Socks - Port 1080

Basic info

Penetration testing SOCKS proxies is a vital aspect of assessing the security of networked environments where anonymity and traffic relaying are employed. SOCKS proxies (SOCKSv4, SOCKSv5) are often used in environments that aim to obscure source IPs or facilitate internal network access through tunneling. In this guide, we explore every practical angle of pentesting SOCKS proxies, from enumeration and fingerprinting to authentication bypasses and pivoting techniques.

SOCKS Proxy Fundamentals and Protocol Behavior

SOCKS is a transport layer proxy protocol that relays traffic between a client and server through a proxy server. Two main versions are commonly in use:

• SOCKS4: Supports TCP only and lacks authentication.

• SOCKS5: Supports TCP/UDP, domain name resolution, and various authentication methods (e.g., username/password, GSSAPI).

The typical ports used include 1080, but custom configurations may use non-standard ports.

Enumeration of SOCKS Proxies

Identifying Open SOCKS Proxies

Initial discovery can be performed using mass scanning techniques or through Shodan and Censys. To verify a suspected SOCKS proxy:

nmap -sS -p 1080 --script socks-open-proxy <target_ip>

For more aggressive testing:

proxychains nmap -Pn -sT -p- --script socks-auth <target_ip>

Detecting SOCKS Protocol Versions

Use tools such as nmap, proxycheck, or custom Python scripts to identify whether the proxy supports SOCKSv4 or SOCKSv5.

proxycheck -v <target_ip>:1080

Authentication Testing and Bypass

SOCKSv5 may implement various authentication schemes. Testing includes:

No Authentication

If the server accepts no-auth (00):

ncat --proxy <ip>:1080 --proxy-type socks5 <target_host> <port>

Username/Password Brute-Forcing

Use hydra or medusa for brute-force attacks:

hydra -s 1080 -V -L users.txt -P passwords.txt socks5://<ip>

Exploiting Weak Authentication Configurations

In some configurations, proxies accept arbitrary credentials. This can be detected by repeatedly submitting invalid data and analyzing responses.

Tools for SOCKS Proxy Pentesting

Using SOCKS Proxies for Network Pivoting

When internal access is possible via SOCKS:

Proxy-Aware Pivoting

Use Metasploit with route add and SOCKS proxy modules.

use auxiliary/server/socks_proxy
set SRVHOST <local_ip>
set SRVPORT 1080
run

Then chain internal scans via:

proxychains nmap -Pn -sT -p- <internal_ip>

SSH + Dynamic Port Forwarding

ssh -D 1080 user@pivot-host

Then test access via proxychains:

proxychains firefox http://internal-web.local

Testing Real-World Exploitation Scenarios

Internal Web Service Access via SOCKS

Test internal HTTP apps, DNS services, and SMB shares:

proxychains smbclient -L //internal-host -U guest

Exploiting Services Behind SOCKS with Metasploit

Configure proxy in Metasploit:

set Proxies socks5:127.0.0.1:1080

Then launch modules like exploit/windows/smb/ms17_010_eternalblue.

Proxy Chaining for Deep Pivoting

In complex environments, multiple proxies may be chained:

proxychains ncat --proxy-type socks5 --proxy 127.0.0.1:1080 <target_host> <port>

Or using socat:

socat TCP-LISTEN:1081,fork SOCKS4A:127.0.0.1:internal.host:80,socksport=1080