Hacktricks-skills socks-pentesting

Pentest SOCKS proxy services (port 1080). Use this skill whenever you need to enumerate, brute force, or validate SOCKS proxies. Trigger when the user mentions SOCKS, port 1080, proxy enumeration, socks5, proxychains, or any scenario involving SOCKS proxy testing, authentication checks, or egress validation through proxies.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/network-services-pentesting/1080-pentesting-socks/SKILL.MD
source content

SOCKS Pentesting Skill

A skill for enumerating, attacking, and validating SOCKS proxy services on port 1080.

What this skill does

This skill helps you:

  • Enumerate SOCKS services and check authentication requirements
  • Brute force SOCKS credentials using nmap or hydra
  • Validate egress through SOCKS proxies
  • Discover SOCKS services across networks
  • Use SOCKS proxies for internal network access

When to use this skill

Use this skill when:

  • You find port 1080 open during enumeration
  • You need to test SOCKS proxy authentication
  • You want to validate proxy egress capabilities
  • You're looking for open SOCKS proxies
  • You need to route traffic through a SOCKS proxy

Quick Start

1. Check if SOCKS is running

nmap -p 1080 <target> --script socks-auth-info

This tells you if the service requires authentication and what methods it supports.

2. Test authentication methods

nmap -sV --script socks-methods,socks-open-proxy -p 1080 <target>

  • socks-methods: Lists supported authentication types
  • socks-open-proxy: Checks if the proxy can be abused as a relay

3. Quick raw handshake check

printf '\x05\x01\x00' | nc -nv <target> 1080

  • Response \x05 01 00 = SOCKS5 with no authentication required
  • Response with \x02 = username/password authentication required
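The same method negotiation as a small Python probe, added here as an example (it is not part of the Hacktricks skill): it builds the VER | NMETHODS | METHODS greeting, reads the server's two-byte VER | METHOD selection defined in RFC 1928, and classifies it, including the case where whatever listens on 1080 is not SOCKS at all. Host and port arguments are assumptions, and the canned replies are constructed test data.

```python
import socket

SOCKS_VERSION = 0x05
# Method codes from RFC 1928 (0x00, 0x01, 0xFF) and RFC 1929 (0x02).
METHOD_NAMES = {0x00: "no authentication", 0x01: "GSSAPI",
                0x02: "username/password", 0xFF: "no acceptable methods"}

def build_greeting(methods=(0x00, 0x02)):
    """Client greeting VER | NMETHODS | METHODS; (0x00,) is what the printf above sends."""
    if not 1 <= len(methods) <= 255:
        raise ValueError("SOCKS5 greeting carries 1..255 method bytes")
    return bytes([SOCKS_VERSION, len(methods), *methods])

def parse_method_selection(reply):
    """Classify the server's 2-byte selection VER | METHOD.

    Returns (is_socks5, method_code_or_None, description). Short replies and
    wrong version bytes are reported rather than raised, because something
    that is not SOCKS (e.g. an HTTP proxy) may be listening on 1080.
    """
    if len(reply) < 2:
        return (False, None, "short or empty reply; probably not SOCKS5")
    if reply[0] != SOCKS_VERSION:
        return (False, None, f"version byte 0x{reply[0]:02x}; not SOCKS5")
    method = reply[1]
    return (True, method, METHOD_NAMES.get(method, f"unknown method 0x{method:02x}"))

def probe(sock, methods=(0x00, 0x02)):
    """Send the greeting on a connected socket and classify what comes back."""
    sock.sendall(build_greeting(methods))
    return parse_method_selection(sock.recv(2))

def probe_host(host, port=1080, timeout=5.0):
    """Connect to an in-scope host:port (assumed values) and run probe()."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return probe(sock)

def probe_canned(reply):
    """Run probe() against an in-process peer pre-loaded with a constructed reply."""
    client, server = socket.socketpair()
    with client, server:
        server.sendall(reply)  # queue the canned reply before the greeting goes out
        return probe(client)

if __name__ == "__main__":
    # Offline demo with constructed replies: no-auth, user/pass, and a non-SOCKS answer.
    for canned in (b"\x05\x00", b"\x05\x02", b"HTTP/1.1 400 Bad Request\r\n"):
        print(canned[:2], "->", probe_canned(canned))
```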

Brute Force Attacks

Using nmap

# Basic brute force
nmap --script socks-brute -p 1080 <target>

# Advanced with wordlists and time limit
nmap --script socks-brute --script-args userdb=users.txt,passdb=rockyou.txt,unpwdb.timelimit=30m -p 1080 <target>

Using hydra

hydra -L users.txt -P passwords.txt -s 1080 -t 16 -V <target> socks5

Egress Validation

Test proxy connectivity

# Check external IP through proxy
curl --socks5-hostname <proxy-ip>:1080 https://ifconfig.me

# With authentication
curl --socks5-hostname user:pass@<proxy-ip>:1080 https://ifconfig.me

Test internal network access

# Use proxychains to scan internal targets
proxychains4 -q nmap -sT -Pn --top-ports 200 <internal-host>

Important: Use socks5h for DNS privacy

Always use --socks5-hostname or socks5h:// URLs to force DNS resolution through the proxy. This prevents local DNS leaks and makes it harder to fingerprint your origin.

Internet-wide Discovery

# Scan entire internet for SOCKS services
masscan 0.0.0.0/0 -p1080 --banners --rate 100000 -oX socks.xml

# Parse results and prioritize interesting banners
# Look for: 3proxy, Dante, MikroTik

Using SOCKS with Common Tools

curl

curl --socks5-hostname <proxy>:1080 https://example.com
curl --socks5-hostname user:pass@<proxy>:1080 https://example.com

nmap

proxychains4 nmap -sT -Pn <target>

Browser (Firefox/Chrome)

Configure proxy settings to use SOCKS5 at <proxy-ip>:1080 with optional authentication.

Common SOCKS Implementations

| Implementation | Banner String | Notes                                             |
|----------------|---------------|---------------------------------------------------|
| 3proxy         | 3proxy        | Lightweight, often misconfigured                  |
| Dante          | Dante         | Enterprise-grade, common in corporate environments |
| MikroTik       | MikroTik      | Router-based, often exposed by mistake            |
| Shadowsocks    | Varies        | Encrypted SOCKS variant                           |

Security Considerations

  1. Authentication: Always check if authentication is required before attempting brute force
  2. Rate limiting: Use unpwdb.timelimit in nmap to avoid triggering defenses
  3. Legal: Only test systems you have authorization to assess
  4. DNS leaks: Always use socks5h or --socks5-hostname to prevent DNS leaks
  5. Open proxies: Open SOCKS proxies can be abused for attacks - report responsibly

Troubleshooting

Proxy not working

  1. Verify the service is actually SOCKS (not just port 1080)
  2. Check if authentication is required
  3. Try raw handshake to confirm protocol version
  4. Verify network connectivity to the proxy

DNS still leaking

Make sure you're using socks5h:// or --socks5-hostname instead of socks5:// or --socks5.

Brute force too slow

  • Increase hydra threads: -t 32 or higher
  • Use smaller wordlists for initial testing
  • Check if rate limiting is in place
