proxychains

proxychains is a program that can be used to force any TCP connection made by any

given TCP client to go through the proxy (or proxy chain).

As of Version 3.1, it supports SOCKS4, SOCKS5, and HTTP CONNECT

proxy servers.

The following are several usages of proxychains according to its documentation:

• proxychains is used when you need to use a proxy server to go outside

your LAN

• It is used to access the Internet behind a restrictive firewall that filters

outgoing ports (egress filtering)

• It can be used when you need to use two (or more) proxies in a chain

• It can be used when you want to run programs without built-in proxy

support (such as Telnet, Wget, FTP,VNC, and Nmap)

• It is used when you want to access the internal servers from outside through

a reverse proxy

To run proxychains, use the console to execute the following command:

# proxychains

This will display a simple usage instruction on your screen.

In Kali Linux, the proxychains configuration is stored in /etc/proxychains.conf,

and by default, it is set to use tor. If you want to use another proxy, just add the

proxy to the last part of the configuration file.

The following is the proxy part in my proxychains configuration file:

[ProxyList]

# add proxy here ...

# meanwile

# defaults set to "tor"

socks4 127.0.0.1 9050

The proxy format is:

proxy_type host port [user pass]

The proxy types are http, socks4, and socks5.

For our exercise, we want to use Telnet in proxychains; the command to do that

task is:

# proxychains telnet example.com

The telnet command will be proxied through the proxy server defined in the

proxychains configuration file before going to example.com.

ptunnel

ptunnel is a tool that can be used to tunnel TCP connections over ICMP echo

requests (ping requests) and reply (ping reply) packets. This tool will be useful if

you are allowed to ping any computer on the Internet, but you can't send TCP and

UDP packets to the Internet. With ptunnel, you can overcome that limitation so as to

access your e-mail, browse the Internet, and perform other activities that require TCP

or UDP connections.

To start ptunnel, use the console to execute the following command:

# ptunnel -h

This will display a simple usage instruction and example on your screen.

Maintaining Access

To use ptunnel, you need to set up a proxy server with ptunnel installed, and this

server should be available to the client. If you want to use ptunnel from the Internet,

you need to configure the ptunnel server using the IP address, which can be accessed

from the Internet.

After that, you can start the ptunnel server by issuing the following command:

# ptunnel

It will then listen to all TCP packets, shown as follows:

[inf]: Starting ptunnel v 0.71.

[inf]: Security features by Sebastien Raveau, <sebastien.raveau@epita.fr>

[inf]: Forwarding incoming ping packets over TCP.

[inf]: Ping proxy is listening in privileged mode.

From the client that wants to use ptunnel, enter the following command:

# ptunnel -p ptunnel.example.com -lp 2222 -da ssh.example.org -dp 22

It will display the following information:

[inf]: Starting ptunnel v 0.71.

[inf]: Security features by Sebastien Raveau, <sebastien.raveau@epita.fr>

[inf]: Relaying packets from incoming TCP streams.

Then, start your SSH program to connect to ssh.example.org using ptunnel:

# ssh localhost -p 2222

Next, you can log in to the SSH server on the remote machine after you supply the

correct username and password.

To protect ptunnel from being used by unauthorized people, you may want to

protect ptunnel access using a password with the –x command-line option. You need

to use the same password on the server and client.

socat

socat is a tool that establishes two bidirectional streams and transfers data between

them. The stream can be a combination of the following address types:

• A file

• A program

• A file descriptor (STDERR, STDIN, STDIO, and STDOUT)

• A socket (IPv4, IPv6, SSL, TCP, UDP, and UNIX)

• A device (network card, serial line, and TUN/TAP)

• A pipe

For each stream, parameters can be added (locking mode, user, group, permissions,

address, port, speed, permissions, owners, cipher, key, and so on).

According to the socat manual, the socat instance life cycle typically consists of the

following four phases:

• Init: In the first phase, the command-line options are parsed and logging is

initialized.

• Open: In the second phase, socat opens the first and second addresses.

• Transfer: In the third phase, socat watches both streams' read and write

file descriptors via select(). When the data is available on one side and

can be written to the other side, socat reads it, performs newline character

conversions if required, writes the data to the write file descriptor of the

other stream, and then continues to wait for more data in both directions.

• Close: When one of the streams effectively reaches EOF, the fourth phase

begins. socat transfers the EOF condition to the other stream. It continues to

transfer data in the other direction for a particular time but then closes all

remaining channels and terminates.

To start socat, use the console to execute the following command:

# socat -h

This will display command-line options and available address types on your screen.

The following are several common address types, along with their keywords

and parameters:

Address type Description

CREATE:<filename> This opens <filename> with creat() and uses the file

EXEC:<command-line> This forks a subprocess that establishes communication

descriptor for writing. Since a file opened with creat()

cannot be read from, this address type requires write-only

context.

with its parent process and invokes the specified program

with execvp(). The <command-line> command is a

simple command with arguments separated by a

single space.

Maintaining Access

Address type Description

FD:<fdnum> This uses the file descriptor <fdnum>.

INTERFACE:<interface> This communicates with a network connected on an

IP4-

SENDTO:<host>:<protocol>

IP4-RECV:<protocol> This opens a raw IP socket of <protocol>. It receives

interface using raw packets, including link level data.

<interface> is the name of the network interface; it is

only available in Linux.

This opens a raw IP socket. It uses <protocol> to send

packets to <host>; it receives packets from host and

ignores packets from other hosts. Protocol 255 uses the

raw socket, with the IP header being part of the data.

packets from multiple unspecified peers and merges the

data. No replies are possible. Protocol 255 uses the raw

socket, with the IP header being part of the data.

This operation fails on the UNIX domain socket.

<host> using TCP/IP Version 4 or 6 depending on

address specification, name resolution, or option pf.

specified with pf. When a connection is accepted, this

address behaves as the SSL server.

exist, a named pipe is created and opened.

OPEN:<filename> This opens <filename> using the open() system call.

OPENSSL:<host>:<port> This tries to establish an SSL connection to <port> on

OPENSSL-LISTEN:<port> This listens on TCP <port>. The IP version is 4 or the one

PIPE:<filename> If <filename> already exists, it is opened. If it does not

TCP4:<host>:<port> This connects to <port> on <host>.

TCP4-LISTEN:<port> This listens on <port> and accepts a TCP/IP connection.

UDP4:<host>:<port> This connects to <port> on <host> using UDP.

UDP4-LISTEN:<port> This waits for a UDP/IP packet arriving on <port> and

UDP4-

SENDTO:<host>:<port>

UDP4-RECV:<port> This creates a UDP socket on <port> using UDP Version

UNIX-CONNECT:<filename> This connects to <filename> assuming it is a UNIX

connects back to the sender.

This communicates with the specified peer socket, defined

by <port> on <host> using UDP Version 4. It sends

packets to and receives packets from that peer socket only.

4. It receives packets from multiple unspecified peers and

merges the data. No replies are possible.

domain socket. If <filename> does not exist, this is an

error; if <filename> is not a UNIX domain socket, this is

an error; and if <filename> is a UNIX domain socket but

no process is listening, this is an error.

Address type Description

UNIX-LISTEN:<filename> This listens on <filename> using a UNIX domain stream

UNIX-SENDTO:<filename> This communicates with the specified peer socket defined

UNIX-RECV:<filename> This creates a UNIX domain datagram socket <filename>.

socket and accepts a connection. If <filename> exists

and is not a socket, this is an error.

by <filename>, assuming it is a UNIX domain datagram

socket. It sends packets to and receives packets from that

peer socket only.

It receives packets from multiple unspecified peers and

merges the data. No replies are possible.

In the following section, we will see several socat usage scenarios.

Getting HTTP header information

To get HTTP header information, we can use the following socat command:

socat – TCP4:192.168.2.23:80

HEAD / HTTP/1.0

The HTTP server will then respond with the following information:

HTTP/1.1 200 OK

Date: Wed, 25 Dec 2013 15:27:19 GMT

Server: Apache/2.2.8 (Ubuntu) DAV/2

X-Powered-By: PHP/5.2.4-2ubuntu5.10

Connection: close

Content-Type: text/html

Transferring files

To transfer a file from host 192.168.2.22 to host 192.168.2.23, perform the

following steps:

1. In host 192.168.2.23 (recipient), give the following command:

socat TCP4-LISTEN:12345 OPEN:php-meter.php,creat,append

This will make socat listen on port 12345; socat will create a file named

thepass if it doesn't exist already, or it will just append the file if it already

exists.

Maintaining Access

2. While in 192.168.2.22 (sender), we can use the following command:

cat php-meter.php | socat – TCP4:192.168.2.23:12345

3. On the recipient, we can check whether the file is already created using the

ls command:

-rw-r--r-- 1 msfadmin msfadmin 1315 2013-12-25 10:34 php-meter.

php

We can see that the file has been transferred and created on the recipient machine

successfully.

sslh

sslh is an SSL/SSH multiplexer. It accepts connections on specified ports and

forwards them further based on tests performed on the first data packet sent by the

remote client.

Currently, sslh accepts connections in HTTP, HTTPS, SSH, OpenVPN, tinc, and

XMPP protocols.

Usually, you connect to your remote server using HTTP, HTTPS, SSH, OpenVPN,

and some other protocols. But, you may find that the service provider or your

victim firewall is blocking your access to the remote servers using these ports,

except for some specific ports such as 80 (HTTP) or 443 (HTTPS). So, how do you

overcome this?

Type sslh in the terminal.

This allows you to connect to the remote servers via SSH on port 443 while the web

server is still able to serve HTTPS on that port.

To start sslh, use the console to execute the following command:

# sslh

This will display the command syntax on your screen.

Before you can use sslh, you need to configure your web server. Edit your web

server configuration file and make sure that the web server only listens to localhost

port 443. Then, restart your web server. In Kali, you need to edit the ports.conf file

located at /etc/apache2/ and modify the line in the mod_ssl section.

The original code snippet is as follows:

Listen 443

</IfModule>

The modified code snippet is as follows:

Listen 127.0.0.1:443

</IfModule>

Next, you need to configure sslh. Open the sslh file under /etc/default/ and

change the following line:

Run=no

The modified code snippet is as follows:

Run=yes

The following are the configuration file contents in my system:

Save the change and start sslh:

# /etc/init.d/sslh start

[ ok ] Starting ssl/ssh multiplexer: sslh.

To verify that sslh is running, you can type the following command:

ps -ef | grep sslh

Maintaining Access

The following is the result:

Based on the preceding ps command output, we know that sslh is running.

Now, let's try to connect to this server via SSH using port 443 from a

remote machine:

ssh –p 443 root@192.168.2.22

The following is the result:

From the previous screenshot, we know that we are able to connect to the Kali

machine via SSH on port 443.

stunnel4

stunnel4 is a tool used to encrypt TCP protocols inside the SSL packets between

local and remote servers. It allows you to add SSL functionality to non-SSL aware

protocols, such as MySQL, Samba, POP3, IMAP, SMTP, and HTTP. This process can

be done without changing the source code of these protocols.

To start stunnel4, use the console to execute the following command:

# stunnel4 -h

This will display the command syntax on your screen.

If you want to display the help configuration file, you can use the -help option:

# stunnel4 -help

This will display the help configuration file on your screen.

For example, let's use stunnel4 to encrypt the MySQL connection between two hosts

(server and client). You can also use other network services to be encapsulated with

SSL via stunnel.

The server has an IP address of 192.168.2.21, while the client has an IP address of

192.168.2.22.

In the server machine, perform the following steps:

1. Create an SSL certificate and key:

# openssl req -new –days 365 -nodes -x509 -out /etc/stunnel/

stunnel.pem -keyout /etc/stunnel/stunnel.pem

2. Follow the onscreen guidance. You will be asked to enter some fields, such

as country name, province name, common name, e-mail address,

and so on.

3. OpenSSL will then generate the SSL certificate. The SSL key and certificate

will be stored in /etc/stunnel/stunnel.pem.

4. Configure stunnel4 to listen for secure connections on port 3307 and forward

the network traffic to the original MySQL port (3306) on localhost. We save

the stunnel configuration in /etc/stunnel/stunnel.conf:

cert = /etc/stunnel/stunnel.pem

setuid = stunnel4

setgid = stunnel4

pid = /var/run/stunnel4/stunnel4.pid

[mysqls]

accept = 0.0.0.0:3307

connect = localhost:3306

5. Enable stunnel4 automatic startup in /etc/default/stunnel4:

ENABLED=1

6. Start the stunnel4 service :

#/etc/init.d/stunnel4 start

Starting SSL tunnels: [Started: /etc/stunnel/stunnel.conf]

stunnel.

Maintaining Access

7. Verify that stunnel4 is listening on port 3307:

# netstat -nap | grep 3307

8. The following is the result:

tcp 0 0 0.0.0.0:3307 0.0.0.0:*

LISTEN 8038/stunnel4

9. Based on the preceding result, we know that stunnel4 is working.

Next, carry out the following steps in the client machine:

1. Configure stunnel4 to listen for secure connections on port 3307 and

forward the network traffic to the MySQL port (3306) on the server. Put the

following directives in /etc/stunnel/stunnel.conf:

client = yes

[mysqls]

accept = 3306

connect = 192.168.2.21:3307

2. Enable stunnel4 to start automatically after booting up by setting the

following directive in /etc/default/stunnel4:

ENABLED=1

3. Start the stunnel4 service:

#/etc/init.d/stunnel4 start

You can check whether the stunnel4 service is running by issuing the

following command:

netstat -napt | grep stunnel4

The following is the output of that command in my system:

tcp 0 0 0.0.0.0:3306 0.0.0.0:*

LISTEN 2860/stunnel4

4. Now, connect to the MySQL server using the following command:

#mysql -u root -h 127.0.0.1