Nanny-level tutorial: Summary of using intranet penetration tools

1. nps-npc


1.1 Introduction

nps is a lightweight, high-performance intranet penetration (reverse proxy) server. It currently forwards TCP and UDP traffic, so it can carry any protocol layered on TCP or UDP (access to intranet websites, debugging a local payment interface, SSH access, remote desktop, intranet DNS resolution, and so on). It also provides an intranet HTTP proxy, an intranet SOCKS5 proxy, P2P and more, and ships with a full web management console.

  • A server (VPS) with a public IP runs the server side (NPS)

  • One or more servers or PCs on the intranet run the client (NPC)

1.2 Features

  1. Written in Go language

  2. Support cross-platform

  3. Proxies for multiple protocols

  4. web management terminal

1.3 How to use

https://github.com/ehang-io/nps/releases

1.4 NPS

Installation configuration

Download the server build that matches your server's platform:

```bash
cd ~
wget https://github.com/cnlh/nps/releases/download/v0.23.2/linux_amd64_server.tar.gz
tar xzvf linux_amd64_server.tar.gz
cd ~/nps
```

Under the nps directory there is the nps executable, the conf configuration directory and the web page directory. Only conf/nps.conf needs to be modified:

```bash
vim conf/nps.conf
```

Change the following parameters under #web:

```ini
web_host=<server IP or domain name>
web_username=admin              # login user name
web_password=<your password>
web_port=8080                   # web management port
```

Under #bridge you can change the port that NPC connects to. For example, if the server you obtained has limited permissions and sits behind a firewall that only lets a few ports (80, 443) out, change it to one of those outgoing ports.

```ini
##bridge
bridge_type=tcp
bridge_port=443        # change the connection port
bridge_ip=0.0.0.0
```

Start

```bash
# Mac/Linux
./nps test|start|stop|restart|status    # test the config file | start | stop | restart | status

# Windows
nps.exe test|start|stop|restart|status  # test the config file | start | stop | restart | status
```

1.5 NPC

```bash
./npc -server=<your IP>:8024 -vkey=<unique verification key> -type=tcp
```

After a new client has been added in the web management terminal, the full client connection command can also be viewed there by expanding the client entry (the + button).

1.6 web management terminal

Client connections are added on the client page through Add (新增); each connection is uniquely identified by its vkey.

Each client can establish multiple tunnels with different protocols after establishing a connection. Each of these tunnels is a different proxy.

Through these proxies you can reach the intranet machine behind the client over different protocols and ports.

2. frp


2.1 Introduction

frp is a high-performance reverse proxy application focused on intranet penetration, supporting multiple protocols such as TCP, UDP, HTTP and HTTPS. Intranet services can be exposed to the public network safely and conveniently by relaying through a node that has a public IP.

2.2 Features

  • Client-server communication supports multiple protocols such as TCP, KCP and Websocket.

  • Port reuse, multiple services are exposed through the same server port.

  • Cross-platform, though it supports slightly fewer platforms than nps

  • A variety of plug-ins, providing many functions

2.3 How to use

Download: https://github.com/fatedier/frp/releases

The following content is taken from: https://segmentfault.com/a/1190000021876836

1. Access your home machine through rdp

  1. Modify frps.ini. For security, configure authentication here: if the token parameter in the [common] section is the same on server and client, authentication passes:

    ```ini
    # frps.ini
    [common]
    bind_port = 7000
    # used for authentication; change it and keep server and client consistent
    token = abcdefgh
    ```

  2. Start frps:

    ```bash
    ./frps -c ./frps.ini
    ```

  3. Modify frpc.ini, assuming the public IP of the server running frps is x.x.x.x:

    ```ini
    # frpc.ini
    [common]
    server_addr = x.x.x.x
    server_port = 7000
    # used for authentication; change it and keep server and client consistent
    token = abcdefgh

    [rdp]
    type = tcp
    local_ip = 127.0.0.1
    local_port = 3389
    remote_port = 6000
    ```

    
  4. Start frpc:

    ```bash
    ./frpc -c ./frpc.ini
    ```

  5. Access the remote machine through RDP at:

    ```text
    x.x.x.x:6000
    ```

Start automatically at boot

For Windows systems, for ease of use, you can configure it to start silently when booting.

  1. Create start_frpc.vbs in the same directory as frpc.exe:

    ```vbscript
    'start_frpc.vbs
    'adjust the paths to your actual installation
    CreateObject("WScript.Shell").Run """D:\Program Files\frp_windows_amd64\frpc.exe""" & " -c " & """D:\Program Files\frp_windows_amd64\frpc.ini""", 0
    ```

    
  2. Copy start_frpc.vbs, then open the following directory (replace <USER_NAME> with your own user name):

    ```text
    C:\Users\<USER_NAME>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
    ```

  3. Right-click and paste as a shortcut.

2. Access the company’s intranet machine through SSH

The deployment steps for frps are the same as above.

  1. Start frpc with the following configuration:

    ```ini
    # frpc.ini
    [common]
    server_addr = x.x.x.x
    server_port = 7000
    # used for authentication; change it and keep server and client consistent
    token = abcdefgh

    [ssh]
    type = tcp
    local_ip = 127.0.0.1
    local_port = 22
    remote_port = 6000
    ```

  2. Access the intranet machine through SSH, assuming the user name is test:

    ```bash
    ssh -oPort=6000 test@x.x.x.x
    ```

3. Access web services deployed on the intranet through a custom domain name

Sometimes we want others to reach or test a web service built locally through a domain name, but because the local machine has no public IP the domain cannot be resolved to it. frp makes this possible. The example below is for an HTTP service; an HTTPS service is configured the same way, replacing vhost_http_port with vhost_https_port and setting type to https.

  1. Modify frps.ini and set the HTTP access port to 8080:

    ```ini
    # frps.ini
    [common]
    bind_port = 7000
    vhost_http_port = 8080
    # used for authentication; change it and keep server and client consistent
    token = abcdefgh
    ```

    
  2. Start frps:

    ```bash
    ./frps -c ./frps.ini
    ```

  3. Modify frpc.ini, assuming the IP of the server running frps is x.x.x.x; local_port is the port of the web service on the local machine, and custom_domains binds the custom domain www.yourdomain.com:

    ```ini
    # frpc.ini
    [common]
    server_addr = x.x.x.x
    server_port = 7000
    # used for authentication; change it and keep server and client consistent
    token = abcdefgh

    [web]
    type = http
    local_port = 80
    custom_domains = www.yourdomain.com
    ```

    
  4. Start frpc:

    ```bash
    ./frpc -c ./frpc.ini
    ```

  5. Point the A record of www.yourdomain.com to the IP x.x.x.x. If the server already has a domain name, you can instead point a CNAME record at the server's existing domain name.

  6. Open http://www.yourdomain.com:8080 in a browser to reach the web service on the intranet machine.

4. Provide simple file access services to the outside world

A simple HTTP-based file access service can be exposed externally through the static_file plug-in.

The deployment steps for frps are the same as above.

  1. Start frpc with the static_file plug-in enabled, configured as follows:

    ```ini
    # frpc.ini
    [common]
    server_addr = x.x.x.x
    server_port = 7000
    # used for authentication; change it and keep server and client consistent
    token = abcdefgh

    [test_static_file]
    type = tcp
    remote_port = 6000
    plugin = static_file
    # the directory to expose externally
    plugin_local_path = /tmp/file
    # prefix stripped from the access URL; what remains is the file path to serve
    plugin_strip_prefix = static
    plugin_http_user = abc
    plugin_http_passwd = abc
    ```

  2. Open http://x.x.x.x:6000/static/ in a browser to view the files in /tmp/file; you will be prompted for the user name and password configured above.

2.4 Statistics panel

View the status of frp and the display of proxy statistics through the browser.

Note: Dashboard has not been optimized for displaying large amounts of proxy data. If Dashboard access is slow, please do not enable this feature.

To enable this function, specify the port used by the dashboard service in frps.ini:

```ini
[common]
dashboard_port = 7500
# dashboard user name and password; both default to admin
dashboard_user = admin
dashboard_pwd = admin
```

Open http://[server_addr]:7500 in a browser to reach the dashboard. The default user name and password are both admin.

2.5 Encryption and Compression

Neither function is enabled by default. Encryption and compression are enabled per proxy in frpc.ini; the compression algorithm is snappy:

```ini
# frpc.ini
[ssh]
type = tcp
local_port = 22
remote_port = 6000
use_encryption = true
use_compression = true
```

If the company's intranet firewall identifies and blocks outbound traffic, for example by blocking the SSH protocol, setting use_encryption = true encrypts the communication between frpc and frps and effectively prevents the traffic from being identified and intercepted.

If the transmitted messages are long, setting use_compression = true compresses the content, which effectively reduces network traffic between frpc and frps and speeds up forwarding, at the cost of some extra CPU.

2.6 TLS

Starting from v0.25.0, frpc and frps can communicate over TLS. Enable it by setting tls_enable = true in the [common] section of frpc.ini for greater security.

For port reuse, the first byte used by frp to establish a TLS connection is 0x17.

Note: After enabling this function, there is no need to set use_encryption except xtcp.
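The token, dashboard, use_encryption and tls_enable settings from sections 2.3 to 2.6, together with the nps.conf web password from section 1.4, are easy to leave at their tutorial values. The following audit script is an added example written for this page, not code from nps or frp; the sample configs, the WEAK_SECRETS deny-list and the address 203.0.113.10 are constructed for it. It parses each file with Python's configparser and reports the weak settings, with a hardened frpc.ini beside them that passes clean.

```python
"""Added example (not nps or frp code): audit the settings the tutorial edits in
nps.conf (section 1.4) and frps.ini / frpc.ini (sections 2.3 to 2.6), flagging
values left at defaults or placeholders. The samples and the WEAK_SECRETS list
are constructed for this example; 203.0.113.10 is a documentation address."""
import configparser
from typing import List

# Constructed deny-list: the tutorial's own sample secrets plus obvious defaults.
WEAK_SECRETS = {"", "admin", "abc", "abcdefgh", "123456", "password"}


def _parse(text: str, flat: bool = False) -> configparser.ConfigParser:
    # nps.conf has no [section] headers, so flat=True prepends a synthetic one;
    # inline '# ...' comments are stripped because nps.conf uses them.
    cp = configparser.ConfigParser(inline_comment_prefixes=("#",), interpolation=None)
    cp.read_string(("[nps]\n" + text) if flat else text)
    if not flat and not cp.has_section("common"):
        cp.add_section("common")  # lets every check read cp["common"] safely
    return cp


def audit_nps(text: str) -> List[str]:
    """nps.conf: the web console password must not be a default or placeholder."""
    web = _parse(text, flat=True)["nps"]
    return ["web_password is empty or weak"] if web.get("web_password", "") in WEAK_SECRETS else []


def audit_frps(text: str) -> List[str]:
    """frps.ini: client auth token and dashboard login."""
    common = _parse(text)["common"]
    findings = []
    if common.get("token", "") in WEAK_SECRETS:
        findings.append("[common] token missing or weak: clients are not authenticated")
    # Section 2.4: dashboard_user and dashboard_pwd default to admin when unset.
    if "dashboard_port" in common and common.get("dashboard_pwd", "admin") in WEAK_SECRETS:
        findings.append("[common] dashboard enabled with a default or weak password")
    return findings


def audit_frpc(text: str) -> List[str]:
    """frpc.ini: token, per-proxy transport encryption, static_file credentials."""
    cp = _parse(text)
    common = cp["common"]
    findings = []
    if common.get("token", "") in WEAK_SECRETS:
        findings.append("[common] token missing or weak")
    tls = common.getboolean("tls_enable", fallback=False)
    for name in cp.sections():
        if name == "common":
            continue
        proxy = cp[name]
        encrypted = proxy.getboolean("use_encryption", fallback=False)
        # Section 2.6: tls_enable covers every proxy type except xtcp, which
        # still needs use_encryption on the proxy itself.
        if not encrypted and (not tls or proxy.get("type") == "xtcp"):
            findings.append(f"[{name}] frpc<->frps traffic is not encrypted "
                            "(set tls_enable in [common] or use_encryption here)")
        if proxy.get("plugin") == "static_file" and \
                proxy.get("plugin_http_passwd", "") in WEAK_SECRETS:
            findings.append(f"[{name}] static_file exposes a directory with a weak password")
    return findings


# Constructed sample configs mirroring the tutorial's values.
NPS_SAMPLE = """\
web_host=203.0.113.10
web_username=admin
web_password=admin
web_port=8080
bridge_port=443        # changed connection port
"""
FRPS_SAMPLE = """\
[common]
bind_port = 7000
dashboard_port = 7500
dashboard_pwd = admin
token = abcdefgh
"""
FRPC_WEAK = """\
[common]
server_addr = 203.0.113.10
server_port = 7000
token = abcdefgh
[ssh]
type = tcp
local_port = 22
remote_port = 6000
[files]
type = tcp
remote_port = 6001
plugin = static_file
plugin_http_passwd = abc
"""
FRPC_HARDENED = """\
[common]
server_addr = 203.0.113.10
server_port = 7000
token = 9f2c6e1b7a4d8c0e5b3a1f7d2c9e4b6a
tls_enable = true
[ssh]
type = tcp
local_port = 22
remote_port = 6000
"""

if __name__ == "__main__":
    for label, fn, cfg in (("nps.conf", audit_nps, NPS_SAMPLE), ("frps.ini", audit_frps, FRPS_SAMPLE),
                           ("frpc.ini weak", audit_frpc, FRPC_WEAK), ("frpc.ini hardened", audit_frpc, FRPC_HARDENED)):
        print(label, fn(cfg) or ["no findings"])
```

Run it as a script to print the findings for each sample. The xtcp branch in audit_frpc encodes the note above that tls_enable does not replace use_encryption for that proxy type, and the weak frpc.ini produces four findings (token, two unencrypted proxies, weak static_file password) while the hardened one produces none.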

2.7 Proxy speed limit

A proxy-level speed limit can currently be set in the client's proxy configuration to cap the bandwidth a single proxy may use.

```ini
# frpc.ini
[ssh]
type = tcp
local_port = 22
remote_port = 6000
bandwidth_limit = 1MB
```

Add the bandwidth_limit field to the proxy configuration to enable this feature. Currently only the MB and KB units are supported.

2.8 Range port mapping

Multiple ports can be mapped from one section of the frpc configuration file. Currently only the tcp and udp types are supported.

This is implemented through the range: section tag. The client parses the configuration in such a section and splits it into multiple proxies, each named with a numeric suffix.

For example, to map the six local ports 6000-6005, 6007, the main configuration is as follows:

```ini
# frpc.ini
[range:test_tcp]
type = tcp
local_ip = 127.0.0.1
local_port = 6000-6006,6007
remote_port = 6000-6006,6007
```

After the actual connection is successful, 8 proxies will be created and named test_tcp_0, test_tcp_1 ... test_tcp_7.
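To make the splitting concrete, here is an added example that re-implements the range: expansion in Python. It is not frp's own code; it follows the behaviour described above (port-spec parsing, numeric suffixes, tcp and udp only), and the sample configuration, including the address 203.0.113.10, is constructed for it. It also rejects the case the page does not mention, where local_port and remote_port expand to different numbers of ports, rather than silently mapping a partial set.

```python
"""Added example, not frp's own code: a re-implementation of how frpc expands a
[range:name] section into numbered proxies, following the behaviour described
above (local_port = 6000-6006,6007 becomes test_tcp_0 ... test_tcp_7). The
sample config is constructed for this example."""
import configparser
from typing import Dict, List


def parse_ports(spec: str) -> List[int]:
    """Expand a port spec such as '6000-6006,6007' into a flat, ordered list."""
    ports: List[int] = []
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if not 1 <= lo <= hi <= 65535:
                raise ValueError(f"invalid port range {part!r}")
            ports.extend(range(lo, hi + 1))
        else:
            port = int(part)
            if not 1 <= port <= 65535:
                raise ValueError(f"invalid port {part!r}")
            ports.append(port)
    return ports


def expand_range_sections(ini_text: str) -> Dict[str, Dict[str, str]]:
    """Return {proxy_name: settings} with every range: section split out.
    Non-range sections are passed through unchanged; [common] is skipped."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    proxies: Dict[str, Dict[str, str]] = {}
    for name in cp.sections():
        if name == "common":
            continue
        settings = dict(cp[name])
        if not name.startswith("range:"):
            proxies[name] = settings
            continue
        base = name[len("range:"):]
        if settings.get("type") not in ("tcp", "udp"):  # the page: tcp and udp only
            raise ValueError(f"[{name}] range sections support only tcp and udp")
        local = parse_ports(settings["local_port"])
        remote = parse_ports(settings["remote_port"])
        if len(local) != len(remote):
            raise ValueError(f"[{name}] local_port and remote_port expand to "
                             f"{len(local)} and {len(remote)} ports")
        for i, (lp, rp) in enumerate(zip(local, remote)):
            # Each proxy is named with a numeric suffix, as the page describes.
            proxies[f"{base}_{i}"] = dict(settings, local_port=str(lp), remote_port=str(rp))
    return proxies


# Constructed sample mirroring the tutorial's [range:test_tcp] configuration.
SAMPLE = """\
[common]
server_addr = 203.0.113.10
server_port = 7000

[range:test_tcp]
type = tcp
local_ip = 127.0.0.1
local_port = 6000-6006,6007
remote_port = 6000-6006,6007
"""

if __name__ == "__main__":
    for proxy_name, cfg in expand_range_sections(SAMPLE).items():
        print(proxy_name, cfg["local_ip"], cfg["local_port"], "->", cfg["remote_port"])
```

Running the script lists test_tcp_0 through test_tcp_7 with their local and remote ports, matching the eight proxies the page says frpc creates.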

3. ew


3.1 Introduction

EW (EarthWorm) is a portable network penetration tool with two core functions, SOCKS v5 service setup and port forwarding, which let it complete network penetration in complex network environments. However, the tool is no longer updated.

3.2 Features

  1. Lightweight, written in C language

  2. Multi-level proxies can be set up

  3. Cross-platform

  4. But only supports Socks5 proxy

3.3 How to use

The following usage methods are taken from: http://rootkiter.com/EarthWorm/

In all the following examples, unless otherwise specified, the proxy port is 1080 and the service is SOCKSv5 proxy service.

This tool has 6 command formats (ssocksd, rcsocks, rssocks, lcx_slave, lcx_listen, lcx_tran).

1. Forward SOCKS v5 server

```bash
$ ./ew -s ssocksd -l 1080
```

2. Rebound SOCKS v5 server

This operation is divided into two steps:
a) First run the following command on a host A with a public network IP:

```bash
$ ./ew -s rcsocks -l 1080 -e 8888
```

b) Start the SOCKS v5 service on target host B and bounce it to port 8888 of the public host:

```bash
$ ./ew -s rssocks -d 1.1.1.1 -e 8888
```

Once both are running, the SOCKS v5 service bounced from host B is reachable on port 1080 of host A.

3. Multi-level cascade

There are three port forwarding commands built into the tool. Their parameter formats are:

```bash
$ ./ew -s lcx_listen -l  1080   -e 8888
$ ./ew -s lcx_tran   -l  1080   -f 2.2.2.3 -g 9999
$ ./ew -s lcx_slave  -d 1.1.1.1 -e 8888    -f 2.2.2.3  -g  9999
```

Through these port forwarding commands, a TCP-based service deep inside the network, such as SOCKS v5, can be forwarded out to the outermost host. First, two "two-level cascade" local SOCKS test samples are provided:

a) Usage of lcx_tran

```bash
$ ./ew -s ssocksd  -l 9999
$ ./ew -s lcx_tran -l 1080 -f 127.0.0.1 -g 9999
```

b) Usage of lcx_listen and lcx_slave

```bash
$ ./ew -s lcx_listen -l 1080 -e 8888
$ ./ew -s ssocksd    -l 9999
$ ./ew -s lcx_slave  -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999
```

A "three-level cascade" local SOCKS test case is provided for reference:

```bash
$ ./ew -s rcsocks -l 1080 -e 8888
$ ./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999
$ ./ew -s lcx_listen -l 9999 -e 7777
$ ./ew -s rssocks -d 127.0.0.1 -e 7777
```

Data flow: SOCKS v5 -> 1080 -> 8888 -> 9999 -> 7777 -> rssocks

4. ngrok


4.1 Introduction

ngrok is a reverse proxy that establishes a secure tunnel between a public endpoint and a locally running web server, so that services on an intranet host can be exposed to the external network. ngrok can capture and inspect the traffic on every tunnel for later analysis and replay, which makes it convenient for testing server-side programs.

4.2 Features

  1. Officially maintained, generally stable

  2. Cross-platform, closed source

  3. Has traffic recording and retransmission functions

4.3 How to use

  1. Go to the ngrok website (https://ngrok.com/), register an account and download ngrok;

  2. Run the authorization command with the authtoken shown on the website:

    ```bash
    ./ngrok authtoken 1hAotxhmORtzCYvUc3BsxDBPh1H_****
    ```

  3. ./ngrok http 80 exposes the machine's HTTP service on port 80 to the public network and returns a public domain name.

Packets, traffic and so on can be viewed in the web UI on the official website (paid feature).

Other commands expose intranet files and other TCP services to the public network.

Set up file sharing with authorization

```bash
ngrok http -auth="user:password" file:///Users/alan/share
```

Set up file sharing without authorization

```bash
ngrok http "file:///C:\Users\alan\Public Folder"
```

Expose the host's TCP port 3389 to the public network

```bash
ngrok tcp 3389
```

For more usage reference: https://ngrok.com/docs

5. Reference links


  1. https://xz.aliyun.com/t/770

  2. https://segmentfault.com/a/1190000021876836

  3. http://rootkiter.com/EarthWorm/

How to learn hacking & network security

As long as you like my article today, my private network security learning materials will be shared with you for free. Come and see what is available.

1. Learning roadmap

There are a lot of things to learn about attack and defense. I have written down the specific things you need to learn in the road map above. If you can complete them, you will have no problem getting a job or taking on a private job.

2. Video tutorial

Although there are many learning resources on the Internet, they are basically incomplete. This is an Internet security video tutorial I recorded myself. I have accompanying video explanations for every knowledge point in the roadmap above.

The content covers the study of network security laws, network security operations and other security assessments, penetration testing basics, detailed explanations of vulnerabilities, basic computer knowledge, etc. They are all must-know learning contents for getting started with network security.

(They are all packaged into one piece and cannot be expanded one by one. There are more than 300 episodes in total)

Due to limited space, only part of the information is displayed. You need to click on the link below to obtain it.

CSDN gift package: "Hacker & Network Security Introduction & Advanced Learning Resource Package" free sharing

3. Technical documents and e-books

I also compiled the technical documents myself, including my experience and technical points in participating in large-scale network security operations, CTF, and digging SRC vulnerabilities. There are more than 200 e-books. Due to the sensitivity of the content, I will not display them one by one.


4. Toolkit, interview questions and source code

"If you want to do your job well, you must first sharpen your tools." I have summarized dozens of the most popular hacking tools for everyone. The scope of coverage mainly focuses on information collection, Android hacking tools, automation tools, phishing, etc. Interested students should not miss it.

There is also the case source code and corresponding toolkit mentioned in my video, which you can take away if needed.


Finally, here are the interview questions about network security that I have compiled over the past few years. If you are looking for a job in network security, they will definitely help you a lot.

These questions are often encountered when interviewing Sangfor, Qi Anxin, Tencent or other major companies. If you have good questions or good insights, please share them.

Reference analysis: Sangfor official website, Qi’anxin official website, Freebuf, csdn, etc.

Content features: Clear organization and graphical representation to make it easier to understand.

Content summary: Including intranet, operating system, protocol, penetration testing, security service, vulnerability, injection, XSS, CSRF, SSRF, file upload, file download, file inclusion, XXE, logical vulnerability, tools, SQLmap, NMAP, BP, MSF…



Origin blog.csdn.net/Python_0011/article/details/133700367