Topic: NOOB question re: NMAP and Traceroute output.


Offline jemima55

NOOB question re: NMAP and Traceroute output.
« on: October 31, 2014, 09:09:16 am »


Hi,

I was scanning a few targets the other night and was using the following NMAP commands:

-sS -sV -Pn -A -O -v target.info.here

I 'think' I have my stuff configured so that all connections are routed through Tor; I have the following files configured like this:

1) torrc - DNSPort 53 added to the end of this file

2) dhcp/dhclient.conf - I uncomment "prepend domain-name-servers 127.0.0.1;"

3) proxychains.conf - I uncomment "dynamic_chain" and at the bottom of the file I add these lines:

socks4  127.0.0.1 9050
socks5  127.0.0.1 9050
localnet 127.0.0.0/255.0.0.0

I then fire up Tor service and away I go.

I like it this way because I cannot connect to the web without first firing up Tor service.

With this set up (no VPN just Tor for the moment) my results on ipchicken.com, ipleak.net, ip-check.info and whoer.net are always as they should be ie: totally different ip and DNS servers.

At other times I will also use a VPN (Mullvad) alongside Tor. I use Mullvad's own client and uncheck "protect against DNS leaks" (I uncheck this because if left unchecked it hard-changes resolv.conf to Mullvad only, and I don't want that by virtue that I've already routed the DNS stuff through Tor, which appears to be fine according to the DNS websites listed above).

So with all of that in mind, the NMAP scan returned some traceroute details that I explored further, but being the noob that I am, have left me a bit confused/worried about them.

The NMAP scans made a Traceroute list of several IP addresses, about eight in total. The final one on the list was the target IP; the ones in the middle I'm not sure of, but the first one in the list was either Mullvad's (if I had the VPN running alongside Tor) or (if I wasn't using the VPN, just Tor) an IP from my ISP. This is what is bugging me, so my questions are:

- How, after routing through Tor, does the Traceroute output list those ISP addys?

- Can the target being scanned see this traceroute info, and if yes what part of it? ie: when using both Tor and a VPN, does the target see the Mullvad address or the Tor address? What about when just running through Tor? What about just the VPN? Can the target see my ISP ip?

Sorry for perhaps rambling, but I'm just trying to provide as many details as needed.

Thanks for any help.
« Last Edit: October 31, 2014, 09:15:23 am by jemima55 »

Offline Nortcele
Re: NOOB question re: NMAP and Traceroute output.
« Reply #1 on: October 31, 2014, 10:02:15 am »
I think this may be due to trying to route through Tor to the target destination and back, which is probably the weird things you are seeing... If you are using Tor the packets are sent through the 'Onion layers' which is probably what you mean with the weird results.

Offline jemima55
Re: NOOB question re: NMAP and Traceroute output.
« Reply #2 on: October 31, 2014, 09:08:21 pm »
Quote from: Nortcele on October 31, 2014, 10:02:15 am
I think this may be due to trying to route through Tor to the target destination and back, which is probably the weird things you are seeing... If you are using Tor the packets are sent through the 'Onion layers' which is probably what you mean with the weird results.

Hi, thanks for replying.

I'm still not sure why/how my own ISP appears on the list when using TOR though? It's definitely not a DNS leak and it only happens when going through Tor and not the VPN.

So is it the case that the remote target can see all of those IP addresses too? I ask that because I'm wondering if the NMAP Traceroute results were able to display my originating IP (whether the VPN or ISP) by virtue that the NMAP scan was being run locally on my machine?

EDIT-- HAH!!! Looks like I might have solved this one.

I was just digging through the proxychains conf file and noticed the lines that read:

# Proxy DNS requests - no leak for DNS data
proxy_dns

I've just uncommented that line and done another scan, this time with no ISP addy in the Traceroute results.

I assume proxychains was leaking the DNS when using NMAP through proxychains? Whereas at all other times (ie: using programs that didn't go through proxychains) my DNS was safe/hidden, as the results from the DNS leak test demonstrated?

That - I assume - is why (when I had the VPN alongside the Proxychained Tor) the DNS was wrapped by the VPN and thus didn't show up in the traceroute results?

Does that sound remotely correct?

Man my head hurts and I appreciate this forum being here to ask LOL
« Last Edit: October 31, 2014, 10:04:39 pm by jemima55 »

Offline proxx
Re: NOOB question re: NMAP and Traceroute output.
« Reply #3 on: October 31, 2014, 10:27:06 pm »
Simple: you cannot SYN scan over Tor, nothing more, nothing less.
Use the -sT flag for a connect scan (which is also slow as shit, as it relies on timeouts).
Also disable DNS and ICMP, you are probably leaking your own IP ;)
A traceroute (ICMP) does not work over Tor, it doesn't send ICMP traffic, RTFM
« Last Edit: October 31, 2014, 10:30:16 pm by proxx »

Offline jemima55
Re: NOOB question re: NMAP and Traceroute output.
« Reply #4 on: November 04, 2014, 01:11:50 am »
Quote from: proxx on October 31, 2014, 10:27:06 pm
Simple: you cannot SYN scan over Tor, nothing more, nothing less.
Use the -sT flag for a connect scan (which is also slow as shit, as it relies on timeouts).
Also disable DNS and ICMP, you are probably leaking your own IP ;)
A traceroute (ICMP) does not work over Tor, it doesn't send ICMP traffic, RTFM

Hi, you absolute star!!!

Many thanks; I've just tried the -sT switch with no IP leak at all.

Can you tell me though, why (when doing nothing different other than using the -sS switch rather than -sT) my IP shows up in the logs of the host target machine? How does issuing the -sS switch through Tor cause that leak? I assume those packets simply do not get sent via Tor nodes, thus causing the transparent IP on display?

re: possible DNS leak: My system is configured to use 127.0.0.1 as the DNS (uncommented "prepend domain-name-servers 127.0.0.1" in dhclient.conf), torrc is set to DNSPort 53, and in proxychains I've uncommented the "proxy_dns" line. As a result of this, all is fine on the IPLeak test websites, hence my further request for assistance to understand why the IP leak occurs when using the -sS switch but not the -sT one?

I found this article somewhat enlightening:

http://securitystreetknowledge.com/?p=283

Thanks again.
« Last Edit: November 04, 2014, 01:13:13 am by jemima55 »

Offline proxx
Re: NOOB question re: NMAP and Traceroute output.
« Reply #5 on: November 04, 2014, 07:54:03 am »

Quote from: jemima55 on November 04, 2014, 01:11:50 am
Can you tell me though, why (when doing nothing different other than using the -sS switch rather than -sT) my IP shows up in the logs of the host target machine? How does issuing the -sS switch through Tor cause that leak? I assume those packets simply do not get sent via Tor nodes, thus causing the transparent IP on display?

IIRC when you use the -sS flag (SYN scanning) it will just route directly and not over Tor. I cannot say why, but my bet would be that there is no way of returning an answer to the packet, therefore it is not routed.
The -sT flag is a connect scan where there is a 3-way handshake between client and server; if the port is closed it will return an RST packet.

However modern firewalls will rather drop the packet and simply not respond, thus a timeout will occur.
This timeout is what makes connect scanning slow.
You can fiddle with the timeout and lower it, however too low and you will not have any results.
It's also noisy as hell.

Disable DNS for speed and yeah, uh, it's just good practice.
Use the -PN/-P0 flags to skip ICMP, this will also route over the regular network.

NMAP can be daunting at first glimpse.
« Last Edit: November 04, 2014, 07:57:11 am by proxx »
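Why -sS leaks while -sT does not, as an added note and example that are not part of the thread: proxychains works by LD_PRELOADing a library that intercepts libc's connect() (and, with proxy_dns, the resolver calls) and tunnels those connections to the SOCKS port. A SYN scan, OS detection (-O, pulled in by -A), the ICMP/TCP host-discovery pings and nmap's traceroute are built from raw sockets and never call connect(), so they leave the physical interface with the real source address; that is also why the first traceroute hop was the ISP or VPN gateway. Only the connect scan (-sT) and the version probes (-sV) use ordinary TCP sockets, and nmap's own parallel reverse-DNS resolver talks UDP straight to the nameservers unless -n is given. The POSIX sh function below is a pre-flight check for an nmap argument list that is about to be run under proxychains; the classification of options is mine, not a feature of nmap or proxychains, and -sC is only flagged as a note because a few NSE scripts craft their own packets.

```shell
#!/bin/sh
# Added example, not code from the thread: refuse nmap options that bypass a
# SOCKS proxy such as proxychains+Tor because they use raw sockets.
# Usage:  check_tor_safe_nmap_args "$@" && proxychains nmap "$@"
# Prints one line per problem on stderr; returns 0 when the list is acceptable.

check_tor_safe_nmap_args() {
    problems=0
    saw_sT=0
    saw_Pn=0
    saw_n=0
    for arg in "$@"; do
        case "$arg" in
            --traceroute)
                echo "reject $arg: traceroute sends raw ICMP/TCP probes" >&2
                problems=$((problems+1)) ;;
            -A)
                echo "reject -A: implies -O and --traceroute (raw sockets)" >&2
                problems=$((problems+1)) ;;
            -O)
                echo "reject -O: OS detection sends raw probes" >&2
                problems=$((problems+1)) ;;
            -Pn|-PN|-P0)
                saw_Pn=1 ;;
            -n)
                saw_n=1 ;;
            -P?*)
                # -PE/-PS/-PA/... host discovery is raw ICMP/TCP/UDP/ARP
                echo "reject $arg: host-discovery probe bypasses the proxy" >&2
                problems=$((problems+1)) ;;
            -s?*)
                # nmap allows combined scan types such as -sSV, so walk the letters
                letters=${arg#-s}
                while [ -n "$letters" ]; do
                    c=${letters%"${letters#?}"}
                    letters=${letters#?}
                    case "$c" in
                        T) saw_sT=1 ;;                      # connect(): proxied
                        V) ;;                               # version probes: connect()
                        C) echo "note -sC: most NSE scripts use connect(), audit the rest" >&2 ;;
                        *) echo "reject -s$c: raw-socket scan type" >&2
                           problems=$((problems+1)) ;;
                    esac
                done ;;
        esac
    done
    [ "$saw_sT" -eq 1 ] || { echo "missing -sT: only the connect scan goes through SOCKS" >&2; problems=$((problems+1)); }
    [ "$saw_Pn" -eq 1 ] || { echo "missing -Pn: default host discovery pings with raw ICMP/TCP" >&2; problems=$((problems+1)); }
    [ "$saw_n" -eq 1 ] || { echo "missing -n: nmap's reverse-DNS resolver sends UDP straight to the nameservers" >&2; problems=$((problems+1)); }
    [ "$problems" -eq 0 ]
}
```

Run against the original post's line (-sS -sV -Pn -A -O -v) it rejects -sS, -A and -O and reports the missing -sT and -n; the list proxx arrived at (-sT -Pn -n plus the ports and target) passes. The check says nothing about what happens after a mistake, which is what the iptables rules later in the thread are for.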

Offline jemima55
Re: NOOB question re: NMAP and Traceroute output.
« Reply #6 on: November 04, 2014, 10:11:06 pm »

Quote from: proxx on November 04, 2014, 07:54:03 am
IIRC when you use the -sS flag (SYN scanning) it will just route directly and not over Tor. I cannot say why, but my bet would be that there is no way of returning an answer to the packet, therefore it is not routed.
The -sT flag is a connect scan where there is a 3-way handshake between client and server; if the port is closed it will return an RST packet.

However modern firewalls will rather drop the packet and simply not respond, thus a timeout will occur.
This timeout is what makes connect scanning slow.
You can fiddle with the timeout and lower it, however too low and you will not have any results.
It's also noisy as hell.

Disable DNS for speed and yeah, uh, it's just good practice.
Use the -PN/-P0 flags to skip ICMP, this will also route over the regular network.

NMAP can be daunting at first glimpse.

Great info, thanks again. I guess there are a few options I have now.

On which point, and funnily enough, after Googling I found the Iptables tutorial by Oskar Andreasson that you linked to here:

https://evilzone.org/hacking-and-security/iptables-practice-firewall/

That seems like something I must learn. I wonder how many folks are leaving themselves wide open when they think they're safe? I guess its fortunate that many admins are lazy about thoroughly checking logs?

I suppose (depending on the moment and frame of mind) whether one uses iptables with a VPN/open WiFi/or all of them, there are many ways to keep oneself safely obscured. Many pathways up the PT/hacking mountain, each of which must be learned or risk a fall.

OK, this week's homework is iptables and high-power/long-range Yagi WiFi antennas..

Cheers again.
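The iptables homework the last post mentions is the right fix for this whole class of leak, because it stops trusting each tool to use the proxy: a host-level kill switch that lets only the Tor daemon's uid reach the network and drops everything else (a raw -sS, an ICMP traceroute, nmap's own DNS lookups, a program started without proxychains) with a log line naming the uid that tried. This is an added example, not from the thread; it assumes a torrc with DNSPort 127.0.0.1:5353 and SocksPort 127.0.0.1:9050 (5353 rather than the thread's port 53 so that tor does not need to bind a privileged port; the nat rule redirects port-53 queries there), and that Tor runs as a dedicated user whose uid is passed in (debian-tor on Debian-based systems such as Kali). The function prints the rule set instead of applying it, so it can be reviewed before being piped to a root shell. Scans still need proxychains and -sT; the rules only make sure a mistake is dropped and logged rather than sent.

```shell
#!/bin/sh
# Added example, not code from the thread: print an iptables rule set that
# lets only the Tor daemon reach the network and drops everything else.
#
# Assumptions (adjust to your own setup):
#   torrc contains   DNSPort 127.0.0.1:5353   SocksPort 127.0.0.1:9050
#   $1 is the uid tor runs as, e.g. "$(id -u debian-tor)" on Debian/Kali
#
# Usage:  tor_killswitch_rules "$(id -u debian-tor)" | less      # review
#         tor_killswitch_rules "$(id -u debian-tor)" | sudo sh   # apply
tor_killswitch_rules() {
    tor_uid=${1:?usage: tor_killswitch_rules <uid of the tor daemon>}
    cat <<EOF
# start from a clean OUTPUT chain in both tables
iptables -F OUTPUT
iptables -t nat -F OUTPUT
# loopback stays open: the SocksPort and DNSPort live there
iptables -A OUTPUT -o lo -j ACCEPT
# DNS from any process other than tor is redirected to tor's DNSPort
# (catches nmap's own resolver, dhclient-pushed resolvers, everything)
iptables -t nat -A OUTPUT ! -o lo -p udp --dport 53 -m owner ! --uid-owner $tor_uid -j REDIRECT --to-ports 5353
iptables -t nat -A OUTPUT ! -o lo -p tcp --dport 53 -m owner ! --uid-owner $tor_uid -j REDIRECT --to-ports 5353
# the tor process itself may talk to its guard or bridge
iptables -A OUTPUT -m owner --uid-owner $tor_uid -j ACCEPT
# everything else (raw SYN scans, ICMP traceroute, UDP, ...) is logged with
# the uid that sent it, then dropped
iptables -A OUTPUT -j LOG --log-prefix "tor-killswitch: " --log-uid
iptables -A OUTPUT -j DROP
# tor is not carrying IPv6 for us, so close that path as well
ip6tables -F OUTPUT
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A OUTPUT -j DROP
EOF
}
```

With these rules in place a stray "nmap -sS" produces kernel log lines prefixed "tor-killswitch:" carrying the uid instead of SYN packets at the target, which is exactly the leak this thread was chasing. Note that the rules flush only the OUTPUT chains; any INPUT or FORWARD policy you already have is left alone.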