
Intranet Penetration: Tunnel Setup, and Intranet Traversal with Ngrok and Frp

Author: Annoying stars

1. Preamble

  During intranet penetration, many intranet hosts cannot reach hosts on the external network, or are heavily restricted, so our backdoor Trojan cannot call back. In that case we need tunnelling techniques such as DNS tunnels or ICMP tunnels, chosen according to the specific situation, or intranet traversal, so that the intranet host can get through the firewall and reach the external network.

1.1. Introduction to tunneling technology

  Put simply, tunnelling exists to solve a communication problem: when a firewall, or a particular protocol or port, is restricted, tunnelling borrows a different protocol or a different port to bypass the firewall's restriction, so that a host on the internal network and a host on the external network can connect.

1.2. Introduction to Proxy Technology

  Proxy technology is mainly used to solve the situation where two networks cannot communicate. Whether it is a forward proxy, a reverse proxy or a transparent proxy, all of them exist to connect two networks that are otherwise not connected, so that networks that originally could not interoperate can communicate.

  At the same time, a proxy can also hide the visitor's information: during the communication it is actually the proxy server that accesses the server, not the host accessing the server directly, so the access record left on the server holds the IP address of the proxy server.

1.2.1. Forward Proxy

  Forward proxy: under normal circumstances a proxy is a forward proxy by default. A forward proxy server sits between the user host and the server. Originally the user host and the server cannot communicate with each other, because some policy may have been set that prevents mutual access.

  Put simply, the user host is on one local area network and the server is on another; can the two local area networks communicate with each other? It is similar to two different network segments in the same network, which in essence cannot communicate with each other. To achieve communication you need to set up a route and let a router or a layer 3 switch forward the traffic, which is equivalent to the user host handing the request with the destination IP to the router and letting the router find the target.

  Here the forward proxy server plays the role of that router: the user host hands its data to the forward proxy server, the forward proxy server finds the server, the server processes the forward proxy's data, and the forward proxy then forwards the server's response to the user host, forming two-way communication. In this case, a forward proxy is the user sending a request to the server through the forward proxy server.


1.2.2. Reverse Proxies

  A reverse proxy, simply put, is when the user sends the request traffic to the reverse proxy server; after receiving the request, the reverse proxy server builds a request of its own and passes it to the server for processing. After processing, the server passes the result back to the reverse proxy server, which in turn builds the response to the client. In this process the reverse proxy server is the real server as far as the user is concerned, whereas from the server's point of view the reverse proxy server serves the user in the server's place.


1.2.3. Transparent Proxy

  The behaviour of a transparent proxy is very similar to that of a forward proxy. First, while the user submits data to the server, the transparent proxy server intercepts the data; the transparent proxy server then accesses the server on behalf of the user and passes the response back to the user host. In this process the user notices nothing and believes it is accessing the real server, when in fact the packet has long since been handled by the transparent proxy. A transparent proxy can also be used to monitor what the user accesses; Internet behaviour management products mostly use this proxy mode.

  At the same time, the request that the transparent proxy sends during access carries the real IP information: when the transparent proxy intercepts, it only sends the packet on the user's behalf and does not modify the request parameters. An encrypting transparent proxy, of course, is an anonymous proxy.


1.2.4. Difference Between Forward Proxies and Transparent Proxies

  Forward proxy: the user needs to make the corresponding configuration, so the user knows that it is actually accessing the server through the forward proxy.

  Transparent proxy: the user does not need to make any configuration; when the user accesses the server it believes it completed the whole process itself, when in fact the transparent proxy accessed the server on its behalf, and the whole process is invisible to the user.

2. Intranet penetration

  In fact, intranet traversal uses proxies to solve the problem of two sides not being able to communicate at all, whereas with tunnelling the two sides can in principle communicate but are in some cases blocked by the firewall's policy, which is why tunnelling techniques are needed.

This gives the following situations:
The target has a public-network egress and the attack machine does not: a reverse Trojan cannot call back, a forward Trojan can.
The target has no public-network egress and the attack machine does: a reverse Trojan can call back, a forward Trojan cannot.
Neither the target nor the attack machine has a public-network egress: neither a reverse nor a forward Trojan can call back; most of the time this is the case.

2.1. Ngrok

  This is based on my personal understanding; if the direction or the process here is wrong, experts, please give your advice!!!

  The main principle of Ngrok is reverse proxying; the specific process is described here in terms of the Trojan call-back process!

  First, the attack machine establishes a tunnel connection with the proxy server. The Trojan is generated with the IP address and port of the proxy server and is then sent to the target host. When the target host comes online it bounces the shell to the IP and port of the proxy server, and the proxy server forwards the rebounded shell to the local machine. That is the whole process.

  In this process the target host never learns the IP address of the attack machine, which means the target host has become the user machine and the attack machine has become the server.


2.1.1. Access to Ngrok

  Since Ngrok now requires real-name authentication, it depends on your requirements!!

  Ngrok: Member Login

2.1.2. Proxy Settings

  If anything here is unclear, read the official manual; it is very detailed!!

2.1.2.1. Activate the agent

  Here we use the free tunnel for the demonstration, but the free tunnel is after all relatively poor, so this is only a demonstration; in a real test it is better to spend a little money!!! There is perhaps a bit of a conflict here: buying cloud servers costs money and buying proxies costs money, which is hard to manage!!


2.1.2.2. Configure the tunnel

  After purchasing there is a tunnel-opening page, where you configure the following. The port can be filled in freely; an available port will be offered and you can choose one. The IP in the "local port" field should be the local address of your attack machine plus a port.


2.1.2.3. Download the client

  Here you can see some detailed information. Next you need to download the client; since CS is used for the test, you need the Linux client: click the client download and find the corresponding system and version.


2.1.3. Configuring the Client

  At this point, we need to configure the client.

2.1.3.1. Add execution right

  After downloading the Linux client we get a single file, but this file has no execute permission, so here we add execute permission to the file.


2.1.3.2. Tunnel connection

  After adding the execute permission above we can connect. After connecting, refresh the status shown below and you can see that the connection succeeded.

./sunny clientid <tunnel ID> ## replace <tunnel ID> with the ID of the tunnel configured above

2.1.4. Generating Trojans

  Now that the tunnel is established, we try to create a backdoor Trojan with CS. Two listeners need to be configured: one is used to generate the backdoor Trojan, and the other is used to listen.

2.1.4.1. Configure Trojan Generator Listener

  The following is the listener used to generate the Trojan. The IP address here must be the IP address that the domain name resolves to, and the port is the port shown above, i.e. the port you filled in when creating the tunnel, not the local port!!


2.1.4.2. Configure the online listener

  Here we configure the online listener; its listening port is the local port, because the backdoor Trojan's traffic is forwarded to the local machine after it connects to the address.


2.1.5. Check the online status

  Presumably there is no need to explain how to generate the Trojan; it is quite simple and I won't cover it here. Here we look directly at the online result: you can see that it came online successfully, and the KAIR client has also generated the corresponding traffic.


2.1.6. Summary

  About the Ngrok proxy: it is really convenient to use, but it has fewer functions, and when the intranet situation is more complicated it may not be so easy to use. If it is MSF coming online, then it is simpler: you can use TCP or HTTP. With HTTP, fill in the domain name directly as the connection address when generating the Trojan; the port defaults to 80, and the local listener is still the port connected to the server. You can see for yourself.

2.2. Frp

  FRP is a high-performance reverse proxy application focused on intranet traversal, supporting multiple protocols such as TCP, UDP, HTTP and HTTPS. Through a relay node with a public IP, intranet services can be exposed to the public network in a secure and convenient way.

  Note that FRP needs an ECS: the server side must be installed on the ECS, and the client must be installed locally.

2.2.1. FRP Download

  For details, visit the following addresses for the specific introduction; since I am on Linux, I download the Linux version.

  Introduction to FRP Chinese: https://github.com/fatedier/frp/blob/dev/README_zh.md

  FRP Download: https://github.com/fatedier/frp/releases/tag/v0.49.0


2.2.2. Modify the relevant configurations

  See the specific process below; once the configuration is complete, the process becomes clear.

2.2.2.1. Server Configuration

  Upload the relevant files to the cloud server in advance, then modify the Frp configuration file on the cloud server. The port modified here must be opened on the cloud server, otherwise you will not be able to connect.

chmod +x frps ## grant execute permission (execute is all that is needed)
vim frps.ini ## modify the port
[common]
bind_port = 7000 ## opening one port on the server is enough

./frps -c ./frps.ini ## start the server

2.2.2.2. Client Configuration

  Note that the point here is mainly to establish a proxy tunnel. There may be many other configurations on the Internet, but those are configurations made to publish services and follow a different idea, so don't be confused by them.

chmod +x frpc ## grant execute permission (execute is all that is needed)
vim frpc.ini ## modify the ports
[common]
server_addr = 124.XX.XX.62 ## cloud server address
server_port = 7000 ## frpc working port, kept in sync with the server side
[ssh] ## the name does not matter
type = tcp
local_ip = 127.0.0.1 ## local address; if there are several IPs, it is better to specify the exact one
local_port = 5656 ## forwarded to port 5656 on this machine
remote_port = 6000 ## port 6000 on the server forwards to this machine

./frpc -c ./frpc.ini ## start the client
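As an added example (not the post's own code and not part of the frp project), the following Python parses an frpc.ini of the shape shown above, prints the forwarding chain it sets up, and runs two checks a defender would apply to such a file when it turns up on a host. It assumes frp's legacy ini format as used by the v0.49.0 release linked above, with `#` inline comments; the embedded config is constructed to mirror the post's values, with the server address masked exactly as on the page.

```python
"""Parse an frpc.ini and describe the port-forwarding chain it configures.

Added example, not the post's or the frp project's code. Assumes frp's legacy
ini format (v0.49.0) with '#' inline comments. The sample config below is
constructed for this example and mirrors the post's values.
"""
import configparser
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample (translated comments); the server address is masked as on the page.
SAMPLE_FRPC_INI = """
[common]
server_addr = 124.XX.XX.62   # cloud server (ECS) address
server_port = 7000           # must match bind_port in frps.ini

[ssh]                        # proxy name; the name itself does not matter
type = tcp
local_ip = 127.0.0.1         # local address on the attack machine
local_port = 5656            # traffic is forwarded to port 5656 on this machine
remote_port = 6000           # port 6000 on the server is forwarded to this machine
"""


@dataclass
class Proxy:
    name: str
    type: str
    local_ip: str
    local_port: int
    remote_port: int


@dataclass
class FrpcConfig:
    server_addr: str
    server_port: int
    token: Optional[str]
    proxies: List[Proxy]


def parse_frpc_ini(text: str) -> FrpcConfig:
    """Every section other than [common] is one proxy definition."""
    cp = configparser.ConfigParser(inline_comment_prefixes=("#", ";"))
    cp.read_string(text)
    common = cp["common"]
    proxies = [
        Proxy(
            name=name,
            type=cp[name].get("type", "tcp"),
            local_ip=cp[name].get("local_ip", "127.0.0.1"),
            local_port=int(cp[name]["local_port"]),
            remote_port=int(cp[name]["remote_port"]),
        )
        for name in cp.sections()
        if name != "common"
    ]
    return FrpcConfig(
        server_addr=common["server_addr"],
        server_port=int(common.get("server_port", "7000")),
        token=common.get("token"),  # None when no shared token is configured
        proxies=proxies,
    )


def describe_chain(cfg: FrpcConfig) -> List[str]:
    """One line per proxy: a connection to the server's remote_port is relayed
    over the client's control channel (server_port) to local_ip:local_port."""
    return [
        f"[{p.name}] {p.type}: {cfg.server_addr}:{p.remote_port} "
        f"-> control channel on {cfg.server_addr}:{cfg.server_port} "
        f"-> {p.local_ip}:{p.local_port}"
        for p in cfg.proxies
    ]


def audit(cfg: FrpcConfig) -> List[str]:
    """Checks a defender would run on an frpc.ini found on a host."""
    findings = []
    if not cfg.token:
        findings.append(
            "no token in [common]: frps accepts any client that can reach "
            f"{cfg.server_addr}:{cfg.server_port}"
        )
    for p in cfg.proxies:
        if p.local_ip not in ("127.0.0.1", "localhost", "::1"):
            findings.append(
                f"[{p.name}] relays to another host ({p.local_ip}:{p.local_port}), "
                "not only to the machine running frpc"
            )
    return findings


if __name__ == "__main__":
    cfg = parse_frpc_ini(SAMPLE_FRPC_INI)
    print("\n".join(describe_chain(cfg)))
    print("\n".join(audit(cfg)) or "no findings")
```

Run as a script it prints the chain `124.XX.XX.62:6000 -> control channel on 124.XX.XX.62:7000 -> 127.0.0.1:5656`, which is the path the post's two listeners depend on, and reports that the `[common]` section carries no `token`: frp's ini format supports a shared `token` on both sides, and without one the server registers proxies for any client that can reach its bind port.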

2.2.3. Check the operation status

  Here you can see the relevant data traffic on the server side.


2.2.4. Generating Trojans

  Here the listener is still the same, you need to create two, one is used to generate the backdoor Trojan, and the other is used to listen.

2.2.4.1. Configure Trojan generation listener

  The connection IP address must be the IP address of the ECS, and the port is 6000, the forwarding port just set in the client configuration file.


2.2.4.2. Configure the online listener

  The listener address is the local address, and the listener port is the local port just configured to receive the traffic forwarded from port 6000.


2.2.5. Check the online status

  It can be seen that traffic arrives from the server side, and the Trojan also comes online successfully.


2.2.6. Process Introduction

  Port 7000 of the attack machine and port 7000 of the ECS are connected to each other to form the tunnel; the Trojan then bounces the shell to port 6000 of the ECS, the ECS forwards port 6000 to port 5656 of the attack machine, and the attack machine listens on local port 5656 to receive the shell.
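The process above has two legs, and only one of them is visible from inside the target's network: the implant's outbound connection to the ECS's forwarded port (6000 in the post). The control channel to port 7000 runs from the attack machine and never crosses the target's perimeter. As an added example (not part of the original post), the following Python shows the defender's side of that picture: a check over constructed, simplified Zeek-style connection records that flags external, non-web connections which are either held open for a long time (a tunnel leg stays up) or repeated (beaconing). `203.0.113.62` stands in for the post's masked ECS address, and the thresholds are assumptions to tune per environment.

```python
"""Flag outbound connections of the kind a reverse-tunnel callback produces.

Added example, not part of the original post. Records are constructed here in
a simplified Zeek conn.log-like shape; 203.0.113.62 stands in for the post's
masked ECS address and 6000 is the post's remote_port.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple, Sequence, Tuple


class Conn(NamedTuple):
    ts: float          # seconds since start of the capture
    src: str
    dst: str
    dport: int
    duration_s: float


class Finding(NamedTuple):
    src: str
    dst: str
    dport: int
    count: int
    max_duration_s: float
    reason: str


# "Internal" is defined explicitly (RFC 1918 plus loopback) rather than via
# ipaddress.is_private, which also covers documentation ranges such as 203.0.113.0/24.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


# Constructed sample records (not real logs).
SAMPLE_CONNS = [
    Conn(0.0,   "10.0.0.23", "198.51.100.10", 443,  1.5),     # ordinary HTTPS
    Conn(5.0,   "10.0.0.23", "203.0.113.62",  6000, 1800.0),  # callback held open to ECS:6000
    Conn(10.0,  "10.0.0.5",  "10.0.0.8",      6000, 900.0),   # internal, out of scope here
    *[Conn(60.0 * i, "10.0.0.40", "198.51.100.9", 8443, 0.3) for i in range(6)],  # short, repeated
    Conn(100.0, "10.0.0.41", "198.51.100.20", 8080, 2.0),     # single non-web connection
]


def suspicious_outbound(conns: Sequence[Conn], allowed_ports=(80, 443),
                        min_duration_s=600.0, min_count=5) -> List[Finding]:
    """Group external, non-web connections per (src, dst, dport) and flag those that
    are long-lived (a tunnel leg stays up) or repeated (beaconing)."""
    agg: Dict[Tuple[str, str, int], List[float]] = defaultdict(list)
    for c in conns:
        if is_internal(c.dst) or c.dport in allowed_ports:
            continue
        agg[(c.src, c.dst, c.dport)].append(c.duration_s)
    findings = []
    for (src, dst, dport), durations in sorted(agg.items()):
        longest = max(durations)
        if longest >= min_duration_s:
            findings.append(Finding(src, dst, dport, len(durations), longest, "long-lived"))
        elif len(durations) >= min_count:
            findings.append(Finding(src, dst, dport, len(durations), longest, "repeated"))
    return findings


if __name__ == "__main__":
    for f in suspicious_outbound(SAMPLE_CONNS):
        print(f"{f.src} -> {f.dst}:{f.dport} {f.reason} (n={f.count}, max {f.max_duration_s:.0f}s)")
```

The check keys on behaviour rather than on the port number: 6000 is only the value the post chose for `remote_port`, and nothing stops a different one being used, whereas a callback that has to stay connected, or reconnect on a schedule, shows up in the duration and count regardless of port. Traffic to the allowed web ports is deliberately skipped here, so a callback carried over 80 or 443 needs a separate check.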


3. Summary

  Only two tools are introduced here; in fact there are a few more, and a few backdoors will be covered in the next article.
