DEV Community

Saravana Gautham


Lab Setup: Using SOCKS Proxies, ProxyChains, and SSH Dynamic Port Forwarding

Meta Description: Step-by-step SOCKS proxy lab setup with SSH dynamic port forwarding, ProxyChains integration, and real pentesting scenarios with screenshots.

LAB SETUP for achieving SOCKS PROXY

Networking setup

I have 3 VMs, each with multiple virtual network adapters. They are described briefly here:

a. Kali (Attacker)
 ├─ eth0: 192.168.56.x → Host-only network that can talk to Ubuntu
 └─ eth1: 10.0.2.x → NAT (for Internet)

[Screenshot: Network setup in the attacker machine]

b. Ubuntu (Jump Host)
 ├─ enp0s3: 192.168.56.x → Host-only network with Kali
 └─ enp0s8: 10.10.20.1 → Internal network that can talk to the Windows machine

[Screenshot: Network setup in the pivot machine]

c. Windows Server 2019 (Target)
 └─ NIC: 10.10.20.x → Internal network with Ubuntu

Prerequisites

- SSH is installed and enabled on both Ubuntu and Kali (the Ubuntu jump host must be running sshd, and Kali must be able to authenticate to it over the host-only network).
- ProxyChains is installed on Kali (it ships with Kali by default).

Setting up the SOCKS proxy from my attacker machine (KALI)

What ssh -D does

  • The -D [port] option sets up dynamic port forwarding.
  • SSH listens on a local port (e.g., 127.0.0.1:1080).
  • That port speaks SOCKS protocol (SOCKS4 or SOCKS5 depending on your client request).
  • Any program that supports SOCKS can send traffic to this port.

SSH then carries that traffic over the encrypted SSH connection to the remote host, which opens the connection to the destination on your behalf. The destination therefore sees the jump host's address (here 10.10.20.1) as the source, not Kali's.

[Screenshot: Initiating SSH -D dynamic port forwarding]

Next I use nmap from Kali to scan the Windows machine. Remember, Kali cannot ping or otherwise reach the Windows machine directly; only the Ubuntu jump host has a route to it.

[Screenshot: Using nmap with proxychains]

SOCKS in comparison to SSH local port forwarding

a. With local port forwarding (ssh -L), one local port is mapped to exactly one remote host:port chosen when the tunnel is created. Reaching another port on the target, or another host, needs a second -L, so a single forward cannot be used for a port scan.

[Screenshot: Setting up LPF using SSH]

[Screenshot: LPF is able to access only the port it was set up for]

b. Whereas with ssh -D dynamic port forwarding, the single SOCKS listener accepts the destination host and port on every connection, so every TCP port (and every host) the jump host can reach becomes accessible from Kali without reconfiguring the tunnel.

[Screenshot: SOCKS proxy accessing more than one port]

Combining proxychains with SOCKS

Here I have used proxychains to run an nmap scan of the otherwise unreachable host. Two nmap flags matter when scanning through the proxy: -sT, because ProxyChains works by hooking the connect() call, so only full TCP connects are proxied while the raw SYN packets of the default -sS scan would leave Kali directly and never reach the target; and -Pn, because nmap's host discovery relies on ICMP and raw probes that cannot be tunnelled. The same limitation explains the second screenshot: ICMP pings are not proxied because ProxyChains only supports TCP connections (a SOCKS CONNECT carries a TCP stream, and ssh -D does not implement SOCKS5 UDP ASSOCIATE). This is why the ping test fails even when other tools work.

[Screenshot: Using nmap with proxychains, with the failed ping]
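The whole procedure above (start the SOCKS tunnel, point ProxyChains at it, scan with nmap, and see why ping still fails) collected into one script, with the ssh -L one-port forward included for contrast. This is an added example, not code from the original post. The jump-host user `ubuntu`, the addresses 192.168.56.10 and 10.10.20.5, the port list and the helper names are assumptions for this lab and can be overridden through environment variables.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Hosts, user and ports below are
# assumptions for the lab described in the article.
set -eu

JUMP_USER="${JUMP_USER:-ubuntu}"          # assumed account on the Ubuntu jump host
JUMP_HOST="${JUMP_HOST:-192.168.56.10}"   # assumed host-only address of Ubuntu
SOCKS_PORT="${SOCKS_PORT:-1080}"
TARGET="${TARGET:-10.10.20.5}"            # assumed Windows address on the internal net

# ssh -D: one local listener that speaks SOCKS; every TCP destination the jump
# host can reach becomes reachable through it. -f -N backgrounds ssh without a
# shell; ExitOnForwardFailure makes ssh fail loudly if the port is already taken.
socks_cmd() {  # arg: local socks port
  printf 'ssh -f -N -D 127.0.0.1:%s -o ExitOnForwardFailure=yes %s@%s' \
    "$1" "$JUMP_USER" "$JUMP_HOST"
}

# ssh -L, for contrast: one local port bound to exactly one remote host:port.
# Reaching a second port on the target needs a second -L.
lpf_cmd() {  # args: local_port target_host target_port
  printf 'ssh -f -N -L 127.0.0.1:%s:%s:%s -o ExitOnForwardFailure=yes %s@%s' \
    "$1" "$2" "$3" "$JUMP_USER" "$JUMP_HOST"
}

# Minimal proxychains config: a single SOCKS5 hop, with proxy_dns so name
# lookups go through the tunnel instead of leaking from Kali directly.
proxychains_conf() {  # arg: socks port
cat <<EOF
strict_chain
proxy_dns
quiet_mode
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 127.0.0.1 $1
EOF
}

# nmap through the proxy needs a TCP connect scan (-sT): proxychains only hooks
# connect(), so raw SYN packets (-sS) and ICMP host discovery would bypass it.
# -Pn skips the ping sweep, -n avoids reverse-DNS noise.
nmap_cmd() {  # args: conf_path target ports
  printf 'proxychains -f %s nmap -sT -Pn -n -p %s %s' "$1" "$3" "$2"
}

listener_up() {  # returns 0 if something listens on 127.0.0.1:$1
  ss -lnt 2>/dev/null | grep -q "127.0.0.1:$1 "
}

main() {
  conf="$(mktemp)"
  proxychains_conf "$SOCKS_PORT" > "$conf"
  echo "[*] $(socks_cmd "$SOCKS_PORT")"
  eval "$(socks_cmd "$SOCKS_PORT")"
  listener_up "$SOCKS_PORT" || { echo "[!] SOCKS listener not up"; exit 1; }
  echo "[*] $(nmap_cmd "$conf" "$TARGET" 135,139,445,3389)"
  eval "$(nmap_cmd "$conf" "$TARGET" 135,139,445,3389)"
  # ICMP is not a TCP connection, so this fails even though nmap above worked.
  proxychains -f "$conf" ping -c 1 "$TARGET" || echo "[!] ping not proxied (expected)"
  rm -f "$conf"
}

# Run the live procedure only when asked; otherwise the file just defines helpers.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it with `bash pivot.sh run` from Kali (assumed file name). The config is written to a temporary file and passed with `-f` so the system-wide /etc/proxychains4.conf is left untouched; `listener_up` is the check worth doing before any scan, because a silently failed `-D` (port already in use, auth failure) otherwise shows up only as every proxied connection timing out.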
