So for a while now I’ve wanted a way to better use Nmap with proxychains and essentially I’ve resulted in a fairly simple one-liner that has worked for me for a while now on basic port scanning. It’s a trivial concept but really does speed up the process with no negative affect from what I can tell. Obviously you have to be careful on how many threads you permit with Xargs but other than that its pretty straight forward.

A couple of options that you may consider when pivoting with proxychains is possibly multiple hosts with a low number of ports or the alternative being a large amount of ports against one host. Depending on your usage may depend on how you use it because you always have to remember how stealthy you want to be before doing this type of attack. If you’re using this on an internal pentest then you may not worry so much about stealth, but if you’re running this on a Red Team engagement you will want to manipulate the Nmap flags accordingly.

Using the traditional way of running proxychains with Nmap it took 193.62 seconds to finish. An example of this usage has been shown below:

proxychains nmap -p 1-1000 -sT -Pn --open -n -T4 --min-parallelism 100 --min-rate 1 --oG proxychains_nmap_old --append-output <IP Address>

Bringing Xargs into the loop with a thread count of 50 dramatically improves the results and only took 9 seconds to complete. An example of this usage has been shown below:

seq 1 1000 | xargs -P 50 -I{} proxychains nmap -p {} -sT -Pn --open -n -T4 --min-parallelism 100 --min-rate 1 --oG proxychains_nmap --append-output <IP Address>

If you want to run multiple ports or port ranges against multiple hosts you could use the following alternative:

seq 1 254 | xargs -P 50 -I{} proxychains nmap -p 80,443,3389,445,22 -sT -Pn --open -n -T4 --min-parallelism 100 --min-rate 1 --oG proxychains_nmap --append-output 192.168.1.{}

Then grep the output for open ports: