A SOCKS proxy is a general-purpose proxy that forwards any TCP (and with SOCKS5, UDP) connection to a destination, commonly set up through a compromised pivot so the attacker’s tools can reach the internal network. proxychains is a utility that forces a program’s connections through that proxy, even tools with no built-in proxy support. Together they turn a single pivot (for example an ssh -D dynamic forward) into access to the whole internal subnet for any tool.
What they are
A SOCKS proxy is a flexible proxy that relays connections to any host and port, unlike a port forward that handles one destination. Pointing tools at a SOCKS proxy running through a pivot lets them reach the entire internal network the pivot can see.
proxychains solves the next problem: many tools have no proxy option. proxychains wraps a program and redirects its network calls through the configured proxy, so even tools like nmap or a database client travel through the pivot.
How they work and payload
The attacker opens a SOCKS proxy via the pivot, then runs tools through proxychains:
- Open a SOCKS proxy (dynamic SSH forward):
  ssh -D 1080 user@PIVOT
- Point proxychains at it (in /etc/proxychains.conf):
  socks5 127.0.0.1 1080
- Run any tool through it:
  proxychains nmap -sT -Pn 10.10.0.0/24
  or
  proxychains smbclient //10.10.0.20/share
Now the attacker’s whole toolkit reaches the internal network through one foothold. Documented techniques shown for defenders.
How to defend
- Segment the internal network so the pivot can reach little, which limits what any proxy exposes.
- Restrict egress so a compromised host cannot establish the outbound proxy connection.
- Monitor for SOCKS proxy patterns and for one internal host suddenly scanning or connecting to many others.
- Limit the tooling installed and SSH access (including the forwarding that ssh -D relies on) on exposed servers.
- Detect the noisy scanning that often follows a new SOCKS pivot.
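The two detection points above (one internal host suddenly connecting to many others, and the noisy scanning that follows a new SOCKS pivot) share a single signal: because every probe is relayed by the pivot, the whole scan appears to originate from one internal address, and most attempts fail because the scanned ports are closed. The following is an added example written for this page, not code from the original, that runs a sliding-window fan-out check over constructed, Zeek-style conn.log lines (tab-separated ts, src, sport, dst, dport, proto, conn_state). The thresholds, field layout and sample addresses are assumptions chosen for the demonstration.

```python
"""Fan-out detection over connection logs (added example, defender side).

Flags an internal source that contacts many distinct hosts within a short
window while most attempts fail (S0 = no reply, REJ = reset), which is what
a connect scan (e.g. nmap -sT relayed through a SOCKS pivot) looks like from
the pivot's side of the network.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed sample log (not real traffic). 10.10.0.8/.9 are ordinary hosts;
# 10.10.0.5 is the assumed pivot, whose burst to .11-.22 on 445 is the scan.
SAMPLE_CONN_LOG = "\n".join([
    "1700000000.10\t10.10.0.8\t50112\t10.10.0.20\t445\ttcp\tSF",
    "1700000001.20\t10.10.0.5\t41002\t10.10.0.11\t445\ttcp\tS0",
    "1700000001.50\t10.10.0.5\t41003\t10.10.0.12\t445\ttcp\tREJ",
    "1700000001.80\t10.10.0.5\t41004\t10.10.0.13\t445\ttcp\tSF",
    "1700000002.10\t10.10.0.5\t41005\t10.10.0.14\t445\ttcp\tS0",
    "1700000002.40\t10.10.0.5\t41006\t10.10.0.15\t445\ttcp\tREJ",
    "1700000002.70\t10.10.0.5\t41007\t10.10.0.16\t445\ttcp\tS0",
    "1700000003.00\t10.10.0.5\t41008\t10.10.0.17\t445\ttcp\tREJ",
    "1700000003.30\t10.10.0.5\t41009\t10.10.0.18\t445\ttcp\tS0",
    "1700000003.60\t10.10.0.5\t41010\t10.10.0.19\t445\ttcp\tREJ",
    "1700000003.90\t10.10.0.5\t41011\t10.10.0.20\t445\ttcp\tSF",
    "1700000004.20\t10.10.0.5\t41012\t10.10.0.21\t445\ttcp\tS0",
    "1700000004.50\t10.10.0.5\t41013\t10.10.0.22\t445\ttcp\tREJ",
    "1700000005.00\t10.10.0.8\t50113\t10.10.0.30\t443\ttcp\tSF",
    "1700000006.00\t10.10.0.9\t50220\t10.10.0.20\t445\ttcp\tSF",
])

FAILED_STATES = ("S0", "REJ")


@dataclass
class Conn:
    ts: float
    src: str
    dst: str
    dport: int
    state: str


def parse_conn_log(text):
    """Parse tab-separated conn lines; skip comments and malformed rows."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue
        ts, src, _sport, dst, dport, _proto, state = fields
        conns.append(Conn(float(ts), src, dst, int(dport), state))
    return conns


def detect_fanout(conns, window_s=60.0, min_hosts=8, min_failed_ratio=0.5):
    """Per-source sliding window: alert once a source has touched >= min_hosts
    distinct destinations within window_s and at least min_failed_ratio of
    those attempts failed. Returns one alert dict per offending source."""
    by_src = defaultdict(list)
    for c in sorted(conns, key=lambda c: c.ts):
        by_src[c.src].append(c)

    alerts = []
    for src, cs in by_src.items():
        window = deque()
        for c in cs:
            window.append(c)
            # Drop entries that have aged out of the window.
            while window and c.ts - window[0].ts > window_s:
                window.popleft()
            hosts = {w.dst for w in window}
            failed = sum(1 for w in window if w.state in FAILED_STATES)
            if len(hosts) >= min_hosts and failed / len(window) >= min_failed_ratio:
                alerts.append({
                    "src": src,
                    "first_ts": window[0].ts,
                    "last_ts": c.ts,
                    "distinct_hosts": len(hosts),
                    "failed": failed,
                    "total": len(window),
                })
                break  # one alert per source is enough here
    return alerts


def run_example():
    return detect_fanout(parse_conn_log(SAMPLE_CONN_LOG))


if __name__ == "__main__":
    for a in run_example():
        print(f"fan-out from {a['src']}: {a['distinct_hosts']} hosts, "
              f"{a['failed']}/{a['total']} failed between {a['first_ts']} and {a['last_ts']}")
```

On the sample the alert fires at the eighth probe from 10.10.0.5, with seven of eight attempts failed; the ordinary hosts never reach the host threshold. In production the thresholds need tuning against a baseline, since backup servers, monitoring and vulnerability scanners legitimately fan out, so allow-listing known scanners is the usual companion to this rule.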