Nmap scan through TOR

TOR (https://www.torproject.org/) is a great project if you want to take care of your privacy. You can use TOR to proxy your nmap scans making it very difficult for the scanned network to find the source.

Only scan networks that you are allowed to scan!

First check that you have TOR installed. It should be listening on a local network port tcp/9050.

tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      xxxx/tor        

You also need to install a package called proxychains that will proxy all the traffic through TOR. Proxychains has its configuration file in /etc/proxychains.conf. When installed, it will add the TOR connection as one of the available proxies./

[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4 	127.0.0.1 9050

Now, in order to proxy your nmap traffic through TOR, use the nmap command prepended with proxychains. Remember that due to the nature of the TOR network, you should limit your scans to TCP only. Use the sS (SYN) or sT (CONNECT) scan types.

proxychains nmap -sS -PN -n -p 21,443

proxychains nmap -sT -PN -n -p 21,443

UPDATE

A visitor pointed out that nmap breaks out of proxychains.
Further investigation showed that nmap breaks out of proxychains for the SYN (-sS) scan. The CONNECT (-sT) scan is done via proxychains.

7 thoughts on “Nmap scan through TOR

  1. truth on said:

    this is post is just bullshit. nmap 5.x breaks out of proxychains, and uses your normal internet connection to scan the given host. try it yourself, use wireshark / tcpdump to monitor the outgoing connection, then run nmap with the given command “namp -sS -PN -n -p 21,443 somehost”. there is no traffic proxyed to the tor network at all. only the dns resolution will be done by the tor network.

    c&p FAIL

  2. leon Course on said:

    hello is there any new method use nmap with proxychains4 ? or any with any other tool , to be anonymous while scaning

  3. gh0st on said:

    I would figure instead of using nmap create and control a proxy and do it’s scan… proxychains nmap… like a tunnel if you will. Nmap through proxychains vs nmap with proxychains.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.