Anonymous Port Scanning
Performing Network Reconnaissance Through Tor
Rodney Rohrmann, Mark W. Patton, Hsinchun Chen
University of Arizona
Department of Management Information Systems
Tucson, AZ 85721, USA
rodneyr@email.arizona.edu, mpatton@email.arizona.edu, hchen@eller.arizona.edu
Abstract—The anonymizing network Tor is examined as one
method of anonymizing port scanning tools and avoiding
identification and retaliation. Performing anonymized port scans
through Tor is possible using Nmap, but parallelization of the
scanning processes is required to accelerate the scan rate.
Keywords—Scanning, Tor, Anonymization
Scans of web traffic in a hostile part of the web have the
potential to result in retaliatory attacks. The anonymizing
network Tor is examined as one method of anonymizing port
scanning tools and avoiding identification and retaliation. One
recipient of retaliatory threats is the University of Michigan,
which developed ZMap and has been researching its speed.
They used an opt-out email address, and 15 of the 145
responses threatened retaliatory action [1]. Developing a
method to perform rapid scanning through Tor eliminates this
risk.
The industry standard tool Nmap was chosen due to its
benefits and capabilities, as well as the likelihood of its
performing well through Tor. Nmap can use TCP when
scanning instead of UDP, while other scanning tools such as
ZMap and Masscan cannot. Nmap is a connection-oriented
scanner and maintains stateful connections during scanning,
further increasing reliability [2]. The Proxychains tool was
used to route Nmap’s scans through Tor.
Initially, base configurations were evaluated for IP address leakage by port scanning a device and logging the scan information received. To test, the following environments were set up [3][4]:

Machine | Operating System          | Software
Host    | Windows 10                | Wireshark 2.0.1
VM      | Kali Linux, Gnome 3.14.1  | Nmap 7.0.1, Wireshark 1.12.6, Proxychains
Target  | Ubuntu 14.0.4             | Wireshark 2.0.1

The target machine had a public IP address. Wireshark packet captures were taken in the host, VM, and target of every scan. Multiple scans were run. It took 150 seconds to scan and probe 65,535 ports and perform OS detection. After the control scans, different Nmap configurations were scanned through Tor to see which configurations revealed an IP address.

The Wireshark packet captures were analyzed for five configurations. To hide the scanning computer's IP address, it was necessary to eliminate pinging by setting the -Pn flag. The -sT flag needed to be set in order to run the scan using TCP instead of UDP [4]. The -sV flag allows for version scanning and does not leak the scanner's IP address. The -O (OS detection) and -A (OS detection, version detection, script scanning, and traceroute) flags [5] did reveal the IP address because Nmap bypassed Proxychains during part of the execution.

Flags used            | IP Address Leak
"-A"                  | Yes
"-sT, -A"             | Yes
"-sT, -Pn"            | No
"-sT, -Pn, -sV"       | No
"-sT, -Pn, -sV, -O"   | Yes

Scan rates dropped dramatically through Tor. Using Proxychains prevented Nmap from using multiple processes, so it could no longer scan hundreds of ports a second [6]. Scanning ports serially resulted in roughly one port per second.

As Nmap cannot run scans in parallel through Proxychains, parallelization work was undertaken to run multiple separate Nmap processes. To test parallelization, three scans of 1,000 ports each were run and recorded, with durations of 17 to 19 minutes. Ports 1-150 scan more slowly than other ports, so they were broken out separately. Scans for ports 151 and above ran at around 1.5 scans per second.

Fig. 1. Total Ports scanned per Second vs Number of Parallel Nmap processes being utilized (y-axis: ports per second, 0 to 120; x-axis: parallel scans, 0 to 70; series: average ports/second).

In conclusion, performing anonymized port scans through Tor is possible using Nmap, but parallelization of the scanning processes is required to accelerate the scan rate. Anonymization is not automatic and the correct flags must be set. Future work includes scanning larger organizations and using more powerful machines to run hundreds or thousands of processes to test scalability limits.
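The leak check and rate measurement the paper performs on its Wireshark captures, as an added example that is not the authors' code: it reads constructed tshark-style summaries (config|seconds|src|dst|dport) of probes seen at the target, reports per flag set whether the scanner's real address (constructed as 203.0.113.10; the Tor exit appears as 192.0.2.44) ever reached the target, and computes the serial probe rate.

```python
"""Added example (not from the paper): detect scanner IP leakage per Nmap flag set
in target-side capture summaries, and measure how many ports per second arrived."""
from collections import defaultdict

SCANNER_IP = "203.0.113.10"   # constructed: the scanning VM's real public address

# Constructed records: config|seconds|src|dst|dport, one line per TCP SYN that the
# target's capture recorded for that configuration (192.0.2.44 plays the Tor exit).
CAPTURE = """\
-A|0.00|203.0.113.10|198.51.100.5|22
-A|0.02|203.0.113.10|198.51.100.5|80
-sT,-Pn|0.00|192.0.2.44|198.51.100.5|21
-sT,-Pn|1.00|192.0.2.44|198.51.100.5|22
-sT,-Pn|2.00|192.0.2.44|198.51.100.5|23
-sT,-Pn|3.00|192.0.2.44|198.51.100.5|25
-sT,-Pn,-sV,-O|0.00|192.0.2.44|198.51.100.5|22
-sT,-Pn,-sV,-O|4.50|203.0.113.10|198.51.100.5|22
"""

def parse_records(text):
    """Turn the export into dicts; malformed lines are skipped rather than crashing."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        config, secs, src, dst, dport = parts
        records.append({"config": config, "t": float(secs), "src": src,
                        "dst": dst, "dport": int(dport)})
    return records

def leak_report(records, scanner_ip):
    """Per configuration: True if any probe at the target came from the real scanner IP."""
    leaked = defaultdict(bool)
    for r in records:
        leaked[r["config"]] |= (r["src"] == scanner_ip)
    return dict(leaked)

def ports_per_second(records, config):
    """Rate for one configuration: (distinct ports - 1) intervals over the time span
    from first to last probe. Returns 0.0 when there is no interval to measure."""
    times = sorted(r["t"] for r in records if r["config"] == config)
    ports = {r["dport"] for r in records if r["config"] == config}
    elapsed = times[-1] - times[0] if len(times) > 1 else 0.0
    return (len(ports) - 1) / elapsed if elapsed > 0 else 0.0

if __name__ == "__main__":
    recs = parse_records(CAPTURE)
    for cfg, leak in leak_report(recs, SCANNER_IP).items():
        print(f"{cfg:18s} leak={'Yes' if leak else 'No':3s} "
              f"rate={ports_per_second(recs, cfg):.2f} ports/s")
```

Running it reproduces the paper's two findings on the constructed data: only the -sT, -Pn set keeps the real address off the target, and that anonymized serial scan crawls at about one port per second.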
REFERENCES
[1] Zakir Durumeric, Eric Wustrow, J. Alex Halderman, “ZMap: Fast Internet-wide scanning and its security applications,” Proceedings of the 22nd USENIX Security Symposium, August 2013.
[2] Gordon Lyon, “Nmap Network Scanning,” Sunnyvale, CA: Insecure.com, LLC, 2002, p. 129.
[3] Unknown Author, “Kali Linux Tutorial: Setting Up ProxyChains + Tor For Anonymity And Security,” http://www.picateshackz.com/2015/05/kali-linux-tuTorial-setting-up.html.
[4] John Strand, “Pen Testing through the Tor Network,” http://securitystreetknowledge.com/?p=283, January 1, 2011.
[5] https://nmap.org/book/man-briefoptions.html.
[6] https://nmap.org/book/man-performance.html.
This material is based upon work supported by the U.S. National
Science Foundation under Grant No. DUE-1303362 and SES-1314631.
978-1-5090-3865-7/16/$31.00 ©2016 IEEE