Pen Testing reconnaissance 101 : Using NMap,Tor and ProxyChains

Learning objective : How can you perform reconnaissance on a remote target to check which ports are unsecured for possible exposure to network attacks?

Step 1: Create or choose an off the shelf Network Port scanner.

Based on my research and talking to more experienced peers in this space, I choose Nmap ( https://nmap.org/) , a free & open source network security auditing tools. It is very popular among researchers and professionals alike .

I’m using a MAC and one can either choose to install using the DMG file or using Homebrew

$ brew install nmap

Nmap has it’s downsides in terms of being “noisy” and easily detectable in terms of the amount of traffic it creates while performing it’s operations.

That brought me to step 2

Step 2: Find an anonymous way to run your Network Port scanner and perform reconnaissance in a securer fashion

Find a secure “overlay” to pass you traffic through so that you can anonymously use Nmap and not be exposed to exploitation yourself. Tor network and it’s Tor browser is what I chose

Here is an excerpt from an excellent intro guide on Tor ,

You may know Tor as the hometown of online illegal activities, a place where you can buy any drug you want, a place for all things illegal.  Tor is much larger than what the media makes it out to be. According to Kings College much of Tor is legal.

When you normally visit a website, your computer makes a direct TCP connection with the website’s server. Anyone monitoring your internet could read the TCP packet. They can find out what website you’re visiting and your IP address. As well as what port you’re connecting to.

If you’re using HTTPS, no one will know what the message said. But, sometimes all an adversary needs to know is who you’re connecting to.

Using Tor, your computer never communicates with the server directly. Tor creates a twisted path through 3 Tor nodes, and sends the data via that circuit.

The core principle of Tor is onion routing which is a technique for anonymous & secure communication over a public network. In onion routing messages are encapsulated in several layers of encryption.

Step 3: Stringing above tools together to execute a reconnaissance

The plan from here is to call Nmap commands from the terminal and redirect traffic through the Tor network ( that the Tor browser initiates when an instance is launched on the local machine – default for Tor is 127.0.0.1 9050)

Further research, led me to a useful tool called Proxychains. It is a unix based OS tool that marries really well with Tor(it is configured to redirect Tor traffic be default) or any other proxy or in fact chain proxies together to redirect traffic out from your local host.

Note – In terms of this part of the post I have not yet researched a windows equivalent for ProxyChains, so the end to end solution is incomplete in that regard.

So,

a) install ProxyChains using HomeBrew – $ proxychains4 brew install proxychains-ng

b) install and run Tor service from the command line –

$ brew install tor

$ brew services start tor

c) choose a target , that allows ethical pen testing . I chose Nmap’s offering called – scanme.nmap.org

d) Goto proxychains.conf file (usually found in /usr/local/etc folder) and if your installation was successful you see already see an entry saying –

[ProxyList]

# add proxy here ...

# meanwile

# defaults set to "tor"socks4

127.0.0.1 9050

e) You are all set now to run, nmap command through Tor ,on your terminal type ->

$ proxychains4 nmap -sT -PN -n -sV -p 21 scanme.nmap.org

The switches in the above command mean –

-sTfull TCP connection scan
-PNdo not perform host discovery
-nnever perform DNS resolution (to prevent DNS leaks)
-sVdetermine service version/info
-pports to scan

i.e. We are scanning port 21 on scaneme.nmap.org anonymously through nmap and see if it is open or closed?

f) The output will look something like ->

As you can see above , the request has been denied and state of the port is closed.

So, there you are , a simple basic Pen test to perform port scanning in a “safe” environment.

Further considerations with this approach and homework –

It is common for hosts to block Tor end points , that is where ProxyChains comes in handy . You can chain one or more public proxy server (anonymous as well) to your Tor service .

Port scanning through Tor is very slow , so I will have to find a more scalable solution when it comes to perform this kind of tests in bulk


Leave a Reply