Common tools for penetration testing: ptunnel intranet penetration

Intranet penetration is also called NAT traversal. When a computer on a local area network wants to communicate with an external network, its traffic must be forwarded through NAT. Intranet penetration means bypassing NAT and reaching the internal network directly.

ptunnel

In some network environments, TCP and UDP packets are blocked until the user has authenticated. If the user can still ping a remote computer, they can try to establish an ICMP tunnel and send TCP data through it to get past the restriction. The user first starts the tool on a host outside the restricted network, where it acts as a proxy server, and then runs the tool in client mode to establish the ICMP tunnel to that proxy. To prevent the tunnel from being abused by others, a password can also be set on it.

Working principle

1. icmptunnel encapsulates IP traffic in ICMP ping packets. The purpose is to use ping to get through firewall inspection, because firewalls usually do not block ping packets.
2. The ping tool on the requesting side appends a random piece of data as a payload to the ICMP packet, and the responding side copies this payload into the ICMP reply and returns it to the requester, which uses it to identify and match ping requests.
3. When ptunnel is used for intranet penetration, the client encapsulates the IP frame in an ICMP echo request and sends it to the server, and the server replies with a matching ICMP echo reply. To an observer, only normal ICMP packets are travelling across the network.

For background on the ICMP protocol, see the separate article on ICMP protocol analysis.

Experiment

On Kali, the command can be run directly from the ptunnel directory, /pentest/backdoors/ptunnel.

Parameters:

Client options:
-p   proxy server address
-lp  local port
-da  target intranet IP
-dp  target port

Proxy server options (the ones marked with the Windows logo in the tool's help are only used on Windows; this experiment does not involve them):
-c   network interface number
-v   verbosity of the displayed process, from -1 to 5 (-1 shows nothing, 5 is the most detailed)
-udp transmit over the DNS protocol (UDP port 53) instead of ICMP
-x   tunnel password; if the server is started with this parameter, the client must supply the same parameter and value
-f   specify a log file

We need a proxy server (springboard), an attack machine, and a target machine.
Attacker IP: 192.168.3.106
Springboard (proxy server) IP: 192.168.3.104
Target IP: 192.168.3.101

Proxy server


Capture the target's traffic


Testing shows that the MySQL port does not accept a direct connection.


Modify the target machine's database to allow access from all IPs. This is not recommended under normal circumstances, since it is extremely insecure; it is done here only because this is a local experiment and it makes the effect easy to show.

./ptunnel -p 192.168.0.108 -lp 1080 -da 192.168.0.105 -dp 3306 -x 123456

-lp  local port the client listens on
-da  target intranet IP (the host the local port is mapped to)
-x   tunnel password


Analysis

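To make the encapsulation described under "Working principle" concrete, and to show what a defender looking at the packet capture in this section can check for, here is an added Python example; it is not part of the original article and not ptunnel's own code. It builds ICMP echo request and reply packets with an arbitrary payload, parses them back with a checksum check, and runs a few detection heuristics over a constructed capture: a stock Linux or Windows ping fills its payload with a known pattern and the reply mirrors the request, whereas a tunnelled exchange carries arbitrary bytes and a reply that does not mirror them. The packet contents, the addresses and the 20-requests-per-second threshold are constructed assumptions for the demo, not ptunnel's actual framing.

```python
"""ICMP echo encapsulation and tunnel-detection heuristics (added example,
not ptunnel's own code). Works on constructed packets only; no network I/O."""
import struct
from collections import defaultdict

ECHO_REQUEST, ECHO_REPLY = 8, 0
# Windows ping fills its 32-byte payload with this fixed text
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; returns the field value."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo request/reply: 8-byte header followed by any payload.
    This is the encapsulation a ping tunnel relies on: the payload is opaque."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes) -> dict:
    """Split an ICMP echo packet into fields; a valid packet sums to zero."""
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": packet[8:], "checksum_ok": icmp_checksum(packet) == 0}


def linux_ping_payload(size: int = 56) -> bytes:
    """Linux ping payload: 16-byte timestamp, then each byte equals its offset."""
    return bytes(16) + bytes(i & 0xFF for i in range(16, size))


def looks_like_ping(payload: bytes) -> bool:
    """True if the payload matches the stock Linux or Windows ping filler."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    return len(payload) >= 16 and payload[16:] == bytes(
        i & 0xFF for i in range(16, len(payload)))


def analyze_flow(records, rate_limit: int = 20):
    """Defender-side heuristics over (timestamp, src, dst, raw_icmp) records.

    Alerts on: malformed checksums, echo-request bursts above rate_limit per
    second from one source, payloads that are not standard ping filler, and
    replies whose payload does not mirror the matching request (a real echo
    responder copies the payload back; a tunnel proxy answers with new data).
    """
    alerts = []
    pending = {}                      # (src, dst, id, seq) -> request payload
    per_second = defaultdict(int)     # (src, whole second) -> request count
    for ts, src, dst, raw in records:
        pkt = parse_echo(raw)
        if not pkt["checksum_ok"]:
            alerts.append(("bad-checksum", src, dst))
            continue
        if pkt["type"] == ECHO_REQUEST:
            key = (src, int(ts))
            per_second[key] += 1
            if per_second[key] == rate_limit + 1:   # report each burst once
                alerts.append(("echo-rate", src, dst))
            if not looks_like_ping(pkt["payload"]):
                alerts.append(("non-standard-payload", src, dst))
            pending[(src, dst, pkt["id"], pkt["seq"])] = pkt["payload"]
        elif pkt["type"] == ECHO_REPLY:
            request = pending.pop((dst, src, pkt["id"], pkt["seq"]), None)
            if request is not None and request != pkt["payload"]:
                alerts.append(("reply-payload-mismatch", src, dst))
    return alerts


def demo():
    """Constructed capture: one stock ping exchange and one tunnel-style one."""
    ping = [
        (0.00, "10.0.0.5", "10.0.0.1",
         build_echo(ECHO_REQUEST, 0x1234, 1, linux_ping_payload())),
        (0.01, "10.0.0.1", "10.0.0.5",
         build_echo(ECHO_REPLY, 0x1234, 1, linux_ping_payload())),
    ]
    # Tunnel-style: the request carries encapsulated data and the reply carries
    # different data back (constructed bytes, not ptunnel's real framing)
    tunnel = [
        (1.00, "10.0.0.5", "10.0.0.1",
         build_echo(ECHO_REQUEST, 0xBEEF, 7, b"\x00\x01encapsulated tcp segment")),
        (1.02, "10.0.0.1", "10.0.0.5",
         build_echo(ECHO_REPLY, 0xBEEF, 7, b"\x00\x01returned tcp segment")),
    ]
    return analyze_flow(ping), analyze_flow(tunnel)


if __name__ == "__main__":
    for name, alerts in zip(("stock ping", "tunnel-style"), demo()):
        print(name, "->", alerts or "no alerts")
```

The mirror check is the most robust of the three heuristics: a normal echo responder returns the request payload unchanged, so a reply that differs from its request is hard for a tunnel to hide without giving up its return channel. The payload-pattern and rate checks are easier to evade (a tunnel could mimic ping filler or throttle itself), so in practice they are best used together, fed from a live capture of ICMP traffic at the network edge.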


Source: blog.csdn.net/qq_38626043/article/details/104414519