| 1 | +## Verification Steps |
| 2 | + |
| 3 | + 1. Start `msfconsole` |
| 4 | + 2. Do: `use auxiliary/server/socks4a` |
| 5 | + 3. Do: `run` |
| 6 | + 4. Do: `curl --proxy socks4a://localhost:1080 https://github.com` |
| 7 | + 5. You should see the source for the Github homepage |
| 8 | + |
| 9 | +## Options |
| 10 | + |
| 11 | + **SRVHOST** |
| 12 | + |
| 13 | + The local IP address to bind the proxy to. The default value of `0.0.0.0` will expose the proxy to everything on the attacker's network. |
| 14 | + |
| 15 | + **SRVPORT** |
| 16 | + |
| 17 | + The local port to bind the proxy to. The default value is `1080`, the standard port for a socks4a proxy. |
| 18 | + |
| 19 | +## Scenarios |
| 20 | + |
| 21 | + This module is great when pivoting across a network. Suppose we have two machines: |
| 22 | + |
| 23 | + 1. Attacker's machine, on the `192.168.1.0/24` subnet. |
| 24 | + 2. Victim machine with two network interfaces, one attached to the `192.168.1.0/24` subnet and the other attached to the non-routable `10.0.0.0/24` subnet. |
| 25 | + |
| 26 | + We'll begin by starting the socks4a proxy: |
| 27 | + ``` |
| 28 | + msf > use auxiliary/server/socks4a |
| 29 | + msf auxiliary(socks4a) > run |
| 30 | + [*] Auxiliary module execution completed |
| 31 | + [*] Starting the socks4a proxy server |
| 32 | + msf auxiliary(socks4a) > |
| 33 | + ``` |
| 34 | + |
| 35 | + Preparing to pivot across a network requires us to first establish a Meterpreter session on the victim machine. From there, we can use the `autoroute` script to enable access to the non-routable subnet: |
| 36 | + |
| 37 | + ``` |
| 38 | + meterpreter > run autoroute -s 10.0.0.0/24 |
| 39 | + ``` |
| 40 | + |
| 41 | + The `autoroute` module will enable our local socks4a proxy to direct all traffic to the `10.0.0.0/24` subnet through our Meterpreter session, causing it to emerge from the victim's machine and thus giving us access to the non-routable subnet. We can now use `curl` to connect to a machine on the non-routable subnet via the socks4a proxy: |
| 42 | + ``` |
| 43 | + curl --proxy socks4a://localhost:1080 http://10.0.0.15:8080/robots.txt |
| 44 | + ``` |
| 45 | + |
| 46 | + We can take this a step further and use proxychains to enable other tools that don't have built-in support for proxies to access the non-routable subnet. The short-and-sweet guide to installing and configuring proxychains looks something like this: |
| 47 | + |
| 48 | + ``` |
| 49 | + # apt-get install proxychains |
| 50 | + # cp /etc/proxychains.conf /etc/proxychains.conf.backup |
| 51 | + # echo "socks4 127.0.0.1 8080" > /etc/proxychains.conf |
| 52 | + ``` |
| 53 | + |
| 54 | + From there, we can use our other tools by simply prefixing them with `proxychains`: |
| 55 | + |
| 56 | + ``` |
| 57 | + # proxychains curl http://10.0.0.15:8080/robots.txt |
| 58 | + # proxychains nmap -sT -Pn -n -p 22 10.0.0.15 |
| 59 | + # proxychains firefox |
| 60 | + ``` |
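Review bot: the proxychains configuration in the "Scenarios" section does not match the proxy it is meant to use. `echo "socks4 127.0.0.1 8080" > /etc/proxychains.conf` points at port 8080, but the server started with `run` listens on the SRVPORT default of `1080` documented under "Options", so every `proxychains` command that follows would fail to connect (and 8080 is also the target's port in the `curl` example, which makes the mix-up easy to miss). Overwriting the whole file with `>` also drops the `[ProxyList]` section header that proxychains requires before any proxy entries, as well as the default `strict_chain` and `proxy_dns` settings. Suggest keeping the backup step and editing the entry under `[ProxyList]` in place instead, for example `sed -i 's/^socks4 .*/socks4 127.0.0.1 1080/' /etc/proxychains.conf`, and showing the resulting line `socks4 127.0.0.1 1080` so it visibly agrees with the `curl --proxy socks4a://localhost:1080` commands above. A minor documentation point on SRVHOST: since the module runs an unauthenticated SOCKS server, the text could recommend `set SRVHOST 127.0.0.1` for the proxychains use case, where only local tools need to reach it.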