Nmap Development mailing list archives

Re: Scanning through proxy, including Tor: Ethical consideration


From: Daniel Miller <bonsaiviking () gmail com>
Date: Tue, 14 Jul 2015 14:13:51 -0500

On Tue, Jul 14, 2015 at 6:44 AM, Fabio Pietrosanti (naif) - lists <lists () infosecurity ch> wrote:

Regarding high-performance scanning through a proxy, including and
especially Tor, did you consider the ethical aspects of such an
implementation?

Up to now there is no point'n'click high-performance port scanning tool
that works well behind Tor; this means that abuse of the Tor network for
port scanning exists, but it is not yet a major problem for Tor Exit Node
operators.

Whenever nmap supports scanning through Tor with high performance and
high accuracy, we will see a strong increase in the number of abuses of
the Tor network.

This will lead to problems for Tor Exit Node operators, who support the
Tor anonymity network on a volunteer basis.

I'd suggest keeping the patch for scanning through Tor out of official
nmap software releases.

I know it's a controversial topic, but consider the possible impact it
will have on a public, free, volunteer-run Tor network.


Fabio,

Thanks for this interesting perspective. I think that there are a few
critical points here to keep in mind, which should help ease your mind and
guide our progress.

First, the goal of Andrew Farabee's GSOC project should not be stated as
"implement scanning through Tor" or even "scanning of Tor hidden services."
The actual capability we are seeking is "extend Nsock proxy support to
allow connect-by-name." This is a basic capability of many existing
proxy-aware programs like proxychains, Firefox, etc. We have gotten focused
on Tor because connect-by-name is the *only* way to access hidden services.
For this reason, they provide a nice way to test our capability. But the
capability has much broader application. Imagine being able to SSH into a
network, add a dynamic port forward, and scan the network with a local copy
of Nmap. Additionally, the focus is not just Nmap and port scanning; the
Nsock library is used by Ncat as well, so an example use case for the
capability would be connecting to an Ncat --chat server hosted as a hidden
service.

Second, it is unlikely that any port scanning capability through Tor will
ever be considered "high-performance" or "high-accuracy." The tunneled
nature of Tor, coupled with the network's notoriously low bandwidth, means
that scans will have to be very slow indeed to preserve accuracy. Nmap's
automatic timing adjustments will probably require considerable tuning for
this type of scenario to avoid grinding to a halt.

Third, the capability to do port scanning through Tor already exists. It
would take me all of 2 minutes to write a one-line command to loop
proxychains-wrapped netcat over a list of servers and ports. There are
guides to combining Nmap with proxychains that work to varying degrees of
success. If exit node operators are not dealing with this now, then either
they are not paying attention or it is not an issue. Exit policies provide
a simple way to lock down an exit node, and the default exit policy is
quite restrictive compared to the "needs" of someone looking to anonymize
their port scanning activities.

I hope this helped address some of your concerns.

Dan
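The connect-by-name capability Dan describes (the proxy, not the client, resolving the target name, which is what .onion addresses require) is, at the protocol level, a SOCKS5 CONNECT request that carries the hostname as address type 3 (RFC 1928). What follows is an added example for this thread, not code from Nsock, Nmap, Ncat, proxychains or Tor: a minimal SOCKS5 client in Python that builds connect-by-name requests, parses replies, and maps the proxy's reply code onto connect-scan port states. The state mapping is this example's own choice; the proxy address ("127.0.0.1", 9050, Tor's default SocksPort) is an assumption; and the reply bytes used in the demo are constructed, not captured from a real proxy.

```python
"""SOCKS5 connect-by-name (RFC 1928) for a connect scan through a proxy.

Added example; not Nmap, Nsock, proxychains or Tor code.  Only
socks5_connect_scan() touches the network; the rest works on bytes so it
can be exercised offline against constructed data."""
import socket
import struct

SOCKS_VER = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_TEXT = {  # RFC 1928 section 6 reply codes
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused",
    0x06: "TTL expired", 0x07: "command not supported",
    0x08: "address type not supported",
}


class ShortReply(ValueError):
    """Buffer does not yet hold a whole reply; read more from the proxy."""


def build_connect_request(host: str, port: int) -> bytes:
    """Encode VER CMD RSV ATYP DST.ADDR DST.PORT.

    IP literals go as ATYP 1/4.  Anything else goes as ATYP 3, the raw name,
    and the proxy resolves it: that is connect-by-name, the only way to reach
    a .onion address, and it keeps the scanning host from doing a DNS lookup
    that would reveal the target outside the tunnel."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_pton(socket.AF_INET, host)
    except OSError:
        try:
            addr = bytes([ATYP_IPV6]) + socket.inet_pton(socket.AF_INET6, host)
        except OSError:
            name = host.encode("ascii")
            if not 0 < len(name) < 256:  # one length byte in the wire format
                raise ValueError("hostname must be 1..255 bytes") from None
            addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_reply(data: bytes):
    """Decode VER REP RSV ATYP BND.ADDR BND.PORT.

    Returns (rep, bound_host, bound_port, bytes_consumed).  Raises ShortReply
    if the buffer is incomplete, so a stream reader never mis-parses a reply
    that arrived split across two recv() calls."""
    if len(data) < 4:
        raise ShortReply("short reply")
    ver, rep, atyp = data[0], data[1], data[3]
    if ver != SOCKS_VER:
        raise ValueError("not a SOCKS5 reply")
    if atyp == ATYP_IPV4:
        start, end = 4, 8
    elif atyp == ATYP_IPV6:
        start, end = 4, 20
    elif atyp == ATYP_DOMAIN:
        if len(data) < 5:
            raise ShortReply("short reply")
        start, end = 5, 5 + data[4]
    else:
        raise ValueError("unknown ATYP %d" % atyp)
    if len(data) < end + 2:
        raise ShortReply("short reply")
    raw = data[start:end]
    if atyp == ATYP_IPV4:
        host = socket.inet_ntop(socket.AF_INET, raw)
    elif atyp == ATYP_IPV6:
        host = socket.inet_ntop(socket.AF_INET6, raw)
    else:
        host = raw.decode("ascii", "replace")
    return rep, host, struct.unpack("!H", data[end:end + 2])[0], end + 2


def port_state(rep: int) -> str:
    """Map a reply code to an Nmap-style connect-scan state.

    This mapping is the example's own choice, not an Nmap or Tor rule: only a
    proxy-reported 'connection refused' is evidence of a closed port, while
    unreachable / TTL expired / ruleset replies look the same as a firewall
    drop, so they are reported as filtered.  Other codes describe the proxy,
    not the target, and are no evidence either way."""
    if rep == 0x00:
        return "open"
    if rep == 0x05:
        return "closed"
    if rep in (0x02, 0x03, 0x04, 0x06):
        return "filtered"
    return "proxy-error"


def _recv_exact(s, n):
    buf = b""
    while len(buf) < n:
        chunk = s.recv(n - len(buf))
        if not chunk:
            raise RuntimeError("proxy closed the connection")
        buf += chunk
    return buf


def socks5_connect_scan(proxy, target, ports, timeout=30.0):
    """Connect scan of target through a live SOCKS5 proxy, one proxy
    connection per port.  The long timeout is deliberate: a Tor circuit is
    slow, and a premature timeout is indistinguishable from 'filtered'."""
    results = {}
    for port in ports:
        try:
            with socket.create_connection(proxy, timeout=timeout) as s:
                s.sendall(bytes([SOCKS_VER, 0x01, 0x00]))  # offer NO AUTH only
                if _recv_exact(s, 2) != bytes([SOCKS_VER, 0x00]):
                    raise RuntimeError("proxy rejected the NO AUTH method")
                s.sendall(build_connect_request(target, port))
                buf = b""
                while True:
                    buf += _recv_exact(s, 1)
                    try:
                        rep = parse_reply(buf)[0]
                        break
                    except ShortReply:
                        continue
                results[port] = port_state(rep)
        except (OSError, RuntimeError) as exc:
            results[port] = "proxy-error (%s)" % exc
    return results


if __name__ == "__main__":
    import sys
    # Offline demo on constructed bytes (not captured from a real proxy).
    print("CONNECT request:", build_connect_request("example.onion", 80).hex())
    rep, host, port, _ = parse_reply(b"\x05\x05\x00\x01\x7f\x00\x00\x01\x1f\x90")
    print("reply %s from %s:%d -> %s" % (REP_TEXT[rep], host, port, port_state(rep)))
    if len(sys.argv) == 3:  # usage: socks5scan.py TARGET 22,80,443 (assumes Tor on 127.0.0.1:9050)
        ports = [int(p) for p in sys.argv[2].split(",")]
        for p, state in sorted(socks5_connect_scan(("127.0.0.1", 9050), sys.argv[1], ports).items()):
            print(p, state)
```

The same client covers the SSH case Dan mentions: `ssh -D 1080 user@bastion` opens a local SOCKS5 port that also accepts hostname requests, so pointing `socks5_connect_scan` at ("127.0.0.1", 1080) scans the far side of the tunnel with names resolved by the bastion.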
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
