1080 - Pentesting Socks
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
SOCKS is a protocol used for transferring data between a client and server through a proxy. The fifth version, SOCKS5, adds an optional authentication feature, allowing only authorized users to access the server. It primarily handles the proxying of TCP connections and the forwarding of UDP packets (via the UDP ASSOCIATE command), operating at the session layer (Layer 5) of the OSI model. When tooling supports the socks5h scheme, DNS resolution is forced through the proxy, preventing local DNS leaks and making it harder to fingerprint the originating host.
Default Port: 1080
Enumeration
Authentication Check
nmap -p 1080 <ip> --script socks-auth-info
Brute Force
Basic usage
nmap --script socks-brute -p 1080 <ip>
Advanced usage
nmap --script socks-brute --script-args userdb=users.txt,passdb=rockyou.txt,unpwdb.timelimit=30m -p 1080 <ip>
Output
PORT STATE SERVICE
1080/tcp open socks
| socks-brute:
| Accounts
| patrik:12345 - Valid credentials
| Statistics
|_ Performed 1921 guesses in 6 seconds, average tps: 320
Hydra module
hydra -L users.txt -P passwords.txt -s 1080 -t 16 -V <ip> socks5
Method & open-proxy enumeration
nmap -sV --script socks-methods,socks-open-proxy -p 1080 <ip>
socks-methods forces the server to list supported authentication types, while socks-open-proxy attempts an outbound CONNECT to confirm whether the service can be abused as a relay.
Raw handshake check
printf '\x05\x01\x00' | nc -nv <ip> 1080
Sending \x05\x01\x00 offers SOCKS5 with a single method, “no authentication” (\x00). A two-byte \x05\x00 reply means the server accepted it; a reply whose second byte is \x02 means username/password authentication is required (a conforming server only selects \x02 if the client listed it among the offered methods). This is useful for quickly fingerprinting exposed devices in scripts.
Quick egress validation
curl --socks5-hostname <ip>:1080 https://ifconfig.me
curl --socks5-hostname user:pass@<ip>:1080 http://internal.target
Use --socks5-hostname (or socks5h:// URLs) so DNS resolution happens remotely. Pair it with proxychains4 -q nmap -sT -Pn --top-ports 200 <internal-host> to verify whether the proxy truly provides internal reach.
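The raw handshake check and the egress validation above both rely on the SOCKS5 wire format from RFC 1928. The following is an added example (not code from the HackTricks page) that builds and parses those messages so a script can record what an exposed listener requires and how it answers a CONNECT, instead of eyeballing nc output. The method-select reply is VER|METHOD, and a CONNECT sent with ATYP 0x03 carries the hostname so the proxy resolves it, which is what --socks5-hostname and socks5h:// do. The host name internal.target and the probe helper are illustrative assumptions; the constructed replies in the test stand in for a real server.

```python
"""SOCKS5 (RFC 1928) message builders/parsers for fingerprinting an exposed proxy.
Added example, not part of the original page. Uses only the standard library."""
import socket
import struct

SOCKS_VERSION = 0x05

# Authentication methods a server may select (RFC 1928, section 3).
METHOD_NAMES = {
    0x00: "no authentication",
    0x01: "GSSAPI",
    0x02: "username/password",
    0xFF: "no acceptable methods",
}

# Reply codes in the CONNECT response (RFC 1928, section 6).
REPLY_NAMES = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def build_method_offer(methods=(0x00,)):
    """VER | NMETHODS | METHODS... ; the default is the page's b'\\x05\\x01\\x00'."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def parse_method_select(reply):
    """VER | METHOD two-byte reply -> human-readable selected method."""
    if len(reply) != 2 or reply[0] != SOCKS_VERSION:
        raise ValueError(f"not a SOCKS5 method-select reply: {reply!r}")
    return METHOD_NAMES.get(reply[1], f"unknown method 0x{reply[1]:02x}")


def build_connect_domain(host, port):
    """CONNECT with ATYP=0x03 (domain name): the proxy resolves the name,
    so no local DNS query leaks (the socks5h:// behaviour)."""
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("domain name too long for SOCKS5 (max 255 bytes)")
    return bytes([SOCKS_VERSION, 0x01, 0x00, 0x03, len(name)]) + name + struct.pack("!H", port)


def parse_connect_reply(reply):
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT -> (code, name, bound_addr, bound_port)."""
    if len(reply) < 4 or reply[0] != SOCKS_VERSION:
        raise ValueError(f"not a SOCKS5 reply: {reply!r}")
    code, atyp = reply[1], reply[3]
    if atyp == 0x01:  # IPv4 bound address
        addr, rest = socket.inet_ntop(socket.AF_INET, reply[4:8]), reply[8:]
    elif atyp == 0x03:  # domain name bound address
        n = reply[4]
        addr, rest = reply[5:5 + n].decode("idna"), reply[5 + n:]
    elif atyp == 0x04:  # IPv6 bound address
        addr, rest = socket.inet_ntop(socket.AF_INET6, reply[4:20]), reply[20:]
    else:
        raise ValueError(f"unknown ATYP 0x{atyp:02x}")
    port = struct.unpack("!H", rest[:2])[0] if len(rest) >= 2 else None
    return code, REPLY_NAMES.get(code, f"unknown reply 0x{code:02x}"), addr, port


def recv_exact(sock, n):
    """Read exactly n bytes or raise; SOCKS replies are fixed-size prefixes."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during SOCKS5 exchange")
        buf += chunk
    return buf


def negotiate_auth(sock, methods=(0x00,)):
    """Send the method offer on an open socket and return the server's choice.
    Offer (0x00, 0x02) to learn whether the server would accept username/password."""
    sock.sendall(build_method_offer(methods))
    return parse_method_select(recv_exact(sock, 2))


def probe(host, port=1080, timeout=5.0):
    """Hypothetical helper: connect to host:port and report the selected auth method."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return negotiate_auth(s, methods=(0x00, 0x02))
```

Offering both 0x00 and 0x02 in negotiate_auth is what lets the \x02 answer appear at all; with the page's three-byte offer a conforming server can only answer \x00 or \xff. A \x02 reply on a CONNECT ("connection not allowed by ruleset") is the expected answer from a proxy whose ACL blocks relaying, whereas \x00 confirms the open-relay condition that socks-open-proxy reports.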
Internet-wide discovery / fingerprinting
masscan 0.0.0.0/0 -p1080 --banners --rate 100000 -oX socks.xml
Feed results back into NSE, zgrab2, or custom Python scripts to prioritize promising hosts (e.g., banner strings like 3proxy, Dante, MikroTik).
Tunneling and Port Forwarding
For info about tunneling and port forwarding check the page: Tunneling and Port Forwarding