12

Using the following command:

nmap --proxy socks4://*.*.*.*:25074 -sV -O --reason scanme.nmap.org

I'm not sure if nmap is really using the proxy specified.

I had the idea of scanning "localhost" or "127.0.0.1" while netcat was listening on a specific port predefined in the nmap arguments (other than the exact example above), but netcat doesn't reveal the source address of the scan; it just echoes the GET request (for port version detection, I suppose).

And no matter what I put as an invalid SOCKS server IP address along with nmap, it STILL does the scan

and doesn't give any error messages.

The only error message I'm getting happens if I change the socks type from socks4 to socks5, which is:

Invalid protocol in proxy specification string: socks5://*.*.*.*:25074
QUITTING!

I also tried tcpdump, but I didn't find the packet request,

so I'm not sure if it really uses the SOCKS proxy defined or not.

How to make sure nmap is actually using a proxy?

Are there other ways of making sure other than setting up a remote machine myself and scanning it? (I suppose it shouldn't be on the same LAN, which is hard to accomplish at the moment.)

The same issue happens when using proxychains or scanning through a VPN.

Using Nmap version 7.12 on Linux

SilverShadow
  • It's not working for me. Example: *`proxychains nmap -sV --script http-wordpress-enum xx.xx.xx.xx`* will direct-connect to xx.xx.xx.xx, not using proxychains. – admin Nov 19 '16 at 00:36
  • I give you a downvote, representing the people who don't like sentences without a closing point. – peterh Feb 10 '17 at 18:15
  • Possible duplicate of [How to use nmap through proxychains?](https://security.stackexchange.com/questions/122561/how-to-use-nmap-through-proxychains) – L29Ah Nov 18 '19 at 16:48

2 Answers

19

TL;DR: proxy support is limited right now but there are also theoretical limits of what you could do when using a proxy.

nmap can do only CONNECT and SOCKS4, and these protocols can do only TCP. Apart from that, using any kind of proxy means that nmap communicates with the IP stack of the proxy and not that of the target. This means:

  • ICMP ping cannot be done to see if a host is alive, since ICMP is not TCP. So you might need to skip the host discovery step if your targets are only accessible through the proxy (-Pn). Since (the unsupported) SOCKS5 does not support ICMP either, this will not change in the future.
  • Service discovery can be done for TCP-based services only. With SOCKS5 support this could be extended to UDP.
  • OS fingerprinting based on features of the IP stack is not possible, because nmap does not speak with the target's IP stack when using a proxy, but instead with the proxy's IP stack. This is a theoretical limit you have with any kind of proxy protocol.
Steffen Ullrich
  • Very important notes, thank you very much. So, back from theoretical to practical limits: should I use ( -sT ) specifically, along with -Pn and -n, with nmap (through future completed built-in proxy support or the currently available proxychains) to force every packet nmap sends out to the target to go through TCP only, including service discovery detection? What about SYN and FIN scans, the -sS and -sF arguments? And does using OpenVPN with predefined TCP or UDP configuration files (with .ovpn extension) (with -sT or without) direct all nmap traffic through, or does it leak the source IP? Appreciated – SilverShadow Apr 27 '16 at 14:43
  • @SilverShadow: only normal TCP connections will be possible with the proxy, no SYN and FIN scan. I don't know if `-sT` is required or just the default if you don't set the others. It makes also sense to use `-n` since DNS lookup is not possible through the proxy. I don't understand the part with the OpenVPN files - nmap will not automatically do OpenVPN connections if it finds configuration files for it. But it will use any VPN which is active on the host because this is just transparent to nmap. – Steffen Ullrich Apr 27 '16 at 14:53
9

For now, use an external tool like proxychains.

The nmap documentation for --proxies states that the feature is not fully implemented yet:

Warning: this feature is still under development and has limitations. It is implemented within the nsock library and thus has no effect on the ping, port scanning and OS discovery phases of a scan. Only NSE and version scan benefit from this option so far—other features may disclose your true address. SSL connections are not yet supported, nor is proxy-side DNS resolution (hostnames are always resolved by Nmap).

You can follow this guide on how to use proxychains with nmap. After setting up a ProxyList, you will simply run the command from above like this:

proxychains nmap -sV -O --reason scanme.nmap.org

Still be careful about side-channel identity leaks (such as DNS leaks), though. Adding the -n flag to prevent DNS resolution by nmap might be a good practice.

Arminius
  • Note, nmap appears to fail to do a half-connect port scan in some situations through proxychains. I can't explain why, but I know that on my proxy I can do a half-connect scan, but through proxychains I cannot. Through proxychains only a full connect scan works to detect ports. – n00b Jul 13 '18 at 12:45
  • @n00b: It's because proxychains is intercepting the `connect` system call, which nmap only uses when it does a full TCP connection (`-sT` scanning type), which is only default on Linux when running as non-root. To be safe, specify `-sT` as part of your scan to make sure proxychains can intercept the TCP connection and send it through the proxy. – Jeff McJunkin Jul 01 '22 at 21:22
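
The question asks how to confirm that nmap (or proxychains) really sends traffic through the proxy, and the two answers explain that only full TCP connects (`-sT`) can go through a SOCKS4 proxy. The following is an added example, not code from the original post, from Nmap or from proxychains: a small SOCKS4/SOCKS4a observer written in Python that you run on your own machine and point `--proxies socks4://127.0.0.1:25074` (or a proxychains ProxyList entry) at. Every CONNECT request that actually reaches it is decoded and logged with the destination host and port, so you can compare that log with what tcpdump shows going directly to the target; any destination seen on the wire but absent from the log bypassed the proxy. The listener only observes and replies "rejected", it does not relay, so the scan itself reports ports as closed. The port number 25074 is taken from the question; the sample destination `192.0.2.10` and the `probe()` self-test client are constructed for this example.

```python
"""SOCKS4/SOCKS4a observer: logs every CONNECT request that reaches it.

Added example (not from the original post, Nmap or proxychains). Run it,
then e.g.: nmap --proxies socks4://127.0.0.1:25074 -sT -Pn -n -sV <target>
Each destination nmap really routes via the proxy is logged here.
"""
import socket
import struct
import threading

SOCKS4_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 0x5A   # 90 in the SOCKS4 spec
REPLY_REJECTED = 0x5B  # 91


class IncompleteRequest(ValueError):
    """More bytes are needed before the request can be decoded."""


def parse_socks4_request(data: bytes):
    """Decode a SOCKS4 or SOCKS4a request into (command, host, port, userid).

    Layout: VN(1) CD(1) DSTPORT(2) DSTIP(4) USERID NUL
            [HOSTNAME NUL when DSTIP is 0.0.0.x, i.e. SOCKS4a]
    """
    if data and data[0] != SOCKS4_VERSION:
        raise ValueError("not a SOCKS4 request (version byte %d)" % data[0])
    if len(data) < 9:
        raise IncompleteRequest()
    cmd, port = struct.unpack("!BH", data[1:4])
    ip_bytes = data[4:8]
    rest = data[8:]
    nul = rest.find(b"\x00")
    if nul < 0:
        raise IncompleteRequest()
    userid = rest[:nul].decode("latin-1")
    rest = rest[nul + 1:]
    if ip_bytes[:3] == b"\x00\x00\x00" and ip_bytes[3] != 0:  # SOCKS4a marker
        nul = rest.find(b"\x00")
        if nul < 0:
            raise IncompleteRequest()
        host = rest[:nul].decode("latin-1")
    else:
        host = socket.inet_ntoa(ip_bytes)
    return cmd, host, port, userid


def build_reply(granted: bool, port: int = 0, ip: str = "0.0.0.0") -> bytes:
    """SOCKS4 reply: VN=0, CD=90 (granted) or 91 (rejected), DSTPORT, DSTIP."""
    code = REPLY_GRANTED if granted else REPLY_REJECTED
    return struct.pack("!BBH", 0, code, port) + socket.inet_aton(ip)


def handle_client(conn, addr, log):
    """Read one request, record it in `log`, answer 'rejected' and close.

    The observer never relays; the log entry alone proves the proxy was used.
    """
    data = b""
    with conn:
        while len(data) < 1024:
            try:
                chunk = conn.recv(1024)
            except OSError:
                break
            if not chunk:
                break
            data += chunk
            try:
                cmd, host, port, userid = parse_socks4_request(data)
            except IncompleteRequest:
                continue
            except ValueError as err:
                log.append((addr[0], "invalid", str(err)))
                break
            log.append((addr[0], cmd, host, port, userid))
            print("[%s] SOCKS4 cmd=%d -> %s:%d userid=%r" % (addr[0], cmd, host, port, userid))
            try:
                conn.sendall(build_reply(False))
            except OSError:
                pass
            break


def start_listener(host="127.0.0.1", port=25074):
    """Bind the observer and serve in a daemon thread; returns (port, log list)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)
    log = []

    def loop():
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=handle_client, args=(conn, addr, log), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1], log


def probe(port, dest="192.0.2.10", dst_port=80, userid="nmap"):
    """Constructed SOCKS4 client for self-testing; returns the 8-byte reply."""
    try:
        body = socket.inet_aton(dest) + userid.encode() + b"\x00"
    except OSError:  # not a dotted quad: use the SOCKS4a form
        body = b"\x00\x00\x00\x01" + userid.encode() + b"\x00" + dest.encode() + b"\x00"
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(struct.pack("!BBH", SOCKS4_VERSION, CMD_CONNECT, dst_port) + body)
        return s.recv(8)


if __name__ == "__main__":
    port, log = start_listener()
    print("observer listening on 127.0.0.1:%d (Ctrl-C to stop)" % port)
    threading.Event().wait()
```

If the observer stays silent while tcpdump shows SYNs to the target, the scan type in use is not one the proxy path can carry (only `-sT`-style full connects go through SOCKS4, as both answers state); add `-sT -Pn -n` and re-run before concluding the proxy setting itself is broken.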