Using Proxychains with Tor on Kali Linux 2016

The simplified and quick explanation would be that proxychains is a nifty little tool that allows you to pipe TCP connections through a proxy, or a chain of multiple proxies, effectively masquerading your public IP address. I’m not going to dig into the more technical details here, but if you’re interested you can find more information on the project homepage or Github page.

Since you've found this blog post, I assume you have at least some idea of what Tor is. For those who are interested in a more detailed explanation, see the project homepage. In case you are not that familiar with it, let's just say that Tor (if used correctly) is a project that aims to help people anonymize their TCP traffic. For our needs, it provides the relays that we can use with proxychains.

Privoxy is a non-caching web proxy with advanced filtering capabilities for enhancing privacy, modifying web page data and HTTP headers, controlling access, and removing ads and other obnoxious Internet junk. Privoxy has a flexible configuration and can be customized to suit individual needs and tastes. It has application for both stand-alone systems and multi-user networks.

Let's update the repositories and install the packages

apt-get update && apt-get install tor tor-geoipdb privoxy proxychains -y

Now let's change the tor configuration

vim /etc/tor/torrc
[...]
SOCKSPort 9050 # Default: Bind to localhost:9050 for local connections.
[...]
## Logs go to stdout at level "notice" unless redirected by something
## else, like one of the below lines. You can have as many Log lines as
## you want.
##
## We advise using "notice" in most cases, since anything more verbose
## may provide sensitive information to an attacker who obtains the logs.
##
## Send all messages of level 'notice' or higher to /var/log/tor/notices.log
Log notice file /var/log/tor/notices.log
## Send every possible message to /var/log/tor/debug.log
Log debug file /var/log/tor/debug.log
## Use the system log instead of Tor's logfiles
Log notice syslog
## To send all messages to stderr:
#Log debug stderr

Now we need to configure proxychains to use Tor, and change the way proxychains handles each connection.

vim /etc/proxychains.conf
[...]
# The option below identifies how the ProxyList is treated.
# only one option should be uncommented at time,
# otherwise the last appearing option will be accepted
#
dynamic_chain
#
# Dynamic - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# at least one proxy must be online to play in chain
# (dead proxies are skipped)
# otherwise EINTR is returned to the app
#
#strict_chain
[...]
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
#socks4         127.0.0.1 9050
socks5 127.0.0.1 9050 .

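Now we need to configure Privoxy to listen on every IP address available on this host. You can keep the default, which is localhost, but sometimes we need to use Tor from another host, so let's configure it. With listen-address set to 0.0.0.0, any host that can reach port 8118 can use this proxy, so restrict access with a firewall rule or Privoxy's permit-access directive.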

vim /etc/privoxy/config
[...]
#      Suppose you are running Privoxy on an IPv6-capable machine and
#      you want it to listen on the IPv6 address of the loopback
#      device:
#
#        listen-address [::1]:8118
#
listen-address  0.0.0.0:8118
#listen-address  127.0.0.1:8118
#listen-address  [::1]:8118
[...]
#      To chain Privoxy and Tor, both running on the same system, you
#      would use something like:
#
        forward-socks5t   /               127.0.0.1:9050 .

Now we need to enable tor and privoxy at boot time
systemctl enable tor
systemctl enable privoxy

Now we need to restart the services

systemctl restart tor
systemctl restart privoxy

Now let's check if everything is working

netstat -natup | egrep "(tor|privo)"
tcp        0      0 0.0.0.0:8118            0.0.0.0:*               LISTEN      4625/privoxy
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      4616/tor

Now configure the browser to use the proxy: set the IP address to 127.0.0.1 and the port to 8118, check "use this proxy server for all protocols" and select OK.

Now we can access http://check.torproject.org and check if everything is working. Today, 11/15/2015, when you check the configuration the message will be: Congratulations. This browser is configured to use Tor.

Now we can use proxychains to access services such as ssh, as below.

proxychains ssh douglas@200.200.200.10 -p 2221
ProxyChains-3.1 (http://proxychains.sf.net)
|D-chain|-<>-127.0.0.1:9050-<><>-200.200.200.10:2221-<><>-OK
The authenticity of host '[200.200.200.10]:2221 ([200.200.200.10]:2221)' can't be established.
ECDSA key fingerprint is SHA256:7/lTNalX5BKbwFN1+lY7fdiZeNupWMKnqFyTfx7kGwc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[200.200.200.10]:2221' (ECDSA) to the list of known hosts.
douglas@servidor.com.br's password:

We can use torify to do the same

torify ssh douglas@200.200.200.10 -p 2221
douglas@servidor.com.br's password:

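Let's test proxychains with nmap. Keep in mind that proxychains only intercepts TCP connections that a program opens through the normal connect() call. A SYN scan (-sS) sends raw packets instead, so those probes do not pass through the chain, and the output below accordingly shows no chain lines.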

proxychains nmap -sS 200.236.31.3 -T4
ProxyChains-3.1 (http://proxychains.sf.net)

Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-15 11:16 BRST
Nmap scan report for debian.c3sl.ufpr.br (200.236.31.3)
Host is up (0.014s latency).
Not shown: 994 closed ports
PORT    STATE    SERVICE
21/tcp  open     ftp
22/tcp  open     ssh
25/tcp  filtered smtp
53/tcp  open     domain
80/tcp  open     http
873/tcp open     rsync

Nmap done: 1 IP address (1 host up) scanned in 14.16 seconds

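We can use proxychains with Metasploit, but we need to comment out the proxy_dns line, otherwise Metasploit will not be able to connect to its database. Be aware that with proxy_dns disabled, hostnames are resolved by the local resolver rather than through the proxy chain.

sed -i 's/^proxy_dns/#proxy_dns/' /etc/proxychains.conf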
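
The following audit script is an added example, not part of the original post. It checks copies of the three files edited above for the settings that weaken this setup: Privoxy listening beyond loopback, proxy_dns disabled, and Tor debug logging. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Audit copies of the three files this post edits. Function names are hypothetical.

# Print the arguments of each active (uncommented) line for directive $2 in file $1.
active() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ +/, ""); print }' "$1"
}

# Privoxy: a listen-address outside loopback lets other hosts use the proxy.
check_privoxy() {
    active "$1" listen-address | while read -r addr; do
        case "$addr" in
            127.*|"[::1]"*|localhost*) ;;
            *) echo "EXPOSED $addr" ;;
        esac
    done
}

# proxychains: without an active proxy_dns line, names are resolved locally,
# outside the chain. The last uncommented *_chain line is the one that applies.
check_proxychains() {
    if grep -Eq '^[[:space:]]*proxy_dns' "$1"; then
        echo "DNS proxied"
    else
        echo "DNS LEAK: proxy_dns disabled"
    fi
    awk '$1 ~ /^(dynamic|strict|random)_chain$/ { m = $1 }
         END { print "chain mode: " m }' "$1"
}

# Tor: the torrc comments advise against anything more verbose than "notice".
check_tor() {
    active "$1" Log | grep '^debug ' | sed 's/^/VERBOSE LOG /'
}

# Constructed sample files that mirror the settings shown in this post.
d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT
printf '%s\n' 'listen-address  0.0.0.0:8118' '#listen-address  127.0.0.1:8118' \
    '        forward-socks5t   /               127.0.0.1:9050 .' > "$d/privoxy"
printf '%s\n' 'dynamic_chain' '#strict_chain' '#proxy_dns' '[ProxyList]' \
    'socks5 127.0.0.1 9050' > "$d/proxychains"
printf '%s\n' 'SOCKSPort 9050' 'Log notice file /var/log/tor/notices.log' \
    'Log debug file /var/log/tor/debug.log' > "$d/torrc"

check_privoxy "$d/privoxy"
check_proxychains "$d/proxychains"
check_tor "$d/torrc"
```

To audit a real host, call the three functions on /etc/privoxy/config, /etc/proxychains.conf and /etc/tor/torrc instead of the sample files.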

Now we can start the metasploit with proxychains.

proxychains msfconsole
ProxyChains-3.1 (http://proxychains.sf.net)


         .                                         .
 .

      dBBBBBBb  dBBBP dBBBBBBP dBBBBBb  .                       o
       '   dB'                     BBP
    dB'dB'dB' dBBP     dBP     dBP BB
   dB'dB'dB' dBP      dBP     dBP  BB
  dB'dB'dB' dBBBBP   dBP     dBBBBBBB

                                   dBBBBBP  dBBBBBb  dBP    dBBBBP dBP dBBBBBBP
          .                  .                  dB' dBP    dB'.BP
                             |       dBP    dBBBB' dBP    dB'.BP dBP    dBP
                           --o--    dBP    dBP    dBP    dB'.BP dBP    dBP
                             |     dBBBBP dBP    dBBBBP dBBBBP dBP    dBP

                                                                    .
                .
        o                  To boldly go where no
                            shell has gone before


Save 45% of your time on large engagements with Metasploit Pro
Learn more on http://rapid7.com/metasploit

       =[ metasploit v4.12.41-dev                         ]
+ -- --=[ 1597 exploits - 912 auxiliary - 274 post        ]
+ -- --=[ 458 payloads - 39 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf >

Be careful with these tools.
