Search the Community

Scan .onion hidden services with nmap using Tor, proxychains and dnsmasq in a minimal alpine Docker container. docker-onion-nmap Use nmap to scan hidden "onion" services on the Tor network. Minimal image based on alpine, using proxychains to wrap nmap. Tor and dnsmasq are run as daemons via s6, and proxychains wraps nmap to use the Tor SOCKS proxy on port 9050. Tor is also configured via DNSPort to anonymously resolve DNS requests to port 9053. dnsmasq is configured to with this localhost:9053 as an authority DNS server. Proxychains is configured to proxy DNS through the local resolver, so all DNS requests will go through Tor and applications can resolve .onion addresses. Example: $ docker run --rm -it milesrichardson/onion-nmap -p 80,443 facebookcorewwwi.onion [tor_wait] Wait for Tor to boot... (might take a while) [tor_wait] Done. Tor booted. [nmap onion] nmap -p 80,443 facebookcorewwwi.onion [proxychains] config file found: /etc/proxychains.conf [proxychains] preloading /usr/lib/libproxychains4.so [proxychains] DLL init: proxychains-ng 4.12 Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-23 16:17 UTC [proxychains] Dynamic chain ... 127.0.0.1:9050 ... facebookcorewwwi.onion:443 ... OK [proxychains] Dynamic chain ... 127.0.0.1:9050 ... facebookcorewwwi.onion:80 ... OK Nmap scan report for facebookcorewwwi.onion (224.0.0.1) Host is up (2.7s latency). PORT STATE SERVICE 80/tcp open http 443/tcp open https Nmap done: 1 IP address (1 host up) scanned in 3.58 seconds How it works: When the container boots, it launches Tor and dnsmasq as daemons. The tor_wait script then waits for the Tor SOCKS proxy to be up before executing your command. Arguments: By default, args to docker run are passed to /bin/nmap which calls nmap with args -sT -PN -n "$@" necessary for it to work over Tor (via explainshell.com). For example, this: docker run --rm -it milesrichardson/onion-nmap -p 80,443 facebookcorewwwi.onion will be executed as: proxychains4 -f /etc/proxychains.conf /usr/bin/nmap -sT -PN -n -p 80,443 facebookcorewwwi.onion In addition to the custom script for nmap, custom wrapper scripts for curl and nc exist to wrap them in proxychains, at /bin/curl and /bin/nc. To call them, simply specify curl or nc as the first argument to docker run. For example: docker run --rm -it milesrichardson/onion-nmap nc -z 80 facebookcorewwwi.onion will be executed as: proxychains4 -f /etc/proxychains.conf /usr/bin/nc -z 80 facebookcorewwwi.onion and docker run --rm -it milesrichardson/onion-nmap curl -I https://facebookcorewwwi.onion will be executed as: proxychains4 -f /etc/proxychains.conf /usr/bin/curl -I https://facebookcorewwwi.onion If you want to call any other command, including the original /usr/bin/nmap or /usr/bin/nc or /usr/bin/curl you can specify it as the first argument to docker run, e.g.: docker run --rm -it milesrichardson/onion-nmap /usr/bin/curl -x socks4h://localhost:9050 https://facebookcorewwwi.onion Environment variables: There is only one environment variable: DEBUG_LEVEL. If you set it to anything other than 0, more debugging info will be printed (specifically, the attempted to connections to Tor while waiting for it to boot). Example: $ docker run -e DEBUG_LEVEL=1 --rm -it milesrichardson/onion-nmap -p 80,443 facebookcorewwwi.onion [tor_wait] Wait for Tor to boot... (might take a while) [tor_wait retry 0] Check socket is open on localhost:9050... [tor_wait retry 0] Socket OPEN on localhost:9050 [tor_wait retry 0] Check SOCKS proxy is up on localhost:9050 (timeout 2 )... [tor_wait retry 0] SOCKS proxy DOWN on localhost:9050, try again... [tor_wait retry 1] Check socket is open on localhost:9050... [tor_wait retry 1] Socket OPEN on localhost:9050 [tor_wait retry 1] Check SOCKS proxy is up on localhost:9050 (timeout 4 )... [tor_wait retry 1] SOCKS proxy DOWN on localhost:9050, try again... [tor_wait retry 2] Check socket is open on localhost:9050... [tor_wait retry 2] Socket OPEN on localhost:9050 [tor_wait retry 2] Check SOCKS proxy is up on localhost:9050 (timeout 6 )... [tor_wait retry 2] SOCKS proxy UP on localhost:9050 [tor_wait] Done. Tor booted. [nmap onion] nmap -p 80,443 facebookcorewwwi.onion [proxychains] config file found: /etc/proxychains.conf [proxychains] preloading /usr/lib/libproxychains4.so [proxychains] DLL init: proxychains-ng 4.12 Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-23 16:34 UTC [proxychains] Dynamic chain ... 127.0.0.1:9050 ... facebookcorewwwi.onion:443 ... OK [proxychains] Dynamic chain ... 127.0.0.1:9050 ... facebookcorewwwi.onion:80 ... OK Nmap scan report for facebookcorewwwi.onion (224.0.0.1) Host is up (2.8s latency). PORT STATE SERVICE 80/tcp open http 443/tcp open https Nmap done: 1 IP address (1 host up) scanned in 4.05 seconds Notes: No UDP available over Tor Tor can take 10-20 seconds to boot. If this is untenable, another option is to run the proxy in its own container, or run it as the main process and then run "exec" to call commands like nmap gr33tz @jessfraz tor-proxy @zuazo alpine-tor-docker shellhacks crypto-rebels.de Download: docker-onion-nmap-master.zip or git clone https://github.com/milesrichardson/docker-onion-nmap.git Source

Movies Featuring the Nmap Security Scanner For reasons unknown, Hollywood has decided that Nmap is the tool to show whenever hacking scenes are needed. At least it is a lot more realistic than silly 3D animation approach used in many previous movies (e.g. "hacking the Gibson" on Hackers, or the much worse portrayals on Swordfish). We always like to see Nmap in the movies, so we have catalogued known instances here.

When you pentest a website an it's ok to "make a lot of noise" you can use the nmap script at http-enum.nse , that basicaly uses another script http-fingerprints.lua to find any common folders on a system, bruteforce but works. This most of the time returs folders like admin, tmp and others, but the one in particular we will discuss right now is the /.git folder. Now we need to get the /.git folder. Using git clone to download the sources will fail, so since directory listing is turned on we can download it using wget. $ mkdir git-test $ cd git-test $ wget --mirror --include-directories=/.git http://www.target.com/.git That'll take some time, depending on the size of the repository. When it's all done, go into the folder that wget created and use git --reset: $ cd www.site.com $ git reset --hard HEAD is now at [...] Then look around - you have their entire codebase! $ ls db doc robots.txt scripts test Browse this for interesting scripts (like test scripts?), passwords, configuration details, deployment, addresses, and more! You just turned your blackbox pentest into a whitebox one, and maybe you got some passwords in the deal! You can also use "git log" to get commit messages, "git remote" to get a list of interesting servers, "git branch -a" to get a list of branches, etc. Why does this happen? When you clone a git repository, it creates a folder for git's metadata - .git - in the folder where you check it out. This is what lets you do a simple "git pull" to get new versions of your files, and can make deployment/upgrades a breeze. There are a few ways to prevent this: Remove the .git folder after you check it out Use a .htaccess file (or apache configuration file) to block access to .git Keep the .git folder one level up - in a folder that's not available to the Web server Use a framework - like Rails or .NET - where you don't give users access to the filesystem Finding this in an automated way You can quickly scan an entire network by using a command like: nmap -sS -PS80,81,443,8080,8081 -p80,81,443,8080,8081 --script=http-git <target> The output for an affected host will look something like: PORT STATE SERVICE 80/tcp open http | http-git: | Potential Git repository found at 206.220.193.152:80/.git/ (found 5 of 6 expected files) | Repository description: Unnamed repository; edit this file 'description' to name the... | Remote: https://github.com/skullspace/skullspace.ca.git |_ -> Source might be at https://github.com/skullspace/skullspace.ca Credits: SkullSecurity ? Blog Archive ? Using "Git Clone" to get Pwn3D

La adresa Ghid de referinta Nmap (Pagina Man) gasiti ghidul de referinta Nmap tradus in intregime in limba romana.