Nmap is one of the most popular network scanning and discovery tools used by network administrators, cybersecurity professionals, and ethical hackers. It allows collecting detailed information about network hosts such as open ports, services, operating systems, etc.
However, using Nmap directly from your IP address can expose your identity and location. That‘s where proxychains come in. Proxychains is a tool that forces traffic destined for a target network through multiple proxies, providing anonymity and hiding your real IP address.
In this comprehensive guide, you‘ll learn:
- What is Proxychains and how it works
- Installing and configuring Proxychains
- Proxychains modes and options
- Limitations of Nmap with Proxychains
- Step-by-step tutorials on using Nmap with Proxychains
What is Proxychains and How Does It Work?
Proxychains is a Linux tool that routes traffic through multiple proxy servers to anonymize connections. This prevents the destination network from knowing your real IP address or location.
Here‘s a quick overview of how Proxychains work:
-
Proxychains intercepts traffic from applications on your system destined for other networks.
-
It routes the connections through a chain of proxies instead of sending it directly.
-
At each proxy "hop", the source IP gets replaced so the destination only sees the last proxy‘s IP.
-
Responses take the same proxy path back to your system so it seems you‘re located at the proxy exit node.
This proxy chaining provides better anonymity than connecting through a single proxy. If one proxy fails, Proxychains automatically skips to the next one.
The proxies can use various protocols like SOCKS4, SOCKS5 or HTTP to transport traffic.
Installing and Configuring Proxychains
Proxychains is available for most Linux distributions either through the default repositories or third-party PPAs.
On Debian/Ubuntu
sudo apt install proxychains
On CentOS/RHEL
sudo yum install proxychains
On Arch Linux
sudo pacman -S proxychains-ng
Once installed, edit the Proxychains configuration file:
sudo nano /etc/proxychains.conf
This is where you control Proxychains behavior and define the proxies to use.
Proxychains Modes
There are three proxy chaining modes:
Dynamic: Proxychains will skip unavailable proxies and use only working ones. At least one proxy must be online.
Strict: All proxies in the chain must be available, otherwise proxychains won‘t work. Useful for stability.
Random: Proxychains will pick proxies randomly out of the defined list.
Enable the mode you prefer by uncommenting the appropriate line:
# Dynamic Mode
dynamic_chain
# Strict Mode
# strict_chain
# Random Mode
# random_chain
Note: Using dynamic chaining is recommended
Adding Proxies
Further down the configuration file, you can specify proxies to use in the chain – one proxy per line.
The format is:
<proxy_type> <proxy_IP> <proxy_port> <username> <password>
For example:
socks5 23.212.45.6 8080
socks4 15.211.153.193 7070
You can find publicly available proxies to use from sites like free-proxy-list.net and socks-proxy.net.
Tip: Use proxies from different providers, countries and IP ranges for better anonymity.
Other Options
Proxychains has a few other useful options:
proxy_dns
– Resolves domain names through the proxy chain instead of your default DNS. Prevents DNS data leaks.tcp_read_time_out
– Increase if you get broken pipe errors.tcp_connect_time_out
– Defines timeout period for establishing TCP connections.
Once you‘ve setup your proxies and options, save the config file and you‘re ready to use Proxychains!
Limitations of Using Nmap with Proxychains
Before diving into examples, it‘s vital to understand some limitations when using Nmap via Proxychains:
-
ICMP, UDP and DNS scans typically don‘t work because many proxies block them. TCP scans are recommended.
-
Banner grabbing, OS detection and Script scanning features may not work properly beyond the proxy.
-
Scan speed is reduced due to latency introduced by proxy hops.
-
If using an IP blacklist, remember it will record the exit proxy‘s IP instead of your real IP.
So it‘s best to stick to basic TCP port scans and connect scans. For other scan types, connect directly or use a VPN instead.
Now let‘s look at how to run some Nmap scans anonymously using proxychains…
Step-by-Step Guide to Using Nmap with Proxychains
These examples assume you already have Nmap installed on your system. If not, run:
sudo apt install nmap
To verify Proxychains is working correctly, let‘s run an anonymous traceroute:
proxychains traceroute google.com
This should route through the proxies, preventing Google from seeing your real IP!
Finding Hidden Servers
Let‘s find some open FTP servers anonymously.
proxychains nmap -p21 --open -Pn -n -sS 163.172.103.0/24
This scans port 21 across the given subnet, without pinging hosts first. We disable reverse DNS resolution for faster scans.
It utilizes a Stealth SYN scan which is more discreet than full TCP connections.
Options breakdown:
-p21
– Scan only port 21--open
– Show only hosts with open ports-Pn
– Treat all hosts as online-n
– Disable DNS resolution-sS
– SYN scan (stealth)
Banner Grabbing
Normally Nmap can pull interesting banners from open ports giving hints about applications and versions.
Let‘s see what banners are behind an Apache web server anonymously:
proxychains nmap -sT -Pn -p 80 --script=banner 10.10.10.119
Unfortunately, this example doesn‘t return any useful banners in this case. Responses don‘t make it back fully through multiple proxies. Direct scans would work better for banner grabbing.
Note: Your mileage may vary depending on the proxy chain used!
Scanning from Randomized IPs
If the target network uses IP blocking, proxychains can help scan from different IPs each run using Random Mode.
Let‘s modify the above scan:
# In /etc/proxychains.conf
random_chain
proxychains nmap -sT 10.10.10.119
Now each Nmap scan will randomize which proxy IP is used as your exit node!
Finding Specific Services by Version
Can we spot old Samba file sharing services anonymously?
proxychains nmap -p445 -sV --script smb-check-vulns 172.20.10.0/24
This performs a vulnerability scan across SMB services looking for weak configurations prone to eternalblue and other MS17-010 vulnerabilities.
Unfortunately version detection and vulnerability scanning capabilities are limited over proxychains due to the multi-hop nature losing protocol state.
For critical scans, it may be better to use a VPN instead.
Discovering Office 365 Services
What Microsoft cloud services is a company utilizing?
proxychains nmap -p443 --script o365-enum-users -Pn 40.107.196.55
This uses a special Nmap script that interacts with Office 365 login portals to uncover details like domains, users and enabled features.
However scripts relying on banner interactions generally won‘t work across proxy chains. So we don‘t actually get useful details back in this case.
Again, it‘s best to use Proxychains just for preliminary scanning. Then switch to a VPN or direct scans for deeper inspection when required.
Conclusion
Proxychains is a useful tool for anonymizing connections when scanning with Nmap and other security tools. Chaining multiple proxies prevents target networks from knowing your real location or identity. It also helps bypass IP restrictions and blacklists in some cases.
However, Nokia has many advanced capabilities relying on TCP state and protocol banners that break over proxy hops. So it‘s best used for basic TCP scans only. For others, consider connecting via a VPN service instead to fully leverage Nmap functionality anonymously!
I hope you found this complete guide useful for covertly scanning with Nmap using proxychains! Let me know if you have any other questions.