How to use nmap or netcat to scan Tor hidden services

If you want to scan a .onion address (also called a "hidden service") for open ports, running services or availability, you can use nmap or netcat to do that.

Of course you can also scan "normal" IP addresses or hosts through Tor to stay anonymous while doing port scans. Please do not abuse that!
Because Tor does not carry UDP or ICMP (the protocol mostly used by ping), scans with these protocols won't work. Also expect longer scan times because of the Tor protocol.
You can also test whether an .onion address is reachable ("if it's up"); for websites use port 80 or 443.

netcat scanning

Netcat is a really small and beautiful tool for simple (and also really complex) network tasks. It can also perform simple scans for open ports (zero-I/O mode, option -z).
You can use torify, torsocks or proxychains-ng to route your scan through Tor. For further instructions on proxychains-ng please read the section "Install proxychains-ng" on this page.

Example Code

Feel free to use netcat with the -v option for verbose output.

Torify or usewithtor:

torify nc -w 2 -z targetaddress.onion targetport

or Torsocks:

torsocks nc -w 2 -z targetaddress.onion targetport

or Proxychains-ng:

proxychains4 nc -w 2 -zv targetaddress.onion targetport

Results

If the port you selected is open: the port is reachable and a service is listening behind it.
If the connection is refused: there is no service on that port, or the service is down at the moment.
If the connection times out after a few seconds, you can assume that a firewall is blocking your request.
You can also set a higher value for the -w option to increase the time netcat waits for a response (the timeout).

Simple check if a service is up (including rudimentary response time output)

Copy & paste the following line into your terminal and modify the address (use your preferred program to send the traffic through Tor):

date +'%F %H:%M:%S.%N'; torsocks nc -w 2 -z targetaddress.onion targetport; date +'%F %H:%M:%S.%N'

This will show the start and end time of your request.
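The result rules and the timing one-liner above, combined into an added shell example that is not part of the original page: a wrapper around torsocks and netcat that prints start and end timestamps and turns netcat's exit code plus the elapsed time into an open / refused / timeout verdict. The function names, the integer-second comparison and the default timeout of 10 seconds are my own choices.

```shell
#!/bin/sh
# Added example (not from the original page): check one port of a hidden
# service through Tor, record the response time and classify the result
# using the rules from the text:
#   nc exit 0                      -> open
#   non-zero, returned well before -w -> refused (no service / service down)
#   non-zero, ran into the -w limit -> timeout (something is dropping us)

# classify_result EXIT_CODE ELAPSED_SECONDS TIMEOUT_SECONDS
# Pure function, so the logic can be tested without Tor being available.
classify_result() {
    exit_code=$1; elapsed=$2; timeout=$3
    if [ "$exit_code" -eq 0 ]; then
        echo open
    elif [ "$elapsed" -ge "$timeout" ]; then
        echo timeout
    else
        echo refused
    fi
}

# tor_port_check HOST PORT [TIMEOUT]
# Runs netcat in zero-I/O mode through torsocks, prints start/end time
# (GNU date %N gives nanoseconds, as in the one-liner above) and the verdict.
# Returns 0 only when the port is open, so it can be used in scripts.
tor_port_check() {
    host=$1; port=$2; timeout=${3:-10}
    start=$(date +%s)
    printf 'start %s\n' "$(date +'%F %H:%M:%S.%N')"
    torsocks nc -w "$timeout" -z "$host" "$port" 2>/dev/null
    rc=$?
    printf 'end   %s\n' "$(date +'%F %H:%M:%S.%N')"
    elapsed=$(( $(date +%s) - start ))
    verdict=$(classify_result "$rc" "$elapsed" "$timeout")
    printf '%s:%s %s (%ss, nc exit %s)\n' "$host" "$port" "$verdict" "$elapsed" "$rc"
    [ "$verdict" = open ]
}

# usage: ./torcheck.sh targetaddress.onion 80 [timeout]
if [ "$#" -ge 2 ]; then
    tor_port_check "$@"
fi
```

Tor has to build a circuit before the connection attempt even reaches the hidden service, so a refused connection also takes a few seconds; give -w a value comfortably above your usual circuit latency (10 rather than 2), or a slow circuit will be reported as a timeout.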

nmap scanning

Install proxychains-ng

Install package

A Debian package will also be provided in the coming days.
Arch Linux already provides ready-made packages.

Compiling from source

You can of course also compile proxychains-ng from source.

To do so, follow these steps:
  1. Download the latest source code from here
  2. Extract the files from the archive using: tar xvfj filename.tar.bz2
  3. Execute following commands:
    ./configure --prefix=/usr --sysconfdir=/etc
    make
    [optional] sudo make install
    [optional] sudo make install-config (installs proxychains.conf)
  4. That's it! If no error occurred, proxychains will now be available as: proxychains4

Running proxychains-ng from directory itself without installation

  1. Download the latest source code from here
  2. Extract the files from the archive using: tar xvfj filename.tar.bz2
  3. After building as described above (./configure and make), run: ./proxychains4 -f src/proxychains.conf nmap targetaddress.onion

Scanning

Be aware that nmap through Tor won't work with UDP or ping, so always use the -Pn option.
It is also recommended to restrict the scan to the ports you need (-p portnumber) because of the long scan times.

Example Code

proxychains4 nmap -Pn -sV -v -p targetport targetaddress.onion

Sample Output

user@hostname:~$ proxychains4 nmap -Pn -sV -v -p 22 mlaaki4cwrclnsmf.onion
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/local/lib/libproxychains4.so
[proxychains] DLL init: proxychains-ng 4.8.1

Starting Nmap 6.00 ( http://nmap.org ) at 2014-09-15 23:32 CEST
NSE: Loaded 17 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 23:32
Completed Parallel DNS resolution of 1 host. at 23:32, 0.01s elapsed
Initiating Connect Scan at 23:32
Scanning mlaaki4cwrclnsmf.onion (224.0.0.1) [1 port]
[proxychains] Strict chain ... 127.0.0.1:9050 ... mlaaki4cwrclnsmf.onion:22 ... OK
Discovered open port 22/tcp on 224.0.0.1
Completed Connect Scan at 23:32, 2.44s elapsed (1 total ports)
Initiating Service scan at 23:32
Scanning 1 service on mlaaki4cwrclnsmf.onion (224.0.0.1)
[proxychains] Strict chain ... 127.0.0.1:9050 ... mlaaki4cwrclnsmf.onion:22 ... OK
Completed Service scan at 23:32, 1.05s elapsed (1 service on 1 host)
NSE: Script scanning 224.0.0.1.
Nmap scan report for mlaaki4cwrclnsmf.onion (224.0.0.1)
Host is up (2.4s latency).
rDNS record for 224.0.0.1: all-systems.mcast.net
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.64 seconds

Multiple ports

user@hostname:~$ proxychains4 nmap -Pn -sV -v -p 22,80,443 kpvz7ki2v5agwt35.onion
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/local/lib/libproxychains4.so
[proxychains] DLL init: proxychains-ng 4.8.1

Starting Nmap 6.00 ( http://nmap.org ) at 2014-09-15 23:38 CEST
NSE: Loaded 17 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 23:38
Completed Parallel DNS resolution of 1 host. at 23:38, 0.01s elapsed
Initiating Connect Scan at 23:38
Scanning kpvz7ki2v5agwt35.onion (224.0.0.1) [3 ports]
[proxychains] Strict chain ... 127.0.0.1:9050 ... kpvz7ki2v5agwt35.onion:80 ... OK
Discovered open port 80/tcp on 224.0.0.1
[proxychains] Strict chain ... 127.0.0.1:9050 ... kpvz7ki2v5agwt35.onion:22 <--denied
[proxychains] Strict chain ... 127.0.0.1:9050 ... kpvz7ki2v5agwt35.onion:443 <--denied
Completed Connect Scan at 23:38, 2.40s elapsed (3 total ports)
Initiating Service scan at 23:38
Scanning 1 service on kpvz7ki2v5agwt35.onion (224.0.0.1)
[proxychains] Strict chain ... 127.0.0.1:9050 ... kpvz7ki2v5agwt35.onion:80 ... OK
Completed Service scan at 23:38, 7.83s elapsed (1 service on 1 host)
NSE: Script scanning 224.0.0.1.
Nmap scan report for kpvz7ki2v5agwt35.onion (224.0.0.1)
Host is up (0.76s latency).
rDNS record for 224.0.0.1: all-systems.mcast.net
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http nginx 1.2.1
443/tcp closed https

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.39 seconds
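As an added shell example for the Scanning section above (it is not part of the original page, nor code from proxychains-ng or nmap), the following wrapper writes a minimal proxychains.conf that points at Tor's SOCKS port, refuses nmap scan types that need raw sockets, and then runs the connect scan. The point of the check: proxychains only hooks the connect() and DNS calls of ordinary sockets, so a SYN scan (-sS, nmap's default when run as root), UDP scan, OS detection or traceroute would bypass the proxy and leave your own address directly. The sample outputs above were produced as an unprivileged user, which is why nmap fell back to "Connect Scan"; passing -sT makes that explicit. The 224.0.0.1 shown there is not a real address either: with proxy_dns, proxychains answers name lookups with fake addresses from remote_dns_subnet (224 by default) and resolves the real name at the SOCKS proxy, so the "rDNS record for 224.0.0.1" line carries no information about the hidden service. Function names, the config path and the PROXYCHAINS_CONF variable are my own choices.

```shell
#!/bin/sh
# Added example (not from the original page): run nmap through Tor with
# proxychains-ng, refusing options that would silently bypass the proxy.

# Write a minimal proxychains-ng config. 9050 is Tor's default SocksPort
# (Tor Browser uses 9150). proxy_dns makes hostnames (.onion included)
# resolve through the proxy instead of your local resolver.
write_proxychains_conf() {
    conf=$1
cat > "$conf" <<'EOF'
strict_chain
proxy_dns
remote_dns_subnet 224
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 127.0.0.1 9050
EOF
}

# Reject scan types that use raw sockets or ICMP: these are not routed
# through the SOCKS proxy at all. Only TCP connect scans (-sT) and the
# version/script probes run on top of them go through proxychains.
check_scan_args() {
    for arg in "$@"; do
        case "$arg" in
            -sS|-sU|-sA|-sW|-sM|-sN|-sF|-sX|-O|--traceroute)
                echo "refusing $arg: needs raw sockets and would bypass Tor" >&2
                return 1 ;;
        esac
    done
    return 0
}

# tor_nmap NMAP_ARGS...   e.g.  tor_nmap -sV -p 22,80,443 targetaddress.onion
# -Pn (no ping, see above) and -sT (connect scan) are always added.
tor_nmap() {
    conf=${PROXYCHAINS_CONF:-/tmp/proxychains-tor.conf}
    [ -f "$conf" ] || write_proxychains_conf "$conf"
    check_scan_args "$@" || return 1
    proxychains4 -f "$conf" nmap -Pn -sT "$@"
}

# usage: ./tornmap.sh -sV -p 22,80,443 targetaddress.onion
if [ "$#" -ge 1 ]; then
    tor_nmap "$@"
fi
```

If you prefer to use the system-wide /etc/proxychains.conf, make sure it contains the same socks5 127.0.0.1 9050 entry and proxy_dns, otherwise name resolution of the .onion address will fail or, worse, go to your local DNS server.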

Notice! You can use a separate hidden service for each port/service running on your machine.