Proxychains & Nmap

During a CTF I’ve been playing recently I encountered a situation where I needed to scan an internal network from a host I had a shell on. The static nmap binary I had worked fine on the host and I enumerated open ports inside the network, but I also wanted to perform version detection and run nmap scripts. Both of these require additional files which are not bundled with the static nmap, and I didn’t feel like dropping a bunch of files on the host. I decided to use proxychains to proxy nmap through a SOCKS tunnel. Complications ensued.

Parsing the nmap XML output

A little bit of Python that generates the following from the XML output:

nmap  -sV -sC -T4 -oA nmap/192.168.0.1 192.168.0.1 -p 80
nmap  -sV -sC -T4 -oA nmap/192.168.0.2 192.168.0.2 -p 443,8080,1080
# transform.py
# Reads an nmap -oX result file and prints one follow-up command per live
# host, restricted to the ports that were found open. Extra flags given on
# the command line (e.g. "-Pn --unprivileged -sT") are inserted before -sV.
import xml.etree.ElementTree as ET
import sys
import os
import pathlib


def format_nmap_output(xml_file, flags):
    tree = ET.parse(xml_file)
    root = tree.getroot()

    # -oA nmap/<address> below needs the output directory to exist
    if not pathlib.Path("nmap").is_dir():
        os.mkdir("nmap")

    for host in root.findall("host"):
        status = host.find("status").get("state")
        if status == "up":
            # nmap lists the ipv4 address first; a mac address may follow it
            address = host.find("address").get("addr")

            # a host that answered no probes at all has no <ports> element
            ports = host.find("ports")
            if ports is None:
                continue
            open_ports = []
            for port in ports.findall("port"):
                port_state = port.find("state").get("state")
                if port_state == "open":
                    port_id = port.get("portid")
                    open_ports.append(port_id)

            if open_ports:
                ports_str = ",".join(open_ports)
                print(
                    f"nmap {flags} -sV -sC -T4 -oA nmap/{address} {address} -p {ports_str}"
                )


if __name__ == "__main__":
    if len(sys.argv) == 1:
        print(f"usage: {sys.argv[0]} FILE [FLAGS]", file=sys.stderr)
        sys.exit(1)
    # FLAGS is optional; everything after it is ignored
    flags = sys.argv[2] if len(sys.argv) > 2 else ""
    format_nmap_output(sys.argv[1], flags)

Compiling nmap

I had trouble when using proxychains with nmap from the Kali repositories. After I compiled my own it worked alright. It may be an issue with the specific version, I don’t know. Here’s the script:

sudo apt update
# build dependencies (compiler, autotools, OpenSSL, PCRE2 and libssh2 headers)
sudo apt install g++ make automake autotools-dev libssl-dev libpcre2-dev libssh2-1-dev
# shallow clone of the current source, then configure and build only the nmap binary
git clone https://github.com/nmap/nmap.git --depth 1
cd nmap
./configure
make nmap
./nmap --version

One final note

Don’t forget to pass -Pn --unprivileged -sT: -sT forces a TCP connect scan (the only kind of scan a SOCKS tunnel can carry), --unprivileged disables raw sockets, and -Pn disables ping host discovery.

python3 transform.py results.xml "-Pn --unprivileged -sT" | sed 's/^/proxychains /'
# proxychains nmap -Pn --unprivileged -sT -sV -sC -T4 -oA nmap/192.168.0.1 192.168.0.1 -p 80
# proxychains nmap -Pn --unprivileged -sT -sV -sC -T4 -oA nmap/192.168.0.2 192.168.0.2 -p 443,8080,1080
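The whole pipeline above (parse the -oX result, keep only open TCP ports on hosts that are up, emit one service and script scan per host, prefix it with proxychains) as a single Python function, an added example that is not the post's transform.py. The XML document is constructed here in nmap's -oX format with RFC 1918 placeholder addresses, and the function names are mine. It goes a little beyond the original script: it selects the ipv4 address explicitly (so a MAC address recorded for a host on the local segment is never used as a target), skips hosts with no <ports> element, and returns the commands instead of printing them.

```python
# Added example (not the post's own script): parse a constructed nmap -oX
# document and build proxychains-prefixed follow-up scans in one step.
import xml.etree.ElementTree as ET

# Constructed sample in nmap's -oX format: one host up with two open ports and
# one filtered port, one host down, and one host up with only a closed port.
# Addresses are RFC 1918 placeholders, not real targets.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn --unprivileged -sT -oX scan.xml 192.168.0.0/29">
  <host>
    <status state="up" reason="user-set"/>
    <address addr="192.168.0.1" addrtype="ipv4"/>
    <address addr="AA:BB:CC:DD:EE:FF" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/></port>
      <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.0.2" addrtype="ipv4"/>
  </host>
  <host>
    <status state="up" reason="user-set"/>
    <address addr="192.168.0.3" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="8080"><state state="closed" reason="conn-refused"/></port>
    </ports>
  </host>
</nmaprun>
"""

# The flags the post says a scan through proxychains needs.
TUNNEL_FLAGS = "-Pn --unprivileged -sT"


def open_ports_by_host(xml_text):
    """Return {ipv4_address: [open tcp port ids]} for every host that is up.

    Only the <address addrtype="ipv4"> element is used as the target, hosts
    without a <ports> element are skipped, and so are hosts whose ports are
    all closed or filtered.
    """
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports = host.find("ports")
        if ports is None:
            continue
        open_ports = []
        for port in ports.findall("port"):
            state = port.find("state")
            if port.get("protocol") != "tcp" or state is None:
                continue
            if state.get("state") == "open":
                open_ports.append(port.get("portid"))
        if open_ports:
            result[addr.get("addr")] = open_ports
    return result


def build_commands(xml_text, flags=TUNNEL_FLAGS, prefix="proxychains"):
    """Build one -sV -sC scan per live host, limited to its open ports.

    Empty parts (e.g. prefix="" for a direct scan) are dropped so the command
    never contains doubled spaces.
    """
    commands = []
    for address, ports in open_ports_by_host(xml_text).items():
        parts = [prefix, "nmap", flags, "-sV -sC -T4", f"-oA nmap/{address}",
                 address, "-p", ",".join(ports)]
        commands.append(" ".join(part for part in parts if part))
    return commands


if __name__ == "__main__":
    for cmd in build_commands(SAMPLE_XML):
        print(cmd)
```

Running the block prints a single line for 192.168.0.1 (ports 22 and 80); the down host and the host with only a closed port produce nothing, which is the behaviour you want before pointing proxychains at a slow tunnel.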

Happy hacking!