TLDR: Enable remote name resolution, as well as the proxying of Windows service / SYSTEM processes, within Proxifier to resolve DNS issues and to coerce traffic from SYSTEM processes and kernel-initiated TCP through your SOCKS proxy. Skip to the Proxying Offensive Windows Tooling section for practical examples.

Leveraging SOCKS to proxy tools from a Windows attacker machine through a compromised host is a topic that contains some nuance and room for confusion. This nuance stems from the protocol requirements of the common network traffic being proxied into a target network, as well as the tools (or lack thereof) available on Windows to facilitate proxying network traffic via SOCKS. However, there is significant value in the ability to proxy existing Windows tools and native utilities into a network from an offensive perspective. To that end, this post aims to step through:

- Value proposition of executing Windows tooling remotely vs.
- Network topology levelset and diagram for examples.
- Identification of a tool's traffic to focus what is routed through SOCKS.
- The process of proxying Windows tools and utilities that rely on protocols such as DNS, RPC (DCOM / WMI, MS-DRSR / DRSUAPI), Kerberos, LDAP, and SMB.
- Nuances of common protocols an attacker would want to proxy, as well as Proxifier client specifics to maximize value for the offensive use case.
- Operational tips while proxying using this technique.

Proxying offensive tools into a network is not a new concept, whether from *nix-based or Windows operating systems. Pushing traffic from tools such as Impacket through utilities like Proxychains is a well-documented topic. Proxying traffic from Windows for offensive purposes has also been addressed previously, and this post builds on those resources by focusing on the protocols being proxied and addressing issues that may arise regarding the configuration of SOCKS. The idea is not to replace the resources and tools that already exist, but to extend the usability of tools (largely Windows-based) that would otherwise have required some kind of on-host execution. This post will instead cover proxying Windows tooling through a compromised host via SOCKS, such as several of the C# and PowerShell projects we've come to know and love, along with some of the nuances that come with leveraging this technique.
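The "remote name resolution" point in the TLDR comes down to which end of the SOCKS5 tunnel performs the DNS lookup. The following is an added example (not code from the original post or from Proxifier) that builds a SOCKS5 CONNECT request per RFC 1928 both ways and parses what the proxy end receives; the target names and ports are constructed sample values.

```python
import socket
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4 = 1
ATYP_DOMAIN = 3


def build_connect(target: str, port: int, remote_resolve: bool) -> bytes:
    """Build a SOCKS5 CONNECT request (RFC 1928, section 4).

    remote_resolve=True sends the hostname itself (ATYP 0x03), so the DNS
    lookup happens on the proxy side, inside the target network.
    remote_resolve=False mimics a client with remote resolution disabled:
    the name is resolved locally (against the attacker's DNS, which cannot
    see internal names) and only an IPv4 address (ATYP 0x01) is sent.
    """
    if remote_resolve:
        name = target.encode("idna")
        if len(name) > 255:
            raise ValueError("SOCKS5 domain names are limited to 255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        # Local lookup: raises socket.gaierror for names only internal DNS knows.
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(socket.gethostbyname(target))
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect(req: bytes) -> dict:
    """Parse a CONNECT request the way the proxy end sees it."""
    if len(req) < 4 or req[0] != SOCKS_VERSION or req[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == ATYP_IPV4:
        host, end = socket.inet_ntoa(req[4:8]), 8
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, end = req[5:5 + n].decode("idna"), 5 + n
    else:
        raise ValueError("unsupported address type %d" % atyp)
    if len(req) != end + 2:
        raise ValueError("truncated or trailing bytes in request")
    (port,) = struct.unpack("!H", req[end:end + 2])
    return {"host": host, "port": port,
            "resolved_by": "proxy" if atyp == ATYP_DOMAIN else "client"}


if __name__ == "__main__":
    # Constructed sample: an internal DC name and an IP literal that needs no DNS.
    print(parse_connect(build_connect("dc01.corp.local", 445, True)))
    print(parse_connect(build_connect("10.0.0.5", 389, False)))
```

With remote resolution the proxy reports `resolved_by: proxy` and the internal name never touches the attacker's resolver; with it disabled the same internal name fails at `gethostbyname` before any SOCKS traffic is sent, which is the DNS issue the TLDR refers to.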