How to use nmap through proxychains?

  • I am running nmap through proxychains using this command:

    proxychains nmap -v scanme.nmap.org
    

    This produced an error:

    [email protected]:~# proxychains nmap -v scanme.nmap.org
    ProxyChains-3.1 (http://proxychains.sf.net)
    
    Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-05-07 17:23 IST
    |DNS-request| scanme.nmap.org 
    |D-chain|-<>-127.0.0.1:9050-<>-127.0.0.1:9050-<--denied
    |D-chain|-<>-127.0.0.1:9050-<><>-4.2.2.2:53-<><>-OK
    |DNS-response| scanme.nmap.org is 45.33.32.156
    45.33.32.156/0 looks like an IPv6 target specification -- you have to use the -6 option.
    Read data files from: /usr/bin/../share/nmap
    WARNING: No targets were specified, so 0 hosts scanned.
    Nmap done: 0 IP addresses (0 hosts up) scanned in 0.94 seconds
    

    Then I went to this question (here) and I tried this:

     The solution was that I disabled the DNS through socks:
     
     in /etc/proxychains.conf file, just add a # before the line "proxy_dns"
    

    But when I ran nmap through proxychains again, the nmap scan ran, but the proxychains proxy was not being used, as the following verbose output shows:

    [email protected]:~# proxychains nmap -v scanme.nmap.org
    ProxyChains-3.1 (http://proxychains.sf.net)
    
    Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-05-07 17:26 IST
    Initiating Ping Scan at 17:26
    Scanning scanme.nmap.org (45.33.32.156) [4 ports]
    Completed Ping Scan at 17:26, 0.20s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 17:26
    Completed Parallel DNS resolution of 1 host. at 17:26, 0.00s elapsed
    Initiating SYN Stealth Scan at 17:26
    Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
    Discovered open port 22/tcp on 45.33.32.156
    Discovered open port 80/tcp on 45.33.32.156
    Increasing send delay for 45.33.32.156 from 0 to 5 due to 11 out of 31 dropped probes since last increase.
    Increasing send delay for 45.33.32.156 from 5 to 10 due to 59 out of 196 dropped probes since last increase.
    Increasing send delay for 45.33.32.156 from 10 to 20 due to max_successful_tryno increase to 4
    Increasing send delay for 45.33.32.156 from 20 to 40 due to max_successful_tryno increase to 5
    Increasing send delay for 45.33.32.156 from 40 to 80 due to 28 out of 92 dropped probes since last increase.
    Increasing send delay for 45.33.32.156 from 80 to 160 due to max_successful_tryno increase to 6
    Increasing send delay for 45.33.32.156 from 160 to 320 due to max_successful_tryno increase to 7
    SYN Stealth Scan Timing: About 24.82% done; ETC: 17:28 (0:01:34 remaining)
    Increasing send delay for 45.33.32.156 from 320 to 640 due to 11 out of 21 dropped probes since last increase.
    Increasing send delay for 45.33.32.156 from 640 to 1000 due to max_successful_tryno increase to 8
    SYN Stealth Scan Timing: About 24.66% done; ETC: 17:30 (0:03:06 remaining)
    Discovered open port 31337/tcp on 45.33.32.156
    Discovered open port 9929/tcp on 45.33.32.156
    Completed SYN Stealth Scan at 17:28, 97.38s elapsed (1000 total ports)
    Nmap scan report for scanme.nmap.org (45.33.32.156)
    Host is up (0.23s latency).
    Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
    Not shown: 992 closed ports
    PORT      STATE    SERVICE
    22/tcp    open     ssh
    80/tcp    open     http
    139/tcp   filtered netbios-ssn
    445/tcp   filtered microsoft-ds
    514/tcp   filtered shell
    1434/tcp  filtered ms-sql-m
    9929/tcp  open     nping-echo
    31337/tcp open     Elite
    
    Read data files from: /usr/bin/../share/nmap
    Nmap done: 1 IP address (1 host up) scanned in 97.65 seconds
               Raw packets sent: 1477 (64.936KB) | Rcvd: 1457 (58.288KB)
    

    From this we can see that nmap works fine, but my question is: why did nmap start as soon as the command was executed, without tunneling itself through the proxies? Whereas if I ran a command like this:

    proxychains firefox www.google.com
    

    I got the following verbose output, which shows the tunneling through the proxies.

    [email protected]:~# proxychains firefox www.duckduckgo.com
    ProxyChains-3.1 (http://proxychains.sf.net)
    
    (process:6159): GLib-CRITICAL **: g_slice_set_config: assertion 'sys_page_size == 0' failed
    console.error: 
      [CustomizableUI]
      Custom widget with id loop-button does not return a valid node
    console.error: 
      [CustomizableUI]
      Custom widget with id loop-button does not return a valid node
    |D-chain|-<>-127.0.0.1:9050-<>-127.0.0.1:9050-<--denied
    |D-chain|-<>-127.0.0.1:9050-<><>-46.51.216.186:80-<><>-OK
    |D-chain|-<>-127.0.0.1:9050-<><>-46.51.216.186:443-<><>-OK
    |D-chain|-<>-127.0.0.1:9050-<><>-52.19.3.28:443-<><>-OK
    |D-chain|-<>-127.0.0.1:9050-<><>-117.18.237.29:80-<><>-OK
    |D-chain|-<>-127.0.0.1:9050-<><>-74.125.130.91:443-<><>-OK
    |D-chain|-<>-127.0.0.1:9050-<><>-216.58.199.174:80-<><>-OK
    |D-chain|-<>-127.0.0.1:9050-<><>-74.125.130.102:443-<><>-OK
    |D-chain|-<>-127.0.0.1:9050-<><>-46.51.216.186:443-<><>-OK
    |D-chain|-<>-127.0.0.1:9050-<><>-46.51.216.186:443-<><>-OK
    |D-chain|-<>-127.0.0.1:9050-<><>-46.51.216.186:443-<><>-OK
    |D-chain|-<>-127.0.0.1:9050-<><>-46.51.216.186:443-<><>-OK
    |D-chain|-<>-127.0.0.1:9050-<><>-46.51.216.186:443-<><>-OK
    |D-chain|-<>-127.0.0.1:9050-<><>-54.251.178.52:443-<><>-OK
    

    Be sure to use proxychains-ng, not the original proxychains, which has some known bugs especially with Nmap.

    Relevant blog: Speeding up Proxychains with Nmap / Xargs (https://www.hackwhackandsmack.com/?p=1021). You definitely want to use -n (if applicable), -sT and -Pn. Other tricks might include using --max-retries and such.

  • Support for proxies in nmap is very limited. In particular, you cannot do any kind of ICMP (ping) or UDP scans, no SYN stealth scan, no OS detection, etc. This means that the default nmap commands you are using will not work with a proxy and, depending on the implementation, will either fail or will bypass the proxy. You have to limit yourself to only the kind of scanning which is supported through proxies, i.e. simple TCP connections.

    For more details about this see Nmap through proxy.
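To make concrete why the SYN scan in the question ran outside the proxy while the answers above say only `-sT` (plain TCP connects) can go through one, here is an added example that is not code from the post, from nmap or from proxychains. proxychains works by intercepting a program's `connect()` (and, with `proxy_dns`, name-lookup) calls through LD_PRELOAD and replacing each one with a SOCKS CONNECT exchange; nmap's SYN, UDP and ping probes are written as raw packets and never call `connect()`, so they are never intercepted and leave the host directly. The block below implements that SOCKS5 CONNECT exchange (RFC 1928) on both sides: a minimal client, and an in-process fake proxy built on `socket.socketpair()` so nothing is bound or sent on the network. The target hostname, the port list and the set of ports the fake proxy reports as open are constructed for the example.

```python
"""Minimal SOCKS5 CONNECT exchange (RFC 1928) with an in-process fake proxy.
Constructed example, not code from the post or from nmap/proxychains: the fake
proxy never touches the network; it reports OPEN_PORTS as reachable (REP=0x00)
and every other port as refused (REP=0x05)."""
import socket
import struct
import threading

SOCKS5, CMD_CONNECT = 0x05, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCESS, REP_REFUSED = 0x00, 0x05
OPEN_PORTS = {22, 80}  # constructed: ports the fake proxy reports as open

def recv_exact(sock, n):
    """Read exactly n bytes; TCP may return fewer per recv() call."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection early")
        buf += chunk
    return buf

def read_addr(sock):
    """Consume ATYP + address + port (request or reply); return (host, port)."""
    atyp = recv_exact(sock, 1)[0]
    if atyp == ATYP_IPV4:
        host = socket.inet_ntoa(recv_exact(sock, 4))
    elif atyp == ATYP_DOMAIN:
        host = recv_exact(sock, recv_exact(sock, 1)[0]).decode("idna")
    elif atyp == ATYP_IPV6:
        host = socket.inet_ntop(socket.AF_INET6, recv_exact(sock, 16))
    else:
        raise ConnectionError("unknown address type %d" % atyp)
    return host, struct.unpack("!H", recv_exact(sock, 2))[0]

def build_connect_request(dst_host, dst_port):
    """An IPv4 literal is sent as ATYP=1; a hostname as ATYP=3 so the proxy
    resolves it (what proxychains' proxy_dns arranges when given a name)."""
    try:
        atyp, body = ATYP_IPV4, socket.inet_aton(dst_host)
    except OSError:
        name = dst_host.encode("idna")
        atyp, body = ATYP_DOMAIN, bytes([len(name)]) + name
    return bytes([SOCKS5, CMD_CONNECT, 0x00, atyp]) + body + struct.pack("!H", dst_port)

def socks5_connect(stream, dst_host, dst_port):
    """Greeting + CONNECT over an open stream to the proxy (for a real one:
    socket.create_connection(("127.0.0.1", 9050))); returns the REP code.
    CONNECT is a TCP stream to one host:port. SOCKS has no raw-SYN, ICMP or
    UDP request, which is why -sS, -sU and ping probes cannot use a proxy."""
    stream.sendall(bytes([SOCKS5, 0x01, 0x00]))  # offer one auth method: none
    if recv_exact(stream, 2) != bytes([SOCKS5, 0x00]):
        raise ConnectionError("proxy rejected the no-auth method")
    stream.sendall(build_connect_request(dst_host, dst_port))
    _ver, rep, _rsv = recv_exact(stream, 3)
    read_addr(stream)  # BND.ADDR/BND.PORT, drained so the stream sits at the payload
    return rep

def connect_scan_via_socks(open_stream, dst_host, ports):
    """Per port, what `nmap -sT -Pn -n` through proxychains boils down to:
    one proxied TCP connect whose success or refusal is the port's state."""
    result = {}
    for port in ports:
        with open_stream() as s:
            rep = socks5_connect(s, dst_host, port)
        result[port] = "open" if rep == REP_SUCCESS else "closed"
    return result

class FakeSocksProxy:
    """In-process SOCKS5 server: open_stream() returns one end of a socketpair
    and services the other end on a thread, so nothing is bound or sent out."""
    def __init__(self):
        self.requests = []

    def open_stream(self):
        client, server = socket.socketpair()
        threading.Thread(target=self._handle, args=(server,), daemon=True).start()
        return client

    def _handle(self, conn):
        with conn:
            _ver, nmethods = recv_exact(conn, 2)
            recv_exact(conn, nmethods)  # methods offered; we accept "no auth"
            conn.sendall(bytes([SOCKS5, 0x00]))
            _ver, cmd, _rsv = recv_exact(conn, 3)
            host, port = read_addr(conn)
            self.requests.append((cmd, host, port))
            rep = REP_SUCCESS if cmd == CMD_CONNECT and port in OPEN_PORTS else REP_REFUSED
            conn.sendall(bytes([SOCKS5, rep, 0x00, ATYP_IPV4]) + bytes(6))  # BND 0.0.0.0:0

def demo():
    """Scan three ports of a constructed hostname through the fake proxy."""
    proxy = FakeSocksProxy()
    result = connect_scan_via_socks(proxy.open_stream, "scanme.nmap.org", [22, 80, 443])
    return result, proxy.requests
```

`demo()` returns the per-port result together with the destinations the fake proxy saw, which is exactly the information a real SOCKS proxy (or a Tor exit) logs about a proxied connect scan: one CONNECT per port, with the hostname itself in the request when the client passed a name rather than an address. Nothing in the protocol can express a SYN-only probe, an ICMP echo or a UDP datagram, so the only safe combination on the page's own advice is `-n -Pn -sT`, which keeps every probe inside the `connect()` path that proxychains hooks.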

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM