---
title: "1080 - Socks"
weight: 1080
date: "2026-03-10T10:03:28+08:00"
lastmod: "2026-03-10T13:26:55+08:00"
---

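💡 **Study tip**: This document covers penetration-testing methods for **1080 - SOCKS** and is intended as a reference for information-security beginners and practitioners.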

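⚠️ **Legal notice**: This document is for learning and authorized testing only. Testing systems without authorization may violate laws and regulations.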

---

## 1080 - Pentesting SOCKS

### Basic Information

**SOCKS** is a protocol used for transferring data between a client and server through a proxy. The fifth version, **SOCKS5**, adds an optional authentication feature, allowing only authorized users to access the server. It primarily handles the proxying of TCP connections and the forwarding of UDP packets (via the `UDP ASSOCIATE` command), operating at the session layer (Layer 5) of the OSI model. When tooling supports the `socks5h` scheme, DNS resolution is forced through the proxy, preventing local DNS leaks and making it harder to fingerprint the originating host.

**Default port:** 1080

### Information Gathering

#### Authentication Check

```bash
nmap -p 1080 <ip> --script socks-auth-info
```

#### Brute Force

#### Basic usage

```bash
nmap --script socks-brute -p 1080 <ip>
```

#### Advanced usage

```bash
nmap --script socks-brute --script-args userdb=users.txt,passdb=rockyou.txt,unpwdb.timelimit=30m -p 1080 <ip>
```

#### Output

```
PORT     STATE SERVICE
1080/tcp open  socks
| socks-brute:
|   Accounts
|     patrik:12345 - Valid credentials
|   Statistics
|_    Performed 1921 guesses in 6 seconds, average tps: 320
```

#### Hydra module

```bash
hydra -L users.txt -P passwords.txt -s 1080 -t 16 -V <ip> socks5
```

#### Method & open-proxy enumeration

```bash
nmap -sV --script socks-methods,socks-open-proxy -p 1080 <ip>
```

`socks-methods` forces the server to list supported authentication types, while `socks-open-proxy` attempts an outbound CONNECT to confirm whether the service can be abused as a relay.

#### Raw handshake check

```bash
printf '\x05\x01\x00' | nc -nv <ip> 1080
```

A `\x05 01 00` response indicates SOCKS5 offering "no authentication". Any `\x00` followed by `\x02` means username/password is required, which is useful for quickly fingerprinting exposed devices in scripts.
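Per RFC 1928, the server's method-selection reply is two bytes: the version (`0x05`) followed by the single method it selected. The following added example (not part of the original page) decodes that reply and turns it into an audit verdict for a proxy you operate; the function names and the sample replies are constructed for illustration.

```python
"""Decode a SOCKS5 method-selection reply (RFC 1928, section 3)."""
import socket

METHODS = {0x00: "no authentication", 0x01: "GSSAPI",
           0x02: "username/password", 0xFF: "no acceptable methods"}

def build_greeting(methods=(0x00, 0x02)):
    """Client greeting: VER=5, NMETHODS, then one byte per offered method."""
    if not 1 <= len(methods) <= 255:
        raise ValueError("offer between 1 and 255 methods")
    return bytes([0x05, len(methods), *methods])

def parse_method_reply(data):
    """Return (method_code, description) from the server's 2-byte reply."""
    if len(data) < 2:
        raise ValueError("short reply: expected 2 bytes (VER, METHOD)")
    ver, method = data[0], data[1]
    if ver != 0x05:
        raise ValueError(f"not SOCKS5: version byte 0x{ver:02x}")
    if method in METHODS:
        return method, METHODS[method]
    kind = "IANA-assigned" if method <= 0x7F else "private"
    return method, f"{kind} method 0x{method:02x}"

def audit_finding(data):
    """Map a reply to an audit verdict for a proxy you operate."""
    try:
        method, name = parse_method_reply(data)
    except ValueError as exc:
        return f"INVALID: {exc}"
    if method == 0x00:
        return "FAIL: proxy accepts unauthenticated clients"
    if method == 0xFF:
        return "OK: proxy rejected every offered method"
    return f"OK: proxy requires {name}"

def probe(host, port=1080, timeout=5.0):
    """Send the greeting to a proxy you operate and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_greeting())
        return audit_finding(s.recv(2))

if __name__ == "__main__":
    # Constructed sample replies, not captured traffic.
    for sample in (b"\x05\x00", b"\x05\x02", b"\x05\xff", b"HTTP/1.1 400"):
        print(sample, "->", audit_finding(sample))
```

`build_greeting((0x00,))` produces the same three bytes as the `printf` command above; the default greeting also offers username/password so the server's preference is visible.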

#### Quick egress validation

```bash
curl --socks5-hostname <ip>:1080 https://ifconfig.me
curl --socks5-hostname user:pass@<ip>:1080 http://internal.target
```

Use `--socks5-hostname` (or `socks5h://` URLs) so DNS resolution happens remotely. Pair it with `proxychains4 -q nmap -sT -Pn --top-ports 200 <internal-host>` to verify whether the proxy truly provides internal reach.

#### Internet-wide discovery / fingerprinting

```bash
```

Feed results back into NSE, `zgrab2`, or custom Python scripts to prioritize promising hosts (e.g., banner strings like `3proxy`, `Dante`, `MikroTik`).

### Tunneling and Port Forwarding

For information about tunneling and port forwarding, check the page: [Tunneling and Port Forwarding](../generic-hacking/tunneling-and-port-forwarding.md)

---


### Search Engine Syntax

#### FOFA

```bash
# FOFA search syntax
port="1080"
```

#### Shodan

```bash
# Shodan search syntax
port:1080
```

#### ZoomEye

```bash
# ZoomEye search syntax
port:1080
```

---

## 📖 References

- [HackTricks - 1080-socks](https://book.hacktricks.wiki/en/network-services-pentesting/1080-socks.html)

