Hunting Open Proxy Servers with KALI Linux

Hunting Open Proxy Servers with KALI Linux

It’s a matter of trust – to use your regular internet connection or even a proxy provider. Who’s behind the proxy company? Can you really trust them? Well. For the paranoid among us: here’s a guide how to find your own proxies!


Scanning for Proxies

Basically, the scanning is done by Nmap. Of course we need to add a few extra parameters to make the scanning process fast and performant, since you are not going to scan all ports of a target machine. We focus on the well know ports for Socks5 proxies in this article!
The basic Nmap command is:

nmap -sS -p 1080 -n -PN

Randomization to find the Proxies

Since we cannot try millions of IP-Addresses by hand, let’s use the randomization feature -iR of Nmap. That one is powerful. Example: -iR 5000 means to check 5000 randomized IP-Addresses! You can already give it a try. We also add the option –open to Nmap, since we only interested in machines which have a (potentially) proxy server running on port 1080:

nmap -sS -p 1080 -n -PN --open -iR 5000

Proxy found? Automatic check inclusive!

To verify our potentials proxies, we are using a NSE Script with verifies the Socks5-Proxy on the fly. The right option is –script=socks-open-proxy. Here’s our new syntax:

nmap -sS -p 1080 -n -PN --open --script=socks-open-proxy -iR 5000


More speed required?

Let’s add a couple of speeding options. –min-parallelism, -T 4 (or -T 5) and –max-retries. Here we go:

nmap -sS -p 1080 -n -PN --open --min-parallelism 500 -T4 --max-retries 1 \
–script socks-open-proxy -iR 5000

Be warned. This might crash your DSL line, since we trigger 500 scans on 5000 random hosts per second! It’s fast though 😉

Commercial Proxy Provider

You are looking for a commercial proxy vendor? I found MyPrivateProxies (MPP) the very best. I am running a patch of 11 proxies there, which actually pays off completely for SEO and Search Engine affairs. Here’s the LINK 


About Me

In the past 16 years I offer my services as professional penetration tester to various customers all around the world. I offer simulated Advanced Persistent Treat (APT) attacks as well. Feel free to contact me for more details about my services.

Be the first to comment

Leave a Reply

Your email address will not be published.