
detect socks5 proxy capabilities #971

@mike-hunhoff

I've analyzed a few, small programs that function as SOCKS5 proxies and I've been able to identify the protocol based on the same offset and constant parsing completed in the code. Specifically, the client connection request when parsing the DSTADDR field. This requires checking the address type (0x1, 0x3, 0x4) and command code (0x1, 0x2, 0x3).

I'm not sure if it's possible to check for comparisons to these constant values without introducing false positives but I wanted to note the idea here because I think it'd be helpful to quickly identify this common functionality.

Client connection request

| | VER | CMD | RSV | DSTADDR | DSTPORT |
|---|---|---|---|---|---|
| Byte Count | 1 | 1 | 1 | Variable | 2 |

VER
    SOCKS version (0x05)
CMD
    command code:
        0x01: establish a TCP/IP stream connection
        0x02: establish a TCP/IP port binding
        0x03: associate a UDP port
RSV
    reserved, must be 0x00
DSTADDR
    destination address, see the address structure above.
DSTPORT
    port number in [network byte order](https://en.wikipedia.org/wiki/Network_byte_order)
    
SOCKS5 address

| | TYPE | ADDR |
|---|---|---|
| Byte Count | 1 | variable |
TYPE
    type of the address. One of:
        0x01: IPv4 address
        0x03: Domain name
        0x04: IPv6 address
ADDR
    the address data that follows. Depending on type:
         4 bytes for IPv4 address
         1 byte of name length followed by 1–255 bytes for the domain name
         16 bytes for IPv6 address

Source: https://en.wikipedia.org/wiki/SOCKS
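As an added example (not part of this issue or of the capa code base): a small parser and builder for the SOCKS5 client connection request laid out above, using the version, command and address-type constants from the issue. It shows the branching on ATYP (fixed 4-byte IPv4, length-prefixed domain name, fixed 16-byte IPv6) that a proxy implementation has to perform and that an analyst would expect to see as constant comparisons and offset arithmetic; it also rejects truncated or malformed requests rather than reading past the buffer. The sample request bytes are constructed for this example.

```python
"""Parse and build SOCKS5 client connection requests (VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT).

Added example, not code from the capa project or the issue author.
Field names follow RFC 1928; the sample requests at the bottom are constructed.
"""
import ipaddress
import struct
from dataclasses import dataclass

SOCKS_VERSION = 0x05

# CMD values (the constants the issue proposes checking for)
CMD_CONNECT = 0x01
CMD_BIND = 0x02
CMD_UDP_ASSOCIATE = 0x03
CMD_NAMES = {CMD_CONNECT: "CONNECT", CMD_BIND: "BIND", CMD_UDP_ASSOCIATE: "UDP ASSOCIATE"}

# address-type values
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
ATYP_IPV6 = 0x04


class Socks5Error(ValueError):
    """Raised for any request that does not match the SOCKS5 layout."""


@dataclass(frozen=True)
class Socks5Request:
    cmd: int
    atyp: int
    dst_addr: str
    dst_port: int

    @property
    def cmd_name(self) -> str:
        return CMD_NAMES[self.cmd]


def parse_client_request(buf: bytes) -> Socks5Request:
    """Decode one client connection request; every length check precedes the read it guards."""
    if len(buf) < 4:
        raise Socks5Error("truncated header")
    ver, cmd, rsv, atyp = buf[0], buf[1], buf[2], buf[3]
    if ver != SOCKS_VERSION:
        raise Socks5Error(f"bad version {ver:#x}")
    if cmd not in CMD_NAMES:
        raise Socks5Error(f"bad command {cmd:#x}")
    if rsv != 0x00:
        raise Socks5Error(f"reserved byte must be 0x00, got {rsv:#x}")

    pos = 4
    if atyp == ATYP_IPV4:
        addr_len = 4
    elif atyp == ATYP_IPV6:
        addr_len = 16
    elif atyp == ATYP_DOMAIN:
        # domain name: one length byte, then 1..255 bytes of name
        if len(buf) < pos + 1:
            raise Socks5Error("truncated domain length")
        addr_len = buf[pos]
        pos += 1
        if addr_len == 0:
            raise Socks5Error("empty domain name")
    else:
        raise Socks5Error(f"bad address type {atyp:#x}")

    if len(buf) < pos + addr_len + 2:
        raise Socks5Error("truncated address or port")
    raw_addr = buf[pos:pos + addr_len]
    pos += addr_len

    if atyp == ATYP_DOMAIN:
        try:
            dst_addr = raw_addr.decode("ascii")
        except UnicodeDecodeError as exc:
            raise Socks5Error("non-ASCII domain name") from exc
    else:
        # ipaddress accepts the packed 4- or 16-byte form directly
        dst_addr = str(ipaddress.ip_address(raw_addr))

    (dst_port,) = struct.unpack("!H", buf[pos:pos + 2])  # network byte order
    pos += 2
    if pos != len(buf):
        raise Socks5Error(f"{len(buf) - pos} trailing byte(s) after DST.PORT")
    return Socks5Request(cmd, atyp, dst_addr, dst_port)


def build_client_request(cmd: int, host: str, port: int) -> bytes:
    """Encode a request, choosing ATYP from the host string (IPv4, IPv6 or domain)."""
    if cmd not in CMD_NAMES:
        raise Socks5Error(f"bad command {cmd:#x}")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("ascii")
        if not 1 <= len(name) <= 255:
            raise Socks5Error("domain name length must be 1..255")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([SOCKS_VERSION, cmd, 0x00]) + addr + struct.pack("!H", port)


if __name__ == "__main__":
    # constructed sample: CONNECT to example.com:443 via a domain-name address
    sample = bytes([0x05, 0x01, 0x00, 0x03, 11]) + b"example.com" + b"\x01\xbb"
    req = parse_client_request(sample)
    print(req.cmd_name, req.dst_addr, req.dst_port)
```

The builder round-trips through the parser, so the same block can be used to generate known-good requests for exercising a decoder or a detection rule against captured handshake bytes.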
