# Full Report
I built some infrastructure that you could deploy and use to easily tunnel from arbitrary sources over a proxy such as SOCKS, using anything that can run WireGuard. This is convenient in cases where it would be nicer to have a full network route to a target network (with working DNS) vs just having application specific proxy rules. In this post I’ll elaborate a bit on that idea. If you are just looking for the code you can find it here: https://github.com/sensepost/wiresocks.
# Analysis Summary
# Tool/Technique: WireSocks
## Overview
WireSocks is an infrastructure solution built on **WireGuard** and **tun2socks**, designed to tunnel network traffic from arbitrary client sources over an existing **SOCKS proxy**. It gives the client a full network route (including DNS) into the target network instead of relying on application-specific proxy rules.
## Technical Details
- Type: Tool / Infrastructure
- Platform: Client platforms running WireGuard (Windows, Linux, macOS, etc.); Server/Deployment infrastructure often uses Docker/Docker Compose on a jump box.
- Capabilities: Establishes a unidirectional network route for client traffic through a SOCKS proxy. Leverages VPN technology (WireGuard) for network-level redirection.
- First Seen: Published September 30, 2022
## MITRE ATT&CK Mapping
This tool primarily facilitates Command and Control (C2) communication and reachability into otherwise restricted networks.
- **TA0011 - Command and Control**
  - **T1090 - Proxy**
    - T1090.003 - Multi-hop Proxy (WireGuard acts as a hop between the client and the SOCKS proxy endpoint)
- **TA0008 - Lateral Movement**
  - **T1090 - Proxy** (Used to pivot into the target network)
## Functionality
### Core Capabilities
- **Network Redirection:** Redirects client network traffic into a TUN (Tunnel) device.
- **SOCKS Proxy Tunneling:** Uses `tun2socks` to push the traffic from the TUN device through a configured SOCKS proxy.
- **VPN Integration:** Leverages WireGuard to create a secure, easy-to-deploy VPN network that connects clients to the redirection infrastructure.
- **Full Network Route Simulation:** Provides clients with a full network route, including DNS resolution within the proxied environment, which application-specific proxy rules do not offer.
### Advanced Features
- **Docker Compose Deployment:** Provides streamlined setup on a jump box using `docker compose` to orchestrate the `tun2socks` and WireGuard services.
- **Docker Network Namespace Sharing:** Allows running other arbitrary Docker containers (`alpine`, or containers with tools like `impacket`) within the *same network namespace* as the WireSocks container, ensuring they automatically inherit the WireGuard routes and SOCKS proxying for seamless operation.
- **Tool Support:** Enables the use of tools like `SeatBelt.exe` over the proxied connection, even if the tool does not natively support SOCKS proxying.
## Indicators of Compromise
As WireSocks is an infrastructure deployment tool, IoCs are highly dependent on the specific configuration.
- File Hashes: N/A (Source code repository: `https://github.com/sensepost/wiresocks`)
- File Names: WireGuard client configuration files (`.conf` files generated in the `config/` directory).
- Registry Keys: N/A
- Network Indicators:
  - WireGuard Peer IP/Port (for client connectivity)
  - SOCKS Proxy Server IP/Port (the endpoint receiving the tunnelled traffic)
- Behavioral Indicators:
  - Establishment of a WireGuard network interface on client machines.
  - Client traffic routing through a specific VPN tunnel interface followed by connections to an external SOCKS proxy address.
## Associated Threat Actors
The context suggests this is a custom offensive infrastructure technique developed by SensePost, potentially used by penetration testers or red team operators leveraging publicly available tools (`WireGuard`, `tun2socks`). No specific threat actor group is explicitly mentioned as using it, only its creation for offensive purposes.
## Detection Methods
Detection focuses on the infrastructure components and the resulting network behavior.
- Signature-based detection: Not directly applicable to the tool itself unless specific configuration files are present or malware utilizing this concept is deployed.
- Behavioral detection: Monitoring for the setup of the WireGuard tunnel interface alongside outbound connections attempting to connect to known or suspicious SOCKS proxy servers or C2 infrastructure.
- YARA rules: Not detailed in the article. Detection may focus on specific `docker-compose.yml` or configuration file artifacts if present on systems.
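The behavioral correlation described above, as an added example that is not part of the article or the WireSocks project: it joins WireGuard interface creation events with later outbound connections to a SOCKS port on the same host. The log format, the 1080 default SOCKS port and the 30-minute window are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry in a hypothetical "<timestamp> <host> <event> k=v ..." shape.
SAMPLE_LOGS = """\
2022-09-30T10:00:01 ws01 iface_up name=wg0 type=wireguard
2022-09-30T10:00:04 ws01 net_connect dst=203.0.113.5 dport=1080 proto=tcp
2022-09-30T10:00:09 ws01 net_connect dst=203.0.113.5 dport=1080 proto=tcp
2022-09-30T10:05:00 ws02 net_connect dst=198.51.100.7 dport=1080 proto=tcp
2022-09-30T11:00:00 ws03 iface_up name=wg0 type=wireguard
2022-09-30T11:40:00 ws03 net_connect dst=203.0.113.9 dport=1080 proto=tcp
"""

SOCKS_PORTS = {1080}            # assumed default SOCKS port; extend with ports seen in your environment
WINDOW = timedelta(minutes=30)  # assumed: how long after interface creation a SOCKS connection counts

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")

def parse_line(line):
    """Split one constructed log line into (timestamp, host, event, key/value fields)."""
    ts, host, event, rest = LINE_RE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), host, event, fields

def correlate(log_text, window=WINDOW, socks_ports=SOCKS_PORTS):
    """Flag hosts where a WireGuard interface comes up and is followed, within
    `window`, by outbound TCP connections to a SOCKS port.
    Returns {host: sorted distinct 'ip:port' proxy endpoints}."""
    wg_up = {}                  # host -> time its WireGuard interface was created
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, event, f = parse_line(line)
        if event == "iface_up" and f.get("type") == "wireguard":
            wg_up[host] = ts
        elif event == "net_connect" and f.get("proto") == "tcp":
            port = int(f.get("dport", 0))
            started = wg_up.get(host)
            # A SOCKS connection alone (ws02) or one long after the tunnel (ws03) is not flagged.
            if port in socks_ports and started is not None and ts - started <= window:
                hits[host].add(f"{f['dst']}:{port}")
    return {h: sorted(v) for h, v in hits.items()}

if __name__ == "__main__":
    for host, endpoints in correlate(SAMPLE_LOGS).items():
        print(f"{host}: WireGuard interface followed by SOCKS connections to {', '.join(endpoints)}")
```

With the sample data only `ws01` is flagged; widening the window to an hour also surfaces `ws03`.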
## Mitigation Strategies
- **Network Segmentation/Access Control:** Restrict which hosts can establish WireGuard tunnels or access the Jump Box hosting the WireSocks stack.
- **Host Hardening:** Implement controls that limit the ability of compromised systems to set up VPN clients or run containerization tools like Docker where those are not required for the host's role.
- **Traffic Inspection:** Monitor egress traffic for routing patterns inconsistent with normal operations that suggest a network-layer tunnel is in place.
## Related Tools/Techniques
- **Cobalt Strike:** Often used in conjunction with tunneling solutions for C2.
- **Metasploit Framework:** C2 framework that uses proxy mechanisms.
- **Chisel:** A popular tool for SOCKS proxy tunneling over SSH.
- **ReGeorg / Pivotnacci:** Other pivoting/tunneling tools mentioned in the context of proxying traffic.
- **tun2socks:** The underlying Golang component used to convert TUN traffic to SOCKS traffic.
- **WireGuard:** The VPN protocol securing the tunnel link.
- **Proxychains-ng:** A tool that forces applications to use proxy chains, which WireSocks aims to supersede by providing network-level redirection.
- **Proxifier / Proxycap:** Windows applications used to force non-proxy-aware tools to use SOCKS proxies (WireSocks aims to bypass the need for these).