Thursday, 12 January 2012

How To Perform Anonymous Port scanning using Nmap and Tor (Part-2)

The Solution:
A distributed, anonymous, secure network

Distributing your traffic over several servers, so that no single point can link you to your destination, reduces the risk of both simple and sophisticated traffic analysis and so helps defend your privacy. It is like taking a zig-zag, random, hard-to-follow path to shake off somebody who is tailing you (what the heroes usually do against the villain in action films :) ), then periodically erasing your footprints. Instead of taking a direct route from source to destination, packets on Tor take a random path through several relays that cover your tracks, so no observer at any single point can tell where the data came from or where it is going.

Tor incrementally builds a circuit of encrypted connections through relays on the network, extended one hop at a time, and each relay along the way knows only which relay handed it data and which relay it is passing data to. No individual relay ever knows the whole path a packet has taken. The client negotiates a separate set of encryption keys for each hop along the circuit, so that no hop can trace the connections passing through it.

Once a circuit has been established, any data can be exchanged over it, and because each relay sees no more than one hop of the circuit, neither an eavesdropper nor a compromised relay can use traffic analysis to link the connection's source to its destination.

Tor only carries TCP streams, and any application with SOCKS support can use it. That also bounds what a scanner can do through it: only connections the application opens with connect() are proxied, so raw-packet scan types (SYN, UDP, ICMP pings) never enter Tor and would leave your real address with the target.
To experiment and write this small how-to, I set up a server on the Internet that I wanted to scan from my home network using Nmap, Nessus and Metasploit from my BackTrack installation in a VM. Here are the steps I followed to launch the scan / exploitation through Tor:

A. Installing Tor: detailed instructions can be found on the Tor project website.
B. Download socat. This tool is an excellent multipurpose relay and will let me set up a local TCP listener that tunnels my connections through the Tor SOCKS server (listening on 127.0.0.1:9050 by default).

Unfortunately socat is only packaged for BSD and *nix systems. To use Tor on Windows I would recommend using Privoxy, or better, installing the whole TorCP bundle.

Let us assume that the IP address of the host I wanted to scan was
I invoked socat:
[talha@localhost#] ./socat TCP4-LISTEN:8080,fork SOCKS4:127.0.0.1:<target-ip>:80,socksport=9050

The above command makes socat listen on port 8080 and tunnel every incoming connection to port 80 on the target through the Tor SOCKS server at 127.0.0.1:9050 (the socat address is written SOCKS4:<socks-server>:<target-host>:<target-port>, with socksport selecting the SOCKS server's port). Note that plain SOCKS4 carries only an IPv4 address: give socat the target's IP rather than a hostname, otherwise the name is resolved locally, outside Tor, and the lookup leaks the target to your DNS resolver.

For use on Windows you will need to:

1. Install Privoxy
2. Allow HTTP CONNECT requests on port 80 through your firewall
3. Browse to
C. I assume Nmap, Nessus and Metasploit are already installed and running. If not, you can find detailed instructions on the respective websites.
D. Launch an Nmap connect scan (-sT, with host discovery and reverse DNS disabled via -Pn -n) or a Nessus scan against 127.0.0.1, port 8080. Configure Nessus to limit the scan to port 8080 in the "Scan Options" tab. Keep in mind that the TCP handshake on 8080 completes with the local socat listener, so a bare connect scan reports 8080 open whatever the state of the target's port 80; what actually reaches the target are the payloads that Nmap's version probes (-sV) or Nessus send through the relay, and a closed target port shows up as socat dropping the connection right after accepting it.
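As an added example (not part of the original post, and a different technique from the socat + Nmap relay above): a small Python SOCKS4/SOCKS4a probe that talks to Tor's SOCKS port directly. It does by hand what socat does for each connection, but also reads the SOCKS reply, so every probed port gets a real open/closed verdict from Tor's exit instead of the always-open local listener that Nmap sees. It assumes Tor is listening on 127.0.0.1:9050 (the default); the addresses 203.0.113.10 and scan-target.example used below are documentation placeholders, not real hosts.

```python
"""SOCKS4/SOCKS4a CONNECT probe against Tor's SOCKS port (added example).

Assumptions, none of which come from the post: Tor's SOCKS listener is at
127.0.0.1:9050; 203.0.113.10 / scan-target.example are placeholder targets.
"""
import socket
import struct

SOCKS_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 0x5A   # request granted: the exit could connect to target:port
REPLY_REJECTED = 0x5B  # rejected or failed: closed, filtered, or refused by exit policy
# Tor answers 0x5B for every failure; plain SOCKS4 has no finer error codes.


def build_connect(target, port, user=b""):
    """Build a SOCKS4 CONNECT request.

    If `target` is a dotted-quad IPv4 literal the classic SOCKS4 form is used.
    Otherwise the SOCKS4a form is used: the address field is 0.0.0.1 and the
    hostname follows the user id, so Tor resolves the name at the exit and no
    DNS query leaves this machine (the leak the socat SOCKS4 relay can cause
    when handed a hostname).
    """
    try:
        addr = socket.inet_aton(target)
        hostname = b""
    except OSError:
        addr = b"\x00\x00\x00\x01"                    # 0.0.0.1: SOCKS4a marker
        hostname = target.encode("idna") + b"\x00"     # NUL-terminated name
    header = struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, port, addr)
    return header + user + b"\x00" + hostname


def parse_reply(data):
    """Parse the 8-byte SOCKS4 reply; return 'open', 'closed' or 'invalid'."""
    if len(data) < 8 or data[0] != 0:   # reply "version" byte is always 0
        return "invalid"
    code = data[1]
    if code == REPLY_GRANTED:
        return "open"
    if code == REPLY_REJECTED:
        return "closed"
    return "invalid"


def probe_port(target, port, socks_host="127.0.0.1", socks_port=9050, timeout=30.0):
    """Ask Tor to CONNECT to target:port and report the exit's verdict.

    Each call opens a fresh SOCKS connection; Tor may put it on a different
    circuit, so consecutive probes can arrive from different exit IPs. That is
    fine for anonymity but worth knowing when reading the target's logs.
    """
    with socket.create_connection((socks_host, socks_port), timeout=timeout) as s:
        s.sendall(build_connect(target, port))
        reply = b""
        while len(reply) < 8:                # the reply is exactly 8 bytes
            chunk = s.recv(8 - len(reply))
            if not chunk:
                break
            reply += chunk
    return parse_reply(reply)


def scan(target, ports, **kw):
    """Probe each port in turn and return {port: verdict}."""
    return {p: probe_port(target, p, **kw) for p in ports}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "scan-target.example"
    for p, verdict in scan(host, [22, 80, 443]).items():
        print(f"{host}:{p} {verdict}")
```

Two caveats when running this against a real Tor: a 0x5B reply also covers ports the chosen exit's policy refuses, so a "closed" verdict for an unusual port may just mean no exit would carry it; and if your torrc sets SafeSocks 1, Tor rejects the IP-literal SOCKS4 form outright (because it implies a local DNS lookup) and only the hostname/SOCKS4a form goes through.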

In the next part you'll see the Apache log on the scanned host, with some more details.
