SOCKS Proxies

A SOCKS (Secure Socket) Proxy exchanges network packets between a client and a server. A common implementation of a proxy server is found in web proxies - where a browser will connect to the proxy, which relays requests to the destination website and back to the browser (performing filtering etc along the way). We can use this idea in an offensive application by turning our C2 server into a SOCKS proxy to tunnel external tooling into an internal network.

This is particularly helpful when we want to leverage toolsets such as Impacket. Windows doesn't have a native capability to execute Python, so being able to execute them on our own system and tunnel the traffic through Beacon can expand our arsenal of available tooling. It also carries additional OPSEC advantages - since we're not pushing offensive tooling onto the target or even executing any code on a compromised endpoint, it can shrink our footprint for detection.

Cobalt Strike has both a SOCKS4a and SOCKS5 proxy. The main difference between them is that only SOCKS5 supports authentication and has some additional logging capabilities.

Use the socks command on the Beacon that you want to act as the pivot point.

To start a SOCKS4a proxy simply run:

beacon> socks 1080

\

For SOCKS5:

beacon> socks 1080 socks5 disableNoAuth socks_user socks_password enableLogging

The enableLogging option sends additional logs (such as authentication failures) to the VM console, which you unfortunately can't see easily when the team server running as a service. Instead, you can use journalctl: \

ubuntu teamserver[687]: [*] SOCKS5 (18): ********** Constructing Socks5Command **********
ubuntu teamserver[687]: [*] SOCKS5 (18): Greeting: NoAuth Authentication offered: 0
ubuntu teamserver[687]: [*] SOCKS5 (18): Greeting: UserPwd Authentication offered: 2
ubuntu teamserver[687]: [*] SOCKS5 (18): sendChosenAuthentication: Chosen Authentication Type: 2
ubuntu teamserver[687]: [*] SOCKS5 (18): verifyUserPwd: Verifying User/Password Authentication
ubuntu teamserver[687]: [*] SOCKS5 (18): verifyUserPwd: Verifying user:
ubuntu teamserver[687]: [-] SOCKS5 (18): Invalid login attempt from user:
ubuntu teamserver[687]: [-] SOCKS (18): Socks Error

\

You will then see port 1080 bound on the team server VM.

attacker@ubuntu ~> sudo ss -lpnt
State    Recv-Q   Send-Q     Local Address:Port        Peer Address:Port   Process
LISTEN   0        128                    *:1080                   *:*       users:(("TeamServerImage",pid=687,fd=13))

OPSEC Since this is bound on all interfaces, any device that has network access to the team server VM may, in theory, interact with the SOCKS traffic. Even though this should not be the case, the use of SOCKS5 gives an additional layer of protection.