
nmap vulnerability scanning | HowTo

17 Dec

Port and vulnerability scanners are common tools used by good guys as well as bad guys. Performing a port scan is one of the first operations required to find potential vulnerabilities on a target system. That’s why vulnerability scanners have built-in port scanners. Writing a port scanner is really easy, with a few lines of Perl:

#!/usr/bin/perl
# Usage: scan.pl <host> <start-port>; tries every TCP port from start-port up to 65535
use strict;
use warnings;
use IO::Socket;
while ($ARGV[1] < 65536) {
  # new() returns a socket object on success and undef when the port is closed or filtered;
  # the condition is evaluated first and increments the port, hence the "- 1" when printing
  print STDOUT "$ARGV[0]:" . ($ARGV[1] - 1) . " open\n"
    if IO::Socket::INET->new(PeerAddr => "$ARGV[0]:" . $ARGV[1]++, Proto => 'tcp', Timeout => 1);
}

(Source: okc2600.com)

However, “real” port scanners offer many more options, such as evasion techniques to work “below the radar” or fingerprinting. Nmap is the best tool for this purpose.

Synergies already exist between different scanning products. A good example is the integration of Nessus with Nmap. Nmap can save the scan results in XML format. The produced XML content can be re-used by Nessus to scan for vulnerabilities. By using this method, the power of Nessus is combined with that of Nmap. For more information, read this article.

Performing a vulnerability scan is highly resource-consuming. Why not add a simple vulnerability scan feature to Nmap? The primary goal is to save time and be less intrusive. Nmap has a built-in script interpreter called NSE (“Nmap Scripting Engine”) which allows developers to write extensions for Nmap. It comes by default with a lot of scripts. If you’re interested, I posted an introduction article on NSE a few months ago.

Marc Ruef developed an NSE script which adds a basic vulnerability scanner feature to your Nmap. Technically, the script does NOT perform a vulnerability scan by itself. With the powerful fingerprinting feature of Nmap (using the “-sV” flag), the running applications and versions can be detected. That information is used as lookup keys in a DB export of OSVDB, the Open Source Vulnerability Database. The matching entries are displayed in the script output. The script installation is extremely simple: just copy the files into your existing scripts directory (something like “$NMAP_INSTALL_PATH/share/nmap/scripts/”). Invoke it like any standard script:

# nmap -PN -sS -sV --script=vulscan -p80 www.company.tld

Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2010-06-03 11:11 CEST
Nmap scan report for www.company.tld (10.0.0.1)
Host is up (0.00074s latency).
rDNS record for 10.0.0.1: www.company.tld
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.11 ((Ubuntu) PHP/5.2.6-3ubuntu4.5 with Suhosin-Patch)
| vulscan: [48] Apache HTTP Server on Debian /usr/doc Directory Information Disclosure
| [143] Apache HTTP Server printenv.pl Multiple Method CGI XSS
| [222] Apache HTTP Server test-cgi Arbitrary File Access

[Stuff Deleted]

| [63895] Apache HTTP Server mod_headers Unspecified Security Issue
| [64023] Apache Tomcat WWW-Authenticate Header Local Host Information Disclosure
| [64020] Apache ActiveMQ Jetty ResourceHandler Crafted Request JSP File Source Disclosure
| [64307] Apache Tomcat Web Application Manager/Host Manager CSRF
| [64517] Apache Open For Business Project (OFBiz) View Profile Section partyId Parameter XSS
| [64518] Apache Open For Business Project (OFBiz) Show Portal Page Section start Parameter XSS
| [64519] Apache Open For Business Project (OFBiz) Control Servlet URI XSS
| [64520] Apache Open For Business Project (OFBiz) ecommerce/control/ViewBlogArticle contentId Parameter XSS
| [64521] Apache Open For Business Project (OFBiz) Web Tools Section entityName Parameter XSS
|_[64522] Apache Open For Business Project (OFBiz) ecommerce/control/contactus Multiple Parameter XSS

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.66 seconds

My first impression was disappointing: the scan reported too many vulnerabilities (>500 hits!), which is unusable in a real environment. But after reading the script (remember: RTFM!), I saw that Marc was aware of this problem (caused by a naming convention issue between Nmap & OSVDB). He added a correlation feature to reduce those false positives. To activate this option, just pass the following parameter:

# nmap -PN -sS -sV --script=vulscan --script-args vulscancorrelation=1 -p80 www.company.tld

Fortunately, this second test generated far fewer hits (26) but, as a side effect, took longer to complete.
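To make the false-positive problem concrete, here is an added Python example (not vulscan’s code and not its algorithm) that parses constructed -sV service lines, looks them up in a constructed OSVDB-style table by keyword alone, and then again correlated on a product alias plus the detected version. The table, the alias map and the version-prefix rule are all assumptions built for illustration.

```python
import re

# Constructed sample of the VERSION column from an nmap -sV scan, one line per service.
NMAP_SERVICES = [
    "80/tcp   open  http  Apache httpd 2.2.11 ((Ubuntu) PHP/5.2.6-3ubuntu4.5 with Suhosin-Patch)",
    "21/tcp   open  ftp   vsftpd 2.0.8",
    "2121/tcp open  ftp   ProFTPD 1.3.3a",
]

# Constructed vulnerability table in the style of an OSVDB export:
# (id, title, affected product, affected version prefixes). Ids are placeholders.
VULN_DB = [
    ("C-001", "Apache HTTP Server mod_example Request Handling Issue", "Apache HTTP Server", ("2.2.",)),
    ("C-002", "Apache HTTP Server 1.3 Example Directory Disclosure", "Apache HTTP Server", ("1.3.",)),
    ("C-003", "Apache Tomcat Manager Example CSRF", "Apache Tomcat", ("6.0.",)),
    ("C-004", "Apache ActiveMQ Example Source Disclosure", "Apache ActiveMQ", ("5.3.",)),
    ("C-005", "Apache OFBiz Example Parameter XSS", "Apache OFBiz", ("9.04",)),
    ("C-006", "vsftpd 2.0 Example Denial of Service", "vsftpd", ("2.0.",)),
    ("C-007", "vsftpd 2.3 Example Configuration Issue", "vsftpd", ("2.3.",)),
]

# Nmap's product names differ from the database's naming convention; this assumed alias
# table bridges the two (the mismatch the post attributes the false positives to).
ALIASES = {"Apache httpd": "Apache HTTP Server", "vsftpd": "vsftpd"}

SERVICE_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>\w+)\s+(?P<state>\S+)\s+(?P<service>\S+)\s+(?P<banner>.*)$"
)
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_service(line):
    """Split one -sV line into port/proto/state/service plus product and version;
    the product is the banner text before the first dotted version number."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    info = m.groupdict()
    banner = info.pop("banner")
    v = VERSION_RE.search(banner)
    info["product"] = (banner[: v.start()] if v else banner).strip()
    info["version"] = v.group(0) if v else ""
    info["port"] = int(info["port"])
    return info


def naive_matches(product):
    """Keyword lookup: every title containing the first word of the product.
    'Apache httpd' therefore drags in Tomcat, ActiveMQ and OFBiz entries."""
    keyword = product.split()[0].lower()
    return [row[0] for row in VULN_DB if keyword in row[1].lower()]


def correlated_matches(product, version):
    """Correlated lookup: map the Nmap name onto the database's product name and keep
    only entries whose affected-version prefix matches the detected version."""
    canonical = ALIASES.get(product)
    if canonical is None or not version:
        return []
    return [row[0] for row in VULN_DB
            if row[2] == canonical and any(version.startswith(p) for p in row[3])]


def scan_report(lines):
    """Per open port: the hits the naive lookup gives versus the correlated one."""
    report = {}
    for line in lines:
        svc = parse_service(line)
        if svc is None or svc["state"] != "open":
            continue
        report[svc["port"]] = {
            "product": svc["product"],
            "version": svc["version"],
            "naive": naive_matches(svc["product"]),
            "correlated": correlated_matches(svc["product"], svc["version"]),
        }
    return report


if __name__ == "__main__":
    for port, r in sorted(scan_report(NMAP_SERVICES).items()):
        print(f"{port} {r['product']} {r['version']}: {len(r['naive'])} naive hit(s), "
              f"correlated -> {r['correlated']}")
```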

This is a very nice feature for Nmap. By using this script, you can quickly get an overview of the potential vulnerabilities on a target host and, if necessary, use a more classic tool to focus on specific cases. Don’t forget that false positives and false negatives are always possible, and results must always be analyzed by a competent person.

To keep the vulnerability scanner accurate, the vulnerability DB must be kept up to date. To achieve this, you can automate the update using the CSV export available on osvdb.org (updated daily). First you have to register. Once done, you will be able to download the CSV updates via a permalink generated with your API key. The upgrade can be fully automated via a simple daily cron job and a script:

#!/bin/sh
# Daily refresh of the vulscan OSVDB tables; "xxxxx" in the URL stands for your own API key
set -e
NMAPHOME=/usr/local/nmap
FILES="object_correlations.txt object_links.txt object_products.txt vulnerabilities.txt"
cd /tmp
# -o /dev/null discards wget's log output
wget -o /dev/null http://osvdb.org/file/get_latest_csv/xxxxx/osvdb-csv.latest.tar.gz
for FILE in $FILES
do
	# extract only the table we need and drop it into the vulscan script directory
	tar xzf osvdb-csv.latest.tar.gz ./osvdb/$FILE
	mv osvdb/$FILE $NMAPHOME/share/nmap/scripts/vulscan
done
rm -rf osvdb
rm osvdb-csv.latest.tar.gz
exit 0

Marc has released version 0.6 of his script and already has a nice to-do list (integration with other vulnerability databases). Great job!


fail2ban | How To | Ubuntu

19 Sep

fail2ban is a very handy tool for preventing a lot of unwanted traffic from consuming bandwidth on your servers. It’s a very small and relatively simple IDS-type tool that comes with some predefined filters to automatically lock out potentially dangerous or bandwidth-consuming attacks.

This tutorial covers basic installation and setup, along with an example of a simple custom filter to help you on your way to writing your own custom event-based blocking rules (filters) for the applications you run.

The installation is described at http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Debian (I used apt-get and it went painlessly):

$ sudo apt-get install fail2ban

Configuration

I’m on Ubuntu 12.04 and the install location is /etc/fail2ban. The log for the jails is /var/log/fail2ban.log.

filters, actions and jails

fail2ban uses the concept of filters, actions and jails.

    • Filters are the regular expressions you want to look for.
    • Actions are the steps you want to take when you find something.
    • Jails are what you create to tie together a log file, a filter and an action.

.local files

Don’t edit the .conf files you find. Instead, create a .local file of the same name for your settings. The settings that you specify in the .local will override the .conf, and you will not be troubled by upgrades.

Getting Started

fail2ban should have installed itself in /etc/fail2ban. Take a look at the jail.conf file and you will see that some of the jails are already enabled by default, such as ssh. The first thing you may want to do is enable some of the others.

Enabling a Predefined Jail

Don’t edit the jail.conf. Rather, create a jail.local in the same directory to override the .conf settings. You can copy the whole file, but I recommend just copying the relevant section and setting enabled to true. (You can also turn off jails that are enabled by default in this fashion.)

#
# HTTP servers
#
[apache]

enabled = true
port    = http,https
filter  = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6

Since no action is explicitly specified, the default action is taken. That action is defined at the top of the jail.conf and is currently to ban the attacker’s IP address for a short while using iptables. If you are not using iptables, you may wish to do so, or to take a more advanced action.

Advanced Uses

The real power of fail2ban comes when you create custom filters, actions and jails. As an example, I show how to watch pure-FTPd logs and issue a block on the router, effectively blocking the offending IP address from your entire network.

Creating a Custom Filter

The basic goal is to find a specific error message and an IP address associated with it. Examine the log file you are concerned about.

pure-FTPd example

In my case pure-FTPd logs to /var/log/messages and it had entries such as:

Aug  8 17:43:10 NAS pure-ftpd: (?@91.121.174.74) [WARNING] Sorry, cleartext sessions are not accepted on this server. Please reconnect using SSL/TLS security mechanisms.
Aug  8 15:05:45 NAS pure-ftpd: (?@192.168.1.148) [WARNING] Authentication failed for user [schmoe]

Then go to the filter.d directory and create a new file named pure-ftpd-TLS.local. You’re looking to put in the error message and replace the IP address with the fail2ban reserved word <HOST>. Here’s an example:

[Definition]
failregex = pure-ftpd: \(.+?@<HOST>\) \[WARNING\] Sorry, cleartext sessions are not accepted on this server
            pure-ftpd: \(.+?@<HOST>\) \[WARNING\] Authentication failed for user
ignoreregex =

The interesting part is the \(.+?@<HOST>\). This is an escaped “(”, a “.+?” (one or more characters, matched lazily up to the following “@”), the “@” itself and then the keyword <HOST>. The “.+?” is important for the regex because there can be a username in front of the “@” (in the log lines above it is a literal “?”). The <HOST> is specific to fail2ban and is required for it to know what IP to take action against.
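As an added example, not part of the original tutorial, the following Python replays what fail2ban-regex and the jail’s maxretry do with the two failregex lines above: <HOST> is swapped for an IPv4 capture group (fail2ban’s real substitution also accepts hostnames and IPv6, so this is a simplification), constructed log lines are matched, and a simplified maxretry/findtime window decides which addresses would be banned.

```python
import re
from collections import defaultdict
from datetime import datetime

# The two failregex lines from pure-ftpd-TLS.local above; <HOST> is fail2ban's
# placeholder for the address to act on. ignoreregex is empty, as in the filter.
FAILREGEX = [
    r"pure-ftpd: \(.+?@<HOST>\) \[WARNING\] Sorry, cleartext sessions are not accepted on this server",
    r"pure-ftpd: \(.+?@<HOST>\) \[WARNING\] Authentication failed for user",
]
IGNOREREGEX = []

# Constructed /var/log/messages sample (documentation/private address ranges).
# 203.0.113.10 fails five times in 15 seconds, 198.51.100.7 five times over an hour.
LOG_LINES = [
    "Aug  8 15:05:45 NAS pure-ftpd: (?@192.168.1.148) [WARNING] Authentication failed for user [schmoe]",
    "Aug  8 15:06:02 NAS pure-ftpd: (?@192.168.1.148) [WARNING] Authentication failed for user [schmoe]",
    "Aug  8 16:00:00 NAS pure-ftpd: (bob@198.51.100.7) [WARNING] Authentication failed for user [bob]",
    "Aug  8 16:15:00 NAS pure-ftpd: (bob@198.51.100.7) [WARNING] Authentication failed for user [bob]",
    "Aug  8 16:30:00 NAS pure-ftpd: (bob@198.51.100.7) [WARNING] Authentication failed for user [bob]",
    "Aug  8 16:45:00 NAS pure-ftpd: (bob@198.51.100.7) [WARNING] Authentication failed for user [bob]",
    "Aug  8 17:00:00 NAS pure-ftpd: (bob@198.51.100.7) [WARNING] Authentication failed for user [bob]",
    "Aug  8 17:43:10 NAS pure-ftpd: (?@203.0.113.10) [WARNING] Sorry, cleartext sessions are not accepted on this server. Please reconnect using SSL/TLS security mechanisms.",
    "Aug  8 17:43:12 NAS pure-ftpd: (?@203.0.113.10) [WARNING] Sorry, cleartext sessions are not accepted on this server. Please reconnect using SSL/TLS security mechanisms.",
    "Aug  8 17:43:15 NAS pure-ftpd: (?@203.0.113.10) [WARNING] Sorry, cleartext sessions are not accepted on this server. Please reconnect using SSL/TLS security mechanisms.",
    "Aug  8 17:43:20 NAS pure-ftpd: (?@203.0.113.10) [WARNING] Authentication failed for user [guest]",
    "Aug  8 17:43:25 NAS pure-ftpd: (?@203.0.113.10) [WARNING] Authentication failed for user [admin]",
    "Aug  8 17:43:30 NAS sshd[1234]: Accepted publickey for alice from 192.168.1.5 port 50022 ssh2",
]


def compile_failregex(pattern):
    """Replace fail2ban's <HOST> tag with a named IPv4 capture group (simplified:
    the real substitution also accepts hostnames and IPv6 literals)."""
    host = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
    return re.compile(pattern.replace("<HOST>", host))


def match_failures(lines, patterns=FAILREGEX, ignore=IGNOREREGEX):
    """Yield (timestamp, host) for every line that a failregex matches and no
    ignoreregex matches; roughly the lines fail2ban-regex reports as matched."""
    rxs = [compile_failregex(p) for p in patterns]
    ignores = [re.compile(p) for p in ignore]
    for line in lines:
        if any(rx.search(line) for rx in ignores):
            continue
        for rx in rxs:
            m = rx.search(line)
            if m:
                # syslog stamps carry no year; a fixed year is fine for relative comparisons
                yield datetime.strptime(line[:15], "%b %d %H:%M:%S"), m.group("host")
                break  # one failure per line even if several regexes would match


def count_failures(lines):
    """Total failures per host, the 'Total failed' style figure of the status output."""
    counts = defaultdict(int)
    for _, host in match_failures(lines):
        counts[host] += 1
    return dict(counts)


def hosts_to_ban(lines, maxretry=5, findtime=600):
    """Sliding-window check in the spirit of fail2ban's maxretry/findtime: a host is
    banned once maxretry failures fall within findtime seconds (simplified model)."""
    recent = defaultdict(list)
    banned = set()
    for when, host in match_failures(lines):
        window = [t for t in recent[host] if (when - t).total_seconds() <= findtime]
        window.append(when)
        recent[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return sorted(banned)
```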

There are other features you can take advantage of (though not well documented) but this example represents the minimum approach.

Creating a Custom Action

You can think of an action file as a collection of commands. Some you want to issue when fail2ban starts, others when it stops so as to clean up after itself. They are contained in the action.d directory. The predefined iptables-multiport.conf is a great one to start with. The iptables-allports.conf takes it a step further, and you may want to use that instead.

Banning at the border example

To modify it to work with a Tomato-based router, simply paste an ssh root@tomato '....' wrapper in front of the existing iptables commands. Also make sure to enable ssh logins on the router and place the host’s public key in the router’s authorized_keys file.

change

actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP

to

actionban = ssh root@tomato 'iptables -t nat -I fail2ban-<name> 1 -s <ip> -j DROP'

Note the addition of -t nat after the iptables command. This is needed because it is being used on a router, as opposed to a host that isn’t forwarding traffic.

Since iptables’ order of inspection is 1) the mangle table’s PREROUTING chain, 2) the nat table’s PREROUTING, 3) the filter table’s FORWARD or back to the mangle table’s INPUT chain, it made sense to cut it off at step 2, where I could use one rule for both the firewall itself and the protected network.

See the attached file at the bottom for all the rule changes needed.

Creating a New Jail

To turn on a jail you create a jail.local file. In mine I changed the default ban action to the new action I just created, and created a jail for Pure-FTPd. In both cases you simply use the file name without the extension to identify the filter and action file you want to use:

#
# ACTIONS
#

[DEFAULT]

# Default banning action
banaction = iptables-allports-router

#
# JAILS
#

[pure-FTPd]

enabled  = true
port     = all
filter   = pure-ftpd-TLS
logpath  = /var/log/messages
maxretry = 5

Checking the status of a jail

$ sudo fail2ban-client status
Status
|- Number of jail:      2
`- Jail list:           pure-ftpd-TLS, ssh
 
$ sudo fail2ban-client status pure-ftpd-TLS
Status for the jail: pure-ftpd-TLS
|- filter
|  |- File list:        /var/log/messages
|  |- Currently failed: 1
|  `- Total failed:     76
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned:     8

Troubleshooting

Filters

It’s a good idea to test your filter. For instance, the default filter for pure-ftpd is set up for an older release and does not work. Do this by creating a couple of intentionally failed logon attempts, then use the utility fail2ban-regex like so:

$ fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/pure-ftpd-TLS.local

Starting fail2ban

If you try to start fail2ban manually or check its status, you’ll see a variation of this error message:

  $ /etc/init.d/fail2ban start
   * Socket file /var/run/fail2ban/fail2ban.sock is present

This is because on some distros (Ubuntu at least) fail2ban commands must be run with sudo.

Crashing fail2ban

Sometimes fail2ban starts, but aborts as soon as I ask it what its status is. The way to see the error is to start the server in console mode and ask it, via another shell, what its status is. Do that with

# /usr/bin/fail2ban-server -x -f

In one shell and in another

 $ fail2ban-client status pure-ftpd-TLS

You may find that fail2ban must be run with python2.4 on an ARM architecture, on devices such as the DNS-323:

$ apt-get install python2.4
$ python2.4 /usr/bin/fail2ban-server -x -f

$ rm /usr/bin/python
$ ln -s /usr/bin/python2.4 /usr/bin/python

Blocking all ports vs. specific ones

I chose to block all ports. This means that if you fail to log in to FTP you are totally banned, rather than just being blocked from FTP. This is somewhat heavy-handed, as I deny all services based on one service’s attempted exploit. However, the extreme is to block an entire subnet, the suspicion being that where there is one ’bot there are probably more.

NMAP 2 XML | Generate NMAP Reports

12 Jun

I was looking for a technique, outside of Metasploit’s db_nmap command (which stores Nmap results in a database for later analysis), that would let me generate some kind of report on scanned hosts.

Enter Nmap’s -oX switch. This switch, coupled with the default style sheet at http://insecure.org/nmap/data/nmap.xsl, generates this:

nmap -A -oX scanreport.xml --stylesheet http://insecure.org/nmap/data/nmap.xsl www.example.com

 

  • xsltproc is the first external example. It applies different types of XSLT to the Nmap results in the following way: xsltproc nmap-output.xml -o nmap-output.html
  • Saxon, a similar XSLT processor. You can try it in the following way: java -jar saxon9.jar -s:nmap-output.xml -o:nmap-output.html
  • xalan-java, which is an XSLT processor for transforming XML documents into HTML, text, or other XML document types. You can try it in the following way: java -jar xalan.jar -IN nmap-output.xml -OUT nmap-output.html
  • PowerShellScript. This script converts an XML file into a .NET object with properties. Perfect if you need to write software that takes the Nmap XML output format as input, for example if you are building your own report software or an Nmap wrapper.
  • NMAP-XML Flat File converts the Nmap XML file format into an HTML or Excel table. It’s written in Java and it’s pretty “download ’n run”: java XMLNMAPReader nmap-output.xml > OutputFile.[html/xls]
  • PBNJ. Well, it does much more than parsing Nmap XML, but for this post it is able to save an Nmap XML file into a database.
  • NMAP2DB is a great tool for populating SQLite databases with Nmap results.
  • Ruby Nmap Parser Library. A great library for Rubyists providing a Ruby interface to Nmap’s scan data. It can run Nmap and parse its XML output directly from the scan, parse a file containing the XML data from a separate scan, parse a String of XML data from a scan, or parse XML data from an object via its read() method.
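If you would rather process the -oX output yourself than reach for one of the tools above, here is an added Python example (not from the original post or any of the listed projects) that parses a constructed nmap XML document into per-host records, lists open ports and flattens the scan to CSV for a report. The sample document is constructed and trimmed to the elements the code uses.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed nmap -oX output for two hosts (documentation addresses), reduced to the
# elements a report needs: host status, address, hostnames and per-port state/service.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -A -oX scanreport.xml www.example.com" version="5.51">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="www.example.com" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="5.9p1" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.2.11" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/>
        <service name="https" method="table" conf="3"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
  </host>
  <runstats><finished elapsed="60.00"/><hosts up="1" down="1" total="2"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(text):
    """Turn an nmap XML document into a list of host dicts, one per <host> element.
    Missing children (a down host has no <ports>) yield empty values, not errors."""
    root = ET.fromstring(text)
    hosts = []
    for h in root.findall("host"):
        addr = h.find("address[@addrtype='ipv4']")
        name = h.find("hostnames/hostname")
        status = h.find("status")
        host = {
            "addr": addr.get("addr") if addr is not None else "",
            "hostname": name.get("name") if name is not None else "",
            "state": status.get("state") if status is not None else "unknown",
            "ports": [],
        }
        for p in h.findall("ports/port"):
            state = p.find("state")
            svc = p.find("service")
            host["ports"].append({
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "state": state.get("state") if state is not None else "unknown",
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
        hosts.append(host)
    return hosts


def open_ports(hosts):
    """Map address -> sorted open port numbers, for the hosts that were up."""
    return {
        h["addr"]: sorted(p["port"] for p in h["ports"] if p["state"] == "open")
        for h in hosts
        if h["state"] == "up"
    }


def to_csv(hosts):
    """Flatten the parsed scan into one CSV row per port, the shape most report
    tooling (a spreadsheet, a database import) expects."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["address", "hostname", "port", "proto", "state", "service", "product", "version"])
    for h in hosts:
        for p in h["ports"]:
            w.writerow([h["addr"], h["hostname"], p["port"], p["proto"], p["state"],
                        p["service"], p["product"], p["version"]])
    return buf.getvalue()
```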

How to install mod_security | Apache2 | Ubuntu 11.10

3 Apr

What is mod_security?

Mod_security is a filter for requests and responses sent to and from an Apache web server. It is the “snort” of web applications. Check out their official website, modsecurity.org, for more details.

As an example, let’s say “super haxor” starts up their kiddie “Auto Haxs 4000” script and begins to pummel your web server with every known vulnerability for every known web application – perhaps even vulnerabilities that are not known to the public. As mod_security parses each request to your web server, it matches super haxor’s requests against patterns that indicate attempts to exploit SQL injection, command injection, XSS, etc. and returns a generic error message. The attack attempts from super haxor never touch your web application.

In another scenario, Paul and Larry are doing a penetration test on your web server. They find a page that produces a 404 error, hoping to get the details of the operating system and web server in order to gather information about the box. As the response is returned to Paul and Larry, mod_security matches the server information in the response and changes it to a generic, administrator defined message.

mod_security adds another layer of protection to your web server and frees up your time usually spent surfing apache logs.

How do I install mod_security?

This guide covers installing mod_security on Ubuntu 11.10 for Apache 2. In this example, we are going to install from source.

Use the Source

Download the latest mod_security tarball from the mod_security site (modsecurity downloads). You will only need the current modsecurity-apache archive.

Now get the necessary packages for compiling mod_security on Ubuntu with this command:

$ sudo apt-get install automake g++ apache2-threaded-dev dpkg-dev libxml2 libxml2-dev

Now compile and install mod_security with the following commands:

$ cd <modsecurity download directory>/apache2
$ ./configure
$ make
$ sudo make install

Apache Conf Files

Now that the mod_security binary is installed in your Apache 2 modules folder, we have to make a few configuration files so that Apache knows to use the module.

Create a file called /etc/apache2/mods-available/security2.load with the following contents:

LoadFile /usr/lib/libxml2.so
LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so
# Deliberately invalid directive: if the module failed to load, Apache refuses to start
# instead of silently running without mod_security
<IfModule !mod_security2.c>
error_mod_security2_is_not_loaded
</IfModule>
<IfModule mod_security2.c>
Include /etc/apache2/modsecurity_crs/*.conf
</IfModule>

Next create a /etc/apache2/modsecurity_crs directory and move all of the Core Rules into it. Be aware that some of the optional rules explained later on may require some of the .data files in addition to the .conf files.

$ sudo mkdir /etc/apache2/modsecurity_crs
$ sudo cp <mod_security download directory>/rules/*.conf /etc/apache2/modsecurity_crs/

You should now take a look at the rule files to make sure the settings are as you like them. For the most part I only modified lines in the modsecurity_crs_10_config.conf file. This file allows you to enable different portions of the engine. I enabled the directives to scan all XML content. In particular you will want to look at the paths where mod_security stores its log files. I changed all of the log directories to the following:

SecUploadDir /var/log/modsecurity/SecUploadDir
SecAuditLog /var/log/modsecurity/SecAuditLog/modsec_audit.log
SecAuditLogStorageDir /var/log/modsecurity/SecAuditLogStorageDir
SecDebugLog /var/log/modsecurity/SecDebugLog/modsec_debug.log
SecDataDir /var/log/modsecurity/SecDataDir
SecTmpDir /var/log/modsecurity/SecTmpDir

After the settings were made I created the directories and set proper permissions with the following commands:

$ sudo mkdir /var/log/modsecurity
$ sudo mkdir /var/log/modsecurity/SecDataDir
$ sudo mkdir /var/log/modsecurity/SecTmpDir
$ sudo mkdir /var/log/modsecurity/SecUploadDir
$ sudo mkdir /var/log/modsecurity/SecAuditLog
$ sudo mkdir /var/log/modsecurity/SecAuditLogStorageDir
$ sudo mkdir /var/log/modsecurity/SecDebugLog
$ sudo chown -R www-data:www-data /var/log/modsecurity
$ sudo chmod -R a-rwx /var/log/modsecurity/
$ sudo chmod -R u+rwx /var/log/modsecurity/

There are also some other rule sets in the modsecurity-apache_2.1.5/rules/optional_rules/ directory. You may want to take a look at them and place them into your /etc/apache2/modsecurity_crs/ if desired.

Enable and Test

You should now have everything in place to run Apache 2 with mod_security. It is time to enable the module and restart apache.

$ sudo a2enmod security2
$ sudo /etc/init.d/apache2 reload

Hopefully Apache 2 restarts fine with no errors. Once Apache 2 has restarted, go ahead and test your web application with mod_security enabled. If you find that your web application is now working improperly, you can debug the mod_security rule that is blocking it by taking a look at the audit log and using the fabulous web application debugging tool Firebug.

Lastly

You may also need to enable mod_unique_id, as my Apache error.log was reporting that it is required. This can be done with:

$ sudo a2enmod unique_id
$ sudo /etc/init.d/apache2 reload

Conclusion

If you are deploying an Apache 2 server that is going to be running any sort of web application, I highly recommend that you take a look at mod_security. The hour you spend installing it could save you from a lawsuit or embarrassing explanations to your customers.

nmap scan via TOR | hidemyip

9 Mar

Description

This tutorial shows how to configure the tools to do an Nmap port scan through the Tor network. This technique can be used in the context of a pentest, but it can also be used by attackers. Please be careful about the type of nmap scans you do, as some options disclose your IP address. You can add an entry to iptables to drop all outbound traffic to the destination for a particular scan. See further on for how to do this.

Pre-requisites

First ensure you have installed necessary tools:

Configuration

In the following example, we do an Nmap port scan with tortunnel via proxychains. The reason why we need tortunnel is that it makes the scan faster. Indeed, by default, Tor uses a minimum of 3 hops. Thanks to tortunnel, we talk directly to a final exit node, which makes the scan much faster.

First install and configure Tor, and install proxychains:

$ sudo apt-get install tor tor-geoipdb proxychains
$ sudo service tor status
tor is running
$ sudo vi /etc/tor/torrc
# add the line below to allow the local IP range to use the Tor proxy
SocksPolicy accept 10.1.1.0/24

Also install tortunnel:

$ sudo apt-get install libboost-system1.40-dev libssl-dev
$ cd /data/src/
$ wget http://www.thoughtcrime.org/software/tortunnel/tortunnel-0.2.tar.gz
$ tar xvzf tortunnel-0.2.tar.gz
$ cd tortunnel-0.2/
$ ./configure
$ make
$ sudo make install

Then configure proxychains to work with tortunnel. Edit the configuration file:

$ sudo vim /etc/proxychains.conf

And modify it as follows:

[ProxyList]
# add proxy here ...
# meanwhile
# defaults set to "tor"
#socks4         127.0.0.1 9050
socks5 127.0.0.1 9050

Find an exit node and start torproxy

We then have to find an exit node that is stable, fast and valid. Most Tor exit nodes do not support nmap scanning. You could use this:

$ curl http://128.31.0.34:9031/tor/status/all | grep --before-context=1 'Exit Fast Running V2Dir Valid' | awk '{ print $7 }' | sed '/^$/d'

to return a list of exit nodes that support nmap scanning.

Then start torproxy with the found exit node using the -n switch and bind it to local port 9900:

$ torproxy -n 178.73.***.** -p 9900
torproxy 0.3 by Moxie Marlinspike.
Retrieving directory listing...
Connecting to exit node: 178.73.*.*:9001
SSL Connection to node complete.  Setting up circuit.
Connected to Exit Node.  SOCKS proxy ready on 9900.

Start scan

Warning: beware of the parameters you use for the scan, since some of them will disclose your IP address. More information below.

For our scan, we use Nmap with following arguments:

  • -Pn: to skip host discovery (its ICMP probes are sent directly, not through the proxy, and would disclose our IP address).
  • -sT: full Connect() scan, to ensure that all packets go through the Tor network.

To ensure that our IP address won’t be disclosed to the target, you can add the following rule to your firewall:

$ sudo iptables -A OUTPUT --dest <target> -j DROP

Now, run Nmap as follows:

$ proxychains nmap -Pn -sT -p 80,443,21,22,23 80.14.163.161
ProxyChains-3.1 (http://proxychains.sf.net)

Starting Nmap 5.36TEST4 ( http://nmap.org ) at 2011-02-09 22:40 CET
|S-chain|-<>-127.0.0.1:5060-<><>-80.14.163.161:23-<--timeout
|S-chain|-<>-127.0.0.1:5060-<><>-80.14.163.161:22-<--timeout
|S-chain|-<>-127.0.0.1:5060-<><>-80.14.163.161:443-<--timeout
|S-chain|-<>-127.0.0.1:5060-<><>-80.14.163.161:80-<><>-OK
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
|S-chain|-<>-127.0.0.1:5060-<><>-80.14.163.161:21-<--timeout
Nmap scan report for LMontsouris-156-25-20-161.w80-14.abo.wanadoo.fr (80.14.163.161)
Host is up (13s latency).
PORT    STATE  SERVICE
21/tcp  closed ftp
22/tcp  closed ssh
23/tcp  closed telnet
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 60.86 seconds

Nmap results and tcpdump traces

Nmap results – without tor

$ nmap -Pn -sT 74.50.**.***

Starting Nmap 5.36TEST4 ( http://nmap.org ) at 2011-02-11 05:21 CET
Nmap scan report for 74.50.**.***
Host is up (0.16s latency).
Not shown: 992 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
443/tcp   open     https
445/tcp   filtered microsoft-ds
10000/tcp open     snet-sensor-mgmt
20000/tcp open     dnp

Nmap done: 1 IP address (1 host up) scanned in 23.38 seconds

tcpdump traces – without tor

Our IP address is disclosed, as shown on the following extract:

$ tcpdump -nS -c 10 -r scan-without-tor.cap "host 80.14.163.161"
reading from file scan-without-tor.cap, link-type EN10MB (Ethernet)
05:21:58.052164 IP 80.14.163.161.51027 > 74.50.**.***.21: Flags [S], seq 3307142116, win 5840, options [mss 1416,sackOK,TS val 148568 ecr 0,nop,wscale 6], length 0
05:21:58.052249 IP 74.50.**.***.21 > 80.14.163.161.51027: Flags [R.], seq 0, ack 3307142117, win 0, length 0
05:21:58.053041 IP 80.14.163.161.46436 > 74.50.**.***.3389: Flags [S], seq 3300984040, win 5840, options [mss 1416,sackOK,TS val 148568 ecr 0,nop,wscale 6], length 0
05:21:58.053058 IP 74.50.**.***.3389 > 80.14.163.161.46436: Flags [R.], seq 0, ack 3300984041, win 0, length 0
05:21:58.054538 IP 80.14.163.161.46034 > 74.50.**.***.80: Flags [S], seq 3299162143, win 5840, options [mss 1416,sackOK,TS val 148568 ecr 0,nop,wscale 6], length 0
05:21:58.054567 IP 74.50.**.***.80 > 80.14.163.161.46034: Flags [S.], seq 2576119236, ack 3299162144, win 5792, options [mss 1460,sackOK,TS val 2639903416 ecr 148568,nop,wscale 5], length 0
05:21:58.055538 IP 80.14.163.161.60357 > 74.50.**.***.8080: Flags [S], seq 3303516262, win 5840, options [mss 1416,sackOK,TS val 148568 ecr 0,nop,wscale 6], length 0
05:21:58.055552 IP 74.50.**.***.8080 > 80.14.163.161.60357: Flags [R.], seq 0, ack 3303516263, win 0, length 0
05:21:58.057287 IP 80.14.163.161.43407 > 74.50.**.***.22: Flags [S], seq 3301543264, win 5840, options [mss 1416,sackOK,TS val 148568 ecr 0,nop,wscale 6], length 0
05:21:58.057303 IP 74.50.**.***.22 > 80.14.163.161.43407: Flags [S.], seq 2572644408, ack 3301543265, win 5792, options [mss 1460,sackOK,TS val 2639903416 ecr 148568,nop,wscale 5], length 0

Nmap results – with tor

$ proxychains nmap -Pn -sT 74.50.**.***
(...TRUNCATED...)
Nmap scan report for 74.50.**.***
Host is up (0.35s latency).
Not shown: 995 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
443/tcp   open  https
10000/tcp open  snet-sensor-mgmt
20000/tcp open  dnp

Nmap done: 1 IP address (1 host up) scanned in 420.35 seconds

tcpdump traces – with tor

Our IP address is not disclosed, as shown on the following extract:

$ tcpdump -nS -c 10 -r scan-with-tor.cap "host 80.14.163.161"
reading from file scan-with-tor.cap, link-type EN10MB (Ethernet)

Conclusions

The results of the scans have shown that Tor makes it possible to run an Nmap port scan without disclosing our IP address. Nevertheless, there are some limitations:

  • Our scan must use the full Connect() handshake.
  • It is much slower than a normal scan (420 seconds with Tor against 23 seconds without Tor), although we only used one exit node.
  • The anonymity of the second scan remains relative. Indeed, since we only use one node, that node could be able to disclose our identity.

Shoutout to http://www.aldeid.com/ for this post