Ultra-detailed frp configuration to bypass firewall intranet penetration

Table of contents

1 Introduction

2. Preparatory work (take my own successful reproduction as an example)

3. FRP-based ssh intranet penetration

3.1 Server deployment

 3.2 Client Deployment

3.3 Remotely connect to intranet computer

4. Bypass firewall intranet penetration

4.1 Turn on the firewall

5. FRP-based web intranet penetration service

6. Precautions


1 Introduction

We know that a company computer sits in one local area network and a home computer in another. From the outside, the home computer is on an intranet, and hosts on an intranet generally cannot be reached directly. With frp, however, machines on the internal network or behind a firewall can provide TCP and UDP services to the external network, so we can use frp to log in to the home computer remotely from the company computer. frp is a high-performance reverse proxy application that can be used for intranet penetration and supports the TCP, UDP, HTTP and HTTPS protocols.

If we gain control of a host on the intranet during an attack, we can use frp to bypass the firewall for intranet penetration and then attack other hosts, because the intranet machines can reach each other.

2. Preparatory work (take my own successful reproduction as an example)

A public network server is needed (I bought an Alibaba Cloud server myself)

An intranet machine is needed (here I use a Linux virtual machine installed on my physical machine, in bridge mode)

frp download address https://github.com/fatedier/frp/releases

3. FRP-based ssh intranet penetration

3.1 Server deployment

1. Log in to the server and download frp with the command below (as of the date I wrote this, the latest version is 0.39.1). My server runs Linux, so I download the Linux build; on Windows, download the corresponding Windows build.

wget https://github.com/fatedier/frp/releases/download/v0.39.0/frp_0.39.0_linux_amd64.tar.gz

2. After the download is complete, unzip it,

tar -zxvf  frp_0.39.0_linux_amd64.tar.gz

3. After decompression, enter the directory and you will see the following files. We only need to pay attention to the files related to frps, because s stands for server; the files related to frpc can be deleted or ignored. frps runs on the server side, and frpc runs on the client side, that is, on a computer in our intranet. If you only want to access the intranet computer through ssh, the frps.ini file needs no configuration.

4. Run frps with the command below. Once you can see that it has started successfully, leave it running and do not close the terminal.

./frps -c ./frps.ini

 

3.2 Client Deployment

1. My client is one of my virtual machines, which is connected to the physical machine in bridge mode. I use the same download command and the same command to decompress. Now we need to configure the frpc.ini file

vim frpc.ini

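[common]
# Your server's IP address (I am not publishing my own)
server_addr = 11x.x.x.x
# The port set in frps.ini earlier
server_port = 7000

[ssh]
type = tcp
# IP address of the virtual machine (the IP address of the computer you want to penetrate)
local_ip = 192.168.43.141
# We want to connect through the ssh service, so the port is 22 on Linux; on Windows change it to 3389
# (the local port to be replaced)
local_port = 22
# The intranet computer maps its port 22 to port 6000 on the server
# (replaced with port 6000)
remote_port = 6000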

2. Run frpc, the command is as follows

./frpc -c ./frpc.ini

3.3 Remotely connect to intranet computer

Now we can remotely control this computer at home. I asked my family members to turn on my computer at home and run frpc. I connected from outside, and after connecting remotely I can run commands. The connection command is as follows:

ssh [email protected] -p 6000  # the server-side IP address

4. Bypass firewall intranet penetration

Just now we used frp to connect remotely to the computer in the intranet with the firewall turned off. The next question is whether we can still connect once the firewall is turned on. This experiment is relatively simple.

4.1 Turn on the firewall

1. First, on the virtual machine, enable the firewall from the command line. Here are the relevant firewall commands.

ufw status                                           # check the firewall status (inactive by default)
ufw version                                          # show the firewall version
ufw enable                                           # start the ufw firewall
ufw disable                                          # stop the ufw firewall
ufw default deny                                     # deny all access by default

ufw allow 22/tcp                                     # open port 22/TCP
ufw allow 53                                         # open port 53 (tcp/udp)
ufw deny 3306                                        # block external access
ufw delete allow 22                                  # delete a rule that was added earlier
ufw allow from 192.168.1.100                         # allow this IP to access all local ports
ufw delete allow from 192.168.1.100                  # delete the rule above

ufw status numbered                                  # list the rules with line numbers
ufw delete 3                                         # delete the third rule
ufw disable                                          # stop ufw
ufw deny 8888                                        # block access to port 8888

ufw allow proto tcp from 192.168.0.1 to any port 22  # open port 22 for tcp requests from 192.168.0.1

2. You can see that the firewall of my virtual machine is turned on. Now we try to connect with ssh from cmd on the physical machine and find that the connection cannot be made.

3. When I turn the firewall off, I can log in remotely from the physical machine. Next we turn off the firewall and use frp to connect.

4. We run frps on the server as before, run frpc on the virtual machine with the firewall turned on, and connect from the physical machine. Note that you need to use your server's address and port number when connecting. I used a connection to the virtual machine's IP address to show you: with the firewall turned on, my local physical machine can no longer connect. It can be seen that the firewall has been successfully bypassed for the remote connection.
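Why this works, and how a defender can see it: the ufw rules above filter inbound connections, while frpc dials out to the server and then connects to the local ssh port itself. The Python sketch below is an added example (not part of the original post or of frp) that flags that relay shape in `ss -tnp` output; the sample lines, the 203.0.113.x addresses and the PIDs are constructed.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed `ss -tnp` lines from the intranet VM; 203.0.113.x stands in for public hosts.
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.168.43.141:48522 203.0.113.10:7000 users:(("frpc",pid=2211,fd=6))
ESTAB 0 0 192.168.43.141:40118 192.168.43.141:22 users:(("frpc",pid=2211,fd=9))
ESTAB 0 0 192.168.43.141:22 192.168.43.141:40118 users:(("sshd",pid=2300,fd=4))
ESTAB 0 0 192.168.43.141:51876 203.0.113.80:443 users:(("curl",pid=2400,fd=5))
"""

# Listed explicitly so documentation ranges such as 203.0.113.0/24 count as external.
INTERNAL = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10")]
ADMIN_PORTS = {22, 3389}  # ssh and RDP, the local_port values used on this page
LINE = re.compile(
    r'^ESTAB\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+users:\(\("([^"]+)",pid=(\d+)')


def is_internal(addr):
    ip = ip_address(addr.split("%")[0].strip("[]"))  # drop IPv6 zone id and brackets
    return any(ip in net for net in INTERNAL)


def find_relays(ss_output):
    """Flag processes that hold an outbound connection to an external host AND are a
    client of an internal ssh/RDP port: the shape of a reverse-tunnel endpoint."""
    external, admin, names = defaultdict(set), defaultdict(set), {}
    for line in ss_output.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # header, LISTEN sockets, lines without process info
        _laddr, lport, paddr, pport, name, pid = m.groups()
        if int(lport) in ADMIN_PORTS:
            continue  # server side of the socket (sshd itself), not a relay
        names[pid] = name
        if not is_internal(paddr):
            external[pid].add(f"{paddr}:{pport}")
        elif int(pport) in ADMIN_PORTS:
            admin[pid].add(f"{paddr}:{pport}")
    return [{"pid": int(pid), "process": names[pid],
             "upstream": sorted(external[pid]), "relayed_to": sorted(admin[pid])}
            for pid in sorted(external, key=int) if pid in admin]
```

On a live host, feed it the output of `ss -tnp` run as root. The check keys on the connection pattern rather than the process name, so a renamed binary is flagged the same way.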

 

5. FRP-based web intranet penetration service

The above are all remote connections based on ssh, and the following are based on web services. If the host on the intranet provides web services, we can use frp to further infiltrate.

1. Change the frps.ini configuration file to the following

[common]
bind_port = 7000  
vhost_http_port = 801

2. Change the frpc.ini configuration file to the following, custom_domains write your server domain name or IP address.

3. Open port 80

4. Run frps and frpc respectively, and you can access the intranet web service through the server IP/domain name + port in the browser

6. Precautions

1. The server should open port 7000

2. The client opens the ssh service, that is, port 22 and port 80

3. If your ssh service refuses to connect, you can refer to the following link to solve the problem: "Enabling the ssh connection function in kali" (CSDN blog)

4. The client and the server do not need to run the same environment. The server can be Linux, and the client computer can be Windows

5. If the client is Windows, the frpc.ini configuration file needs to differ slightly from the Linux one; change it to the following

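[common]
# Your server's IP address (I am not publishing my own)
server_addr = 11x.x.x.x
# The port set in frps.ini earlier
server_port = 7000

[rdp]
type = tcp
# IP address of the virtual machine (the IP address of the computer you want to penetrate)
local_ip = 192.168.43.141
# On Linux we connect through the ssh service, so the port is 22; on Windows it is changed to 3389
# (the local port to be replaced)
local_port = 3389
# The intranet computer maps the local port to port 6000 on the server
# (replaced with port 6000)
remote_port = 6000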

Run the command as follows

frpc.exe -c frpc.ini

6. When connecting remotely over ssh, you need to enter a user name and password; these are the user and password of the client computer.
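Both frpc.ini files on this page (the ssh one in section 3.2 and the RDP one in precaution 5) publish an administrative port on the public server with no token on the connection to frps. The Python check below is an added example, not part of the original post or of the frp project, that flags this in a legacy-format frpc.ini and passes a stricter variant built on frp's `token` and `stcp`/`sk` options; the server address and the secret values are placeholders.

```python
import configparser

# Constructed frpc.ini files; 203.0.113.10 and the secrets are placeholders.
AS_ON_PAGE = """
[common]
server_addr = 203.0.113.10
server_port = 7000
[ssh]
type = tcp
local_ip = 192.168.43.141
local_port = 22
remote_port = 6000
"""
HARDENED = """
[common]
server_addr = 203.0.113.10
server_port = 7000
token = REPLACE_WITH_LONG_RANDOM_VALUE
[ssh]
type = stcp
sk = REPLACE_WITH_SECOND_SECRET
local_ip = 192.168.43.141
local_port = 22
"""
ADMIN_PORTS = {"22": "ssh", "3389": "rdp"}


def audit_frpc(text):
    """Return (section, finding) pairs for an frpc.ini passed in as a string."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    common = cfg["common"] if cfg.has_section("common") else {}
    server = common.get("server_addr", "?")
    findings = []
    if not common.get("token"):
        findings.append(("common", "no token configured for the frps control connection"))
    for name in cfg.sections():
        if name == "common":
            continue
        sec = cfg[name]
        kind, port = sec.get("type", "tcp"), sec.get("local_port", "")
        if kind == "tcp" and port in ADMIN_PORTS:
            # A plain tcp proxy is reachable by every host that can reach the server.
            findings.append((name, f"{ADMIN_PORTS[port]} published on {server}:"
                                   f"{sec.get('remote_port', '?')} for anyone who can reach it"))
        if kind == "stcp" and not sec.get("sk"):
            findings.append((name, "stcp proxy without sk"))
    return findings
```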

Origin blog.csdn.net/dreamthe/article/details/123049644