SOCKS Proxy is not used for rhost's set to hostnames #19641

Open
skylerknecht opened this issue Nov 13, 2024 · 7 comments
@skylerknecht (Contributor)

Steps to reproduce

How'd you do it?

  1. Start metasploit
  2. use ldap_query
  3. set rhosts hostname.local
  4. setg proxies socks5:127.0.0.1:1080
  5. Run a socks proxy, an example has been uploaded here.
  6. Run the module and see no request made to the proxy
  7. set rhosts 8.8.8.8
  8. Run the module and see a request made to the proxy

Were you following a specific guide/tutorial or reading documentation?

No

Expected behavior

We should see a request to the SOCKS5 proxy with the address type set to 3.

For example, here's rhost set to 8.8.8.8:

skyler@attacker:~$ python3 socks.py 127.0.0.1 1080
SOCKS Server running on 127.0.0.1:1080
New client connected.
Address Type: 1, 8.8.8.8:389

Current behavior

We see no request to the SOCKS5 proxy.

Metasploit version

msf6 auxiliary(gather/ldap_query) > version
Framework: 6.4.36-dev-88132657d2ba694635b604b369d4ad4d78ca2ced
Console  : 6.4.36-dev-88132657d2ba694635b604b369d4ad4d78ca2ced
@blurbdust (Contributor)

I know this is a draft PR but I went ahead and tested it out as I'm hitting this condition this week. The DNS resolution does in fact get skipped during the validation of the options provided. I do not see the DNS query at the proxy level at all, so it seems like it's getting skipped entirely and not deferred to the proxy. I'm using an SSH tunnel (unknown if full SOCKS5 was implemented) so I checked with the socks server linked above and I don't see the DNS request with that either. I also tried wrapping proxychains around msfconsole since that worked prior to the DNS resolution system for getting module traffic through a SOCKS proxy, but that failed as well. I looped over all the hosts I needed to connect to and then added static entries for the hosts in the meantime.

@adfoster-r7 (Contributor)

@blurbdust What are the exact replication steps for the scenario(s) that you're running through? What is currently happening, and what would you expect to have happen 👀

@blurbdust (Contributor)

Dependencies from fresh Kali

sudo apt update && sudo apt install -y git autoconf build-essential libpcap-dev libpq-dev zlib1g-dev libsqlite3-dev rbenv
git clone https://github.com/adfoster-r7/metasploit-framework.git -b update-dns-resolution-for-socks-proxies
cd metasploit-framework
cat .ruby-version # 3.2.5
rbenv init # copy output into shell rc, exit terminal, create new terminal
rbenv install 3.2.5
rbenv local 3.2.5 # exit terminal, create new terminal
ruby -v # == 3.2.5
gem install bundle
bundle install

Make SOCKS server on Windows host

ssh -R 4433 blurbdust@labkali -N

Running msf on Kali

./msfconsole
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS labdc19.testlab.local
run # expected can't resolve internal hostname
setg proxies socks5:127.0.0.1:4433
run # unexpected still can't resolve internal hostname

[screenshot]

Creating SOCKS5 server with linked script

git clone https://github.com/skylerknecht/socks
sudo python3 socks.py 192.168.40.248 1080

Testing with curl to make sure we see the connection in the socks server output and via SSH tunnel

[screenshot]

Showing SSH tunnel gets the SOCKS request as well

[screenshot]

Rerun in msfconsole but SSH tunnel never gets DNS request

[screenshot]

Showing msfconsole again but to local SOCKS server and no request sent, confirmed server still listening with curl

[screenshot]

Note: I did remove the DNS resolvers, but that is only because this Kali machine can actually resolve that hostname locally. No request is sent to the proxy server even with the DNS resolvers not flushed.

@adfoster-r7 (Contributor)

Thanks! I'm not at a computer to verify things at the minute - but does running the code from this branch #19683 work for you? If setting the global datastore setg proxies socks5:192.168.40.248:1080 doesn't work, could you try it again with setting the active module datastore with set proxies socks5:192.168.40.248:1080 as well to see if that changes the behavior 🤞

@blurbdust (Contributor)

I was running the branch that includes the PR. Here's the commit hash out of the log matching the version.

[screenshot]

Moving the proxy to the local module options still has the same issue:

[screenshot]

@adfoster-r7 (Contributor)

Thanks! I think we'd probably want to update Metasploit to support differentiating between socks5 and socks5h proxy types to handle this scenario more explicitly. I've got a rough prototype working - but will have to circle back on this issue.

Test Setup

Run locally - create socks proxy:

ssh -D 1080 [email protected]

Run on remote host - set up remote dns entry and server:

echo '127.0.0.1 remote.example.com' | sudo tee -a /etc/hosts # sudo must apply to the write, not just to echo
python3 -m http.server 8080

Examples

socks5

msf6 auxiliary(scanner/http/title) > run proxies=socks5:127.0.0.1:1080 http://remote.example.com:8080

[*] Error: remote.example.com: SocketError getaddrinfo: Name or service not known
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

socks5h

msf6 auxiliary(scanner/http/title) > run proxies=socks5h:127.0.0.1:1080 http://remote.example.com:8080
[+] [remote.example.com:8080] [C:200] [R:] [S:SimpleHTTP/0.6 Python/3.10.12] Directory listing for /
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/title) 

This would align with curl's behavior

$ curl --proxy socks5://127.0.0.1:1080 http://remote.example.com:8080 
curl: (97) Could not resolve host: remote.example.com

$ curl --proxy socks5h://127.0.0.1:1080 http://remote.example.com:8080
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
... etc ...
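To make the address-type distinction concrete (the ATYP 3 "domain name" request the reporter expects for rhosts set to hostname.local, the ATYP 1 request the diagnostic server logged for 8.8.8.8, and the socks5 versus socks5h behaviour described just above), here is an added example. It is not code from this issue, from Metasploit, or from the linked socks.py: a minimal RFC 1928 CONNECT request builder and parser in Python. The function names, the stub resolver used in place of real DNS, and the sample hosts and ports are assumptions for illustration.

```python
"""Added example (not from the issue or Metasploit): SOCKS5 (RFC 1928)
CONNECT request builder and parser.

build_connect_request() shows what a client puts on the wire for the two
behaviours discussed in this issue:
  * socks5h-style: send the hostname itself (ATYP 3) and let the proxy resolve it
  * socks5-style:  resolve locally first and send the IP (ATYP 1 / ATYP 4)
parse_connect_request() is what a diagnostic SOCKS server does before printing
a line such as "Address Type: 1, 8.8.8.8:389".
Names and sample hosts are assumptions for illustration.
"""
import ipaddress
import socket
import struct
from typing import Callable, Tuple

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_connect_request(
    host: str,
    port: int,
    resolve_locally: bool = False,
    resolver: Callable[[str], str] = socket.gethostbyname,
) -> bytes:
    """Return VER CMD RSV ATYP DST.ADDR DST.PORT for a CONNECT to host:port.

    resolve_locally=False behaves like curl's socks5h: a hostname is sent as
    ATYP 3 and the proxy is responsible for resolving it (what the issue
    expects for rhosts set to hostname.local).
    resolve_locally=True behaves like curl's socks5: the client resolves the
    name first, so an unresolvable internal name fails with socket.gaierror
    before anything reaches the proxy (the "Name or service not known" case).
    """
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    try:
        ip = ipaddress.ip_address(host)      # literal IPv4/IPv6 address?
    except ValueError:
        ip = None                            # a hostname
    if ip is None and resolve_locally:
        ip = ipaddress.ip_address(resolver(host))  # may raise socket.gaierror

    header = bytes([SOCKS_VERSION, CMD_CONNECT, 0x00])
    if ip is None:
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("domain name must be 1..255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    elif ip.version == 4:
        addr = bytes([ATYP_IPV4]) + ip.packed
    else:
        addr = bytes([ATYP_IPV6]) + ip.packed
    return header + addr + struct.pack("!H", port)


def parse_connect_request(data: bytes) -> Tuple[int, str, int]:
    """Parse a CONNECT request and return (atyp, host, port).

    Length checks are strict so a truncated or malformed request raises
    instead of being silently misread.
    """
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if cmd != CMD_CONNECT:
        raise ValueError(f"unsupported command {cmd:#x}")
    if atyp == ATYP_IPV4:
        end = 4 + 4
        host = str(ipaddress.IPv4Address(data[4:end]))
    elif atyp == ATYP_IPV6:
        end = 4 + 16
        host = str(ipaddress.IPv6Address(data[4:end]))
    elif atyp == ATYP_DOMAIN:
        if len(data) < 5:
            raise ValueError("truncated request")
        end = 5 + data[4]
        host = data[5:end].decode("idna")
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(data) != end + 2:
        raise ValueError("truncated or oversized request")
    (port,) = struct.unpack("!H", data[end:end + 2])
    return atyp, host, port


def describe(data: bytes) -> str:
    """Format a request the way the diagnostic server in the issue logs it."""
    atyp, host, port = parse_connect_request(data)
    return f"Address Type: {atyp}, {host}:{port}"


if __name__ == "__main__":
    # Constructed sample targets taken from the thread.
    print(describe(build_connect_request("8.8.8.8", 389)))           # ATYP 1
    print(describe(build_connect_request("hostname.local", 389)))    # ATYP 3
    try:
        build_connect_request("remote.example.com", 8080, resolve_locally=True)
    except socket.gaierror as exc:
        print("socks5-style local resolution failed:", exc)
```

The point to check when debugging a proxy setup like the one in this issue is the ATYP byte of the request the proxy actually receives: if the client resolves names itself (socks5 semantics), a hostname the local resolver cannot answer never produces a request at all, which is exactly the "no request made to the proxy" symptom reported above.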

@smcintyre-r7 (Contributor)

I just wanted to chime in regarding:

I also tried wrapping proxychains around msfconsole since that worked prior to the DNS resolution system for getting module traffic through a SOCKS proxy but that failed as well.

That's correct, there are two ways to use the DNS through proxychains like it used to work since Metasploit 6.4 was released.

  1. Disable the DNS feature by running features set dns false, saving, then restarting msfconsole
  2. Use the "system" resolver and put it in the desired position, probably the first spot, by running dns add -i 1 system

proxychains uses a hook on the libc function calls that handle the resolution. Metasploit 6.4 doesn't use those when the DNS feature is available since it handles it itself, but using the "system" resolver will force it back to the libc function call, relying on the host OS's support, which proxychains will have hooked.

@smcintyre-r7 smcintyre-r7 moved this to In Progress in Metasploit Kanban Dec 6, 2024