Using Proxychains with Tor on Kali Linux 2016
What is proxychains?
The simplified and quick explanation is that proxychains is a nifty little tool that lets you pipe TCP connections through a proxy, or a chain of multiple proxies, effectively masking your public IP address. I’m not going to dig into the more technical details here, but if you’re interested you can find more information on the project homepage or GitHub page.
What is Tor?
I assume that, since you’ve found and are reading this blog post, you have at least some kind of hunch what Tor is. For those who are interested in a more detailed explanation, I’m again going to point you to the project homepage. But in case you are not that familiar with it, let’s just say that Tor (if used correctly) is a project that aims to help people anonymize their TCP traffic. For our needs it’s going to provide the relays which we use with proxychains.
What is Privoxy?
Privoxy is a non-caching web proxy with advanced filtering capabilities for enhancing privacy, modifying web page data and HTTP headers, controlling access, and removing ads and other obnoxious Internet junk. Privoxy has a flexible configuration and can be customized to suit individual needs and tastes. It has application for both stand-alone systems and multi-user networks.
Setting things up
Let's update the repositories and install the packages:
apt-get update && apt-get install tor tor-geoipdb privoxy proxychains -y
Now let's change the Tor configuration:
vim /etc/tor/torrc

[...]
SOCKSPort 9050 # Default: Bind to localhost:9050 for local connections.
[...]
## Logs go to stdout at level "notice" unless redirected by something
## else, like one of the below lines. You can have as many Log lines as
## you want.
##
## We advise using "notice" in most cases, since anything more verbose
## may provide sensitive information to an attacker who obtains the logs.
##
## Send all messages of level 'notice' or higher to /var/log/tor/notices.log
Log notice file /var/log/tor/notices.log
## Send every possible message to /var/log/tor/debug.log
Log debug file /var/log/tor/debug.log
## Use the system log instead of Tor's logfiles
Log notice syslog
## To send all messages to stderr:
#Log debug stderr
Now we need to configure proxychains to use Tor, and change the way the proxy chain handles each connection:
vim /etc/proxychains.conf

[...]
# The option below identifies how the ProxyList is treated.
# only one option should be uncommented at time,
# otherwise the last appearing option will be accepted
#
dynamic_chain
#
# Dynamic - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# at least one proxy must be online to play in chain
# (dead proxies are skipped)
# otherwise EINTR is returned to the app
#
#strict_chain
[...]
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
#socks4 127.0.0.1 9050
socks5 127.0.0.1 9050
Now we need to configure Privoxy. By default it binds only to localhost, but sometimes we need to reach the Tor proxy from another host, so let's make it listen on every IP address available on this host. Binding to 0.0.0.0 makes the proxy reachable from the whole network, so restrict which clients may use it (Privoxy's permit-access directive, or a host firewall).
vim /etc/privoxy/config

[...]
#      Suppose you are running Privoxy on an IPv6-capable machine and
#      you want it to listen on the IPv6 address of the loopback
#      device:
#
#        listen-address [::1]:8118
#
listen-address 0.0.0.0:8118
#listen-address 127.0.0.1:8118
#listen-address [::1]:8118
[...]
#      To chain Privoxy and Tor, both running on the same system, you
#      would use something like:
#
forward-socks5t / 127.0.0.1:9050 .
Now we need to enable Tor and Privoxy at boot time:
systemctl enable tor
systemctl enable privoxy
Now we need to restart the services:
systemctl restart tor
systemctl restart privoxy
Now let's check that both services are listening:
netstat -natup | egrep "(tor|privo)"
tcp 0 0 0.0.0.0:8118 0.0.0.0:* LISTEN 4625/privoxy
tcp 0 0 127.0.0.1:9050 0.0.0.0:* LISTEN 4616/tor
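To make this check repeatable, here is an added example (not from the original post) that parses netstat output such as the two lines above, verifies that Privoxy and Tor listen on the ports this setup expects, and flags any listener bound to a network-reachable address. The sample lines are constructed from the output above.

```python
import ipaddress
import re

# Constructed sample: the two lines the netstat check above produced.
SAMPLE_NETSTAT = """\
tcp 0 0 0.0.0.0:8118 0.0.0.0:* LISTEN 4625/privoxy
tcp 0 0 127.0.0.1:9050 0.0.0.0:* LISTEN 4616/tor
"""

# What the setup on this page expects: process name -> port it must listen on.
EXPECTED = {"privoxy": 8118, "tor": 9050}

# netstat -natup LISTEN line: proto, recv-q, send-q, local addr:port, foreign, state, pid/name
LINE_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+\d+/(\S+)")

def parse_listeners(netstat_output: str) -> dict:
    """Map process name -> (bind address, port) for every LISTEN line."""
    listeners = {}
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _proto, addr, port, proc = m.groups()
            listeners[proc] = (addr, int(port))
    return listeners

def is_network_exposed(addr: str) -> bool:
    """True for wildcard (0.0.0.0, ::) or non-loopback binds, i.e. reachable from other hosts."""
    ip = ipaddress.ip_address(addr.strip("[]"))
    return ip.is_unspecified or not ip.is_loopback

def audit(netstat_output: str) -> dict:
    """Report expected services that are missing, on the wrong port, or network-exposed."""
    seen = parse_listeners(netstat_output)
    report = {"missing": [], "wrong_port": [], "exposed": []}
    for name, port in EXPECTED.items():
        if name not in seen:
            report["missing"].append(name)
        elif seen[name][1] != port:
            report["wrong_port"].append(name)
        elif is_network_exposed(seen[name][0]):
            report["exposed"].append(name)
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_NETSTAT))
```

With the configuration from this post the report lists privoxy as exposed (bound to 0.0.0.0) and tor as local-only, which is the intended state; anything in "missing" or "wrong_port" means a service did not start as configured.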
To check that everything is working properly, configure the browser to use the proxy with IP address 127.0.0.1 and port 8118, tick "use this proxy server for all protocols" and select OK.
Now we can access http://check.torproject.org to check that everything is working. Today, 11/15/2015, if you check the configuration the message will be: Congratulations. This browser is configured to use Tor.
Now we can use proxychains to access services such as SSH, as below.
proxychains ssh douglas@200.200.200.10 -p 2221
ProxyChains-3.1 (http://proxychains.sf.net)
|D-chain|-<>-127.0.0.1:9050-<><>-200.200.200.10:2221-<><>-OK
The authenticity of host '[200.200.200.10]:2221 ([200.200.200.10]:2221)' can't be established.
ECDSA key fingerprint is SHA256:7/lTNalX5BKbwFN1+lY7fdiZeNupWMKnqFyTfx7kGwc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[200.200.200.10]:2221' (ECDSA) to the list of known hosts.
douglas@servidor.com.br's password:
We can use torify to do the same:
torify ssh douglas@200.200.200.10 -p 2221
douglas@servidor.com.br's password:
Let's test proxychains with nmap. Keep in mind that a SYN scan (-sS) uses raw sockets, which proxychains cannot intercept (it only hooks the libc connect() calls of ordinary TCP sockets), so the probes below are not sent through the chain; notice that no |D-chain| lines appear in the output. Only a TCP connect scan (-sT) actually goes through the proxy.
proxychains nmap -sS 200.236.31.3 -T4
ProxyChains-3.1 (http://proxychains.sf.net)

Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-15 11:16 BRST
Nmap scan report for debian.c3sl.ufpr.br (200.236.31.3)
Host is up (0.014s latency).
Not shown: 994 closed ports
PORT    STATE    SERVICE
21/tcp  open     ftp
22/tcp  open     ssh
25/tcp  filtered smtp
53/tcp  open     domain
80/tcp  open     http
873/tcp open     rsync

Nmap done: 1 IP address (1 host up) scanned in 14.16 seconds
We can use proxychains with Metasploit, but we need to comment out the proxy_dns line, otherwise Metasploit will not be able to connect to its database. Note that with proxy_dns disabled, name resolution is no longer sent through the proxy, so DNS lookups leave the host directly rather than via Tor.
sed -i 's/proxy_dns/#proxy_dns/g' /etc/proxychains.conf
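To show what the proxy_dns option (and the socks5 127.0.0.1 9050 entry above) changes on the wire, here is an added example, not from the original post or from proxychains itself, that builds the SOCKS5 CONNECT request a client sends to Tor's SOCKS port and decodes it from the proxy's side: with proxy_dns the hostname travels inside the request and Tor resolves it; without it the client resolves first and only an IP address reaches the proxy. The resolver table and its address are constructed placeholders so that nothing is looked up on the network.

```python
import ipaddress
import struct

# Constructed stand-in for the local resolver so the example runs offline;
# the address is a documentation-range placeholder, not a real lookup.
FAKE_RESOLVER = {"check.torproject.org": "198.51.100.7"}

def socks5_greeting() -> bytes:
    # Client hello: version 5, one method offered, 0x00 = no authentication,
    # which matches a plain "socks5 127.0.0.1 9050" ProxyList entry.
    return b"\x05\x01\x00"

def socks5_connect_request(host: str, port: int, proxy_dns: bool) -> bytes:
    # CONNECT (CMD 0x01). With proxy_dns the hostname is carried as ATYP 0x03
    # and the proxy (Tor) resolves it; without it the client resolves locally,
    # a DNS query outside the tunnel, and sends ATYP 0x01 with the IPv4 address.
    if proxy_dns:
        name = host.encode("idna")
        addr = b"\x03" + bytes([len(name)]) + name
    else:
        ip = FAKE_RESOLVER.get(host, host)
        addr = b"\x01" + ipaddress.IPv4Address(ip).packed
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)

def decode_connect_request(data: bytes) -> tuple:
    # Proxy-side view: returns (ATYP, destination, port) as the SOCKS port sees it.
    ver, cmd, _rsv, atyp = data[:4]
    if ver != 5 or cmd != 1:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == 1:
        dest, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == 3:
        n = data[4]
        dest, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("unsupported address type %d" % atyp)
    return atyp, dest, struct.unpack("!H", rest[:2])[0]

def simulated_proxy_reply(request: bytes) -> bytes:
    # Minimal proxy side: validate the request and answer success (REP 0x00)
    # with a zero bound address, the step proxychains prints as "<><>-OK".
    decode_connect_request(request)
    return b"\x05\x00\x00\x01" + bytes(4) + bytes(2)

def connect_succeeded(reply: bytes) -> bool:
    return len(reply) >= 2 and reply[0] == 5 and reply[1] == 0
```

Decoding the two requests side by side makes the difference concrete: the proxy sees the name "check.torproject.org" in one case and only "198.51.100.7" in the other, which is why commenting out proxy_dns trades the database connectivity problem for DNS queries that bypass Tor.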
Now we can start Metasploit with proxychains:
proxychains msfconsole
ProxyChains-3.1 (http://proxychains.sf.net)

[Metasploit ASCII-art banner]

To boldly go where no shell has gone before
Save 45% of your time on large engagements with Metasploit Pro
Learn more on http://rapid7.com/metasploit

       =[ metasploit v4.12.41-dev                         ]
+ -- --=[ 1597 exploits - 912 auxiliary - 274 post        ]
+ -- --=[ 458 payloads - 39 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf >
Be careful with these tools.