Jump to content

How may I tunnel nmap through TOR using SOCAT


Recommended Posts

When I set up the tunnel socat and then set nmap to use localhost and my port selection, nmap quickly returns with a result that port is open (which it is) and unknown. What I would like nmap to do is to tunnel thru the port and not actually scan the port itself. Possible?

Link to comment
Share on other sites

Doubtful. SOCAT (which I didn't know about, so thanks for that) enables the byte transfer once the connection is made. NMAP does its thing by playing tricks with the bits in the packet sent to a port prior to the actual creation of a socket. As you probably know a socket is created by the client sending a SYN, the server responding with an ACK and the client sending a SYN+ACK. NMAP's SYN packet is received by the local host, delivered to SOCAT's listener who will probably start sending a new, bog-standard SYN to the other side of the tunnel. Same with the other packets.

What makes things worse is that this tunnel is itself packaged inside TOR so effectively another tunnel. Your packets will almost certainly not be replicated bit-for-bit, but rather concept by concept. So rather than a SYN with a few weird bits up it's just a regular SYN at the other end. Same with the other packets.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...