Nmap Development mailing list archives
Re: Scanning trough proxy, including Tor: Ethical consideration
From: Daniel Miller <bonsaiviking () gmail com>
Date: Tue, 14 Jul 2015 14:13:51 -0500
On Tue, Jul 14, 2015 at 6:44 AM, Fabio Pietrosanti (naif) - lists < lists () infosecurity ch> wrote:
> Regarding the high-performance scanning through proxy, including and especially Tor, did you consider the ethical aspects of such implementation? Up to now there are no point'n'click high-performance port scanning tools that work well behind Tor; this means that Tor network abuse for port scanning exists, but it's not yet a major problem for Tor Exit Node operators. Whenever nmap supports scanning through Tor with high performance and high accuracy, we will see a strong increase in the amount of abuse of the Tor network. This will lead to problems for Tor Exit Node operators, who support the Tor anonymity network on a volunteer basis. I'd suggest keeping the patch for scanning through Tor off nmap official software releases. I know it's a controversial topic, but consider the possible impact it will have on a public, free, volunteer-run Tor network.
Fabio,

Thanks for this interesting perspective. I think that there are a few critical points here to keep in mind, which should help ease your mind and guide our progress.

First, the goal of Andrew Farabee's GSOC project should not be stated as "implement scanning through Tor" or even "scanning of Tor hidden services." The actual capability we are seeking is "extend Nsock proxy support to allow connect-by-name." This is a basic capability of many existing proxy-aware programs like proxychains, Firefox, etc. We have gotten focused on Tor because connect-by-name is the *only* way to access hidden services. For this reason, they provide a nice way to test our capability. But the capability has much broader application. Imagine being able to SSH into a network, add a dynamic port forward, and scan the network with a local copy of Nmap. Additionally, the focus is not just Nmap and port scanning; the Nsock library is used by Ncat as well, so an example use case for the capability would be connecting to an Ncat --chat server hosted as a hidden service.

Second, it is unlikely that any port scanning capability through Tor will ever be considered "high-performance" or "high-accuracy." The tunneled nature of Tor, coupled with the network's notoriously low bandwidth, means that scans will have to be very slow indeed to preserve accuracy. Nmap's automatic timing adjustments will probably require considerable tuning for this type of scenario to avoid grinding to a halt.

Third, the capability to do port scanning through Tor already exists. It would take me all of 2 minutes to write a one-line command to loop proxychains-wrapped netcat over a list of servers and ports. There are guides to combining Nmap with proxychains that work to varying degrees of success. If exit node operators are not dealing with this now, then either they are not paying attention or it is not an issue. Exit policies provide a simple way to lock down an exit node, and the default exit policy is quite restrictive compared to the "needs" of someone looking to anonymize their port scanning activities.

I hope this helped address some of your concerns.

Dan
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Scanning trough proxy, including Tor: Ethical consideration Fabio Pietrosanti (naif) - lists (Jul 14)
- Re: Scanning trough proxy, including Tor: Ethical consideration Gioacchino Mazzurco (Jul 14)
- Re: Scanning trough proxy, including Tor: Ethical consideration Jacek Wielemborek (Jul 14)
- Re: Scanning trough proxy, including Tor: Ethical consideration Daniel Miller (Jul 14)
- Re: Scanning trough proxy, including Tor: Ethical consideration Fyodor (Jul 16)
- Re: Scanning trough proxy, including Tor: Ethical consideration Fabio Pietrosanti (naif) - lists (Jul 17)