Total Pageviews

Thursday, 18 February 2016

在mac上,安装proxychains

yudeMacBook-Air:~ brite$ brew install proxychains-ng
==> Downloading https://homebrew.bintray.com/bottles/proxychains-ng-4.10.yosemit
######################################################################## 100.0%
==> Pouring proxychains-ng-4.10.yosemite.bottle.tar.gz
Error: The `brew link` step did not complete successfully
The formula built, but is not symlinked into /usr/local
Could not symlink etc/proxychains.conf
Target /usr/local/etc/proxychains.conf
is a symlink belonging to proxychains. You can unlink it:
  brew unlink proxychains

To force the link and overwrite all conflicting files:
  brew link --overwrite proxychains-ng

To list all files that would be deleted:
  brew link --overwrite --dry-run proxychains-ng

Possible conflicting files are:
/usr/local/etc/proxychains.conf -> /usr/local/Cellar/proxychains/HEAD/etc/proxychains.conf
/usr/local/bin/proxychains4 -> /usr/local/Cellar/proxychains/HEAD/bin/proxychains4
/usr/local/lib/libproxychains4.dylib -> /usr/local/Cellar/proxychains/HEAD/lib/libproxychains4.dylib
==> Summary
  /usr/local/Cellar/proxychains-ng/4.10: 8 files, 92K
yudeMacBook-Air:~ brite$ brew link --overwrite proxychains-ng
Linking /usr/local/Cellar/proxychains-ng/4.10... 3 symlinks created
yudeMacBook-Air:~ brite$ proxychains
-bash: proxychains: command not found
yudeMacBook-Air:~ brite$ proxychains4

Usage: proxychains4 -q -f config_file program_name [arguments]
-q makes proxychains quiet - this overrides the config setting
-f allows to manually specify a configfile to use
for example : proxychains telnet somehost.com
More help in README file

yudeMacBook-Air:~ brite$
----------------

proxychains ng (new generation) - a preloader which hooks calls to sockets in dynamically linked programs and redirects it through one or more socks/http proxies. continuation of the unmaintained proxychains project. 

ProxyChains-NG ver 4.11 README
=============================

  ProxyChains is a UNIX program, that hooks network-related libc functions
  in DYNAMICALLY LINKED programs via a preloaded DLL (dlsym(), LD_PRELOAD)
  and redirects the connections through SOCKS4a/5 or HTTP proxies.
  It supports TCP only (no UDP/ICMP etc).

  The way it works is basically a HACK; so it is possible that it doesn't
  work with your program, especially when it's a script, or starts
  numerous processes like background daemons or uses dlopen() to load
  "modules" (bug in glibc dynlinker).
  It should work with simple compiled (C/C++) dynamically linked programs
  though.

  If your program doesn't work with proxychains, consider using an
  iptables based solution instead; this is much more robust.

  Supported Platforms: Linux, BSD, Mac.


*********** ATTENTION ***********

  this program can be used to circumvent censorship.
  doing so can be VERY DANGEROUS in certain countries.

  ALWAYS MAKE SURE THAT PROXYCHAINS WORKS AS EXPECTED
  BEFORE USING IT FOR ANYTHING SERIOUS.

  this involves both the program and the proxy that you're going to
  use.

  for example, you can connect to some "what is my ip" service
  like ifconfig.me to make sure that it's not using your real ip.

  ONLY USE PROXYCHAINS IF YOU KNOW WHAT YOU'RE DOING.

  THE AUTHORS AND MAINTAINERS OF PROXYCHAINS DO NOT TAKE ANY
  RESPONSIBILITY FOR ANY ABUSE OR MISUSE OF THIS SOFTWARE AND
  THE RESULTING CONSEQUENCES.

*** Installation ***

  # needs a working C compiler, preferably gcc
  ./configure --prefix=/usr --sysconfdir=/etc
  make
  [optional] sudo make install
  [optional] sudo make install-config (installs proxychains.conf)

  if you dont install, you can use proxychains from the build directory
  like this: ./proxychains4 -f src/proxychains.conf telnet google.com 80

Changelog:
----------
Version 4.11
- preliminary IPv6 support
- fixed bug in hostsreader
- preliminary support for usage on OpenBSD (caveat emptor)

Version 4.10
- fix regression in linking order with custom LDFLAGS
- fix segfault in DNS mapping code in programs with > ~400 different lookups

Version 4.9
- fix a security issue CVE-2015-3887
- add sendto hook to handle MSG_FASTOPEN flag
- replace problematic hostentdb with hostsreader
- fix compilation on OpenBSD (although doesn't work there)

Version 4.8.1:
- fix regression in 4.8 install-config Makefile target

Version 4.8:
- fix for odd cornercase where getaddrinfo was used with AI_NUMERICHOST
  to test for a numeric ip instead of resolving it (fixes nmap).
- allow usage with programs that rely on LD_PRELOAD themselves
- reject wrong entries in config file
- print version number on startup

Version 4.7:
- new round_robin chaintype by crass.
- fix bug with lazy allocation when GCC constructor was not used.
- new configure flag --fat-binary to create a "fat" binary/library on OS X
- return EBADF rather than EINTR in close hook.
  it's legal for a program to retry close() calls when they receive
  EINTR, which could cause an infinite loop, as seen in chromium.

Version 4.6:
- some cosmetic fixes to Makefile, fix a bug when non-numeric ip was
  used as proxy server address.

Version 4.5:
- hook close() to prevent OpenSSH from messing with internal infrastructure.
  this caused ssh client to segfault when proxified.

Version 4.4:
- FreeBSD port
- fixes some installation issues on Debian and Mac.

Version 4.3:
- fixes programs that do dns-lookups in child processes (fork()ed),
  like irssi. to achieve this, support for compilation without pthreads
  was sacrified.
- fixes thread safety for gethostent() calls.
- improved DNS handling speed, since hostent db is cached.

Version 4.2:
- fixes compilation issues with ubuntu 12.04 toolchain
- fixes segfault in rare codepath

Version 4.1
- support for mac os x (all archs)
- all internal functions are threadsafe when compiled with -DTHREAD_SAFE
  (default).

Version 4.0
- replaced dnsresolver script (which required a dynamically linked "dig"
  binary to be present) with remote DNS lookup.
  this speeds up any operation involving DNS, as the old script had to use TCP.
  additionally it allows to use .onion urls when used with TOR.
- removed broken autoconf build system with a simple Makefile.
  there's a ./configure script though for convenience.
  it also adds support for a config file passed via command line switches/
  environment variables.

Version 3.0
- support for DNS resolving through proxy
  supports SOCKS4, SOCKS5 and HTTP CONNECT proxy servers.
  Auth-types: socks - "user/pass" , http - "basic".

When to use it ?
1) When the only way to get "outside" from your LAN is through proxy server.
2) To get out from behind restrictive firewall which filters outgoing ports.
3) To use two (or more) proxies in chain:
 like: your_host <--> proxy1 <--> proxy2 <--> target_host
4) To "proxify" some program with no proxy support built-in (like telnet)
5) Access intranet from outside via proxy.
6) To use DNS behind proxy.
7) To access hidden tor onion services.

Some cool features:

* This program can mix different proxy types in the same chain
 like: your_host <-->socks5 <--> http <--> socks4 <--> target_host
* Different chaining options supported
 random order from the list ( user defined length of chain ).
 exact order  (as they appear in the list )
 dynamic order (smart exclude dead proxies from chain)
* You can use it with most TCP client applications, possibly even network
 scanners, as long as they use standard libc functionality.
 pcap based scanning does not work.
* You can use it with servers, like squid, sendmail, or whatever.
* DNS resolving through proxy.


Configuration:
--------------

proxychains looks for config file in following order:
1) file listed in environment variable PROXYCHAINS_CONF_FILE or
 provided as a -f argument to proxychains script or binary.
2) ./proxychains.conf
3) $(HOME)/.proxychains/proxychains.conf
4) $(sysconfdir)/proxychains.conf  **

** usually /etc/proxychains.conf

Usage Example:

 $ proxychains telnet targethost.com

in this example it will run telnet through proxy(or chained proxies)
specified by proxychains.conf

Usage Example:

 $ proxychains -f /etc/proxychains-other.conf telnet targethost2.com

in this example it will use different configuration file then proxychains.conf
to connect to targethost2.com host.

Usage Example:

 $ proxyresolv targethost.com

in this example it will resolve targethost.com through proxy(or chained proxies)
specified by proxychains.conf

Known Problems:
---------------
- newer versions of nmap try to determine the network interface to use
  even if it's not needed (like when doing simple syn scans which use the
  standard POSIX socket API. this results in errors when proxychains hands
  out an ip address to a reserved address space.
  possible workarounds: disable proxy_dns, use a numeric ip, or use nmap's
  native support for SOCKS proxies.

- Mac OS X 10.11 (El Capitan) ships with a new security feature called SIP
  that prevents hooking of system apps.
  workarounds are to partially disable SIP by issuing
  csrutil enable --without debug in recovery mode,
  or to copy the system binary into the home directory and run it from there.
  see github issue #78 for details.

- the glibc dynlinker has a bug or security feature that inhibits dlopen()ed
  modules from being subject to the same dlsym hooks as installed for the main
  program. this mainly affects scripting languages such as perl or python
  that heavily rely on dlopen() for modules written in C to work.
  there are unconfirmed reports that it works as root though.
  musl libc is unaffected from the bug.

from https://github.com/rofl0r/proxychains-ng
--------------------------------

相关帖子:http://briteming.blogspot.com/2015/10/macosproxychains.html
-----------------------------------

配置

编辑配置文件 nano /usr/local/etc/proxychains.conf
在 [ProxyList] 下面(也就是末尾)加入代理类型,代理地址和端口
例如使用 TOR 代理,注释掉原来的代理并添加
socks5  127.0.0.1 9050
如果所在的网络很复杂,可能需要在配置文件中启用
dynamic_chain - 按照列表中出现的代理服务器的先后顺序组成一条链,如果有代理服务器失效,则自动将其排除,但至少要有一个是有效的
然后在 [ProxyList] 下添加多个代理
默认是:
strict_chain - 按照后面列表中出现的代理服务器的先后顺序组成一条链,要求所有的代理服务器都是有效的

使用

proxychains4 curl twitter.com
配合 wget 和 curl 来下载,非常好用.
-------------------------------------------------------------------------------------------------------------------------------

Mac OSX系统下,通过ProxyChains-NG,实现终端下的代理


起因:
我中华大地大局域网风云变幻,目前git push git pull git clone等,单反需要访问真互联网的操作总让人痛心!痛彻心扉~~
怎么办?shadowsocks可以让我访问真互联网,但是每次命令行都会遇到一些问题,开启全局代理依然无法git 到 GitHub.怎么办?之前试过tsocks,现在,我的体验是,它只能支持wget,不能git
为了方便快捷解决这个问题,这里推荐下ProxyChains-NG,下面具体操作.
项目主页:https://github.com/rofl0r/proxychains-ng
官方说明:
proxychains ng (new generation) - a preloader which hooks calls to sockets in dynamically linked programs and redirects it through one or more socks/http proxies. continuation of the unmaintained proxychains project.

安装配置

使用 Homebrew 安装




brew install proxychains-ng
编辑配置文件 vim /usr/local/etc/proxychains.conf
[ProxyList] 下面(也就是末尾)加入代理类型,代理地址和端口
例如使用 TOR 代理,注释掉原来的代理并添加




socks5  127.0.0.1 1080
注意,这里的端口号根据你自己的决定,比如我用的shadowsocks,本地端口是1080,那这里就是1080
如果所在的网络很复杂,可能需要在配置文件中启用
dynamic_chain - 按照列表中出现的代理服务器的先后顺序组成一条链,如果有代理服务器失效,则自动将其排除,但至少要有一个是有效的
然后在 [ProxyList] 下添加多个代理
默认是:
strict_chain - 按照后面列表中出现的代理服务器的先后顺序组成一条链,要求所有的代理服务器都是有效的

使用

在命令的前面加上proxychains4即可




proxychains4 git push

OSX 10.11安装失败?

2015-12-05更新
由于 OSX 10.11 的 SIP 特性,会导致 proxychains-ng 安装失败,这里有三种解决方法:
  1. 如果是使用 brew install proxychains-ng 安装的话,由于没有写入权限,必须暂时关闭 SIP,安装成功之后再打开 SIP。具体方法见 http://osxdaily.com/2015/10/05/disable-rootless-system-integrity-protection-mac-os-x/
  2. 如果不使用 brew install 的话,可以 clone 源码自己编译安装,关键是避免安装到 usr 目录(无法写入),手动指定写入目录,如 ./configure --prefix=$HOME/.local --sysconfdir=/etc,etc 有写入权限不必修改,记得添加环境变量即可。
  3. 需要先安装 xcode7 , 然后执行 xcode-select -s /Applications/Xcode-beta.app/Contents/Developer ,就能用 brew 安装 proxychains 了,可能以后 xcode7 正式版本出来,要记得改回来。 除此之外,OSX 自带的 git,curl 等版本过低,无法支持 proxychains-ng,请手动更新版本.
------------------------
proxychains - a tool that forces any TCP connection made by any given application to follow through proxy like TOR or any other SOCKS4, SOCKS5 or HTTP(S) proxy. Supported auth-types: "user/pass" for SOCKS4/5, "basic" for HTTP.

ProxyChains ver. 4.2.0 README

Build Status
ProxyChains is a UNIX program, that hooks network-related libc functions in dynamically linked programs via a preloaded DLL and redirects the connections through SOCKS4a/5 or HTTP proxies.
Warning
this program works only on dynamically linked programs. also both proxychains and the program to call must use the same dynamic linker (i.e. same libc)

Known limitations of the current version

when a process forks, does a DNS lookup in the child, and then uses the ip in the parent, the corresponding ip mapping will not be found. this is because the fork can’t write back into the parents mapping table. IRSSI shows this behaviour, so you have to pass the resolved ip address to it. (you can use the proxyresolv script (requires "dig") to do so)
this means that you can’t currently use tor onion urls for irssi. to solve this issue, an external data store (file, pipe, …​) has to manage the dns <→ ip mapping. of course there has to be proper locking. shm_open, mkstemp, are possible candidates for a file based approach, the other option is to spawn some kind of server process that manages the map lookups. since connect() etc are hooked, this must not be a TCP server.
I am reluctant on doing this change, because the described behaviour seems pretty idiotic (doing a fork only for a DNS lookup), and irssi is currently the only known affected program.

Installation

Using release version

Proxychains-4.2.0 are available with pkgsrc to everyone using it on LinuxNetBSDFreeBSDOpenBSDDragonFlyBSD orMac OS X. You just need to install pkgsrc-wip repository and run make install in a wip/proxychains directory.
You can find out more about pkgsrc on pkgsrc and about pkgsrc-wip on Pkgsrc-wip homepage

Installing on Mac OS X with homebrew

You can install current proxychains on Mac OS X with an homebrew. You have to download unofficial homebrew formulafrom to your BREW_HOME by default /usr/local/Library/Formula/ and run
$ brew install proxychains

Running Current Source code version

# needs a working C compiler, preferably gcc
./configure
make
sudo make install

Changelog

Version (4.x) removes the dnsresolver script which required a dynamically linked "dig" binary to be present with remote DNS lookup. this speeds up any operation involving DNS, as the old script had to use TCP. additionally it allows to use .onion urls when used with TOR. also it removed the broken autoconf build system with a simple Makefile. there’s a ./configure script though for convenience. it also adds support for a config file passed via command line switches/ environment variables.
Version (3.x) introduces support for DNS resolving through proxy it supports SOCKS4, SOCKS5 and HTTP CONNECT proxy servers.
  • Auth-types
    • socks - "user/pass",
    • http - "basic"

When to use it

  • When the only way to get "outside" from your LAN is through proxy server.
  • To get out from behind restrictive firewall which filters outgoing ports.
  • To use two (or more) proxies in chain:
   like: your_host <--> proxy1 <--> proxy2 <--> target_host
  • To "proxify" some program with no proxy support built-in (like telnet)
  • Access intranet from outside via proxy.
  • To use DNS behind proxy.

Some cool features

  • This program can mix different proxy types in the same chain
  like: your_host <-->socks5 <--> http <--> socks4 <--> target_host
  • Different chaining options supported random order from the list ( user defined length of chain ). exact order (as they appear in the list ) dynamic order (smart exclude dead proxies from chain)
  • You can use it with any TCP client application, even network scanners yes, yes - you can make portscan via proxy (or chained proxies) for example with Nmap scanner by fyodor (www.insecire.org/nmap).
  proxychains nmap -sT -PO -p 80 -iR  (find some webservers through proxy)
  • You can use it with servers, like squid, sendmail, or whatever.
  • DNS resolving through proxy.

Configuration

proxychains looks for configuration in the following order:
  • SOCKS5 proxy port in environment variable ${PROXYCHAINS_SOCKS5} (if set, no further configuration will be searched)
  • file listed in environment variable ${PROXYCHAINS_CONF_FILE} or provided as a -f argument to proxychains script or binary.
  • ./proxychains.conf
  • $(HOME)/.proxychains/proxychains.conf
  • /etc/proxychains.conf
see more in /etc/proxychains.conf

Usage Example

$ proxychains telnet targethost.com
in this example it will run telnet through proxy(or chained proxies) specified by proxychains.conf

Usage Example

$ proxychains -f /etc/proxychains-other.conf targethost2.com
in this example it will use different configuration file then proxychains.conf to connect to targethost2.com host.

Usage Example

$ proxyresolv targethost.com
in this example it will resolve targethost.com through proxy(or chained proxies) specified by proxychains.conf

Usage Example:

$ ssh -fN -D 4321 some.example.com
$ PROXYCHAINS_SOCKS5=4321 proxychains zsh
in this example, it will run a shell with all traffic proxied through OpenSSH’s "dynamic proxy" (SOCKS5 proxy) on localhost port 4321.
from https://github.com/haad/proxychains
-----------

发现了这个程序proxychains, 他可以在原命令前面另加一个代理程序来运行该命令, 从而使得本来不能配置运行代理的程序可以使用代理运行.
该程序原理是通过和网络相关libc动态相关库的函数进行绑定(hook), 使这些函数走一个预加载的动态库并重定向链接. 因为这个工作原理, 他只能对动态连接的程序起效(就是调用动态库的), 另外proxychains和被代理程序需要调用同一个动态连接库.
该程序如名字, 可以使用代理链(一般我们只采用一个代理), 即可以代理接一个代理传输信号, 这样可以使得使用身份更隐蔽. 另外这种代理链可以混杂各种不同的协议, 如HTTP+SOCKS4+SOCKS5的混合. 这种”代理链”的方式可以轻松帮你解决 外网 -> 网关机 -> 内网机 的internet 访问 intranet的功能.
该程序现在主要在Github上维护, 新版本为 ng 版(更新到4.X), 另外也可以从SourceForge下载. 另外原版旧版的Github也有到4.2的, 旧版的sourceforge 上有旧的3.1版. 不过推荐使用最新版本啦~

安装

proxychains: 执行命令时
  • Ubuntu 里面: sudo apt-get install proxychains 装的是3.1的旧版.
  • Mac 里面: brew install proxychains-ng
# needs a working C compiler, preferably gcc
./configure
make
# install proxychains4 and dy-lib
# /usr/local/bin/proxychains4
# /usr/local/lib/libproxychains4.dylib
sudo make install
# installs /etc/proxychains.conf
sudo make install-config 

配置

配置文件

如果是ubuntu或者直接安装, 配置文件一般是 /etc/proxychains.conf , 如果是Mac用brew安装, /usr/local/Cellar/proxychains-ng/4.11/etc/proxychains.conf. (其中版本号会有区别,这里是4.11)
一般地, 配置文件查找顺序为:
  1. ${PROXYCHAINS_SOCKS5} 环境变量定义的端口
  2. ${PROXYCHAINS_CONF_FILE} 定义的配置文件或者-f 选项指定的文件
  3. ./proxychains.conf
  4. ${HOME}/.proxychains/proxychains.conf
  5. ${sysconfdir}/proxychains.conf (e.g. /etc/proxychains.conf or /usr/local/etc/proxychains.conf or /usr/local/…/etc/proxychains.conf)

代理模式

代理模式在配置文件最开头, 有四种模式供选择, 关闭某模式就是注释掉就可以了. 默认模式是strict_chain
  • dynamic_chain,按照列表中出现的代理服务器的先后顺序组成一条链,如果有代理服务器失效,则自动将其排除,但至少要有一个是有效的。
  • strict_chain,按照后面列表中出现的代理服务器的先后顺序组成一条链,要求所有的代理服务器都是有效的
  • round_robin_chain, 类似dynamic_chain, 但是只读取chain_len 长度
  • random_chain,列表中的任何一个代理服务器都可能被选择使用,这种方式很适合网络扫描操作(参数chain_len对random_chain有效)。
默认是选择的strict_chain,一般我们不用多个代理造成链, 只要一个就好了, 所以一般不改变代理模式部分。

配置代理服务器

在最下面的部分就是代理服务器列表配置了, 支持HTTP, SOCKS4, SOCKS5, 貌似新版本还支持HTTPS.
例如:
对于SS代理, 在最后一行加入这句话 socks5 127.0.0.1 1080. 另外把socks4 127.0.0.1 9050 一行# 注释掉或者直接删掉.
http 12.34.56.78 8080 user passwd 可以配置有用户名密码验证的HTTP代理.
一般地, http 采用8080端口, 而 socks4/socks5 采用1080 端口.

使用

使用就很简单了, 就是在原有的运行命令前面加入proxychains4, 例如我要wget 进行代理抓取
proxychains4 wget www.google.com
指定配置文件的话, 是:
proxychains4 -f proxy.conf wget www.google.com
例如结合ssh隧道:
ssh -fN -D 4321 some.example.com
PROXYCHAINS_SOCKS5=4321 proxychains zsh
这个例子使用ssh隧道来用某个服务端4321端口作动态代理, 然后用 PROXYCHAINS_SOCKS5 来指明端口后直接用proxycains 来代理一个zsh, zsh所有命令均走这个ssh代理. 注意这里走的都是 SOCKS5 代理.
如果嫌打那么长命令很麻烦, 那还可以在启动sh配置文件.bashrc 里面加入:
alias pc4=proxychains4
这样只要用pc4 wget www.google.com 就可以进行代理咯.

附录: 一些常用命令自带的代理使用

git

电信访问git来下载那就是一个慢! 所以代理是需要的!
做法很简单, 运行两条命令将代理加到配置.gitconfig 就可以了.
git config --global http.proxy 'socks5://127.0.0.1:1080'
git config --global https.proxy 'socks5://127.0.0.1:1080'
注意这是对git全局都使用代理, 但如果使用gitcafe 或者coding.io 这些国内的git仓库, 代理反而走远路了. 这时proxychains就起到作用啦.

wget 和 curl

wget 使用 -Y on 来打开代理设置, 用 -e "http_proxy=http://ip_address:port" 来指定代理地址.
wget -Y on -e "http_proxy=http://10.0.0.172:8080" "www.google.com"
遗憾的是, wget 只能采用http代理, 不能使用 socks5 代理.
curl 使用 -x ip_address:port 来指定代理服务器IP和端口.
curl -x 10.0.0.172:8080 www.google.com
--socks5 ip:port--socks5-hostname hostname:port 可以使用socks5 来代理.
------------

相关帖子:http://briteming.blogspot.com/2015/09/tsocksproxychains-linux.html