8. Jump_Server_Quickstart

§1 — Overview

The SSH -D SOCKS proxy pattern is a fundamental technique for internal network pivoting. An attacker establishes an SSH tunnel with the -D 1080 flag to a compromised jump server, which creates a local SOCKS proxy on the attacker's machine. The jump server then forwards traffic to internal targets on the attacker's behalf. Tools like proxychains route traffic through 127.0.0.1:1080, letting the attacker interact with the internal network as if they were local to the jump server. For detailed SSH flags and proxychains configuration options, see 3. Authenticated_Pivot.md.
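The pattern above only works because the jump server's sshd permits TCP forwarding and, in this quickstart, root password logins. The following POSIX shell audit is an added example and not part of the quickstart: it reads the effective configuration printed by sshd -T (run as root on the jump host) and reports whether the host can serve as a -D pivot. The function name audit_forwarding and both sshd -T excerpts are constructed for illustration; the sshd keywords themselves (AllowTcpForwarding, DisableForwarding, PermitOpen, PermitRootLogin, PasswordAuthentication) are real.

```shell
#!/bin/sh
# Added example: audit the effective sshd settings that let a host act as
# an "ssh -D" SOCKS pivot. Input is `sshd -T` output on stdin (one
# lowercase "keyword value" per line). Prints findings; returns 0 when
# dynamic forwarding is refused, 1 when the host is pivot-capable.
audit_forwarding() {
    cfg=$(cat)
    # value of a keyword, empty if absent
    get() { printf '%s\n' "$cfg" | awk -v k="$1" '$1 == k { print $2; exit }'; }
    tcpfwd=$(get allowtcpforwarding)
    disfwd=$(get disableforwarding)
    popen=$(get permitopen)
    root=$(get permitrootlogin)
    pwauth=$(get passwordauthentication)
    blocked=0
    # -D opens direct-tcpip channels; any one of these settings refuses them
    case "$tcpfwd" in no|remote) blocked=1 ;; esac
    [ "$disfwd" = yes ] && blocked=1
    [ "$popen" = none ] && blocked=1
    if [ "$blocked" -eq 1 ]; then
        echo "OK: dynamic (-D) forwarding is refused by sshd"
    else
        echo "FINDING: allowtcpforwarding=${tcpfwd:-unset} disableforwarding=${disfwd:-unset} permitopen=${popen:-unset}: host can serve as a SOCKS pivot"
    fi
    # §3 authenticates as root with a password; both are findings on a jump host
    [ "$root" = yes ] && echo "FINDING: permitrootlogin=yes"
    [ "$pwauth" = yes ] && echo "FINDING: passwordauthentication=yes (sshpass-style logins work)"
    return $((1 - blocked))
}

# Constructed `sshd -T` excerpt (not real output) for a jump host in the
# state §3 assumes: root password login, forwarding permitted.
WEAK_SSHD_T='port 22
permitrootlogin yes
passwordauthentication yes
allowtcpforwarding yes
disableforwarding no
permitopen any'

# Constructed excerpt after setting, in sshd_config:
#   AllowTcpForwarding no
#   DisableForwarding yes
#   PermitRootLogin no
#   PasswordAuthentication no
HARDENED_SSHD_T='port 22
permitrootlogin no
passwordauthentication no
allowtcpforwarding no
disableforwarding yes
permitopen none'

# Demo on the constructed samples; on a real host: sshd -T | audit_forwarding
echo "--- weak ---"
printf '%s\n' "$WEAK_SSHD_T" | audit_forwarding || echo "(exit status 1: pivot-capable)"
echo "--- hardened ---"
printf '%s\n' "$HARDENED_SSHD_T" | audit_forwarding && echo "(exit status 0: forwarding refused)"
```

AllowTcpForwarding no is the single directive that breaks every workflow in §9 while leaving interactive shells intact; DisableForwarding yes additionally covers agent, X11 and StreamLocal forwarding. Because sshd -T prints the merged result of Match blocks for the invoking context, audit per-user settings with sshd -T -C user=NAME,addr=IP.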

§2 — Topology

flowchart LR
    A["Attacker\n172.30.0.10"] -->|"SSH -D 1080\n(SOCKS5 tunnel)"| B["Jump Server / Pivot\n172.30.0.50"]
    B -->|"TCP forwarded"| C["Internal Target\n172.30.0.100"]
    B -.->|"Optional\n(if routed)"| D["Other Internals\n172.30.1.x"]
    style A fill:#d4edda
    style B fill:#fff3cd
    style C fill:#f8d7da
    style D fill:#e2e3e5

§3 — SSH -D Quickstart

  1. Verify SSH access to jump server: ssh root@172.30.0.50
  2. Kill any existing tunnel on port 1080: pkill -f 'ssh.*-D 1080' 2>/dev/null || true
  3. Establish SSH -D tunnel (background, no shell): sshpass -p PASSWORD ssh -o StrictHostKeyChecking=no -D 1080 -fN root@172.30.0.50
  4. Wait 2 seconds for SOCKS to bind: sleep 2
  5. Verify tunnel: proxychains4 -q curl -sI http://172.30.0.100 --connect-timeout 5
  6. Run tools through proxychains (see §4)
  7. Teardown: pkill -f 'ssh.*-D 1080'
Note: proxychains uses the default config /etc/proxychains4.conf, which should already point to socks5 127.0.0.1 1080 (see §5 and §8 for the cases where the entry must be socks4 instead). Verify with: grep -A3 '\[ProxyList\]' /etc/proxychains4.conf

§4 — Naabu -proxy Quickstart

Naabu's native -proxy flag bypasses proxychains entirely, which is often more reliable than wrapping the tool with proxychains.

# Top 100 ports via SOCKS4 (nmap 7.80 compatible)
naabu -host 172.30.0.100 -p top-100 -proxy socks4://127.0.0.1:1080 -silent

# Single port check
naabu -host 172.30.0.100 -p 80,443,8080 -proxy socks4://127.0.0.1:1080 -silent

§5 — proxychains Mandatory Flags

| Flag | Purpose | Example |
|------|---------|---------|
| -q | Quiet mode — suppress proxychains banner (critical for clean output) | proxychains4 -q nmap ... |
| -f FILE | Use custom config file instead of /etc/proxychains4.conf | proxychains4 -f /tmp/myproxy.conf ... |
| socks4 IP PORT | Use SOCKS4 proxy (required for nmap 7.80 inside containers) | socks4 127.0.0.1 1080 in conf file |
| strict_chain | All proxies used in order — fails if any is down | In conf: strict_chain |
| proxy_dns | Route DNS through proxy (prevents DNS leaks) | In conf: proxy_dns |

For full flag reference, see 4. C2_SOCKS.md.

§6 — Tool Selection Decision Table

| Use Case | Recommended Tool | Notes |
|----------|------------------|-------|
| Quick port check (1-3 ports) | nc or curl | Lowest noise; no scanner overhead |
| Top-20 port scan through jump | proxychains4 nmap -sT -T2 | Reliable, slow |
| Top-100 port scan through jump | naabu -proxy socks4://... | Faster than nmap via proxychains |
| Service version detection | proxychains4 nmap -sT -sV -T2 | Noisy but complete |
| HTTP/S service check | proxychains4 curl -sI | Single request, very quiet |
| Bulk multi-host scan | Not recommended via tunnel | High detection risk |

§7 — OPSEC Risk Table

| Technique | Claimed Risk | Actual Packets | Verdict | Notes |
|-----------|--------------|----------------|---------|-------|
| proxychains + nmap top-20 (-sT -T3) | MEDIUM | 74 | QUIETER_THAN_CLAIMED | Packets observed on target NIC — SSH overhead invisible to sniffer |
| proxychains + nmap -sV top-20 | MEDIUM-HIGH | 227 | QUIETER_THAN_CLAIMED | Packets observed on target NIC — SSH overhead invisible to sniffer |
| naabu -proxy top-100 | MEDIUM | 0 | QUIETER_THAN_CLAIMED | Packets observed on target NIC — SSH overhead invisible to sniffer |
| proxychains + curl HTTP | LOW | 24 | LOUDER_THAN_CLAIMED | More packets than expected — tunnel overhead visible |
| nmap single port (-p 80) via tunnel | LOW | 2 | QUIETER_THAN_CLAIMED | Packets observed on target NIC — SSH overhead invisible to sniffer |
| nmap -T1 stealth via tunnel | LOW-MEDIUM | 137 | LOUDER_THAN_CLAIMED | More packets than expected — tunnel overhead visible |
| Direct nmap top-20 (no tunnel) | MEDIUM | 52 | QUIETER_THAN_CLAIMED | Packets observed on target NIC — SSH overhead invisible to sniffer |
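The packet counts in this table were taken on the target's NIC, where the SSH tunnel itself is invisible and every connection appears to come from the jump server. The shell function below is an added example, not part of the quickstart, showing what a host-side sensor at the target makes of that traffic: it reads tcpdump -nn output, counts distinct destination ports hit with SYN-only packets per source/destination pair, and reports pairs over a threshold. The function name scan_sources and the capture excerpt are constructed for illustration; the line layout assumed is tcpdump's default -nn format.

```shell
#!/bin/sh
# Added example: target-side view of the traffic counted in §7.
# Summarise SYN-only packets per (source, destination) pair from
# `tcpdump -nn` output on stdin and report pairs that touched at least
# $1 distinct destination ports (default 10). Output lines: "src dst n_ports".
scan_sources() {
    threshold=${1:-10}
    awk -v thr="$threshold" '
        # tcpdump -nn line: <time> IP <src>.<sport> > <dst>.<dport>: Flags [S], ...
        $2 == "IP" && $7 == "[S]," {
            split($3, s, "."); src = s[1] "." s[2] "." s[3] "." s[4]
            d5 = $5; sub(/:$/, "", d5)
            nd = split(d5, d, "."); dst = d[1] "." d[2] "." d[3] "." d[4]; dport = d[nd]
            key = src " " dst
            # count each destination port once per pair
            if (!((key, dport) in seen)) { seen[key, dport] = 1; ports[key]++ }
        }
        END { for (k in ports) if (ports[k] >= thr) print k, ports[k] }'
}

# Constructed tcpdump -nn excerpt (not a real capture): the pivot
# 172.30.0.50 opening 20 common TCP ports on the target, plus one
# legitimate SSH connection from a workstation and the target's SYN-ACK.
# The attacker's 172.30.0.10 never appears: the target NIC sees only the
# jump server, which is what "SSH overhead invisible to sniffer" means.
SAMPLE_CAPTURE=$(
    i=0
    for p in 21 22 23 25 53 80 110 111 135 139 143 443 445 993 995 1723 3306 3389 5900 8080; do
        i=$((i + 1))
        printf '10:00:01.%06d IP 172.30.0.50.%d > 172.30.0.100.%d: Flags [S], seq 1, win 64240, length 0\n' "$i" $((40000 + i)) "$p"
    done
    printf '10:00:02.000001 IP 172.30.0.7.51000 > 172.30.0.100.22: Flags [S], seq 1, win 64240, length 0\n'
    printf '10:00:02.000002 IP 172.30.0.100.22 > 172.30.0.7.51000: Flags [S.], seq 2, ack 2, win 65160, length 0\n'
)

# Demo on the constructed excerpt; prints: 172.30.0.50 172.30.0.100 20
printf '%s\n' "$SAMPLE_CAPTURE" | scan_sources 10
# Live use on the target (line-buffered, SYN-only filter):
#   tcpdump -nnl -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' | scan_sources 10
```

The reported source is the pivot's address, so an alert from this logic points the responder at the jump server, not the attacker; correlating it with the jump server's own sshd login and connection records is what recovers the tunnel. The legitimate single-port SSH client stays under the threshold, which is why the "quick port check (1-3 ports)" row in §6 is genuinely the hardest to distinguish from normal traffic.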

§8 — Common Pitfalls

  1. socks5:// in nmap fails silently — nmap 7.80 (default in Ubuntu containers) does not work through a socks5 proxychains entry. Use socks4 in /etc/proxychains4.conf or socks4:// with naabu's -proxy flag.
  2. Tunnel not ready — After ssh -D -fN, run sleep 2 before running tools. The SOCKS port takes ~1s to bind.
  3. Port 1080 already in use — If another process has 1080, SSH will silently fail. Check with ss -tlnp | grep 1080 and kill before re-establishing.
  4. proxychains banner noise — Always use -q flag (proxychains4 -q) to suppress banners that pollute output parsing.
  5. DNS leaks without proxy_dns — Without proxy_dns in proxychains config, DNS queries go direct (leak). Verify config includes proxy_dns.
  6. Pivot not on target subnet — Verify your jump server has a route to the target. ssh pivot "ip route" first.
  7. -fN flag order matters — Use ssh -D 1080 -fN (not -Nf). The -f sends to background AFTER authentication.
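The §3 note, the §5 table and pitfalls 1 and 5 all come down to three properties of proxychains4.conf: an explicit chain mode, proxy_dns, and a [ProxyList] entry of the type the tools need. The shell linter below is an added example, not part of the quickstart: it reads a proxychains4.conf on stdin and reports which of those properties are missing, taking the expected proxy type as its argument (socks4 by default, per §5 and §8). The function name check_proxychains_conf and both sample configs are constructed for illustration; the directive names and the "type host port" list format are those of proxychains4.

```shell
#!/bin/sh
# Added example: lint a proxychains4.conf (text on stdin) against the
# settings §5 and §8 treat as mandatory. $1 is the proxy type the tools
# in use need (default socks4, required for nmap 7.80 per §5).
# Prints findings; returns 0 when proxy_dns is set and [ProxyList] is
# non-empty, 1 otherwise.
check_proxychains_conf() {
    want_type=${1:-socks4}
    # drop comments and blank lines once
    body=$(sed 's/#.*//' | grep -v '^[[:space:]]*$' || true)
    rc=0
    mode=$(printf '%s\n' "$body" | awk '/^[[:space:]]*(strict_chain|dynamic_chain|random_chain|round_robin_chain)[[:space:]]*$/ { print $1; exit }')
    if [ -n "$mode" ]; then
        echo "chain mode: $mode"
    else
        echo "FINDING: no chain mode set (expected strict_chain)"
    fi
    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*proxy_dns'; then
        echo "OK: proxy_dns set, DNS is resolved through the proxy"
    else
        echo "FINDING: proxy_dns missing, DNS queries leave the host directly (DNS leak)"
        rc=1
    fi
    # lines after [ProxyList] are "type host port"
    entries=$(printf '%s\n' "$body" | awk '/^\[ProxyList\]/ { inlist = 1; next } inlist && NF >= 3 { print $1, $2, $3 }')
    if [ -z "$entries" ]; then
        echo "FINDING: [ProxyList] has no entries"
        rc=1
    fi
    printf '%s\n' "$entries" | while read -r ptype host port; do
        [ -n "$ptype" ] || continue
        if [ "$ptype" = "$want_type" ]; then
            echo "OK: proxy $ptype $host $port"
        else
            echo "WARN: proxy $ptype $host $port, but tools in use expect $want_type"
        fi
    done
    return $rc
}

# Constructed weak config (not a real file): no proxy_dns, socks5 entry,
# i.e. pitfall 1 and pitfall 5 at once.
WEAK_CONF='dynamic_chain
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 127.0.0.1 1080'

# Constructed config matching the §5 mandatory settings.
GOOD_CONF='strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks4 127.0.0.1 1080'

echo "--- weak ---"
printf '%s\n' "$WEAK_CONF" | check_proxychains_conf socks4 || echo "(exit status 1)"
echo "--- good ---"
printf '%s\n' "$GOOD_CONF" | check_proxychains_conf socks4
# Real file: check_proxychains_conf socks4 < /etc/proxychains4.conf
```

Running this before step 5 of §3 turns the "verify config" note into a pass/fail gate: a missing proxy_dns is the one misconfiguration that the curl check in step 5 will not reveal, because the HTTP request still succeeds while the name lookup (if any) went out directly.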

§9 — Quick Reference Card

# === WORKFLOW 1: SSH -D + proxychains nmap ===
# 1. Establish tunnel
sshpass -p PASSWORD ssh -o StrictHostKeyChecking=no -D 1080 -fN root@172.30.0.50
sleep 2
# 2. Verify
proxychains4 -q curl -sI http://172.30.0.100 --connect-timeout 5
# 3. Scan
proxychains4 -q nmap -sT -Pn -n --top-ports 20 -T2 172.30.0.100
# 4. Teardown
pkill -f 'ssh.*-D 1080'
# === WORKFLOW 2: naabu via SOCKS proxy ===
sshpass -p PASSWORD ssh -o StrictHostKeyChecking=no -D 1080 -fN root@172.30.0.50
sleep 2
naabu -host 172.30.0.100 -p top-100 -proxy socks4://127.0.0.1:1080 -silent
pkill -f 'ssh.*-D 1080'
# === WORKFLOW 3: quiet HTTP recon ===
sshpass -p PASSWORD ssh -o StrictHostKeyChecking=no -D 1080 -fN root@172.30.0.50
sleep 2
proxychains4 -q curl -sI http://172.30.0.100 --connect-timeout 5
proxychains4 -q curl -sI https://172.30.0.100 --connect-timeout 5 -k
pkill -f 'ssh.*-D 1080'