Using Nmap With Proxychains In Kali Linux

by Sunny Hoi


To catch a hacker, digital forensic investigators must obtain a subpoena or search warrant to retrieve the logs.

Remember that a professional blackhat hacker will always know that it is safer to hack from an IP address that can’t be traced back to him or her.

We understand that each proxy has the previous IP address recorded. Hence, if an adversary were attempting to track you down, they could move from one proxy to another proxy which can reveal you through close examination of the log files.

Therefore, a clever blackhat hacker will likely use multiple proxies in different jurisdictions to increase their chances of remaining anonymous. Note that the jurisdiction may or may not relinquish its logs.

If an individual combines proxies in one chain, they will render it increasingly difficult for investigators to find the original IP address involved.

A cybersecurity professional understands the significance of increasing Tor anonymity and security.

If one or more of such proxies are located outside the victim’s jurisdiction, it renders it extremely improbable that any traffic can be ascribed to the attacker’s IP address.

Evidently, Kali Linux has the Proxychains tool for proxying your traffic.

Kali Linux users who want to find an alternative tool for proxying their traffic can also route all of their traffic through Tor using Whonix.

In this tutorial, you’ll learn how to use Nmap with Proxychains (Tor) in Kali Linux to hide your real IP address while scanning a target IP address. Proxies may also be obtained easily online if you find Tor to be slow.

Setting Up And Using Proxychains Before Scanning With Nmap

Before using Tor proxies to scan with Nmap, it is vital to ensure Proxychains is setup correctly in Kali Linux and that Tor is started.

Note that the default settings of the Proxychains configuration file (Proxychains.conf) are configured to use the Tor network.

Kali Linux: Nmap Scan With Proxychains

Before Starting A Nmap Scan (Avoid Host Discovery)

When using Nmap and Proxychains, you will have various options to choose from in Nmap.

Nmap in its default state carries out host discovery, and a port scan against every host it discovers is online.

We don’t recommend going through the default host discovery stage. The reason is that you may risk leaking your IP address during that stage.

For instance, your host could be probing the target directly without the proxy. This would be terrible operational security (OPSEC).

Hence, it is better to skip the TCP SYNC ping scan (-PS) when Proxychains is up and running.

To decrease the chances that Proxychains fails to tunnel your ping scan, just figure out an alternative way to determine whether the target host is up and running.

Our recommendation is to use another technique for figuring out if the target host is up. After that, proceed with the scanning stage.

Starting A Nmap Scan Using Proxychains

Once you have confirmed that Proxychains is ready to use, we can start a Nmap scan with Proxychains in Kali Linux.

Type the following command into the terminal:

proxychains nmap -Pn -n -sT <target IP>

As you can see, Nmap has various options for you to choose from such as:

  • -Pn
  • -n
  • -sT
  • -sS


The -Pn parameter skips the host discovery stage entirely. This option induces Nmap to try the desired scanning operations against all target IPs particularized.

Thus, this parameter will disable ping and port scan every target host.


When we are scanning through a proxy, we should always tell Nmap to refrain from rendering a reverse DNS resolution on the IPs it discovers. The reason is that your IP address can still be leaked indirectly through DNS requests.

You don’t want to render a reverse DNS resolution without a tunnel. Hence, skipping the name resolution is essential. Use the -n parameter with a proxy when you are Nmap scanning.

This option will reduce scanning times as DNS may be slow despite the stub resolver found within Nmap.


The -sT option is a TCP connect scan which the penetration tester deploys a connect system call to set up a network connection.

Nmap utilizes the call to draw information regarding every connection attempt.

This parameter serves as the default for penetration testers that lack raw packet privileges.

We have to use the -sT parameter. If not, Nmap will stick to using the SYN technique which would negate Proxychains.


-sS is the default and most well-known Nmap scan that is ran as root.

This parameter permits us to scan thousands of ports per second on a network that isn’t shielded by firewalls.

The method transmits a SYNC packet and proceeds to wait for a response.

Despite that this option never completes TCP connections, leaks are still possible as well.

Adding New Free Proxychains Proxy Lists

By default, Proxychains uses Tor which has its own unique free anonymous proxies.

If you need more proxies for Proxychains, you can enter the words “open proxies” into your preferred search engine to get free proxy lists for Proxychains easily.

From there, you may find websites that give you multiple proxies that work.


Nmap scans and perimeter scans, in general, can frequently be detected by intrusion detection (IDS) and intrusion prevention (IPS) systems.

Experienced hackers know how to bypass intrusion detection (IDS) and intrusion prevention (IPS) systems.

You can see that Tor, Proxychains, and Nmap can work together well. Nonetheless, you may look for fresh new proxies using the search engine of your choice.

Moreover, Nmap has the ability to utilize a script to brute force username and passwords over SMB which is beneficial for an ethical hacker.

The capabilities of Nmap also extend to being able to scan a target for vulnerabilities quickly which further illustrate the distinct features that Nmap provides to IT security professionals.

Hackers may also choose to use VPN and Tor at the same time which raises the common question on which is better: Tor over VPN or VPN over Tor? (Proxychains vs VPN)

IT Security professionals understand that VPNs are not perfect, but that alone doesn’t halt the usage of VPNs at all.

Clearly, anonymity is an exceedingly complex issue with differing perspectives that cannot be resolved quickly.

Related Posts