Back to Blog
RUENZHESARPTDEFRJAKOITTRIDVIFAHI

Proxies for Ethical Hacking and Pentesting: How to Hide Your IP and Bypass Security Safely

A complete guide to using proxies in pentesting: from choosing the type of proxy to setting up chains and rotating IPs to bypass security systems.

📅March 4, 2026

When conducting penetration testing (pentest) and ethical hacking, it is critically important to hide your real IP address — not only to simulate attacks from different locations but also to protect your own infrastructure. WAF, IDS, and IPS protection systems quickly block suspicious activity from a single IP, making further testing impossible. In this article, we will discuss which proxies to use for pentesting, how to set up IP rotation, and bypass modern protection systems.

Why Proxies are Needed in Pentesting

Penetration testing is a legal activity conducted with the consent of the system owner. However, technically it looks like an attack, and protection systems respond accordingly. Proxies solve several critical tasks in pentesting:

1. Protecting the Real IP Address. Even during legal testing, it is important not to disclose your actual location and infrastructure. If you are testing the external perimeter, your IP may end up in the blacklists of various security systems, creating problems in the future. Additionally, when working with bug bounty programs, it is crucial to maintain anonymity until the vulnerability is disclosed.

2. Bypassing Rate Limiting and IP Blocks. Modern WAF (Web Application Firewall) and IDS (Intrusion Detection System) track the number of requests from a single IP. When scanning ports, brute-forcing, or fuzzing, you will quickly exceed the limits and get banned. IP rotation through proxies allows you to distribute the load and continue testing.

3. Simulating Attacks from Different Geographical Locations. Some protection systems implement geo-blocking or have different rules for different regions. For comprehensive testing, you need to check how the system responds to requests from the US, Europe, and Asia. Proxies with IPs from different countries allow you to conduct such testing without physical relocation.

4. Testing Distributed Attacks (DDoS Simulation). When testing resilience against DDoS attacks, you need to simulate traffic from multiple IP addresses. Proxy pools allow you to create realistic loads and check how mitigation systems handle distributed attacks.

5. Bypassing Fingerprinting and TLS Analysis. Advanced protection systems analyze not only IPs but also TLS fingerprints, User-Agent, and HTTP headers. Using proxies in conjunction with the proper client configuration helps bypass such analysis and test deeper.

Which Types of Proxies are Suitable for Ethical Hacking

Different types of proxies are used for pentesting depending on the task. Let's look at the main options and their applications:

Proxy Type Advantages Disadvantages Application
HTTP/HTTPS Easy setup, works at the application level Only web traffic, headers are visible Testing web applications, scanning websites
SOCKS5 Any protocol, UDP support, authentication Slightly more complex setup Port scanning, working with any protocols
Residential Real IPs from ISPs, low trust score More expensive, variable speed Bypassing strict WAFs, testing geo-restrictions
Datacenter High speed, stability, low cost Easily identified as proxies Mass scanning, brute forcing, fuzzing
Mobile Highest trust score, dynamic IPs Most expensive, lower speed Testing mobile applications, bypassing strict blocks

SOCKS5 vs HTTP/HTTPS Protocols. For pentesting, SOCKS5 is preferable as it operates at a lower level and allows any type of traffic — TCP, UDP, DNS requests. This is critical when using tools like Nmap, Metasploit, sqlmap, which may not work solely with HTTP. HTTP proxies are suitable only for web testing via a browser or specialized web application scanners (Burp Suite, OWASP ZAP).

SSH Tunnels and VPNs. Some pentesters use SSH tunnels (dynamic port forwarding) or VPNs instead of proxies. An SSH tunnel works like a SOCKS proxy and is suitable for most tasks but requires an SSH server. A VPN encrypts all traffic and changes the IP, but is less flexible for IP rotation — changing the VPN server breaks all connections.

Residential vs Datacenter: What to Choose

The choice between residential proxies and datacenter proxies depends on the target system and its level of protection.

When to Use Residential Proxies:

  • Testing systems with advanced bot detection (Cloudflare, Akamai, PerimeterX)
  • Checking geo-restrictions and regional versions of applications
  • Testing mobile applications and APIs that block datacenters
  • Bug bounty programs where maximum stealth is important
  • Social engineering and OSINT reconnaissance through social networks

Residential proxies have IP addresses from real internet providers used by ordinary users. Protection systems cannot simply block the entire range of such a provider, as this would block legitimate users. The trust score of such IPs is significantly higher, allowing them to pass bot detection checks.

When to Use Datacenter Proxies:

  • Mass port and service scanning (Nmap, Masscan)
  • Brute-forcing passwords and directories (Hydra, Gobuster, ffuf)
  • Fuzzing web applications (Burp Intruder, wfuzz)
  • Testing internal systems without strict protection
  • Tasks where speed and traffic volume are important

Datacenter proxies operate 5-10 times faster than residential ones and are significantly cheaper. For most pentesting tasks where bypassing complex protection systems is not required, they are the optimal choice. Speed is critical when scanning thousands of ports or brute-forcing thousands of paths on a web server.

Combined Approach. Experienced pentesters use both types of proxies: datacenters for initial reconnaissance and mass scanning, and residential ones for targeted testing of specific vulnerabilities and bypassing protections. For example, you can perform port scanning through fast datacenter proxies and then exploit the discovered vulnerabilities through residential IPs to minimize detection risks.

Setting Up Proxy Chains

Proxy chains are a technique for routing traffic through multiple proxy servers sequentially. Each server in the chain sees only the IP of the previous proxy, significantly complicating tracking the real source of requests.

Installing and Configuring Proxychains in Linux: 

# Installation
sudo apt-get install proxychains4

# Editing the configuration
sudo nano /etc/proxychains4.conf

Example configuration of proxychains4.conf: 

# Mode: dynamic (skips unavailable proxies)
dynamic_chain

# Quiet mode (does not output proxy information)
quiet_mode

# DNS requests through proxy (important for anonymity)
proxy_dns

# List of proxies (added sequentially)
[ProxyList]
socks5  192.168.1.100  1080  username  password
socks5  45.67.89.123   1080
http    34.56.78.90    8080  user      pass

Proxychains Operating Modes:

  • dynamic_chain — uses all available proxies in order, skipping unavailable ones. Optimal for pentesting.
  • strict_chain — uses all proxies strictly in order, terminating the connection if one is unavailable.
  • random_chain — selects a random number of proxies from the list for each connection.

Using with Pentesting Tools: 

# Nmap through proxy chain
proxychains4 nmap -sT -Pn target.com

# Metasploit
proxychains4 msfconsole

# Sqlmap
proxychains4 sqlmap -u "http://target.com/page?id=1" --dbs

# Gobuster (directory brute-forcing)
proxychains4 gobuster dir -u http://target.com -w wordlist.txt

# Curl
proxychains4 curl https://target.com

Important Points When Using Proxy Chains:

  • Each proxy in the chain adds latency — a chain of 3 proxies can increase ping from 50ms to 500ms
  • DNS requests must go through the proxy (proxy_dns), otherwise your real IP will leak through DNS
  • Not all tools work correctly through proxychains — some use raw sockets
  • For Nmap, use only TCP scanning (-sT), SYN scanning (-sS) does not work through proxies

Alternative: Tor + Proxychains. You can combine Tor with additional proxies for enhanced anonymity. Tor already uses a chain of 3 nodes, adding a proxy before entering Tor or after exiting creates an additional layer of protection: 

# Configuration: Proxy → Tor → Target
[ProxyList]
socks5  45.67.89.123   1080  # External proxy
socks5  127.0.0.1      9050  # Local Tor

IP Rotation: How to Avoid Blocks

IP rotation is a key technique for bypassing rate limiting and IP-based blocks. Modern WAFs track the number of requests from a single IP over a certain period (for example, 100 requests per minute). Exceeding the limit leads to temporary or permanent blocking.

Types of Proxy Rotation:

1. Rotation at the Proxy Provider Level (Rotating Proxies). Some providers offer a single endpoint (IP:port) that automatically changes the outgoing IP with each request or after a certain interval. This is the simplest option — it does not require code changes, just specify one proxy address. 

# Example with rotating proxy (Python + requests)
import requests

proxies = {
    'http': 'http://user:pass@rotating.proxy.com:8080',
    'https': 'http://user:pass@rotating.proxy.com:8080'
}

# Each request goes with a new IP
for i in range(100):
    response = requests.get('https://api.ipify.org', proxies=proxies)
    print(f"Request {i}: IP = {response.text}")

2. Rotation at the Application Level (Proxy Pool). You receive a list of proxies and implement the switching logic in your code. This gives you more control: you can manage the frequency of changes, exclude non-working proxies, and distribute the load. 

# Example of proxy pool with rotation (Python)
import requests
import random
from itertools import cycle

# List of proxies
proxy_list = [
    'http://user:pass@45.67.89.1:8080',
    'http://user:pass@45.67.89.2:8080',
    'http://user:pass@45.67.89.3:8080',
    'http://user:pass@45.67.89.4:8080',
]

# Cyclic iterator for sequential rotation
proxy_cycle = cycle(proxy_list)

def get_with_rotation(url):
    proxy = next(proxy_cycle)
    proxies = {'http': proxy, 'https': proxy}
    
    try:
        response = requests.get(url, proxies=proxies, timeout=10)
        return response
    except requests.exceptions.RequestException as e:
        print(f"Error with proxy {proxy}: {e}")
        return None

# Usage
for i in range(20):
    response = get_with_rotation('https://httpbin.org/ip')
    if response:
        print(f"Request {i}: {response.json()}")

3. Session-Based Rotation. For tasks that require maintaining state (cookies, sessions), proxy binding to the session is used. One proxy is used for all requests within one session, then it changes for a new session. 

# Session-based rotation
import requests

class ProxySession:
    def __init__(self, proxy_list):
        self.proxy_list = proxy_list
        self.current_proxy_index = 0
    
    def new_session(self):
        session = requests.Session()
        proxy = self.proxy_list[self.current_proxy_index]
        session.proxies = {'http': proxy, 'https': proxy}
        
        # Switch to the next proxy for the next session
        self.current_proxy_index = (self.current_proxy_index + 1) % len(self.proxy_list)
        
        return session

# Usage
proxy_manager = ProxySession(proxy_list)

# Session 1 with proxy 1
session1 = proxy_manager.new_session()
session1.get('https://target.com/login')
session1.post('https://target.com/api', data={'key': 'value'})

# Session 2 with proxy 2
session2 = proxy_manager.new_session()
session2.get('https://target.com/login')

Rotation Strategies Depending on the Task:

  • Password Brute-Forcing — change IP every 5-10 attempts to avoid exceeding the limit of failed logins
  • Port Scanning — change IP every 100-500 ports to prevent IDS from noticing scanning from one source
  • Fuzzing Web Forms — rotation every 20-50 requests, simulating different users
  • OSINT Data Gathering — rotation with each request to social media or search engine APIs

Monitoring Proxy Functionality. During rotation, some proxies may stop working. It is important to implement checks and exclude non-working proxies: 

# Checking and filtering proxies
def check_proxy(proxy):
    try:
        response = requests.get(
            'https://httpbin.org/ip',
            proxies={'http': proxy, 'https': proxy},
            timeout=5
        )
        return response.status_code == 200
    except:
        return False

# Filtering the list
working_proxies = [p for p in proxy_list if check_proxy(p)]
print(f"Working proxies: {len(working_proxies)}/{len(proxy_list)}")

Integrating Proxies with Pentesting Tools

Most pentesting tools support working through proxies. Let's consider the setup for popular tools:

Burp Suite. One of the main tools for testing web applications. Proxy setup:

  • User options → Connections → Upstream Proxy Servers
  • Add → specify the proxy address, port, type (HTTP/SOCKS)
  • For rotation, you can use extensions like "Proxy Rotator"

OWASP ZAP. An open-source alternative to Burp Suite:

  • Tools → Options → Connection → Use outgoing proxy server
  • Specify address, port, authentication
  • Supports SOCKS proxies for all types of traffic

Nmap. A port and service scanner. Direct proxy support is not available (except for HTTP CONNECT for some NSE scripts), used through proxychains: 

# Only TCP scanning works through proxies
proxychains4 nmap -sT -Pn -p 80,443,8080 target.com

# SYN scanning requires raw sockets and does not work through proxies
# nmap -sS target.com  # DOES NOT WORK through proxychains

Sqlmap. A tool for automatically finding and exploiting SQL injections: 

# Single proxy
sqlmap -u "http://target.com/page?id=1" --proxy="socks5://user:pass@45.67.89.1:1080"

# File with a list of proxies (rotation)
sqlmap -u "http://target.com/page?id=1" --proxy-file=proxies.txt

# Through Tor
sqlmap -u "http://target.com/page?id=1" --tor --tor-type=SOCKS5

Metasploit Framework. A platform for developing and executing exploits: 

# Running through proxychains
proxychains4 msfconsole

# Or setting up inside Metasploit
msf6 > setg Proxies socks5:45.67.89.1:1080
msf6 > setg ReverseAllowProxy true

# For a specific module
msf6 exploit(windows/smb/ms17_010_eternalblue) > set Proxies socks5:45.67.89.1:1080

Gobuster / ffuf. Tools for brute-forcing directories and parameters: 

# Gobuster
gobuster dir -u http://target.com -w wordlist.txt -p socks5://45.67.89.1:1080

# ffuf with proxy
ffuf -u http://target.com/FUZZ -w wordlist.txt -x socks5://45.67.89.1:1080

# ffuf with rotation through replay-proxy
ffuf -u http://target.com/FUZZ -w wordlist.txt -replay-proxy http://rotating.proxy.com:8080

Hydra. Password brute-forcing for various protocols: 

# Through proxychains (for all protocols)
proxychains4 hydra -l admin -P passwords.txt ssh://target.com

# Native support for HTTP (limited)
hydra -l admin -P passwords.txt target.com http-get -s 8080 -m /admin

Nuclei. A modern vulnerability scanner based on templates: 

# HTTP proxy
nuclei -u https://target.com -proxy-url http://user:pass@45.67.89.1:8080

# SOCKS5
nuclei -u https://target.com -proxy-url socks5://user:pass@45.67.89.1:1080

# Multiple proxies (rotation)
nuclei -list targets.txt -proxy-url http://proxy1.com:8080,http://proxy2.com:8080

Bypassing WAF, IDS, and Other Protection Systems

Modern protection systems use various methods to detect attacks. Proxies are just part of the bypass strategy. Let's consider a comprehensive approach:

1. Bypassing IP-Based Blocks. The simplest level of protection is IP blocking. This is solved by rotating proxies while adhering to rate limits:

  • Use delays between requests (time.sleep in Python)
  • Change IP upon receiving HTTP 429 (Too Many Requests)
  • Simulate human behavior — random intervals between requests

2. Bypassing Geo-Blocking. Some systems block entire countries or regions. Use residential proxies from the desired country: 

# Example: testing from different countries
countries = ['US', 'GB', 'DE', 'FR']

for country in countries:
    proxy = f'http://user-country-{country}:pass@proxy.com:8080'
    response = requests.get('https://target.com', proxies={'http': proxy, 'https': proxy})
    print(f"{country}: Status {response.status_code}")

3. Bypassing Fingerprinting (Browser Fingerprints). Advanced WAFs analyze TLS fingerprints, HTTP headers, and the order of headers. Use libraries that simulate real browsers: 

# curl-impersonate — simulating TLS fingerprints of browsers
curl_chrome116 --proxy socks5://45.67.89.1:1080 https://target.com

# Python: requests + curl_cffi (bypassing Cloudflare)
from curl_cffi import requests

response = requests.get(
    'https://target.com',
    proxies={'https': 'socks5://45.67.89.1:1080'},
    impersonate='chrome116'
)

4. Bypassing Bot Detection (Cloudflare, PerimeterX, Akamai). These systems use JavaScript calls, canvas fingerprinting, WebGL, and mouse movement analysis. Solutions:

  • Use headless browsers with proper settings (Playwright, Puppeteer)
  • Apply anti-detection techniques: spoofing WebGL, Canvas, AudioContext
  • Combine residential proxies with realistic User-Agent
  • Use ready-made solutions: undetected-chromedriver, playwright-stealth
# Playwright with proxy and anti-detection
from playwright.sync_api import sync_playwright

with sync_playwright() as p:
    browser = p.chromium.launch(
        proxy={
            'server': 'socks5://45.67.89.1:1080',
            'username': 'user',
            'password': 'pass'
        }
    )
    
    context = browser.new_context(
        user_agent='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
        viewport={'width': 1920, 'height': 1080},
        locale='en-US',
        timezone_id='America/New_York'
    )
    
    # Masking webdriver
    context.add_init_script("""
        Object.defineProperty(navigator, 'webdriver', {get: () => undefined})
    """)
    
    page = context.new_page()
    page.goto('https://target.com')
    # ... further actions

5. Bypassing IDS/IPS (Intrusion Detection/Prevention Systems). These systems analyze network traffic for attack signatures:

  • Packet fragmentation — break payload into smaller parts
  • Obfuscation — encode payload (base64, URL-encoding, Unicode)
  • Distributing the attack over time — slow scanning with large intervals
  • Proxy rotation — each stage of the attack from different IPs
# Nmap: slow scanning to bypass IDS
proxychains4 nmap -sT -Pn -T2 --scan-delay 5s -p- target.com

# -T2: slow timing template
# --scan-delay 5s: 5 seconds between port probes
# Combining with proxy rotation makes scanning almost undetectable

6. Bypassing CAPTCHA. During aggressive testing, you may encounter CAPTCHA. Options:

  • Reduce aggressiveness — fewer requests, more delays
  • Use CAPTCHA solving services (2captcha, Anti-Captcha) — for bug bounty
  • Look for alternative endpoints without CAPTCHA (API, mobile versions)

Operational Security (OPSEC) When Using Proxies

Even when using proxies, mistakes can be made that reveal your identity or location. Operational security (OPSEC) is a set of practices to minimize such risks.

Common Leaks When Using Proxies:

1. DNS Leaks. Even when using proxies, DNS requests may go directly from your provider, revealing your real location: 

# Checking for DNS leak
dig @8.8.8.8 target.com  # DNS request goes directly to Google DNS

# Solution: use DNS through proxy
# In proxychains: proxy_dns
# In Python requests: use IP instead of domains or set up DNS over HTTPS

2. WebRTC Leaks (for browser tools). WebRTC can expose your real IP even through proxies:

  • Disable WebRTC in the browser or use extensions (WebRTC Leak Shield)
  • When using Playwright/Puppeteer — block WebRTC through permissions

3. Timezone and Locale Leaks. Your timezone and language settings may not match the proxy IP: 

# Correct timezone setup in Playwright
context = browser.new_context(
    proxy={'server': 'socks5://us-proxy.com:1080'},
    locale='en-US',  # Matches US proxy
    timezone_id='America/New_York',  # US timezone
    geolocation={'latitude': 40.7128, 'longitude': -74.0060}  # NY coordinates
)

4. Cookie and Session Leaks. Do not use the same cookies across different proxies — this links your requests:

  • Each proxy = new session with clean cookies
  • Do not log in under the same account from different IPs unnecessarily
  • Use browser containers or separate profiles

5. Fingerprinting Consistency. The browser fingerprint should match the proxy IP:

  • US proxy + Russian browser language = suspicious
  • Mobile proxy + desktop User-Agent = mismatch
  • Use tools to generate consistent fingerprints

OPSEC Recommendations for Pentesters:

  • Use a dedicated VM for pentesting — isolate from the main system
  • Logs and Artifacts — store on encrypted disks, delete after project completion
  • Proxy Separation — use different proxy pools for different projects
  • Do not mix legal and illegal traffic through the same proxies
  • Check proxies for leaks — regularly test through ipleak.net, browserleaks.com
  • Documentation — keep records of proxy usage for client reports (which IPs, when)

Legal Aspects. Even in legal pentesting, it is important to:

  • Have written permission (scope of work) from the client
  • Not exceed the agreed scope — test only authorized systems
  • Notify the client of the proxy IPs used for whitelisting in their systems
  • Comply with the laws of the country where the tested systems are located

Conclusion

Proxies are an essential tool for modern pentesters and information security specialists. They allow you to hide your real IP, bypass protection systems, simulate attacks from different locations, and distribute the load to avoid blocks. The choice of proxy type depends on the task: fast datacenter proxies are suitable for mass scanning, while residential proxies with high trust scores are ideal for bypassing complex WAFs and bot detection.

Key points when using proxies for pentesting: proper setup of IP rotation to bypass rate limiting, integration with tools through proxychains or native support, and maintaining operational security to prevent leaks of the real IP through DNS, WebRTC, or fingerprinting. A combination of technical measures (proxy chains, anti-detection techniques, obfuscation) and proper OPSEC ensures effective and safe testing.

For ethical hacking tasks, we recommend using residential proxies when testing systems with advanced protection and datacenter proxies for mass scanning and tasks where speed is important. The right choice and setup of proxies significantly enhance testing efficiency and minimize detection risks.