SOCKS Proxy
Overview
A SOCKS proxy routes arbitrary TCP (and sometimes UDP) traffic through a pivot host. Unlike port forwarding, which maps one local port to one fixed destination, a SOCKS proxy accepts connections to any host and port, which makes it ideal for full internal network enumeration. On the attacker side, SOCKS proxies are typically paired with proxychains so that standard tools can be routed through the tunnel unmodified.
ATT&CK Mapping
- Tactic: TA0011 - Command and Control
- Technique: T1090.001 - Proxy: Internal Proxy
Prerequisites
- A tunnel tool providing SOCKS (SSH, Chisel, Ligolo-ng, Metasploit)
- proxychains4 configured on the attacker machine
Techniques
Proxychains Configuration
# Edit proxychains configuration
# /etc/proxychains4.conf
# Key settings:
# strict_chain: use every proxy in [ProxyList] in order (fail if one is down)
# dynamic_chain: use proxies in order but skip any that are unreachable
# proxy_dns: resolve hostnames through the proxy instead of on the attacker machine (avoids leaking internal lookups to the local resolver)
# quiet_mode: suppress the per-connection [proxychains] log lines
# Add the SOCKS proxy at the bottom, under [ProxyList]:
# socks5 127.0.0.1 1080
Common proxychains configurations:
# Single SOCKS5 proxy (most common)
dynamic_chain
proxy_dns
[ProxyList]
socks5 127.0.0.1 1080
# Double pivot (chain two proxies)
strict_chain
proxy_dns
[ProxyList]
socks5 127.0.0.1 1080
socks5 127.0.0.1 1081
Using Proxychains with Tools
# Nmap through SOCKS (must use -sT for TCP connect, -Pn to skip ping)
proxychains nmap -sT -Pn -p 80,443,445,3389 <internal_target>
# NetExec through SOCKS
proxychains nxc smb <internal_target> -u <user> -p <password>
# curl through SOCKS
proxychains curl http://<internal_target>
# Or use curl's built-in SOCKS support (faster). Note: --socks5 resolves hostnames locally; use --socks5-hostname to let the proxy resolve them
curl --socks5 127.0.0.1:1080 http://<internal_target>
# Impacket tools through SOCKS
proxychains impacket-psexec '<domain>/<user>:<password>@<internal_target>'
# Web browser (Firefox)
# Settings > Network Settings > Manual Proxy > SOCKS Host: 127.0.0.1, Port: 1080
Proxychains limitations:
- Only TCP is proxied: proxychains hooks the libc socket calls of dynamically linked programs, so UDP, ICMP, raw sockets and statically linked binaries bypass it
- Nmap SYN scan (-sS) uses raw sockets and is not proxied; use the TCP connect scan (-sT)
- Nmap host discovery (-sn) relies on ICMP and raw probes and does not work; use -Pn to skip it
- Performance is slower than direct connections, since every connection is relayed through the pivot
Metasploit SOCKS Proxy
# Metasploit Framework
# https://github.com/rapid7/metasploit-framework
# Add route through Meterpreter session
route add <internal_subnet>/<mask> <session_id>
# Start SOCKS proxy
use auxiliary/server/socks_proxy
set SRVPORT 1080
set VERSION 5
run -j
# Now use proxychains with the Metasploit SOCKS proxy
Nmap Through SOCKS
# TCP connect scan (required through SOCKS)
proxychains nmap -sT -Pn -p 21,22,80,443,445,3389,5985 <internal_target>
# Skip reverse DNS lookups (-n); each lookup would otherwise be relayed through the proxy (faster)
proxychains nmap -sT -Pn -n -p 80,443,445 <internal_target>
# Scan specific ports only (full port scans through SOCKS are very slow)
proxychains nmap -sT -Pn -p 22,80,135,139,443,445,3306,3389,5985 <internal_target>
Detection Methods
Network-Based Detection
- SOCKS protocol traffic patterns (connection negotiation)
- A single compromised host making connections to many internal hosts on various ports
Host-Based Detection
- Tunnel or SOCKS proxy processes (SSH, Chisel, Ligolo-ng, Meterpreter) listening on or running from the compromised host
- Unusual network patterns from a single process connecting to many destinations
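A small detector for the patterns listed above, added here as an example and not part of the original page: it decodes the SOCKS5 client greeting and CONNECT request (RFC 1928) so the requested internal destination can be logged, and it flags source hosts that reach an unusual number of distinct (host, port) pairs. All payloads, flow records and the threshold are constructed; the negotiation is only visible on the wire when a SOCKS listener is exposed on a network interface rather than inside an SSH or Chisel tunnel.

```python
import socket
import struct
from collections import defaultdict

SOCKS5_CMD_CONNECT = 0x01

def is_socks5_greeting(data: bytes) -> bool:
    """Client greeting (RFC 1928): VER=0x05, NMETHODS, then exactly NMETHODS bytes."""
    return len(data) >= 3 and data[0] == 0x05 and len(data) == 2 + data[1]

def parse_socks5_connect(data: bytes):
    """Decode a SOCKS5 CONNECT request; return (host, port) or None if malformed."""
    if len(data) < 7 or data[0] != 0x05 or data[1] != SOCKS5_CMD_CONNECT or data[2] != 0x00:
        return None
    atyp = data[3]
    if atyp == 0x01 and len(data) >= 10:                   # IPv4, 4 address bytes
        host, end = socket.inet_ntoa(data[4:8]), 8
    elif atyp == 0x03 and len(data) >= 5 + data[4] + 2:    # domain name, length-prefixed
        host, end = data[5:5 + data[4]].decode("ascii", "replace"), 5 + data[4]
    elif atyp == 0x04 and len(data) >= 22:                 # IPv6, 16 address bytes
        host, end = socket.inet_ntop(socket.AF_INET6, data[4:20]), 20
    else:
        return None
    return host, struct.unpack("!H", data[end:end + 2])[0]

def fan_out_alerts(flows, max_destinations=10):
    """Return {src: distinct (dst, port) count} for sources above the threshold.
    One host reaching many internal services on varied ports is the footprint
    that proxychains-driven enumeration (nmap -sT, nxc, Impacket) leaves behind."""
    seen = defaultdict(set)
    for src, dst, dport in flows:
        seen[src].add((dst, dport))
    return {src: len(d) for src, d in seen.items() if len(d) > max_destinations}

# Constructed sample data (not real captures): a SOCKS5 greeting offering
# no-auth and username/password, and two CONNECT requests.
GREETING = bytes([0x05, 0x02, 0x00, 0x02])
CONNECT_IPV4 = bytes([0x05, 0x01, 0x00, 0x01]) + socket.inet_aton("10.10.10.5") + struct.pack("!H", 445)
CONNECT_DOMAIN = bytes([0x05, 0x01, 0x00, 0x03, 9]) + b"dc01.corp" + struct.pack("!H", 389)
# Constructed flow records (src, dst, dst_port): a pivot host sweeping 4 hosts x 3 ports,
# and a workstation with ordinary traffic.
FLOWS = [("10.10.10.20", f"10.10.10.{h}", p) for h in (5, 6, 7, 8) for p in (80, 445, 3389)]
FLOWS += [("10.10.10.30", "10.10.10.5", 445), ("10.10.10.30", "10.10.10.6", 80)]

if __name__ == "__main__":
    print("greeting:", is_socks5_greeting(GREETING))
    print("connect targets:", parse_socks5_connect(CONNECT_IPV4), parse_socks5_connect(CONNECT_DOMAIN))
    print("fan-out alerts:", fan_out_alerts(FLOWS))
```

The threshold is deliberately low for the constructed sample; in production it should be derived from a baseline of each host's normal distinct-destination count.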
Mitigation Strategies
- Network segmentation — limit lateral communication between network segments
- Monitor anomalous connections — alert on hosts connecting to many diverse internal destinations
- Egress filtering — restrict outbound connections from internal hosts