
I get false positive ports that are marked open when using nmap with proxychains-ng (using a proxy list that contains socks5 proxies). I've tried a couple of techniques to debug this strange behavior (by following this tutorial, "False Positive TCP") but I could not find a proper explanation (note that I am a beginner at networking and security but I do understand the functionality of these tools).

  • Without proxychains-ng
nmap -sT -F -Pn --reason 172.253.118.101

PORT    STATE SERVICE REASON
80/tcp  open  http    syn-ack
443/tcp open  https   syn-ack

  • With proxychains-ng
proxychains4 -f proxychains.conf nmap -sT -F -Pn --reason 172.253.118.101

PORT     STATE SERVICE    REASON
80/tcp   open  http       no-response
587/tcp  open  submission no-response
8443/tcp open  https-alt  no-response

And this is the proxychains config file:

random_chain
proxy_dns

chain_len = 1

tcp_read_time_out 15000
tcp_connect_time_out 8000

I am using a CentOS 7 Linux server to run nmap and proxychains.

Update 04/07/21:

I discovered that running the command proxychains4 nmap -v --reason --packet-trace -p 8443 172.253.118.101 with sudo gives a correct output:

Initiating SYN Stealth Scan at 19:46
Scanning 172.253.118.101 [1 port]
SENT (1.4756s) TCP 192.168.2.70:50645 > 172.253.118.101:8443 S ttl=39 id=50704 iplen=44  seq=495063578 win=1024 <mss 1460>
SENT (1.5758s) TCP 192.168.2.70:50646 > 172.253.118.101:8443 S ttl=54 id=26670 iplen=44  seq=495129115 win=1024 <mss 1460>
Completed SYN Stealth Scan at 19:46, 0.22s elapsed (1 total ports)
Nmap scan report for 172.253.118.101
Host is up, received echo-reply (0.0031s latency).
PORT     STATE    SERVICE   REASON
8443/tcp filtered https-alt no-response

while the same command without sudo will output:

Initiating Connect Scan at 19:46
[proxychains] Random chain  ...  192.111.135.21:4145  ...  172.253.118.101:8443  ...  OK
Scanning 172.253.118.101 [1 port]
CONN (3.7825s) TCP localhost > 172.253.118.101:8443 => Connected
Discovered open port 8443/tcp on 172.253.118.101
Completed Connect Scan at 19:46, 0.83s elapsed (1 total ports)
Nmap scan report for 172.253.118.101
Host is up, received unknown-response (1.1s latency).
PORT     STATE SERVICE   REASON
8443/tcp open  https-alt no-response

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 3.78 seconds
Galilej25
  • When asking for help with a command, always run the commands with a higher verbosity level. The command might be trying to tell you what's going on. – schroeder Jun 30 '21 at 15:01
  • Can you actually connect to anything through the configured proxy? – multithr3at3d Jul 01 '21 at 00:49
  • Thank you all! @schroeder: I did run another help command, such as --traceroute, but I could not figure out anything wrong there. All routes have almost similar timings – Galilej25 Jul 01 '21 at 13:11
  • @multithr3at3d: Yes, I can see that the proxy is connecting to the server, and if not, it ignores it. I did not try to manually check a whole list – Galilej25 Jul 01 '21 at 13:12
  • but did you increase verbosity? – schroeder Jul 01 '21 at 13:50
  • And you do not know if nmap is scanning the target or the proxy. Please initiate network troubleshooting steps to confirm connectivity to the target. – schroeder Jul 01 '21 at 13:50
  • Thank you! I increased verbosity and played with additional verbosity settings, and discovered that executing the command with sudo gives a correct output, while without sudo I am getting a false positive. My post is updated – Galilej25 Jul 04 '21 at 11:23
  • So, this isn't looking like a security issue, but a networking and OS command permissions issue. – schroeder Jul 04 '21 at 11:43
  • Yes, it seems so. Thank you for your help! – Galilej25 Jul 04 '21 at 12:19

0 Answers
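A consistency check for the symptom shown in the question, added here as an example and not part of the original post: it parses `nmap --reason` port tables and flags TCP ports reported as open whose reason is not a positive reply, optionally comparing against a direct scan. The function names are hypothetical, and treating `syn-ack` as the only confirming reason for an open TCP port is an assumption based on the direct-scan output above.

```python
import re

# Port-table row as printed by `nmap --reason`: PORT STATE SERVICE REASON
ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def parse_ports(text):
    """Return {(port, proto): (state, reason)} from nmap normal output."""
    ports = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            port, proto, state, _service, reason = m.groups()
            ports[(int(port), proto)] = (state, reason)
    return ports

def suspect_open_ports(proxied, baseline=None):
    """List TCP ports reported open without a positive reply as the reason.

    Assumption: an open TCP port confirmed by the target carries reason
    'syn-ack'. If a baseline (direct) scan is given, its state for the same
    port is included; ports absent from its table are 'not shown'.
    """
    base = parse_ports(baseline) if baseline else {}
    findings = []
    for key, (state, reason) in sorted(parse_ports(proxied).items()):
        if key[1] == "tcp" and state == "open" and reason != "syn-ack":
            direct = base.get(key, ("not shown", "-"))[0] if baseline else None
            findings.append((key[0], reason, direct))
    return findings

# Port tables copied from the question above.
DIRECT = """\
PORT    STATE SERVICE REASON
80/tcp  open  http    syn-ack
443/tcp open  https   syn-ack
"""
PROXIED = """\
PORT     STATE SERVICE    REASON
80/tcp   open  http       no-response
587/tcp  open  submission no-response
8443/tcp open  https-alt  no-response
"""

if __name__ == "__main__":
    for port, reason, direct in suspect_open_ports(PROXIED, DIRECT):
        print(f"{port}/tcp open but reason={reason}; direct scan: {direct}")
```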