Speaking of tunneling, it can be traced back to 2018, when I was doing cybersecurity experiments at Syracuse University in the United States, I studied local DNS attacks and remote DNS attacks. A year later, when I joined Situational Awareness in 2019 and was responsible for designing basic network threat detection, I was faced with the task of DNS tunnel and DGA domain name detection. After a year, in 2020, I did an intranet security experiment, powercat DNS tunnel communication, based on dnscat, and gained control of windows from kali linux. After 2 years, in 2022, I was deeply involved in the academic research of DNS tunneling, read a lot of journal papers, and did a lot of experiments, and deeply experienced the difference between academia and industry to treat projects. In the industrial world, as long as you can run, you can just do it, and if the effect is not good, it is the pot of the person in charge of the project design.
AILX10
Excellent answerer in cybersecurity
Master's in Cybersecurity
Go to consult
ICMP Tunnel Practical Guide: ailx10: ICMP tunnel
Abstract:In 2018, Xiao Hei was admitted to the computer major of three universities, and in the hot September in order to drink Kole and run broadband Internet access, Xiao Hei chose the former. The campus dormitory uses the CMCC network, which requires certification to access Baidu. In order to surf the Internet while drinking Kole, Xiao Hei began a tossing of the point of no return. The following is a brief analysis of how ICMP tunnels are set up and used.
ICMP Tunnel Practical Guide: ailx10: ICMP Tunnels
Abstract: Pingtunnel is a tool that disguises tcp/udp/sock5 traffic as icmp traffic for forwarding, but I have tested it, and I can't access mainstream websites such as Google and Facebook through this tool, so this article is just a brief review of ICMP tunnel technology, green and pollution-free, please feel free to read.
LCX Port Forwarding Preliminary Exploration Guide: AILX10: LCX Port Forwarding Preliminary Study
Abstract:In fact, there are a lot of articles about Lcx, but no one tells you where to download Lcx, why? Because Lcx Tencent Manager and other mainstream antivirus software will report that it is a virus, although this false positive, but the mainstream manufacturers have reported it, and latecomers have to follow suit, Lcx is for port forwarding. For example, the company's intranet can access the external network, but the external network cannot access the intranet.
A Practical Guide to the Netcat Networking Swiss Army Knife: AILX10: A Beginner's Exploration of the Netcat Networking Swiss Army Knife
Abstract:I have a knife in hand, I have it all over the world, ubuntu18 and kali rolling both come with netcat, netcat is a small and flexible network tool, with very powerful functions. This experiment is just a peek at the leopard in the tube, throwing bricks and jade, wonderful will meet you unexpectedly, it can not only achieve simple port scanning, listen to the port, but also be able to file transfer, simple chat~
Practical guide to understanding the rebound shell in 3 minutes: ailx10: Understand the rebound shell in 3 minutes
Abstract: Actually, I've heard about the rebound shell for a long, long time, and I started the rebound shell in my earliest cybersecurity experiments. For example, the third experimental TCP session hijacking in Zhihu live bounced back to the shell. A year ago, at the exchange meeting with the offensive and defensive teams, I heard the rebound shell again, and I didn't pay attention to it at the time, but it was very important anyway. It wasn't until today that I fully understood what a rebound shell was all about. If you can summarize it in one sentence, the rebound shell is this: the hacker takes control of the target, bounces a shell, and builds a stable communication backdoor.
NetCat Intranet Proxy Practical Guide: AILX10: NetCat Intranet Proxy Practice
Abstract:In the enterprise, the network control is very strict, there are many bastion hosts that isolate different hosts in the intranet, today's topic is "intranet proxy", our kali little black brother, want to go to ubuntu16 to get some data, but find that the route is not working. Fortunately, Xiao Hei can access ubuntu18, and ubuntu18 can access ubuntu16, and ubuntu18 here is equivalent to bastion host, so smart can you help Xiao Hei establish the shell control channel of ubuntu16 in the end?
windows版瑞士军刀powercat实战指南:ailx10:windows版瑞士军刀powercat之牛刀小试
Abstract: I did 4 small experiments, and the last one failed, PowerCat Forward Shell (Windows-Linux), PowerCat Reverse Shell (Windows-Linux), PowerCat Reverse PowerShell (Windows-Windows), PowerCat Reverse Fetch File (Windows-Windows) (failed).
DNS Tunneling Technology iodine Practical Guide: ailx10: Introduction to DNS Tunneling Technology Iodine
Abstract:After the hacker successfully invades an intranet server, obtains the enterprise confidential documents, and chooses an encrypted tunnel for secret transmission in order to evade the intranet log monitoring system and penetrate the intranet firewall policy. Here's my experiment: In 9 steps, an SSH encrypted connection was successfully established through a DNS encrypted tunnel. Detecting DNS tunnels is an indispensable function module of the current situational awareness system.
DNS Tunneling Practical Guide: ailx10: Looking at DNS Tunnels Again
Abstract: To be honest, the DNS protocol has never disappointed anyone, and when I was a graduate student in 2017, a colleague was assigned to study the DNS protocol, and watched him build a DNS server and carefully configure the domain name information. I'm also secretly glad that this piece is not my research. In 2015, I didn't study hard when I was in school, and it wasn't until 2018 when I was doing a cybersecurity experiment at Syracuse University in the United States that I really faced the DNS protocol, and I wrote 2 articles, which can be regarded as my first collision with DNS. (What is a local DNS attack?, what is a remote DNS attack?)
Practical Guide to Local and Remote Forwarding of SSH Tunnels: ailx10: Local (Remote) Forwarding of SSH Tunnels
Abstract: Our network engineer Xiao Hei can access the jump server, but not the target machine. However, the jump machine has access to the target machine. We can take both local port forwarding and remote port forwarding for network access. Local port forwarding: It is equivalent to pulling data from the jump server locally. Remote port forwarding: It is equivalent to pushing data, and the jump server pushes the data to the local computer. Local port forwarding is performed locally, forwarding the port of the target machine to the specified port locally. Remote port forwarding needs to be performed on the jump server, and all port traffic to the target machine will be forwarded to the corresponding local port through an SSH tunnel.
Practical Guide to Dynamic Forwarding in SSH Tunnels: ailx10: Dynamic Forwarding in SSH Tunnels
Abstract: The same 3 hosts, the victim and the attacker cannot access the network, but both sides of the jump server are connected. We use the jump server to dynamically forward to achieve network access. It's very similar to how we access Google, but with a different protocol.
Published on 2022-05-31 21:03 Zhihu