Nmap scan through TOR

TOR (https://www.torproject.org/) is a great project if you want to take care of your privacy. You can use TOR to proxy your nmap scans, which makes it very difficult for the scanned network to find the source.

Only scan networks that you are allowed to scan!

First check that you have TOR installed. It should be listening on a local network port tcp/9050.

tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      xxxx/tor        

You also need to install a package called proxychains, which will proxy all the traffic through TOR. Proxychains keeps its configuration file in /etc/proxychains.conf. When installed, it adds the TOR connection as one of the available proxies.

[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4 	127.0.0.1 9050
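
The two checks above (a listener on tcp/9050 and a matching [ProxyList] entry) can be cross-checked in one pass. This is an added example, not code from the original post; the function names are hypothetical, the sample inputs are constructed, and the listener text is assumed to be in `netstat -tlnp` format.

```python
# Constructed samples modelled on the two snippets shown on this page.
SAMPLE_CONF = """\
[ProxyList]
# add proxy here ...
# defaults set to "tor"
socks4 \t127.0.0.1 9050
"""
SAMPLE_NETSTAT = """\
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      1234/tor
"""

def parse_proxylist(conf_text):
    """Return (type, host, port) tuples from the [ProxyList] section."""
    proxies, in_list = [], False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("["):                 # section header
            in_list = line.lower() == "[proxylist]"
        elif in_list:
            fields = line.split()                # tabs or spaces both work
            if len(fields) >= 3 and fields[2].isdigit():
                proxies.append((fields[0].lower(), fields[1], int(fields[2])))
    return proxies

def parse_listeners(netstat_text):
    """Return {(addr, port): program} for TCP sockets in LISTEN state."""
    listeners = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[5] == "LISTEN":
            addr, _, port = f[3].rpartition(":")  # also splits ":::9050"
            prog = f[6].split("/", 1)[-1] if len(f) > 6 else "?"
            listeners[(addr, int(port))] = prog
    return listeners

def check(conf_text, netstat_text):
    """List problems: no listener, non-loopback proxy, or wildcard bind."""
    listeners, problems = parse_listeners(netstat_text), []
    for ptype, host, port in parse_proxylist(conf_text):
        if not host.startswith("127.") and host != "::1":
            problems.append(f"{ptype} {host}:{port} is not a loopback proxy")
        bound = [a for (a, p) in listeners if p == port]
        if not bound:
            problems.append(f"nothing is listening on port {port}")
        problems += [f"port {port} is bound to {a}, reachable from other hosts"
                     for a in bound if a in ("0.0.0.0", "::")]
    return problems

if __name__ == "__main__":
    print(check(SAMPLE_CONF, SAMPLE_NETSTAT) or "configuration looks consistent")
```

A wildcard bind is flagged because a SOCKS port listening on 0.0.0.0 can be used by any host that can reach the machine.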

Now, in order to proxy your nmap traffic through TOR, use the nmap command prepended with proxychains. Remember that due to the nature of the TOR network, you should limit your scans to TCP only. Use the -sS (SYN) or -sT (CONNECT) scan types.

proxychains nmap -sS -PN -n -p 21,443 <target>

proxychains nmap -sT -PN -n -p 21,443 <target>

UPDATE

A visitor pointed out that nmap breaks out of proxychains.
Further investigation showed that nmap breaks out of proxychains for the SYN (-sS) scan. The CONNECT (-sT) scan is done via proxychains.