What is a Proxy?

To be able to understand ProxyChains and how they operate, we first need to understand what a proxy is. A proxy or a proxy server is a system that acts as a “middleman” between a client and a server. It is typically used to reroute traffic or to prevent threat actors from entering a private network.

A good example of a proxy is Burp Suite, commonly known as Burp. Burp acts as an HTTP proxy between a client web browser and the target web application. The browser sends its requests to Burp, which can then intercept, inspect, and modify the web traffic to and from the web application.

What is ProxyChains?

ProxyChains is a tool that redirects TCP connections made by applications through various proxy types such as SOCKS4, SOCKS5, or HTTP. It is an open-source project for GNU/Linux systems. ProxyChains can string multiple proxies together to make it harder to identify the original IP address. These chains are often used in red team engagements to make it difficult for blue teamers to trace the original IP address. While using ProxyChains, you are able to use various tools such as SSH, telnet, wget, and Nmap to evade detection.

Configuration Types

You have three configuration options while using ProxyChains: Dynamic, Strict, and Random.

Dynamic chain: This allows us to run our traffic through every proxy on the list. If a proxy is not responding, it is skipped and the chain automatically moves on to the next proxy. At least one proxy must be available for the chain to work.

Strict chain: All proxies in the list will be used and chained in the assigned order. Unlike a dynamic chain, all proxies must be responsive in a strict chain for it to work.

Random chain: All proxies will be selected at random. We could optionally specify the number of proxies to use.

Using Nmap with ProxyChains

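Combining Nmap and ProxyChains is a very common technique used to route traffic to an internal network when doing penetration tests. This combination of tools effectively allows us to funnel Nmap’s traffic through an SSH SOCKS5 proxy running on a pivot laptop in a client’s environment.

To launch Nmap through ProxyChains, run this command:

proxychains nmap -sT <Target’s IP Address>

ProxyChains only intercepts TCP connections that a program opens with the normal connect() call, so the scan has to be a TCP connect scan (-sT). A SYN scan (-sS) sends raw packets, which do not pass through the proxy.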

[Image: ProxyChains Nmap]

We are using ProxyChains and Nmap to scan for vulnerabilities on an internal network.

Tunneling with Metasploit

Metasploit is an open-source framework that is used to probe vulnerabilities on networks and servers. It is a powerful platform that’s used by cybercriminals and penetration testers alike.

After getting a foothold into a network or server with Metasploit, you can leverage the SOCKS5 proxy module and then specify what port you want the proxy to bind to. Use the following commands to start up the SOCKS5 proxy server to relay connections:

use auxiliary/server/socks_proxy

set SRVPORT <port number>

exploit

[Image: ProxyChains Metasploit]

This shows the proxy server that you have created, which will allow us to proxy Nmap, CrackMapExec, and other tools through the Meterpreter session.

Connecting to a target using Remmina and ProxyChains

Remmina is a remote desktop client that allows screen and file sharing to your desktop. Remmina can be used in conjunction with ProxyChains to connect to a target host through a remote desktop. In this example, we will SSH to a laptop on the same VPN as my laptop. We’ll use Remmina and ProxyChains to RDP into a computer on the same network as the computer that we’re SSH’d into. The visual below illustrates the setup:

[Image: ProxyChains Remmina]

After connecting to the VPN that our remote laptop is also connected to, we can SSH into our laptop and set up our SOCKS5 proxy.

Once we’re connected to the VPN, we need to make sure that the ProxyChains config file is configured correctly.

To configure the file, we’ll use this command:

nano /etc/proxychains.conf

The location of your ProxyChains config file may be different depending on your Linux or BSD distro.

[Image: ProxyChains Config]

In the ProxyChains config, make sure the proxy list contains a SOCKS5 entry that points at the local listener on port 9050.
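A sanity check for this file and for the chain types described under Configuration Types, as an added example (not code from the page or from the ProxyChains project): it parses a proxychains.conf body, reports which chain mode is enabled, and flags malformed [ProxyList] entries. The sample config is constructed and the function name lint_proxychains is hypothetical.

```python
# Added example: lint a proxychains.conf body before relying on it.
import re

CHAIN_MODES = {"dynamic_chain", "strict_chain", "random_chain"}
PROXY_TYPES = {"socks4", "socks5", "http"}

# Constructed sample config: strict chain with one local SOCKS5 entry.
SAMPLE_CONF = """\
# dynamic_chain
strict_chain
# random_chain
# chain_len = 2
[ProxyList]
socks5 127.0.0.1 9050
"""


def lint_proxychains(text):
    """Return (modes, proxies, problems) for the given config text."""
    modes, proxies, problems = [], [], []
    in_proxy_list = False
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if line == "[ProxyList]":
            in_proxy_list = True
        elif in_proxy_list:
            fields = line.split()  # type host port [user pass]
            if len(fields) < 3 or fields[0] not in PROXY_TYPES:
                problems.append(f"line {num}: malformed proxy entry {line!r}")
            elif not (re.fullmatch(r"[0-9]{1,5}", fields[2])
                      and 0 < int(fields[2]) < 65536):
                problems.append(f"line {num}: invalid port {fields[2]!r}")
            else:
                proxies.append((fields[0], fields[1], int(fields[2])))
        elif line in CHAIN_MODES:
            modes.append(line)
    # More than one enabled mode is ambiguous; none leaves it to defaults.
    if len(modes) != 1:
        problems.append(f"expected exactly one chain mode, found {modes}")
    if not proxies:
        problems.append("no usable entries under [ProxyList]")
    return modes, proxies, problems


if __name__ == "__main__":
    print(lint_proxychains(SAMPLE_CONF))
```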

After configuring the file and specifying the port number we want to use, we’ll then SSH into the other laptop connected to our VPN.

Use the command below:

ssh -D 127.0.0.1:9050 kali@<target’s IP>

The -D option specifies dynamic port forwarding. This works by allocating a socket to listen on a port on the local side. When a connection is made to that port, the connection is forwarded over the secure channel. The application protocol (SOCKS) is then used to determine where to connect to from the remote machine.

[Image: SSH Creating SOCKS5 Proxy]

Using the “-D” argument, we can spawn a SOCKS5 proxy with SSH.
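To make the "application protocol determines where to connect" step concrete, here is an added example (not from the original page) that parses the SOCKS5 CONNECT request a proxied client sends to the local -D listener, following the request layout in RFC 1928. The sample bytes, addresses, and the function name parse_socks5_connect are constructed for illustration.

```python
# Added example: decode the destination carried in a SOCKS5 CONNECT request.
import ipaddress
import struct

ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# Constructed request: VER=5, CMD=1 (CONNECT), RSV=0, ATYP=1 (IPv4),
# destination 10.0.0.5, port 3389 (0x0d3d, the RDP port).
SAMPLE_REQUEST = bytes.fromhex("050100010a0000050d3d")


def parse_socks5_connect(data):
    """Return (host, port) from a SOCKS5 CONNECT request, or raise ValueError."""
    if len(data) < 4:
        raise ValueError("truncated request header")
    ver, cmd, _rsv, atyp = data[:4]
    if ver != 5:
        raise ValueError(f"not SOCKS5 (version byte {ver})")
    if cmd != 1:
        raise ValueError(f"not a CONNECT request (command byte {cmd})")
    body = data[4:]
    if atyp == ATYP_IPV4:
        addr_len = 4
    elif atyp == ATYP_IPV6:
        addr_len = 16
    elif atyp == ATYP_DOMAIN:
        if not body:
            raise ValueError("missing domain length byte")
        addr_len, body = body[0], body[1:]  # one length byte, then the name
    else:
        raise ValueError(f"unknown address type {atyp}")
    if len(body) != addr_len + 2:  # address followed by a 2-byte port
        raise ValueError("address/port length mismatch")
    addr = body[:addr_len]
    (port,) = struct.unpack("!H", body[addr_len:])  # network byte order
    if atyp == ATYP_DOMAIN:
        host = addr.decode("ascii")  # name is resolved on the proxy side
    else:
        host = str(ipaddress.ip_address(addr))
    return host, port


if __name__ == "__main__":
    print(parse_socks5_connect(SAMPLE_REQUEST))
```

The request is preceded by a short method-negotiation exchange, which this example does not parse.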

We’re now connected to the other laptop on our VPN network.

To RDP to the target laptop, we’ll use this command:

proxychains remmina

[Image: Launching Remmina]

Remmina’s traffic will be routed through our SOCKS5 proxy to our target host.

After running this command, the Remmina Remote Desktop Client will appear on the screen and prompt for username and password. Once we’ve entered the credentials, we’ll then be connected to the target host.

To confirm that we’re connected to the target host, we could run the command below:

whoami

[Image: Remmina Connected]

The RDP connection is established to our remote host via ProxyChains.

This command shows that we have successfully used ProxyChains and Remmina to RDP into the target host.