3

When I run nmap from my Ubuntu workstation, Tor ports are shown (as closed) on our server.

```
Starting Nmap 5.21 ( http://nmap.org ) at 2013-03-12 10:22 CDT
Nmap scan report for xx.xx.xx.xx
Host is up (0.062s latency).
Not shown: 985 filtered ports
PORT     STATE  SERVICE
20/tcp   closed ftp-data
21/tcp   open   ftp
80/tcp   open   http
443/tcp  open   https
2020/tcp open   xinupageserver
3306/tcp open   mysql
9000/tcp closed cslistener
9001/tcp closed tor-orport
9002/tcp closed unknown
9003/tcp closed unknown
9009/tcp closed unknown
9010/tcp closed unknown
9011/tcp closed unknown
9040/tcp closed tor-trans
9050/tcp closed tor-socks
```

These ports are not displayed in an nmap scan originating from Red Hat:

```
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-03-12 09:42 CDT
Interesting ports on mugglenet.com (xx.xx.xx.xx):
Not shown: 1674 filtered ports
PORT     STATE  SERVICE
20/tcp   closed ftp-data
21/tcp   open   ftp
80/tcp   open   http
443/tcp  open   https
2020/tcp open   xinupageserver
3306/tcp open   mysql
```

I know that the systems are running different versions of Nmap. Do newer versions of Nmap scan common Tor ports by default?

Chris Montanaro

How are you running `nmap` and can't you run the same version of `nmap` on each server? – Oli Mar 12 '13 at 15:41

2 Answers

1

Nmap uses its own "/etc/service" file for reference to additional ports. On Ubuntu it is located at /usr/share/nmap/nmap-services. As this question is a bit old, and I couldn't verify this for the CentOS 4.11 version, my belief is that the Nmap version on CentOS uses the regular /etc/services for port disclosure.

Quickly grepping /usr/share/nmap/nmap-services on an Ubuntu box provides the above info:

```
grep '^tor' /usr/share/nmap/nmap-services
tor-orport  9001/tcp    0.001216    # Tor ORPort
tor-trans   9040/tcp    0.000301    # Tor TransPort, www.torproject.org
tor-socks   9050/tcp    0.000703    # Tor SocksPort, www.torproject.org
tor-control 9051/tcp    0.000025    # Tor ControlPort, www.torproject.org
```

fugitive
1

Tor is a unique service in how it operates - a default Tor installation doesn't have any ports you can sniff with an nmap scan from another system.

Assuming you have a default install of the Tor process, without any additional configuration on it, and only running so you can stick your browser and things to a SOCKS proxy to go into and over Tor, then this is the only listening port for Tor: (this is from netstat -tulpn)

```
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      -
```

Unless you are scanning your system from locally, you won't see a Tor port, since 9050 is bound only to localhost, which is only able to be accessed from the machine itself.

So, unless you open up the Tor proxy port binding to bind to one of the IP addresses assigned to the system and NOT to the local machine's 127.0.0.1 address, you won't see anything show up on an nmap scan from an external system that is not the system running Tor itself.

The only way any port scanner, nmap or otherwise, would see this is if you're running a local portscan from your system itself, and not from another IP address on the network. So, regardless of the version of nmap it can't scan non-open ports. Something bound to your localhost (127.0.0.1) just can't be scanned from externally.

Thomas Ward
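
The loopback-versus-external binding distinction in the answer above can be checked on the server itself by classifying each listener in `netstat -tulpn` output. This is an added example, not part of the original answers; the function names are hypothetical, and only the `127.0.0.1:9050` row of the sample comes from the page (the other rows are constructed).

```python
import ipaddress

# Constructed sample in `netstat -tulpn` format. Only the 127.0.0.1:9050 row
# appears in the answer above; every other row is made up for illustration.
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 192.0.2.10:9001         0.0.0.0:*               LISTEN      -
tcp6       0      0 ::1:631                 :::*                    LISTEN      -
tcp6       0      0 :::443                  :::*                    LISTEN      -
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -
"""

def classify(host):
    """Classify a bind address; raises ValueError if it is not an IP address."""
    addr = ipaddress.ip_address(host.split("%")[0])  # drop any IPv6 zone id
    if addr.is_loopback:
        return "loopback-only"      # reachable only from the machine itself
    if addr.is_unspecified:
        return "all-interfaces"     # 0.0.0.0 or :: binds every address
    return "specific-address"

def parse_listeners(text):
    """Return (proto, host, port, scope) for each listening socket row."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue                # header or unrelated line
        if fields[0].startswith("tcp") and "LISTEN" not in fields:
            continue                # TCP rows must be in LISTEN state
        host, _, port = fields[3].rpartition(":")  # ":::443" -> "::", "443"
        try:
            rows.append((fields[0], host, int(port), classify(host)))
        except ValueError:
            continue                # unparseable address or port
    return rows

def externally_bound_ports(text):
    """Ports bound to a non-loopback address (a firewall may still filter them)."""
    return sorted({p for _, _, p, scope in parse_listeners(text)
                   if scope != "loopback-only"})

if __name__ == "__main__":
    for proto, host, port, scope in parse_listeners(SAMPLE):
        print(f"{proto:5} {host:>12}:{port:<5} {scope}")
    print("bound beyond loopback:", externally_bound_ports(SAMPLE))
```

On a live host, pass the text captured from `netstat -tulpn` to `parse_listeners` in place of `SAMPLE`.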