Proxychains

Use Case:

Next, create a dynamic application-level port forwarding on port 8080 on our attacking machine
- any connection made to this port will be forwarded over the SSH channel and the application protocol will be used to determine where to connect to from the remote machine

Lastly, configure proxychains to use port 8080 on our attacking machine
- since the SSH process instance listening on that port will act as a SOCK server
Through proxychains, we can use nmap to scan the internal remote network for example

Proxychains Pivot

# When you have access to a machine, you can use it as pivot to target machines

# Getting known machines

arp -a

# Setup SSH Dynamic on the attacking box

ssh -D <local_port> <user>@<ip>

# Setup proxychains in /etc/proxychains.conf

[ProxyList]

socks4 127.0.0.1 <local_port>

# Reduce timeout in /etc/proxychains.conf to gain speed

tcp_read_time_out 800

tcp_connect_time-out 800

# Then

proxychains...

# Scanning (nmap) can be very long through proxychains

# You can speed it up by using xargs and multithreading

# The main goal is to spread ports between different threads (-P 50)

seq 1 65535 | xargs -P 50 -I port proxychains -q nmap -p port -sT -T4 10.42.42.2 -oG 10.42.42.2 --open --append-output 10.42.42.2 -Pn -n

# Take care of some options

# You can't just run -oA but need the --append-output option

# The same behavior can be used to scan multiple machines

# The base command

proxychains nmap -p- -sT -T4 --top-ports 20 10.42.42.0/24 -oG 10.42.42.0 --open

# Become

seq 1 254 | xargs -P 50 -I cpt proxychains -q nmap --top-ports 20 -sT -T4 10.42.42.cpt -oG 10.42.42.0 --open --append-output 10.42.42.cpt -Pn -n

Double Pivot Proxychains

# Pivot 1 using proxychains

ssh -D 1080 user@IP_Network1

# Configure /etc/proxychains to set port 1080

# Pivot 2 using proxychains

proxychains ssh -D 1081 user@IP_Network2

# Configure /etc/proxychains to set port 1081

proxychains nmap...

Last updated 1 year ago