
5,934 bytes added ,  09:39, 1 April 2016
Created page with " = Launching terminal processes with proxy = WARNING: Port scan results and udp trafic will be faked by the proxy that will accept connections. Trafic inyection to host will w..."

= Launching terminal processes with proxy =
WARNING: port-scan results are unreliable through a proxy: the proxy accepts the TCP connection itself, so ports can look open whether or not the target answers, and UDP traffic is not tunnelled at all (proxychains only intercepts TCP connect() calls). Injecting application traffic to a host over an established TCP connection does work.

== CNTLM ==
Show the command-line options:
cntlm -v
Configuration File:
nano /etc/cntlm.conf
=== Generate the NTLMv2 hash ===
If the user and domain are already in the configuration file, run the following (cntlm prompts for the password; do not pass it on the command line, where it would end up in shell history and ps output):
cntlm -H
To generate the hash for an explicit user and domain:
cntlm -H -u USER -d DOMAIN
To start the proxy with our generated configuration run:
cntlm -c /etc/cntlm.conf
To check if CNTLM is running run:
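# pgrep matches on the process name only; the old `ps -aux | grep cn`
# also matched the grep itself and anything else containing "cn"
pgrep -a cntlm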

==== cntlm.conf ====
root@kali:/home/mrvv# cat /etc/cntlm.conf
<nowiki>
#
# Cntlm Authentication Proxy Configuration
#
# NOTE: all values are parsed literally, do NOT escape spaces,
# do not quote. Keep this file mode 0600 whatever you store in it:
# PassLM/PassNT are raw password hashes usable for pass-the-hash,
# and PassNTLMv2 still lets anyone who reads it authenticate to the
# parent proxy as you.
#

# Replace with your own domain account (the original page had the
# Spanish placeholder "Vuestro usuario" = "your username" here).
Username YOUR_USERNAME
Domain BBVA
# The NTLMv2 hash is bound to this exact Username/Domain pair and is a
# password-equivalent secret for the parent proxy: generate it with
# "cntlm -H -u USERNAME -d DOMAIN", keep this file 0600, and never
# paste a real value into shared notes.
PassNTLMv2 <paste the value printed by cntlm -H here>
# NOTE: Use plaintext password only at your own risk
# Use hashes instead. You can use a "cntlm -M" and "cntlm -H"
# command sequence to get the right config for your environment.
# See cntlm man page
# Example secure config shown below.
# PassLM 1AD35398BE6565DDB5C4EF70C0593492
# PassNT 77B9081511704EE852F94227CF48A793
### Only for user 'testuser', domain 'corp-uk'
# PassNTLMv2 D5826E9C665C37C80B53397D5C07BBCB

# Specify the netbios hostname cntlm will send to the parent
# proxies. Normally the value is auto-guessed.
#
# Workstation netbios_hostname

# List of parent proxies to use. More proxies can be defined
# one per line in format <proxy_ip>:<proxy_port>
#
Proxy cacheedi1.igrupobbva:8080
#Proxy 10.0.0.42:8080

# List addresses you do not want to pass to parent proxies
# * and ? wildcards can be used
#
NoProxy localhost, 127.0.0.*, 10.*, 192.168.*

# Specify the port cntlm will listen on
# You can bind cntlm to specific interface by specifying
# the appropriate IP address also in format <local_ip>:<local_port>
# Cntlm listens on 127.0.0.1:3128 by default
#
Listen 127.0.0.1:3128

# If you wish to use the SOCKS5 proxy feature as well, uncomment
# the following option. It can be used several times
# to have SOCKS5 on more than one port or on different network
# interfaces (specify explicit source address for that).
#
# WARNING: The service accepts all requests, unless you use
# SOCKS5User and make authentication mandatory. SOCKS5User
# can be used repeatedly for a whole bunch of individual accounts.
#
#SOCKS5Proxy 8010
#SOCKS5User dave:password

# Use -M first to detect the best NTLM settings for your proxy.
# Default is to use the only secure hash, NTLMv2, but it is not
# as available as the older stuff.
#
# This example is the most universal setup known to man, but it
# uses the weakest hash ever (LM). I won't have its usage on my
# conscience. :) Really, try -M first.
#
#Auth LM
#Flags 0x06820000

# Enable to allow access from other computers. Anyone who can reach
# the listener then browses through the parent proxy with YOUR
# credentials, so also bind Listen to a specific address and add
# Allow/Deny rules below instead of exposing it to the whole network.
#
#Gateway yes

# Useful in Gateway mode to allow/restrict certain IPs
# Specify individual IPs or subnets, one rule per line.
#
#Allow 127.0.0.1
#Deny 0/0

# GFI WebMonitor-handling plugin parameters, disabled by default
#
#ISAScannerSize 1024
#ISAScannerAgent Wget/
#ISAScannerAgent APT-HTTP/
#ISAScannerAgent Yum/

# Headers which should be replaced if present in the request
#
#Header User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)

# Tunnels mapping local port to a machine behind the proxy.
# The format is <local_port>:<remote_host>:<remote_port>
#
#Tunnel 11443:remote.com:443
</nowiki>

== proxychains ==
=== Configuration file ===
root@kali:/home/mrvv# cat /etc/proxychains.conf

<nowiki>
# proxychains.conf VER 3.1
#
# HTTP, SOCKS4, SOCKS5 tunneling proxifier with DNS.
#

# The option below identifies how the ProxyList is treated.
# only one option should be uncommented at time,
# otherwise the last appearing option will be accepted
#
#dynamic_chain
#
# Dynamic - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# at least one proxy must be online to play in chain
# (dead proxies are skipped)
# otherwise EINTR is returned to the app
#
strict_chain
#
# Strict - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# all proxies must be online to play in chain
# otherwise EINTR is returned to the app
#
#random_chain
#
# Random - Each connection will be done via random proxy
# (or proxy chain, see chain_len) from the list.
# this option is good to test your IDS :)

# Make sense only if random_chain
#chain_len = 2

# Quiet mode (no output from library)
#quiet_mode

# Proxy DNS requests through the chain so lookups made via the libc
# resolver do not leak to the local network. Tools that talk to a DNS
# server over their own TCP socket (see the dig +tcp example) are
# tunnelled like any other connection; UDP lookups are not.
proxy_dns

# Some timeouts in milliseconds
tcp_read_time_out 15000
tcp_connect_time_out 8000

# ProxyList format
# type host port [user pass]
# (values separated by 'tab' or 'blank')
#
#
# Examples:
#
# socks5 192.168.67.78 1080 lamer secret
# http 192.168.89.3 8080 justu hidden
# socks4 192.168.1.49 1080
# http 192.168.39.93 8080
#
#
# proxy types: http, socks4, socks5
# ( auth types supported: "basic"-http "user/pass"-socks )
#
[ProxyList]
# add proxy here ...
# meanwhile
# defaults set to "tor"
#socks4 127.0.0.1 9050
# local cntlm listener (Listen 127.0.0.1:3128 in cntlm.conf); no
# user/pass here, cntlm adds the NTLM authentication itself
http 127.0.0.1 3128
</nowiki>

== Usage examples ==

=== Resolve DNS (DNS over TCP must be forced with +tcp, since only TCP connections go through the proxy) ===
proxychains dig www.google.es @8.8.8.8 +tcp

== Obtain IP address ==
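# +short drops dig's header/footer so no column guessing is needed; the
# grep keeps only dotted-quad A answers (+short may also print CNAME
# targets). +tcp is required because only TCP goes through the proxy.
proxychains dig +short +tcp www.google.es A @8.8.8.8 | grep -E '^[0-9]+(\.[0-9]+){3}$'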

== nmap with default NSE scripts ==
A full TCP connect scan must be forced: only connect()-based scans (-sT) are intercepted by proxychains, SYN and other raw-socket scans go out directly, and host discovery (hence -Pn) cannot be proxied either.
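# -n      nmap's own resolver bypasses proxychains, so skip reverse DNS
# -Pn     ICMP/ARP host discovery cannot be proxied
# -sT     connect() scan is the only TCP scan mode that goes through the
#         proxy (SYN scans need raw sockets)
# -sV -sC the parts of -A that work here; -A would also turn on -O and
#         --traceroute, which need raw packets and fail behind a proxy
proxychains nmap -n -Pn -sT -sV -sC -p80,443 8.8.8.8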

== SSL/TLS layer assessment ==
* Download [https://github.com/iSECPartners/sslyze sslyze]
* Download [https://testssl.sh/ testssl.sh]

proxychains ./testssl.sh 74.172.181.196

proxychains sslyze --regular 74.172.181.196
