enables to realize a Nmap portscan while not disclosing our IP address. Nevertheless, some limitations:

  • Our scan must use the full Connect() handshake
  • It is much slower than a normal scan (420 seconds with Tor against 23 seconds without using Tor), although we only used one exit node.
  • The anonymity of the second scan remains relative. Indeed, since we only use one node, this latest could be able to disclose our identity.

Comments

Anonymous.png
MrHahn
02:39, 23 February 2011 (CET)
So what happens if you get 1000 CLOSED ports results through proxychains & torproxy nmap vs 1000 ports filtered through regular nmap without tor or proxychains for same ip address.
Anonymous.png
Jeff Gordon
05:48, 26 February 2012 (MST)
Interesting post. There is a mistake in your privoxy config description...the "." at the end of the line is missing.

But something is missing in the description. Results differs with/without proxychains with same target and same options:

root@debiannmaptor:~# nmap -PN -sT -p80 <testipadress>

Starting Nmap 5.00 ( http://nmap.org ) at 2012-02-26 13:40 CET
Interesting ports on <testipadress>:
PORT   STATE SERVICE
80/tcp open  http
root@debiannmaptor:~# proxychains nmap -PN -sT -p80  <testipadress>
ProxyChains-3.1 (http://proxychains.sf.net)

Starting Nmap 5.00 ( http://nmap.org ) at 2012-02-26 13:41 CET
|S-chain|-<>-127.0.0.1:5060-<><>-<testipadress>:80-<--timeout
Interesting ports on <testipadress>:
PORT   STATE  SERVICE
80/tcp closed http
Anonymous.png
Jeff Gordon
06:14, 26 February 2012 (MST)
Found out what the problem was: You cant use any tor exit node for scanning. So you shouldnt use your python script for determining an exide node (or you have to change it..). The scans only work through Tor exit nodes with

.... 443 9030 s Exit Fast Running V2Dir Valid ...

You can search for an appropriate Exit Node on http://128.31.0.34:9031/tor/status/all

blog comments powered by Disqus