2025-02-09
In red teaming, tunneling traffic through a proxy is essential for moving within internal networks. The problem? Many open-source tools like Chisel, Ligolo, etc., are often detected by security solutions, even with obfuscation. Advanced EDRs can still block them. To solve this, I decided to create my own custom SOCKS proxy. I started with a simple reverse proxy in Python since it’s easy to prototype and test ideas. Once I had a working version, I used the same logic to build a more advanced version in C# over HTTPS, successfully bypassing Kaspersky, Kaspersky endpoints, and other common security solutions.
Below is the Python code for a basic SOCKS proxy:
import socket
import select
import sys
def start_proxy(host='0.0.0.0', port=1080):
server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
server_socket.bind((host, port))
server_socket.listen(5)
print(f"SOCKS proxy started on {host}:{port}")
while True:
client_socket, addr = server_socket.accept()
print(f"Connection from {addr}")
data = client_socket.recv(4096)
if data:
print(f"Received data: {data}")
<h1>Forward data to the destination (example: localhost:8080)</h1>
destination_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
destination_socket.connect(('127.0.0.1', 8080))
destination_socket.send(data)
response = destination_socket.recv(4096)
client_socket.send(response)
client_socket.close()
if <strong>name</strong> == "<strong>main</strong>":
start_proxy()
For a more advanced implementation in C#, you can use the following logic:
using System;
using System.Net;
using System.Net.Sockets;
using System.Text;
class SocksProxy
{
private static void StartProxy(string host = "0.0.0.0", int port = 1080)
{
TcpListener server = new TcpListener(IPAddress.Parse(host), port);
server.Start();
Console.WriteLine($"SOCKS proxy started on {host}:{port}");
while (true)
{
TcpClient client = server.AcceptTcpClient();
Console.WriteLine("Client connected.");
NetworkStream stream = client.GetStream();
byte[] buffer = new byte[4096];
int bytesRead = stream.Read(buffer, 0, buffer.Length);
string data = Encoding.UTF8.GetString(buffer, 0, bytesRead);
Console.WriteLine($"Received data: {data}");
// Forward data to the destination (example: localhost:8080)
TcpClient destination = new TcpClient("127.0.0.1", 8080);
NetworkStream destinationStream = destination.GetStream();
destinationStream.Write(buffer, 0, bytesRead);
byte[] responseBuffer = new byte[4096];
int responseBytesRead = destinationStream.Read(responseBuffer, 0, responseBuffer.Length);
stream.Write(responseBuffer, 0, responseBytesRead);
client.Close();
}
}
static void Main(string[] args)
{
StartProxy();
}
}
What Undercode Say
Building a custom SOCKS proxy is a powerful technique for bypassing advanced security solutions, especially in red teaming scenarios. By understanding the underlying logic and implementing your own tools, you can evade detection mechanisms employed by EDRs and other security solutions. Here are some additional Linux commands and techniques to enhance your cybersecurity toolkit:
- SSH Tunneling: Use SSH to create a secure tunnel for your traffic.
ssh -D 1080 user@remote_host
Netcat for Port Forwarding: Netcat can be used to forward ports and create simple proxies.
nc -lvp 1080 -c "nc 127.0.0.1 8080"
Iptables for Traffic Redirection: Redirect traffic using iptables.
iptables -t nat -A PREROUTING -p tcp --dport 1080 -j REDIRECT --to-port 8080
Socat for Advanced Proxying: Socat is a versatile tool for creating complex network connections.
socat TCP-LISTEN:1080,fork TCP:127.0.0.1:8080
Curl with Proxy: Test your proxy using curl.
curl -x socks5://127.0.0.1:1080 http://example.com
Tshark for Traffic Analysis: Analyze your proxy traffic using Tshark.
tshark -i eth0 -f "port 1080"
Nmap for Network Scanning: Use Nmap to scan your network and identify open ports.
nmap -sT -p 1080 127.0.0.1
Wireshark for Deep Packet Inspection: Inspect packets in detail using Wireshark.
wireshark -k -i eth0 -f "port 1080"
OpenSSL for Encrypted Tunnels: Create an encrypted tunnel using OpenSSL.
openssl s_client -connect 127.0.0.1:8080 -tls1_2
Stunnel for SSL Wrapping: Wrap your proxy traffic in SSL using Stunnel.
stunnel -d 1080 -r 127.0.0.1:8080
By mastering these commands and techniques, you can enhance your ability to bypass security solutions and conduct effective red teaming operations. For more detailed guides and advanced techniques, visit Badr Eddine Jamai’s blog.
References:
Hackers Feeds, Undercode AI
