LAB SETUP for achieving SOCKS PROXY
Networking setup
I have 3 VMs, each with multiple virtual network adapters. Briefly:
a. Kali (Attacker)
├─ eth0: 192.168.56.x → Host-only network that can talk to Ubuntu
└─ eth1: 10.0.2.x → NAT (for Internet access)
b. Ubuntu (Jump Host)
├─ enp0s3: 192.168.56.x → Host-only network shared with Kali
└─ enp0s8: 10.10.20.1 → Internal network that can talk to the Windows machine
c. Windows Server 2019 (Target)
└─ NIC: 10.10.20.x → Internal network shared with Ubuntu
Prerequisites
- SSH is installed and enabled on both Ubuntu and Kali (the SSH server must be running on the Ubuntu jump host; Kali only needs the SSH client).
Setting up the SOCKS proxy from my attacker machine (KALI)
What ssh -D does
- The -D [port] option sets up dynamic port forwarding.
- SSH listens on a local port (e.g., 127.0.0.1:1080).
- That port speaks SOCKS protocol (SOCKS4 or SOCKS5 depending on your client request).
- Any program that supports SOCKS can send traffic to this port.
SSH then forwards that traffic over the encrypted SSH connection to the remote host, which then connects to the destination server on your behalf.
Next I use nmap from Kali to scan the Windows machine. Remember that Kali cannot ping or otherwise reach the Windows machine directly.
SOCKS in comparison to SSH local port forwarding
a. With local port forwarding (-L) you can only reach the single remote port for which the forward was set up.
b. With SOCKS dynamic port forwarding (-D) every TCP port on the internal network becomes reachable from Kali through the one local listener.
Combining proxychains with SOCKS
Here I have used proxychains to run an nmap scan of the otherwise unreachable host. I have also shown that ICMP pings are not proxied, because ProxyChains only supports TCP connections. This is why the ping test fails even when the other tools work.
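To show what the ssh -D listener actually speaks, and why ping can never use it, here is an added Python example that is not part of the original post: it performs the SOCKS5 CONNECT handshake against the local 127.0.0.1:1080 listener and reports the jump host's reply. The target address and port in the main block are placeholders for the lab's Windows host.

```python
import socket
import struct

# SOCKS5 reply codes from RFC 1928, so a failed CONNECT can be explained
SOCKS5_REPLIES = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def build_greeting() -> bytes:
    # VER=5, NMETHODS=1, METHOD=0x00 (no authentication, which is all ssh -D offers)
    return b"\x05\x01\x00"


def build_connect(host: str, port: int) -> bytes:
    # VER=5, CMD=0x01 CONNECT, RSV=0, then the destination address.
    # CONNECT is the only command a TCP tunnel needs; SOCKS has no ICMP
    # command at all, which is why ping can never go through the proxy.
    try:
        addr = b"\x01" + socket.inet_aton(host)          # ATYP=1: IPv4 literal
    except OSError:
        name = host.encode()
        addr = b"\x03" + bytes([len(name)]) + name       # ATYP=3: jump host resolves it
    return b"\x05\x01\x00" + addr + struct.pack(">H", port)


def parse_reply(data: bytes) -> str:
    # Reply layout: VER, REP, RSV, ATYP, BND.ADDR, BND.PORT; REP is what matters
    if len(data) < 2 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 reply")
    return SOCKS5_REPLIES.get(data[1], f"unknown reply 0x{data[1]:02x}")


def check_tunnel(target: str, port: int, proxy=("127.0.0.1", 1080), timeout=5.0) -> str:
    # Full exchange with the ssh -D listener: greeting, method choice, CONNECT, reply
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(build_greeting())
        if s.recv(2) != b"\x05\x00":
            raise RuntimeError("proxy did not accept the no-auth method")
        s.sendall(build_connect(target, port))
        return parse_reply(s.recv(262))


if __name__ == "__main__":
    # 10.10.20.10 and 3389 are placeholders for the lab's Windows target and its RDP port
    print(check_tunnel("10.10.20.10", 3389))
```

The same limitation is why nmap through proxychains must be a TCP connect scan with host discovery disabled (-sT -Pn): SYN scans and ICMP probes use raw sockets and bypass the connect() call that ProxyChains hooks.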