Skip to content

Commit b87911b

Browse files
committed
Land rapid7#7340, auxiliary/server/socks4a docs
2 parents edbe1c3 + d1bf7d9 commit b87911b

File tree

1 file changed

+60
-0
lines changed

1 file changed

+60
-0
lines changed
Lines changed: 60 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,60 @@
1+
## Verification Steps
2+
3+
1. Start `msfconsole`
4+
2. Do: `use auxiliary/server/socks4a`
5+
3. Do: `run`
6+
4. Do: `curl --proxy socks4a://localhost:1080 https://github.com`
7+
5. You should see the source for the Github homepage
8+
9+
## Options
10+
11+
**SRVHOST**
12+
13+
The local IP address to bind the proxy to. The default value of `0.0.0.0` will expose the proxy to everything on the attacker's network.
14+
15+
**SRVPORT**
16+
17+
The local port to bind the proxy to. The default value is `1080`, the standard port for a socks4a proxy.
18+
19+
## Scenarios
20+
21+
This module is great when pivoting across a network. Suppose we have two machines:
22+
23+
1. Attacker's machine, on the `192.168.1.0/24` subnet.
24+
2. Victim machine with two network interfaces, one attached to the `192.168.1.0/24` subnet and the other attached to the non-routable `10.0.0.0/24` subnet.
25+
26+
We'll begin by starting the socks4a proxy:
27+
```
28+
msf > use auxiliary/server/socks4a
29+
msf auxiliary(socks4a) > run
30+
[*] Auxiliary module execution completed
31+
[*] Starting the socks4a proxy server
32+
msf auxiliary(socks4a) >
33+
```
34+
35+
Preparing to pivot across a network requires us to first establish a Meterpreter session on the victim machine. From there, we can use the `autoroute` script to enable access to the non-routable subnet:
36+
37+
```
38+
meterpreter > run autoroute -s 10.0.0.0/24
39+
```
40+
41+
The `autoroute` module will enable our local socks4a proxy to direct all traffic to the `10.0.0.0/24` subnet through our Meterpreter session, causing it to emerge from the victim's machine and thus giving us access to the non-routable subnet. We can now use `curl` to connect to a machine on the non-routable subnet via the socks4a proxy:
42+
```
43+
curl --proxy socks4a://localhost:1080 http://10.0.0.15:8080/robots.txt
44+
```
45+
46+
We can take this a step further and use proxychains to enable other tools that don't have built-in support for proxies to access the non-routable subnet. The short-and-sweet guide to installing and configuring proxychains looks something like this:
47+
48+
```
49+
# apt-get install proxychains
50+
# cp /etc/proxychains.conf /etc/proxychains.conf.backup
51+
# echo "socks4 127.0.0.1 8080" > /etc/proxychains.conf
52+
```
53+
54+
From there, we can use our other tools by simply prefixing them with `proxychains`:
55+
56+
```
57+
# proxychains curl http://10.0.0.15:8080/robots.txt
58+
# proxychains nmap -sT -Pn -n -p 22 10.0.0.15
59+
# proxychains firefox
60+
```

0 commit comments

Comments
 (0)