After eons of poring over stackoverflow and man pages (<1 hour) I finally have nmap scanning tor hidden services. To shorten this process for others, I decided to write it up in a blog post.
This walkthrough assumes that you are on a fresh install of Ubuntu. Start off with the following command to ensure nmap, tor, and proxychains-ng are installed on your machine.
sudo apt-get install tor nmap proxychains4
By default proxychains4 points at tor: its config (/etc/proxychains4.conf) ends with a socks4 entry for 127.0.0.1:9050, which is the port tor's SOCKS proxy listens on. If tor is installed but not running, you can enter the following command to start it back up.
Now that we are set up, time for the scan. Since scanning over tor is abysmally slow, I will only scan the top 1000 ports, which is the default. We will be scanning a service that Alex created: scylla
proxychains4 nmap -Pn -sT -v scyllabyeatabumx.onion
Let's break down that scan. First things first, any scan you run must include the -Pn flag, because otherwise nmap will try to ping the target to check whether it is alive. Ping is ICMP, and Tor will not transmit it: Tor only carries TCP, which also means UDP scanning is off-limits. We use a connect scan (-sT) because the default SYN scan does not play well with proxychains: proxychains works by intercepting the connect() calls a program makes, while a SYN scan builds its own raw packets instead, so those never pass through the proxy. -v is just the verbose option to show more information during the scan. scyllabyeatabumx.onion is the onion address that we are scanning.
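To make the constraints above hard to forget, here is a small shell wrapper (an added example, not code from the original post) that refuses nmap options which cannot work through proxychains/Tor and otherwise runs the scan exactly as the post does. It assumes proxychains4 and nmap are on PATH, and the DRY_RUN variable is my own addition so the wrapper can be exercised without a running tor.

```shell
#!/bin/sh
# Added example, not code from the original post: a wrapper that refuses
# nmap options which cannot go through proxychains/Tor and otherwise runs
# "proxychains4 nmap ..." as in the post.
# Assumptions: proxychains4 and nmap are on PATH; DRY_RUN=1 (my own
# convention) prints the command instead of running it.

# tor_scan_check ARGS...: return 0 if ARGS are safe for a proxied scan,
# 1 otherwise (reason on stderr). Flags must be given separately (-Pn -sT);
# fused forms such as -sTV are not recognised by this simple check.
tor_scan_check() {
    have_pn=0
    have_st=0
    for arg in "$@"; do
        case "$arg" in
            -Pn) have_pn=1 ;;
            -sT) have_st=1 ;;
            # Raw-packet techniques never pass through the SOCKS proxy:
            # UDP scans (Tor carries TCP only), SYN/ACK/FIN-style scans,
            # OS detection and traceroute all craft packets below connect().
            -sU|-sS|-sA|-sN|-sF|-sX|-sW|-sM|-sO|-O|--traceroute)
                echo "refusing $arg: raw-packet option, cannot go through the proxy" >&2
                return 1 ;;
        esac
    done
    if [ "$have_pn" -ne 1 ]; then
        echo "missing -Pn: nmap's ping-based host discovery cannot traverse Tor" >&2
        return 1
    fi
    if [ "$have_st" -ne 1 ]; then
        echo "missing -sT: only a connect() scan is proxied by proxychains" >&2
        return 1
    fi
    return 0
}

# tor_scan ARGS...: validate, then run (or print, with DRY_RUN=1) the scan.
tor_scan() {
    tor_scan_check "$@" || return 1
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "proxychains4 nmap $*"
        return 0
    fi
    proxychains4 nmap "$@"
}
```

Usage is `tor_scan -Pn -sT -v scyllabyeatabumx.onion`; leaving out -Pn or -sT, or adding -sU or -sS, makes the wrapper exit with a message instead of starting a scan that would either hang or never touch the proxy.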
After a long wait, we finally have our scan results! Looks like port 8080 is open. Time to pwn Alex.