Nmap scan through TOR

TOR (https://www.torproject.org/) is a great project if you want to protect your privacy. You can use TOR to proxy your nmap scans, making it very difficult for the scanned network to identify the source of the scan.

Only scan networks that you are allowed to scan!

First check that you have TOR installed. It should be listening on a local network port tcp/9050.

tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      xxxx/tor        

You also need to install a package called proxychains, which will proxy all the traffic through TOR. Proxychains has its configuration file in /etc/proxychains.conf. When installed, its default configuration already lists the local TOR SOCKS port as one of the available proxies.

[ProxyList]
# add proxy here ...
# meanwhile
# defaults set to "tor"
socks4  127.0.0.1 9050

Now, in order to proxy your nmap traffic through TOR, run the nmap command prepended with proxychains. Remember that TOR only relays TCP streams, so you should limit your scans to TCP only. Use the -sS (SYN) or -sT (CONNECT) scan types, and disable host discovery (-PN) and DNS resolution (-n), since the ICMP probes and lookups nmap would otherwise send are not TCP.

proxychains nmap -sS -PN -n -p 21,443 <target>

proxychains nmap -sT -PN -n -p 21,443 <target>

UPDATE

A visitor pointed out that nmap breaks out of proxychains.
Further investigation showed that nmap breaks out of proxychains for the SYN (-sS) scan, while the CONNECT (-sT) scan does go through proxychains. The reason is that proxychains only intercepts the normal socket connect() calls a program makes; the SYN scan builds its packets on a raw socket, which proxychains never sees, so those packets leave over your normal connection.
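To reproduce the finding in the update, a packet capture taken during the scan shows which packets went to the local TOR SOCKS port and which went straight to the target. The script below is an added example, not part of the original post; it assumes the target is 198.51.100.5, the proxy is the 127.0.0.1:9050 entry from proxychains.conf, and the capture text is the output of `tcpdump -nn -i any` (a constructed sample is embedded so it runs offline).

```shell
#!/bin/sh
# Added example: count packets that bypassed the TOR SOCKS proxy during a
# proxychains + nmap run. Assumptions (not from the post): target is
# 198.51.100.5, proxy is 127.0.0.1:9050, input is "tcpdump -nn -i any" text.

# count_leaked CAPTURE_FILE TARGET
# Prints the number of packets sent directly to TARGET. Any non-zero count
# means the scan escaped proxychains (what -sS does: raw SYN packets never
# pass through the connect() hook that proxychains relies on).
count_leaked() {
    capture="$1"; target="$2"
    # tcpdump line: "<ts> IP <src.port> > <dst.port>: Flags ..." -> $5 is dst
    awk -v t="$target" '
        $1 ~ /^[0-9:.]+$/ && $2 == "IP" && $4 == ">" {
            dst = $5; sub(/:$/, "", dst)
            # drop the trailing ".port" to get the destination address
            n = split(dst, p, "."); host = p[1] "." p[2] "." p[3] "." p[4]
            if (host == t) leaked++
        }
        END { print leaked + 0 }' "$capture"
}

# count_proxied CAPTURE_FILE
# Prints the number of packets that went to the local TOR SOCKS port instead.
count_proxied() {
    awk '$2 == "IP" && $4 == ">" && $5 == "127.0.0.1.9050:" { n++ }
         END { print n + 0 }' "$1"
}

# Constructed sample capture (not real traffic): two raw SYNs straight to the
# target, plus two connections to the local TOR SOCKS port.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
10:01:02.000001 IP 192.0.2.10.40001 > 198.51.100.5.21: Flags [S], seq 1, win 1024, length 0
10:01:02.000002 IP 192.0.2.10.40002 > 198.51.100.5.443: Flags [S], seq 2, win 1024, length 0
10:01:03.000001 IP 127.0.0.1.50001 > 127.0.0.1.9050: Flags [S], seq 3, win 65495, length 0
10:01:03.000002 IP 127.0.0.1.9050 > 127.0.0.1.50001: Flags [S.], seq 4, ack 4, win 65483, length 0
10:01:03.000003 IP 127.0.0.1.50002 > 127.0.0.1.9050: Flags [S], seq 5, win 65495, length 0
EOF

echo "packets sent straight to target: $(count_leaked "$SAMPLE" 198.51.100.5)"
echo "packets sent to TOR socks port:  $(count_proxied "$SAMPLE")"
```

With a real capture, a -sT run should report zero packets straight to the target, while a -sS run reports one per probed port.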

3 thoughts on “Nmap scan through TOR”

  1. truth on said:

    this post is just bullshit. nmap 5.x breaks out of proxychains, and uses your normal internet connection to scan the given host. try it yourself, use wireshark / tcpdump to monitor the outgoing connection, then run nmap with the given command “nmap -sS -PN -n -p 21,443 somehost”. there is no traffic proxied to the tor network at all. only the dns resolution will be done by the tor network.

    c&p FAIL
