1080 - Socks

💡 Study tip: This document covers penetration-testing methods for 1080 - SOCKS and is intended as a reference for information-security beginners and practitioners.

⚠️ Legal notice: This document is for learning and authorized testing only. Unauthorized testing of systems may violate laws and regulations.


1080 - Pentesting Socks

Basic Information

SOCKS is a protocol used for transferring data between a client and server through a proxy. The fifth version, SOCKS5, adds an optional authentication feature, allowing only authorized users to access the server. It primarily handles the proxying of TCP connections and the forwarding of UDP packets (via the UDP ASSOCIATE command), operating at the session layer (Layer 5) of the OSI model. When tooling supports the socks5h scheme, DNS resolution is forced through the proxy, preventing local DNS leaks and making it harder to fingerprint the originating host.

Default port: 1080

Enumeration

Authentication Check

nmap -p 1080 <ip> --script socks-auth-info

Brute force

Basic usage

nmap --script socks-brute -p 1080 <ip>

Advanced usage

nmap --script socks-brute --script-args userdb=users.txt,passdb=rockyou.txt,unpwdb.timelimit=30m -p 1080 <ip>

Output

PORT     STATE SERVICE
1080/tcp open  socks
| socks-brute:
|   Accounts
|     patrik:12345 - Valid credentials
|   Statistics
|_    Performed 1921 guesses in 6 seconds, average tps: 320

Hydra module

hydra -L users.txt -P passwords.txt -s 1080 -t 16 -V <ip> socks5

Method & open-proxy enumeration

nmap -sV --script socks-methods,socks-open-proxy -p 1080 <ip>

socks-methods forces the server to list supported authentication types, while socks-open-proxy attempts an outbound CONNECT to confirm whether the service can be abused as a relay.

Raw handshake check

printf '\x05\x01\x00' | nc -nv <ip> 1080

The server answers with exactly two bytes, the version followed by the method it selected: \x05\x00 means SOCKS5 with “no authentication” chosen (the proxy will relay without credentials), \x05\x02 means username/password is required, and \x05\xff means none of the offered methods was accepted. Because the reply is fixed-size, it is useful for quickly fingerprinting exposed devices in scripts (note that the \x escapes in printf are a bash builtin feature; a strictly POSIX printf only guarantees octal escapes such as \005\001\000).
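The method negotiation described above, as an added example that is not part of the original page: a small Python client that sends the SOCKS5 greeting and classifies the two-byte reply, paired with a constructed stand-in server so the exchange can be exercised offline over a socketpair. The server helper, the `probe_offline`/`probe_remote` names and the verdict strings are assumptions of this example, not part of any real proxy or tool; only `probe_remote` touches a network, and it sends nothing beyond the greeting.

```python
"""Minimal SOCKS5 method negotiation (RFC 1928 section 3), used to fingerprint
what authentication a proxy demands. Added example; the server side is a
constructed stand-in so the probe can be run offline over a socketpair."""
import socket
import threading

# Method identifiers from RFC 1928 / RFC 1929.
NO_AUTH = 0x00
GSSAPI = 0x01
USERPASS = 0x02
NO_ACCEPTABLE = 0xFF

# Constructed verdict strings for reporting (assumption of this example).
VERDICTS = {
    NO_AUTH: "open proxy: relays without credentials",
    GSSAPI: "GSSAPI required",
    USERPASS: "username/password required",
    NO_ACCEPTABLE: "none of the offered methods accepted",
}


def build_greeting(methods):
    """Client greeting: VER=0x05, NMETHODS, then one byte per offered method."""
    if not 1 <= len(methods) <= 255:
        raise ValueError("between 1 and 255 methods allowed")
    return bytes([0x05, len(methods)]) + bytes(methods)


def recv_exact(sock, n):
    """Read exactly n bytes or raise; SOCKS replies are fixed-size."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return buf


def parse_method_reply(data):
    """Server method selection is exactly two bytes: VER, METHOD."""
    if len(data) != 2:
        raise ValueError("method reply must be 2 bytes, got %r" % data)
    ver, method = data[0], data[1]
    if ver != 0x05:
        raise ValueError("not a SOCKS5 reply (version byte %#04x)" % ver)
    return method


def fingerprint(sock, methods=(NO_AUTH, USERPASS)):
    """Send the greeting and return (method, verdict). Offering both NO_AUTH and
    USERPASS reveals whether the proxy will settle for no credentials at all."""
    sock.sendall(build_greeting(methods))
    method = parse_method_reply(recv_exact(sock, 2))
    return method, VERDICTS.get(method, "unknown method %#04x" % method)


def fake_socks5_server(sock, supported):
    """Constructed stand-in for a proxy: picks the first client-offered method it
    supports, otherwise answers 0xFF, as RFC 1928 prescribes."""
    ver, nmethods = recv_exact(sock, 2)
    offered = recv_exact(sock, nmethods)
    chosen = next((m for m in offered if m in supported), NO_ACCEPTABLE)
    if ver == 0x05:
        sock.sendall(bytes([0x05, chosen]))
    sock.close()  # a non-SOCKS5 greeting is simply dropped


def probe_offline(supported, methods=(NO_AUTH, USERPASS)):
    """Run fingerprint() against fake_socks5_server() over a socketpair."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=fake_socks5_server, args=(server, supported))
    worker.start()
    try:
        return fingerprint(client, methods)
    finally:
        client.close()
        worker.join()


def probe_remote(host, port=1080, timeout=5.0):
    """Fingerprint a live proxy; only the greeting is sent, no CONNECT follows."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return fingerprint(sock)


if __name__ == "__main__":
    for supported in ((NO_AUTH, USERPASS), (USERPASS,), (GSSAPI,)):
        print(supported, "->", probe_offline(supported))
```

A proxy that answers \x05\x00 to a greeting offering both methods is the case worth alerting on from a defender's side: it will relay for anyone who can reach port 1080, which is exactly what socks-open-proxy goes on to confirm with a CONNECT.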

Quick egress validation

curl --socks5-hostname <ip>:1080 https://ifconfig.me
curl --socks5-hostname user:pass@<ip>:1080 http://internal.target

Use --socks5-hostname (or socks5h:// URLs) so DNS resolution happens remotely. Pair it with proxychains4 -q nmap -sT -Pn --top-ports 200 <internal-host> to verify whether the proxy truly provides internal reach.

Internet-wide discovery / fingerprinting

Feed results back into NSE, zgrab2, or custom python scripts to prioritize promising hosts (e.g., banner strings like 3proxy, Dante, MikroTik).

Tunneling and Port Forwarding

For info about tunneling and port forwarding check the page: Tunneling and Port Forwarding


Search engine syntax

FOFA

# FOFA search syntax
port="1080"

Shodan

# Shodan search syntax
port:1080

ZoomEye

# ZoomEye search syntax
port:1080

📖 References