hacktricks/network-services-pentesting/1080-pentesting-socks.md
2024-02-10 17:52:19 +00:00

15 KiB

1080 - Pentesting Socks

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Basic Information

SOCKS is a protocol used for transferring data between a client and server through a proxy. The fifth version, SOCKS5, adds an optional authentication feature, allowing only authorized users to access the server. It primarily handles the proxying of TCP connections and the forwarding of UDP packets, operating at the session layer (Layer 5) of the OSI model.

Default Port: 1080

Enumeration

Authentication Check

nmap -p 1080 <ip> --script socks-auth-info

To perform a brute force attack, you can use tools like Hydra or Medusa. These tools allow you to automate the process of trying different combinations of usernames and passwords until you find the correct ones.

Here is an example of how to use Hydra to perform a brute force attack on an SSH server:

hydra -l <username> -P <passwords_file> <target_ip> ssh
  • <username>: The username you want to use for the attack.
  • <passwords_file>: A file containing a list of passwords to try.
  • <target_ip>: The IP address of the target SSH server.

You can also specify other options, such as the number of parallel connections to use (-t), the timeout for each connection (-w), and the output file to save the results (-o).

Tips and considerations

When performing a brute force attack, there are a few things to keep in mind:

  • Use a strong password list: The success of a brute force attack depends on the quality of the password list. Make sure to use a comprehensive list that includes common passwords, dictionary words, and variations of them.
  • Use a good username list: Similar to the password list, the username list should be well-curated. Include common usernames, default usernames for the target service, and any other relevant usernames.
  • Be mindful of account lockouts: Some services have mechanisms in place to prevent brute force attacks by locking out accounts after a certain number of failed login attempts. Take this into consideration and adjust your attack accordingly.
  • Use rate limiting: To avoid detection and potential IP blocking, you can use rate limiting options in the brute force tool to limit the number of login attempts per second.
  • Monitor logs: Keep an eye on the target system's logs to detect any suspicious activity or failed login attempts. This can help you identify if your attack is being detected or if you are making progress.

Remember, brute force attacks can be time-consuming and resource-intensive. It's important to have a clear objective and prioritize your targets to make the most efficient use of your time and resources.

nmap --script socks-brute -p 1080 <ip>

Qapla' lo'wI'

Advanced usage

Qapla' lo'wI'

Advanced usage

nmap  --script socks-brute --script-args userdb=users.txt,passdb=rockyou.txt,unpwdb.timelimit=30m -p 1080 <ip>

Output

1080 - Pentesting Socks

Introduction

Socks is a protocol that allows clients to communicate with servers through a proxy server. It provides a way to bypass network restrictions and anonymize internet traffic. In this section, we will explore the different aspects of Socks and how to perform penetration testing on Socks servers.

Socks Versions

There are several versions of the Socks protocol, including Socks4, Socks4a, and Socks5. Each version has its own features and capabilities. It is important to understand the differences between these versions in order to effectively test and exploit Socks servers.

Socks4

Socks4 is the oldest version of the Socks protocol. It supports only IPv4 addresses and does not provide any authentication mechanism. This makes it vulnerable to abuse and exploitation. Pentesters can leverage this vulnerability to gain unauthorized access to Socks servers and perform various attacks.

Socks4a

Socks4a is an extension of the Socks4 protocol that adds support for domain name resolution. This allows clients to resolve domain names through the Socks server, even if the server does not support DNS resolution. Pentesters can use this feature to bypass network restrictions and access resources that are blocked by domain name.

Socks5

Socks5 is the most recent version of the Socks protocol. It introduces several improvements over previous versions, including support for both IPv4 and IPv6 addresses, authentication mechanisms, and advanced features such as UDP and IPv6 traffic forwarding. Pentesters can take advantage of these features to perform more sophisticated attacks on Socks servers.

Pentesting Socks Servers

When pentesting Socks servers, there are several areas that should be tested, including:

  • Authentication: Test the authentication mechanisms supported by the Socks server and look for vulnerabilities that could allow unauthorized access.
  • Proxy functionality: Test the proxy functionality of the Socks server, including its ability to forward traffic and handle different types of requests.
  • Traffic analysis: Analyze the network traffic between the client, Socks server, and target server to identify potential vulnerabilities or information leaks.
  • Exploitation: Exploit any vulnerabilities found in the Socks server to gain unauthorized access or perform other malicious activities.

Tools for Pentesting Socks Servers

There are several tools available for pentesting Socks servers, including:

  • SocksCap: A Windows application that allows applications to use Socks proxies.
  • Proxychains: A tool that allows applications to use proxy servers, including Socks proxies.
  • Burp Suite: A popular web application testing tool that can be used to test the proxy functionality of Socks servers.
  • Wireshark: A network protocol analyzer that can be used to analyze the network traffic between the client, Socks server, and target server.

Conclusion

Pentesting Socks servers is an important aspect of network security testing. By understanding the different versions of the Socks protocol and the vulnerabilities associated with them, pentesters can effectively test and exploit Socks servers to identify potential security weaknesses and protect against unauthorized access.

PORT     STATE SERVICE
1080/tcp open  socks
| socks-brute:
|   Accounts
|     patrik:12345 - Valid credentials
|   Statistics
|_    Performed 1921 guesses in 6 seconds, average tps: 320

Tunneling and Port Forwarding

Basic proxychains usage

Setup proxy chains to use socks proxy


qIb 'ej Port Forwarding

Basic proxychains lo'laHbe'

Setup proxy chains to use socks proxy

nano /etc/proxychains4.conf

Edit the bottom and add your proxy


Proxy

A proxy is an intermediary server that acts as a gateway between a client and the internet. It allows clients to make indirect network connections to other servers, providing various benefits such as anonymity, caching, and filtering.

When conducting a penetration test, using a proxy can be beneficial for several reasons:

  • Anonymity: By routing your traffic through a proxy, you can hide your IP address and location, making it harder for your activities to be traced back to you.
  • Traffic interception: Proxies can intercept and analyze network traffic, allowing you to inspect and modify requests and responses. This can be useful for identifying vulnerabilities and testing security controls.
  • Circumventing restrictions: Proxies can help bypass network restrictions and access blocked websites or services.
  • Caching: Proxies can cache frequently accessed content, reducing bandwidth usage and improving performance.
  • Load balancing: Proxies can distribute incoming traffic across multiple servers, ensuring optimal resource utilization and high availability.

There are different types of proxies, including HTTP proxies, SOCKS proxies, and reverse proxies. Each type has its own characteristics and use cases.

SOCKS Proxy

A SOCKS (Socket Secure) proxy is a protocol that allows for the exchange of network packets between a client and a server through a proxy server. SOCKS proxies can handle various types of traffic, including TCP and UDP, making them versatile for different applications.

To use a SOCKS proxy, you need to configure your client or application to connect to the proxy server. This can usually be done by specifying the proxy server's IP address and port number.

Here is an example of how to configure a SOCKS proxy in different applications:

  • Web browser: In the browser's network settings, specify the SOCKS proxy server's IP address and port number.
  • Command-line tools: Use the --proxy or --socks-proxy option followed by the proxy server's IP address and port number.
  • Curl: Use the --proxy socks5://<proxy_ip>:<proxy_port> option.
  • Nmap: Use the --proxy socks5 <proxy_ip>:<proxy_port> option.

When using a SOCKS proxy, all traffic from the client is sent through the proxy server, which then forwards the traffic to the destination server. This allows for greater flexibility and control over the network connections.

Setting Up Your Own SOCKS Proxy

To set up your own SOCKS proxy, you can use tools like ssh or proxychains. These tools allow you to create an encrypted tunnel to a remote server and forward your traffic through it.

Here is an example of how to set up a SOCKS proxy using ssh:

  1. Open a terminal and run the following command:

    ssh -D <local_port> <username>@<remote_server>
    

    Replace <local_port> with the port number you want to use for the SOCKS proxy, <username> with your username on the remote server, and <remote_server> with the IP address or hostname of the remote server.

  2. Configure your client or application to use the SOCKS proxy. Set the proxy server's IP address to 127.0.0.1 and the port number to <local_port>.

    For example, if you set <local_port> to 1080, you would configure your client to connect to 127.0.0.1:1080.

  3. All traffic from your client will now be routed through the SOCKS proxy and forwarded to the internet.

Using a SOCKS proxy can provide an additional layer of security and privacy when conducting penetration tests or browsing the internet. It allows you to control and manipulate network traffic, making it a valuable tool for various hacking techniques.

socks5 10.10.10.10 1080

1080 - Pentesting SOCKS

Introduction

SOCKS (Socket Secure) is a protocol that allows a client to establish a connection through a proxy server. It is commonly used for bypassing network restrictions and anonymizing internet traffic. In this section, we will explore various techniques for pentesting SOCKS servers.

Pentesting SOCKS Servers

1. Enumerating SOCKS Servers

To begin the pentest, we need to identify the SOCKS servers present on the target network. We can use tools like Nmap or Masscan to scan for open SOCKS ports (usually port 1080). Once we have a list of potential targets, we can proceed with further analysis.

2. Testing SOCKS Proxy Functionality

Once we have identified a SOCKS server, we can test its proxy functionality by configuring our browser or other applications to use the SOCKS server as a proxy. We can then browse the internet or perform other network activities to ensure that the traffic is being routed through the SOCKS server.

3. Exploiting SOCKS Server Misconfigurations

Misconfigurations in SOCKS servers can lead to various security vulnerabilities. Some common misconfigurations include allowing unauthorized access, not enforcing authentication, or allowing connections to restricted networks. By exploiting these misconfigurations, an attacker can gain unauthorized access or perform other malicious activities.

4. Brute-Forcing SOCKS Credentials

If the SOCKS server enforces authentication, we can attempt to brute-force the credentials to gain unauthorized access. Tools like Hydra or Medusa can be used to automate the brute-forcing process. It is important to use a strong wordlist and implement rate limiting to avoid detection.

5. Exploiting SOCKS Server Vulnerabilities

SOCKS servers may have vulnerabilities that can be exploited to gain unauthorized access or perform other malicious activities. It is important to keep an eye on security advisories and research for any known vulnerabilities in the specific SOCKS server software being used. Exploits can be developed or modified to target these vulnerabilities.

6. Analyzing SOCKS Server Logs

Analyzing the logs of a SOCKS server can provide valuable information about the server's configuration, user activity, and potential security issues. By analyzing the logs, we can identify any suspicious or unauthorized activities and take appropriate actions to mitigate them.

Conclusion

Pentesting SOCKS servers is an important aspect of network security testing. By identifying and exploiting vulnerabilities in SOCKS servers, we can assess the security posture of the target network and recommend appropriate remediation measures. It is important to follow ethical guidelines and obtain proper authorization before conducting any pentesting activities.

socks5 10.10.10.10 1080 username password

More info: Tunneling and Port Forwarding

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks: