The most important thing about doing penetration testing is anonymity, undetectable, or at least hard to be detected. The worst thing that can happen to any pentester is being detected by a security admin, the security technologies such as IDS, firewall, etc., or a forensic investigator.
We need more additional tools in order to hide our identity being exposed, VPN (Virtual Private Network) and Proxyservers are the most famous tools nowdays, but several considering RDP (Remote Desktop Protocol) as their main guard of their identity.
Whenever we send a packet to any hostnames or targets, that packet contains our IP address in the IP header. If we make a TCP connection, the target or hostname system will log our IP address as it logs all connections. These events increase the possibility of detection. In order to penetrate anonymously with the least chance of detection, we need to use an intermediary machine whose IP address will be left on the target system. This can be done by using proxies.
These systems are designed to accept our traffic and then forward it on to the hostname or target. Of course, the proxy will likely log our traffic, but an investigator would have to get a subpoena or search warrant to obtain the logs.
If we string multiple proxies in a chain, we make it harder and harder to detect our original IP address. If one of those proxies is outside the jurisdiction of the victim, it makes it very unlikely that any traffic can be attributed to our IP address. It is not as hard as you imagr to setup proxies chaining. Kali Linux, backbox and others penetration testing OS’s certaintly have an excellent built in tool for proxifying our traffic called proxychains.
- The latest version of Proxychains support SOCKS5, SOCKS4, and HTTP CONNECT proxy servers.
- Proxychains can be mixed up with a different proxy types in a list
- Proxychains also supports Any kinds of chaining option methods, like: random, which is it takes random proxy in the list stored in configuration file. or chaining proxies in the exact order list, different proxies are separated by new line in a file. or dynamic option, that let Proxychains to go through the live only proxies, it will exclude the dead or unreachable proxies, the dynamic option often called smart option.
- Proxychains could run or handle any TCP client application, ie., nmap.
Instead of scanning or do multiple requests to any target directly using our IP, we can let Proxychains to cover up our identities. By adding command “proxychains” for every jobs, thats mean we enable Proxychains service. For example; we want to scan any webservers in a range of our local network by using Proxychains,or scan specific target by its URL hostname or IP. so type in:
<span style="color: #00ff00">proxychains nmap -sT -P0 -p 80 -iR 192.168.1.0/24</span>
Step 1: Look at Proxychains files
Let’s start by finding proxychains. Type:
root@kali:~# locate proxychains
As we can see in the screenshot above, above the highlighted output, proxychains is in the /usr/bin directory. Since/usr/bin is in our PATH variable, we can use it from any directory. This is just as we would want since we use proxychains with other commands, which may NOT likely be in the PATH variable.
Step 2: Proxychains Syntax
The syntax for the proxycahins command is simple and straightforward.
root@kali:~# proxychains [the command you want proxied] [any arguments]
So, if I wanted to use proxychains to scan a site with nmap anonymously, I could type:
root@kali:~# proxychains nmap -sS [IP address or URL]
Step 3: Setup the Configuration File
Like nearly every application in Linux/Unix, configuration is managed by a simple text file called the config file. In the case of proxychains, this file is /etc/proxychains.conf. We can open it in leafpad or any other text editor (vi, emacs, gedit, kwrite, etc.), by typing:
root@kali:~# leafpad /etc/proxychains.conf
When we do so, we will see a file like that displayed below. If we scroll down this file a bit, we will see a section that I have highlighted labeled “add proxy list here…”.
You can get IP proxy lists for free in HideMyAss. Visit the link, and scroll down the webpage until you see the proxy list detail.
To get proxychains to use intermediary proxies, we simply need to add the IP addresses of the proxies we want to use here. It’s important to note that proxychains defaults to use Tor. Notice the last line in the screenshot above. It directs proxychains to send the traffic first through our host at 127.0.0.1 on port 9050 (the default Tor configuration). If you are using Tor, leaves this as it is. If you are not using Tor, you will need to comment out this line.
As much as I like Tor, it is very slow and we now know that the NSA has broken Tor, so I am much less likely to depend upon it for anonymity.
Step 4: Let’s Test Proxychains
Now that we have put a proxy between us and any traffic we send, let’s test it out. In this case, I am simply going to do an nmap scan to site.com anonymously by sending the scan through a proxy. The command would be as follows:
root@kali:~# proxychains nmap -sS -T4 -v www.site.com
As you can see in the screenshot above, I have successfully scanned site.com through my chosen proxy and returned the results back to me. In this way, it appears that my proxy scanned site.com and not my IP address.
Now that we have proxychains working, let’s look at some options that we can configure through the proxychains.conf. As we now have it set up, we are simply using a single proxy. We can put in numerous proxies and use all of them, we can use a limited number from the list, or we can have proxychains change the order randomly. Let’s try all of those options.
Step 5: Add More Proxies
First, let’s add some more proxies to our list. Open /etc/proxychains.conf and add more proxy IPs like I’ve done below
Dynamic Chaining (Smart Chaining)
Now that we have multiple IPs in our proxychain.conf we can set up dynamic chaining. Dynamic chaining will enable us to run our traffic through every proxy on our list, and if one of the proxies is down or not responding, it will automatically go to the next proxy in the list without throwing an error.
To do so, let’s first open the proxychains configuration file again.
With this file open, uncomment out the “dynamic_chains” line. This will enable dynamic chaining of our proxies allowing for greater anonymity and trouble-free hacking.
Finally, we can also use “random chaining”. With this option, proxychains will randomly choose IP addresses from our list and use them for creating our proxychain. This means that each time we use proxychains, the chain of proxy will look different to the target, making it harder to track our traffic from its source.
To do so, open the /etc/proxychains.conf file and comment out “dynamic chains” and uncomment “random chain”. Since we can only use one of these options at a time, make certain that you comment out the other options in this section before using proxychains.
In addition; you may want to uncomment the line with “chain_len”. This will determine how many of the IP addresses in your chain will be used in creating your “random proxy chain”. And also if you get error cause of proxy DNS requests, you might want to comment out “proxy_dns” option.
Now that you know how to use proxychains, you can do your penetration testing with relative anonymity.