Intranet penetration series: frp for intranet tunnels

Foreword

This article looks at frp, a tool for tunnelling out of an intranet over TCP and HTTP.

github:https://github.com/fatedier/frp

I. Overview

1. Introduction

First released in 2015 and still actively maintained, written in Go; a classic, widely used tool

  • Supports TCP and UDP as well as HTTP and HTTPS, and also P2P
  • Supports encryption and compression
  • Cross-platform
  • Has a GUI
  • Depends on a configuration file

2. Principle


  • After frpc starts it connects to frps and sends a login() request, then keeps that long-lived connection open, reconnecting if it drops
  • After frps receives the login, it sets up a listener for requests from the public network
  • When frps receives a public request, it first checks locally whether an idle connection is available (frp can be configured with a connection pool); if not, it sends msg.StartWorkConn and waits for frpc to connect
  • After frpc receives it, it initiates a new connection to frps. At the start of that connection it states which proxy the connection belongs to
  • After frps receives the connection from frpc, it relays traffic between that newly established connection and the connection from the public network
  • If either connection is closed, the connection at the other end is closed too

Note that every connection between the two ends, control and work connections alike, is initiated by frpc, so the intranet host needs no inbound ports at all.
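The flow above, re-enacted on localhost as an added example. This is not frp's own code: the four text messages LOGIN / LOGIN_OK / START_WORK_CONN / NEW_WORK_CONN are stand-ins for frp's msg types, not its wire format, and the "intranet service" is a constructed uppercase-echo server. Everything else (one bind port that carries both the control and the work connections, a public listener opened only after login, a work connection dialled back by frpc on demand, and the proxy name announced at the start of it) follows the steps described.

```python
# Added example (not frp's code): control/work connection pairing on localhost.
import queue
import socket
import threading

PROXY = "ssh"  # the single proxy this example registers


def _readline(sock):
    """Read one newline-terminated text line from a socket."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode().strip()


def _pump(src, dst):
    """Copy bytes src -> dst until EOF; when one side closes, close the other."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def _listen(port=0):
    s = socket.socket()
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("127.0.0.1", port))
    s.listen(8)
    return s


def intranet_service(srv):
    """Constructed stand-in for the service on the intranet host: uppercase echo."""
    while True:
        c, _ = srv.accept()
        c.sendall((_readline(c).upper() + "\n").encode())
        c.close()


def frps(bind_srv):
    """frps side: take frpc's login, open the public listener, pair connections."""
    ctl, _ = bind_srv.accept()                 # first arrival: the control connection
    assert _readline(ctl) == "LOGIN " + PROXY
    pub_srv = _listen()                        # listener for public-network requests
    ctl.sendall(("LOGIN_OK %d\n" % pub_srv.getsockname()[1]).encode())
    while True:
        pub, _ = pub_srv.accept()              # a request from the public network
        ctl.sendall(b"START_WORK_CONN\n")      # nothing pooled: ask frpc for a work conn
        work, _ = bind_srv.accept()            # frpc dials back to the same bind port
        assert _readline(work) == "NEW_WORK_CONN " + PROXY   # which proxy it is for
        threading.Thread(target=_pump, args=(pub, work), daemon=True).start()
        threading.Thread(target=_pump, args=(work, pub), daemon=True).start()


def frpc(server_port, local_port, public_port_out):
    """frpc side: one long-lived outbound control connection, dial back on demand."""
    ctl = socket.create_connection(("127.0.0.1", server_port))
    ctl.sendall(("LOGIN %s\n" % PROXY).encode())
    public_port_out.put(int(_readline(ctl).split()[1]))
    while _readline(ctl) == "START_WORK_CONN":
        work = socket.create_connection(("127.0.0.1", server_port))
        work.sendall(("NEW_WORK_CONN %s\n" % PROXY).encode())
        local = socket.create_connection(("127.0.0.1", local_port))
        threading.Thread(target=_pump, args=(work, local), daemon=True).start()
        threading.Thread(target=_pump, args=(local, work), daemon=True).start()


def demo(messages=("hello from the public network", "second request")):
    """Run all three parties on localhost; return the replies seen by a public user."""
    svc_srv, bind_srv = _listen(), _listen()
    threading.Thread(target=intranet_service, args=(svc_srv,), daemon=True).start()
    threading.Thread(target=frps, args=(bind_srv,), daemon=True).start()
    port_q = queue.Queue()
    threading.Thread(target=frpc, daemon=True, args=(
        bind_srv.getsockname()[1], svc_srv.getsockname()[1], port_q)).start()
    public_port = port_q.get(timeout=5)
    replies = []
    for m in messages:                         # each request triggers one pairing
        c = socket.create_connection(("127.0.0.1", public_port), timeout=5)
        c.sendall(m.encode() + b"\n")
        replies.append(_readline(c))
        c.close()
    return replies


if __name__ == "__main__":
    print(demo())
```

Real frp carries all of this over a single multiplexed TCP connection when tcp_mux is on and can keep a pool of pre-opened work connections (max_pool_count), so a capture on the frpc host shows only the outbound connection to bind_port while the public-side hits arrive at remote_port on frps.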

3. Usage

(1) Server

frps.ini configuration file

[common]
# Address the frp server listens on; an IPv6 address must be enclosed in square brackets
bind_addr = 0.0.0.0
# Port the frp server listens on
bind_port = 7000
 
# UDP port for KCP; if unset, KCP is not enabled
#kcp_bind_port = 7000
# Protocol to use, default tcp, kcp optional
#protocol = kcp
 
# Must be set if you want to use virtual hosts
#vhost_http_port = 80
#vhost_https_port = 443
 
# Web dashboard listening port
dashboard_port = 7500
 
# Web dashboard username and password
dashboard_user = admin
dashboard_pwd = admin
 
# Static resource directory for the dashboard, only for debugging, normally unset
#assets_dir = ./static
 
# Log output, either a specific log file or console
log_file = /var/log/frps.log
 
# Log level: trace, debug, info, warn, error
log_level = info
# Number of days to keep logs
log_max_days = 3
 
# Enable privilege mode; since v0.10.0 privilege mode is on by default and is currently the only mode
#privilege_mode = true
 
# Privilege mode token; make it as long and complex as possible
privilege_token = 12345678
 
# Port range that privilege mode is allowed to allocate
privilege_allow_ports = 2000-3000,3001,3003,4000-50000
 
# Heartbeat timeout, no need to change
#heartbeat_timeout = 90
 
# Upper limit of the connection pool for each proxy
#max_pool_count = 5
 
# Authentication timeout, usually no need to change
#authentication_timeout = 900
 
# If configured, http and https proxies can set a subdomain
#subdomain_host = frps.com
 
# Whether to enable TCP multiplexing, default true, leave it alone
#tcp_mux = true

Run

./frps -c ./frps.ini
./frps -c ./frps.ini & # run in the background
# To run several servers: copy frps.ini and change the port numbers in the copy

(2) Client

frpc.ini configuration file (each proxy section below is a separate example; in a real file every TCP proxy needs its own remote_port, since frps refuses a port that another proxy already uses)

[common]
# frp server address
server_addr = 1.2.3.4
# frp server port
server_port = 7000
# Privilege mode token
privilege_token = 12345678

# Forward SSH
[ssh]
type = tcp
# Can be set to another IP, default is local
#local_ip = 127.0.0.1
local_port = 22  # local port being proxied out
remote_port = 6000 # port exposed on the server
# Enable encryption
use_encryption = true
# Enable compression
use_compression = true
 
# Forward Web
[web]
type = http
local_port = 80
custom_domains = www.yourdomain.com
# Rewrite the Host header
#host_header_rewrite = dev.yourdomain.com
# Enable simple HTTP authentication
#http_user = abc
#http_pwd = abc
# Custom subdomain, used when subdomain_host is configured on the server
#subdomain = test
# With several proxies on the same domain, route to different configs by request URL
#locations = /news,/about
 
# Forward DNS requests
[dns]
type = udp
local_ip = 8.8.8.8
local_port = 53
remote_port = 6000
 
# Forward a Unix domain socket (here, Docker)
[unix_domain_socket]
type = tcp
remote_port = 6000
plugin = unix_domain_socket
plugin_unix_path = /var/run/docker.sock
 
# HTTP proxy
[http_proxy]
type = tcp
remote_port = 6000
plugin = http_proxy
# Simple authentication for the HTTP proxy
#plugin_http_user = abc
#plugin_http_passwd = abc

Run

./frpc -c ./frpc.ini
./frpc -c ./frpc.ini & # run in the background
# To run several clients: copy frpc.ini and change the port numbers in the copy
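The sample files above carry several settings an operator should not ship (an eight-digit token, admin/admin on the dashboard, proxies without use_encryption, a published Docker socket, an unauthenticated HTTP proxy, and three TCP proxies fighting over remote_port 6000). The audit below, an added example that is not part of frp or of the original post, parses both files and reports each of them. The key names are frp's classic INI options; the 24-character token threshold and the wording of the findings are this example's own choices, and the embedded configs are the post's samples cut down to the lines the audit inspects.

```python
# Added example: audit frps.ini / frpc.ini for the weak settings shown above.
import configparser
import secrets
from collections import Counter

MIN_TOKEN_LEN = 24  # threshold chosen for this example, not an frp rule

# The post's sample files, reduced to the lines the audit looks at
SAMPLE_FRPS = """
[common]
bind_port = 7000
dashboard_port = 7500
dashboard_user = admin
dashboard_pwd = admin
privilege_token = 12345678
"""

SAMPLE_FRPC = """
[common]
server_addr = 1.2.3.4
server_port = 7000
privilege_token = 12345678

[ssh]
type = tcp
local_port = 22  # local port being proxied out
remote_port = 6000
use_encryption = true

[web]
type = http
local_port = 80
custom_domains = www.yourdomain.com

[dns]
type = udp
local_ip = 8.8.8.8
local_port = 53
remote_port = 6000

[unix_domain_socket]
type = tcp
remote_port = 6000
plugin = unix_domain_socket
plugin_unix_path = /var/run/docker.sock

[http_proxy]
type = tcp
remote_port = 6000
plugin = http_proxy
"""


def parse_ini(text):
    cp = configparser.ConfigParser(inline_comment_prefixes=("#", ";"),
                                   interpolation=None)
    cp.read_string(text)
    return cp


def new_token():
    """Replacement for the sample's 12345678: 256 bits from the OS CSPRNG."""
    return secrets.token_urlsafe(32)


def _check_token(common, findings):
    # classic frp names the key privilege_token; newer builds call it token
    tok = common.get("privilege_token") or common.get("token")
    if not tok:
        findings.append("common: no token, any frpc can register proxies")
    elif len(tok) < MIN_TOKEN_LEN or tok.isdigit():
        findings.append("common: weak token %r, replace with e.g. %s"
                        % (tok, new_token()))


def audit_frps(text):
    cp, findings = parse_ini(text), []
    common = cp["common"]
    _check_token(common, findings)
    if common.get("dashboard_port") and (common.get("dashboard_user"),
                                         common.get("dashboard_pwd")) == ("admin", "admin"):
        findings.append("common: dashboard on port %s uses default admin/admin"
                        % common["dashboard_port"])
    return findings


def audit_frpc(text):
    cp, findings = parse_ini(text), []
    _check_token(cp["common"], findings)
    ports = Counter()                       # (type, remote_port) -> proxy count
    for name in cp.sections():
        if name == "common":
            continue
        p = cp[name]
        if p.get("remote_port"):
            ports[(p.get("type"), p["remote_port"])] += 1
        if not p.getboolean("use_encryption", fallback=False):
            findings.append("%s: use_encryption not set, frp carries this proxy's "
                            "traffic to frps unencrypted" % name)
        if p.get("plugin") == "unix_domain_socket" and \
                p.get("plugin_unix_path", "").endswith("docker.sock"):
            findings.append("%s: publishes the Docker socket, root-equivalent "
                            "control of the host" % name)
        if p.get("plugin") == "http_proxy" and not p.get("plugin_http_user"):
            findings.append("%s: open HTTP proxy, no plugin_http_user" % name)
    for (typ, port), n in ports.items():
        if n > 1:
            findings.append("%d %s proxies share remote_port %s, frps will "
                            "refuse the duplicates" % (n, typ, port))
    return findings


if __name__ == "__main__":
    for f in audit_frps(SAMPLE_FRPS) + audit_frpc(SAMPLE_FRPC):
        print(f)
```

Run the audit on the real files before starting frps and frpc; the token finding is the one that matters most, since the token is the only thing standing between any internet host that can reach bind_port and the ability to register its own proxies on the server.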

II. Practice

1. Test scenario

Attacker (server): Kali, 192.168.10.128
Target (client): Ubuntu, 192.168.10.129

Neither host restricts TCP connections

2. Establish a tunnel

(1) Server

./frps -c ./frps.ini

(2) Client

Start Apache on the target

configuration file

./frpc -c ./frpc.ini

(3) Tunnel establishment

Similarly, the exposed remote_port can be chosen according to the service being forwarded

3. Look at the packets

The three-way handshake establishes the connection

Traffic during a service call

III. Explore

1. Source code analysis

To combine the requests between frpc and frps, frp encapsulates its own protocol on top of TCP and uses a great many channels, so the code is scattered across the tree and hard to follow end to end

See: https://jiajunhuang.com/articles/2019_06_19-frp_source_code_part2.md.html

2. Detection and bypass

(1) Configuration file

Relying on a configuration file is a big giveaway: frpc.ini sits on disk with its [common] section, server_addr, server_port and privilege_token, and a simple file scan finds it

Bypass: rebuild the client so that it needs no configuration file

(2) Feature strings and feature code

Strings on the command line and in the logs (the frpc and frps binary names, the -c flag, the log messages) can serve as detection features, as can the byte patterns of the code itself

Bypass: modify the corresponding strings and code, then rebuild

(3) Port control

Keep tight control of ports and open only the ones that are necessary

Bypass: port multiplexing (reusing a port that is already allowed out)

(4) Process and library calls

Endpoint agents watch the process chain and calls into third-party libraries

Bypass: run under a whitelisted process, avoid library calls as far as possible, and pack the binary; essentially the usual anti-virus evasion kit
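Detections (1) and (2) above, as an added example that is not part of the original post. It runs over constructed telemetry: a few process command lines, the contents of the files they point at, and some log lines. The useful point is how the two checks combine: a renamed binary with a renamed config file (bypass 2) is still caught because the config is classified by its key layout, not by its name, while a rebuilt client with no config file at all (bypass 1) escapes both checks and is left for port and process-chain monitoring. The log signatures are an assumption drawn from frp's default log messages and should be checked against the build actually in use.

```python
# Added example: frp detection over constructed process, file and log telemetry.
import configparser
import re
import shlex

# Constructed command lines, as ps or an EDR agent would report them
SAMPLE_CMDLINES = [
    "/usr/sbin/sshd -D",
    "./frpc -c ./frpc.ini",                 # stock client, stock config name
    "/tmp/.cache/x -c /tmp/.cache/c.txt",   # bypass (2): renamed binary and file
    "/opt/agent/svc",                       # bypass (1): rebuilt, no config file
]

# Constructed file contents keyed by path; the frp files mirror the post's samples
FRPC_INI = ("[common]\nserver_addr = 1.2.3.4\nserver_port = 7000\n"
            "privilege_token = 12345678\n\n[ssh]\ntype = tcp\n"
            "local_port = 22\nremote_port = 6000\n")
FRPS_INI = "[common]\nbind_port = 7000\ndashboard_port = 7500\n"
SAMPLE_FILES = {
    "./frpc.ini": FRPC_INI,
    "/tmp/.cache/c.txt": FRPC_INI,
    # same key names as frpc but no proxy section: not frp
    "/etc/app.conf": "[common]\nserver_addr = db.internal\nserver_port = 5432\n",
}

# Constructed log lines; signatures assumed from frp's default messages
SAMPLE_LOG = [
    "2021/08/16 10:00:01 [I] login to server success, get run id [abc123]",
    "2021/08/16 10:00:01 [I] [ssh] start proxy success",
    "Aug 16 10:00:02 host sshd[1234]: Accepted publickey for dev",
]
LOG_SIGNATURES = ("login to server success", "start proxy success",
                  "frps tcp listen on")

BINARY_RE = re.compile(r"(^|/)frp[cs]$")
PROXY_TYPES = {"tcp", "udp", "http", "https", "stcp", "xtcp"}


def classify_config(text):
    """'frpc', 'frps' or None, judged by key layout rather than file name."""
    cp = configparser.ConfigParser(inline_comment_prefixes=("#", ";"),
                                   interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    if "common" not in cp:
        return None
    common = set(cp["common"])
    proxies = [s for s in cp.sections()
               if s != "common" and cp[s].get("type") in PROXY_TYPES]
    if {"server_addr", "server_port"} <= common and proxies:
        return "frpc"
    if "bind_port" in common:
        return "frps"
    return None


def config_path(argv):
    """Path passed to frp's -c / --config flag, if any."""
    for i, a in enumerate(argv):
        if a in ("-c", "--config") and i + 1 < len(argv):
            return argv[i + 1]
        if a.startswith("--config="):
            return a.split("=", 1)[1]
    return None


def scan_host(cmdlines, files):
    """Pair each process with its config file; return (cmdline, reasons) hits."""
    hits = []
    for cmd in cmdlines:
        argv = shlex.split(cmd)
        reasons = []
        if argv and BINARY_RE.search(argv[0]):
            reasons.append("binary name is frpc/frps")
        path = config_path(argv)
        kind = classify_config(files[path]) if path in files else None
        if kind:
            reasons.append("%s has the layout of an %s config" % (path, kind))
        if reasons:
            hits.append((cmd, reasons))
    return hits


def scan_log(lines):
    """Log lines carrying one of the assumed frp signatures."""
    return [l for l in lines if any(sig in l for sig in LOG_SIGNATURES)]


if __name__ == "__main__":
    for cmd, reasons in scan_host(SAMPLE_CMDLINES, SAMPLE_FILES):
        print(cmd, "->", "; ".join(reasons))
    for line in scan_log(SAMPLE_LOG):
        print("log hit:", line)
```

Of the four constructed processes, only the stock client and the renamed client are reported; /opt/agent/svc produces nothing, which is exactly the gap that detections (3) and (4) have to cover.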

Epilogue

frp is very well known and mature (which also means that detection of frp is just as mature), but its source code is quite scattered

Origin: blog.csdn.net/weixin_44604541/article/details/119735357