Socks Bridge

Socks Bridge is a reflective DLL which can be injected into any process. It is a connector that connects to Boomerang's HTTP/HTTPS Socks Server. The socks profile is fully configurable and can be accessed by right-clicking a badger and selecting Arsenal->Socks Bridge. Socks Bridge can be used to proxy-pivot to any internal resource such as RDP, web servers or any other application.

The socks configuration can be set up to access either an HTTP or an HTTPS Socks server. I will be creating an HTTP server on port 80, but you can check the Boomerang link above to see how to start a Socks server over SSL. The Socks SSL server takes 2 more arguments, which are just the SSL certificate and the key. Once you have created the server, you can connect to it using a configuration like the one in the figure below.

The badger's console will return output displaying the exact configuration that was sent to the reflective DLL, which is injected into the newly created process that was set using set_child.

You can open the image below in a new tab to view it in detail. The top-left block displays the arguments used to start an HTTP Socks server with Boomerang, which uses port 9050 as the proxy server port and port 80 as the socks server port for the badger. The top-right part shows proxychains using remmina to socks-proxy into localhost (since, in my case, localhost is the same machine as the socks server). The bottom right shows the proxychains.conf config, pointing at localhost on port 9050, and the bottom left shows the successful RDP connection to localhost on 3389 (which is effectively our Socks Bridge DLL connecting to RDP on localhost and returning the output here).