Tuesday, 18 September 2012

Anonymous port scanning using proxychains and tor

When testing a web application or doing a reconnaissance Tor Browser Bundle is all we need to hide our true identity, but what about other activities? In this short post i will explain how to stay anonymous during port scanning. We will need the following tools to achieve this goal:

  • tor,
  • proxychains,
  • nmap. 
Proxychains is a proxifier supporting HTTP, SOCKS4 and SOCKS5 proxies. It is shipped with BackTrack Linux by default and already configured to use tor. You can verify this by looking up /etc/proxychain.conf, last line should be like this:

We are ready to fire up nmap:

Now, let me explain what happened there. We run nmap thru proxychains with the following options:

  • -sT - full TCP connection scan
  • -PN - do not perform host discovery
  •  -n - never perform DNS resolution (to prevent DNS leaks from tor)
  • -sV - determine service version/info
  • -p - ports to scan (for testing purposes i only gave 3 ports to scan, proxying a portscan thru tor makes it really slow, so perhaphs --top-ports  option should be taken in consideration)
  • - self explanatory
In the scan log we can see the "chain" that goes from (tor proxy) to our scanned host. It is possible that we will encounter a situation where this scan fails, because tor endpoints are often blocked (the reason is spam or other malicious activity). The solution may be adding a common, public proxy to the "chain". We can do that by simply editing the proxychains.conf and adding a new entry at the end of the [ProxyList] (be sure that random_chain option is disabled).

That's all for tonight, hope somebody will find this information useful.