Shulou(Shulou.com)05/31 Report--

This article mainly shows you "what are the port forwarding traffic control tools in web security". The content is easy to understand and clear. I hope it can help you solve your doubts. Let me lead you to study and learn this article "what are the port forwarding traffic control tools in web security".

Application scenarios:

In Web security penetration testing is often faced with a problem, but also a very important part of Web server reinforcement, that is, Web server only open a port 80. The security protection of Web server can be the port customization of operating system or the port customization of network management before fire prevention. At this time, if the penetration tester wants to further test the intranet, he must first take down the target server and have certain control rights. In the past, some methods commonly used by penetration testers are to upload some executable files for the operating system to the target server, and the program must be executed as a process. However, due to a variety of limitations, different types of port forwarding and traffic manipulation tools have emerged one after another.

Tool preliminary: 2.1reDuh:

How it works:

I think most testers know more about port forwarding than I do. To put it bluntly, reDuh is a port transponder implemented by asp; php; jsp. As a matter of fact, this transponder has been transferred twice. Let's do an illustration with the connection to the remote desktop service:

We can also see from the diagram that there is actually a process like this from the MSTSC client to the target Terminal server:

Mstsc client-- > reDuh Agent-- > HTTP tunne-- > Web Server-- > Terminal Server

Of course, for MSTSC clients, these processes are transparent, and we just need to specify in MSTSC that the port of the connection is the port that the local reDuh listens on.

Software use:

1) run the reDuhGUI program and the following interface appears. Enter the address of the reDuh in the URL input box and click the Start button:

2) if the target URL exists and works properly, the interface will change to the following style. We can see that the status of the Create button becomes available. This is, we enter the address and port to which the target server needs to connect, as well as the port number of the local listening in the Create Tunnel, and click the Create button. It should be noted that the address of Remote Host is not the IP address of the target server, but any address that can be accessed by the target server. Assuming that the address of the target server is 10.10.10.10, if Remote Host is 127.0.0.1, it is actually equivalent to the address on the connection server; if Remote Host is 10.10.10.11, it is equivalent to letting the server connect to another server in the private network:

3) A piece of data will be added to the list box on the interface, indicating that the local listening port 1234 corresponds to the 127.0.0.1 3389 endpoint of the target server connection:

After the HTTP tunnel is created successfully, we can use MSTSC to test the connection. Enter the corresponding local listening address in Computer and select the connection:

4) at this time, we can see a large number of data transfers from the log box of the program:

5) the remote desktop can be connected normally in MSTSC:

6) if we complete the operation and need to be disconnected, we can select an item in the list box on the right, and then click the Close button to complete the destruction of a link. If we want to completely disconnect the current connection, click the Kill button:

2.2 reGeorg+Proxifier

Operating environment: pythony and urllib3

Download address: https://github.com/sensepost/reGeorg.git

The principle is more or less the same, so I won't explain it. I'll just test the use process.

Application scenarios:

During the internal network test, mysql has root permission, read the configuration file, get the root directory of the website, write down the horse, connect it with a kitchen knife, and find that it is system permission, and there is a problem when port 3389 is open. when the external network accesses port 3389, it is found that it is not connected, only open to the internal network. This is very embarrassing, I am in the intranet, the server is also in the intranet, and I do not have a public network machine. You need to use reGeorg+Proxifier at this time.

How to use reGeorg:

First, upload the corresponding script of reGeorg to the server. ReGeorg provides PHP, ASPX and JSP scripts. The direct access displays "Georg says, 'All seems fine'", which means that the script is running normally.

Run the command prompt to switch to C:\ Python27\, and run python reGeorgSocksProxy.py-u (the address of the upload reGeorg script)-p (forwarding port). There is no mandatory parameter order.

Since it is based on socks5, you also need to install a socks5 agent tool locally. There are many such tools on the Internet. Take Proxifier as an example.

Then change the agent rule to proxy socket5 127.0.0.1

At this time, the interview successfully entered the connection with 3389.

2.3 rinetd to achieve traffic forwarding

Example:

The company's firewall only allows outbound traffic at port 53 (but inbound traffic is still allowed). If you want to access the Internet through port 80, it is rejected.

Solution: by placing a machine at home and using the company's computer to access port 53 at home, the home computer 20.1.1.1 forwards the website's traffic back to the company's network.

Installation:

Apt-get install rinetd

Configuration:

Vim / etc/rinetd.conf

Launch: rinetd

Determine if the process starts:

Access port 53 of kali (IP:1.1.1.16) from the XP system and find that you can access the website of 110s

Forward shell

Listen on port 333 on the 192.168.1.110 machine

Forward port 333 on kali:

Restart the service:

Enter it on the private network machine 1.1.1.12, and command: nc 192.168.1.1653 (connect to kali)

It is found that you have successfully gained control of the intranet machine:

2.4 other:

SSH penetration

Ssh-D 127.0.0.1 in 1080-p 22 user@IPAdd socks4 127.0.1 1080 in / etc/proxychains.confproxychains commands target

SSH penetrates from one network to another

Ssh-D 127.0.0.1 user1@IP2Add socks4 1080-p 22 user1@IP1Add socks4 127.0.0.1 1080 in / etc/proxychains.confproxychains ssh-D 127.0.1 0.1 user1@IP2Add socks4 127.0.0.1 1081 in / etc/proxychains.confproxychains commands target

Ptunnle-Ping tunnel ICMP

Tunneling through ICMP echo (ping requests) and reply (ping reply)

Server:

Ptunnel-x 1234 (- x sets password)

Client:

Sudo ptunnel-p proxy-lp 2222-da destination-dp 22-x 1234 (da is the destination address dp destination port-x password)

Nested SSH tunnels:

Ssh-CNfg-D 7000 root@127.0.0.1-p 2222 and above are all the contents of this article entitled "what are the port forwarding traffic control tools in web security?" Thank you for reading! I believe we all have a certain understanding, hope to share the content to help you, if you want to learn more knowledge, welcome to follow the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.