# Socks - Port 1080


## Basic info

Penetration testing SOCKS proxies is a vital aspect of assessing the security of networked environments where anonymity and traffic relaying are employed. SOCKS proxies (SOCKSv4, SOCKSv5) are often used in environments that aim to obscure source IPs or facilitate internal network access through tunneling. In this guide, we explore every practical angle of pentesting SOCKS proxies, from enumeration and fingerprinting to authentication bypasses and pivoting techniques.

### SOCKS Proxy Fundamentals and Protocol Behavior

SOCKS is a transport layer proxy protocol that relays traffic between a client and server through a proxy server. Two main versions are commonly in use:

* **SOCKS4**: Supports TCP only and lacks authentication.
* **SOCKS5**: Supports TCP/UDP, domain name resolution, and various authentication methods (e.g., username/password, GSSAPI).

SOCKS typically listens on port `1080`, but custom configurations may use non-standard ports.

***

## Enumeration of SOCKS Proxies

### Identifying Open SOCKS Proxies

Initial discovery can be performed using mass scanning techniques or through Shodan and Censys. To verify a suspected SOCKS proxy:

```bash
nmap -sS -p 1080 --script socks-open-proxy <target_ip>
```

For more aggressive testing:

```bash
proxychains nmap -Pn -sT -p- --script socks-auth-info <target_ip>
```

### Detecting SOCKS Protocol Versions

Use tools such as `nmap`, `proxycheck`, or custom Python scripts to identify whether the proxy supports SOCKSv4 or SOCKSv5.

```bash
proxycheck -v <target_ip>:1080
```

***

## Authentication Testing and Bypass

SOCKSv5 may implement various authentication schemes. Testing includes:

### No Authentication

If the server accepts the no-authentication method (`0x00`):

```bash
ncat --proxy <ip>:1080 --proxy-type socks5 <target_host> <port>
```

### Username/Password Brute-Forcing

Use `hydra` or `medusa` for brute-force attacks:

```bash
hydra -s 1080 -V -L users.txt -P passwords.txt socks5://<ip>
```

### Exploiting Weak Authentication Configurations

In some configurations, proxies accept arbitrary credentials. This can be detected by repeatedly submitting invalid data and analyzing responses.
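
The checks in this section all come down to reading a few reply bytes, so here is an added Python example (not from the original page) that parses them offline, for use when auditing a proxy you operate. It classifies a server's first reply as SOCKS4 or SOCKS5, names the method selected under RFC 1928, and flags RFC 1929 replies that report success for known-invalid credentials. The function names and sample bytes are constructed for illustration.

```python
# SOCKS5 method codes (RFC 1928, section 3) and SOCKS4 reply codes.
METHODS = {0x00: "no-auth", 0x01: "gssapi", 0x02: "username/password",
           0xFF: "no acceptable method"}
SOCKS4_REPLIES = {0x5A: "granted", 0x5B: "rejected",
                  0x5C: "identd unreachable", 0x5D: "identd mismatch"}


def socks5_greeting(methods=(0x00, 0x02)) -> bytes:
    """Client greeting: VER=0x05, NMETHODS, then one byte per offered method."""
    return bytes([0x05, len(methods), *methods])


def userpass_request(user: bytes, password: bytes) -> bytes:
    """RFC 1929 sub-negotiation: VER=0x01, ULEN, UNAME, PLEN, PASSWD."""
    if not (1 <= len(user) <= 255 and 1 <= len(password) <= 255):
        raise ValueError("username and password must be 1-255 bytes")
    return bytes([0x01, len(user)]) + user + bytes([len(password)]) + password


def classify_first_reply(reply: bytes) -> dict:
    """Identify the protocol version and outcome from the server's first reply."""
    if len(reply) == 2 and reply[0] == 0x05:
        name = METHODS.get(reply[1], f"unassigned/private 0x{reply[1]:02x}")
        return {"version": 5, "result": name, "unauthenticated": reply[1] == 0x00}
    if len(reply) == 8 and reply[0] == 0x00 and reply[1] in SOCKS4_REPLIES:
        # SOCKS4 replies start with a null version byte; the protocol has no auth.
        return {"version": 4, "result": SOCKS4_REPLIES[reply[1]],
                "unauthenticated": reply[1] == 0x5A}
    return {"version": None, "result": "not a SOCKS reply", "unauthenticated": False}


def accepts_arbitrary_credentials(auth_replies) -> bool:
    """True if any reply to a known-invalid login carries STATUS 0x00 (success)."""
    return any(len(r) == 2 and r[0] == 0x01 and r[1] == 0x00 for r in auth_replies)


# Constructed sample replies (not captured from a real server).
SAMPLES = {
    "open socks5": bytes.fromhex("0500"),
    "auth socks5": bytes.fromhex("0502"),
    "refusing socks5": bytes.fromhex("05ff"),
    "socks4 granted": bytes.fromhex("005a0050c000020a"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, classify_first_reply(raw))
```

A proxy that returns `05 00` to the default greeting, or `01 00` to a login you know is invalid, is misconfigured and should be restricted to authenticated clients.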

***

### Tools for SOCKS Proxy Pentesting

| Tool          | Purpose                             |
| ------------- | ----------------------------------- |
| `proxychains` | Route traffic through SOCKS proxies |
| `nmap`        | Enumeration, script-based testing   |
| `msfconsole`  | Proxy-aware exploits and modules    |
| `socat`       | Port forwarding, chaining proxies   |
| `hydra`       | Credential brute-forcing on SOCKSv5 |
| `proxycheck`  | Identify open SOCKS proxies         |

***

## Using SOCKS Proxies for Network Pivoting

When internal access is possible via SOCKS:

### Proxy-Aware Pivoting

Use Metasploit's `route add` command together with the `auxiliary/server/socks_proxy` module:

```bash
use auxiliary/server/socks_proxy
set SRVHOST <local_ip>
set SRVPORT 1080
run
```

Then chain internal scans via:

```bash
proxychains nmap -Pn -sT -p- <internal_ip>
```

### SSH + Dynamic Port Forwarding

```bash
ssh -D 1080 user@pivot-host
```

Then test access via proxychains:

```bash
proxychains firefox http://internal-web.local
```

***

## Testing Real-World Exploitation Scenarios

### Internal Web Service Access via SOCKS

Test internal HTTP apps, DNS services, and SMB shares:

```bash
proxychains smbclient -L //internal-host -U guest
```

### Exploiting Services Behind SOCKS with Metasploit

Configure the proxy in Metasploit:

```bash
set Proxies socks5:127.0.0.1:1080
```

Then launch modules like `exploit/windows/smb/ms17_010_eternalblue`.

### Proxy Chaining for Deep Pivoting

In complex environments, multiple proxies may be chained:

```bash
proxychains ncat --proxy-type socks5 --proxy 127.0.0.1:1080 <target_host> <port>
```

Or using `socat`:

```bash
socat TCP-LISTEN:1081,fork SOCKS4A:127.0.0.1:internal.host:80,socksport=1080
```

***

