Whenever we send a packet to our intended target, that packet contains information about our network (such as our public IP address) that can ultimately be traced back to us. In the interest of remaining anonymous, our goal here is to perform recon on a public network (using something like NMAP) with the least risk of our work being traced back to us.
To achieve this, we need two tools: Tor and ProxyChains. Tor routes our traffic through a chain of relays, and ProxyChains lets us push the TCP connections of any program through a proxy, or a chain of multiple proxies, so that the target sees the address of the Tor exit node rather than our public IP address.
We can download our tools using the commands below:
apt-get install tor
apt-get install proxychains
apt-get install nmap (if you don’t already have it)
Before we get started, we want to make sure we don't accidentally disclose our public IP to our victim, so we run the following command. Replace the IP address below with that of your target. The rule drops every packet leaving our box directly for that address, so anything that slips past the proxy is discarded instead of sent.
sudo iptables -A OUTPUT --dest 126.96.36.199 -j DROP
Once we do that, we can see what happens when we try to send packets to that IP address.
Prior to using Tor and ProxyChains, we should (always) determine/check what our public IP address is:
Next we need to get the Tor service running. We can run the following commands:
service tor start
service tor status
With Tor running, we can now use ProxyChains to mask our public IP address by running the following command:
proxychains curl ipecho.net/plain
We are now ready to do some NMAP scanning on our victim. This can be done using the following command. Note the flags: -sT performs a full TCP connect scan, which is required because Tor and ProxyChains only carry TCP streams (raw-socket SYN scans, UDP probes and ICMP pings would leave the box directly and bypass the proxy), and -Pn skips host discovery for the same reason.
proxychains nmap 188.8.131.52 -Pn -sV -sT -v -p 80,443
Since we have access to the victim box, let's see what a tcpdump looks like while the NMAP scan is in progress:
If we curl 184.108.40.206 using ProxyChains, we can also see that the Apache logs (on the victim box) show the request as coming from our new IP address on the Tor network:
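Seen from the victim's side, the Apache log above is exactly where this activity can be caught: the source address belongs to a Tor exit node, and the service-detection requests carry a scanner-looking user agent. The script below is an added example written for this page (it is not the author's code) that parses Apache combined-format log lines, flags requests from known Tor exits, and summarises scanner indicators per source. The log lines and the exit list are constructed for the example; in practice the exit list would be loaded from the Tor Project's published bulk exit list.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format access log lines (sample data, not from the page).
# The Nmap Scripting Engine user agent and the empty "-" agent left by -sV probes are
# the two scanner indicators this example looks for.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 2326 "-" "curl/7.88.1"
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.0" 200 2326 "-" "-"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:56:12 +0000] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
this line is not a valid log entry
"""

# Constructed stand-in for a Tor exit list. A real deployment would fetch
# https://check.torproject.org/torbulkexitlist and refresh it regularly.
TOR_EXITS = {"203.0.113.10"}

# Combined log format: host ident authuser [date] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def looks_like_scanner(user_agent):
    """Heuristic: empty agent (as left by Nmap -sV probes) or an explicit Nmap agent string."""
    ua = user_agent.lower()
    return ua == "-" or "nmap" in ua


def flag_tor_requests(log_text, tor_exits):
    """Return the parsed entries whose source IP is a known Tor exit node."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["ip"] in tor_exits:
            hits.append(entry)
    return hits


def summarize(hits):
    """Per source IP: request count and whether any request showed a scanner indicator."""
    summary = defaultdict(lambda: {"requests": 0, "scanner_ua": False})
    for entry in hits:
        s = summary[entry["ip"]]
        s["requests"] += 1
        s["scanner_ua"] = s["scanner_ua"] or looks_like_scanner(entry["ua"])
    return dict(summary)


if __name__ == "__main__":
    for ip, s in summarize(flag_tor_requests(SAMPLE_LOG, TOR_EXITS)).items():
        print(f"{ip}: {s['requests']} request(s) via Tor exit, scanner indicators: {s['scanner_ua']}")
```

Matching on the exit list alone only tells you the request came through Tor, which plenty of legitimate traffic does; it is the combination with the scanner user-agent pattern and, as the tcpdump above shows, a burst of connections to several ports from one exit address that makes the event worth alerting on.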