FortiProxy
FortiProxy provides enterprise-class protection against internet-borne threats and Advanced Web Content Caching
duenlim
Staff
Article Id 322509
Description This article describes the packet flows and debug log for Telnet over SOCKS 5 Proxy.
Scope FortiProxy.
Solution
  • Configurations:

 

config web-proxy explicit-proxy
    edit "web-proxy"
        set status enable
        set interface "port2"
        set socks enable
        set http-incoming-port 8080
        set https-incoming-port 8080
        set socks-incoming-port 15900
        set incoming-ip 0.0.0.0 (Can be Interface IP address)
    next
end

 

config firewall policy
    edit 1
        set type explicit-web
        set name "InternetAccess"
        set dstintf "port1" "port3" "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "webproxy"
        set explicit-web-proxy "web-proxy"
        set utm-status enable
        set logtraffic all
        set log-http-transaction all
        set ssl-ssh-profile "certificate-inspection"
    next
end

 

  • Traffic flows:

Client 10.176.2.144 -> SOCKS Proxy 10.176.2.91:15900 -> Telnet Server 10.176.2.173.

 

  • Packet flows:

No. Time Source Src Port Destination Dst Port Protocol Length TCP Segment Len Info
1 0.000000 10.176.2.144 24221 10.176.2.91 15900 TCP 66 0 24221 → 15900 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM
2 0.000269 10.176.2.91 15900 10.176.2.144 24221 TCP 66 0 15900 → 24221 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 SACK_PERM WS=1024
3 0.000643 10.176.2.144 24221 10.176.2.91 15900 TCP 60 0 24221 → 15900 [ACK] Seq=1 Ack=1 Win=262656 Len=0
4 0.048166 10.176.2.144 24221 10.176.2.91 15900 Socks 60 3 Version: 5 Connect to server request
> Socks Protocol
Version: 5
Client Authentication Methods
5 0.000087 10.176.2.91 15900 10.176.2.144 24221 TCP 54 0 15900 → 24221 [ACK] Seq=1 Ack=4 Win=65536 Len=0
6 0.000225 10.176.2.91 15900 10.176.2.144 24221 Socks 56 2 Version: 5 Connect to server response
> Socks Protocol
Version: 5
Accepted Auth Method: 0x0 (No authentication)
7 0.019957 10.176.2.144 24221 10.176.2.91 15900 Socks 73 19 Version: 5 Command Request - Connect
> Socks Protocol
Version: 5
Command: Connect (1)
Reserved: 0
Address Type: Domain Name (3)
Remote name: 10.176.2.173
Port: 23
8 0.000000 10.176.2.91 51890 10.176.2.173 23 TCP 74 0 51890 → 23 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM TSval=3655116814 TSecr=0 WS=1024
9 0.000989 10.176.2.173 23 10.176.2.91 51890 TCP 74 0 23 → 51890 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM TSval=2060425598 TSecr=3655116814 WS=8192
10 0.000040 10.176.2.91 51890 10.176.2.173 23 TCP 66 0 51890 → 23 [ACK] Seq=1 Ack=1 Win=65536 Len=0 TSval=3655116815 TSecr=2060425598

11 0.001677 10.176.2.91 15900 10.176.2.144 24221 Socks 64 10 Version: 5 Command Response - Connect
> Socks Protocol
Version: 5
Results(V5): Succeeded (0)
Reserved: 0
Address Type: IPv4 (1)
Remote Address: 10.176.2.91
Port: 51890

12 0.005487 10.176.2.144 1080 10.176.2.91 15900 TELNET 75 21 Telnet Data ...
13 0.005644 10.176.2.91 51890 10.176.2.173 23 TELNET 87 21 Telnet Data ...
14 0.000211 10.176.2.173 23 10.176.2.91 51890 TCP 66 0 23 → 51890 [ACK] Seq=1 Ack=22 Win=32768 Len=0 TSval=2060425604 TSecr=3655116821

 

Note: Packets 1 to 6 are the TCP 3-way handshake and the client greeting. Packets 7 to 11 are the server choices.
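The four SOCKS 5 messages in the capture (packets 4, 6, 7 and 11) can be decoded with a short parser. This is an added example, not code from the article or from Fortinet; the payload bytes are rebuilt from the dissected fields and segment lengths shown above (3, 2, 19 and 10 bytes), and the single offered method 0x00 is inferred from the 3-byte greeting and the accepted method.

```python
import ipaddress
import struct

def parse_greeting(data):
    """Client greeting: VER, NMETHODS, METHODS. Returns the offered method codes."""
    if len(data) < 2 or data[0] != 5 or len(data) != 2 + data[1]:
        raise ValueError("malformed SOCKS5 greeting")
    return list(data[2:])

def parse_selection(data):
    """Server method selection: VER, METHOD. Returns the selected method code."""
    if len(data) != 2 or data[0] != 5:
        raise ValueError("malformed SOCKS5 method selection")
    return data[1]

def parse_addr_msg(data):
    """Request or reply: VER, CMD/REP, RSV, ATYP, ADDR, PORT -> (code, atyp, addr, port)."""
    if len(data) < 5 or data[0] != 5 or data[2] != 0:
        raise ValueError("malformed SOCKS5 request/reply header")
    code, atyp = data[1], data[3]
    if atyp == 1:                                   # IPv4, 4 bytes
        addr, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == 3:                                 # length-prefixed name
        end = 5 + data[4]
        addr, rest = data[5:end].decode("ascii"), data[end:]
    elif atyp == 4:                                 # IPv6, 16 bytes
        addr, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    else:
        raise ValueError("unknown address type %d" % atyp)
    if len(rest) != 2:                              # exactly one 16-bit port must remain
        raise ValueError("truncated or oversized message")
    return code, atyp, addr, struct.unpack("!H", rest)[0]

# Payloads rebuilt from the dissected fields above (constructed, not raw capture bytes).
GREETING = bytes([5, 1, 0])                                                  # packet 4
SELECTION = bytes([5, 0])                                                    # packet 6
REQUEST = bytes([5, 1, 0, 3, 12]) + b"10.176.2.173" + struct.pack("!H", 23)  # packet 7
REPLY = (bytes([5, 0, 0, 1]) + ipaddress.IPv4Address("10.176.2.91").packed
         + struct.pack("!H", 51890))                                         # packet 11

def summarize():
    cmd, atyp, dst, dport = parse_addr_msg(REQUEST)
    rep, _, bnd, bport = parse_addr_msg(REPLY)
    return {"offered": parse_greeting(GREETING), "selected": parse_selection(SELECTION),
            "command": cmd, "atyp": atyp, "dst": (dst, dport),
            "reply": rep, "bound": (bnd, bport)}
```

The decoded request shows the client sending the IP address as a string in the Domain Name field (address type 3), and the selected method 0x00 means the proxy accepted the session without SOCKS-level authentication.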

 

  • Wad debug log:


diag wad filter clear
diag wad filter src <x.x.x.x>
diagnose wad debug enable category socks
diagnose wad debug enable level info
diag debug en

 

[I][p:1053][s:1735046410] wad_socks_client_read_sync :3268 ss=0x7fb11beaa548 port=0x7fb11ba4c048
[I][p:1053][s:1735046410] wad_socks_detect_version :3194 ss=0x7fb11beaa548
[I][p:1053][s:1735046410] __wad_socks_auth_result_proc :1423 auth notify: ss=0x7fb11beaa548 auth-state=user pid=1053.
[I][p:1053][s:1735046410] wad_socks_skip_auth_method_ver :3149 ss=0x7fb11beaa548
[I][p:1053][s:1735046410] wad_socks_skip_auth_methods :3172 ss=0x7fb11beaa548
[I][p:1053][s:1735046410] wad_socks_auth_method_response :3072 ss=0x7fb11beaa548 scheme=Unknown socks_method=0x00
[I][p:1053][s:1735046410] wad_socks_client_read_buff :3244 ss=0x7fb11beaa548 port=0x7fb11ba4c048
[I][p:1053][s:1735046410] wad_socks_client_read_sync :3268 ss=0x7fb11beaa548 port=0x7fb11ba4c048
[I][p:1053][s:1735046410] wad_socks_proc_v5_req_hdr :2988 ss=0x7fb11beaa548
[I][p:1053][s:1735046410] wad_socks_proc_v5_connect :2313 ss=0x7fb11beaa548
[I][p:1053][s:1735046410] wad_socks_policy_set :1932 match policy-id=1(pol_ctx:mx|A|7?h|=d) vd=0:0(ses_ctx:x|Phx|Mde|Hf|C|A7|O) pid=1053 out_if=4 user= (anony:1) 10.176.2.144:25213 -> 10.176.2.173:23 av_idx=0
[V][p:1053][s:1735046410] wad_socks_connect :1610 0.0.0.0:0(type=use-gateway set=0) => 10.176.2.173:23(type=0)
[V][p:1053][s:1735046410] __wad_socks_tcp_connect :1980 session=0x7fb11c1b9b28 client=0x7fb11ba4c048 tcp_port=0x7fb11ba4c2f8 ctx=0x7fb11dc53e38
[I][p:1053][s:1735046410] wad_socks_send_v5_resp :1183 ss=0x7fb11beaa548 resp_code=0
[I][p:1053][s:1735046410] wad_socks_port_close :3291 ss=0x7fb11beaa548 state=3
[I][p:1053][s:1735046410] wad_socks_session_free :1246 session=0x7fb11beaa548
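
The debug output above can be reduced to one record per session for review, tying it back to the capture: socks_method=0x00 is the accepted authentication method, policy-id=1 is the explicit-web policy, and resp_code=0 is the Succeeded reply. This is an added example, not Fortinet tooling; the sample lines are copied from the log above, and grouping by the `s:` field and the helper names are assumptions made for illustration.

```python
import re

LINE = re.compile(r"^\[(?P<lvl>\w)\]\[p:(?P<pid>\d+)\]\[s:(?P<sid>\d+)\]\s+"
                  r"(?P<func>\w+)\s+:(?P<line>\d+)\s*(?P<msg>.*)$")
FLOW = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)")

# Lines copied from the WAD debug output in the article.
SAMPLE = """
[I][p:1053][s:1735046410] wad_socks_auth_method_response :3072 ss=0x7fb11beaa548 scheme=Unknown socks_method=0x00
[I][p:1053][s:1735046410] wad_socks_proc_v5_connect :2313 ss=0x7fb11beaa548
[I][p:1053][s:1735046410] wad_socks_policy_set :1932 match policy-id=1(pol_ctx:mx|A|7?h|=d) vd=0:0(ses_ctx:x|Phx|Mde|Hf|C|A7|O) pid=1053 out_if=4 user= (anony:1) 10.176.2.144:25213 -> 10.176.2.173:23 av_idx=0
[I][p:1053][s:1735046410] wad_socks_send_v5_resp :1183 ss=0x7fb11beaa548 resp_code=0
[I][p:1053][s:1735046410] wad_socks_session_free :1246 session=0x7fb11beaa548
"""

def summarize(text):
    """Return {s-field: record} with the auth method, policy, flow and reply code."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                                  # skip anything that is not a WAD line
        rec = sessions.setdefault(m["sid"], {"calls": []})
        rec["calls"].append(m["func"])                # keep the function sequence in order
        msg = m["msg"]
        if (v := re.search(r"socks_method=0x([0-9a-fA-F]+)", msg)):
            rec["method"] = int(v[1], 16)
        if (v := re.search(r"policy-id=(\d+)", msg)):
            rec["policy_id"] = int(v[1])
        if (v := FLOW.search(msg)):
            rec["src"], rec["dst"] = (v[1], int(v[2])), (v[3], int(v[4]))
        if (v := re.search(r"resp_code=(\d+)", msg)):
            rec["resp_code"] = int(v[1])
    return sessions

def unauthenticated_telnet(rec):
    """True when the session used SOCKS method 0x00 and targets TCP port 23."""
    return rec.get("method") == 0 and rec.get("dst", (None, None))[1] == 23
```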