Nmap Development mailing list archives

nmap & tor


From: "J.J.Green" <j.j.green () sheffield ac uk>
Date: Wed, 18 May 2005 22:54:23 +0100 (BST)

Hi nmappers

I've been experimenting with Tor

  http://tor.eff.org/

for the last couple of days and was wondering how well
nmap would play with it.

Tor runs a SOCKS server and forwards connections through
a series of routers; the connections emerge from the
network on a random node and it is apparently rather
difficult to identify the source of the connections.

I used the transparent socks wrapper tsocks to
forward nmap's connections through the tor network.
This seems to work OK, but I did notice a few
oddities:

Here "home" & "work" are machines I run, each behind
a firewall, with the home machine's firewall being "hfw"

- running

    tsocks nmap -P0 -p22 hfw

  on "work" as a normal user results, usually, in

    Starting nmap 3.81
    Mismatch!!!! we think we have port 22 but we really have a different one
    Interesting ports on hfw (x.x.x.x):
    PORT   STATE SERVICE
    22/tcp open  ssh

    Nmap finished: 1 IP address (1 host up) scanned in 0.747 seconds

  which is correct -- but is the warning significant?

- occasionally the same command will return

    PORT   STATE    SERVICE
    22/tcp filtered ssh

    Nmap finished: 1 IP address (1 host up) scanned in 12.020 seconds

  I guess that this is connection timeout on the tor network (note scan
  time).

- running "tsocks nmap" as root seems to always make a direct connection
  and not use the socks proxy at all (the only time I've ever seen root
  able to do less than a normal user!) I found this out by running

     tsocks nmap -P0 -p80 hfw

  at "work" as different users, and looking at the firewall logs.
  I think that this is something to do with how tsocks runs
  (using LD_PRELOAD) but I'm not clear on the details.

- running

    tsocks nmap -P0 -p22 hfw

  at "home" always gives a

    PORT   STATE    SERVICE
    22/tcp filtered ssh

    Nmap finished: 1 IP address (1 host up) scanned in 12.129 seconds

  Again I think this is tor network latency, but is there any way
  to adjust this?  --max_rtt_timeout seems to have no effect.

Does anyone have any ideas or other tips for using tor & nmap?

Cheers!

-j
-- 
J. J. Green, Department of Applied Mathematics, Hicks Bd.,
Hounsfield Rd.,  University of Sheffield,  Sheffield, UK.
+44 (0114) 222 3742,  http://www.vindaloo.uklinux.net/jjg

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
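Added example, not part of the post above or of the Nmap project: a small POSIX sh wrapper that only runs nmap under an LD_PRELOAD SOCKS wrapper with options the wrapper can actually intercept. tsocks works by replacing connect() inside the process, so anything nmap does with raw sockets or libpcap (the SYN scan it defaults to as root, UDP/FIN/Xmas scans, -O, ICMP ping probes) and its own UDP DNS lookups never pass through the proxy and leave with the real source address. The wrapper name (`tsocks`, overridable through `SOCKS_WRAPPER`), the list of raw-socket options and the function names are this example's own assumptions; `-Pn` is the current spelling of the `-P0` used in the 3.81 output above.

```shell
#!/bin/sh
# Added example (not from the post): run nmap through a SOCKS LD_PRELOAD
# wrapper only with options the wrapper can intercept. tsocks hooks connect(),
# so raw-socket scans, raw ping probes, OS detection and nmap's own UDP DNS
# resolver all bypass it. Wrapper name and option lists are assumptions here.

# Scan and probe options that need raw sockets/libpcap and therefore bypass tsocks.
RAW_OPTS="-sS -sU -sA -sW -sM -sF -sX -sN -sO -sI -sY -sZ -O --traceroute"

# check_socks_safe ARGS...: succeed if no argument needs raw sockets,
# otherwise print the first offending argument on stdout and fail.
check_socks_safe() {
  for arg in "$@"; do
    for bad in $RAW_OPTS; do            # word-splitting RAW_OPTS is intended
      [ "$arg" = "$bad" ] && { printf '%s\n' "$arg"; return 1; }
    done
    case "$arg" in
      -Pn|-PN|-P0) ;;                   # "no host discovery": nothing is sent, safe
      -P*) printf '%s\n' "$arg"; return 1 ;;   # raw ping probes: -PE, -PS22, -PA, -PU ...
    esac
  done
  return 0
}

# build_socks_cmd ARGS...: print the command line that tor_nmap will run. It forces
#   -sT  TCP connect scan, the only scan type that goes through connect()
#   -n   no reverse DNS (nmap resolves with its own UDP sockets, not via the wrapper)
#   -Pn  skip host discovery so no ICMP/raw probe is sent (spelled -P0 on nmap 3.81)
build_socks_cmd() {
  wrapper=${SOCKS_WRAPPER:-tsocks}
  printf '%s nmap -sT -n -Pn' "$wrapper"
  for arg in "$@"; do printf ' %s' "$arg"; done   # display only; tor_nmap passes "$@" quoted
  printf '\n'
}

# tor_nmap ARGS...: validate the arguments, then run nmap under the wrapper.
tor_nmap() {
  if [ "$(id -u)" -eq 0 ]; then
    # As root nmap defaults to a raw SYN scan, which is why "tsocks nmap" run as
    # root goes direct. -sT below overrides that default, but say so loudly.
    echo "tor_nmap: running as root; forcing -sT so nmap cannot use raw sockets" >&2
  fi
  if ! bad=$(check_socks_safe "$@"); then
    echo "tor_nmap: refusing '$bad': it needs raw sockets and would bypass the proxy" >&2
    return 1
  fi
  echo "tor_nmap: $(build_socks_cmd "$@")" >&2
  "${SOCKS_WRAPPER:-tsocks}" nmap -sT -n -Pn "$@"
}

# Show the command line that would be used for the scan of hfw from the post.
build_socks_cmd -p22 hfw
```

Options that only open TCP connections, such as `-p`, `-sV` or `-sT` itself, pass the check; anything that would need a raw socket is rejected before nmap starts rather than silently leaking the scanner's address. `-n` matters as much as `-sT`: even with every packet proxied, a reverse lookup of the target sent over plain UDP tells the resolver which host is being scanned.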