Socks - Port 1080
Basic info
Penetration testing SOCKS proxies is a vital aspect of assessing the security of networked environments where anonymity and traffic relaying are employed. SOCKS proxies (SOCKSv4, SOCKSv5) are often used in environments that aim to obscure source IPs or facilitate internal network access through tunneling. In this guide, we explore every practical angle of pentesting SOCKS proxies, from enumeration and fingerprinting to authentication bypasses and pivoting techniques.
SOCKS Proxy Fundamentals and Protocol Behavior
SOCKS is a transport layer proxy protocol that relays traffic between a client and server through a proxy server. Two main versions are commonly in use:
SOCKS4: Supports TCP only and lacks authentication.
SOCKS5: Supports TCP/UDP, domain name resolution, and various authentication methods (e.g., username/password, GSSAPI).
The typical port is 1080, but custom configurations may use non-standard ports.
Enumeration of SOCKS Proxies
Identifying Open SOCKS Proxies
Initial discovery can be performed using mass scanning techniques or through Shodan and Censys. To verify a suspected SOCKS proxy:
nmap -sS -p 1080 --script socks-open-proxy <target_ip>
For more aggressive testing:
proxychains nmap -Pn -sT -p- --script socks-auth-info <target_ip>
Detecting SOCKS Protocol Versions
Use tools such as nmap, proxycheck, or custom Python scripts to identify whether the proxy supports SOCKSv4 or SOCKSv5.
proxycheck -v <target_ip>:1080
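The version check above comes down to one round trip: send a SOCKS5 greeting and look at the first bytes the proxy answers with. A SOCKS5 server replies with its chosen authentication method (0x00 means it relays for anyone), while a SOCKS4 server answers a CONNECT with an 8-byte reply whose first byte is 0x00. The following is an added example of that decoding logic, written for this page and not taken from proxycheck or nmap; the function names are hypothetical and the sample replies are constructed byte strings, so only `probe()` actually touches the network.

```python
"""Added example: build SOCKS4/SOCKS5 handshake bytes and classify a proxy's
first reply to tell the protocol version and authentication policy apart.
Hypothetical helper code written for this page; sample replies are constructed.
"""
import socket
import struct

# RFC 1928 method-selection values a SOCKS5 server can answer the greeting with.
SOCKS5_METHODS = {
    0x00: "no authentication",
    0x01: "GSSAPI",
    0x02: "username/password",
    0xFF: "no acceptable method",
}

# SOCKS4 reply codes (second byte of the 8-byte reply; the first byte is always 0).
SOCKS4_CODES = {
    0x5A: "request granted",
    0x5B: "request rejected or failed",
    0x5C: "rejected: identd unreachable",
    0x5D: "rejected: identd user mismatch",
}


def build_socks5_greeting(methods=(0x00, 0x02)):
    """VER=5, NMETHODS, METHODS: by default offer no-auth and username/password."""
    return bytes([0x05, len(methods), *methods])


def build_socks4_connect(dst_ip, dst_port, user_id=b""):
    """VN=4, CD=1 (CONNECT), DSTPORT, DSTIP, USERID, NUL terminator."""
    return struct.pack("!BBH4s", 4, 1, dst_port, socket.inet_aton(dst_ip)) + user_id + b"\x00"


def classify_reply(data):
    """Map the first bytes a proxy sends back to (version, description)."""
    if len(data) >= 2 and data[0] == 0x05:
        method = data[1]
        return "SOCKS5", SOCKS5_METHODS.get(method, f"unknown method 0x{method:02x}")
    if len(data) >= 8 and data[0] == 0x00:
        code = data[1]
        return "SOCKS4", SOCKS4_CODES.get(code, f"unknown code 0x{code:02x}")
    return "unknown", "not a SOCKS reply"


def is_open_proxy(version, description):
    """An open proxy relays for anyone: SOCKS5 offering no-auth, or SOCKS4 granting CONNECT."""
    return (version == "SOCKS5" and description == "no authentication") or (
        version == "SOCKS4" and description == "request granted"
    )


def probe(host, port=1080, timeout=5):
    """Send a SOCKS5 greeting to host:port and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_socks5_greeting())
        reply = sock.recv(8)
    return classify_reply(reply)


if __name__ == "__main__":
    # Constructed replies standing in for real proxies (no network needed).
    for sample in (b"\x05\x00", b"\x05\x02", b"\x05\xff", b"\x00\x5a" + b"\x00" * 6):
        version, desc = classify_reply(sample)
        print(version, desc, "-> open" if is_open_proxy(version, desc) else "-> restricted")
```

A reply of `05 ff` means the server speaks SOCKS5 but rejected every offered method, which is worth distinguishing from a closed port: the service is there, it just wants a method you did not offer (GSSAPI, for instance).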
Authentication Testing and Bypass
SOCKSv5 may implement various authentication schemes. Testing includes:
No Authentication
If the server accepts no-auth (method 0x00):
ncat --proxy <ip>:1080 --proxy-type socks5 <target_host> <port>
Username/Password Brute-Forcing
Use hydra or medusa for brute-force attacks:
hydra -s 1080 -V -L users.txt -P passwords.txt socks5://<ip>
Exploiting Weak Authentication Configurations
In some configurations, proxies accept arbitrary credentials. This can be detected by repeatedly submitting invalid data and analyzing responses.
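Both of the conditions above leave a clear trace in the proxy's own authentication log: a brute-force run shows up as one source failing under many usernames, and an accept-anything misconfiguration shows up as one source succeeding under many unrelated usernames. The following is an added detection example written for this page; it is not the code of any proxy, the log format is constructed for the example, and the thresholds are assumptions to tune for your environment.

```python
"""Added example: flag SOCKS5 credential brute-forcing and accept-any-credential
misconfigurations from proxy authentication logs.
Hypothetical code written for this page; the log line format is constructed.
"""
import re
from collections import defaultdict

# Constructed sample lines: timestamp, result, username, client source address.
SAMPLE_LOG = """\
2024-01-01T10:00:01 socks5 auth ok user=alice src=10.0.0.1
2024-01-01T10:00:02 socks5 auth fail user=admin src=10.0.0.5
2024-01-01T10:00:02 socks5 auth fail user=root src=10.0.0.5
2024-01-01T10:00:03 socks5 auth fail user=test src=10.0.0.5
2024-01-01T10:00:03 socks5 auth fail user=guest src=10.0.0.5
2024-01-01T10:00:04 socks5 auth fail user=proxy src=10.0.0.5
2024-01-01T10:00:04 socks5 auth fail user=socks src=10.0.0.5
2024-01-01T10:00:05 socks5 auth ok user=qwe src=10.0.0.9
2024-01-01T10:00:05 socks5 auth ok user=zxc src=10.0.0.9
2024-01-01T10:00:06 socks5 auth ok user=asd src=10.0.0.9
2024-01-01T10:00:06 socks5 auth ok user=rty src=10.0.0.9
2024-01-01T10:00:07 socks5 auth fail user=alice src=10.0.0.1
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) socks5 auth (?P<result>ok|fail) user=(?P<user>\S*) src=(?P<src>[\d.]+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_bruteforce(events, threshold=5):
    """Sources with at least `threshold` failed logins (hydra/medusa style guessing)."""
    failures = defaultdict(int)
    for ev in events:
        if ev["result"] == "fail":
            failures[ev["src"]] += 1
    return {src: n for src, n in failures.items() if n >= threshold}


def find_accept_any(events, min_distinct_users=3):
    """Sources that authenticated successfully under many different usernames.
    One client succeeding as `min_distinct_users` or more distinct users is the
    signature of a proxy that accepts arbitrary credentials."""
    users = defaultdict(set)
    for ev in events:
        if ev["result"] == "ok":
            users[ev["src"]].add(ev["user"])
    return sorted(src for src, names in users.items() if len(names) >= min_distinct_users)


def analyse(text):
    """Run both detections over a log and return their findings together."""
    events = list(parse_log(text))
    return {"bruteforce": find_bruteforce(events), "accept_any": find_accept_any(events)}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

On the sample data 10.0.0.5 is reported for brute-forcing (six failures) and 10.0.0.9 for the accept-any pattern (four different usernames all succeeding); 10.0.0.1, one success and one typo, trips neither rule. A NAT gateway fronting many real users can also succeed under many usernames, so the accept-any rule is a lead to confirm against the proxy configuration rather than proof on its own.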
Tools for SOCKS Proxy Pentesting
proxychains: Route traffic through SOCKS proxies
nmap: Enumeration, script-based testing
msfconsole: Proxy-aware exploits and modules
socat: Port forwarding, chaining proxies
hydra: Credential brute-forcing on SOCKSv5
proxycheck: Identify open SOCKS proxies
Using SOCKS Proxies for Network Pivoting
When internal access is possible via SOCKS:
Proxy-Aware Pivoting
Use Metasploit with route add and the SOCKS proxy module:
use auxiliary/server/socks_proxy
set SRVHOST <local_ip>
set SRVPORT 1080
run
Then chain internal scans via:
proxychains nmap -Pn -sT -p- <internal_ip>
SSH + Dynamic Port Forwarding
ssh -D 1080 user@pivot-host
Then test access via proxychains:
proxychains firefox http://internal-web.local
Testing Real-World Exploitation Scenarios
Internal Web Service Access via SOCKS
Test internal HTTP apps, DNS services, and SMB shares:
proxychains smbclient -L //internal-host -U guest
Exploiting Services Behind SOCKS with Metasploit
Configure proxy in Metasploit:
set Proxies socks5:127.0.0.1:1080
Then launch modules like exploit/windows/smb/ms17_010_eternalblue.
Proxy Chaining for Deep Pivoting
In complex environments, multiple proxies may be chained:
proxychains ncat --proxy-type socks5 --proxy 127.0.0.1:1080 <target_host> <port>
Or using socat:
socat TCP-LISTEN:1081,fork SOCKS4A:127.0.0.1:internal.host:80,socksport=1080
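Every tool in the pivoting and chaining sections above (proxychains, ncat --proxy, socat's SOCKS4A address) performs the same exchange for each relayed connection: a CONNECT request naming the destination, and a reply whose status byte says whether the proxy could reach it. When a chained scan silently shows every port closed, that status byte is where the answer is. The following is an added example of the SOCKS5 side of that exchange, written for this page and not taken from any of those tools; the function names are hypothetical, the reply bytes are constructed, and only `socks5_connect()` uses the network.

```python
"""Added example: encode a SOCKS5 CONNECT request and decode the proxy's reply,
the per-connection exchange behind proxychains, ncat --proxy and socat.
Hypothetical code written for this page; sample replies are constructed.
"""
import socket
import struct

# RFC 1928 reply codes: the reason a relayed connection succeeded or failed.
SOCKS5_REPLY = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def build_connect_request(host, port):
    """VER=5 CMD=1 (CONNECT) RSV=0 ATYP DST.ADDR DST.PORT.
    IPv4 literals use ATYP=1; any other name is sent as ATYP=3 so the proxy
    resolves it itself (the SOCKS4A / proxychains proxy_dns behaviour)."""
    try:
        addr = b"\x01" + socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = b"\x03" + bytes([len(name)]) + name
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)


def parse_connect_reply(data):
    """Return (code, description, bound_addr, bound_port) from a complete reply."""
    if len(data) < 4 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 reply")
    code, atyp = data[1], data[3]
    if atyp == 0x01:
        addr, off = socket.inet_ntoa(data[4:8]), 8
    elif atyp == 0x03:
        n = data[4]
        addr, off = data[5:5 + n].decode("idna"), 5 + n
    elif atyp == 0x04:
        addr, off = socket.inet_ntop(socket.AF_INET6, data[4:20]), 20
    else:
        raise ValueError(f"unknown ATYP 0x{atyp:02x}")
    (port,) = struct.unpack("!H", data[off:off + 2])
    return code, SOCKS5_REPLY.get(code, f"unknown code 0x{code:02x}"), addr, port


def _recv_exact(sock, n):
    """Read exactly n bytes or raise; recv() alone may return a partial reply."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def socks5_connect(proxy_host, proxy_port, dest_host, dest_port, timeout=10):
    """Return a socket to dest_host:dest_port relayed through a no-auth SOCKS5 proxy."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    try:
        sock.sendall(b"\x05\x01\x00")  # greeting offering method 0x00 only
        if _recv_exact(sock, 2) != b"\x05\x00":
            raise ConnectionError("proxy requires authentication")
        sock.sendall(build_connect_request(dest_host, dest_port))
        head = _recv_exact(sock, 4)  # VER REP RSV ATYP; the rest depends on ATYP
        if head[3] == 0x01:
            rest = _recv_exact(sock, 6)
        elif head[3] == 0x03:
            n = _recv_exact(sock, 1)
            rest = n + _recv_exact(sock, n[0] + 2)
        elif head[3] == 0x04:
            rest = _recv_exact(sock, 18)
        else:
            raise ConnectionError("unknown address type in reply")
        code, desc, _, _ = parse_connect_reply(head + rest)
        if code != 0x00:
            raise ConnectionError(f"proxy could not reach target: {desc}")
        return sock
    except Exception:
        sock.close()
        raise


if __name__ == "__main__":
    # Constructed replies: a success, then "connection refused" for a closed port.
    for reply in (b"\x05\x00\x00\x01\x00\x00\x00\x00\x00\x00",
                  b"\x05\x05\x00\x01\x00\x00\x00\x00\x00\x00"):
        print(parse_connect_reply(reply))
```

Reply code 0x02 ("connection not allowed by ruleset") is the one to watch for on a pivot: it means the proxy reached the network but its ACL blocked that destination, which is a configuration finding rather than a dead host. Code 0x05 from a proxy is the same "connection refused" a direct connect would see, which is why a chained nmap -sT through this exchange still reports closed ports correctly.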