
Add SOCKS5H Proxy Support #20147


Open. Wants to merge 5 commits into master (base) from fix/issue/19641.

Conversation

zeroSteiner (Contributor)

This adds support for the SOCKS5H proxy convention, which is an unofficial standard whereby the proxy client (Metasploit) does not resolve hostnames to IP addresses itself but rather sends the hostname to the proxy server for resolution. Metasploit has floundered on its approach for handling DNS resolution and proxies in the past. Currently, when a module is run, the hostname is passed to Msf::RhostsWalker, which will resolve it itself to ensure that if a hostname maps to multiple IP addresses, the module is run for each. This PR retains this functionality but allows it to be bypassed when a SOCKS5H or HTTP proxy is in use. Both of these proxy server types can resolve hostnames themselves. This does mean that if a user is targeting a hostname that resolves to multiple IP addresses (e.g. google.com), the module will only run against one target if a DNS-resolving proxy is in use. If no proxy is in use, the module will run against all targets.

Requires changes from rapid7/rex-socket#76

Fixes #19641

Verification

  • Start a SOCKS5 proxy server for testing: podman run --rm --name socks5 -p 1080:1080 serjs/go-socks5-proxy
  • Start Wireshark to verify whether resolution is happening in Metasploit or on the proxy server (use the filter socks.command == 1 to see connection requests, then check whether they carry an IP address or a hostname)
  • Start msfconsole
  • Test the connect command
    • Banner grab from GitHub's SSH service: connect -p 'socks5://localhost' github.com 22
    • Repeat the process but use SOCKS5H so the proxy server handles hostname resolution: connect -p 'socks5h://localhost' github.com 22
  • Test a module, a simple example is auxiliary/scanner/http/http_version
    • Run the module with a SOCKS5 proxy: run RHOSTS=github.com Proxies=socks5://localhost
    • Repeat the process using SOCKS5H to see the change: run RHOSTS=github.com Proxies=socks5h://localhost:1080
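The wire-level difference that the PR description and the Wireshark step above are about, as an added example in Ruby (the project's language); this is not rex-socket or Metasploit code. It builds the SOCKS5 CONNECT request (RFC 1928 section 4) for both URL schemes and decodes it back the way the socks.command == 1 filter lets you eyeball it. The DNS lookup is injected as a callable, so the constructed answer 192.0.2.10 (documentation address space) stands in for a real resolution of github.com and nothing touches the network.

```ruby
require 'ipaddr'
require 'resolv'

# Added example, not rex-socket or Metasploit code. The whole socks5 vs
# socks5h distinction is the address type byte of the CONNECT request:
# socks5 resolves locally and sends an IP (ATYP 0x01 or 0x04); socks5h
# sends the hostname (ATYP 0x03) and leaves resolution to the proxy.
module Socks5Demo
  VER         = 0x05
  CMD_CONNECT = 0x01
  ATYP_IPV4   = 0x01
  ATYP_DOMAIN = 0x03
  ATYP_IPV6   = 0x04
  SCHEMES     = %w[socks5 socks5h].freeze

  # IPAddr if host is an IP literal, nil if it is a name to be resolved.
  def self.ip_literal(host)
    IPAddr.new(host)
  rescue IPAddr::InvalidAddressError
    nil
  end

  def self.encode_ip(ip)
    [ip.ipv4? ? ATYP_IPV4 : ATYP_IPV6].pack('C') + ip.hton
  end

  # Build the CONNECT request. `resolver` maps hostname -> IP string and is
  # injectable so the example runs offline; the default is a real DNS query
  # from this host, which is exactly what socks5h avoids.
  def self.connect_request(scheme, host, port, resolver: ->(h) { Resolv.getaddress(h) })
    raise ArgumentError, "unsupported scheme #{scheme}" unless SCHEMES.include?(scheme)
    raise ArgumentError, "bad port #{port}" unless (0..65535).cover?(port)

    ip = ip_literal(host)
    addr =
      if ip
        encode_ip(ip) # an IP literal has nothing to resolve under either scheme
      elsif scheme == 'socks5h'
        # Proxy resolves: the name goes on the wire, length-prefixed (max 255).
        raise ArgumentError, 'hostname longer than 255 bytes' if host.bytesize > 255
        [ATYP_DOMAIN, host.bytesize].pack('C2') + host.b
      else
        # Client resolves: a DNS query for `host` leaves this machine first,
        # and only the single address we picked reaches the proxy.
        encode_ip(IPAddr.new(resolver.call(host)))
      end
    [VER, CMD_CONNECT, 0x00].pack('C3') + addr + [port].pack('n')
  end

  # Decode a CONNECT request: is DST.ADDR an address or a name?
  def self.parse_connect_request(bytes)
    ver, cmd, _rsv, atyp = bytes.unpack('C4')
    raise 'not SOCKS5' unless ver == VER
    raise 'not CONNECT' unless cmd == CMD_CONNECT

    rest = bytes.byteslice(4..)
    host, rest =
      case atyp
      when ATYP_IPV4 then [IPAddr.new_ntoh(rest.byteslice(0, 4)).to_s, rest.byteslice(4..)]
      when ATYP_IPV6 then [IPAddr.new_ntoh(rest.byteslice(0, 16)).to_s, rest.byteslice(16..)]
      when ATYP_DOMAIN
        len = rest.unpack1('C')
        [rest.byteslice(1, len), rest.byteslice(1 + len..)]
      else raise "unknown ATYP #{atyp}"
      end
    raise 'truncated request' unless rest && rest.bytesize == 2

    { host: host, port: rest.unpack1('n'), proxy_resolves: atyp == ATYP_DOMAIN }
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed resolver answer so no real lookup of github.com happens.
  fake_dns = ->(_h) { '192.0.2.10' }
  Socks5Demo::SCHEMES.each do |scheme|
    req = Socks5Demo.connect_request(scheme, 'github.com', 22, resolver: fake_dns)
    puts "#{scheme}: #{req.unpack1('H*')} -> #{Socks5Demo.parse_connect_request(req)}"
  end
end
```

What to look for in the capture: under socks5 the request carries ATYP 0x01 or 0x04 and the proxy only ever sees an address, which means a DNS query for the target left the Metasploit host beforehand; under socks5h it carries ATYP 0x03 and the hostname, so the proxy (or whatever it forwards through) does the lookup. The example also makes the caveat from the description concrete: the name is sent once, so a hostname with several A records yields one CONNECT rather than one per address.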

zeroSteiner force-pushed the fix/issue/19641 branch 2 times, most recently from e5fe66b to 5f3b870 on May 7, 2025 20:02
zeroSteiner (Contributor, Author)

I'm working through the test failures right now.

@@ -53,3 +53,6 @@ group :test do
gem 'timecop'
end

gem 'rex-socket', git: 'https://github.com/zeroSteiner/rex-socket', branch: 'feat/proxy/socks5h'
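Review bot: the added Gemfile line pins rex-socket to a personal fork by branch name (`git: 'https://github.com/zeroSteiner/rex-socket', branch: 'feat/proxy/socks5h'`) with no `ref:`, so the dependency resolves to whatever that branch points at on a given day and builds are not reproducible. Since the description states the change requires rapid7/rex-socket#76, this line should be replaced by a pinned released rex-socket version once that lands (or at minimum carry a `ref:` SHA in the meantime) rather than merging into master as-is.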
Contributor

Don't forget to remove this before landing.

Development

Successfully merging this pull request may close these issues.

SOCKS Proxy is not used for rhost's set to hostnames
4 participants