Intranet penetration technology explained in detail: several practical intranet penetration tools, with tutorials

The following content is reposted from the WeChat official account "started from the front", which focuses on delivering practical technical material every day.

1. Introduction to nps/npc

1.1 Introduction

nps is a lightweight, high-performance intranet penetration proxy server. It currently supports TCP and UDP traffic forwarding, and therefore any protocol carried over TCP or UDP (access to intranet websites, local payment-interface debugging, SSH access, remote desktop, intranet DNS resolution, and so on). It also supports intranet HTTP proxying, intranet SOCKS5 proxying, P2P, and more, and ships with a powerful web management console.

Deployment model: a server with a public IP (a VPS) runs the server side (nps); one or more machines inside the intranet, or PCs, run the client side (npc).

1.2 Features

Written in Go, cross-platform
Supports multiple protocols
Web management console

1.3 Usage

Download the release matching your server's platform from https://github.com/ehang-io/nps/releases

NPS (server side): install and configure the version that matches your server:

    cd ~
    wget https://github.com/cnlh/nps/releases/download/v0.23.2/linux_amd64_server.tar.gz
    tar xzvf linux_amd64_server.tar.gz
    cd ~/nps

The nps directory contains the nps executable, the conf configuration directory and the web page directory. Only conf/nps.conf needs editing:

    vim conf/nps.conf

Change the following parameters under # web:

    web_host=<server IP or domain name>
    web_username=admin            # login user name
    web_password=<your password>
    web_port=8080                 # web management port

Do not leave web_username and web_password at their defaults: the console listens on the public IP.

Then change the npc connection port under # bridge. For example, if the server we have obtained has limited permissions and sits behind a firewall that only lets a few ports (80, 443) out to the Internet, set the bridge to one of the ports that can reach the Internet:

    # bridge
    bridge_type=tcp
    bridge_port=443               # change the connection port
    bridge_ip=0.0.0.0

Start the server:

    # Mac/Linux
    ./nps test|start|stop|restart|status      # test config file | start | stop | restart | status

    # Windows
    nps.exe test|start|stop|restart|status    # test config file | start | stop | restart | status

NPC (client side):

    ./npc -server=<your IP>:8024 -vkey=<unique authentication password> -type=tcp

8024 is the default bridge_port; if you changed bridge_port (to 443 in the example above), connect to that port instead.

Clients are added on the client page of the web console with the "new" action. The vkey of each connection is unique, and after a client is created its exact connection command is also shown in the client list under the "+" entry. Once the connection is established, each client can open multiple tunnels using different protocols; each tunnel is a separate proxy. One intranet machine can therefore be reached through different protocols and ports.

2. Introduction to frp

2.1 Introduction

frp is a high-performance reverse proxy application focused on intranet penetration. It supports TCP, UDP, HTTP, HTTPS and other protocols, and exposes intranet services to the public network securely and conveniently by relaying through a node with a public IP.

2.2 Features

Client-server communication can multiplex several transports (TCP, KCP, WebSocket) on one port, so multiple services can be exposed through the same server port
Cross-platform
Fewer plugins than nps, but still a rich feature set

2.3 Usage

Download from https://github.com/fatedier/frp/releases

The following is taken from https://segmentfault.com/a/1190000021876836

1. Access a home machine through RDP

1. Edit frps.ini. For security, configure authentication: the connection is accepted only when the token on both sides matches. Use a long random token rather than a guessable string like the abcdefgh placeholder below.

    # frps.ini
    [common]
    bind_port = 7000
    # used for authentication; set your own value and keep server and client consistent
    token = abcdefgh

2. Start frps:

    ./frps -c ./frps.ini

3. Edit frpc.ini, assuming the public IP of the server running frps is x.x.x.x:

    # frpc.ini
    [common]
    server_addr = x.x.x.x
    server_port = 7000
    # used for authentication; set your own value and keep server and client consistent
    token = abcdefgh

    [rdp]
    type = tcp
    local_ip = 127.0.0.1
    local_port = 3389
    remote_port = 6000

4. Start frpc:

    ./frpc -c ./frpc.ini

5. Connect to the remote machine through RDP at x.x.x.x:6000.

Start on boot (Windows): for convenience, frpc can be configured to start silently at boot.

1. In the same directory as frpc.exe, create start_frpc.vbs (adjust the paths to your installation):

    CreateObject("WScript.Shell").Run """D:\Program Files\frp_windows_amd64\frpc.exe""" & " -c " & """D:\Program Files\frp_windows_amd64\frpc.ini""", 0

(The spaces around -c matter: without them the executable path, -c and the config path are glued into one argument and frpc never receives its -c option.)

2. Copy start_frpc.vbs and open the following directory (replace <username> with your user name):

    C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

3. Right-click and choose "Paste shortcut".

2. Access a company intranet machine through SSH

The frps deployment steps are the same as above.

1. Start frpc with the following configuration:

    # frpc.ini
    [common]
    server_addr = x.x.x.x
    server_port = 7000
    # used for authentication; set your own value and keep server and client consistent
    token = abcdefgh

    [ssh]
    type = tcp
    local_ip = 127.0.0.1
    local_port = 22
    remote_port = 6000

2. Access the intranet machine through SSH, assuming the user name is test:

    ssh -oPort=6000 test@x.x.x.x

3. Access a web service deployed on the intranet through a custom domain name

1. Edit frps.ini and set the HTTP access port to 8080:

    # frps.ini
    [common]
    bind_port = 7000
    vhost_http_port = 8080
    # used for authentication; set your own value and keep server and client consistent
    token = abcdefgh

2. Start frps:

    ./frps -c ./frps.ini

3. Edit frpc.ini, assuming the IP of the server running frps is x.x.x.x. local_port is the port of the web service on the local machine, and it is bound to the custom domain name www.yourdomain.com:

    # frpc.ini
    [common]
    server_addr = x.x.x.x
    server_port = 7000
    # used for authentication; set your own value and keep server and client consistent
    token = abcdefgh

    [web]
    type = http
    local_port = 80
    custom_domains = www.yourdomain.com

4. Start frpc:

    ./frpc -c ./frpc.ini

5. Point the A record of www.yourdomain.com at x.x.x.x. If the server already has a domain name, you can instead add a CNAME record pointing at the server's existing domain name.

6. Open http://www.yourdomain.com:8080 in a browser to reach the web service.

4. Provide a simple external file access service

The static_file plugin provides a simple HTTP-based file access service. The frps deployment steps are the same as above.

1. Start frpc with the static_file plugin enabled, configured as follows:

    # frpc.ini
    [common]
    server_addr = x.x.x.x
    server_port = 7000
    # used for authentication; set your own value and keep server and client consistent
    token = abcdefgh

    [test_static_file]
    type = tcp
    remote_port = 6000
    plugin = static_file
    # the directory to expose
    plugin_local_path = /tmp/file
    # prefix stripped from the access URL; what remains is the path of the file to access
    plugin_strip_prefix = static
    plugin_http_user = abc
    plugin_http_passwd = abc

2. Open http://x.x.x.x:6000/static/ in a browser to browse the files under /tmp/file; you will be prompted for the user name and password configured above. Note that this is plain HTTP on a public port: the frpc-frps leg can be protected with use_encryption or TLS (described below), but the hop from the Internet to frps carries the credentials and file contents in cleartext.

Dashboard

The Dashboard shows frp's status and per-proxy traffic statistics in a browser.

Note: the Dashboard is not optimized for displaying a large number of proxies; if it is slow to load, do not enable it. To enable it, specify the port the dashboard service listens on in frps.ini:

    # frps.ini
    [common]
    dashboard_port = 7500
    # dashboard user name and password, both admin by default
    dashboard_user = admin
    dashboard_pwd = admin

Then open http://[server_addr]:7500 in a browser to reach the dashboard. The user name and password both default to admin; change them before enabling the port, because the dashboard is served on the server's public IP.

Encryption and compression

Neither function is enabled by default; both are configured per proxy in frpc.ini. The compression algorithm is snappy:

    # frpc.ini
    [ssh]
    type = tcp
    local_port = 22
    remote_port = 6000
    use_encryption = true
    use_compression = true

If the company's intranet firewall identifies and blocks traffic leaving the network (for example, if the SSH protocol is prohibited), setting use_encryption = true encrypts the content exchanged between frpc and frps, so the firewall can no longer recognize the protocol and block it.

If the transmitted messages are long, setting use_compression = true compresses the transmitted content, which effectively reduces the network traffic between frpc and frps and speeds up forwarding, at the cost of some extra CPU.

TLS

From v0.25.0 onward, frpc and frps can communicate over TLS. Set tls_enable = true in the [common] section of frpc.ini to enable it; it is more secure than use_encryption. To allow port reuse, the first byte of a TLS connection established by frp is 0x17, which lets frps distinguish TLS clients from plain ones on the same bridge port.

Note: once TLS is enabled, use_encryption no longer needs to be set, except for xtcp.

Proxy speed limit

Per-proxy bandwidth limits can currently be set in the client's proxy configuration to cap the bandwidth a single proxy may use:

    # frpc.ini
    [ssh]
    type = tcp
    local_port = 22
    remote_port = 6000
    bandwidth_limit = 1MB

Adding the bandwidth_limit field to a proxy's configuration enables the feature. Only the units MB and KB are currently supported.
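Returning to the TLS option above: the 0x17 marker byte is also what a defender can key on. As an added example (not frp's own code, and the sample payloads are constructed rather than captured), the following Python classifier labels the first client-to-server bytes of a TCP stream, telling an frpc connection with tls_enable = true (0x17 followed by a normal TLS ClientHello) apart from an ordinary TLS ClientHello, a mid-stream TLS record, and plaintext protocols such as SSH or HTTP. The helper and label names are mine.

```python
# Added example, not frp's code: recognise the 0x17 marker byte that frpc sends
# before its TLS ClientHello when tls_enable = true. The sample payloads below
# are constructed for this example, not captured from a real host.


def is_client_hello(buf):
    """True if buf starts with a TLS handshake record carrying a ClientHello.

    Record layer: content type 0x16 (handshake), version 0x03 0x00..0x04,
    2-byte length, then handshake message type 0x01 (ClientHello).
    """
    return (len(buf) >= 6 and buf[0] == 0x16 and buf[1] == 0x03
            and buf[2] <= 0x04 and buf[5] == 0x01)


def is_tls_record(buf):
    """Looser check: any plausible TLS record header (labels mid-stream data)."""
    return (len(buf) >= 5 and buf[0] in (0x14, 0x15, 0x16, 0x17)
            and buf[1] == 0x03 and buf[2] <= 0x04)


def classify_first_bytes(payload):
    """Label the first client->server bytes of a TCP stream."""
    if not payload:
        return "empty"
    # frp's custom first byte: 0x17 immediately followed by a normal ClientHello.
    # A real TLS application_data record also starts with 0x17, but is then
    # followed by 0x03 0x0x rather than 0x16 0x03, so the two do not collide.
    if payload[0] == 0x17 and is_client_hello(payload[1:]):
        return "frp-tls"
    if is_client_hello(payload):
        return "tls-client-hello"
    if is_tls_record(payload):
        return "tls-record"
    return "other"


def classify_flows(flows):
    """flows: iterable of (flow_id, first_bytes). Returns {flow_id: label}."""
    return {flow_id: classify_first_bytes(data) for flow_id, data in flows}


# Constructed samples: a truncated ClientHello prefix is enough for the checks.
CLIENT_HELLO = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + bytes(32)
SAMPLES = [
    ("frpc-tls", b"\x17" + CLIENT_HELLO),                    # frpc, tls_enable = true
    ("browser-https", CLIENT_HELLO),                         # ordinary TLS client
    ("tls-app-data", b"\x17\x03\x03\x00\x20" + bytes(32)),   # mid-stream TLS record
    ("ssh", b"SSH-2.0-OpenSSH_8.9\r\n"),                     # plaintext SSH banner
    ("http", b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
]

if __name__ == "__main__":
    for flow_id, label in classify_flows(SAMPLES).items():
        print("%-14s %s" % (flow_id, label))
```

The check only applies to the very first bytes the client sends on the frps bridge port, so it has to run on the start of a flow, not on arbitrary packets. Newer frp versions can switch the marker off on the client (disable_custom_tls_first_byte), in which case the stream starts like any other TLS connection and this check alone reports only "tls-client-hello".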

Range port mapping

Multiple ports can be mapped in one section of the frpc configuration file. Only the tcp and udp types are supported. This is implemented with the range: section tag: the client parses the configuration in such a section and splits it into multiple proxies, each named with a numeric suffix.
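As an added example (not code from the page or from the frp project), the following Python reproduces how a range: section is expanded, so you can see exactly which proxies frpc will register before you deploy. It parses port specs of the form "6000-6006,6007", checks that local_port and remote_port expand to the same number of ports (they are paired by position), rejects types other than tcp and udp, and names the proxies with the numeric suffix described above. The function names are mine; the section name test_tcp and the port spec are the ones used on this page.

```python
import re

# Added example, not frp's own code: expand a [range:NAME] section the way the
# page describes, to see exactly which proxies frpc will create.


def parse_range_numbers(spec):
    """Expand an frp port spec like "6000-6006,6007" into an explicit port list."""
    ports = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        m = re.fullmatch(r"(\d+)-(\d+)", part)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2))
            if lo > hi:
                raise ValueError("descending range %r" % part)
            ports.extend(range(lo, hi + 1))
        elif part.isdigit():
            ports.append(int(part))
        else:
            raise ValueError("bad port spec %r" % part)
    bad = [p for p in ports if not 1 <= p <= 65535]
    if bad:
        raise ValueError("ports out of range: %r" % bad)
    return ports


def expand_range_section(name, proxy_type, local_ip, local_port, remote_port):
    """Split one range: section into the proxies frpc would register.

    Only tcp and udp are valid for range: sections, and the local and remote
    specs must expand to the same number of ports (they are paired by position).
    """
    if proxy_type not in ("tcp", "udp"):
        raise ValueError("range: sections support only tcp and udp, not %r" % proxy_type)
    local_ports = parse_range_numbers(local_port)
    remote_ports = parse_range_numbers(remote_port)
    if len(local_ports) != len(remote_ports):
        raise ValueError("local_port expands to %d ports but remote_port to %d"
                         % (len(local_ports), len(remote_ports)))
    return [
        {"name": "%s_%d" % (name, i), "type": proxy_type, "local_ip": local_ip,
         "local_port": lp, "remote_port": rp}
        for i, (lp, rp) in enumerate(zip(local_ports, remote_ports))
    ]


def render_ini(proxies):
    """Render the expanded proxies as ordinary (non-range) frpc.ini sections."""
    lines = []
    for p in proxies:
        lines += ["[%s]" % p["name"], "type = %s" % p["type"],
                  "local_ip = %s" % p["local_ip"], "local_port = %d" % p["local_port"],
                  "remote_port = %d" % p["remote_port"], ""]
    return "\n".join(lines)


if __name__ == "__main__":
    # The page's range example: 6000-6006 plus 6007 is eight ports, not six.
    proxies = expand_range_section("test_tcp", "tcp", "127.0.0.1",
                                   "6000-6006,6007", "6000-6006,6007")
    print(len(proxies), "proxies:", ", ".join(p["name"] for p in proxies))
    print(render_ini(proxies))
```

Running it on the page's spec prints eight proxies, test_tcp_0 through test_tcp_7; a spec whose local and remote lists differ in length is rejected, which is the mistake most easily made when hand-editing a range: section.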

For example, to map the eight local ports 6000-6006 and 6007, the main configuration is:

    # frpc.ini
    [range:test_tcp]
    type = tcp
    local_ip = 127.0.0.1
    local_port = 6000-6006,6007
    remote_port = 6000-6006,6007

After the connection succeeds, 8 proxies are created, named test_tcp_0, test_tcp_1, ... test_tcp_7. The local_port and remote_port lists must expand to the same number of ports.

3. Introduction to ew (EarthWorm)

3.1 Introduction

EW is a portable network penetration tool with two core functions: setting up a SOCKS v5 service and port forwarding. It can achieve network penetration in complex network environments.

However, the tool is no longer updated.

3.2 Features

Lightweight, written in C
Supports multi-level cascading
Cross-platform
Only supports SOCKS5 proxying

3.3 Usage

The following usage notes are taken from http://rootkiter.com/EarthWorm/. In all examples below, unless stated otherwise, the proxy port is 1080 and the service is a SOCKS v5 proxy.
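Before the commands, it helps to see what a SOCKS v5 proxy such as the one ew sets up actually exchanges with its client. As an added example (not EarthWorm's code), the following Python models the RFC 1928 exchange in-process: the client greeting and the proxy's method selection, then a CONNECT request and the proxy's reply, for both IP literals and domain names. It assumes the "no authentication" method, and the allow() egress policy and the bind address 10.0.0.5:40000 in the reply are constructed for the example. The same byte layouts are what you would look for when verifying a pivot with a raw socket or writing a detection for SOCKS traffic on an unexpected port.

```python
import ipaddress
import struct

# Added example, not EarthWorm's code: an in-process model of the SOCKS v5 exchange
# (RFC 1928, "no authentication" method, CONNECT command). Both sides' messages are
# built and parsed so the bytes can be checked without a live proxy. The allow()
# policy and the BND.ADDR value 10.0.0.5:40000 are constructed for this example.

VER = 0x05
METHOD_NO_AUTH, METHOD_NONE_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED = 0x00, 0x02, 0x07


def greeting(methods=(METHOD_NO_AUTH,)):
    """Client -> proxy: VER, NMETHODS, METHODS."""
    return bytes([VER, len(methods), *methods])


def select_method(msg, supported=(METHOD_NO_AUTH,)):
    """Proxy -> client: VER, METHOD (0xFF when nothing offered is acceptable)."""
    if len(msg) < 2 or msg[0] != VER or len(msg) != 2 + msg[1]:
        raise ValueError("malformed SOCKS5 greeting")
    for m in supported:
        if m in msg[2:]:
            return bytes([VER, m])
    return bytes([VER, METHOD_NONE_ACCEPTABLE])


def encode_addr(host, port):
    """ATYP + address + 2-byte big-endian port, for an IP literal or a domain name."""
    try:
        ip = ipaddress.ip_address(host)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("host name too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return addr + struct.pack("!H", port)


def decode_addr(buf, i):
    """Parse the address field starting at buf[i]; return (host, port, next_index)."""
    if i + 1 >= len(buf):
        raise ValueError("truncated address")
    atyp, i = buf[i], i + 1
    if atyp == ATYP_IPV4:
        host, i = str(ipaddress.IPv4Address(buf[i:i + 4])), i + 4
    elif atyp == ATYP_IPV6:
        host, i = str(ipaddress.IPv6Address(buf[i:i + 16])), i + 16
    elif atyp == ATYP_DOMAIN:
        n = buf[i]
        host, i = buf[i + 1:i + 1 + n].decode("idna"), i + 1 + n
    else:
        raise ValueError("unknown ATYP 0x%02x" % atyp)
    if len(buf) < i + 2:
        raise ValueError("truncated address")
    return host, struct.unpack("!H", buf[i:i + 2])[0], i + 2


def connect_request(host, port):
    """Client -> proxy: VER, CMD=CONNECT, RSV=0, DST.ADDR, DST.PORT."""
    return bytes([VER, CMD_CONNECT, 0x00]) + encode_addr(host, port)


def handle_request(req, allow):
    """Proxy side: validate the request and answer; allow(host, port) is the egress policy."""
    if len(req) < 4 or req[0] != VER or req[2] != 0x00:
        raise ValueError("malformed SOCKS5 request")
    if req[1] != CMD_CONNECT:
        return bytes([VER, REP_CMD_UNSUPPORTED, 0x00]) + encode_addr("0.0.0.0", 0)
    host, port, end = decode_addr(req, 3)
    if end != len(req):
        raise ValueError("trailing bytes after request")
    rep = REP_SUCCEEDED if allow(host, port) else REP_NOT_ALLOWED
    # BND.ADDR/BND.PORT: the proxy's side of the outbound socket (constructed value).
    return bytes([VER, rep, 0x00]) + encode_addr("10.0.0.5", 40000)


def parse_reply(rep):
    """Client side: return (REP code, BND.ADDR, BND.PORT)."""
    if len(rep) < 4 or rep[0] != VER or rep[2] != 0x00:
        raise ValueError("malformed SOCKS5 reply")
    host, port, _ = decode_addr(rep, 3)
    return rep[1], host, port


def connect_via_proxy(host, port, allow=lambda h, p: True):
    """Run the whole exchange in-process; return (REP code or None, transcript)."""
    transcript = []
    g = greeting()
    transcript.append(("C>S", g))
    sel = select_method(g)
    transcript.append(("S>C", sel))
    if sel[1] == METHOD_NONE_ACCEPTABLE:
        return None, transcript
    req = connect_request(host, port)
    transcript.append(("C>S", req))
    rep = handle_request(req, allow)
    transcript.append(("S>C", rep))
    return parse_reply(rep)[0], transcript


if __name__ == "__main__":
    policy = lambda h, p: h.startswith(("10.", "192.168."))  # example pivot policy
    for t in (("192.168.1.10", 3389), ("dc01.corp.local", 445), ("8.8.8.8", 53)):
        code, steps = connect_via_proxy(*t, allow=policy)
        print(t, "REP=%r" % code, [(d, data.hex()) for d, data in steps])
```

The allow() hook stands in for what a real pivot usually lacks: ew's ssocksd forwards wherever the client asks, so whoever reaches port 1080 gets the full reach of the host. The transcript returned by connect_via_proxy shows the two round trips a SOCKS5 CONNECT costs before any payload flows, which is also why a three-level ew cascade adds noticeable latency per new connection.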

The tool has six command modes (ssocksd, rcsocks, rssocks, lcx_slave, lcx_listen, lcx_tran).

1. Forward SOCKS v5 server

    $ ./ew -s ssocksd -l 1080

2. Reverse (bounced) SOCKS v5 server, in two steps:

a) On host A, which has a public IP (1.1.1.1 below), run:

    $ ./ew -s rcsocks -l 1080 -e 8888

b) On target host B, start the SOCKS v5 service and bounce it to port 8888 of the public host:

    $ ./ew -s rssocks -d 1.1.1.1 -e 8888

On success, the SOCKS v5 proxy into B's network is reachable on port 1080 of host A.

3. Multi-level cascading

The tool ships with three port-forwarding commands. Their parameter formats are:

    $ ./ew -s lcx_listen -l 1080 -e 8888
    $ ./ew -s lcx_tran -l 1080 -f 2.2.2.3 -g 9999
    $ ./ew -s lcx_slave -d 1.1.1.1 -e 8888 -f 2.2.2.3 -g 9999

With these port-forwarding commands, a TCP-based service deep inside the network, such as a SOCKS v5 server, can be forwarded to the front.

First, two local "two-level cascade" SOCKS test examples:

a) Using lcx_tran

    $ ./ew -s ssocksd -l 9999
    $ ./ew -s lcx_tran -l 1080 -f 127.0.0.1 -g 9999

b) Using lcx_listen and lcx_slave

    $ ./ew -s lcx_listen -l 1080 -e 8888
    $ ./ew -s ssocksd -l 9999
    $ ./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999

And a local "three-level cascade" SOCKS test case for reference:

    $ ./ew -s rcsocks -l 1080 -e 8888
    $ ./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999
    $ ./ew -s lcx_listen -l 9999 -e 7777
    $ ./ew -s rssocks -d 127.0.0.1 -e 7777

Data flow: SOCKS v5 -> 1080 -> 8888 -> 9999 -> 7777 -> rssocks

4. ngrok

4.1 Introduction

4.2 Features

Officially maintained, generally stable
Cross-platform, closed source
Records traffic and can replay requests

4.3 Usage

Go to the ngrok website (https://ngrok.com/), register an account and download ngrok. Then run the authorization command with the authtoken shown on the site:

    ./ngrok authtoken 1hAotxhmORtzCYvUc3BsxDBPh1H_******************

Running

    ./ngrok http 80

exposes the machine's HTTP service on port 80 to the public Internet and assigns it a public domain name.

Packets and traffic can be inspected in the web UI on the ngrok site (but that requires a paid plan).

Intranet files and other TCP services can also be exposed to the public Internet with a few commands.

File sharing with authentication:

    ngrok http -auth="user:password" file:///Users/alan/share

File sharing without authentication:

    ngrok http "file:///C:\\Users\\alan\\Public Folder"

Expose the host's TCP port 3389 to the public Internet:

    ngrok tcp 3389

More usage: https://ngrok.com/docs

References:
Intranet penetration: intranet tunneling
A simple tutorial for the open-source intranet penetration tool frp
http://rootkiter.com/EarthWorm/

