
proxychains-ng

Installation

Linux (Debian/Ubuntu)

sudo apt-get update
sudo apt-get install proxychains-ng

Linux (RHEL/CentOS/Fedora)

sudo yum install proxychains-ng
# or
sudo dnf install proxychains-ng

macOS

# Homebrew
brew install proxychains-ng

# MacPorts
sudo port install proxychains-ng

From Source

git clone https://github.com/rofl0r/proxychains-ng.git
cd proxychains-ng
./configure --prefix=/usr/local
make
sudo make install

Verify Installation

proxychains4    # with no arguments, prints the usage text (-q and -f are the only options)
which proxychains4

Configuration File

Default Location

# System-wide config
/etc/proxychains.conf
/etc/proxychains4.conf

# User config (overrides system)
~/.proxychains/proxychains.conf

# Custom location
proxychains4 -f /path/to/config command

Basic Configuration Structure

# Sample proxychains.conf structure:

# Quiet mode: suppress proxychains' own output (comment out for verbose)
quiet_mode

# Chain type settings
strict_chain
# dynamic_chain
# random_chain

# TCP read and connect timeouts (milliseconds)
tcp_read_time_out 15000
tcp_connect_time_out 8000

# Proxy list
[ProxyList]
socks5 127.0.0.1 1080
socks4 192.168.1.100 1080
http 10.0.0.5 8080

Minimal Working Config

# Create ~/.proxychains/proxychains.conf
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000

[ProxyList]
socks5 localhost 9050

Proxy Types & Configuration

SOCKS5

# Default Tor or SSH tunnel target
socks5 127.0.0.1 9050
socks5 10.0.0.100 1080

# With authentication (username and password as two space-separated fields)
socks5 127.0.0.1 1080 username password

SOCKS4 / SOCKS4A

# SOCKS4 (basic)
socks4 192.168.1.1 1080

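# SOCKS4A (DNS through proxy): proxychains-ng has no separate socks4a keyword;
# its sample config lists http, socks4, socks5 and raw. Use a socks4 entry
# together with proxy_dns so the hostname is handed to the proxy.
socks4 192.168.1.1 1080 user password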

HTTP / HTTPS Proxies

# HTTP proxy
http 10.0.0.1 8080

# HTTP with auth
http 10.0.0.1 8080 username password

# HTTPS (treated same as HTTP)
http 10.0.0.2 3128 user pass

Mixed Proxy Configuration

[ProxyList]
# Tor SOCKS5
socks5 127.0.0.1 9050

# SSH tunnel SOCKS4
socks4 localhost 9999

# HTTP corporate proxy
http 10.0.0.5 8080 domain\\username password

Chain Types

strict_chain

# Enforce chain order - each proxy must work
# Format: Client -> Proxy1 -> Proxy2 -> Proxy3 -> Target
# Failure if any proxy is down

strict_chain

[ProxyList]
socks5 proxy1.com 1080
socks5 proxy2.com 1080
socks5 proxy3.com 1080

dynamic_chain

# Skip dead proxies, use working ones in order
# Format: Client -> Working Proxies -> Target

dynamic_chain

[ProxyList]
socks5 proxy1.com 1080
socks5 proxy2.com 1080
socks5 proxy3.com 1080
# If proxy2 is down, proxy1 -> proxy3 is used

round_robin_chain

# Distribute connections across proxies
# Useful for load balancing

round_robin_chain

[ProxyList]
socks5 proxy1.com 1080
socks5 proxy2.com 1080
socks5 proxy3.com 1080
# Connection 1 uses proxy1, 2 uses proxy2, 3 uses proxy3

random_chain

# Randomize proxy order for each connection
# Varies traffic patterns

random_chain

[ProxyList]
socks5 proxy1.com 1080
socks5 proxy2.com 1080
socks5 proxy3.com 1080
# Each connection randomly selects chain order
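
The four chain types compared side by side, as an added example that is not part of the original cheat sheet or of the proxychains-ng code: a simplified Python model that only selects hops and opens no sockets. The `build_chain` function, its `chain_len` and `start` parameters and the `alive` set are assumptions made for illustration.

```python
import random

PROXIES = ["proxy1.com", "proxy2.com", "proxy3.com"]  # same list as the configs above

def build_chain(mode, proxies, alive, chain_len=1, start=0, rng=random):
    """Pick the hops one connection would use; returns (chain or None, next_start).

    Simplified model for illustration: it opens no sockets and treats `alive`
    (an assumed set of reachable proxies) as ground truth.
    """
    live = [p for p in proxies if p in alive]
    if mode == "strict_chain":
        # Every listed proxy is used in order; one dead proxy breaks the chain.
        return (list(proxies) if len(live) == len(proxies) else None), start
    if mode == "dynamic_chain":
        # Dead proxies are skipped; the rest keep their list order.
        return (live or None), start
    if mode == "random_chain":
        # chain_len proxies drawn at random from the reachable ones.
        return (rng.sample(live, chain_len) if len(live) >= chain_len else None), start
    if mode == "round_robin_chain":
        # Continue from where the previous connection stopped, skipping dead proxies.
        chain, i = [], start
        for _ in range(len(proxies)):
            candidate = proxies[i % len(proxies)]
            i += 1
            if candidate in alive:
                chain.append(candidate)
            if len(chain) == chain_len:
                return chain, i % len(proxies)
        return None, start
    raise ValueError(f"unknown chain type: {mode}")

def compare(alive):
    """Chain chosen by the two ordered modes for the same set of reachable proxies."""
    return {m: build_chain(m, PROXIES, alive)[0] for m in ("strict_chain", "dynamic_chain")}

if __name__ == "__main__":
    print(compare({"proxy1.com", "proxy3.com"}))  # proxy2 is down
    start = 0
    for n in range(1, 4):
        chain, start = build_chain("round_robin_chain", PROXIES, set(PROXIES), start=start)
        print("connection", n, "->", chain)
```
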

DNS Resolution

Proxy DNS Queries

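# Enable proxy_dns so hostname lookups made by the wrapped program go through the chain (prevents DNS leaks)
proxy_dns

# Covers lookups made through the libc resolver, e.g. curl http://target.com
# Tools that send their own UDP queries (nslookup, dig) are not covered: proxychains carries TCP only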

Disable proxy_dns (Use Local)

# Comment out the proxy_dns line:
# proxy_dns

# DNS queries use local resolver (may leak queries)

DNS Configuration Example

# In proxychains.conf
proxy_dns

# No nameserver setting is needed (proxychains.conf has none):
# with proxy_dns the hostname is passed down the chain and resolved at the far end
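
A quick audit of the settings covered so far (chain type, proxy_dns, proxy types, inline credentials), as an added example that is not part of the original cheat sheet or of the proxychains-ng project. The `lint` function, its messages and the sample config are constructed for illustration; the accepted proxy types are the ones named in the sample configuration file proxychains-ng ships.

```python
CHAIN_TYPES = {"strict_chain", "dynamic_chain", "random_chain", "round_robin_chain"}
PROXY_TYPES = {"http", "socks4", "socks5", "raw"}  # types named in the stock proxychains.conf

# Constructed sample for illustration; hosts and credentials are made up.
SAMPLE = """\
strict_chain
dynamic_chain
# proxy_dns
tcp_read_time_out 15000
[ProxyList]
socks5 127.0.0.1 9050
socks4a 10.0.1.50 1080
http 10.0.0.5 8080 svc_user example-password
"""

def lint(text):
    """Return (line_number, message) findings; line 0 means a file-level finding.

    Assumption: '#' starts a comment anywhere on a line, as in this page's samples.
    """
    findings, chains, proxies = [], [], 0
    proxy_dns = in_list = False
    for number, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "[ProxyList]":
            in_list = True
        elif not in_list:
            if fields[0] in CHAIN_TYPES:
                chains.append(number)
            proxy_dns = proxy_dns or fields[0].startswith("proxy_dns")
        else:
            proxies += 1
            if fields[0] not in PROXY_TYPES:
                findings.append((number, f"unknown proxy type {fields[0]!r}"))
            if len(fields) < 3 or not fields[2].isdigit():
                findings.append((number, "expected: type host port [user pass]"))
            elif len(fields) > 3:
                findings.append((number, "cleartext credentials: keep the file mode 0600"))
    for number in chains[1:]:
        findings.append((number, "more than one chain type is enabled"))
    if not proxy_dns:
        findings.append((0, "proxy_dns is off: names resolve locally (DNS leak)"))
    if not proxies:
        findings.append((0, "no proxies listed under [ProxyList]"))
    return sorted(findings)

if __name__ == "__main__":
    for number, message in lint(SAMPLE):
        print(f"line {number}: {message}")
```
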

Basic Usage

Syntax

proxychains4 [options] [command] [arguments]

Common Options

proxychains4                       # No arguments: print usage (there is no -h or -v option)
proxychains4 -f config.conf cmd    # Use custom config
proxychains4 -q command            # Quiet mode

Run Single Command

# Browse web through proxy
proxychains4 curl http://example.com

# SSH through proxy
proxychains4 ssh user@target.com

# Port scan with nmap
proxychains4 nmap -sV target.com

# Git operations
proxychains4 git clone https://github.com/user/repo.git

Port Forwarding

proxychains4 nc -l -p 8888 -c 'nc target.com 80'

REPL / Interactive

proxychains4 bash
# Now all commands in shell use proxy

curl http://ifconfig.me
wget http://example.com
ssh user@target.com
# etc

SSH Tunnel Pivoting

Create SSH Tunnel

# Local SOCKS5 tunnel through SSH
ssh -D 9050 -f -C -q -N user@pivot-host

# Breakdown:
# -D 9050        Bind SOCKS5 to local port 9050
# -f             Background process
# -C             Enable compression
# -q             Quiet mode
# -N             Don't execute commands

Configure proxychains for SSH Tunnel

# In proxychains.conf
[ProxyList]
socks5 127.0.0.1 9050

# Use:
proxychains4 ssh user@internal-host
proxychains4 nmap internal-network

Multi-Hop SSH Tunnel

# Pivot through multiple servers
ssh -D 9050 -J user1@jump1:22 user2@jump2 -f -N

# Or through two jump hosts (-J is ProxyJump, OpenSSH 7.3+)
ssh -D 9050 -J user1@jump1,user2@jump2 user3@target -f -N

# proxychains.conf
[ProxyList]
socks5 127.0.0.1 9050

Tor Integration

Install Tor

# Ubuntu/Debian
sudo apt-get install tor

# Start Tor
sudo systemctl start tor
sudo systemctl enable tor

# Or run locally
tor --socks-port 9050

Configure for Tor

# In proxychains.conf
[ProxyList]
socks5 127.0.0.1 9050

# Use Tor for anonymous browsing
proxychains4 curl https://check.torproject.org
proxychains4 wget https://example.com

Tor with Authentication

# If Tor requires auth (rare)
socks5 127.0.0.1 9050 username password

# Usually:
socks5 127.0.0.1 9050

Change Tor Identity

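# Rotate Tor exit node
# Needs ControlPort 9051 enabled in torrc; the control port rejects commands until AUTHENTICATE succeeds.
# <control-password> is a placeholder for the password set via HashedControlPassword.
printf 'AUTHENTICATE "<control-password>"\r\nSIGNAL NEWNYM\r\nQUIT\r\n' | nc localhost 9051

# Or with socat:
printf 'AUTHENTICATE "<control-password>"\r\nSIGNAL NEWNYM\r\nQUIT\r\n' | socat - TCP:localhost:9051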

# Then make new requests:
proxychains4 curl https://ifconfig.me

Wrapping Tools with proxychains

Nmap Scanning

# Basic scan through proxy
proxychains4 nmap -sV target.com

# SYN scan (requires sudo): raw-socket probes are not intercepted by proxychains, so they do not go through the proxy
sudo proxychains4 nmap -sS target.com

# TCP connect scan (reliable through proxies)
proxychains4 nmap -sT target.com

# Scan internal network
proxychains4 nmap -sV 192.168.1.0/24

Web Tools

# curl
proxychains4 curl -I https://example.com
proxychains4 curl -X POST -d 'data' https://api.example.com

# wget
proxychains4 wget https://example.com/file.zip

# curl with custom headers
proxychains4 curl -H "Authorization: Bearer token" https://api.example.com

Git Operations

# Clone repository
proxychains4 git clone https://github.com/user/repo.git

# Fetch updates
cd repo && proxychains4 git fetch origin

# Push changes
proxychains4 git push origin main

SSH Operations

# SSH connection
proxychains4 ssh user@target.com

# SSH key-based auth
proxychains4 ssh -i ~/.ssh/id_rsa user@target.com

# SCP copy
proxychains4 scp file.txt user@target.com:/home/user/

# SFTP
proxychains4 sftp user@target.com

DNS Tools

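# nslookup (sends UDP by default, which proxychains does not carry)
proxychains4 nslookup example.com

# dig (+tcp so the query is a TCP connection that can be proxied)
proxychains4 dig +tcp @8.8.8.8 example.com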

# whois
proxychains4 whois example.com

Network Tools

# netcat
proxychains4 nc -v target.com 80

# telnet
proxychains4 telnet target.com 23

# tcpdump (may have issues through proxy)
# Can't directly proxy packet capture

Advanced Pivoting Techniques

Chain Configuration for Multi-Level Pivoting

# Three-level pivot: You -> Proxy1 -> Proxy2 -> Proxy3 -> Target
strict_chain

[ProxyList]
socks5 10.0.1.100 1080    # First compromised box
socks5 10.0.2.50 1080     # Through first box (or tunnel)
socks5 10.0.3.200 1080    # Through second box (or tunnel)

Combining SSH Tunnels

# Tunnel 1: Local -> Pivot1
ssh -D 9050 user@pivot1 -f -N

# From pivot1 to pivot2, create another tunnel (in remote shell)
# Then on local: forward port to that tunnel
# Finally in proxychains:
[ProxyList]
socks5 127.0.0.1 9050

Dynamic SSH Port Forwarding Chain

# Terminal 1: First hop
ssh -D 9050 user@host1 -f -N

# Terminal 2: SSH through first proxy to second host
proxychains4 ssh -D 9051 user@host2 -f -N

# Terminal 3: Configure proxychains for second proxy
# Edit config to use:
# [ProxyList]
# socks5 127.0.0.1 9051

# Use final chain:
proxychains4 nmap internal-network

Troubleshooting

Check Proxy Connectivity

# Test if SOCKS5 proxy works
proxychains4 curl -I https://google.com

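# Test with verbose output (the verbose flag belongs to curl; proxychains4 only takes -q and -f)
proxychains4 curl -v https://google.com
# Watch the [proxychains] lines: each hop is listed, ending in OK when the chain connects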

DNS Leaks

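# Check if DNS queries leak
proxychains4 nslookup whoami.akamai.net
# Should return through proxy, not local DNS
# Caveat: nslookup sends its own UDP query, which proxychains does not carry,
# so a local answer here does not prove that other proxied tools leak

# If leaking, verify proxy_dns is enabled (uncommented) in config
grep '^proxy_dns' /etc/proxychains4.conf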

Timeout Issues

# Increase read/write timeouts in config
tcp_read_time_out 15000   # milliseconds
tcp_connect_time_out 8000

# Increase for slow/distant proxies
tcp_read_time_out 30000
tcp_connect_time_out 15000

Authentication Failures

# For SOCKS5 with auth:
socks5 proxy.com 1080 username password

# Verify credentials in config
# Make sure username/password match proxy requirements

# Test connection:
proxychains4 curl https://example.com -v

Chain Type Issues

# If using strict_chain and proxy fails:
# Switch to dynamic_chain to skip dead proxies

# Before:
strict_chain

# After:
dynamic_chain

# Or use random_chain for variety
random_chain

Port Already in Use

# If SSH tunnel port is taken
lsof -i :9050
kill -9 <PID>

# Or use different port:
ssh -D 9051 user@host -f -N
# Update proxychains.conf: socks5 127.0.0.1 9051

Performance Optimization

Connection Pooling

# Use dynamic_chain to reuse working proxies
dynamic_chain

# Multiple connections may share proxy paths

Compression

# Enable SSH compression in tunnel
ssh -D 9050 -C user@host -f -N

# Reduces bandwidth through slow links

Parallel Requests

# For tools supporting parallel:
proxychains4 nmap -p- --min-parallelism 10 target.com

# Check tool documentation for parallel options

Caching DNS

# If using dynamic_chain with proxy_dns:
# proxychains4 will cache DNS results within session
# Reduces DNS query overhead

Security Considerations

Proxy Selection

# Use trusted proxies only
# Proxies can log traffic

# Best practice: Use own infrastructure
# Compromised boxes you control
# Commercial VPN (SOCKS5 endpoint)
# Tor network (distributed)

Traffic Encryption

# SOCKS5 doesn't encrypt by default
# Use HTTPS to encrypt traffic

proxychains4 curl https://example.com  # Encrypted
# vs
proxychains4 curl http://example.com   # Not encrypted through proxy

# For SSH: Use SOCKS5 over SSH tunnel for double encryption

Proxy Chain Anonymity

# Longer chains = harder to trace origin

strict_chain
[ProxyList]
socks5 proxy1.com 1080
socks5 proxy2.com 1080
socks5 proxy3.com 1080
# Exit node (proxy3) sees connection from proxy2, not you

Detecting Proxy Usage

# Simple tests to verify working:
proxychains4 curl https://ifconfig.me
# Should return proxy's IP, not your real IP

proxychains4 curl https://check.torproject.org
# Shows if using Tor

Configuration Examples

Tor + SSH Tunnel Fallback

# Hybrid setup: Try Tor first, fallback to SSH tunnel
dynamic_chain

tcp_read_time_out 15000
tcp_connect_time_out 8000
proxy_dns

[ProxyList]
socks5 127.0.0.1 9050    # Tor
socks5 127.0.0.1 9051    # SSH tunnel backup

Internal Network Pivoting

# For penetration testing internal systems
strict_chain
proxy_dns
tcp_read_time_out 20000
tcp_connect_time_out 10000

[ProxyList]
socks4 10.0.1.50 1080    # Compromised internal box (socks4a is not a proxychains-ng type keyword)

Multi-Region Distribution

# Spread traffic across regions
random_chain
proxy_dns

[ProxyList]
socks5 proxy-us.example.com 1080
socks5 proxy-eu.example.com 1080
socks5 proxy-asia.example.com 1080

Corporate Network + Anonymization

# Corporate proxy first, then anonymization
strict_chain
proxy_dns

[ProxyList]
http corporate-proxy.corp 8080 domain\\user password
socks5 127.0.0.1 9050   # Tor through corporate proxy

Common Use Cases

Red Team Pivoting

# Tunnel through compromised box into internal network
ssh -D 9050 attacker@compromised-box -f -N
proxychains4 nmap -sT -sV 192.168.x.0/24
proxychains4 ssh internal-admin@database-server

Traffic Anonymization

# Multi-layer anonymization
# 1. Start Tor: tor --socks-port 9050
# 2. proxychains.conf with Tor
proxychains4 curl https://check.torproject.org
# 3. Verify anonymity

Endpoint Testing

# Test from specific network location
# 1. Create SOCKS tunnel from that location
# 2. Use proxychains locally to test from there
proxychains4 curl https://internal-app.corp

Database Access Through Bastion

# Access internal database through bastion host
ssh -D 9050 user@bastion -f -N
proxychains4 psql -h internal-db.corp -U dbuser -d database
proxychains4 mysql -h internal-db.corp -u root