Nmap Development mailing list archives

Instructions: How to scan tor hidden services
From: Andrew Jason Farabee <afarabee () uci edu>

Date: Fri, 19 Jun 2015 22:15:31 -0700

Hi everyone,

I've had a lot of fun testing the basic socks4a functionality that I've been working on to scan hidden services, and I thought I'd open it up to anyone else who could use this basic functionality now. Testing scripts has been pretty successful so far. Some of the most interesting outputs have come from http-enum, dns-brute, http-useragent-tester, http-headers, http-csrf, and ssl-enum-ciphers.

Currently -sV is not working and -sC may not be working ("script=default" works, but many of the scripts don't work with socks4a). In general, any script that requires building unusual packets will not work. Please note that script scanning using connectscan.nse is not optimized.

Feel free to message me with any feedback or to point out any interesting results. Please report vulnerabilities to the hidden service's admins. Happy hacking!

== INSTRUCTIONS ===================================

[1] Create a local copy of the branch by running
    "svn export https://svn.nmap.org/nmap-exp/pasca1/nmap-nseportscan-socks4a"

[2] Move to the new directory and run "./configure" and then "make"

[3] When targeting tor hidden services, you will have to add an entry to /etc/hosts to bypass host discovery/DNS resolution. It should look like this:

    127.0.0.1	localhost
    127.0.1.1	{hostname}
    127.0.0.1	{.onion address to scan}

    Make sure that there is no http:// in front of the .onion address and that the whitespace between the IP and the URI is a tab.

[4] Start tor on your local machine (https://www.torproject.org/download/download-unix.html.en)

[5] As root, run nmap.
    * Script scanning requires the use of "-sK" and "--script connectscan".
    * Redirect the connections to tor by including "--proxy socks4a://127.0.0.1:9050" (which should be the tor default port).
    * The latency on tor is high, so you may want to limit the ports scanned with "-p 80,443" or at least "-F"

== SAMPLE ==========================================

# ./nmap -sK --script connectscan,discovery --proxy socks4a://127.0.0.1:9050 facebookcorewwwi.onion -F

Starting Nmap 6.46 ( http://nmap.org ) at 2015-06-19 16:55 PDT
Pre-scan script results:
| broadcast-eigrp-discovery:
|_  ERROR: Couldn't get an A.S value.
| http-icloud-findmyiphone:
|_  ERROR: No username or password was supplied
| http-icloud-sendmsg:
|_  ERROR: No username or password was supplied
| targets-asn:
|_  targets-asn.asn is a mandatory parameter
sendto in send_ip_packet_sd: sendto(28, packet, 65536, 0, 127.0.0.1, 16) => Message too long
Offending packet: TCP 127.0.0.1:19062 > 127.0.0.1:80 S ttl=128 id=0 iplen=0 seq=302095196 win=3072 <mss 1460>
Nmap scan report for facebookcorewwwi.onion (127.0.0.1)
Host is up.
rDNS record for 127.0.0.1: localhost
Not shown: 98 closed ports
PORT    STATE SERVICE
80/tcp  open  http
|_http-chrono: Request times for /; avg: 1362.49ms; min: 1244.80ms; max: 1440.99ms
|_http-comments-displayer: Couldn't find any comments.
|_http-date: Sat, 20 Jun 2015 00:06:41 GMT; +10m02s from local time.
|_http-devframework: Couldn't determine the underlying framework or CMS. Try increasing 'httpspider.maxpagecount' value to spider more pages.
|_http-drupal-modules:
| http-enum:
|   /crossdomain.xml: Adobe Flash crossdomain policy
|_  /images/printer.gif: Lexmark Printer
|_http-errors: Couldn't find any error pages.
|_http-feed: Couldn't find any feeds.
|_http-google-malware: [ERROR] No API key found. Update the variable APIKEY in http-google-malware or set it in the argument http-google-malware.api
| http-grep:
|_  ERROR: Argument http-grep.match was not set
| http-headers:
|   Location: https://facebookcorewwwi.onion/
|   Vary: Accept-Encoding
|   Content-Type: text/html
|   X-FB-Debug: Dj3E5YMdrK7EvMNUFKE3S+xpbi9WmhALiunkWtz5BPapB01vkp+sgHWxWxQQJG3oP8PcZSxGbUubTSog8Aep3w==
|   Date: Sat, 20 Jun 2015 00:06:41 GMT
|   Connection: close
|   Content-Length: 0
|
|_  (Request type: GET)
|_http-mobileversion-checker: No mobile version detected.
|_http-referer-checker: Couldn't find any cross-domain scripts.
| http-sitemap-generator:
|   Directory structure:
|   Longest directory structure:
|     Depth: 0
|     Dir: /
|   Total files found (by extension):
|_
|_http-title: Did not follow redirect to https://facebookcorewwwi.onion/
| http-useragent-tester:
|
|   Allowed User Agents:
|     libwww
|     lwp-trivial
|     libcurl-agent/1.0
|     PHP/
|     Python-urllib/2.5
|     GT::WWW
|     Snoopy
|     MFC_Tear_Sample
|     HTTP::Lite
|     PHPCrawl
|     URI::Fetch
|     Zend_Http_Client
|     http client
|     PECL::HTTP
|     Wget/1.13.4 (linux-gnu)
|     WWW-Mechanize/1.34
|_
| http-vhosts:
| 126 names had status 301
|_mobile.onion : 302 -> http://mobile.facebook.com/?locale2=en_US&refsrc=http%3A%2F%2Fmobile.onion%2F&_rdr
|_http-wordpress-plugins: nothing found amongst the 100 most popular plugins, use --script-args http-wordpress-plugins.search=<number|all> for deeper analysis)
|_http-xssed: No previously reported XSS vuln.
443/tcp open  https
|_http-chrono: Request times for /; avg: 2780.11ms; min: 2251.55ms; max: 3003.73ms
| http-cisco-anyconnect:
|_  ERROR: Not a Cisco ASA or unsupported version
|_http-comments-displayer: Couldn't find any comments.
|_http-default-accounts: [ERROR] HTTP request table is empty. This should not happen since we at least made one request.
|_http-devframework: Couldn't determine the underlying framework or CMS. Try increasing 'httpspider.maxpagecount' value to spider more pages.
|_http-errors: ERROR: Script execution failed (use -d to debug)
|_http-feed: Couldn't find any feeds.
|_http-google-malware: [ERROR] No API key found. Update the variable APIKEY in http-google-malware or set it in the argument http-google-malware.api
| http-grep:
|_  ERROR: Argument http-grep.match was not set
| http-headers:
|_  (Request type: GET)
|_http-mobileversion-checker: No mobile version detected.
|_http-referer-checker: Couldn't find any cross-domain scripts.
| http-sitemap-generator:
|   Directory structure:
|   Longest directory structure:
|     Depth: 0
|     Dir: /
|   Total files found (by extension):
|_
| http-useragent-tester:
|
|   Allowed User Agents:
|     libwww
|     lwp-trivial
|     libcurl-agent/1.0
|     PHP/
|     Python-urllib/2.5
|     GT::WWW
|     Snoopy
|     MFC_Tear_Sample
|     HTTP::Lite
|     PHPCrawl
|     URI::Fetch
|     Zend_Http_Client
|     http client
|     PECL::HTTP
|     Wget/1.13.4 (linux-gnu)
|     WWW-Mechanize/1.34
|_
| http-vhosts:
|_127 names had status ERROR
|_http-waf-detect: [ERROR] Initial HTTP request failed
|_http-xssed: No previously reported XSS vuln.
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: 1990-07-13T14:52:47+00:00; -24y341d9h03m53s from local time.
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong
|_ssl-google-cert-catalog: ERROR: Script execution failed (use -d to debug)
|_ssl-known-key: ERROR: Script execution failed (use -d to debug)
| tls-nextprotoneg:
|   spdy/3.1
|   spdy/3
|_  http/1.1

Host script results:
| dns-brute:
|   DNS Brute-force hostnames:
|     mx0.facebookcorewwwi.onion - 92.242.140.2
|     mx1.facebookcorewwwi.onion - 92.242.140.2
|     mysql.facebookcorewwwi.onion - 92.242.140.2
|     noc.facebookcorewwwi.onion - 92.242.140.2
|     ns.facebookcorewwwi.onion - 92.242.140.2
|     devel.facebookcorewwwi.onion - 92.242.140.2
|     ns0.facebookcorewwwi.onion - 92.242.140.2
|     development.facebookcorewwwi.onion - 92.242.140.2
|     ns1.facebookcorewwwi.onion - 92.242.140.2
|     devsql.facebookcorewwwi.onion - 92.242.140.2
|     ns2.facebookcorewwwi.onion - 92.242.140.2
|     devtest.facebookcorewwwi.onion - 92.242.140.2
|     ns3.facebookcorewwwi.onion - 92.242.140.2
|     dhcp.facebookcorewwwi.onion - 92.242.140.2
|     direct.facebookcorewwwi.onion - 92.242.140.2
|     ops.facebookcorewwwi.onion - 92.242.140.2
|     dmz.facebookcorewwwi.onion - 92.242.140.2
|     oracle.facebookcorewwwi.onion - 92.242.140.2
|     dns.facebookcorewwwi.onion - 92.242.140.2
|     owa.facebookcorewwwi.onion - 92.242.140.2
|     dns0.facebookcorewwwi.onion - 92.242.140.2
|     pbx.facebookcorewwwi.onion - 92.242.140.2
|     dns1.facebookcorewwwi.onion - 92.242.140.2
|     s3.facebookcorewwwi.onion - 92.242.140.2
|     dns2.facebookcorewwwi.onion - 92.242.140.2
|     secure.facebookcorewwwi.onion - 92.242.140.2
|     download.facebookcorewwwi.onion - 92.242.140.2
|     server.facebookcorewwwi.onion - 92.242.140.2
|     en.facebookcorewwwi.onion - 92.242.140.2
|     shop.facebookcorewwwi.onion - 92.242.140.2
|     erp.facebookcorewwwi.onion - 92.242.140.2
|     eshop.facebookcorewwwi.onion - 92.242.140.2
|     exchange.facebookcorewwwi.onion - 92.242.140.2
|     sql.facebookcorewwwi.onion - 92.242.140.2
|     f5.facebookcorewwwi.onion - 92.242.140.2
|     squid.facebookcorewwwi.onion - 92.242.140.2
|     fileserver.facebookcorewwwi.onion - 92.242.140.2
|     ssh.facebookcorewwwi.onion - 92.242.140.2
|     firewall.facebookcorewwwi.onion - 92.242.140.2
|     ssl.facebookcorewwwi.onion - 92.242.140.2
|     forum.facebookcorewwwi.onion - 92.242.140.2
|     stage.facebookcorewwwi.onion - 92.242.140.2
|     ftp0.facebookcorewwwi.onion - 92.242.140.2
|     git.facebookcorewwwi.onion - 92.242.140.2
|     gw.facebookcorewwwi.onion - 92.242.140.2
|     help.facebookcorewwwi.onion - 92.242.140.2
|     helpdesk.facebookcorewwwi.onion - 92.242.140.2
|     home.facebookcorewwwi.onion - 92.242.140.2
|     host.facebookcorewwwi.onion - 92.242.140.2
|     http.facebookcorewwwi.onion - 92.242.140.2
|     id.facebookcorewwwi.onion - 92.242.140.2
|     images.facebookcorewwwi.onion - 92.242.140.2
|     info.facebookcorewwwi.onion - 92.242.140.2
|     internal.facebookcorewwwi.onion - 92.242.140.2
|     internet.facebookcorewwwi.onion - 92.242.140.2
|     intra.facebookcorewwwi.onion - 92.242.140.2
|     ipv6.facebookcorewwwi.onion - 92.242.140.2
|     lab.facebookcorewwwi.onion - 92.242.140.2
|     ldap.facebookcorewwwi.onion - 92.242.140.2
|     linux.facebookcorewwwi.onion - 92.242.140.2
|     local.facebookcorewwwi.onion - 92.242.140.2
|     log.facebookcorewwwi.onion - 92.242.140.2
|     mail2.facebookcorewwwi.onion - 92.242.140.2
|     mail3.facebookcorewwwi.onion - 92.242.140.2
|     mailgate.facebookcorewwwi.onion - 92.242.140.2
|     main.facebookcorewwwi.onion - 92.242.140.2
|     manage.facebookcorewwwi.onion - 92.242.140.2
|     mgmt.facebookcorewwwi.onion - 92.242.140.2
|     mirror.facebookcorewwwi.onion - 92.242.140.2
|     mobile.facebookcorewwwi.onion - 92.242.140.2
|     monitor.facebookcorewwwi.onion - 92.242.140.2
|     mssql.facebookcorewwwi.onion - 92.242.140.2
|     mta.facebookcorewwwi.onion - 92.242.140.2
|     admin.facebookcorewwwi.onion - 92.242.140.2
|     administration.facebookcorewwwi.onion - 92.242.140.2
|     ads.facebookcorewwwi.onion - 92.242.140.2
|     adserver.facebookcorewwwi.onion - 92.242.140.2
|     alerts.facebookcorewwwi.onion - 92.242.140.2
|     alpha.facebookcorewwwi.onion - 92.242.140.2
|     ap.facebookcorewwwi.onion - 92.242.140.2
|     apache.facebookcorewwwi.onion - 92.242.140.2
|     app.facebookcorewwwi.onion - 92.242.140.2
|     apps.facebookcorewwwi.onion - 92.242.140.2
|     appserver.facebookcorewwwi.onion - 92.242.140.2
|     aptest.facebookcorewwwi.onion - 92.242.140.2
|     auth.facebookcorewwwi.onion - 92.242.140.2
|     backup.facebookcorewwwi.onion - 92.242.140.2
|     beta.facebookcorewwwi.onion - 92.242.140.2
|     blog.facebookcorewwwi.onion - 92.242.140.2
|     cdn.facebookcorewwwi.onion - 92.242.140.2
|     chat.facebookcorewwwi.onion - 92.242.140.2
|     citrix.facebookcorewwwi.onion - 92.242.140.2
|     cms.facebookcorewwwi.onion - 92.242.140.2
|     corp.facebookcorewwwi.onion - 92.242.140.2
|     crs.facebookcorewwwi.onion - 92.242.140.2
|     cvs.facebookcorewwwi.onion - 92.242.140.2
|     database.facebookcorewwwi.onion - 92.242.140.2
|     db.facebookcorewwwi.onion - 92.242.140.2
|     demo.facebookcorewwwi.onion - 92.242.140.2
|     dev.facebookcorewwwi.onion - 92.242.140.2
|     stats.facebookcorewwwi.onion - 92.242.140.2
|     svn.facebookcorewwwi.onion - 92.242.140.2
|     syslog.facebookcorewwwi.onion - 92.242.140.2
|     test.facebookcorewwwi.onion - 92.242.140.2
|     test1.facebookcorewwwi.onion - 92.242.140.2
|     test2.facebookcorewwwi.onion - 92.242.140.2
|     testing.facebookcorewwwi.onion - 92.242.140.2
|     upload.facebookcorewwwi.onion - 92.242.140.2
|     vm.facebookcorewwwi.onion - 92.242.140.2
|     vnc.facebookcorewwwi.onion - 92.242.140.2
|     vpn.facebookcorewwwi.onion - 92.242.140.2
|     web.facebookcorewwwi.onion - 92.242.140.2
|     web2test.facebookcorewwwi.onion - 92.242.140.2
|     whois.facebookcorewwwi.onion - 92.242.140.2
|     wiki.facebookcorewwwi.onion - 92.242.140.2
|     www.facebookcorewwwi.onion - 92.242.140.2
|     www2.facebookcorewwwi.onion - 92.242.140.2
|_    xml.facebookcorewwwi.onion - 92.242.140.2
|_ipidseq: Unknown
|_path-mtu: 65535 <= PMTU < 65536
| qscan:
| PORT  FAMILY  MEAN (us)  STDDEV  LOSS (%)
| 7     0       0.00       -0.00   100.0%
| 80    1       74.00      -nan    90.0%
|_443   2       61.00      -nan    90.0%

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
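The socks4a proxying the post relies on works because a SOCKS4a CONNECT carries the hostname itself, so Tor resolves the .onion name and the scanning host never has to (the /etc/hosts entry in step [3] exists only to satisfy nmap's own host-discovery stage). The following is an added example, not code from the post or from the nmap-nseportscan-socks4a branch: it builds that CONNECT request, parses Tor's 8-byte reply, and wraps both in a small connector. Function names and the "bare hostname" check are this example's own, and the 127.0.0.1:9050 proxy address is the default the post cites.

```python
# Added example (not from the mailing-list post or the Nmap branch it describes):
# build a SOCKS4a CONNECT request, parse the SOCKS4 reply, and connect through
# Tor's SOCKS port so that hostname resolution happens on the proxy side.
import socket
import struct

SOCKS_VERSION = 4
CMD_CONNECT = 1
REPLY_CODES = {
    0x5A: "request granted",
    0x5B: "request rejected or failed",
    0x5C: "rejected: identd not reachable",
    0x5D: "rejected: identd user mismatch",
}

def build_socks4a_connect(hostname: str, port: int, userid: str = "") -> bytes:
    """SOCKS4a CONNECT: VN, CD, DSTPORT, DSTIP, USERID NUL, HOSTNAME NUL.
    DSTIP 0.0.0.1 (any 0.0.0.x) is the SOCKS4a marker telling the proxy
    that the trailing hostname must be resolved by the proxy, not the client."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    if hostname.lower().startswith(("http://", "https://")):
        raise ValueError("pass a bare hostname, not a URL")  # same pitfall as step [3]
    head = struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, port, b"\x00\x00\x00\x01")
    return head + userid.encode("ascii") + b"\x00" + hostname.encode("ascii") + b"\x00"

def parse_socks4_reply(reply: bytes) -> tuple:
    """Reply is 8 bytes: VN (always 0), CD, DSTPORT, DSTIP. Returns (granted, reason)."""
    if len(reply) < 8:
        return False, "short reply (%d bytes)" % len(reply)
    vn, cd = reply[0], reply[1]
    if vn != 0:
        return False, "unexpected reply version %d" % vn
    return cd == 0x5A, REPLY_CODES.get(cd, "unknown reply code 0x%02x" % cd)

def connect_via_tor(hostname, port, proxy=("127.0.0.1", 9050), timeout=60.0):
    """Open a TCP stream to hostname:port through Tor's SOCKS4a port.
    Returns the connected socket; raises if Tor refuses. Generous timeout:
    as the post notes, latency over Tor is high."""
    s = socket.create_connection(proxy, timeout=timeout)
    try:
        s.sendall(build_socks4a_connect(hostname, port))
        granted, reason = parse_socks4_reply(s.recv(8))
        if not granted:
            raise ConnectionError("SOCKS4a %s" % reason)
    except Exception:
        s.close()
        raise
    return s
```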