# Proxy Tooling

## Overview

Proxying tooling like the AWS CLI, Nmap, or Python scripts is a great way to understand what's happening under the hood. 

{% hint style="danger" %}
Each tool, code, and app may not support the same methods of inspection so you may need to do some research.
{% endhint %}

***

## Getting a Certificate from Caido (or BurpSuite)

First, we need to download the certificate from Caido

<figure><img src="https://2721275171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8yu8YbDfwd1VqEdUxGyA%2Fuploads%2F5QLd54AoLaInbK039MIC%2FCleanShot%202025-09-24%20at%2015.49.36%402x.png?alt=media&#x26;token=b5648463-2afb-4c77-bc98-7aeb80be7ecf" alt=""><figcaption></figcaption></figure>

I've placed mine in my downloads folder here `/Users/tyler/Downloads/caido_ca.crt`

***

## Proxying Tooling

We need to add the following environment variables either to your current terminal session or to your shell profile e.g., `~/.zshrc`

{% hint style="warning" %}
Make sure this is the IP : Port that your proxy tool is runnnig on (Caido / BurpSuite)
{% endhint %}

```
export HTTP_PROXY="127.0.0.1:8080"
export HTTPS_PROXY="127.0.0.1:8080"
```

### AWS CLI

We need to point the AWS CLI to our certificate otherwise we'll see SSL errors.

```
export AWS_CA_BUNDLE='/Users/tyler/Downloads/caido_ca.crt'
```

Alternatively, we can use this which will work with other tools like Python as well,

```
export REQUESTS_CA_BUNDLE='/Users/tyler/Downloads/caido_ca.crt'
```

Now, just run any command in terminal and we should see it in Caido / BurpSuite,

{% code overflow="wrap" %}

```sh
aws iam get-user --user-name james

{
    "User": {
        "Path": "/",
        "UserName": "james",
        "UserId": "AIDAU[REDACTED]",
        "Arn": "arn:aws:iam::[REDACTED]:user/james",
        "CreateDate": "2022-05-18T23:38:48+00:00",
        "PasswordLastUsed": "2025-09-24T12:30:48+00:00"
    }
}
```

{% endcode %}

And in Caido, under `Proxy > HTTP History`  we'll see,

{% hint style="info" %}
We can also turn on `Caido > Proxy > Intercept` to modify the Requests / Responses
{% endhint %}

**Request**

{% code overflow="wrap" %}

```sh
POST / HTTP/1.1
Host: iam.amazonaws.com
Accept-Encoding: identity
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: aws-cli/2.27.31 md/awscrt#0.26.1 ua/2.1 os/macos#24.6.0 md/arch#arm64 lang/python#3.13.7 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#iam.get-user
X-Amz-Date: 20250924T120540Z
Authorization: AWS4-HMAC-SHA256 Credential=AKIA[REDACTED]/20250924/us-east-1/iam/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=6871952e6714a55bada63b6129038299bd05d08e9c4b1b48ce86dc8c4d54cd41
Content-Length: 51

Action=GetUser&Version=2010-05-08&UserName=james
```

{% endcode %}

**Response**

{% code overflow="wrap" %}

```sh
HTTP/1.1 200 OK
Date: Wed, 24 Sep 2025 12:05:40 GMT
x-amzn-RequestId: 3f0a291f-1f43-4427-b29e-97331c7e37a1
Content-Type: text/xml
Content-Length: 529

<GetUserResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
    <GetUserResult>
        <User>
            <Path>/</Path>
            <PasswordLastUsed>2025-09-24T12:30:48Z</PasswordLastUsed>
            <UserName>james</UserName>
            <Arn>arn:aws:iam::[REDACTED]:user/dev_user</Arn>
            <UserId>AIDA[REDACTED]</UserId>
            <CreateDate>2022-05-18T23:38:48Z</CreateDate>
        </User>
    </GetUserResult>
    <ResponseMetadata>
        <RequestId>3f0a291f-1f43-4427-b29e-97331c7e37a1</RequestId>
    </ResponseMetadata>
</GetUserResponse>
```

{% endcode %}

### curl

One way to proxy curl is by specifying the proxy in the command

{% code overflow="wrap" %}

```sh
curl -x http://127.0.0.1:8080 www.google.com
```

{% endcode %}

### nmap

We can proxy nmap by specifying the proxy as a parameter&#x20;

{% code overflow="wrap" %}

```sh
nmap --proxies http://127.0.0.1:8080 SERVER_IP -pPORT -Pn -sC
```

{% endcode %}

### metasploit

We can proxy metasploit exploits by setting the proxy in the exploit's configuration e.g.,&#x20;

{% code overflow="wrap" %}

```sh
set PROXIES HTTP:127.0.0.1:8080
```

{% endcode %}

***

## Proxychains

Proxychains enables us to easily proxy tools as well which is useful for tooling that may not have a proxy option (this can also work for tools that do).

Update your proxy config file found in:

* Linux:  `/etc/proxychains.conf`&#x20;
* macOS: `/opt/homebrew/etc/proxychains.conf` (assuming installed via [homebrew](https://www.techwithtyler.dev/coding-and-cli-tooling/cli-tools/homebrew "mention"))

{% code overflow="wrap" %}

```
#socks4         127.0.0.1 9050
http 127.0.0.1 8080
```

{% endcode %}

Optionally, uncomment `quite_mode` to reduce the output when running proxychains (can also use `-s` )

{% code overflow="wrap" %}

```
# Quiet mode (no output from library)
quiet_mode
```

{% endcode %}

Then run your commands

```
proxychains4 -q aws sts get-caller-identity

{
    "UserId": "AIDA[REDACTED]",
    "Account": "[REDACTED]",
    "Arn": "arn:aws:iam::[REDACTED]:user/james"
}
```

And this will show up in Caido / BurpSuite.&#x20;