Hacking Book | Free Online Hacking Learning


some knowledge about agent

Posted by patinella at 2020-03-20

Original link: https://xianzhi.aliyun.com/forum/topic/1492/

Author: adog

As for the proxy, maybe I know the simple web proxy, plus the intranet forwarding needed for penetration, and finally the nginx reverse proxy I went to know last time. The following question is the interview question of a big man in wechat group. In line with the attitude of learning, I'd better learn the proxy knowledge in various aspects. (maybe I'll meet you later ~)

The problems are as follows:

1. Web reverse proxy

2. Forward port forwarding, reverse port forwarding, dynamic port forwarding

3. Forward socks / HTTP proxy, reverse socks / HTTP proxy

4. Forward VPN, reverse bridge VPN

How to understand the above questions and what are the representative tools?

Next for the problem to analyze in detail!

Question 1: Web reverse proxy

This should be to use the server to accept the connection request on the Internet, then forward the request to the server on the internal network, and return the result from the server to the client requesting connection on the Internet. At this time, the proxy server acts as a reverse proxy server.

The most common architecture may be nginx reverse proxy. On the one hand, it protects and hides the real server, and on the other hand, it implements load balancing.

Question 2: forward port forwarding, reverse port forwarding, dynamic port forwarding

First of all, what is forward and reverse port forwarding!

In the forward proxy, the proxy and the client belong to the same LAN and are transparent to the server; in the reverse proxy, the proxy and the server belong to the same LAN and are transparent to the client. In fact, what proxy does in the two kinds of agents is to send and receive requests and responses on behalf of each other. However, from the perspective of structure, the left and right are interchanged, so the former is called forward proxy, and the latter is called reverse proxy.

Forward port forwarding process:

In order to access rhost, lhost sends a request to proxy and specifies that the target is rhost. Then proxy transfers the request to rhost and returns the obtained content to lhost. In short, forward proxy is proxy instead of us to visit rhost.

Reverse port forwarding process:


Lhost only sends ordinary requests to the proxy, specifically where to go. The proxy judges by itself, and then submits the returned data. This advantage is that it can effectively penetrate when some firewalls only allow proxy data in and out

Here is a simple distinction. The forward proxy is the client, the reverse proxy is the server, which is also applicable for port forwarding!

Let's explain what forward and reverse port forwarding is:

① Forward port forwarding

As the name implies, the local host port is forwarded to the remote host port through the host port to be logged in.

ssh -L 50000:www.google.com:80 [email protected]

When the above command is executed successfully, accessing the local 50000 port is equivalent to accessing the 80 port of www.google.com. But it is essentially different from direct access: this time, data is transmitted safely by logging in to the host. No one knows what kind of data is transmitted between you and the remote host. Even if you can't establish a connection with the remote host (and the login host can access it), you can break through the restriction of the firewall.

② Reverse port forwarding

This is to forward the login host port to the remote host through the local host port.

For example: SSH - R localhost: 80 user @ host.

After the above command is executed successfully, accessing port 8080 of the login host is equivalent to accessing port 80 of the remote host!

Imagine such a situation: you have developed a web application on this machine, you want to test it for others, but now you are in the intranet, and the Internet can not directly access the host of the intranet. What should you do!? Many people may say that it's OK to find a host with public IP and redeploy it. It works, but it's too much trouble. However, since you know the reverse port forwarding function, everything has become simple. Just execute the command in the above example on the local host to access the intranet web application.

What is dynamic port forwarding

The common application here is SSH dynamic binding. Therefore, dynamic port forwarding is also inseparable from some related applications of SSH, such as over the wall..

Here SSH client is more than just a client. It also opens port 7001 to listen for requests from native applications. This is the biggest difference between SSH and traditional usage. The SSH of the server is not only to process the request of the client, but also to forward the request to the corresponding host and port. The word "dynamic" here is reflected in the fact that the forwarding target of the SSH of the server is not fixed, which is determined by the request of the client.

Question 3: forward socks / HTTP proxy, reverse socks / HTTP proxy

Google has searched for a long time, but has not found the answer that can satisfy itself. Most of them are explaining the difference between HTTP agent and socks agent, which is a bit off the topic! Let's talk about the difference between the two. Socks works at a lower level than the HTTP proxy: socks uses the handshake protocol to notify the proxy software of the connection socks its client is trying to make, and then operates as transparently as possible, while the regular proxy may interpret and rewrite the header (for example, using another underlying protocol, such as FTP; however, the HTTP proxy simply forwards the HTTP request to the required HTTP server). Although the HTTP proxy has different usage patterns, the connect method allows forwarding TCP connections; however, the socks proxy can also forward UDP traffic and reverse proxy, while the HTTP proxy cannot. HTTP proxy usually understands HTTP protocol better and performs higher-level filtering.

Back to the topic, the forward socks / HTTP proxy should be our most common browser proxy. It can grab packets or send traffic to the other server through the proxy server. The common tool is burp or FD.

The reverse agent is to first run the server program of socks agent on server a (such as attacker) to listen for the specified port, and then run the client program on the client (such as target) to connect to the specified port of the server. In this way, a reverse socks tunnel from the target machine to the attacker is established, and the attacker's application program (such as WGet nmap curl...) is established After using the tunnel, all traffic of the program will be forwarded through the target machine first.

It should not be difficult to understand. It is to create a tunnel from the client to connect to our server in reverse. The traffic of the server can go out through this tunnel to realize anonymity of traffic. The common tool is proxychains.

Question 4: forward VPN, reverse bridge VPN

Forward VPN should be well understood, that is, the common VPN structure. Our client connects to the server outside the wall, and then transmits the traffic through the created tunnel.

Reverse bridge VPN here is an example to start with. When participating in offline CTF games, we often need to download the official VPN software, and then log in to the VPN through the registered account password. After successful login, it will display an intranet IP assigned to our machine. Finally, we can access the game title through the VPN client.

There are two technologies used here, one is reverse VPN, the other is bridge mode. The bridge mode should be well understood, which means that the local physical network card and the virtual network card are bridged through the vmnet0 virtual switch. The physical network card and the virtual network card are in the same position in the topology diagram, so the physical network card and the virtual network card are equivalent to the same network segment, and the virtual switch is equivalent to a switch in the real network. With the help of this architecture, we can connect the client and the server through the Internet, so that the user can access the LAN network where the server is running on any networked machine, and the server can realize remote access without special settings of external network IP and firewall.

So the most common application of reverse VPN may be VPN pivoting. Let's briefly introduce VPN pivoting.

This is a working architecture of VPN pivoting. The attack opportunity virtualizes a network interface to connect with the target machine. If any application wants to access the network in the target machine, it will transmit the traffic through the virtual network interface and reach the network of the target machine through the VPN tunnel. At this time, the VPN software of the target machine will monitor the traffic in the tunnel and then transmit the traffic to the network interface through the Tun / tap driver So that the attacker can access the target's network.

If there are any improper points in the above, please point out~

Reference article: