Hi nmappers
I've been experimenting with Tor
http://tor.eff.org/
for the last couple of days and was wondering how well
nmap would play with it.
Tor runs a SOCKS server and forwards connections through
a series of routers; the connections emerge from the
network on a random node and it is apparently rather
difficult to identify the source of the connections.
I used the transparent socks wrapper tsocks to
forward nmap's connections through the tor network.
This seems to work OK, but I did notice a few
oddities:
Here "home" & "work" are machines I run, each behind
a firewall, with the home machine's firewall being "hfw".
- running
tsocks nmap -P0 -p22 hfw
on "work" as a normal user results, usually, in
Starting nmap 3.81
Mismatch!!!! we think we have port 22 but we really have a different one
Interesting ports on hfw (x.x.x.x):
PORT STATE SERVICE
22/tcp open ssh
Nmap finished: 1 IP address (1 host up) scanned in 0.747 seconds
which is correct -- but is the warning significant?
- occasionally the same command will return
PORT STATE SERVICE
22/tcp filtered ssh
Nmap finished: 1 IP address (1 host up) scanned in 12.020 seconds
I guess that this is a connection timeout on the tor network (note scan
time).
- running "tsocks nmap" as root seems to always make a direct connection
and not use the socks proxy at all (the only time I've ever seen root
able to do less than a normal user!). I found this out by running
tsocks nmap -P0 -p80 hfw
at "work" as different users, and looking at the firewall logs.
I think that this is something to do with how tsocks runs
(using LD_PRELOAD) but I'm not clear on the details.
- running
tsocks nmap -P0 -p22 hfw
at "home" always gives a
PORT STATE SERVICE
22/tcp filtered ssh
Nmap finished: 1 IP address (1 host up) scanned in 12.129 seconds
Again I think this is tor network latency, but is there any way
to adjust this? --max_rtt_timeout seems to have no effect.
Does anyone have any ideas or other tips for using tor & nmap?
Cheers!
-j
--
J. J. Green, Department of Applied Mathematics, Hicks Bd.,
Hounsfield Rd., University of Sheffield, Sheffield, UK.
+44 (0114) 222 3742, http://www.vindaloo.uklinux.net/jjg
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Received on May 18 2005