
Nmap through a proxychain

panman
2009-06-19
2015-01-30
  • panman

    panman - 2009-06-19

    I am trying to run Nmap through a proxychain, i.e.
    "proxychains nmap -sS -PN 10.1.1.1"; however, rather than going via the proxy server configured in the proxychains.conf file, it tries to connect directly.

    If I use another program such as telnet it works OK, i.e. "proxychains telnet 10.1.1.1 25" connects via the proxy server configured in the proxychains.conf file.

    I've confirmed with Wireshark etc. that the nmap app is not going via the proxy, and I don't get the usual |S-chain| string etc.; however, I do get a Proxy-chains-3.1 (http://proxychains.sf.com) string displayed, then it goes direct...

    Does anybody have any ideas on why Nmap won't work via proxychains, or what the fix is?

    • sm4x

      sm4x - 2009-07-24

      y0z - saw this post... you can't do that because libproxychains.so only preloads for a connect() call. The nmap option -sS uses raw sockets (SYN scan) and there is no real connect happening (hence the name: half-open scan).

      You really can't do this with proxy chaining unless your proxy can forward half-open connects (which would be a nice proxy to have). AND... even if proxychains supported the raw sendto/sendmsg socket calls... you would end up scanning the proxy unless your proxy could forward/receive the SYNs, holding state(s).

      Use -sT with nmap and it will work.

      /sm4x
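The mechanism sm4x describes, as an added example (not from the original thread, and not proxychains or nmap code): a toy connect() interposer that models what libproxychains.so does via LD_PRELOAD, exercised once by a full TCP connect (the -sT path) and once by a raw-socket send (the -sS path). It assumes Linux with glibc; the raw send needs CAP_NET_RAW and is skipped without it, which leaves the hook count unchanged either way.

```c
// Toy model of proxychains' libproxychains.so: an interposed connect() sees every
// TCP connect(); raw-socket sends (nmap -sS) never call connect(). Added example.
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

static int hooked_connects = 0;   /* connect() calls the hook has seen */

/* Shadows libc's connect() (proxychains does this via LD_PRELOAD). A real
 * proxifier would dial the proxy here; we only log and do the real syscall. */
int connect(int fd, const struct sockaddr *sa, socklen_t len) {
    if (sa->sa_family == AF_INET) {   /* only IPv4 is modelled here */
        printf("|S-chain| hook saw connect() to port %u\n",
               ntohs(((const struct sockaddr_in *)sa)->sin_port));
        hooked_connects++;
    }
    return (int)syscall(SYS_connect, fd, sa, len);   /* bypass our own hook */
}

/* -sT style: a full TCP connect() to a constructed loopback listener. Hooked. */
int demo_stream_connect(void) {
    int before = hooked_connects;
    struct sockaddr_in a = { .sin_family = AF_INET };  /* port 0 = ephemeral */
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    socklen_t alen = sizeof a;
    int srv = socket(AF_INET, SOCK_STREAM, 0), cli = socket(AF_INET, SOCK_STREAM, 0);
    bind(srv, (struct sockaddr *)&a, alen);
    listen(srv, 1);
    getsockname(srv, (struct sockaddr *)&a, &alen);    /* learn chosen port */
    connect(cli, (struct sockaddr *)&a, alen);
    close(cli); close(srv);
    return hooked_connects - before;                   /* 1 */
}

/* -sS style: sendto() on SOCK_RAW, no connect(). Needs CAP_NET_RAW; skipped if denied. */
int demo_raw_send(void) {
    int before = hooked_connects;
    struct sockaddr_in a = { .sin_family = AF_INET };
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    unsigned char dummy[20] = {0};   /* zeroed bytes, not a real TCP header */
    int raw = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
    if (raw >= 0) {
        sendto(raw, dummy, sizeof dummy, 0, (struct sockaddr *)&a, sizeof a);
        close(raw);
    }
    return hooked_connects - before;                   /* 0 */
}
```

The same blind spot applies to any LD_PRELOAD-based egress control: it only governs calls that go through the hooked libc entry points.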

  • Bernd

    Bernd - 2015-01-30

    Hi,

    I have to admit that I don't understand it completely. What I understand is that nmap creates a raw socket for a -sS port scan. Raw means that nmap itself has to take care of the whole packet, because the OS is not asked to create it. So nmap creates the header, the addresses, the checksum, ...
    When nmap starts a -sT port scan, these packets are created by the protocol stack of the OS. So it is a TCP (or UDP) socket. But the raw packet nmap creates for the -sS scan has to look identical to a "normal" TCP packet with the SYN bit. Or? Otherwise the port scan without proxychains would not work. The application which answers should see no difference between a TCP SYN packet from the protocol stack and a TCP SYN packet created by nmap. Or? So, when these packets are identical (which I assume), why can it be forwarded by a proxy in one case and not in the other? Or is it that proxychains sees that the packet from nmap -sS is a raw socket and the other (-sT) is a TCP socket, as can be found out with netstat?

    Thanks for any clarification.

    Bernd
