What’s the most anonymous active scanning technique?

Hello guys,

That’s my very first post here. I’m new to hacking and I’m learning the Reconnaissance phase. I’m also completely new to Networking… but I’m always thinking how to anonymize all my techniques. I would like to ask which are the most anonymous active recon techniques that you guys are applying today.

I already started doing a little research. Trying to figure it out, I gathered some interesting techniques that I would like to talk/share with you guys:

  • Idle / Zombie Scan
  • Proxychains + Tor + Nmap
  • Decoy and Fragmentation attacks

Well, since I’m just learning, I’m a little bit lost with all that info. My first intention was to understand how I could anonymize the following tools on the network: SpiderFoot, ReconDog, Red Hawk v.2, Devploit, Sn1per, etc…

But digging into it I found some technical issues about some techniques (nmap with proxy), for example:

  • “only normal TCP connections will be possible with the proxy, no SYN and FIN scan. (…) DNS lookup is not possible through the proxy”
  • “ICMP ping can not be done to see if a host is alive, since ICMP is not TCP. So you might need to skip the host discovery step if your targets are only accessible through the proxy (-Pn)”

From here, I found:

  • “To hide the scanning computer’s IP address, it was necessary to eliminate pinging by setting the -Pn flag. The -sT flag needed to be set in order to run the scan using TCP instead of UDP 4. The -sV flag allows for version scanning and does not leak the scanner’s IP address. The -O (OSDetection), and -A (OS detection, version detection, script scanning, and traceroute) did reveal the IP address because Nmap bypassed Proxychains during part of the execution”

From my little research, almost all of the content was directed to “Proxy + Tor + Nmap”, but what about the other tools? How can I manage them to run through Tor too? If Nmap + Tor doesn’t accept SYN scan, OS detection, traceroute, etc (without revealing IP)… how can I run an anonymous recon? The Idle Scan could handle the host discovering, but what about the rest of the recon? I was reading the post “How to Become Anonymous like Notorious Blackhats - Stealthiest Setup” and saw that: “don’t hack over tor” so… I’m kind of confused now. I really appreciate any opinion about that.

Ps: Sorry if it is a silly question, or if it sounds script kiddie because of the tools, but I’m really trying to understand and learn as much as possible here. So I really really really appreciate all answers from the Masters here! :fire:

Ps2: Sorry if my question wasn’t clear enough, English is not my main language.


I have never heard of any of the tools you mentioned but nmap and tor. I use proxychains for scans through nmap that I want anonymous. You can route just about anything through tor using proxychains. You can also use whatever proxies you want, not just tor, when using proxychains.


Hi @anon8932282,

Giving a straight answer is almost impossible. Indeed, being stealthy does not rely entirely on your proxies setup, your machine must be hardened too in order to avoid network fingerprinting, etc.

The best tip that I can give you is to set up a VPS then ask your provider for a pentesting authorization. This will allow you to conduct aggressive scans toward your target in a legal manner. It is surely the best way to improve your knowledge as well as figure out your issue.

P.S: Keep in mind that a lot of tools such as Nmap are not reliable behind proxies, triggering falsing and by consequence skewing your recon.

Hope it helps.


Proxychains with a standard nmap scan will work. My question to you would be why you would need TCP syn scans? Of course, they’re nice, but for ordinary recon, a standard nmap -A scan will do plenty.

Another thing I would recommend looking into is hooking into the Shodan database. They’ve scanned a lot of hosts slowly and with fragmentation, and they’ve already done the hard work.

Nmap actually has an NSE script to link in Shodan, so potentially you could “scan” a public IP just by querying the Shodan database, and that is the stealthiest you can get.

If you want something more aggressive, you may want to consider spinning up with a bulletproof host, or a VPS rented with cryptocurrency. This generally is what the bad guys will do. They’ll spin up a host with a fake identity, do their dirty work, and then burn it. I am not condoning doing anything shady, if they want to catch you they could get you through a correlation attack, so always use tor when connecting/provisioning a ‘burnable box’.

On top of this idea, I have had the idea to use Ansible to quickly provision pentesting boxes. @fraq :wink:


Have you looked into FIN scan or a connectionless scan? It’s all based upon how the packets work (correct me if I’m wrong).

First of all, thanks for all the answers! :grin:

Yes, I’m searching and learning about that. But my concern is about the IP leakage when Nmap bypasses the Proxychain during the part of the execution, as mentioned here


Do you have any guide/link about that in hands to share? I would really appreciate that.

About “conduct aggressive scan” it’s totally the opposite of what I’m searching for. Sorry, but I would disagree with you about the best way to learn. In my opinion, I think that trying to achieve the most precise reconnaissance goals with anonymous methods requires the most solid understanding of work flow and core concepts of networking, which provides a much deeper comprehension about what the fuck you’re doing, than just yelling for open ports. And of course, it doesn’t necessarily mean that’s an illegal scan. :innocent:


Actually, the SYN and FIN scans were just examples of what Nmap with --proxy can’t do. For my understanding, it’s a bad thing, and that’s what I’m trying to learn here. Since SYN scan can be logged too with the right config, FIN scan would be the best choice if my focus is to anonymize the scan. But like SYN, FIN is not possible. Which means that if I want to use Nmap with proxy I would use TCP connect() method, that uses the full 3-way handshake to connect and it’s easily spotted and logged. As mentioned here, “The -O (OS Detection), and -A (OS detection, version detection, script scanning, and traceroute) did reveal the IP address because Nmap bypassed Proxychains during part of the execution.”

About Shodan, I never dug into it. I’ll read about it, thank you.


I can’t correct you since I’m just learning it too :stuck_out_tongue_closed_eyes: but what I can s̶a̶y̶ copy about is that FIN scan employs the use of invalid packet header flags to elicit a response from a host regarding open ports.


The paper you posted describes which scans will leak the IP, you would simply avoid those combinations, which I don’t use any of those anyway. Sometimes OS detection but that can be done through plenty of other techniques.



What combinations do you use? What’s your technique?

Yes, now I’m trying to understand which kind of scan I necessarily need to leak my IP address to obtain the specific recon goal…

Well, aggressive scan or others. The point of my post was to encourage you to test by yourself several scanning ways in order to understand the inner working of networking as well as find the stealthiest way to reach your goal :slight_smile:

Will be posted soon


That’s exactly what I’m trying to learn. I’m just trying to connect all the dots. At the moment, it’s a lot of fucking dots floating around. :stuck_out_tongue_closed_eyes:

Please, let me be the first to know! Thanks for your help. :slight_smile:

If you want to understand why/how nmap leaks IPs maybe these two posts may help you to get started:


SELFPROMO MODE OFF :slight_smile:


Normal HTTP proxies, as well as SOCKSv4, only support TCP traffic, therefore any nmap flag that requires the transmission of UDP or ICMP packets will just not go through the proxy connection. That’s why, in your table you need to use -Pn to avoid leaking your IP by ICMP packets.

SOCKSv5 supports UDP, but looks like nmap does not support that (not yet) so, also anything that sends UDP packets will also be transmitted outside the proxy connection and therefore leak your IP. This is what happens with the -O flag. This flag will force nmap to send some UDP packets even when you specify -sT. Check the nmap documentation or the man page for details.

Anyway, as @Nitrax said, the best you can do is to try yourself and see what happens. You can use VMs or some cheap computer (Rpi) to set up a test environment and then just fire tcpdump at each end and see what you get.

Hope it helps.


@0x00pf Thanks a lot for sharing. I read both articles and now I understand much more about how to anonymize my scanning (and searching for more). :smile:

I’m still learning, but maybe we can discuss more about some techniques and approaches in the future as I’m testing and learning… if you don’t mind. :male_detective:


Sure… that is exactly what this community is for :slight_smile:


I’m not sure if anyone mentioned this, but try to also think of this from another angle. (Which is a core fundamental of infosec :wink: )

Research passive information gathering. The more information you have about the target the more ways you can reduce your ‘active information gathering’. You could utilize tools like theharvester or sites like www.shodan.io which allows you to first check cached information without ever connecting to your target or target network.

@mf_redstars Thanks for your suggestion, but as the title says, I’m searching for an active scanning technique. I’m trying to collect information that no more passive gathering can give.

Sure thing, good luck.

just use reverse worm scanning, listen on every port on every protocol and mirror attacks back at the origin and link in to the stream for known protocols, lazy scanning :slight_smile:

This topic was automatically closed after 30 days. New replies are no longer allowed.
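
The thread notes that a proxied Nmap run falls back to TCP connect() scans, which complete the handshake and are easy to log, and that FIN scans rely on invalid flag combinations. As an added example (not written by any poster in the thread), this sketch shows how a sensor on the scanned side could flag both patterns; the log format, thresholds and addresses are constructed assumptions.

```python
from collections import defaultdict

# Constructed sensor records, client-to-server packets only:
# "time src_ip:sport dst_ip:dport FLAGS" (S=SYN, A=ACK, F=FIN).
SAMPLE = """\
1.00 198.51.100.9:40001 192.0.2.10:22 S
1.02 198.51.100.9:40001 192.0.2.10:22 A
1.10 198.51.100.9:40002 192.0.2.10:80 S
1.12 198.51.100.9:40002 192.0.2.10:80 A
1.20 198.51.100.9:40003 192.0.2.10:443 S
1.22 198.51.100.9:40003 192.0.2.10:443 A
1.30 198.51.100.9:40004 192.0.2.10:3306 S
1.32 198.51.100.9:40004 192.0.2.10:3306 A
2.00 203.0.113.5:51000 192.0.2.10:25 F
2.01 203.0.113.5:51001 192.0.2.10:110 F
5.00 192.0.2.77:33000 192.0.2.10:443 S
5.01 192.0.2.77:33000 192.0.2.10:443 A
5.50 192.0.2.77:33000 192.0.2.10:443 FA
"""

def detect(log, port_threshold=4, window=10.0):
    """Return sorted (finding, source_ip) pairs for scan-like behaviour."""
    syn_seen = set()                # flows (src, dst) that opened with a SYN
    handshakes = defaultdict(list)  # (src_ip, dst_ip) -> [(time, dport)]
    findings = set()
    for line in log.strip().splitlines():
        ts, src, dst, flags = line.split()
        src_ip = src.rsplit(":", 1)[0]
        dst_ip, dport = dst.rsplit(":", 1)
        flow = (src, dst)
        if flags == "S":
            syn_seen.add(flow)
        elif flags == "F":
            # A legitimate close carries FIN+ACK; a bare FIN is a probe.
            findings.add(("fin-probe", src_ip))
        elif flags == "A" and flow in syn_seen:
            # Client ACK after its SYN: the three-way handshake completed.
            handshakes[(src_ip, dst_ip)].append((float(ts), int(dport)))
            syn_seen.discard(flow)  # count each handshake once
    for (src_ip, _dst_ip), events in handshakes.items():
        for t0, _port in events:
            ports = {p for t, p in events if t0 <= t <= t0 + window}
            if len(ports) >= port_threshold:
                # Many completed connections to distinct ports in a short window.
                findings.add(("connect-scan", src_ip))
                break
    return sorted(findings)
```

For a scan relayed through a proxy, the source address this reports is the proxy's exit, which is still enough to alert on and block.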