diff --git a/src/SUMMARY.md b/src/SUMMARY.md index fdf253b1bef..9ac5c0d0b19 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -375,6 +375,7 @@ - [Objection Tutorial](mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md) - [Google CTF 2018 - Shall We Play a Game?](mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md) - [In Memory Jni Shellcode Execution](mobile-pentesting/android-app-pentesting/in-memory-jni-shellcode-execution.md) + - [Inputmethodservice Ime Abuse](mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md) - [Insecure In App Update Rce](mobile-pentesting/android-app-pentesting/insecure-in-app-update-rce.md) - [Install Burp Certificate](mobile-pentesting/android-app-pentesting/install-burp-certificate.md) - [Intent Injection](mobile-pentesting/android-app-pentesting/intent-injection.md) diff --git a/src/mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md b/src/mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md index 878d498c40e..8251e907770 100644 --- a/src/mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md +++ b/src/mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md @@ -81,3 +81,4 @@ adb shell ime help - **User/MDM**: allowlist trusted keyboards; block unknown IMEs in managed profiles/devices. - **App-side (high risk apps)**: prefer phishing-resistant auth (passkeys/biometrics) and avoid relying on “secret text entry” as a security boundary (a malicious IME sits below the app UI). +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/1080-pentesting-socks.md b/src/network-services-pentesting/1080-pentesting-socks.md index d7ec28ee51e..2d75caa1398 100644 --- a/src/network-services-pentesting/1080-pentesting-socks.md +++ b/src/network-services-pentesting/1080-pentesting-socks.md 
@@ -4,7 +4,7 @@ ## Basic Information -**SOCKS** is a protocol used for transferring data between a client and server through a proxy. The fifth version, **SOCKS5**, adds an optional authentication feature, allowing only authorized users to access the server. It primarily handles the proxying of TCP connections and the forwarding of UDP packets, operating at the session layer (Layer 5) of the OSI model. +**SOCKS** is a protocol used for transferring data between a client and server through a proxy. The fifth version, **SOCKS5**, adds an optional authentication feature, allowing only authorized users to access the server. It primarily handles the proxying of TCP connections and the forwarding of UDP packets (via the `UDP ASSOCIATE` command), operating at the session layer (Layer 5) of the OSI model. When tooling supports the `socks5h` scheme, DNS resolution is forced through the proxy, preventing local DNS leaks and making it harder to fingerprint the originating host. **Default Port:** 1080 
@@ -42,31 +42,52 @@ PORT STATE SERVICE |_ Performed 1921 guesses in 6 seconds, average tps: 320 ``` -## Tunneling and Port Forwarding +#### Hydra module -### Basic proxychains usage +```bash +hydra -L users.txt -P passwords.txt -s 1080 -t 16 -V socks5 +``` -Setup proxy chains to use socks proxy +### Method & open-proxy enumeration -``` -nano /etc/proxychains4.conf +```bash +nmap -sV --script socks-methods,socks-open-proxy -p 1080 ``` -Edit the bottom and add your proxy +`socks-methods` forces the server to list supported authentication types, while `socks-open-proxy` attempts an outbound CONNECT to confirm whether the service can be abused as a relay. -``` -socks5 10.10.10.10 1080 +#### Raw handshake check + +```bash +printf '\x05\x01\x00' | nc -nv 1080 ``` -With auth +A `\x05 01 00` response indicates SOCKS5 offering "no authentication". Any `\x00` followed by `\x02` means username/password is required, which is useful for quickly fingerprinting exposed devices in scripts. +### Quick egress validation + +```bash +curl --socks5-hostname :1080 https://ifconfig.me +curl --socks5-hostname user:pass@:1080 http://internal.target ``` -socks5 10.10.10.10 1080 username password + +Use `--socks5-hostname` (or `socks5h://` URLs) so DNS resolution happens remotely. Pair it with `proxychains4 -q nmap -sT -Pn --top-ports 200 ` to verify whether the proxy truly provides internal reach. + +### Internet-wide discovery / fingerprinting + +```bash +masscan 0.0.0.0/0 -p1080 --banners --rate 100000 -oX socks.xml ``` -#### More info: [Tunneling and Port Forwarding](../generic-hacking/tunneling-and-port-forwarding.md) +Feed results back into NSE, `zgrab2`, or custom python scripts to prioritize promising hosts (e.g., banner strings like `3proxy`, `Dante`, `MikroTik`). 
-{{#include ../banners/hacktricks-training.md}} +## Tunneling and Port Forwarding + +For info about tunneling and post forwarding check the page: [Tunneling and Port Forwarding](../generic-hacking/tunneling-and-port-forwarding.md) +## References +- [Use a SOCKS5 Proxy to Access the Kubernetes API (Kubernetes Docs, 2024)](https://kubernetes.io/docs/tasks/extend-kubernetes/socks5-proxy-access-api) + +{{#include ../banners/hacktricks-training.md}}
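Review bot: in the `src/SUMMARY.md` hunk the new entry title `Inputmethodservice Ime Abuse` lowercases both an acronym and the Android class name; the sidebar reads more cleanly as `- [InputMethodService IME Abuse](mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md)`, keeping the same slug and the same alphabetical position between the JNI shellcode and in-app-update entries.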
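Review bot: in the `inputmethodservice-ime-abuse.md` hunk the `{{#include ../../banners/hacktricks-training.md}}` line is appended directly under the last `- **App-side (high risk apps)**` bullet with no blank line, so a Markdown renderer can treat the include as a lazy continuation of that list item; insert an empty line before it, as this same patch does for the banner at the end of `1080-pentesting-socks.md`.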
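Review bot: in the `## Basic Information` hunk the added sentence presents `socks5h` as if it were a feature of the SOCKS5 protocol, but it is a client-side URL scheme convention (curl and the Python SOCKS libraries understand it; proxychains gets the same effect from its `proxy_dns` option) that makes the tool send the hostname in the request so the proxy resolves it; wording it as a tooling convention would also tie it to the `--socks5-hostname` section added later in the patch. The `UDP ASSOCIATE` addition is accurate.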
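Review bot: in the `#### Raw handshake check` paragraph of the `@@ -42,31 +42,52 @@` hunk the interpretation of the reply is wrong: after a client greeting of `\x05\x01\x00` the server answers with exactly two bytes, `\x05\x00` for no authentication, `\x05\x02` for username/password, or `\x05\xff` when none of the offered methods is acceptable; there is no `\x05 01 00` reply, and because the greeting offers only method `\x00`, a server that requires credentials returns `\x05\xff`, never `\x02`. To fingerprint the authentication requirement the greeting must offer both methods, e.g. `printf '\x05\x02\x00\x02' | nc -nv <ip> 1080 | xxd`, and the text should describe the second byte of the two-byte reply. Further points in the same hunk: every command (`hydra`, `nmap`, `nc`, both `curl` lines and the `proxychains4 -q nmap` example) is missing its target host, so the `<ip>` placeholders should be restored; `### Quick egress validation` needs a blank line before it to separate it from the preceding paragraph; the proxychains configuration example (`socks5 10.10.10.10 1080 username password`) is removed without a replacement, so confirm the linked tunneling page covers the authenticated form; the new `## Tunneling and Port Forwarding` paragraph says "post forwarding" instead of "port forwarding"; and the `## References` entry for the Kubernetes SOCKS5 docs is not cited anywhere in the added text, so either reference it from the egress-validation section it relates to or drop it.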