|
| 1 | + |
| 2 | +## Verification Steps |
| 3 | + |
| 4 | + 1. Start msfconsole |
| 5 | + 2. Do: ```use auxiliary/server/socks4a``` |
| 6 | + 3. Do: ```run``` |
| 7 | + 4. Do: ```curl --proxy socks4a://localhost:1080 https://github.com``` |
| 8 | + 5. You should see the source for the github homepage |
| 9 | + |
| 10 | +## Options |
| 11 | + |
| 12 | + **SRVHOST** |
| 13 | + |
| 14 | + The local IP address to bind the proxy to. The default value of `0.0.0.0` will expose the proxy to everything on the attackers network. |
| 15 | + |
| 16 | + **SRVPORT** |
| 17 | + |
| 18 | + The local port to bind the proxy to. The default value is `1080`, the standard port for a SOCKS4a proxy. |
| 19 | + |
| 20 | +## Scenarios |
| 21 | + |
| 22 | + This module is great when pivoting across a network. Suppose we have two machines: |
| 23 | + |
| 24 | + 1. Attackers machine, on the `192.168.1.0/24` subnet. |
| 25 | + 2. Victim machine with two network interfaces, one attached to the `192.168.1.0/24` subnet and the other attached to the non-routable `10.0.0.0/24` subnet. |
| 26 | + |
| 27 | + We'll begin by starting the socks4a proxy: |
| 28 | + ``` |
| 29 | + msf > use auxiliary/server/socks4a |
| 30 | + msf auxiliary(socks4a) > run |
| 31 | + [*] Auxiliary module execution completed |
| 32 | + [*] Starting the socks4a proxy server |
| 33 | + msf auxiliary(socks4a) > |
| 34 | + ``` |
| 35 | + |
| 36 | + Preparing to pivot across a network requires us to first establish a meterpreter session on the victim machine. From there, we can use the `autoroute` module to enable access to the non-routable subnet: |
| 37 | + |
| 38 | + ``` |
| 39 | + meterpreter > run autoroute -s 10.0.0.0/24; |
| 40 | + ``` |
| 41 | + |
| 42 | + The `autoroute` module will enable our local socks4a proxy to direct all traffic to the `10.0.0.0/24` subnet through our meterpreter session causing it to emerge from the victim's machine and thus giving us access to the non-routable subnet. We can now use curl to connect to a machine on the non-routable subnet via the socks4a proxy: |
| 43 | + ``` |
| 44 | + curl --proxy socks4a://localhost:1080 http://10.0.0.15:8080/robots.txt |
| 45 | + ``` |
| 46 | + |
| 47 | + We can take this a step further and use `proxychains` to enable other tools to access the non-routable subnet that don't have built-in support for proxies. The short-and-sweet guide to installing and configuring proxychains looks something like this: |
| 48 | + |
| 49 | + ``` |
| 50 | + # apt-get install proxychains |
| 51 | + # echo "socks4 127.0.0.1 8080" > /etc/proxychains.conf |
| 52 | + ``` |
| 53 | + |
| 54 | + From there, we can use our other tools by simply prefixing them with proxychains: |
| 55 | + |
| 56 | + ``` |
| 57 | + # proxychains curl http://10.0.0.15:8080/robots.txt |
| 58 | + # proxychains nmap -sSV -p 22 10.0.0.15 |
| 59 | + # proxychains firefox |
| 60 | + ``` |
0 commit comments