The right way to proxy .NET tools through SOCKS proxies

1 minute read

Scenario: You’re on a red team engagement and want to execute .NET utilites in your Beacon but need to increase your chances at evasion and opsec. You obviously can’t touch execute-assembly or similar utilities. You tried BOF.NET but sometimes the Beacon gets killed, or maybe you’re hesitant to try BOF.NET at all (I’ve been there).

Instead, why not proxy your .NET tools through a SOCKS proxy using Proxifier on Windows? There are many required configurations for Proxifier and it doesn’t always work as expected in my experience, or its not always clear unless you dive into documentation. So I wanted to make a single point of reference on how to properly proxy .NET tools through Proxifier from a Windows host.

Here are the steps required to configure Proxifier on your Windows system:

  1. Open Proxifier. Go to Profile -> Advanced -> Services and Other users -> Check the button “Windows services and other system processes” and hit OK
    image

  2. Go to Profile -> Name resolution -> Check the button “Resolve hostnames through proxy” and enter in your domain names you want to resolve through Proxifier
    image

  3. Go to Profile -> Proxy servers -> Add... -> Add a new proxy server with your proxy host/port -> Click Advanced... -> Check “Use target hostname in proxy request if available
    image

  4. Next, go to Profile -> Proxification Rules... -> Add a new rule that captures ALL (Any) traffic sent to your target IPs/hostnames by adding them to the rule. I add a rule for both IP addresses and hostnames since DNS resolution doesn’t always work for me through Proxifier. For Action, be sure to select your configured SOCKS proxy server.

  • Adding a new rule to capture ALL traffic for your target IPs:
    image

  • Both IP and hostnames rules added and assigned to your SOCKS proxy:
    image

  1. Start cmd.exe or powershell.exe as your domain user: runas /netonly /user:domain.com\user powershell.exe (enter password)
    NOTE: You can also start a GUI application here (i.e. Explorer.exe or a database viewer EXE) to proxy that application which requires Windows authentication.

  2. Then use any .NET CSharp tools or any other command-ine tools in the new cmd/powershell window through your proxy! If it’s working properly you will see the tool’s executable name populate in the Proxifier window:
    image

And that’s it, you’re all set!

Updated: