
I always hear on YouTube and other places on the internet that Tor is the best option to stay anonymous. Tor is used by many activists, journalists etc. hiding from oppressive governments and so on. Neither a VPN nor a proxy would guarantee the same level of anonymity as the Tor browser because of the possibility to keep logs etc. I am aware of the rough difference between a VPN and Tor.

Therefore my question is whether using only Tor to perform an nmap scan on a host wouldn't be the safest "untraceable" option out of the others available? Why would anyone bother to use proxychains if Tor already provides a very high layer of anonymity and privacy? Wouldn't that scan be considered almost "untraceable"? More untraceable than a scan done through proxychains?

3 Answers


Assuming you need to scan a network (or a host) and that host is extremely selective about the IP address range from which requests originate, it would be "more efficient" to use proxychains so that the originating IP would be accepted by the target network/host you wish to scan.


If you use Wireshark you will see it breaks out of proxychains (not Tor) & uses system settings for DNS etc. Tor only affects its DNS that way. You might have better luck with an elite SOCKS proxychain. I do not mean the nmap flag for proxies... Run nmap through proxychains vs. the flag option in nmap.

SSH would be ok too... Tor has exit nodes that can be intercepted by MitM where the data is no longer encrypted. SSH creates a full tunnel vs partial (your case).

You could SSH through Tor but it will come at the expense of speed. In theory it is an encrypted full tunnel through an encrypted partial tunnel. It will possibly slow things a lot.

Not sure if someone can double tunnel an nmap scan like that. It's purely theoretical.

Gh0st
  • Also, Tor only supports TCP as far as I know. – Sir Muffington Jun 12 '22 at 17:24
  • "*Tor only affects it's DNS that way. You might have better luck with an elite socks proxychain.*" This makes no sense. I think you might be as confused as the person who asked this question. I posted [an answer here](https://security.stackexchange.com/a/262684/10863) to clarify some things, hope this helps! – Luc Jun 12 '22 at 22:24
  • That was a typo... it breaks out of proxychains. Thank you for commenting. – Gh0st Jun 19 '22 at 10:50
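To make the local-vs-proxy DNS point concrete, here is an added Python example (not code from this answer, nor from the Tor or proxychains projects) that builds SOCKS5 CONNECT requests as specified in RFC 1928. When the request carries a domain name (ATYP 0x03), the proxy, for example Tor's SOCKS port, performs the lookup; when the client passes an already-resolved IP address, the DNS query was made by the client outside the proxy. The sample hostnames and addresses are constructed, and nothing is sent over the network.

```python
# Added example: SOCKS5 CONNECT request construction and inspection (RFC 1928).
# Shows the difference between asking the proxy to resolve a name and handing
# it an IP the client already resolved (the latter means a local DNS lookup).
import ipaddress
import struct


def socks5_connect_request(host: str, port: int) -> bytes:
    """Build a SOCKS5 CONNECT request for host:port.

    A literal IPv4/IPv6 address is encoded with ATYP 0x01/0x04 (client already
    resolved it); anything else is encoded as a domain name with ATYP 0x03 so
    the proxy does the resolution."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")  # hostname, not an IP literal
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5 (1-byte length)")
        # VER=5, CMD=1 (CONNECT), RSV=0, ATYP=3, LEN, name, port (big-endian)
        return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)
    atyp = b"\x01" if ip.version == 4 else b"\x04"
    # VER=5, CMD=1, RSV=0, ATYP=1|4, packed address, port (big-endian)
    return b"\x05\x01\x00" + atyp + ip.packed + struct.pack("!H", port)


def who_resolves(request: bytes) -> str:
    """Classify a SOCKS5 CONNECT request by who performs name resolution:
    'proxy' for a domain-name request, 'client' for an IP-literal request."""
    if len(request) < 4 or request[0] != 0x05 or request[1] != 0x01:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = request[3]
    if atyp == 0x03:
        return "proxy"
    if atyp in (0x01, 0x04):
        return "client"
    raise ValueError(f"unknown SOCKS5 address type {atyp:#x}")


if __name__ == "__main__":
    # Constructed sample targets; 192.0.2.10 is from the documentation range.
    for target in ("example.com", "192.0.2.10"):
        req = socks5_connect_request(target, 443)
        print(target, req.hex(), "resolved by:", who_resolves(req))
```

A client that calls the system resolver first and then sends the IP literal produces the 'client' case, which is the behaviour the DNS discussion above is about.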

I think you misunderstand the words.

Proxychains is software. Like using one calculator app instead of another.

Tor, the way that you use it, refers mainly to the network. Your Tor client software connects to the Tor network, consisting of many servers, where your traffic is routed encrypted and randomly for anonymisation (I am simplifying of course, this is only an overview of what it is, not how it works in detail).

Proxy is a generic term for anything that forwards traffic. Tor can be a proxy, there exist web proxies, socat is a proxy, a VPN proxies your traffic, you can have tools that proxy traffic for your inspection like mitmproxy... the term is very broad. These may even be misconfigured servers that act as open http/web proxies (people scan the internet for these constantly and abuse them as soon as they come online).

VPN... okay bear with me here:

  • What the word VPN means is literally what it stands for: Virtual Private Network. For example, take a random office network: this is private because it's just internal and you can't send packets there from the outside (it uses private IP ranges). To have this without physically connecting, you could create a virtual network, and that's what a VPN is. It's just some software that pretends you're all on an internal network, even if you're not physically connected to it. Of course, it's not limited to office use: you can have a VPN with some friends to play a game that doesn't work on the internet (Hamachi was very popular for this, not sure if anyone still uses it).
  • The word VPN is abused by commercial services to mean this: "some magic that changes your IP address". You're not connected to a private network at all. Well, technically this is how it works under the hood, but it's not for the purpose of talking to various nodes on an internal network, you just want your traffic to be forwarded so it appears to originate from somewhere else. The use of virtual networking software is kind of overkill, but was the easiest to adapt for the purpose.

SSH is software for creating an encrypted connection to some server. Often used for entering commands on a shell, it is versatile enough to also allow doing things like proxying traffic through that server. But you still need to configure this SSH client as proxy in the software whose traffic needs to be proxied (like nmap).


In summary, where I think you are confused:

  • a VPN, like Tor, commonly refers to a server that makes traffic appear to originate from another IP address than the one you got from your ISP
  • proxychains is software that makes other software (e.g. nmap or firefox) use a proxy (e.g. Tor or ProtonVPN), even if this software doesn't support using a proxy. In Firefox, you can just open the preferences and configure the proxy, so proxychains here is not necessary. Nmap also has a --proxies argument. But there are some programs that do not have such options or commands, and that's where you use proxychains.

Now that you know this, I think the answers to your questions can be short:

[would] using only Tor [for an nmap scan] be the safest „untraceable“ option[?]

That depends on what you're afraid of. This answer to "Differences between using Tor browser and VPN" provides a great overview (see also the other answers on that page).

Why would anyone bother to use proxychains if Tor already provides a very high layer of anonymity and privacy?

(I'll assume that "proxychains" here means using some proxy service like ProtonVPN.)

Tor is slower because it goes through multiple layers to provide better anonymity. If your traffic needs to go from you to Cambodia to Germany to Argentina before being sent out to the target system, that is slower than if you configure just one proxy in a nearby city. It's a trade-off depending on what is important to you.


Attacking systems via Tor leads to administrators blocking Tor network nodes. That means that these "many activists, journalists etc. hiding from oppressive governments and so on" (as you say) cannot use it anymore to browse the internet normally, because they will be blocked in many places. It harms everyone's ability to be anonymous online. For legitimate scanning, you should not need to use Tor.

Luc