What is a Proxy?
To be able to understand ProxyChains and how they operate, we first need to understand what a proxy is. A proxy or a proxy server is a system that acts as a “middleman” between a client and a server. It is typically used to reroute traffic or to prevent threat actors from entering a private network.
A good example of a proxy is Burp Suite, commonly known as Burp. Burp acts as an HTTP proxy between a client web browser and the target web application. The browser sends a request to Burp which then allows burp to intercept, inspect, and modify the web traffic to and from the web application.
What is ProxyChains?
ProxyChains is a tool that redirects TCP connections made by applications, through various proxies like SOCKS4, SOCKS5, or HTTP. It is an open-source project for GNU/Linux systems. ProxyChains can string multiple proxies together to make it harder to identify the original IP address. These chains are often used in red team engagements to make it difficult for blue teamers to trace the original IP address. While using ProxyChains, you are able to use various tools such as SSH, telnet, wget, and Nmap to evade detection.
You have three configuration options while using ProxyChains: Dynamic, Strict, and Random.
Dynamic chain: This allows us to run our traffic through every proxy on the list. If one proxy is not responding it will be skipped and automatically move to the next proxy. At least one proxy must be available for the chain to work.
Strict chain: All proxies in the list will be used and chained in the assigned order. Unlike a dynamic chain, all proxies must be responsive in a strict chain for it to work.
Random chain: All proxies will be selected at random. We could optionally specify the number of proxies to use.
Using Nmap with ProxyChains
Merging Nmap and ProxyChains is a very common technique used to route traffic to an internal network when doing penetration tests. This combination of tools effectively allows us to funnel all of Nmap’s traffic through a SSH SOCKS5 proxy through a pivot laptop in a client’s environment.
To launch Nmap and ProxyChains run this command
proxychains nmap -sS <Target’s IP Address>
Tunneling with Metasploit
Metasploit is an open-source framework that Is used to probe vulnerabilities on networks and servers. It is a powerful platform that’s used by cybercriminals and penetration testers alike.
After getting a foothold into a network or server with Metasploit, you can leverage the SOCKS5 proxy module and then specify what port you want the proxy to bind to. Use the following commands to start up the SOCKS5 proxy server to relay connections:
set SRVPORT <port number>
Connecting to a target using Remmina and ProxyChains
Remmina is a type of remote desktop client that allows screen and file sharing to your desktop. Remmina can be used in conjunction with ProxyChains connect to a target host through a remote desktop. In this example, we will SSH to a laptop on the same VPN as my laptop. We’ll use Remmina and ProxyChains to RDP into a computer on the same network as the computer that we’re SSH’d into. The visual below illustrates the setup:
Once we’re connected to the VPN, we need to make sure that the ProxyChains config file is configured correctly.
To configure the file, we’ll use this command:
The location of your ProxyChains config file may be different depending on your Linux or BSD distro.
After configuring the file and specifying the port number we want to use, we’ll then SSH into the other laptop connected to our VPN.
Use the command below:
SSH -D 127.0.0.1:9050 kali@<targets’s ip>
The -D is specified for dynamic port forwarding. This works by allocating a socket to listen to a port on a local side. When a connection is made the port, the connection is forwarded over the secure channel. The application protocol is then used to determine where to connect to from the remote machine.
We’re now connected to the other laptop on our VPN network.
To RDP to the target laptop, we’ll use this command:
After running this command, the Remmina Remote Desktop Client will appear on the screen and prompt for username and password. Once we’ve entered the credentials, we’ll then be connected to the target host.
To confirm that we’re connected to the target host, we could run the command below:
This command shows that we have successfully used ProxyChains and Remmina to RDP into the target host.