Article directory
- Preface
- 1. nps-np
- 2. frp
  - 2.1 Introduction
  - 2.2 Features
  - 2.3 How to use
    - 1). Access your home machine through rdp
    - 2). Access the company intranet machine through SSH
    - 3). Access Web services deployed on the intranet through a custom domain name
    - 4). Provide simple file access services to the outside world
  - Common Functions
    - (1) Statistics panel
    - (2) Encryption and compression
    - (3) TLS
    - (4) Proxy speed limit
    - (5) Range port mapping
- 3. ew
- 4. ngrok
Preface
From a penetration-testing perspective, this article summarizes several intranet penetration and intranet proxy tools that are commonly used, and introduces their basic principles and usage.
1. nps-np
1.1 Introduction
nps is a lightweight, high-performance and powerful intranet penetration proxy server. It currently supports TCP and UDP traffic forwarding, and therefore any protocol layered on TCP or UDP (access to intranet websites, local payment interface debugging, SSH access, remote desktop, intranet DNS resolution, etc.); it also supports intranet HTTP proxy, intranet SOCKS5 proxy, P2P and more, and comes with a powerful web management terminal.
It consists of two parts:
- a server (VPS) with a public IP runs the server side (NPS);
- one or more servers or PCs on the intranet run the client (NPC).
1.2 Features
- Written in Go language
- Support cross-platform
- Proxies that support multiple protocols
- web management terminal
1.3 How to use
Download: https://github.com/ehang-io/nps/releases
1.4 NPS
Installation configuration
Download the server package that matches your server's platform:
cd ~
wget https://github.com/cnlh/nps/releases/download/v0.23.2/linux_amd64_server.tar.gz
tar xzvf linux_amd64_server.tar.gz
cd ~/nps
The nps directory contains the nps executable, the conf configuration directory and the web page directory. Only conf/nps.conf needs to be edited:
vim conf/nps.conf
Under #web, change the following parameters (web_host is the server IP or domain name, web_username the login user name, web_password your password, web_port the web management port):
#web
web_host=服务器IP或者域名
web_username=admin
web_password=你的密码
web_port=8080
Under #bridge you can change the port that NPC connects to. For example, if the server we have is restricted and sits behind a firewall, only some ports (80, 443) may be allowed out, so the bridge port must be changed to one of those outgoing ports:
#bridge
bridge_type=tcp
bridge_port=443   # change the connection port
bridge_ip=0.0.0.0
Start:
#Mac/Linux
./nps test|start|stop|restart|status    (test the configuration file | start | stop | restart | status)
#Windows
nps.exe test|start|stop|restart|status    (test the configuration file | start | stop | restart | status)
1.5 NPC
./npc -server=你的IP:8024 -vkey=唯一验证密码 -type=tcp
Here -server is the NPS address and bridge port (8024 in this example, or 443 if you changed it above) and -vkey is the unique verification key of the client. After creating a new client in the web management terminal (the + button), you can also see the detailed client connection command there.
1.6 web management terminal
Client connections are added in the client interface through the 新增 (Add) button; each connection is distinguished by its unique vkey.
Once connected, each client can establish multiple tunnels using different protocols. Each tunnel is a separate proxy, through which you reach the intranet machine behind the client over that protocol and port.
2. frp
2.1 Introduction
frp is a high-performance reverse proxy application focused on intranet penetration, supporting multiple protocols such as TCP, UDP, HTTP and HTTPS. Intranet services can be exposed to the public network safely and conveniently by relaying through a node that has a public IP.
2.2 Features
- Client-server communication supports multiple protocols such as TCP, KCP and Websocket.
- Port reuse, multiple services are exposed through the same server port.
- Cross-platform, though it supports slightly fewer platforms than nps
- A variety of plug-ins, providing many functions
2.3 How to use
Download: https://github.com/fatedier/frp/releases
The following content is taken from: https://segmentfault.com/a/1190000021876836
1). Access your home machine through rdp
- Modify the frps.ini file. For security reasons, it is best to configure authentication here: if the token parameter in the [common] section is identical on the server and the client, authentication passes:
# frps.ini
[common]
bind_port = 7000
# used for authentication; change it yourself and make sure server and client match
token = abcdefgh
- Start frps:
./frps -c ./frps.ini
- Modify the frpc.ini file, assuming the public IP of the server where frps runs is x.x.x.x:
# frpc.ini
[common]
server_addr = x.x.x.x
server_port = 7000
# used for authentication; change it yourself and make sure server and client match
token = abcdefgh
[rdp]
type = tcp
local_ip = 127.0.0.1
local_port = 3389
remote_port = 6000
- Start frpc:
./frpc -c ./frpc.ini
- Access the remote machine through rdp at the address x.x.x.x:6000
Start automatically at boot
On Windows, for convenience, frpc can be configured to start silently at boot.
- Create start_frpc.vbs in the same directory as frpc.exe (the original had no spaces around -c, which would glue the arguments together; they are added here):
'start_frpc.vbs
'adjust the paths to your installation
CreateObject("WScript.Shell").Run """D:\Program Files\frp_windows_amd64\frpc.exe""" & " -c " & """D:\Program Files\frp_windows_amd64\frpc.ini""", 0
- Copy start_frpc.vbs and open the following directory, replacing <USER_NAME> with your user name:
C:\Users\<USER_NAME>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
- Right-click and paste as a shortcut.
2). Access the company intranet machine through SSH
The deployment steps for frps are the same as above.
- Start frpc with the following configuration:
# frpc.ini
[common]
server_addr = x.x.x.x
server_port = 7000
# used for authentication; change it yourself and make sure server and client match
token = abcdefgh
[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
remote_port = 6000
- Access the intranet machine through SSH, assuming the user name is test:
ssh -oPort=6000 test@x.x.x.x
3). Access Web services deployed on the intranet through a custom domain name
Sometimes we want to let others access or test a Web service we built locally through a domain name, but because the local machine has no public IP, the domain name cannot be resolved to it. frp can provide this. The following example is for an http service; the https configuration is the same, except that vhost_http_port is replaced with vhost_https_port and type is set to https.
- Modify the frps.ini file and set the http access port to 8080:
# frps.ini
[common]
bind_port = 7000
vhost_http_port = 8080
# used for authentication; change it yourself and make sure server and client match
token = abcdefgh
- Start frps:
./frps -c ./frps.ini
- Modify the frpc.ini file, assuming the IP of the server where frps runs is x.x.x.x, local_port is the port of the Web service on the local machine, and the custom domain name www.yourdomain.com is bound:
# frpc.ini
[common]
server_addr = x.x.x.x
server_port = 7000
# used for authentication; change it yourself and make sure server and client match
token = abcdefgh
[web]
type = http
local_port = 80
custom_domains = www.yourdomain.com
- Start frpc:
./frpc -c ./frpc.ini
- Resolve the A record of www.yourdomain.com to the IP x.x.x.x. If the server already has a domain name, you can instead point a CNAME record at the server's existing domain name.
- Open http://www.yourdomain.com:8080 in a browser to reach the Web service on the intranet machine.
4). Provide simple file access services to the outside world
A simple HTTP-based file access service can be provided externally through the static_file plug-in.
The deployment steps for frps are the same as above.
- Start frpc with the static_file plug-in enabled, configured as follows:
# frpc.ini
[common]
server_addr = x.x.x.x
server_port = 7000
# used for authentication; change it yourself and make sure server and client match
token = abcdefgh
[test_static_file]
type = tcp
remote_port = 6000
plugin = static_file
# directory to expose
plugin_local_path = /tmp/file
# prefix stripped from the request URL; what remains is the file path to access
plugin_strip_prefix = static
plugin_http_user = abc
plugin_http_passwd = abc
Opening http://x.x.x.x:6000/static/ in a browser lists the files in /tmp/file; you will be asked for the username and password set above.
Common Functions
(1) Statistics panel
View the status of frp and the display of proxy statistics through the browser.
Note: Dashboard has not been optimized for displaying large amounts of proxy data. If Dashboard access is slow, please do not enable this feature.
You need to specify the port used by the dashboard service in frps.ini to enable this function:
[common]
dashboard_port = 7500
# dashboard user name and password, both default to admin
dashboard_user = admin
dashboard_pwd = admin
Open http://[server_addr]:7500 in a browser to access the dashboard. The default username and password are both admin.
(2) Encryption and compression
These two functions are not enabled by default. You need to enable encryption and compression for the specified proxy through configuration in frpc.ini. The compression algorithm uses snappy:
# frpc.ini
[ssh]
type = tcp
local_port = 22
remote_port = 6000
use_encryption = true
use_compression = true
If the company's intranet firewall identifies and blocks outbound traffic, for example by disabling the SSH protocol, setting use_encryption = true encrypts the communication between frpc and frps and effectively prevents the traffic from being intercepted.
If the transmitted messages are long, setting use_compression = true compresses the transmitted content, which reduces the network traffic between frpc and frps and speeds up forwarding, at the cost of some extra CPU.
(3) TLS
Since version v0.25.0, frpc and frps can communicate over TLS. For greater security, enable it by setting the following in the [common] section of frpc.ini:
tls_enable = true
For port reuse, the first byte frp sends when establishing a TLS connection is 0x17.
Note: after enabling this function, use_encryption no longer needs to be set, except for xtcp.
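The token, dashboard, encryption, TLS and static_file settings above are the ones a reviewer checks first in an frp deployment. The following added example (Python, not frp's own Go code) parses frps.ini / frpc.ini with the standard library and reports the weak choices the text warns about; the sample configs are constructed from this article's snippets, so "abcdefgh" and "admin" are exactly the placeholders the text tells you to change.

```python
"""Audit frps.ini / frpc.ini for the weak settings discussed in the article:
shared token left at the sample value, default dashboard credentials,
per-proxy use_encryption versus tls_enable, and static_file HTTP credentials.
Added example, not part of frp; sample configs below are constructed.
"""
import configparser

PLACEHOLDER_TOKENS = {"", "abcdefgh"}      # sample token from the article
DEFAULT_DASHBOARD = ("admin", "admin")     # dashboard defaults per the article
WEAK_PLUGIN_PASSWORDS = {"abc"}            # sample static_file password from the article


def _parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def _truthy(cp, section, key):
    return cp.get(section, key, fallback="false").strip().lower() == "true"


def audit_frps(text):
    """Findings for a server-side frps.ini."""
    cp = _parse(text)
    findings = []
    if cp.get("common", "token", fallback="").strip() in PLACEHOLDER_TOKENS:
        findings.append("common: token missing or left at the sample value, so any frpc can register proxies")
    if cp.has_option("common", "dashboard_port"):
        creds = (cp.get("common", "dashboard_user", fallback="admin"),
                 cp.get("common", "dashboard_pwd", fallback="admin"))
        if creds == DEFAULT_DASHBOARD:
            findings.append("common: dashboard enabled with the default admin/admin credentials")
    return findings


def audit_frpc(text):
    """Findings for a client-side frpc.ini."""
    cp = _parse(text)
    findings = []
    if cp.get("common", "token", fallback="").strip() in PLACEHOLDER_TOKENS:
        findings.append("common: token missing or left at the sample value")
    tls = _truthy(cp, "common", "tls_enable")
    if not tls:
        findings.append("common: tls_enable not set; the frpc-frps channel is plaintext unless each proxy sets use_encryption")
    for section in cp.sections():
        if section == "common":
            continue
        # With TLS on, use_encryption is redundant (except xtcp, per the article); with TLS off it matters.
        if not tls and not _truthy(cp, section, "use_encryption"):
            findings.append(f"{section}: use_encryption not enabled")
        if cp.get(section, "plugin", fallback="") == "static_file":
            user = cp.get(section, "plugin_http_user", fallback="")
            pwd = cp.get(section, "plugin_http_passwd", fallback="")
            if not user or not pwd:
                findings.append(f"{section}: static_file exposed without HTTP credentials")
            elif user == pwd or pwd in WEAK_PLUGIN_PASSWORDS:
                findings.append(f"{section}: static_file credentials are trivial")
    return findings


# Constructed samples mirroring the article's frps.ini / frpc.ini snippets.
FRPS_SAMPLE = """\
[common]
bind_port = 7000
token = abcdefgh
dashboard_port = 7500
dashboard_user = admin
dashboard_pwd = admin
"""

FRPC_SAMPLE = """\
[common]
server_addr = x.x.x.x
server_port = 7000
token = abcdefgh

[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
remote_port = 6000

[test_static_file]
type = tcp
remote_port = 6000
plugin = static_file
plugin_local_path = /tmp/file
plugin_strip_prefix = static
plugin_http_user = abc
plugin_http_passwd = abc
"""

# The same client config with a real token, TLS on and a non-trivial plugin password.
FRPC_HARDENED = (FRPC_SAMPLE
                 .replace("token = abcdefgh", "token = CHANGE-ME-to-a-long-random-secret\ntls_enable = true")
                 .replace("plugin_http_passwd = abc", "plugin_http_passwd = CHANGE-ME-too"))

if __name__ == "__main__":
    for name, result in (("frps.ini", audit_frps(FRPS_SAMPLE)),
                         ("frpc.ini", audit_frpc(FRPC_SAMPLE)),
                         ("frpc.ini (hardened)", audit_frpc(FRPC_HARDENED))):
        print(name, result or "no findings")
```

Run against the article's own snippets it reports five findings for the client file and two for the server file; the hardened variant, which only changes the token, turns on tls_enable and picks a non-trivial plugin password, comes back clean.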
(4) Proxy speed limit
Currently, it is supported to set a proxy-level speed limit in the client's proxy configuration to limit the bandwidth that a single proxy can occupy.
# frpc.ini
[ssh]
type = tcp
local_port = 22
remote_port = 6000
bandwidth_limit = 1MB
Add the bandwidth_limit field to the proxy configuration to enable this feature. Currently only the MB and KB units are supported.
(5) Range port mapping
Multiple ports can be mapped from a single entry in the frpc configuration file; currently only the tcp and udp types are supported.
This function is implemented through the range: section prefix. The client parses the configuration in such a section and splits it into multiple proxies, each named with a numeric suffix.
For example, to map the six local ports 6000-6005, 6007, the main configuration is as follows:
# frpc.ini
[range:test_tcp]
type = tcp
local_ip = 127.0.0.1
local_port = 6000-6006,6007
remote_port = 6000-6006,6007
After the connection succeeds, 8 proxies are created, named test_tcp_0, test_tcp_1 ... test_tcp_7.
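The expansion the client performs on a range: section, as an added example in Python rather than frp's own Go implementation: it parses the port list, pairs local and remote ports, names each proxy with the numeric suffix described above, and rejects a section whose local and remote lists differ in length. RANGE_SAMPLE is constructed from the configuration just shown.

```python
"""Expand a frp `range:` section into the individual proxies frpc creates.
Added example, not frp's own code; RANGE_SAMPLE is constructed from the article.
"""
import configparser


def parse_ports(spec):
    """'6000-6006,6007' -> [6000, 6001, ..., 6006, 6007]."""
    ports = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad range {part!r}")
            ports.extend(range(lo, hi + 1))
        else:
            ports.append(int(part))
    for p in ports:
        if not 0 < p < 65536:
            raise ValueError(f"port {p} out of range")
    return ports


def expand_range_sections(ini_text):
    """Return {proxy_name: settings} for every [range:*] section in an frpc.ini."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    proxies = {}
    for section in cp.sections():
        if not section.startswith("range:"):
            continue
        base = section[len("range:"):]
        kind = cp.get(section, "type")
        if kind not in ("tcp", "udp"):
            raise ValueError(f"{section}: range sections support only tcp and udp")
        local = parse_ports(cp.get(section, "local_port"))
        remote = parse_ports(cp.get(section, "remote_port"))
        if len(local) != len(remote):
            raise ValueError(f"{section}: {len(local)} local ports but {len(remote)} remote ports")
        # One proxy per port pair, numbered from 0 in the order the ports were listed.
        for i, (lp, rp) in enumerate(zip(local, remote)):
            proxies[f"{base}_{i}"] = {
                "type": kind,
                "local_ip": cp.get(section, "local_ip", fallback="127.0.0.1"),
                "local_port": lp,
                "remote_port": rp,
            }
    return proxies


def range_is_valid(ini_text):
    """True when every range section expands cleanly."""
    try:
        expand_range_sections(ini_text)
        return True
    except (ValueError, configparser.Error):
        return False


RANGE_SAMPLE = """\
[common]
server_addr = x.x.x.x
server_port = 7000

[range:test_tcp]
type = tcp
local_ip = 127.0.0.1
local_port = 6000-6006,6007
remote_port = 6000-6006,6007
"""

if __name__ == "__main__":
    for name, p in expand_range_sections(RANGE_SAMPLE).items():
        print(name, p["local_port"], "->", p["remote_port"])
```

Note that the port lists are expanded independently and then zipped, so a typo that produces lists of different lengths is caught before any proxy is registered, rather than silently mapping the wrong ports.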
3. ew
3.1 Introduction
EW is a portable network penetration tool with two core functions, SOCKS v5 service setup and port forwarding, that can complete network penetration in complex network environments. However, the tool is no longer updated.
3.2 Features
- Lightweight, written in C language
- Multi-level proxies can be set up
- Cross-platform
- But only supports Socks5 proxy
3.3 How to use
The following usage methods are taken from: http://rootkiter.com/EarthWorm/
In all the following examples, unless otherwise specified, the proxy port is 1080 and the service is SOCKSv5 proxy service.
This tool has 6 command formats (ssocksd, rcsocks, rssocks, lcx_slave, lcx_listen, lcx_tran).
1. Forward SOCKS v5 server
$ ./ew -s ssocksd -l 1080
2. Rebound SOCKS v5 server
This operation takes two steps:
a) First run the following on host A, which has a public IP:
$ ./ew -s rcsocks -l 1080 -e 8888
b) Then start the SOCKS v5 service on target host B and bounce it to port 8888 of the public host (1.1.1.1 here):
$ ./ew -s rssocks -d 1.1.1.1 -e 8888
The setup succeeds once rssocks on B connects back to rcsocks on A; the SOCKS service is then reachable on port 1080 of A.
3. Multi-level cascade
There are three port forwarding instructions that come with the tool. Their parameter formats are:
$ ./ew -s lcx_listen -l 1080 -e 8888
$ ./ew -s lcx_tran -l 1080 -f 2.2.2.3 -g 9999
$ ./ew -s lcx_slave -d 1.1.1.1 -e 8888 -f 2.2.2.3 -g 9999
Through these port forwarding commands, TCP-based services deep in the network, such as SOCKS v5, can be forwarded out to the root. First, two "two-level cascade" local SOCKS test samples:
a) lcx_tran usage
$ ./ew -s ssocksd -l 9999
$ ./ew -s lcx_tran -l 1080 -f 127.0.0.1 -g 9999
b) lcx_listen and lcx_slave usage
$ ./ew -s lcx_listen -l 1080 -e 8888
$ ./ew -s ssocksd -l 9999
$ ./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999
A "three-level cascade" local SOCKS test case is provided for reference.
$ ./ew -s rcsocks -l 1080 -e 8888
$ ./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999
$ ./ew -s lcx_listen -l 9999 -e 7777
$ ./ew -s rssocks -d 127.0.0.1 -e 7777
Data flow:SOCKS v5 -> 1080 -> 8888 -> 9999 -> 7777 -> rssocks
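The data-flow line above is what you get by following each listening port to where its mode sends the connection next. The following added example (Python; not part of EW or of the quoted documentation) parses the six -s modes listed above, builds that port-to-port map, and walks it from the client's entry port (1080 unless told otherwise, as the text states) to the terminating SOCKS server, reproducing the three-level data flow and flagging a chain that is missing a link. The command lists are the article's own cascade examples.

```python
"""Trace the path a SOCKS client takes through a set of EarthWorm commands.
Added example, not part of EW; the command lists are the article's examples.
"""
import shlex

SOCKS_SERVERS = {"ssocksd", "rssocks"}   # the two modes that terminate a chain


def parse_ew(cmd):
    """'$ ./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999' -> {'s': 'lcx_slave', 'd': ..., ...}"""
    argv = shlex.split(cmd.lstrip("$ "))
    opts = {}
    i = 1                                     # argv[0] is the ew binary
    while i < len(argv):
        if argv[i].startswith("-") and i + 1 < len(argv):
            opts[argv[i][1:]] = argv[i + 1]
            i += 2
        else:
            i += 1
    if "s" not in opts:
        raise ValueError(f"no -s mode in {cmd!r}")
    return opts


def hops(commands):
    """Map each port a connection arrives on to the port (or SOCKS mode) it is handed to next."""
    nxt = {}
    for cmd in commands:
        o = parse_ew(cmd)
        mode = o["s"]
        if mode == "ssocksd":                 # local SOCKS server on -l
            nxt[o["l"]] = "ssocksd"
        elif mode == "rcsocks":               # clients on -l, rssocks connects to -e
            nxt[o["l"]] = o["e"]
        elif mode == "rssocks":               # dials -d:-e and serves SOCKS over it
            nxt[o["e"]] = "rssocks"
        elif mode == "lcx_listen":            # clients on -l, a slave connects to -e
            nxt[o["l"]] = o["e"]
        elif mode == "lcx_tran":              # clients on -l, forwarded to -f:-g
            nxt[o["l"]] = o["g"]
        elif mode == "lcx_slave":             # bridges -d:-e and -f:-g
            nxt[o["e"]] = o["g"]
        else:
            raise ValueError(f"unknown mode {mode!r}")
    return nxt


def data_flow(commands, entry="1080"):
    """Return the chain ['SOCKS v5', entry, port, ..., 'ssocksd' | 'rssocks']."""
    nxt = hops(commands)
    chain = ["SOCKS v5", entry]
    cur, seen = entry, set()
    while cur in nxt and cur not in seen:
        seen.add(cur)
        cur = nxt[cur]
        chain.append(cur)
    if cur not in SOCKS_SERVERS:
        raise ValueError(f"chain stops at {cur!r} without reaching a SOCKS server")
    return chain


def render(commands, entry="1080"):
    return " -> ".join(data_flow(commands, entry))


# The article's examples.
TWO_LEVEL_A = ["$ ./ew -s ssocksd -l 9999",
               "$ ./ew -s lcx_tran -l 1080 -f 127.0.0.1 -g 9999"]
TWO_LEVEL_B = ["$ ./ew -s lcx_listen -l 1080 -e 8888",
               "$ ./ew -s ssocksd -l 9999",
               "$ ./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999"]
THREE_LEVEL = ["$ ./ew -s rcsocks -l 1080 -e 8888",
               "$ ./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999",
               "$ ./ew -s lcx_listen -l 9999 -e 7777",
               "$ ./ew -s rssocks -d 127.0.0.1 -e 7777"]

if __name__ == "__main__":
    for cmds in (TWO_LEVEL_A, TWO_LEVEL_B, THREE_LEVEL):
        print("Data flow:" + render(cmds))
```

The map is keyed only by port because all of the article's samples run on 127.0.0.1; for a multi-host chain you would key on host:port and read the -d/-f addresses as well. Leaving out the final rssocks command makes data_flow stop at 7777 and raise, which is the check that each hop actually has a listener behind it.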
4. ngrok
4.1 Introduction
ngrok is a reverse proxy that establishes a secure channel between a public endpoint and a locally running web server, so that services on an intranet host can be exposed to the external network. ngrok can capture and record the traffic on all channels for later analysis and replay, which makes it a convenient aid for testing server-side programs.
4.2 Features
- Official maintenance, generally relatively stable
- Cross-platform, closed source
- Has traffic recording and retransmission functions
4.3 How to use
- Enter the ngrok official website (https://ngrok.com/), register an ngrok account and download ngrok;
- Run the authorization command with the authtoken shown on the official website:
./ngrok authtoken 1hAotxhmORtzCYvUc3BsxDBPh1H_****
- Then run:
./ngrok http 80
This exposes the machine's port 80 HTTP service to the public network and provides a public domain name.
You can view packets, traffic and so on through the web UI on the official website (this requires a paid plan).
You can also expose files and other TCP services on the intranet to the public network through some commands.
Set up file sharing with authorization
ngrok http -auth="user:password" file:///Users/alan/share
Setting up file sharing without authorization
ngrok http "file:///C:\Users\alan\Public Folder"
Expose the host's TCP port 3389 to the public network
ngrok tcp 3389
For more usage reference: https://ngrok.com/docs