Anonymizing your connection is one of the first things to take care of when you want to scan a website or target host for vulnerabilities without the scan being traced straight back to your door. For this purpose we are going to use Tor.



"Tor is free software and an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security known as traffic analysis." The Tor network is an onion routing project that lets users send traffic through a chain of relays, so that your Internet traffic appears to come from the Tor exit node rather than from your real IP.


Tor runs your traffic through three hops (entry guard, middle relay, exit) to mask your IP via its onion-routing system. But, let's face it, Tor is slow: those hops make the round-trip delay increase dramatically. Moxie Marlinspike has created a nifty little tool called Tortunnel that sends your traffic through a single Tor exit node. Tortunnel is a partial onion proxy implementation that's designed to build single-hop circuits through Tor exit nodes. This is useful in cases where you only want a very low level of anonymity and don't want to deal with the performance implications of using Tor's full three-hop circuits. Keep in mind what "low level" means here: with a single hop the exit node sees your real address as the source of the circuit, so you are hiding from the target, not from the exit node or from anyone watching it.




This article will show you how to use Tortunnel to push traffic through a single Tor exit node, bypassing the rest of the slow Tor network, and then use proxychains so that your applications can use this tunnel; your public IP will appear to be that of the exit node, with a light layer of anonymity and protection.




Packages we are going to install:


  • Tor
  • Proxychains
  • Privoxy
  • Tortunnel (provides the torproxy binary; needs the Boost C++ libraries and headers to build)
  • Boost C++ Libraries
  • Vidalia
  • Lynx
  • Nmap






#apt-get install tor vidalia proxychains privoxy tor-geoipdb nmap libboost-system1.49.0

The libboost-system version is whatever your release ships; to compile tortunnel you also need the Boost development headers (libboost-system-dev on Debian-based systems).







Now that everything is installed, we need to configure Privoxy and proxychains so that they work with torproxy.






Configuring Proxychains


proxychains is a tool that forces any TCP connection made by a given application to go through a proxy such as Tor or any other SOCKS4, SOCKS5 or HTTP(S) proxy. Supported auth types: "user/pass" for SOCKS4/5, "basic" for HTTP. It only sees TCP connections made through the C library, so raw sockets and UDP (including ordinary DNS lookups) are not redirected.



#vi /etc/proxychains.conf

Comment out the last line of the file (the stock socks4 entry in the [ProxyList] section) with a # and add a socks5 entry for the port torproxy will listen on, 127.0.0.1:9050 in this article:

#socks4 127.0.0.1 9050

socks5 127.0.0.1 9050

While you are in the file, make sure the proxy_dns line further up is not commented out: with it enabled proxychains resolves host names through the proxy instead of your local resolver, which closes one of the DNS leaks discussed below.







The biggest problem with many applications is that they leak DNS requests. That is, although they use Tor to anonymize the traffic, they first send an untorified DNS request to get the IP address of the target system, and only then communicate "anonymously" with that target. The problem: an eavesdropper who can see your link can work out which site you visited when a plain DNS request for a host name is followed by some "anonymous" Tor traffic.

For that we use Tor together with Privoxy, which hands the host name to the SOCKS proxy instead of resolving it locally and so prevents DNS leaks. Many non-HTTP applications are usually torified with a small tool called torify, but that approach often has the same DNS leaking problem.



Note: for the Firefox browser, type about:config in the address bar, find the item network.proxy.socks_remote_dns and set it to true so that Firefox hands host names to the SOCKS proxy instead of resolving them itself; also find browser.safebrowsing.enabled and browser.safebrowsing.malware.enabled and set them to false, as Safe Browsing lookups are extra requests made in the background that you do not want sent on your behalf.




Configuring  Privoxy


Privoxy is a non-caching web proxy with advanced filtering capabilities for enhancing privacy, modifying web page data and HTTP headers, controlling access, and removing ads and other obnoxious Internet junk. Privoxy has a flexible configuration and can be customized to suit individual needs and tastes. It has application for both stand-alone systems and multi-user networks.



#vi /etc/privoxy/config


#Find the commented-out line that starts with "forward-socks5", uncomment it and make it look like this (the fields are the forward type, the URL pattern "/" meaning all requests, the SOCKS server, and "." meaning no further HTTP parent proxy):

forward-socks5   /   127.0.0.1:9050   .
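Before trusting either file it is worth linting them. The script below is an added example (it is not part of the original post or of proxychains, Privoxy or tortunnel) that checks the two settings edited above, plus two the article does not mention: proxy_dns in proxychains.conf, and Privoxy's listen-address, which must stay on loopback or the proxy becomes an open relay on your LAN. It assumes torproxy listens on 127.0.0.1:9050 and uses constructed "before" and "after" versions of both files to show a failing and a passing case; pass two real paths as arguments to lint your own files instead.

```shell
#!/bin/sh
# Lint /etc/proxychains.conf and /etc/privoxy/config before sending a scan through
# torproxy. Added example, not code from the original post. Assumes torproxy on
# 127.0.0.1:PORT; the sample configs written by write_samples are constructed.

# Print the last active (non-blank, non-comment) line of FILE matching REGEX.
last_active_line() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -E "$2" | tail -n 1
}

# check_proxychains FILE PORT
# 0 if the chain ends in "socks5 127.0.0.1 PORT" and proxy_dns is enabled.
check_proxychains() {
    file=$1; port=$2; rc=0
    if ! grep -Eq '^[[:space:]]*proxy_dns[[:space:]]*$' "$file"; then
        echo "proxychains: proxy_dns is off, host names resolve through your own resolver"
        rc=1
    fi
    entry=$(last_active_line "$file" '^[[:space:]]*(socks4|socks5|http)[[:space:]]') || true
    set -- $entry   # fields: type host port
    if [ "$1" != socks5 ]; then
        echo "proxychains: last proxy type is '${1:-none}', the article configures socks5"
        rc=1
    fi
    if [ "$2" != 127.0.0.1 ] || [ "$3" != "$port" ]; then
        echo "proxychains: proxy address is '$2 $3', expected 127.0.0.1 $port"
        rc=1
    fi
    return $rc
}

# check_privoxy FILE PORT
# 0 if every request is forwarded to SOCKS on 127.0.0.1:PORT with the host name
# resolved by the proxy (socks4a or socks5, never plain socks4), with no HTTP
# parent, and Privoxy itself only listens on loopback.
check_privoxy() {
    file=$1; port=$2; rc=0
    fwd=$(last_active_line "$file" '^[[:space:]]*forward-socks') || true
    set -- $fwd     # fields: forward-socksN  pattern  socks-host:port  http-parent
    case "$1" in
        forward-socks4a|forward-socks5) ;;
        *) echo "privoxy: forward type '${1:-none}' does not pass host names to the proxy"; rc=1 ;;
    esac
    if [ "$2" != / ] || [ "$3" != "127.0.0.1:$port" ] || [ "$4" != . ]; then
        echo "privoxy: expected 'forward-socks5 / 127.0.0.1:$port .', got '$fwd'"
        rc=1
    fi
    listen=$(last_active_line "$file" '^[[:space:]]*listen-address') || true
    set -- $listen  # fields: listen-address host:port; unset means Privoxy's default 127.0.0.1:8118
    case "$2" in
        ''|127.0.0.1:*|localhost:*|\[::1\]:*) ;;
        *) echo "privoxy: listen-address '$2' is reachable from the network, bind to 127.0.0.1:8118"; rc=1 ;;
    esac
    return $rc
}

# write_samples DIR: constructed before/after versions of both files.
write_samples() {
    cat > "$1/proxychains.bad" <<'EOF'
strict_chain
#proxy_dns
tcp_read_time_out 15000
[ProxyList]
socks4 127.0.0.1 9050
EOF
    cat > "$1/proxychains.good" <<'EOF'
strict_chain
proxy_dns
[ProxyList]
#socks4 127.0.0.1 9050
socks5 127.0.0.1 9050
EOF
    cat > "$1/privoxy.bad" <<'EOF'
listen-address 0.0.0.0:8118
forward-socks4 / 127.0.0.1:9050 .
EOF
    cat > "$1/privoxy.good" <<'EOF'
listen-address 127.0.0.1:8118
#forward-socks5 / 127.0.0.1:9050 .
forward-socks5 / 127.0.0.1:9050 .
EOF
}

# main [proxychains.conf privoxy-config]: lint real files, or the samples.
main() {
    if [ $# -eq 2 ]; then
        check_proxychains "$1" 9050; check_privoxy "$2" 9050; return
    fi
    d=$(mktemp -d); write_samples "$d"
    for f in proxychains privoxy; do
        for v in bad good; do
            if "check_$f" "$d/$f.$v" 9050; then echo "$f.$v: OK"; else echo "$f.$v: FAIL"; fi
        done
    done
    rm -r "$d"
}
main "$@"
```

Run it as `sh lint-proxies.sh /etc/proxychains.conf /etc/privoxy/config` after editing; every line it prints is a direct path to the target or your resolver that bypasses the tunnel. If you run torproxy on a port other than 9050, change the PORT argument in main accordingly.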









Configuring Tortunnel


As described above, Tortunnel is a partial Onion Proxy implementation that builds single-hop circuits straight to a Tor exit node instead of the usual three-hop circuit, trading most of Tor's anonymity for speed.


Download the source archive (linked here in the original post), unpack it, and build it; the install step needs root:

#cd tortunnel-master

#make && make install







To connect to an exit node we first need an exit node's IP address. Open Vidalia, open the Network Map and pick a node flagged as an exit; its IP address is shown in the panel on the right. (Vidalia has since been dropped by most distributions; the Tor project also publishes the current exit list at https://check.torproject.org/exit-addresses, which works without it.)









Now let's set up Tortunnel to have traffic run through it. torproxy puts a SOCKS interface on localhost port 9050; put an & at the end of the command to start it as a background job.

Note that the tor daemon installed above also listens on 127.0.0.1:9050 by default, so stop it (service tor stop) before starting torproxy, or run torproxy on another port and point proxychains and Privoxy at that port instead.

With the first form torproxy chooses the exit node itself:

#torproxy -p 9050 -r &

That's all you need to do, but if you have a specific exit node you want to tunnel through (the IP you looked up above), use this:

#torproxy -p 9050 -n <ip of exit node> &



Open your browser (or any other program) and point its HTTP proxy settings at Privoxy, which listens on 127.0.0.1 port 8118 by default; a SOCKS-aware program can use 127.0.0.1:9050 directly instead.






In addition, there is the small matter that you are not completely anonymous while scanning. A few sites reference the very nmap command used here and call it "safe". Not true! Nmap by default "pings" the remote host as part of its host discovery, sending ICMP and TCP probes straight to the target from your own address, and the probes of a SYN scan (-sS) are raw packets that proxychains never sees.

Let's contain this with an iptables rule that drops any packet addressed directly to the target, so only traffic that goes through the Tor exit node can reach it. The rule matches on the target address, so it leaves the connection to the exit node alone; make sure the target and the exit node are not the same host.

#iptables -A OUTPUT --dest [TargetIP] -j DROP

Delete the rule when the scan is done with the same command and -D in place of -A.




Speeding up NMAP with TorTunnel (Torproxy).


Let's address the issue of speed. Tortunnel sends your traffic directly to an exit node, bypassing two of the three hops and greatly improving the overall speed of your scans; nothing in torrc changes that. The tor daemon itself is still in use (Vidalia relies on it to fetch the exit node list, and you fall back to it whenever you want real three-hop circuits), and it can be made snappier by editing /etc/tor/torrc:

#vi /etc/tor/torrc

CircuitBuildTimeout 5

KeepalivePeriod 60

NewCircuitPeriod 15

NumEntryGuards 8

CircuitBuildTimeout gives up on circuits that take more than 5 seconds to build, NewCircuitPeriod considers building a fresh circuit every 15 seconds instead of the default 30, and KeepalivePeriod sends a padding cell every 60 seconds so idle connections to relays are not torn down. NumEntryGuards 8 trades anonymity for speed: Tor deliberately keeps the set of entry guards small so that a malicious relay has few chances to become your first hop, and raising it to 8 widens that exposure. Restart tor afterwards (service tor restart) for the settings to take effect.










Checking the IP address of the host machine


#apt-get install lynx


#proxychains lynx <a site that shows your public address, e.g. https://check.torproject.org/>

The address shown should be the exit node's, not yours; check.torproject.org will also tell you whether the address it sees is a known Tor exit.










Now scan the target with Nmap through the tunnel. -Pn skips host discovery (the ping probes that would otherwise leave your machine directly) and -sT forces a full TCP connect scan, the only scan type proxychains can redirect because it works by hooking the connect() call; a SYN scan (-sS), a UDP scan (-sU) or OS detection (-O) uses raw packets and would go straight to the target from your own address. Add -n as well, so nmap does not reverse-resolve the target's address over UDP, which proxychains does not carry either:

#proxychains nmap -n -Pn -sT -p 80,443,21,22,23 <target>
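The leaks discussed above (host discovery and raw-socket scan types on one side, direct routes to the target on the other) can be put behind a small wrapper. The script below is an added example, not from the original post or from the nmap, proxychains or tortunnel projects. It assumes torproxy and proxychains are already set up as described, uses documentation addresses (203.0.113.0/24 and 198.51.100.0/24) as placeholders for the target and exit node, and prints the iptables rules instead of applying them so you can review them first.

```shell
#!/bin/sh
# Leak guard for an nmap scan through proxychains + torproxy. Added example, not
# code from the original post or from any of the tools it uses. Addresses in the
# demo are documentation ranges (RFC 5737), not real hosts.

# proxychains only redirects TCP connect(); raw-socket scan types and host
# discovery go straight to the target from your own IP. Return 0 if every
# argument is safe to run behind the proxy, 1 (naming the culprit) otherwise.
nmap_args_safe() {
    for a in "$@"; do
        case "$a" in
            -sS|-sU|-sA|-sW|-sM|-sN|-sF|-sX|-sY|-sZ|-O|-A|--traceroute) ;;  # raw packets
            -sn|-PE|-PP|-PM|-PS*|-PA*|-PU*|-PY*|-PO*) ;;                    # host discovery
            *) continue ;;
        esac
        echo "unsafe nmap option for a proxied scan: $a" >&2
        return 1
    done
    return 0
}

# build_scan_cmd TARGET PORTS [extra nmap args]
# The page's command line plus -n: nmap's own reverse-DNS lookups use UDP, which
# proxychains does not carry, so they would leak the target to your resolver.
build_scan_cmd() {
    target=$1; ports=$2; shift 2
    extra=$*
    printf 'proxychains nmap -n -Pn -sT -p %s %s%s\n' "$ports" "${extra:+$extra }" "$target"
}

# leak_guard_rules TARGET EXIT_NODE
# Print iptables rules (not applied) that log and then drop anything addressed
# directly to TARGET (an IP or CIDR). Refuse if TARGET is the exit node itself,
# since the same rule would cut off torproxy; if you scan a CIDR that contains
# the exit node, narrow the range.
leak_guard_rules() {
    target=$1; exit_node=$2
    if [ "$target" = "$exit_node" ]; then
        echo "refusing: target and exit node are the same address" >&2
        return 1
    fi
    cat <<EOF
iptables -I OUTPUT 1 -d $target -j LOG --log-prefix "LEAK-TO-TARGET "
iptables -I OUTPUT 2 -d $target -j DROP
EOF
}

# leak_guard_remove TARGET: the matching -D lines for when the scan is done.
leak_guard_remove() {
    cat <<EOF
iptables -D OUTPUT -d $1 -j LOG --log-prefix "LEAK-TO-TARGET "
iptables -D OUTPUT -d $1 -j DROP
EOF
}

# run_scan TARGET EXIT_NODE PORTS [extra nmap args]
# Dry run: validates the options, then prints guard rules, a leak check, the
# scan command and the cleanup. Pipe each printed command into a root shell to
# actually apply it; a LEAK-TO-TARGET count above 0 in dmesg means something
# tried to reach the target outside the tunnel.
run_scan() {
    target=$1; exit_node=$2; ports=$3; shift 3
    nmap_args_safe "$@" || return 1
    leak_guard_rules "$target" "$exit_node" || return 1
    echo "dmesg | grep -c LEAK-TO-TARGET   # should stay 0 during the scan"
    build_scan_cmd "$target" "$ports" "$@"
    leak_guard_remove "$target"
}

run_scan 203.0.113.10 198.51.100.7 80,443,21,22,23
```

The wrapper deliberately accepts -sV and NSE scripts, which use ordinary TCP connections and so travel through the tunnel, while rejecting -A because it turns on OS detection and traceroute behind your back.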

