Anonymity with ProxyChains
Secret Chain
If you want to stay anonymous on the web, you don't need the Tor browser or a Tor-based distro like Tails. ProxyChains obscures your presence through proxies – with or without Tor on the back end.
A number of scenarios lead to a need for online anonymity. You might wish to remain anonymous while working as a journalist in a war-torn country, for example, or when acting as a whistleblower. Perhaps you are working as a security researcher? Or maybe you just want some privacy from commercial Internet businesses. This article shows how to disguise Internet traffic using a tool called ProxyChains [1]. I came across ProxyChains while taking part in some challenges at the TryHackMe site [2].
If there are multiple links in a chain of proxies, it is very hard to perform digital forensics on a visiting IP address. Using a number of proxies to route traffic through before the traffic makes it back to your computer is a highly effective way of remaining anonymous online. If you think about it for a moment, though, not all protocols work in this scenario. For instance, traffic routed in this way typically requires the TCP transfer protocol. DNS also poses some challenges. DNS lookups use UDP instead of TCP. A common weakness with VPNs is that they leak DNS lookups to systems outside of the VPN. The trail of DNS lookups makes it possible for external systems to harvest traffic and determine what sites a user has been visiting.
ProxyChains manages to cleverly resolve DNS through proxies. You can use ProxyChains with many popular TCP-based client applications – including network scanners, mail clients, and web browsers. The versatile ProxyChains is capable of supporting SOCKS4, SOCKS5, and HTTP proxy servers and can even mix different proxy types in the same chain.
You might be surprised that such a potentially controversial piece of software is readily available in the Ubuntu Linux package repositories. The current version available on GitHub is Proxychains-4.3.0, with the last pull request merged when a patch was added around a year ago. And, according to the README page in the repository, if you can't find it using your favorite Linux distribution's package manager, all is not lost. ProxyChains is widely supported on other platforms too and is "…available with pkgsrc to everyone using it on Linux, NetBSD, FreeBSD, OpenBSD, DragonFlyBSD or Mac OS X."
The Ubuntu package repositories that are visible for ProxyChains appear in Figure 1. I used the following command to display the package repositories list:
$ apt search proxychains
Although the GitHub version was Proxychains-4.3.0, Ubuntu is currently offering proxychains4/jammy 4.16-1
for Ubuntu 22.04.2 LTS. The Ubuntu version is a respectable release that is supported for easy installation, but if you want to push for the very latest features, use the GitHub version and refer to the README for the common make install
build instructions.
It should go without saying that the tools and information described in this article are purely for educational purposes and legal activities. If you work in the security field and defend systems against attacks, it can only help you in your defensive efforts to learn more about techniques used by attackers.
Routing with a Proxy List
The default behavior of ProxyChains is to route traffic through the Tor anonymity network. However, many users prefer to route directly through a predefined set of proxies on the conventional Internet. Defining the proxies directly has some benefits. For instance, you won't have to install the Tor service on your computer. Also, Tor can be problem as many online services detect and then actively deny traffic from the Tor network, as they are suspicious of a user's intent to route traffic through it.
The first step is to install the ProxyChains software and configure the .conf
file to use a list of proxies. I have a couple of lists of free proxies to refer to and will make use of those. To install the package as the root user, use the following command, only a minuscule 145KB of disk space will be used up as a result:
$ apt install proxychains4 -y
This command will install the libproxychains4 and proxychains4 packages. You'll need 42.1KB for the archives and an additional 145KB of additional disk space.
The location of the configuration file is /etc/proxychains4.conf
. In this case, I will use the dynamic chain mode, which is described in the config file comments as follows:
- Each connection will be done via chained proxies
- All proxies are chained in the order as they appear in the list
- At least one proxy must be online to play in the chain
- Dead proxies are skipped
I will uncomment the dynamic_chain
line by removing the first character and then add a hash or pound sign to the line starting strict_chain
in order to disable it. The comments explain that strict mode means that all proxies will be chained in exactly the order that they're listed and that all proxies must be online if you want to use the chain. You can also use the settings of the config file to affect the length of the chain, turn on quiet mode, enable a random chain, and change how ProxyChains handles DNS lookups.
ProxyChains offers some alternative approaches for how to perform anonymous DNS lookups. The proxy_dns
setting is described as the fastest and easiest method to use: A thread is spawned that serves DNS requests and hands down an IP address assigned from an internal list (via remote_dns_subnet
).
Look online for a really nice explanation of how DNS and ProxyChains work [3]. The post is about three years old, and the exact process might have evolved a little over time, but as you'll see in a moment, ProxyChains is able to cleverly use IP address ranges (such as the 224.x.x.x and 225.x.x.x ranges) in order to keep things private.
The proxy list section of the config file is shown in Listing 1. As you can see in Listing 1, the end of the file is where to add your list of proxies.
Listing 1
ProxyList Format
# ProxyList format # type ip port [user pass] # (values separated by 'tab' or 'blank') # # only numeric ipv4 addresses are valid # # # Examples: # # socks5 192.168.67.78 1080 lamer secret # http 192.168.89.3 8080 justu hidden # socks4 192.168.1.49 1080 # http 192.168.39.93 8080 # # # proxy types: http, socks4, socks5, raw # * raw: The traffic is simply forwarded to the proxy without modification. # ( auth types supported: "basic"-http "user/pass"-socks ) # [ProxyList] # add proxy here ...
To create a list of proxies that I can test with, I'll visit the ProxyScrape website [4]. You can also find several GitHub repositories that update frequently to automate your proxy list [5]. Another source for proxies is the Free Proxy List site [6].
Websites like ProxyScrape offer free proxies to get you started. If you scroll down a little on their website, you'll find different types of proxies, including HTTP, SOCKS4, and SOCKS5. There's also a table of the countries, IP addresses, network ports, and latency. SOCKS5 supports authentication and other protocols. (See the Security Intelligence website for more on SOCKS5 [7].)
If you click one of the links above the list of proxies, you'll see a choice of options (Figure 2). I'll choose Socks5 Proxies. You can see the proxy lists were updated a few seconds ago, which is reassuring.
Clicking on Socks5 Proxies reveals a long list of IP addresses and port numbers. I counted 271 proxies, which is both generous and impressive for a free service, even with the assumption that some of them will be offline when I try to use them.
As you can see in Listing 1, I can choose which type of proxies I will use: HTTP, SOCKS4, SOCKS5, and raw. I'll reduce it to the first three entries and add SOCKS5
to the front of line, so the format changes from: XXX.XXX.XXX.XXX:PORT
(where the Xs are the octets in the IP address) to the following format:
SOCKS5 XXX.XXX.XXX.XXX PORT
Many of the proxies in the list have odd-looking port numbers, but their presence in the list assures that they are SOCKS5 proxies. Before editing the (now very long) configuration file, I make a backup copy to save any future headaches. Then I reduce the massive proxy list to just three proxies for testing. To match the format for a SOCK5 proxy, I add SOCKS5
to the start of each line in the proxy list and then replace the colon before the port number with a space.
Next I will comment out the following lines (by adding a hash symbol at the start of the line), which would have caused the traffic to route through the Tor network directly and not the list of proxies:
# defaults set to "tor" # socks4 127.0.0.1 9050
I will run a cursory port scan test against the hostname scanme.nmap.org
, a site that allows port scans if you stick with their acceptable usage [8].
Figure 3 shows what happens when you use the Telnet program via three proxies in a chain using the ProxyChains configuration. I've redacted the IP addresses. The command I used in Figure 3 was:
$ proxychains telnet scanme.nmap.org 80
In Figure 3, you can see three redacted IP addresses before the target hostname scanme.nmap.org
. I have used the time-honored Telnet command GET /
to request a web page. As you can see, the top of the abbreviated web page is then dutifully delivered to the command line.
This test shows that I can route traffic through multiple, chained proxies and receive traffic back successfully. ProxyChains is working beautifully.
Peeling Back The Onion
Tor is a remarkable, collaborative effort by the Internet community. The Tor network [9] routes traffic via user-supplied broadband connections, of which there are thousands globally, offering high levels of anonymity. I won't do it justice skimming over its features here, but you can read more about it online if you're new to Tor.
It's worth saying that you don't need ProxyChains to use the Tor network, but they play very nicely together. ProxyChains does not use the Tor browser – it simply uses the Tor service on the back end for establishing the chain of anonymous proxies. You'll find Tor in the Ubuntu repositories. Install it with:
$ apt-get install tor
In my case, the package manager installed version 0.4.6.10-1, and it comes in a little under 3MB. Start the tor.service
unit file with:
$ systemctl start tor
If you plan to use Tor, you'll need to uncomment the lines commented out previously in the /etc/proxychains.conf
file:
defaults set to "tor" socks4 127.0.0.1 9050
In the previous test, I used Telnet on the command line. What about using an application with a user interface? Consider the venerable Firefox browser from Mozilla as an example. Before you try to use Firefox with ProxyChains and the Tor network, be sure your Firefox version is up to date:
$ snap refresh firefox firefox 113.0.1-1 from Mozilla? refreshed
Next, I need to ensure that Firefox uses the specified ProxyChains proxy (which is the Tor network in this case). I'll use a popular extension for Firefox called FoxyProxy [10]. You might have used FoxyProxy to redirect traffic through Burp Suite [11] during Capture The Flag (CTF) exercises or while practicing ethical hacking.
To install FoxyProxy, start Firefox and select Add-ons and themes in the application menu. Figure 4 shows the blue Add to Firefox button on the add-ons page.
You are then confronted with a permissions pop-up dialog box (Figure 5). Click the Add button in order to continue.
Once FoxyProxy is installed, look for the icon in the top-right corner of the browser to access the FoxyProxy settings. If you don't see the icon, you might have to rummage through the Firefox menus (Settings | Extensions & Themes) in order to open up the FoxyProxy settings. For future reference, if the icon is green, traffic is being routed via one of your preconfigured proxies. Figure 6 shows what happens when you click the little FoxyProxy icon.
If you haven't already set up Tor, click Options and you'll be presented with a screen listing choices for your settings on the right and then a number of menu options on the left. Click the Add link at the top-left. Figure 7 shows what to fill in.
The options are a name for the proxy, the IP address (127.0.0.1), and the port (TCP port 9050 in this instance). I also selected SOCKS5 in the pull-down menu. Note the Send DNS through SOCKS5 proxy setting is also enabled in Figure 7.
Once you have saved the settings, you should be able to tick the Tor line, shown in the Figure 6.
Interestingly, it looks like the Tor network configuration is accepting both SOCKS4 and SOCKS5 as the proxy type. To prove that all is well, I need to close all instances of Firefox and then open the application up again. In Figure 8, I can see what the website Whats My IP [12] shows when I visit.
In Figure 8, note the Netherlands IP Address (redacted to protect the innocent); that's not where I live! This test shows that network traffic is successfully routing via the Tor network.
ProxyChains with Nmap
Your Tor/ProxyChains network isn't limited to just forwarding browser traffic. ProxyChains works with many other popular applications. For instance, you can use ProxyChains with the mighty network mapper Nmap [13]. Install Nmap on Debian derivatives with:
$ apt install -y nmap
Try the following command with your ProxyChains and Tor configuration:
$ proxychains nmap -v -Pn -sT -p22,80,443 scanme.nmap.org
Loosely speaking, the -sT
switch means run a TCP scan. See the Nmap website for more on the TCP Connect Scan option [14]. Abbreviated output of the command appears in Listing 2.
Listing 2
Routing Nmap with Tor/ProxyChains
Initiating Parallel DNS resolution of 1 host. at 14:07 Completed Parallel DNS resolution of 1 host. at 14:07, 0.04s elapsed Initiating Connect Scan at 14:07 Scanning scanme.nmap.org (224.0.0.1) [3 ports] [proxychains] Dynamic chain ... 127.0.0.1:9050 ... scanme.nmap.org:80 ... OK Discovered open port 80/tcp on 224.0.0.1 [proxychains] Dynamic chain ... 127.0.0.1:9050 ... scanme.nmap.org:443 <--denied [proxychains] Dynamic chain ... 127.0.0.1:9050 ... scanme.nmap.org:22 ... OK Discovered open port 22/tcp on 224.0.0.1 Completed Connect Scan at 14:07, 1.19s elapsed (3 total ports) Nmap scan report for scanme.nmap.org (224.0.0.1) Host is up (0.36s latency). rDNS record for 224.0.0.1: all-systems.mcast.net PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp closed https Read data files from: /usr/bin/../share/nmap Nmap done: 1 IP address (1 host up) scanned in 1.27 seconds
The output in Listing 2 demonstrates that I have asked Nmap to scan three network ports on the target system. The denied
response for TCP port 443 is not actually because Tor is rejecting the routing or failing to route the traffic but is because the destination port is closed to traffic and there's nothing to report back. The other two ports are open, and you can see an OK entry for each.
In addition to Nmap, you could run the Telnet command through ProxyChains to query ports and not just the web page, as shown in Listing 3.
Listing 3
Telnet Via ProxyChains
$ proxychains telnet scanme.nmap.org 22 [proxychains] config file found: /etc/proxychains4.conf [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4 [proxychains] DLL init: proxychains-ng 4.16 Trying 224.0.0.1... [proxychains] Dynamic chain ... 127.0.0.1:9050 ... scanme.nmap.org:22 ... OK Connected to scanme.nmap.org. Escape character is '^]'. SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13
Or if you just want to SSH to another host via the Tor network or a chain of proxies, you can use the command in Listing 4.
Listing 4
SSH Through Proxies
$ ssh -v -D 127.0.0.1:9050 scanme.nmap.org -p22 [...snip?] debug1: /etc/ssh/ssh_config line 21: Applying options for * debug1: Connecting to scanme.nmap.org [45.33.32.156] port 22. debug1: Connection established. [...snip?] root@scanme.nmap.org's password:
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Latest Cinnamon Desktop Releases with a Bold New Look
Just in time for the holidays, the developer of the Cinnamon desktop has shipped a new release to help spice up your eggnog with new features and a new look.
-
Armbian 24.11 Released with Expanded Hardware Support
If you've been waiting for Armbian to support OrangePi 5 Max and Radxa ROCK 5B+, the wait is over.
-
SUSE Renames Several Products for Better Name Recognition
SUSE has been a very powerful player in the European market, but it knows it must branch out to gain serious traction. Will a name change do the trick?
-
ESET Discovers New Linux Malware
WolfsBane is an all-in-one malware that has hit the Linux operating system and includes a dropper, a launcher, and a backdoor.
-
New Linux Kernel Patch Allows Forcing a CPU Mitigation
Even when CPU mitigations can consume precious CPU cycles, it might not be a bad idea to allow users to enable them, even if your machine isn't vulnerable.
-
Red Hat Enterprise Linux 9.5 Released
Notify your friends, loved ones, and colleagues that the latest version of RHEL is available with plenty of enhancements.
-
Linux Sees Massive Performance Increase from a Single Line of Code
With one line of code, Intel was able to increase the performance of the Linux kernel by 4,000 percent.
-
Fedora KDE Approved as an Official Spin
If you prefer the Plasma desktop environment and the Fedora distribution, you're in luck because there's now an official spin that is listed on the same level as the Fedora Workstation edition.
-
New Steam Client Ups the Ante for Linux
The latest release from Steam has some pretty cool tricks up its sleeve.
-
Gnome OS Transitioning Toward a General-Purpose Distro
If you're looking for the perfectly vanilla take on the Gnome desktop, Gnome OS might be for you.