Recommend several practical intranet penetration tools

From a penetration-testing perspective, this article summarizes several commonly used intranet tunneling (NAT traversal) and intranet proxy tools, and introduces their basic principles and how they are used.

nps

1.1 introduction

nps is a lightweight, high-performance intranet tunneling proxy server. It currently supports TCP and UDP traffic forwarding, and therefore any protocol layered on TCP or UDP (reaching intranet websites, debugging local payment interfaces, SSH access, remote desktop, intranet DNS resolution, etc.). It also supports an intranet HTTP proxy, an intranet SOCKS5 proxy, P2P mode and more, and has a full-featured web management interface.

  • A server with a public IP (VPS) runs the server side (NPS)
  • One or more servers or PCs on the intranet run the client side (NPC)

1.2 features

  1. Written in Go
  2. Cross-platform
  3. Proxy support for multiple protocols
  4. Web management interface

1.3 usage

Download: https://github.com/ehang-io/nps/releases

NPS

Installation configuration

Download the build matching your server's platform:

cd ~
wget https://github.com/cnlh/nps/releases/download/v0.23.2/linux_amd64_server.tar.gz
tar xzvf linux_amd64_server.tar.gz
cd ~/nps

The nps directory contains the nps executable, the conf configuration directory and the web page directory. Only conf/nps.conf needs to be modified:

vim conf/nps.conf

Under the #web section, change the following parameters:

web_host=<server IP or domain name>
web_username=admin        # login user name
web_password=<your password>
web_port=8080             # web management port

Modifying the #bridge section changes the port that NPC connects to. For example, if we only have a server with limited permissions behind a firewall, perhaps only a few ports (80, 443) are allowed out to the Internet, so the bridge port has to be changed to one of those egress-allowed ports.

##bridge
bridge_type=tcp
bridge_port=443  # Modify connection port
bridge_ip=0.0.0.0

Startup

# Mac/Linux
./nps test|start|stop|restart|status    # test the configuration file | start | stop | restart | show status

# Windows
nps.exe test|start|stop|restart|status  # test the configuration file | start | stop | restart | show status

NPC

./npc -server=<your server IP>:8024 -vkey=<unique authentication key> -type=tcp

After creating a new client, the exact client connection command can also be seen in the web management interface.

Web management interface

In the client view, new client connections are added with "New". The vkey of each connection is unique.

Once a client is connected, it can carry multiple tunnels with different protocols; each tunnel is a separate proxy.

Through these proxies the intranet machine can be reached over different protocols and ports.

frp

2.1 introduction

frp is a high-performance reverse proxy application focused on intranet tunneling. It supports TCP, UDP, HTTP, HTTPS and other protocols, and can expose intranet services to the public network in a secure and convenient way by relaying through a node with a public IP.

2.2 features

  • Client-server communication supports TCP, KCP, WebSocket and other transports.
  • Port reuse: multiple services are exposed through the same server port.
  • Cross-platform, but fewer platforms are supported than nps
  • A variety of plug-ins provide additional functions

2.3 usage

Download: https://github.com/fatedier/frp/releases

The following is taken from: https://segmentfault.com/a/1190000021876836

1. Access a home machine through RDP

1. Modify the frps.ini file. For security, configure authentication here: if the token parameter in the [common] section is the same on the server and the client, authentication passes:

# frps.ini
[common]
bind_port = 7000
# For authentication, please modify it yourself to ensure that the server is consistent with the client
token = abcdefgh

2. Start frps:

./frps -c ./frps.ini

3. Modify the frpc.ini file, assuming that the public IP of the server running frps is x.x.x.x:

# frpc.ini
[common]
server_addr = x.x.x.x
server_port = 7000
# For authentication, please modify it yourself to ensure that the server is consistent with the client
token = abcdefgh

[rdp]
type = tcp
local_ip = 127.0.0.1
local_port = 3389
remote_port = 6000

4. Start frpc:

./frpc -c ./frpc.ini

5. Connect to the remote machine through RDP at the address:

x.x.x.x:6000

Start automatically at boot

On Windows, for convenience, you can configure frpc to start silently at boot.

1. In the directory of frpc.exe, create a start_frpc.vbs:

'start_frpc.vbs
'Modify the paths according to your actual installation.
'Spaces around -c are required, otherwise the arguments run together into a single string.
'The trailing 0 runs the process with a hidden window.
CreateObject("WScript.Shell").Run """D:\Program Files\frp_windows_amd64\frpc.exe""" & " -c " & """D:\Program Files\frp_windows_amd64\frpc.ini""", 0

2. Copy the start_frpc.vbs file and open the following directory, replacing <USER_NAME> with your own user name:

C:\Users\<USER_NAME>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

3. Right-click and paste it there as a shortcut.

2. Access a company intranet machine through SSH

The frps deployment steps are the same as above.

1. Start frpc with the following configuration:

# frpc.ini
[common]
server_addr = x.x.x.x
server_port = 7000
# For authentication, please modify it yourself to ensure that the server is consistent with the client
token = abcdefgh

[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
remote_port = 6000

2. Connect to the intranet machine through SSH, assuming the user name is test:

ssh -oPort=6000 test@x.x.x.x

3. Access web services deployed on the intranet through a custom domain name

Sometimes we want others to reach or test a web service set up locally through a domain name, but because the local machine has no public IP, the domain name cannot be resolved to it. frp can provide this. The following example uses an HTTP service; an HTTPS service is configured the same way, replacing vhost_http_port with vhost_https_port and setting type to https.

1. Modify the frps.ini file and set the HTTP access port to 8080:

# frps.ini
[common]
bind_port = 7000
vhost_http_port = 8080
# For authentication, please modify it yourself to ensure that the server is consistent with the client
token = abcdefgh

2. Start frps:

./frps -c ./frps.ini

3. Modify the frpc.ini file, assuming that the IP of the server running frps is x.x.x.x, that local_port is the port of the web service on the local machine, and that the custom domain name www.yourdomain.com is to be bound:

# frpc.ini
[common]
server_addr = x.x.x.x
server_port = 7000
# For authentication, please modify it yourself to ensure that the server is consistent with the client
token = abcdefgh

[web]
type = http
local_port = 80
custom_domains = www.yourdomain.com

4. Start frpc:

./frpc -c ./frpc.ini

5. Point the A record of www.yourdomain.com to the IP x.x.x.x. If the server already has a domain name of its own, a CNAME record pointing to that domain name works as well.

6. Open http://www.yourdomain.com:8080 in a browser to reach the web service on the intranet machine.

4. Provide a simple external file access service

The static_file plug-in provides a simple HTTP-based file access service.

The deployment steps of frps are the same as above.

1. Start frpc with the static_file plug-in enabled, configured as follows:

# frpc.ini
[common]
server_addr = x.x.x.x
server_port = 7000
# For authentication, please modify it yourself to ensure that the server is consistent with the client
token = abcdefgh

[test_static_file]
type = tcp
remote_port = 6000
plugin = static_file
# Directory whose files are exposed
plugin_local_path = /tmp/file
# Prefix stripped from the request URL; what remains is the path of the file to access
plugin_strip_prefix = static
plugin_http_user = abc
plugin_http_passwd = abc

2. Open http://x.x.x.x:6000/static/ in a browser to view the files in the /tmp/file directory; you will be asked for the configured user name and password.

Common functions

Statistics panel (Dashboard)

The status of frp and proxy statistics can be viewed through a browser.

Note: the Dashboard has not been optimized for displaying a large number of proxies. If Dashboard access is slow, do not enable this function.

To enable it, specify the port used by the dashboard service in frps.ini:

[common]
dashboard_port = 7500
# The user name and password of dashboard are admin by default
dashboard_user = admin
dashboard_pwd = admin

Open http://[server_addr]:7500 in a browser to reach the dashboard. The user name and password are admin by default.

Encryption and compression

Neither function is enabled by default; both are switched on per proxy in frpc.ini. The compression algorithm is snappy:

# frpc.ini
[ssh]
type = tcp
local_port = 22
remote_port = 6000
use_encryption = true
use_compression = true

If the company's intranet firewall identifies and blocks traffic leaving for the external network, for example by prohibiting the SSH protocol, setting use_encryption = true encrypts the communication between frpc and frps and effectively prevents the traffic from being intercepted.

If the transmitted messages are long, setting use_compression = true compresses the transmitted content, which effectively reduces the network traffic between frpc and frps and speeds up forwarding, at the cost of some additional CPU.

TLS

Since v0.25.0, TLS-encrypted transport between frpc and frps is supported. Set tls_enable = true in the [common] section of frpc.ini to enable it for higher security.

For port multiplexing, the first byte frp sends when establishing a TLS connection is 0x17.

Note: once this function is enabled, there is no need to set use_encryption, except for xtcp.
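The 0x17 lead byte the text mentions is useful on the defensive side: a normal TLS session always opens with a handshake record (first byte 0x16), while 0x17 is the application_data record type, which can never legitimately be the first byte of a session. The following is an added example of a first-bytes classifier for connection records, not code from the frp project; the assumption that a regular ClientHello (0x16 0x03 ...) follows the 0x17 byte, the session tuples and the byte strings are all constructed for the example.

```python
# Constructed session records: (client address, destination port, first bytes sent by the client).
# None of these come from a real capture.
SESSIONS = [
    ("10.0.0.5",  443, bytes.fromhex("1603010100010000fc0303")),      # ordinary TLS ClientHello
    ("10.0.0.7",  443, bytes.fromhex("171603010100010000fc0303")),    # 0x17 then a ClientHello (assumed frp-style prefix)
    ("10.0.0.9",   22, b"SSH-2.0-OpenSSH_8.9\r\n"),                    # plain SSH banner on its normal port
    ("10.0.0.11", 443, b"GET / HTTP/1.1\r\nHost: a\r\n\r\n"),          # cleartext HTTP on the TLS port
]


def classify_first_bytes(data: bytes) -> str:
    """Classify what the first bytes of a new TCP session look like."""
    if len(data) < 3:
        return "short"
    if data[0] == 0x16 and data[1] == 0x03:
        # TLS handshake record: how every genuine TLS session begins.
        return "tls-handshake"
    if data[0] == 0x17:
        # application_data record type as the very first byte is never valid TLS.
        # If a handshake record follows, it matches the frp tls_enable prefix the text describes
        # (assumption: frp sends exactly one 0x17 byte and then a standard ClientHello).
        if len(data) >= 4 and data[1] == 0x16 and data[2] == 0x03:
            return "frp-tls-prefixed"
        return "app-data-first"
    return "other"


def flag_sessions(sessions, tls_ports=(443,)):
    """Return (client, port, kind) for sessions on TLS ports that did not start with a TLS handshake."""
    findings = []
    for client, dport, first in sessions:
        kind = classify_first_bytes(first)
        if dport in tls_ports and kind != "tls-handshake":
            findings.append((client, dport, kind))
    return findings


if __name__ == "__main__":
    for hit in flag_sessions(SESSIONS):
        print("non-TLS opener on TLS port:", hit)
```

Only the opening bytes are examined, so this catches the TLS-prefixed transport described here and nothing else; frp over plain TCP, KCP or WebSocket needs different logic. A 0x17 opener is worth a look regardless of which tool produced it.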

Proxy speed limit

A per-proxy speed limit can currently be set in the client's proxy configuration to cap the bandwidth a single proxy may use.

# frpc.ini
[ssh]
type = tcp
local_port = 22
remote_port = 6000
bandwidth_limit = 1MB

Adding the bandwidth_limit field to a proxy configuration enables this function. Currently only the MB and KB units are supported.

Range port mapping

Multiple ports can be mapped from a single section in the frpc configuration file. Currently only the tcp and udp types are supported.

This is done with the range: section prefix. The client parses the configuration in such a section and splits it into multiple proxies, each named with a numeric suffix.

For example, to map the six local ports 6000-6005 and 6007, the main configurations are as follows:

# frpc.ini
[range:test_tcp]
type = tcp
local_ip = 127.0.0.1
local_port = 6000-6006,6007
remote_port = 6000-6006,6007

Once the connection succeeds, 8 proxies are created, named test_tcp_0, test_tcp_1 ... test_tcp_7.
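The three frpc.ini points made in this section (the shared token in step 1 of 2.3, the use_encryption / tls_enable rules above, and the range: expansion just described) are the ones a reviewer checks when an frp client config turns up on a host. The following is an added example of such a config review, written for this article and not code from the frp project: it expands range: sections the way the text describes and reports weak settings. The sample frpc.ini, the list of placeholder tokens and the 16-character length threshold are constructed for the example; the requirement that local and remote port counts match is applied here as a sanity check.

```python
import configparser

# Constructed frpc.ini in the style of this article (not from any real deployment).
SAMPLE_FRPC_INI = """
[common]
server_addr = x.x.x.x
server_port = 7000
token = abcdefgh

[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
remote_port = 6000
use_encryption = true

[range:test_tcp]
type = tcp
local_ip = 127.0.0.1
local_port = 6000-6006,6007
remote_port = 6000-6006,6007
"""

# Placeholder tokens that should never reach production; the article's sample value is one of them.
WEAK_TOKENS = {"", "abcdefgh", "12345678", "password", "token"}
MIN_TOKEN_LEN = 16  # chosen for this example


def expand_ports(spec: str) -> list:
    """Expand a range: port spec such as "6000-6006,6007" into [6000, ..., 6006, 6007]."""
    ports = []
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.extend(range(int(lo), int(hi) + 1))
        else:
            ports.append(int(part))
    return ports


def expand_proxies(cfg: configparser.ConfigParser) -> dict:
    """Return {proxy_name: settings}, splitting [range:x] into x_0, x_1, ... as frpc does."""
    proxies = {}
    for section in cfg.sections():
        if section == "common":
            continue
        items = dict(cfg[section])
        if not section.startswith("range:"):
            proxies[section] = items
            continue
        base = section[len("range:"):]
        local = expand_ports(items["local_port"])
        remote = expand_ports(items["remote_port"])
        if len(local) != len(remote):
            raise ValueError(f"{section}: {len(local)} local ports vs {len(remote)} remote ports")
        for i, (lp, rp) in enumerate(zip(local, remote)):
            proxies[f"{base}_{i}"] = {**items, "local_port": str(lp), "remote_port": str(rp)}
    return proxies


def audit(text: str):
    """Parse an frpc.ini, expand its proxies and return (proxies, list of findings)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    common = cfg["common"] if cfg.has_section("common") else {}
    findings = []

    token = common.get("token", "").strip()
    if token in WEAK_TOKENS or len(token) < MIN_TOKEN_LEN:
        findings.append("common: token missing or weak; frps accepts any client that knows it")
    tls = common.get("tls_enable", "false").lower() == "true"
    if not tls:
        findings.append("common: tls_enable is not true; frpc<->frps transport is not TLS-protected")

    proxies = expand_proxies(cfg)
    for name, p in proxies.items():
        enc = p.get("use_encryption", "false").lower() == "true"
        if not tls and not enc:
            findings.append(f"{name}: frp adds no encryption between frpc and frps for this proxy")
        if tls and p.get("type") == "xtcp" and not enc:
            findings.append(f"{name}: xtcp still needs use_encryption even with tls_enable")
        if p.get("plugin") == "static_file" and p.get("plugin_http_user") == p.get("plugin_http_passwd"):
            findings.append(f"{name}: static_file exposes a directory with user name equal to password")
    return proxies, findings


if __name__ == "__main__":
    proxies, findings = audit(SAMPLE_FRPC_INI)
    print(f"{len(proxies)} proxies:", ", ".join(proxies))
    for f in findings:
        print("finding:", f)
```

On the sample above the range section yields eight proxies, test_tcp_0 through test_tcp_7, and the review flags the placeholder token, the absent tls_enable, and each range proxy that relies on neither TLS nor use_encryption; the [ssh] proxy passes because it enabled use_encryption.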

ew

3.1 introduction

EW (EarthWorm) is a portable network tunneling tool with two core functions: setting up a SOCKS v5 service and port forwarding. It can complete tunneling in complex network environments. However, the tool is no longer updated.

3.2 features

  1. Lightweight, written in C
  2. Multi-level proxy chains can be set up
  3. Cross-platform
  4. However, only SOCKS5 proxying is supported

3.3 usage

The following usage is taken from: http://rootkiter.com/EarthWorm/

In the following examples, unless otherwise specified, the proxy port is 1080 and the service is a SOCKS v5 proxy.

The tool has six command modes (ssocksd, rcsocks, rssocks, lcx_slave, lcx_listen, lcx_tran).

1. Forward SOCKS v5 server

$ ./ew -s ssocksd -l 1080

2. Reverse (rebound) SOCKS v5 server

This operation takes two steps:

a) First run the following command on host A, which has a public IP:

$ ./ew -s rcsocks -l 1080 -e 8888

b) Start the SOCKS v5 service on target host B and connect back to port 8888 of the public-network host:

$ ./ew -s rssocks -d 1.1.1.1 -e 8888

3. Multistage cascade

The three port-forwarding commands in the tool take the following parameters:

$ ./ew -s lcx_listen -l 1080 -e 8888
$ ./ew -s lcx_tran -l 1080 -f 2.2.2.3 -g 9999
$ ./ew -s lcx_slave -d 1.1.1.1 -e 8888 -f 2.2.2.3 -g 9999

With these port-forwarding commands, a TCP-based service deep inside the network, such as a SOCKS v5 server, can be forwarded to the front. First, two "two-level cascade" local SOCKS test samples:

a) Usage of lcx_tran

$ ./ew -s ssocksd -l 9999
$ ./ew -s lcx_tran -l 1080 -f 127.0.0.1 -g 9999

b) Usage of lcx_listen and lcx_slave

$ ./ew -s lcx_listen -l 1080 -e 8888
$ ./ew -s ssocksd -l 9999
$ ./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999

A "three-level cascade" local SOCKS test case, for reference:

$ ./ew -s rcsocks -l 1080 -e 8888
$ ./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999
$ ./ew -s lcx_listen -l 9999 -e 7777
$ ./ew -s rssocks -d 127.0.0.1 -e 7777

Data flow: SOCKS v5 -> 1080 -> 8888 -> 9999 -> 7777 -> rssocks
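The data-flow line above is easy to get wrong when reading a longer chain, because the -e port of a listener and the -e port of the slave that dials it are the same number while the slave's -g port names the next listener. The following is an added example, written for this article and not part of EarthWorm, that models the six command modes as described above and walks the chain from the client-facing port to the SOCKS endpoint; it parses command lines only and opens no sockets. The listener/connector roles are taken from the parameter formats given in this section, and the command lists are the three test cases above.

```python
import shlex

# Modes that accept connections on -l and, for the chained modes, wait on -e for a dial-in.
LISTENERS = {"ssocksd", "rcsocks", "lcx_listen", "lcx_tran"}
# Modes that dial out to a listener's -e port (and, for lcx_slave, on to -f:-g).
CONNECTORS = {"lcx_slave", "rssocks"}

TWO_LEVEL_TRAN = [
    "$ ./ew -s ssocksd -l 9999",
    "$ ./ew -s lcx_tran -l 1080 -f 127.0.0.1 -g 9999",
]
TWO_LEVEL_SLAVE = [
    "$ ./ew -s lcx_listen -l 1080 -e 8888",
    "$ ./ew -s ssocksd -l 9999",
    "$ ./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999",
]
THREE_LEVEL = [
    "$ ./ew -s rcsocks -l 1080 -e 8888",
    "$ ./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999",
    "$ ./ew -s lcx_listen -l 9999 -e 7777",
    "$ ./ew -s rssocks -d 127.0.0.1 -e 7777",
]


def parse_ew(cmd: str) -> dict:
    """Turn "$ ./ew -s lcx_tran -l 1080 -f h -g 9999" into {"role": "lcx_tran", "l": "1080", ...}."""
    toks = shlex.split(cmd.strip().lstrip("$").strip())
    args = {}
    i = 0
    while i < len(toks):
        if toks[i].startswith("-") and i + 1 < len(toks):
            args[toks[i].lstrip("-")] = toks[i + 1]
            i += 2
        else:
            i += 1  # skips "./ew" itself
    role = args.pop("s")
    return {"role": role, **args}


def trace_chain(commands, entry_port: int) -> list:
    """Follow a request entering at entry_port through the chain; ends at 'ssocksd' or 'rssocks'."""
    procs = [parse_ew(c) for c in commands]
    path = [entry_port]
    port = entry_port
    while True:
        lst = next((p for p in procs if p["role"] in LISTENERS and int(p["l"]) == port), None)
        if lst is None:
            raise ValueError(f"nothing listens on port {port}")
        if lst["role"] == "ssocksd":
            return path + ["ssocksd"]            # forward SOCKS server: the chain ends here
        if lst["role"] == "lcx_tran":
            port = int(lst["g"])                 # plain forward to -f:-g
            path.append(port)
            continue
        rendezvous = int(lst["e"])               # rcsocks / lcx_listen wait for a dial-in on -e
        path.append(rendezvous)
        con = next((p for p in procs if p["role"] in CONNECTORS and int(p["e"]) == rendezvous), None)
        if con is None:
            raise ValueError(f"no lcx_slave/rssocks dials port {rendezvous}")
        if con["role"] == "rssocks":
            return path + ["rssocks"]            # reverse SOCKS server: the chain ends here
        port = int(con["g"])                     # lcx_slave bridges on to -f:-g
        path.append(port)


if __name__ == "__main__":
    for name, cmds in [("2a", TWO_LEVEL_TRAN), ("2b", TWO_LEVEL_SLAVE), ("3", THREE_LEVEL)]:
        print(name, " -> ".join(str(hop) for hop in trace_chain(cmds, 1080)))
```

For the three-level case the walk reproduces the line above, 1080 -> 8888 -> 9999 -> 7777 -> rssocks. The same bookkeeping is what an analyst does by hand when reconstructing such a chain from process listings on several hosts: listening ports pair with the -e of whichever slave dialed them, and each slave's -g names the next hop.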

ngrok

4.1 introduction

ngrok is a reverse proxy. By establishing a secure tunnel between a public endpoint and a locally running web server, it exposes services on an intranet host to the Internet. ngrok can capture and analyze the traffic on every tunnel for later analysis and replay, which makes it convenient for testing server programs.

4.2 features

  1. Officially maintained, generally stable
  2. Cross-platform, closed source
  3. Traffic recording and replay

4.3 usage

  1. Go to the official ngrok website (https://ngrok.com/), register an ngrok account and download ngrok;
  2. Run the authorization command with the authtoken shown on the website:
     ./ngrok authtoken 1hAotxhmORtzCYvUc3BsxDBPh1H_******************
  3. ./ngrok http 80 exposes the HTTP service on local port 80 to the public network and provides a public domain name.

Packets and traffic can be viewed in the web UI on the official website (a paid feature).

Other services can also be exposed to the public network over TCP. Some commands:

File sharing with authentication

ngrok http -auth="user:password" file:///Users/alan/share

File sharing without authentication

ngrok http "file:///C:\\Users\\alan\\Public Folder"

Expose TCP port 3389 of the host to the public network

ngrok tcp 3389

For more usage, refer to: https://ngrok.com/docs

Added by Tryweryn on Fri, 11 Feb 2022 05:38:29 +0200