CNTLM proxy proxychains
Launching terminal processes through a proxy[edit]
WARNING: Port scan results and UDP traffic will be faked by the proxy, which accepts every connection. Traffic injection to the host will work.
CNTLM[edit]
View options
cntlm -v
Configuration File:
nano /etc/cntlm.conf
Generate NTLMv2 key[edit]
If the user and domain are already in the configuration file run:
cntlm -H
To generate a key specifying the user and domain:
cntlm -H -u USER -d DOMAIN
To start the proxy with our generated configuration run:
cntlm -c /etc/cntlm.conf
To check if CNTLM is running:
ps aux | grep cntlm
cntlm.conf[edit]
root@kali:/home/mrvv# cat /etc/cntlm.conf
#
# Cntlm Authentication Proxy Configuration
#
# NOTE: all values are parsed literally, do NOT escape spaces,
# do not quote. Use 0600 perms if you use plaintext password.
#

Username	Vuestro usuario
Domain		BBVA
PassNTLMv2	F29CA659BBC5D2AC2A9E2EB9AE1D9B8A

# NOTE: Use plaintext password only at your own risk
# Use hashes instead. You can use a "cntlm -M" and "cntlm -H"
# command sequence to get the right config for your environment.
# See cntlm man page
# Example secure config shown below.
# PassLM          1AD35398BE6565DDB5C4EF70C0593492
# PassNT          77B9081511704EE852F94227CF48A793
### Only for user 'testuser', domain 'corp-uk'
# PassNTLMv2      D5826E9C665C37C80B53397D5C07BBCB

# Specify the netbios hostname cntlm will send to the parent
# proxies. Normally the value is auto-guessed.
#
# Workstation	netbios_hostname

# List of parent proxies to use. More proxies can be defined
# one per line in format <proxy_ip>:<proxy_port>
#
Proxy		cacheedi1.igrupobbva:8080
#Proxy		10.0.0.42:8080

# List addresses you do not want to pass to parent proxies
# * and ? wildcards can be used
#
NoProxy		localhost, 127.0.0.*, 10.*, 192.168.*

# Specify the port cntlm will listen on
# You can bind cntlm to specific interface by specifying
# the appropriate IP address also in format <local_ip>:<local_port>
# Cntlm listens on 127.0.0.1:3128 by default
#
Listen		127.0.0.1:3128

# If you wish to use the SOCKS5 proxy feature as well, uncomment
# the following option. It can be used several times
# to have SOCKS5 on more than one port or on different network
# interfaces (specify explicit source address for that).
#
# WARNING: The service accepts all requests, unless you use
# SOCKS5User and make authentication mandatory. SOCKS5User
# can be used repeatedly for a whole bunch of individual accounts.
#
#SOCKS5Proxy	8010
#SOCKS5User	dave:password

# Use -M first to detect the best NTLM settings for your proxy.
# Default is to use the only secure hash, NTLMv2, but it is not
# as available as the older stuff.
#
# This example is the most universal setup known to man, but it
# uses the weakest hash ever. I won't have it's usage on my
# conscience. :) Really, try -M first.
#
#Auth		LM
#Flags		0x06820000

# Enable to allow access from other computers
#
#Gateway	yes

# Useful in Gateway mode to allow/restrict certain IPs
# Specifiy individual IPs or subnets one rule per line.
#
#Allow		127.0.0.1
#Deny		0/0

# GFI WebMonitor-handling plugin parameters, disabled by default
#
#ISAScannerSize		1024
#ISAScannerAgent	Wget/
#ISAScannerAgent	APT-HTTP/
#ISAScannerAgent	Yum/

# Headers which should be replaced if present in the request
#
#Header		User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)

# Tunnels mapping local port to a machine behind the proxy.
# The format is <local_port>:<remote_host>:<remote_port>
#
#Tunnel		11443:remote.com:443
proxychains[edit]
Configuration file[edit]
root@kali:/home/mrvv# cat /etc/proxychains.conf
# proxychains.conf  VER 3.1
#
#        HTTP, SOCKS4, SOCKS5 tunneling proxifier with DNS.
#

# The option below identifies how the ProxyList is treated.
# only one option should be uncommented at time,
# otherwise the last appearing option will be accepted
#
#dynamic_chain
#
# Dynamic - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# at least one proxy must be online to play in chain
# (dead proxies are skipped)
# otherwise EINTR is returned to the app
#
strict_chain
#
# Strict - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# all proxies must be online to play in chain
# otherwise EINTR is returned to the app
#
#random_chain
#
# Random - Each connection will be done via random proxy
# (or proxy chain, see  chain_len) from the list.
# this option is good to test your IDS :)

# Make sense only if random_chain
#chain_len = 2

# Quiet mode (no output from library)
#quiet_mode

# Proxy DNS requests - no leak for DNS data
proxy_dns

# Some timeouts in milliseconds
tcp_read_time_out 15000
tcp_connect_time_out 8000

# ProxyList format
#       type  host  port [user pass]
#       (values separated by 'tab' or 'blank')
#
#
#        Examples:
#
#            	socks5	192.168.67.78	1080	lamer	secret
#		http	192.168.89.3	8080	justu	hidden
#	 	socks4	192.168.1.49	1080
#	        http	192.168.39.93	8080
#
#
#       proxy types: http, socks4, socks5
#        ( auth types supported: "basic"-http  "user/pass"-socks )
#
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
#socks4 	127.0.0.1 9050
#cntlm
http 127.0.0.1 3128
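The two files above only work together when the active [ProxyList] entry points at the address CNTLM's Listen directive binds. As an added check (example code, not part of the original page or of the CNTLM/proxychains projects), this POSIX shell script parses both files and compares them; the sample configs it writes are constructed for the demonstration and the file names under the sample directory are assumptions.

```shell
#!/bin/sh
# Added example: verify that proxychains.conf forwards to the ip:port CNTLM listens on.
# Assumes the formats shown on this page: "Listen [ip:]port" in cntlm.conf and
# "type host port [user pass]" lines after [ProxyList] in proxychains.conf.

# Print the ip:port CNTLM listens on. A bare port is taken as 127.0.0.1:port
# (the default without Gateway mode); unset means the default 127.0.0.1:3128.
cntlm_listen() {  # $1 = path to cntlm.conf
    _l=$(awk '$1 == "Listen" { v = $2 } END { print v }' "$1")
    case "$_l" in
        "")  echo "127.0.0.1:3128" ;;
        *:*) echo "$_l" ;;
        *)   echo "127.0.0.1:$_l" ;;
    esac
}

# Print the active (uncommented) entries below [ProxyList] as "type host port".
# Commented lines such as "#socks4 127.0.0.1 9050" or "#cntlm" are skipped.
proxychains_proxies() {  # $1 = path to proxychains.conf
    awk '/^\[ProxyList\]/ { inlist = 1; next }
         inlist && $1 ~ /^(http|socks4|socks5)$/ { print $1, $2, $3 }' "$1"
}

# Exit 0 when some active proxychains entry matches CNTLM's listen address, else 1.
check_chain() {  # $1 = cntlm.conf, $2 = proxychains.conf
    _want=$(cntlm_listen "$1")
    proxychains_proxies "$2" | awk -v want="$_want" '
        ($2 ":" $3) == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample configs (not real files) so the check can be tried offline.
write_samples() {  # $1 = directory to write into
    printf 'Username\ttestuser\nDomain\tEXAMPLE\nProxy\tproxy.example:8080\nListen\t127.0.0.1:3128\n' > "$1/cntlm.conf"
    printf 'strict_chain\nproxy_dns\n[ProxyList]\n#socks4 127.0.0.1 9050\n#cntlm\nhttp 127.0.0.1 3128\n' > "$1/proxychains.conf"
    printf 'strict_chain\nproxy_dns\n[ProxyList]\nhttp 127.0.0.1 8080\n' > "$1/proxychains-wrong.conf"
}

# Usage against the real files: check_chain /etc/cntlm.conf /etc/proxychains.conf
```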
Usage examples[edit]
Resolve DNS (forcing DNS over TCP is required)[edit]
export PROXYRESOLV_DNS=10.0.232.30
Dig forcing DNS with proxychains[edit]
proxychains dig www.google.es @8.8.8.8 +tcp
Obtain IP address[edit]
proxychains dig www.google.es @8.8.8.8 +tcp | awk '/A.+[0-9]+\.[0-9]+\.[0-9]/{print $5;}'
nmap with default NSE[edit]
A connection-oriented scan mode (-sT) is required
proxychains nmap -Pn -sT -A -p80,443 8.8.8.8
SSL/TLS layer study[edit]
- Download sslyze
- Download testssl.sh
proxychains ./testssl.sh 74.172.181.196
proxychains sslyze --regular 74.172.181.196