How to use nmap through proxychains?

Question

I am running nmap through proxychains using this command:

proxychains nmap -v scanme.namp.org

This produced an error:

root@kali:~# proxychains nmap -v scanme.nmap.org
ProxyChains-3.1 (http://proxychains.sf.net)

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-05-07 17:23 IST
|DNS-request| scanme.nmap.org 
|D-chain|-<>-127.0.0.1:9050-<>-127.0.0.1:9050-<--denied
|D-chain|-<>-127.0.0.1:9050-<><>-4.2.2.2:53-<><>-OK
|DNS-response| scanme.nmap.org is 45.33.32.156
45.33.32.156/0 looks like an IPv6 target specification -- you have to use the -6 option.
Read data files from: /usr/bin/../share/nmap
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.94 seconds

Then I went to this question (here) and I tried this:

 to the solution was, that I disabled the DNS through socks:

in /etc/proxychains.conf file, just add a # before the line "proxy_dns"

But when I ran nmap through proxychains the nmap scan was running, but the proxychains proxy is not working which gave me the following verbose output:

root@kali:~# proxychains nmap -v scanme.nmap.org
ProxyChains-3.1 (http://proxychains.sf.net)

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-05-07 17:26 IST
Initiating Ping Scan at 17:26
Scanning scanme.nmap.org (45.33.32.156) [4 ports]
Completed Ping Scan at 17:26, 0.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:26
Completed Parallel DNS resolution of 1 host. at 17:26, 0.00s elapsed
Initiating SYN Stealth Scan at 17:26
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Discovered open port 22/tcp on 45.33.32.156
Discovered open port 80/tcp on 45.33.32.156
Increasing send delay for 45.33.32.156 from 0 to 5 due to 11 out of 31 dropped probes since last increase.
Increasing send delay for 45.33.32.156 from 5 to 10 due to 59 out of 196 dropped probes since last increase.
Increasing send delay for 45.33.32.156 from 10 to 20 due to max_successful_tryno increase to 4
Increasing send delay for 45.33.32.156 from 20 to 40 due to max_successful_tryno increase to 5
Increasing send delay for 45.33.32.156 from 40 to 80 due to 28 out of 92 dropped probes since last increase.
Increasing send delay for 45.33.32.156 from 80 to 160 due to max_successful_tryno increase to 6
Increasing send delay for 45.33.32.156 from 160 to 320 due to max_successful_tryno increase to 7
SYN Stealth Scan Timing: About 24.82% done; ETC: 17:28 (0:01:34 remaining)
Increasing send delay for 45.33.32.156 from 320 to 640 due to 11 out of 21 dropped probes since last increase.
Increasing send delay for 45.33.32.156 from 640 to 1000 due to max_successful_tryno increase to 8
SYN Stealth Scan Timing: About 24.66% done; ETC: 17:30 (0:03:06 remaining)
Discovered open port 31337/tcp on 45.33.32.156
Discovered open port 9929/tcp on 45.33.32.156
Completed SYN Stealth Scan at 17:28, 97.38s elapsed (1000 total ports)
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.23s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 992 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
514/tcp   filtered shell
1434/tcp  filtered ms-sql-m
9929/tcp  open     nping-echo
31337/tcp open     Elite

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 97.65 seconds
           Raw packets sent: 1477 (64.936KB) | Rcvd: 1457 (58.288KB)

From this we can see that the nmap works fine, but my question is why did nmap start as soon as the command was executed without tunneling itself through the proxies?, but if I ran a command like this:

proxychains firefox www.google.com

I got the following verbose output which shows the tunneling of proxies.

root@kali:~# proxychains firefox www.duckduckgo.com
ProxyChains-3.1 (http://proxychains.sf.net)

(process:6159): GLib-CRITICAL **: g_slice_set_config: assertion 'sys_page_size == 0' failed
console.error: 
  [CustomizableUI]
  Custom widget with id loop-button does not return a valid node
console.error: 
  [CustomizableUI]
  Custom widget with id loop-button does not return a valid node
|D-chain|-<>-127.0.0.1:9050-<>-127.0.0.1:9050-<--denied
|D-chain|-<>-127.0.0.1:9050-<><>-46.51.216.186:80-<><>-OK
|D-chain|-<>-127.0.0.1:9050-<><>-46.51.216.186:443-<><>-OK
|D-chain|-<>-127.0.0.1:9050-<><>-52.19.3.28:443-<><>-OK
|D-chain|-<>-127.0.0.1:9050-<><>-117.18.237.29:80-<><>-OK
|D-chain|-<>-127.0.0.1:9050-<><>-74.125.130.91:443-<><>-OK
|D-chain|-<>-127.0.0.1:9050-<><>-216.58.199.174:80-<><>-OK
|D-chain|-<>-127.0.0.1:9050-<><>-74.125.130.102:443-<><>-OK
|D-chain|-<>-127.0.0.1:9050-<><>-46.51.216.186:443-<><>-OK
|D-chain|-<>-127.0.0.1:9050-<><>-46.51.216.186:443-<><>-OK
|D-chain|-<>-127.0.0.1:9050-<><>-46.51.216.186:443-<><>-OK
|D-chain|-<>-127.0.0.1:9050-<><>-46.51.216.186:443-<><>-OK
|D-chain|-<>-127.0.0.1:9050-<><>-46.51.216.186:443-<><>-OK
|D-chain|-<>-127.0.0.1:9050-<><>-54.251.178.52:443-<><>-OK

Be sure to use proxychains-ng, not the original proxychains, which has some known bugs especially with Nmap. — bonsaiviking, May 09 '16 at 13:21
Relevant blog: (Speeding up Proxychains with Nmap / Xargs) https://www.hackwhackandsmack.com/?p=1021 You definitely want to use -n (if applicable) -sT and -Pn Other tricks might include using --max-retries and such — Robert Cotterman, Oct 03 '19 at 17:57

score 15 · Accepted Answer · edited Mar 17 '17 at 13:21

The support for proxy with nmap is very limited. Especially you cannot do any kind of ICMP (ping) or UDP scans, no SYN stealth scan, no OS detection etc. This means that the default nmap commands you are using will not work with a proxy and depending on the implementation will either fail or will bypass the proxy. You have to limit yourself to only the kind of scanning which is supported through proxies, i.e. simple TCP connections.

For more details about this see Nmap through proxy.

score 12 · Answer 2 · edited Sep 11 '16 at 17:07

12

You have to use the -sT option -- the Connect() scan technique. Otherwise nmap will use the SYN method, canceling out proxychains. For you example, this would be

proxychains nmap -sT -v scanme.namp.org

And, by the way, proxychains-ng seems to cause more problems with nmap than the original version.

edited Sep 11 '16 at 17:07

Jens Erat

23,446
12
72
96

answered Sep 11 '16 at 16:43

gmelis

221
2
3

this does not work with `proxychains`; you will have to install `proxychains-ng` for this to work. – AK_ Dec 17 '17 at 12:34
Only way i got it to work, haven't used proxychains-ng – Robert Cotterman Oct 03 '19 at 17:56
`-sT` is the default no SYN scan `-sS` – noraj May 17 '22 at 17:55

Imtiaj Sreejon · Answer 3 · 2018-12-07T16:02:27.567

As suggested in this post Nmap through proxy :

ICMP ping can not be done to see if a host is alive, since ICMP is not TCP. So you might need to skip the host discovery step if your targets are only accessible through the proxy (-Pn). Since (the unsupported) SOCKS5 ICMP does not support ICMP either this will not change in the future.

You have to use the -Pn option to get nmap working with proxychains utility. So the command would be

proxychains nmap -sT -Pn -v www.example.com

Here, -sT is for scanning TCP ports. And also u can't use the -O flag as host discovery can not be done using TCP.

But the most easy way and workaround is to edit the /etc/proxychains.conf file.

We just have to comment out the proxy_dns line ans everything will work perfectly.

How to use nmap through proxychains?

3 Answers3

Linked

Related