Socks5 Proxy Doesnt Seem to Work

[sbani]

Nuclei version:

[INF] Using Nuclei Engine 2.5.5 (latest)
[INF] Using Nuclei Templates 8.7.8 (latest)

Current Behavior:

Nuclei tests the socks proxy but doesn't use it for the outgoing requests.

Expected Behavior:

Nuclei tests the socks proxy and uses it for the outgoing connections.

Steps To Reproduce:

1. Start a web server (e.g. php -S '127.0.0.1:8080')
2. Test nuclei: nuclei -u http://localhost:8080
3. You will see incoming requests from Nuclei -> works
4. Stop nuclei
5. Run nuclei with broken socks5: nuclei -proxy 'socks5://localhost:9999' -u http://127.0.0.1:8080 -> socks error makes sense
6. Rerun nuclei with working socks5 (e.g. Tor socks5): nuclei -proxy 'socks5://localhost:9150' -u http://127.0.0.1:8080
7. You will still see incoming requests to the localhost php server from Nuclei which shouldn't be possible

You can also try that with remote socks5 and remote web server. It will always skip the proxy and leak the real ip of the host.

[f4x-safe]

I have the same problem

[ehsandeep]

@sbani this should be fixed in the dev branch.

[sbani]

thank you @ehsandeep . unfortunitely I'm not able to test your fix because nuclei doesn't work on my system when I try to build it myself (since v2.5.3).

I basically do this:

git clone https://github.com/projectdiscovery/nuclei.git; \
cd nuclei/v2/cmd/nuclei; \
go build; \
mv nuclei /usr/local/bin/; \
nuclei -version;

Error:

❯ go run main.go
../../internal/runner/update.go:27:2: //go:build comment without // +build comment
main.go:12:2: //go:build comment without // +build comment

This probably has nothing to do with your change, however it holds me back from testing.

[ehsandeep]

@sbani this error is related to use of the old go version, make sure you are on go1.17

[sbani]

Thank you @ehsandeep, thank works.

However, your fix doesn't solve the problem for me.
I tried it with two different socks5 proxies, both had the same result. Only some request came through WITHOUT THE PROXY.

Proxy test:

❯ http --proxy=https:socks5://XXXX:[email protected]:3225 https://api.ipify.org
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 13
Content-Type: text/plain
Date: Thu, 06 Jan 2022 08:13:38 GMT
Server: Cowboy
Vary: Origin
Via: 1.1 vegur

116.203.XXX.XXX

Nuclei run (proxy 1 - no requests!):

❯ git checkout dev
❯ go run main.go -u https://netw0rk.io -proxy 'socks5://XXX:[email protected]:5080' -s critical

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   2.5.8-dev

		projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions.
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[INF] Using Nuclei Engine 2.5.8-dev (development)
[INF] Using Nuclei Templates 8.8.1 (latest)
[INF] Using Interactsh Server https://interact.sh
[INF] Templates added in last update: 93
[INF] Templates loaded for scan: 334
[ERR] Could not initialize interactsh client: could not create client: could not make register request: POST http://interact.sh/register giving up after 6 attempts: Post "http://interact.sh/register": socks connect tcp 185.57.XXX.XXX:5080->interact.sh:80: username/password authentication failed
[INF] No results found. Better luck next time!

Nuclei run (proxy 1 - no requests!):

❯ git checkout dev
❯ go run main.go -u https://netw0rk.io -proxy 'socks5://XXX:[email protected]:3225' -s critical

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   2.5.8-dev

		projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions.
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[INF] Using Nuclei Engine 2.5.8-dev (development)
[INF] Using Nuclei Templates 8.8.1 (latest)
[INF] Using Interactsh Server https://interact.sh
[INF] Templates added in last update: 93
[INF] Templates loaded for scan: 334
[ERR] Could not initialize interactsh client: could not create client: could not make register request: POST http://interact.sh/register giving up after 6 attempts: Post "http://interact.sh/register": socks connect tcp 116.203.XXX.XXX:3225->interact.sh:80: username/password authentication failed
[INF] No results found. Better luck next time!

Requests that came through without proxy (46.183.YYY.YYY is my real ip, not the socks5 ip as expected):

{"level":"info","ts":1641457086.7555993,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_addr":"46.183.YYY.YYY:59126","proto":"HTTP/1.1","method":"GET","host":"netw0rk.io","uri":"/?author=1","headers":{"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"","proto_mutual":true,"server_name":"netw0rk.io"}},"common_log":"46.183.YYY.YYY - - [06/Jan/2022:08:18:06 +0000] \"GET /?author=1 HTTP/1.1\" 200 3807","user_id":"","duration":0.00040549,"size":3807,"status":200,"resp_headers":{"Server":["Caddy"],"Strict-Transport-Security":["max-age=31536000;"],"X-Xss-Protection":["1; mode=block"],"Etag":["\"r2yv9b2xr\""],"Content-Length":["3807"],"Referrer-Policy":["strict-origin-when-cross-origin"],"X-Content-Type-Options":["nosniff"],"X-Frame-Options":["DENY"],"Content-Type":["text/html; charset=utf-8"],"Last-Modified":["Mon, 22 Nov 2021 09:19:59 GMT"],"Accept-Ranges":["bytes"]}}

[Mzack9999]

@sbani it seems like this is an authentication error to the socks5 proxy:

socks connect tcp 185.57.XXX.XXX:5080->interact.sh:80: username/password authentication failed
socks connect tcp 116.203.XXX.XXX:3225->interact.sh:80: username/password authentication failed

Only RFC-compliant http requests will go through the proxy, whereas templates with unsafe http, network, and SSL requests will connect directly as they don't support it yet. I tried to setup a fresh instance of dantev with username authentication, and nuclei seem to work just fine:

$ echo http://192.168.1.9:8000 | go run . -t technologies/tech-detect.yaml -v -vv -debug -proxy 'socks5://m:[email protected]:8128'

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   2.5.8-dev

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions.
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[INF] Using Nuclei Engine 2.5.8-dev (development)
[INF] Using Nuclei Templates 8.8.2 (latest)
[INF] Using Interactsh Server https://interact.sh
[INF] Templates added in last update: 2861
[INF] Templates loaded for scan: 1
[tech-detect] Wappalyzer Technology Detection (@hakluke) [info]
[INF] [tech-detect] Dumped HTTP request for http://192.168.1.9:8000

GET / HTTP/1.1
Host: 192.168.1.9:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

[DBG] [tech-detect] Dumped HTTP response for http://192.168.1.9:8000

HTTP/1.1 200 OK
Connection: close
Content-Length: 137
Content-Type: text/html; charset=utf-8
Date: Tue, 11 Jan 2022 16:00:03 GMT
Last-Modified: Tue, 21 Dec 2021 15:34:21 GMT

<pre>
<a href=".DS_Store">.DS_Store</a>
</pre>
[INF] No results found. Better luck next time!

I correctly got the callback from the proxy ip:

I am unsure if it could be a bug with some specific proxy server software or configuration. Would it be possible to provide more info on the socks5 server setup/configuration?

[sbani]

Thank you @Mzack9999 for your feedback.
Let me test the fix again today afternoon.

One proxy is run with biosocks2 and the other one I don't know. It's from perfect-privacy a well known commercial VPN/Proxy provider.

Biosocks2: https://github.com/bioboy/biosocks2/

[Mzack9999]

Just tested with biosocks2 and I can confirm it works with default hardcoded credentials with the following command:

$ echo http://192.168.1.16:8000 | go run . -t technologies/tech-detect.yaml -v -vv -debug -proxy 'socks5://login:[email protected]:12345'

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   2.5.8-dev

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions.
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[INF] Using Nuclei Engine 2.5.8-dev (development)
[INF] Using Nuclei Templates 8.8.2 (latest)
[INF] Using Interactsh Server https://interact.sh
[INF] Templates added in last update: 2861
[INF] Templates loaded for scan: 1
[tech-detect] Wappalyzer Technology Detection (@hakluke) [info]
[INF] [tech-detect] Dumped HTTP request for http://192.168.1.16:8000

GET / HTTP/1.1
Host: 192.168.1.16:8000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

[DBG] [tech-detect] Dumped HTTP response for http://192.168.1.16:8000

HTTP/1.1 200 OK
Connection: close
Content-Length: 137
Content-Type: text/html; charset=utf-8
Date: Thu, 13 Jan 2022 09:09:40 GMT
Last-Modified: Tue, 21 Dec 2021 15:34:21 GMT

<pre>
<a href=".DS_Store">.DS_Store</a>
</pre>
[INF] No results found. Better luck next time!

with

• http://192.168.1.16:8000 simplehttpserver instance
• 192.168.1.31 host running biosock2 proxy

[sbani]

I don't know what I do wrong, but this doesn't work for me. I'm really sorry because it seems weird to me too.
Maybe it's my current setup, I'm not sure, because I have networking issues from time to time since my upgrade to Fedora 34 - this might be related but who knows.

[yabeow]

Hi @sbani @ehsandeep @Mzack9999,

I've also experienced this issue on my end and found out that nuclei lower case the username & password when sending them to the socks5 proxy server 😵‍💫 . This behaviour only occurs on nuclei 2.5.8 and above.

[sbani]

HI @yabeow, that sounds like a good reason. Thank you for your deep dive. Where did you find it in code exactly? I'm curious and couldn't find it in a first search in dev branch

[yabeow]

@sbani it all began with this commit: 0e46d3e

For some reasons, the author used flagSet.NormalizedStringSliceVarP for the --proxy flag. Was it intentional? @ehsandeep @Mzack9999

[forgedhallpass]

@yabeow Good observation. This is clearly a bug.

Issue created: #1557

[sbani]

Nice catch! Thank you very much @yabeow

[forgedhallpass]

As @yabeow correctly pointed out, there is a small bug in the code, that transforms the input to lower-case characters (#1557). Until it gets fixed, as a workaround, you could probably put your proxy configuration in a file and pass that instead to nuclei. There isn't/shouldn't be any normalization there.