1. Preface
With the Spring Festival just started and work not too busy, I am going back to finish some things I left unfinished earlier.
The main purpose is to learn and test reverse proxy and tunneling tools.
I have tested FRP, HTTPTunnel and NPS before; they are relatively simple, and those tools also cover everyday needs.
reGeorg and Neo-reGeorg are better suited to penetration testing.
I wanted to test reGeorg first, but reGeorg does not support PHP and requires Python 2.7; in my environment it fails with a syntax error. So I went straight to testing Neo-reGeorg instead.
ABPTTS can be tested later.
2. Introduction
Neo-reGeorg is an upgraded version of reGeorg and reDuh, designed for projects in complex network environments. The tool establishes a tunnel over the HTTP(S) protocol: it creates a local Socket listening on port 1080 as a forward proxy, accesses the tunnel script on the web server, and encrypts and encapsulates the data into HTTP packets, which are forwarded through the forward proxy into the server's internal (lateral) network. At the same time, the tunnel script encrypts and encapsulates data from intranet server ports into HTTP packets and forwards them back to the local Socket interface.
(excerpt from the Internet)
To put it simply, it is used when we control a web server and want to use it as a springboard to move laterally inside the target intranet. We upload a dynamic page (jsp, php, asp, etc.) and, by accessing that page, obtain a socks proxy or port forwarding.
3. Download
https://github.com/L-codes/Neo-reGeorg
Download and unzip.
4. Test Topology
To make the test environment closer to reality, I set up an environment based on my own network:
S2 is the test server, IP 172.16.10.14, running phpstudy with port 80 open.
Port mapping is configured on the Xiaomi router, mapping port 80 to external port 50022 (because port 80 is blocked by the ISP by default).
External IP: 182.119.229.17; VPS address: 43.143.119.200.
S1 is the attack host. The goal is that connecting to port 8024 on the VPS reaches port 3389 on S2.
Copy Neo-reGeorg to the VPS in advance.
5. Configuration
After unpacking Neo-reGeorg on the VPS, enter its directory (a Python environment must be installed).
Run this command:
$ python neoreg.py generate -k password
[+] Create neoreg server files:
=> neoreg_servers/tunnel.jsp
=> neoreg_servers/tunnel.jspx
=> neoreg_servers/tunnel.ashx
=> neoreg_servers/tunnel.aspx
=> neoreg_servers/tunnel.php
=> neoreg_servers/tunnel.go
(-k is followed by the password, which you can choose yourself.)
Copy the generated tunnel file for your server type to the corresponding directory. I use phpstudy, so I copy the php file into the website directory.
To verify that the upload succeeded, open the path directly in a browser.
After opening, the page is blank, but pressing F12 to open the browser developer tools
shows the request and response exchange.
Execute the following command on the VPS:
python3 neoreg.py -k password -u http://182.119.229.17:50022/tunnel.php -l 0.0.0.0 -p 8024 -t 172.16.10.14:3389
By default, the -l, -p and -t parameters are not needed: the tool listens on 127.0.0.1 port 1080 and provides the socks proxy protocol.
I use a VPS, so I must specify the listening IP address, because the VPS has both an internal IP and an external IP; port 1080 is also disabled by default and cannot be opened in the firewall rules.
-t specifies the target IP and port.
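A defender-side check to go with this setup, added here and not part of the original post or the Neo-reGeorg project: it scans web-server access-log lines for the filenames that neoreg.py generate produces (listed above) and for the rapid per-client polling of a single script path that an HTTP tunnel causes. The log lines, the client IP and the 20 requests-per-minute threshold are constructed assumptions.

```python
import re
from collections import Counter

# Combined-log-format fields needed for the check (status/size are parsed but unused).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Filenames that "neoreg.py generate" writes, as listed in the post above.
# A renamed script will not match this set; the rate check below covers that case.
GENERATED_NAMES = {"tunnel.jsp", "tunnel.jspx", "tunnel.ashx",
                   "tunnel.aspx", "tunnel.php", "tunnel.go"}

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string
    rec["minute"] = rec["ts"][:17]               # "30/Jan/2023:10:00" bucket
    return rec

def find_tunnel_candidates(lines, per_minute_threshold=20):
    """Flag (a) requests to the generated tunnel filenames and (b) one client
    hitting one script path more than per_minute_threshold times in a minute.
    The threshold is an assumed value; tune it against normal site traffic."""
    findings, counts = set(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].rsplit("/", 1)[-1] in GENERATED_NAMES:
            findings.add(("known_tunnel_filename", rec["ip"], rec["path"]))
        counts[(rec["ip"], rec["path"], rec["minute"])] += 1
    for (ip, path, minute), n in counts.items():
        if n > per_minute_threshold:
            findings.add(("high_rate_polling", ip, f"{path} {n} req in {minute}"))
    return sorted(findings)

def constructed_sample():
    """Constructed log lines (not real traffic): one hit on tunnel.php and
    27 POSTs within one minute to a renamed script path."""
    fmt = '203.0.113.5 - - [30/Jan/2023:10:00:{s:02d} +0800] "{m} {p} HTTP/1.1" 200 {n}'
    lines = [fmt.format(s=1, m="GET", p="/index.php", n=512),
             fmt.format(s=2, m="GET", p="/tunnel.php", n=0)]
    lines += [fmt.format(s=s, m="POST", p="/upload/img.php", n=0) for s in range(3, 30)]
    return lines
```

Run it over a real access log by passing the file's lines to find_tunnel_candidates; the generated-name match is the cheap signal, the per-minute rate is the one that survives a renamed script.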
The interface after running.
6. Test Result
Run mstsc on S1 and enter the target address and port:
The RDP authentication window appears.
Test successful.