Nmap through proxy
TL;DR: proxy support is limited right now but there are also theoretical limits of what you could do when using a proxy.
nmap can do only CONNECT and SOCKS4 and these protocols can do only TCP. Apart from that using any kind of proxy means that nmap communicates with the IP stack of the proxy and not of the target. This means:
- ICMP ping can not be done to see if a host is alive, since ICMP is not TCP. So you might need to skip the host discovery step if your targets are only accessible through the proxy (
-Pn
). Since (the unsupported) SOCKS5 ICMP does not support ICMP either this will not change in the future. - Service discovery can be done for TCP based services only. With SOCKS5 support this could be extended to UDP.
- OS fingerprinting based on features of the IP stack is not possible because nmap does not speak with the targets IP stack when using a proxy, but instead with the proxies IP stack. This is a theoretical limit you have with any kind of proxy protocol.
For now, use an external tool like proxychains.
The nmap documentation for --proxies
states, that the feature is not fully implemented yet:
Warning: this feature is still under development and has limitations. It is implemented within the nsock library and thus has no effect on the ping, port scanning and OS discovery phases of a scan. Only NSE and version scan benefit from this option so far—other features may disclose your true address. SSL connections are not yet supported, nor is proxy-side DNS resolution (hostnames are always resolved by Nmap).
You can follow this guide on how to use proxychains with nmap. After setting up a ProxyList, you will simply run the command from above like this:
proxychains nmap -sV -O --reason scanme.nmap.org
Still be careful about sidechannel identity leaks (such as DNS leaks), though. Adding the -n
flag to prevent DNS resolutions by nmap might be a good practice.