
proxychains-ng

sudo apt-get update
sudo apt-get install proxychains-ng
sudo yum install proxychains-ng
# or
sudo dnf install proxychains-ng
# Homebrew
brew install proxychains-ng

# MacPorts
sudo port install proxychains-ng
git clone https://github.com/rofl0r/proxychains-ng.git
cd proxychains-ng
./configure --prefix=/usr/local
make
sudo make install
proxychains4 -v
which proxychains4
# System-wide config
/etc/proxychains.conf
/etc/proxychains4.conf

# User config (overrides system)
~/.proxychains/proxychains.conf

# Custom location
proxychains4 -f /path/to/config command
# Sample proxychains.conf structure:

# Quiet mode: a bare directive with no value. When the line is present
# proxychains suppresses its own per-connection output; comment it out
# (or use the -q flag only when wanted) to see the chain being built
quiet_mode

# Chain type settings: the samples on this page enable exactly one of the
# three at a time, with the others commented out
strict_chain
# dynamic_chain
# random_chain

# TCP read/write and connect timeouts, in milliseconds
tcp_read_time_out 15000
tcp_connect_time_out 8000

# Proxy list: one proxy per line, fields are "type host port [user password]"
# (keep comments on their own line; a trailing comment on an entry line is
# not guaranteed to be ignored by the parser)
[ProxyList]
socks5 127.0.0.1 1080
socks4 192.168.1.100 1080
http 10.0.0.5 8080
# Create ~/.proxychains/proxychains.conf
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000

[ProxyList]
# NOTE(review): "localhost 9050" and "127.0.0.1 9050" below are the same
# endpoint; under strict_chain every listed entry is a hop in order, so the
# first SOCKS server would be asked to connect on to the second. Keep one of
# them (the IP literal also avoids a name lookup for the proxy itself).
socks5 localhost 9050
# Default Tor or SSH tunnel target
socks5 127.0.0.1 9050
socks5 10.0.0.100 1080

# With authentication: user and password are the 4th and 5th
# whitespace-separated fields (not a single "username:password" token)
socks5 127.0.0.1 1080 username password
# SOCKS4 (basic): the request carries an IPv4 address, not a hostname, so the
# target name has to be resolved before the request is made
socks4 192.168.1.1 1080

# SOCKS4A (supports DNS through proxy): the hostname is passed to the proxy
socks4a 192.168.1.1 1080
# NOTE(review): SOCKS4/4A has a user-id field but no password exchange —
# confirm what the parser does with the fifth field before relying on it
socks4a 192.168.1.1 1080 user password
# HTTP proxy
http 10.0.0.1 8080

# HTTP with auth
# Credentials are handed to the proxy as part of the proxy handshake, so they
# are only as protected as the link to that proxy; this file holds them in
# clear text and should be readable by its owner only
http 10.0.0.1 8080 username password

# HTTPS (treated same as HTTP)
http 10.0.0.2 3128 user pass
[ProxyList]
# Tor SOCKS5
socks5 127.0.0.1 9050

# SSH tunnel SOCKS4 (ssh -D serves SOCKS4 and SOCKS5; other samples on this
# page use the socks5 type for the same kind of tunnel)
socks4 localhost 9999

# HTTP corporate proxy
# NOTE(review): no escape processing is documented for this field, so the
# doubled backslash is presumably passed to the proxy literally as
# "domain\\username"; verify against the proxy before assuming it means one
http 10.0.0.5 8080 domain\\username password
# Enforce chain order - each proxy must work
# Format: Client -> Proxy1 -> Proxy2 -> Proxy3 -> Target
# Failure if any proxy is down
# Each hop connects to the next, so proxy2 must be reachable from proxy1 and
# proxy3 from proxy2 — not merely from this host.
# NOTE(review): the proxy host names themselves are presumably resolved by
# this host at startup (one local lookup per entry) — confirm; IP literals
# avoid that lookup

strict_chain

[ProxyList]
socks5 proxy1.com 1080
socks5 proxy2.com 1080
socks5 proxy3.com 1080
# Skip dead proxies, use working ones in order
# Format: Client -> Working Proxies -> Target
# The chain is still built hop by hop: a "working" proxy is one the previous
# working proxy can reach, so every live entry becomes a hop — this is not a
# "first working proxy only" mode

dynamic_chain

[ProxyList]
socks5 proxy1.com 1080
socks5 proxy2.com 1080
socks5 proxy3.com 1080
# If proxy2 is down, proxy1 -> proxy3 is used
# Distribute connections across proxies
# Useful for load balancing
# NOTE(review): check whether your version's chain_len setting (present in the
# proxychains-ng sample config) also governs how many entries form one chain
# in this mode; with more than one hop the later proxy must be reachable from
# the earlier one

round_robin_chain

[ProxyList]
socks5 proxy1.com 1080
socks5 proxy2.com 1080
socks5 proxy3.com 1080
# Connection 1 uses proxy1, 2 uses proxy2, 3 uses proxy3
# Randomize proxy order for each connection
# Varies traffic patterns
# proxychains-ng's sample config pairs random_chain with chain_len, which sets
# how many of the listed entries are drawn for one chain — set it deliberately,
# because with more than one hop each later proxy must be reachable from the
# one before it

random_chain

[ProxyList]
socks5 proxy1.com 1080
socks5 proxy2.com 1080
socks5 proxy3.com 1080
# Each connection randomly selects chain order
# Enable proxy_dns to resolve through proxies (prevent DNS leaks)
proxy_dns

# proxy_dns covers lookups the proxied program makes through the libc
# resolver calls that proxychains hooks (gethostbyname/getaddrinfo).
# NOTE(review): proxychains only redirects TCP connections, so a tool that
# sends its own UDP DNS packets — nslookup and dig by default — is not a valid
# test of this setting; use a client that connects by name over TCP
# (e.g. curl https://example.com) and watch the proxychains output instead.
# To turn DNS proxying off, comment out the proxy_dns line above;
# "no_proxy_dns" is not a directive used anywhere else on this page
# no_proxy_dns

# DNS queries use local resolver (may leak queries)
# In proxychains.conf
proxy_dns

# NOTE(review): "nameserver" is not a proxychains directive shown anywhere
# else on this page. With proxy_dns the lookup is forwarded through the chain,
# and proxychains-ng's shipped sample config uses remote_dns_subnet for the
# placeholder address range — confirm this line against your version's
# proxychains.conf before relying on it
# nameserver 8.8.8.8
proxychains4 [options] [command] [arguments]
proxychains4 -h                    # Help
proxychains4 -v                    # Version
proxychains4 -f config.conf cmd    # Use custom config
proxychains4 -q command            # Quiet mode
# Browse web through proxy
proxychains4 curl http://example.com

# SSH through proxy
proxychains4 ssh user@target.com

# Port scan with nmap
proxychains4 nmap -sV target.com

# Git operations
proxychains4 git clone https://github.com/user/repo.git
proxychains4 nc -l -p 8888 -c 'nc target.com 80'
proxychains4 bash
# Now all commands in shell use proxy

curl http://ifconfig.me
wget http://example.com
ssh user@target.com
# etc
# Local SOCKS5 tunnel through SSH
ssh -D 9050 -f -C -q -N user@pivot-host

# Breakdown:
# -D 9050        SOCKS (4/5) listener on local port 9050, bound to loopback unless an address is given
# -f             Background process
# -C             Enable compression
# -q             Quiet mode
# -N             Don't execute commands
# In proxychains.conf
[ProxyList]
socks5 127.0.0.1 9050

# Use:
proxychains4 ssh user@internal-host
proxychains4 nmap internal-network
# Pivot through multiple servers
ssh -D 9050 -J user1@jump1:22 user2@jump2 -f -N

# Or chain both jumps in a single ProxyJump list (-J, SSH 7.3+)
ssh -D 9050 -J user1@jump1,user2@jump2 user3@target -f -N

# proxychains.conf
[ProxyList]
socks5 127.0.0.1 9050
# Ubuntu/Debian
sudo apt-get install tor

# Start Tor
sudo systemctl start tor
sudo systemctl enable tor

# Or run locally
tor --socks-port 9050
# In proxychains.conf
[ProxyList]
socks5 127.0.0.1 9050

# Use Tor for anonymous browsing
proxychains4 curl https://check.torproject.org
proxychains4 wget https://example.com
# If Tor requires auth (rare)
socks5 127.0.0.1 9050 username password

# Usually:
socks5 127.0.0.1 9050
# Rotate Tor exit node
echo "SIGNAL NEWNYM" | nc localhost 9051

# Or with socat:
socat - TCP:localhost:9051 <<< "SIGNAL NEWNYM"

# Then make new requests:
proxychains4 curl https://ifconfig.me
# Basic scan through proxy
proxychains4 nmap -sV target.com

# SYN scan (requires root; raw-socket scans bypass the LD_PRELOAD hook, so probes leave directly instead of through the proxy — prefer -sT)
sudo proxychains4 nmap -sS target.com

# TCP connect scan (reliable through proxies)
proxychains4 nmap -sT target.com

# Scan internal network
proxychains4 nmap -sV 192.168.1.0/24
# curl
proxychains4 curl -I https://example.com
proxychains4 curl -X POST -d 'data' https://api.example.com

# wget
proxychains4 wget https://example.com/file.zip

# curl with custom headers
proxychains4 curl -H "Authorization: Bearer token" https://api.example.com
# Clone repository
proxychains4 git clone https://github.com/user/repo.git

# Fetch updates
cd repo && proxychains4 git fetch origin

# Push changes
proxychains4 git push origin main
# SSH connection
proxychains4 ssh user@target.com

# SSH key-based auth
proxychains4 ssh -i ~/.ssh/id_rsa user@target.com

# SCP copy
proxychains4 scp file.txt user@target.com:/home/user/

# SFTP
proxychains4 sftp user@target.com
# nslookup (UDP by default; proxychains redirects only TCP, so these queries go out unproxied)
proxychains4 nslookup example.com

# dig (UDP by default, hence unproxied; +tcp forces a TCP query that proxychains can redirect)
proxychains4 dig @8.8.8.8 example.com

# whois
proxychains4 whois example.com
# netcat
proxychains4 nc -v target.com 80

# telnet
proxychains4 telnet target.com 23

# tcpdump (may have issues through proxy)
# Can't directly proxy packet capture
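# Three-level pivot: You -> Proxy1 -> Proxy2 -> Proxy3 -> Target
# Each entry is connected to BY the previous hop: the second address must be
# reachable from the first proxy, the third from the second.
strict_chain

[ProxyList]
# Comments stay on their own lines: an entry is parsed as whitespace-separated
# "type host port [user password]" fields, so a trailing "# ..." on an entry
# line risks being read as a user name and password.
# First compromised box
socks5 10.0.1.100 1080
# Through first box (or tunnel)
socks5 10.0.2.50 1080
# Through second box (or tunnel)
socks5 10.0.3.200 1080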
# Tunnel 1: Local -> Pivot1
ssh -D 9050 user@pivot1 -f -N

# From pivot1 to pivot2, create another tunnel (in remote shell)
# Then on local: forward port to that tunnel
# Finally in proxychains:
[ProxyList]
socks5 127.0.0.1 9050
# Terminal 1: First hop
ssh -D 9050 user@host1 -f -N

# Terminal 2: SSH through first proxy to second host
proxychains4 ssh -D 9051 user@host2 -f -N

# Terminal 3: Configure proxychains for second proxy
# Edit config to use:
# [ProxyList]
# socks5 127.0.0.1 9051

# Use final chain:
proxychains4 nmap internal-network
# Test if SOCKS5 proxy works
proxychains4 curl -I https://google.com

# Test with verbose output
proxychains4 -v curl https://google.com
# Watch for "Connecting to..." messages
# Check if DNS queries leak
proxychains4 nslookup whoami.akamai.net
# A proxied lookup should be answered from the proxy side, not by the local resolver; note that nslookup sends UDP, which proxychains does not redirect, so this is not a reliable leak test — use a TCP client (e.g. curl) with proxy_dns enabled and watch the proxychains output instead

# If leaking, verify proxy_dns is enabled in config
grep proxy_dns /etc/proxychains4.conf
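# Increase read/write timeouts in config (values are milliseconds; the unit
# note is kept on its own line because a trailing comment on a directive line
# is not guaranteed to be ignored by the parser)
tcp_read_time_out 15000
tcp_connect_time_out 8000

# Increase for slow/distant proxies (this pair and the pair above are
# before/after alternatives — only one pair belongs in the file)
tcp_read_time_out 30000
tcp_connect_time_out 15000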
# For SOCKS5 with auth:
socks5 proxy.com 1080 username password

# Verify credentials in config
# Make sure username/password match proxy requirements

# Test connection:
proxychains4 curl https://example.com -v
# If using strict_chain and proxy fails:
# Switch to dynamic_chain to skip dead proxies
# (the three directives below are alternatives — only one of them should be
# active in the file at a time, as in the commented-out samples above)

# Before:
strict_chain

# After:
dynamic_chain

# Or use random_chain for variety
random_chain
# If SSH tunnel port is taken: find the owning process and stop it (plain kill first; -9 only if it does not exit)
lsof -i :9050
kill -9 <PID>

# Or use different port:
ssh -D 9051 user@host -f -N
# Update proxychains.conf: socks5 127.0.0.1 9051
# Use dynamic_chain to reuse working proxies
dynamic_chain

# Multiple connections may share proxy paths
# Enable SSH compression in tunnel
ssh -D 9050 -C user@host -f -N

# Reduces bandwidth through slow links
# For tools supporting parallel:
proxychains4 nmap -p- --min-parallelism 10 target.com

# Check tool documentation for parallel options
# If using dynamic_chain with proxy_dns:
# proxychains4 will cache DNS results within session
# Reduces DNS query overhead
# Use trusted proxies only
# Proxies can log traffic

# Best practice: Use own infrastructure
# Compromised boxes you control
# Commercial VPN (SOCKS5 endpoint)
# Tor network (distributed)
# SOCKS5 doesn't encrypt by default
# Use HTTPS to encrypt traffic

proxychains4 curl https://example.com  # Encrypted
# vs
proxychains4 curl http://example.com   # Not encrypted through proxy

# For SSH: Use SOCKS5 over SSH tunnel for double encryption
# Longer chains = harder to trace origin

strict_chain
[ProxyList]
socks5 proxy1.com 1080
socks5 proxy2.com 1080
socks5 proxy3.com 1080
# Exit node (proxy3) sees connection from proxy2, not you — but it still sees the destination and any unencrypted payload, so every added hop is also another party you have to trust
# Simple tests to verify working:
proxychains4 curl https://ifconfig.me
# Should return proxy's IP, not your real IP

proxychains4 curl https://check.torproject.org
# Shows if using Tor
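# Hybrid setup: Tor with an SSH tunnel as backup
# NOTE(review): dynamic_chain is not a failover mode. Every reachable entry
# below is used as a hop in order, so with both services up the first hop
# (Tor) is asked to connect on to 127.0.0.1:9051 — an address interpreted at
# the far end of that hop (a Tor exit), not on this machine — which fails.
# Keep a single entry here, or keep two config files and pick one with
# `proxychains4 -f`.
dynamic_chain

tcp_read_time_out 15000
tcp_connect_time_out 8000
proxy_dns

[ProxyList]
# Comments stay on their own lines: a trailing "# ..." on an entry line risks
# being parsed as the user/password fields
# Tor
socks5 127.0.0.1 9050
# SSH tunnel backup
socks5 127.0.0.1 9051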
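# For penetration testing internal systems
strict_chain
proxy_dns
tcp_read_time_out 20000
tcp_connect_time_out 10000

[ProxyList]
# Comment kept on its own line: an entry is parsed as whitespace-separated
# "type host port [user password]" fields, so a trailing "# ..." risks being
# taken as credentials
# Compromised internal box
socks4a 10.0.1.50 1080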
# Spread traffic across regions
# Each connection draws its proxies at random from the list; proxychains-ng's
# sample config pairs random_chain with chain_len to set how many entries form
# one chain — set it deliberately, since with more than one hop the later proxy
# must be reachable from the earlier one
random_chain
proxy_dns

[ProxyList]
socks5 proxy-us.example.com 1080
socks5 proxy-eu.example.com 1080
socks5 proxy-asia.example.com 1080
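# Corporate proxy first, then anonymization
# NOTE(review): in a chain the second entry is connected to BY the first, so
# "socks5 127.0.0.1 9050" here asks corporate-proxy.corp to reach port 9050
# on its own loopback, not the Tor instance on this host. To route Tor through
# the corporate proxy, configure Tor itself to use it (torrc HTTPSProxy) and
# list only Tor's SOCKS port here.
strict_chain
proxy_dns

[ProxyList]
# Credentials sit in clear text in this file — restrict its permissions.
# The doubled backslash is presumably passed literally; confirm with the proxy.
# Comments stay on their own lines so they cannot be parsed as credentials.
http corporate-proxy.corp 8080 domain\\user password
# Tor through corporate proxy
socks5 127.0.0.1 9050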
# Tunnel through compromised box into internal network
ssh -D 9050 attacker@compromised-box -f -N
proxychains4 nmap -sT -sV 192.168.x.0/24
proxychains4 ssh internal-admin@database-server
# Multi-layer anonymization
# 1. Start Tor: tor --socks-port 9050
# 2. proxychains.conf with Tor
proxychains4 curl https://check.torproject.org
# 3. Verify anonymity
# Test from specific network location
# 1. Create SOCKS tunnel from that location
# 2. Use proxychains locally to test from there
proxychains4 curl https://internal-app.corp
# Access internal database through bastion host
ssh -D 9050 user@bastion -f -N
proxychains4 psql -h internal-db.corp -U dbuser -d database
proxychains4 mysql -h internal-db.corp -u root