Nmap Development mailing list archives

Instructions: How to scan tor hidden services


From: Andrew Jason Farabee <afarabee () uci edu>
Date: Fri, 19 Jun 2015 22:15:31 -0700

Hi everyone,

I've had a lot of fun testing the basic socks4a functionality that
I've been working on to scan hidden services, and I thought I'd open
it up to anyone else who could use this basic functionality now.

Testing scripts has been pretty successful so far.  Some of the most
interesting outputs have come from http-enum, dns-brute,
http-useragent-tester, http-headers, http-csrf, and ssl-enum-ciphers.

Currently -sV is not working and -sC may not be working
("script=default" works, but many of the scripts don't work with
socks4a).  In general, any script that requires building unusual
packets will not work.  Please note that script scanning using
connectscan.nse is not optimized.

Feel free to message me with any feedback or to point out any
interesting results. Please report vulnerabilities to the hidden
service's admins.

Happy hacking!

== INSTRUCTIONS ===================================

[1] Create a local copy of the branch by running "svn export
https://svn.nmap.org/nmap-exp/pasca1/nmap-nseportscan-socks4a";

[2] Move to the new directory and run "./configure" and then "make"

[3] When targeting tor hidden services, you will have to add an entry
to /etc/hosts to bypass host discovery/DNS resolution. It should look
like this:

127.0.0.1    localhost
127.0.1.1    {hostname}
127.0.0.1    {.onion address to scan}

Make sure that there is no http:// in front of the .onion address and
that the whitespace between the IP and the URI is a tab.

[4] Start tor on your local machine
(https://www.torproject.org/download/download-unix.html.en)

[5] As root, run nmap.
    *  Script scanning requires the use of "-sK" and "--script connectscan".
    *  Redirect the connections to tor by including "--proxy
socks4a://127.0.0.1:9050" (which should be the tor default port).
    *  The latency on tor is high, so you may want to limit the ports
scanned with "-p 80,443" or at least "-F".
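The checks from steps [3] and [5] as a small POSIX sh helper. This is an added example, not code from the post or from the nmap-nseportscan-socks4a branch; the function names, messages and the sample hostname are constructed for illustration.

```shell
#!/bin/sh
# Added helper (not part of the branch or the original post): validates the
# /etc/hosts line from step [3] and assembles the nmap command from step [5].
tab=$(printf '\t')

# Prints "ok" when LINE is a usable /etc/hosts entry for a hidden service:
# 127.0.0.1, a single tab, then a bare .onion name (no scheme, no path).
# Otherwise prints the reason and returns 1.
validate_onion_hosts_line() {
    line=$1
    ip=${line%%"$tab"*}      # text before the first tab
    name=${line#*"$tab"}     # text after the first tab
    if [ "$ip" = "$line" ]; then
        echo "no tab between IP and hostname"; return 1
    fi
    case "$name" in
        *"$tab"*|*' '*)    echo "extra whitespace in hostname field"; return 1 ;;
        http://*|https://*) echo "scheme prefix must be removed"; return 1 ;;
        */*)               echo "path component must be removed"; return 1 ;;
        *.onion)           ;;
        *)                 echo "hostname is not a .onion address"; return 1 ;;
    esac
    [ "$ip" = "127.0.0.1" ] || { echo "IP should be 127.0.0.1"; return 1; }
    echo ok
}

# Prints the nmap invocation from step [5]: -sK with connectscan so script
# scanning goes through the proxy, SOCKS4a so the .onion name is resolved
# inside tor, and a port list kept small because of tor latency.
# Arguments: onion name, optional port list (default 80,443),
# optional script list (default connectscan).
build_nmap_cmd() {
    onion=$1
    ports=${2:-80,443}
    scripts=${3:-connectscan}
    printf './nmap -sK --script %s --proxy socks4a://127.0.0.1:9050 -p %s %s\n' \
        "$scripts" "$ports" "$onion"
}

# Example run with a constructed entry (the Facebook onion from the sample):
validate_onion_hosts_line "127.0.0.1${tab}facebookcorewwwi.onion"
build_nmap_cmd facebookcorewwwi.onion
```

Run the validator against each hidden-service line of /etc/hosts before scanning; a space instead of a tab or a leftover http:// is the usual reason the name never maps to 127.0.0.1.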

== SAMPLE ==========================================

# ./nmap -sK --script connectscan,discovery --proxy socks4a://127.0.0.1:9050 facebookcorewwwi.onion -F

Starting Nmap 6.46 ( http://nmap.org ) at 2015-06-19 16:55 PDT
Pre-scan script results:
| broadcast-eigrp-discovery:
|_ ERROR: Couldn't get an A.S value.
| http-icloud-findmyiphone:
|_  ERROR: No username or password was supplied
| http-icloud-sendmsg:
|_  ERROR: No username or password was supplied
| targets-asn:
|_  targets-asn.asn is a mandatory parameter
sendto in send_ip_packet_sd: sendto(28, packet, 65536, 0, 127.0.0.1,
16) => Message too long
Offending packet: TCP 127.0.0.1:19062 > 127.0.0.1:80 S ttl=128 id=0
iplen=0  seq=302095196 win=3072 <mss 1460>
Nmap scan report for facebookcorewwwi.onion (127.0.0.1)
Host is up.
rDNS record for 127.0.0.1: localhost
Not shown: 98 closed ports
PORT    STATE SERVICE
80/tcp  open  http
|_http-chrono: Request times for /; avg: 1362.49ms; min: 1244.80ms;
max: 1440.99ms
|_http-comments-displayer: Couldn't find any comments.
|_http-date: Sat, 20 Jun 2015 00:06:41 GMT; +10m02s from local time.
|_http-devframework: Couldn't determine the underlying framework or
CMS. Try increasing 'httpspider.maxpagecount' value to spider more
pages.
|_http-drupal-modules:
| http-enum:
|   /crossdomain.xml: Adobe Flash crossdomain policy
|_  /images/printer.gif: Lexmark Printer
|_http-errors: Couldn't find any error pages.
|_http-feed: Couldn't find any feeds.
|_http-google-malware: [ERROR] No API key found. Update the variable
APIKEY in http-google-malware or set it in the argument
http-google-malware.api
| http-grep:
|_  ERROR: Argument http-grep.match was not set
| http-headers:
|   Location: https://facebookcorewwwi.onion/
|   Vary: Accept-Encoding
|   Content-Type: text/html
|   X-FB-Debug:
Dj3E5YMdrK7EvMNUFKE3S+xpbi9WmhALiunkWtz5BPapB01vkp+sgHWxWxQQJG3oP8PcZSxGbUubTSog8Aep3w==
|   Date: Sat, 20 Jun 2015 00:06:41 GMT
|   Connection: close
|   Content-Length: 0
|
|_  (Request type: GET)
|_http-mobileversion-checker: No mobile version detected.
|_http-referer-checker: Couldn't find any cross-domain scripts.
| http-sitemap-generator:
|   Directory structure:
|   Longest directory structure:
|     Depth: 0
|     Dir: /
|   Total files found (by extension):
|_
|_http-title: Did not follow redirect to https://facebookcorewwwi.onion/
| http-useragent-tester:
|
|     Allowed User Agents:
|     libwww
|     lwp-trivial
|     libcurl-agent/1.0
|     PHP/
|     Python-urllib/2.5
|     GT::WWW
|     Snoopy
|     MFC_Tear_Sample
|     HTTP::Lite
|     PHPCrawl
|     URI::Fetch
|     Zend_Http_Client
|     http client
|     PECL::HTTP
|     Wget/1.13.4 (linux-gnu)
|     WWW-Mechanize/1.34
|_
| http-vhosts:
| 126 names had status 301
|_mobile.onion : 302 ->
http://mobile.facebook.com/?locale2=en_US&refsrc=http%3A%2F%2Fmobile.onion%2F&_rdr
|_http-wordpress-plugins: nothing found amongst the 100 most popular
plugins, use --script-args http-wordpress-plugins.search=<number|all>
for deeper analysis)
|_http-xssed: No previously reported XSS vuln.
443/tcp open  https
|_http-chrono: Request times for /; avg: 2780.11ms; min: 2251.55ms;
max: 3003.73ms
| http-cisco-anyconnect:
|_  ERROR: Not a Cisco ASA or unsupported version
|_http-comments-displayer: Couldn't find any comments.
|_http-default-accounts: [ERROR] HTTP request table is empty. This
should not happen since we at least made one request.
|_http-devframework: Couldn't determine the underlying framework or
CMS. Try increasing 'httpspider.maxpagecount' value to spider more
pages.
|_http-errors: ERROR: Script execution failed (use -d to debug)
|_http-feed: Couldn't find any feeds.
|_http-google-malware: [ERROR] No API key found. Update the variable
APIKEY in http-google-malware or set it in the argument
http-google-malware.api
| http-grep:
|_  ERROR: Argument http-grep.match was not set
| http-headers:
|_  (Request type: GET)
|_http-mobileversion-checker: No mobile version detected.
|_http-referer-checker: Couldn't find any cross-domain scripts.
| http-sitemap-generator:
|   Directory structure:
|   Longest directory structure:
|     Depth: 0
|     Dir: /
|   Total files found (by extension):
|_
| http-useragent-tester:
|
|     Allowed User Agents:
|     libwww
|     lwp-trivial
|     libcurl-agent/1.0
|     PHP/
|     Python-urllib/2.5
|     GT::WWW
|     Snoopy
|     MFC_Tear_Sample
|     HTTP::Lite
|     PHPCrawl
|     URI::Fetch
|     Zend_Http_Client
|     http client
|     PECL::HTTP
|     Wget/1.13.4 (linux-gnu)
|     WWW-Mechanize/1.34
|_
| http-vhosts:
|_127 names had status ERROR
|_http-waf-detect: [ERROR] Initial HTTP request failed
|_http-xssed: No previously reported XSS vuln.
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: 1990-07-13T14:52:47+00:00; -24y341d9h03m53s from local time.
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong
|_ssl-google-cert-catalog: ERROR: Script execution failed (use -d to debug)
|_ssl-known-key: ERROR: Script execution failed (use -d to debug)
| tls-nextprotoneg:
|   spdy/3.1
|   spdy/3
|_  http/1.1

Host script results:
| dns-brute:
|   DNS Brute-force hostnames:
|     mx0.facebookcorewwwi.onion - 92.242.140.2
|     mx1.facebookcorewwwi.onion - 92.242.140.2
|     mysql.facebookcorewwwi.onion - 92.242.140.2
|     noc.facebookcorewwwi.onion - 92.242.140.2
|     ns.facebookcorewwwi.onion - 92.242.140.2
|     devel.facebookcorewwwi.onion - 92.242.140.2
|     ns0.facebookcorewwwi.onion - 92.242.140.2
|     development.facebookcorewwwi.onion - 92.242.140.2
|     ns1.facebookcorewwwi.onion - 92.242.140.2
|     devsql.facebookcorewwwi.onion - 92.242.140.2
|     ns2.facebookcorewwwi.onion - 92.242.140.2
|     devtest.facebookcorewwwi.onion - 92.242.140.2
|     ns3.facebookcorewwwi.onion - 92.242.140.2
|     dhcp.facebookcorewwwi.onion - 92.242.140.2
|     direct.facebookcorewwwi.onion - 92.242.140.2
|     ops.facebookcorewwwi.onion - 92.242.140.2
|     dmz.facebookcorewwwi.onion - 92.242.140.2
|     oracle.facebookcorewwwi.onion - 92.242.140.2
|     dns.facebookcorewwwi.onion - 92.242.140.2
|     owa.facebookcorewwwi.onion - 92.242.140.2
|     dns0.facebookcorewwwi.onion - 92.242.140.2
|     pbx.facebookcorewwwi.onion - 92.242.140.2
|     dns1.facebookcorewwwi.onion - 92.242.140.2
|     s3.facebookcorewwwi.onion - 92.242.140.2
|     dns2.facebookcorewwwi.onion - 92.242.140.2
|     secure.facebookcorewwwi.onion - 92.242.140.2
|     download.facebookcorewwwi.onion - 92.242.140.2
|     server.facebookcorewwwi.onion - 92.242.140.2
|     en.facebookcorewwwi.onion - 92.242.140.2
|     shop.facebookcorewwwi.onion - 92.242.140.2
|     erp.facebookcorewwwi.onion - 92.242.140.2
|     eshop.facebookcorewwwi.onion - 92.242.140.2
|     exchange.facebookcorewwwi.onion - 92.242.140.2
|     sql.facebookcorewwwi.onion - 92.242.140.2
|     f5.facebookcorewwwi.onion - 92.242.140.2
|     squid.facebookcorewwwi.onion - 92.242.140.2
|     fileserver.facebookcorewwwi.onion - 92.242.140.2
|     ssh.facebookcorewwwi.onion - 92.242.140.2
|     firewall.facebookcorewwwi.onion - 92.242.140.2
|     ssl.facebookcorewwwi.onion - 92.242.140.2
|     forum.facebookcorewwwi.onion - 92.242.140.2
|     stage.facebookcorewwwi.onion - 92.242.140.2
|     ftp0.facebookcorewwwi.onion - 92.242.140.2
|     git.facebookcorewwwi.onion - 92.242.140.2
|     gw.facebookcorewwwi.onion - 92.242.140.2
|     help.facebookcorewwwi.onion - 92.242.140.2
|     helpdesk.facebookcorewwwi.onion - 92.242.140.2
|     home.facebookcorewwwi.onion - 92.242.140.2
|     host.facebookcorewwwi.onion - 92.242.140.2
|     http.facebookcorewwwi.onion - 92.242.140.2
|     id.facebookcorewwwi.onion - 92.242.140.2
|     images.facebookcorewwwi.onion - 92.242.140.2
|     info.facebookcorewwwi.onion - 92.242.140.2
|     internal.facebookcorewwwi.onion - 92.242.140.2
|     internet.facebookcorewwwi.onion - 92.242.140.2
|     intra.facebookcorewwwi.onion - 92.242.140.2
|     ipv6.facebookcorewwwi.onion - 92.242.140.2
|     lab.facebookcorewwwi.onion - 92.242.140.2
|     ldap.facebookcorewwwi.onion - 92.242.140.2
|     linux.facebookcorewwwi.onion - 92.242.140.2
|     local.facebookcorewwwi.onion - 92.242.140.2
|     log.facebookcorewwwi.onion - 92.242.140.2
|     mail2.facebookcorewwwi.onion - 92.242.140.2
|     mail3.facebookcorewwwi.onion - 92.242.140.2
|     mailgate.facebookcorewwwi.onion - 92.242.140.2
|     main.facebookcorewwwi.onion - 92.242.140.2
|     manage.facebookcorewwwi.onion - 92.242.140.2
|     mgmt.facebookcorewwwi.onion - 92.242.140.2
|     mirror.facebookcorewwwi.onion - 92.242.140.2
|     mobile.facebookcorewwwi.onion - 92.242.140.2
|     monitor.facebookcorewwwi.onion - 92.242.140.2
|     mssql.facebookcorewwwi.onion - 92.242.140.2
|     mta.facebookcorewwwi.onion - 92.242.140.2
|     admin.facebookcorewwwi.onion - 92.242.140.2
|     administration.facebookcorewwwi.onion - 92.242.140.2
|     ads.facebookcorewwwi.onion - 92.242.140.2
|     adserver.facebookcorewwwi.onion - 92.242.140.2
|     alerts.facebookcorewwwi.onion - 92.242.140.2
|     alpha.facebookcorewwwi.onion - 92.242.140.2
|     ap.facebookcorewwwi.onion - 92.242.140.2
|     apache.facebookcorewwwi.onion - 92.242.140.2
|     app.facebookcorewwwi.onion - 92.242.140.2
|     apps.facebookcorewwwi.onion - 92.242.140.2
|     appserver.facebookcorewwwi.onion - 92.242.140.2
|     aptest.facebookcorewwwi.onion - 92.242.140.2
|     auth.facebookcorewwwi.onion - 92.242.140.2
|     backup.facebookcorewwwi.onion - 92.242.140.2
|     beta.facebookcorewwwi.onion - 92.242.140.2
|     blog.facebookcorewwwi.onion - 92.242.140.2
|     cdn.facebookcorewwwi.onion - 92.242.140.2
|     chat.facebookcorewwwi.onion - 92.242.140.2
|     citrix.facebookcorewwwi.onion - 92.242.140.2
|     cms.facebookcorewwwi.onion - 92.242.140.2
|     corp.facebookcorewwwi.onion - 92.242.140.2
|     crs.facebookcorewwwi.onion - 92.242.140.2
|     cvs.facebookcorewwwi.onion - 92.242.140.2
|     database.facebookcorewwwi.onion - 92.242.140.2
|     db.facebookcorewwwi.onion - 92.242.140.2
|     demo.facebookcorewwwi.onion - 92.242.140.2
|     dev.facebookcorewwwi.onion - 92.242.140.2
|     stats.facebookcorewwwi.onion - 92.242.140.2
|     svn.facebookcorewwwi.onion - 92.242.140.2
|     syslog.facebookcorewwwi.onion - 92.242.140.2
|     test.facebookcorewwwi.onion - 92.242.140.2
|     test1.facebookcorewwwi.onion - 92.242.140.2
|     test2.facebookcorewwwi.onion - 92.242.140.2
|     testing.facebookcorewwwi.onion - 92.242.140.2
|     upload.facebookcorewwwi.onion - 92.242.140.2
|     vm.facebookcorewwwi.onion - 92.242.140.2
|     vnc.facebookcorewwwi.onion - 92.242.140.2
|     vpn.facebookcorewwwi.onion - 92.242.140.2
|     web.facebookcorewwwi.onion - 92.242.140.2
|     web2test.facebookcorewwwi.onion - 92.242.140.2
|     whois.facebookcorewwwi.onion - 92.242.140.2
|     wiki.facebookcorewwwi.onion - 92.242.140.2
|     www.facebookcorewwwi.onion - 92.242.140.2
|     www2.facebookcorewwwi.onion - 92.242.140.2
|_    xml.facebookcorewwwi.onion - 92.242.140.2
|_ipidseq: Unknown
|_path-mtu: 65535 <= PMTU < 65536
| qscan:
| PORT  FAMILY  MEAN (us)  STDDEV  LOSS (%)
| 7     0       0.00       -0.00   100.0%
| 80    1       74.00      -nan    90.0%
|_443   2       61.00      -nan    90.0%
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/