
Preface

From a penetration tester's perspective, this article summarizes several commonly used intranet penetration (NAT traversal) and intranet proxy tools, and introduces their basic principles and usage.

nps-npc

Introduction

nps is a lightweight, high-performance, powerful intranet penetration proxy server. It currently supports TCP and UDP traffic forwarding, and therefore any protocol layered on TCP or UDP (accessing intranet websites, debugging local payment interfaces, SSH access, remote desktop, intranet DNS resolution, etc.). It also provides an intranet HTTP proxy, an intranet SOCKS5 proxy, P2P and more, together with a powerful web management console.

Deployment requires:

  • A server (VPS) with a public IP to run the server side (NPS)
  • One or more servers or PCs on the intranet running the client (NPC)


Features
  • Written in Go
  • Cross-platform
  • Proxies supporting multiple protocols
  • Web management console

Instructions

https://github.com/ehang-io/nps/releases

NPS

Installation and configuration

Download the server build that matches your server's platform:

cd ~
wget https://github.com/cnlh/nps/releases/download/v0.23.2/linux_amd64_server.tar.gz
tar xzvf linux_amd64_server.tar.gz
cd ~/nps

Under the nps directory there will be an nps executable, a conf configuration directory and a web page directory; we only need to modify conf/nps.conf:

vim conf/nps.conf

A few parameters under #web need to be changed:

web_host=<server IP or domain name>
web_username=admin  (login user name)
web_password=<your password>
web_port=8080  (web management port)

Modify #bridge to change the port that NPC connects to. For example, if we obtain a server with restricted permissions behind a firewall, perhaps only a few ports (80, 443) are allowed out to the internet, so we change the bridge port to one that is allowed out.

##bridge
bridge_type=tcp
bridge_port=443  # change the connection port
bridge_ip=0.0.0.0

Start up

#Mac/Linux
./nps test|start|stop|restart|status    test config file | start | stop | restart | status

#Windows
nps.exe test|start|stop|restart|status  test config file | start | stop | restart | status

NPC

./npc -server=<your IP>:8024 -vkey=<unique verification key> -type=tcp

Here 8024 is the default bridge_port of nps; if you changed bridge_port as above (443), connect to that port instead.


After creating a new client, you can also see the detailed client connection command under the + button:


Web management

In the client interface, you can add client connections via "New"; each connection is uniquely identified by its vkey.

Each client, once connected, can establish multiple tunnels using different protocols, and each tunnel is a separate proxy.


Through the different protocols and ports, you can reach the intranet machines behind that client.

frp

Introduction

frp is a high-performance reverse proxy application focused on intranet penetration, supporting multiple protocols such as TCP, UDP, HTTP and HTTPS. Intranet services can be exposed to the public network securely and conveniently through a relay node with a public IP.


Features
  • Client-server communication supports multiple protocols such as TCP, KCP and WebSocket.
  • Port reuse: multiple services are exposed through the same server port.
  • Cross-platform, but supports slightly fewer platforms than nps
  • A variety of plug-ins providing many functions

Instructions

Download: https://github.com/fatedier/frp/releases

  • Access the home machine through rdp

Modify the frps.ini file. For security, it is best to configure authentication here: if the token parameter in the [common] section of the server and the client is identical, authentication passes:

# frps.ini
[common]
bind_port = 7000
# used for authentication; change it yourself and keep server and client consistent
token = abcdefgh

Start frps:

./frps -c ./frps.ini

Modify the frpc.ini file, assuming that the public IP of the server where frps is located is x.x.x.x:

# frpc.ini
[common]
server_addr = x.x.x.x
server_port = 7000
# used for authentication; change it yourself and keep server and client consistent
token = abcdefgh

[rdp]
type = tcp
local_ip = 127.0.0.1
local_port = 3389
remote_port = 6000

Start frpc:

./frpc -c ./frpc.ini

Access the remote machine via RDP at the address:

x.x.x.x:6000

Self-start

On Windows, for convenience, you can configure it to start silently at boot. Create start_frpc.vbs in the same directory as frpc.exe:

'start_frpc.vbs
'modify the paths to match your installation
'the spaces around -c are required, otherwise the exe path, -c and the ini path run together
CreateObject("WScript.Shell").Run """D:\Program Files\frp_windows_amd64\frpc.exe""" & " -c " & """D:\Program Files\frp_windows_amd64\frpc.ini""",0

Copy the start_frpc.vbs file and open the following directory, replacing <USER_NAME> with your user name:

C:\Users\<USER_NAME>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Right-click and paste as a shortcut.

  • Access the company's intranet machines via SSH

The deployment steps of frps are the same as above.

Start frpc, the configuration is as follows:

# frpc.ini
[common]
server_addr = x.x.x.x
server_port = 7000
# used for authentication; change it yourself and keep server and client consistent
token = abcdefgh

[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
remote_port = 6000

Access the intranet machine via SSH, assuming the user name is test:

ssh -oPort=6000 test@x.x.x.x

  • Access the web service deployed on the intranet through a custom domain name

Sometimes we want to let other people access or test a web service we built locally via a domain name, but because the local machine has no public IP, the domain name cannot be resolved to it. This can be achieved with frp. The following example is for an HTTP service; the HTTPS configuration is the same, except that vhost_http_port is replaced with vhost_https_port and type is set to https.

Modify the frps.ini file and set the http access port to 8080:

# frps.ini
[common]
bind_port = 7000
vhost_http_port = 8080
# used for authentication; change it yourself and keep server and client consistent
token = abcdefgh

Start frps:

./frps -c ./frps.ini

Modify the frpc.ini file, assuming the IP of the server where frps is located is x.x.x.x; local_port is the port of the web service on the local machine, and custom_domains binds the custom domain name www.yourdomain.com:

# frpc.ini
[common]
server_addr = x.x.x.x
server_port = 7000
# used for authentication; change it yourself and keep server and client consistent
token = abcdefgh

[web]
type = http
local_port = 80
custom_domains = www.yourdomain.com

Start frpc:

./frpc -c ./frpc.ini

Point the A record of www.yourdomain.com to the IP x.x.x.x. If the server already has a domain name, you can instead point a CNAME record at the server's existing domain name.

Then open http://www.yourdomain.com:8080 in a browser to access the web service on the intranet machine.

  • Provide simple file access services to the outside world

A simple HTTP-based file access service can be exposed externally through the static_file plug-in.

The deployment steps of frps are the same as above. Start frpc, enable the static_file plug-in, the configuration is as follows:

# frpc.ini
[common]
server_addr = x.x.x.x
server_port = 7000
# used for authentication; change it yourself and keep server and client consistent
token = abcdefgh

[test_static_file]
type = tcp
remote_port = 6000
plugin = static_file
# directory of files to expose
plugin_local_path = /tmp/file
# prefix stripped from the request URL; what remains is the path of the file to access
plugin_strip_prefix = static
plugin_http_user = abc
plugin_http_passwd = abc

Open http://x.x.x.x:6000/static/ in a browser to view the files in the /tmp/file directory; you will be prompted for the user name and password that were set.

Common Functions
  • Dashboard

View the status of frp and proxy statistics through the browser.

Note: the Dashboard has not been optimized for displaying a large number of proxies. If Dashboard access is slow, do not enable this function.

You need to specify the port used by the dashboard service in frps.ini to enable this function:

[common]
dashboard_port = 7500
# dashboard user name and password, both default to admin
dashboard_user = admin
dashboard_pwd = admin

Open http://[server_addr]:7500 in a browser. The default user name and password are both admin.

  • Encryption and compression

These two functions are not enabled by default. You enable encryption and compression for a specific proxy through its configuration in frpc.ini. The compression algorithm is snappy:

# frpc.ini
[ssh]
type = tcp
local_port = 22
remote_port = 6000
use_encryption = true
use_compression = true

If the company's intranet firewall performs traffic identification and blocking on outbound access, for example prohibiting the SSH protocol, then setting use_encryption = true encrypts the communication between frpc and frps, which effectively prevents the traffic from being identified and intercepted.

If the transmitted messages are long, compressing the content by setting use_compression = true can effectively reduce the network traffic between frpc and frps and speed up forwarding, but consumes some additional CPU.

  • TLS

Since v0.25.0, frpc and frps support TLS-encrypted transport between them. Enable it by setting tls_enable = true in the [common] section of frpc.ini, which gives higher security.

For port reuse, the first byte of a TLS connection established by frp is 0x17.

Note: after enabling this function, use_encryption no longer needs to be set, except for xtcp.
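The settings discussed above (the shared token, the dashboard's admin/admin default, and use_encryption / tls_enable) can be checked mechanically. As an added example that is not part of the original article or of frp itself, this Python script audits frps.ini and frpc.ini text for those weak or missing settings; the sample configs are constructed, and the 16-character token threshold is the script's own choice.

```python
import configparser

# Constructed sample configs for demonstration; not from any real deployment.
SAMPLE_FRPS = """
[common]
bind_port = 7000
dashboard_port = 7500
dashboard_user = admin
dashboard_pwd = admin
"""
SAMPLE_FRPC = """
[common]
server_addr = 203.0.113.10
token = abcdefgh
[ssh]
local_port = 22
remote_port = 6000
"""
MIN_TOKEN_LEN = 16  # this audit's own threshold, not a frp requirement

def _load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp, (cp["common"] if cp.has_section("common") else {})

def _token_findings(common):
    token = common.get("token", "")
    if not token:
        return ["[common]: no token, so frps accepts any frpc"]
    if len(token) < MIN_TOKEN_LEN:
        return [f"[common]: token is only {len(token)} chars"]
    return []

def audit_frps(text):
    """Findings for the server-side frps.ini: token and dashboard credentials."""
    cp, common = _load(text)
    findings = _token_findings(common)
    if (common.get("dashboard_port") and common.get("dashboard_user", "admin") == "admin"
            and common.get("dashboard_pwd", "admin") == "admin"):
        findings.append("[common]: dashboard exposed with default admin/admin credentials")
    return findings

def audit_frpc(text):
    """Findings for the client-side frpc.ini: token and per-proxy transport encryption."""
    cp, common = _load(text)
    findings = _token_findings(common)
    tls = common.get("tls_enable", "false").lower() == "true"  # covers every proxy except xtcp
    for name in cp.sections():
        if name == "common":
            continue
        encrypted = cp[name].get("use_encryption", "false").lower() == "true"
        if not tls and not encrypted:
            findings.append(f"[{name}]: frpc<->frps traffic is unencrypted (no tls_enable/use_encryption)")
    return findings
```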

  • Proxy speed limit

Currently, a proxy-level rate limit can be set in the client's proxy configuration to limit the bandwidth a single proxy can use.

# frpc.ini
[ssh]
type = tcp
local_port = 22
remote_port = 6000
bandwidth_limit = 1MB

Add the bandwidth_limit field to the proxy configuration to enable this function. Currently only MB and KB units are supported.

  • Range port mapping

Multiple ports can be mapped in the frpc configuration file. Currently only the tcp and udp types are supported.

This function is achieved through the range: section prefix. The client parses the configuration in such a section and splits it into multiple proxies, each named with a numeric suffix.

For example, to map the 6 local ports 6000-6005, 6007, the main configuration is as follows:

# frpc.ini
[range:test_tcp]
type = tcp
local_ip = 127.0.0.1
local_port = 6000-6006,6007
remote_port = 6000-6006,6007

After the connection succeeds, 8 proxies are created, named test_tcp_0, test_tcp_1 ... test_tcp_7.
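As an added example (not frpc's own code), the following Python function expands a range: section the way the text describes: each comma-separated port or port range is flattened, the i-th local port is paired with the i-th remote port, and the resulting proxies are named with a numeric suffix. It goes beyond the text only by rejecting descending or mismatched ranges; the EXAMPLE dict is constructed from the section above.

```python
def expand_ports(spec):
    """Flatten '6000-6006,6007' into [6000, 6001, ..., 6006, 6007]."""
    ports = []
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(p) for p in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"descending range {part!r}")
            ports.extend(range(lo, hi + 1))
        else:
            ports.append(int(part))
    return ports

def expand_range_section(name, settings):
    """Split one [range:name] section into numbered single-port proxies."""
    if settings.get("type") not in ("tcp", "udp"):
        raise ValueError("range sections support only tcp and udp")
    local = expand_ports(settings["local_port"])
    remote = expand_ports(settings["remote_port"])
    if len(local) != len(remote):
        raise ValueError(f"local_port expands to {len(local)} ports, remote_port to {len(remote)}")
    # the i-th local port is paired with the i-th remote port; proxies are named name_0, name_1, ...
    return {f"{name}_{i}": dict(settings, local_port=lp, remote_port=rp)
            for i, (lp, rp) in enumerate(zip(local, remote))}

# Constructed input mirroring the article's [range:test_tcp] section.
EXAMPLE = {"type": "tcp", "local_ip": "127.0.0.1",
           "local_port": "6000-6006,6007", "remote_port": "6000-6006,6007"}
```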

ew

Introduction

EW is a portable network penetration tool with two core functions, SOCKS v5 server setup and port forwarding, and can complete network penetration in complex network environments. However, the tool is no longer updated.


Features
  • Lightweight, written in C
  • Multi-level proxies can be set up
  • Cross-platform
  • But only supports SOCKS5 proxying

Instructions

In all the following examples, unless otherwise specified, the proxy port is 1080 and the service is a SOCKS v5 proxy.

The tool has 6 command modes (ssocksd, rcsocks, rssocks, lcx_slave, lcx_listen, lcx_tran).

Forward SOCKS v5 server

$ ./ew -s ssocksd -l 1080

Reverse (rebound) SOCKS v5 server; this operation takes two steps:

a) First run the following command on host A, which has a public IP:

$ ./ew -s rcsocks -l 1080 -e 8888

b) Start the SOCKS v5 service on target host B and bounce it back to port 8888 of the public host:

$ ./ew -s rssocks -d 1.1.1.1 -e 8888

The SOCKS v5 proxy is now reachable on port 1080 of host A.

Multi-level cascade

The tool's three built-in port forwarding commands have the following parameter formats:

$ ./ew -s lcx_listen -l 1080 -e 8888
$ ./ew -s lcx_tran   -l 1080 -f 2.2.2.3 -g 9999
$ ./ew -s lcx_slave  -d 1.1.1.1 -e 8888 -f 2.2.2.3 -g 9999

Through these port forwarding commands, TCP-based services deep inside the network, such as SOCKS v5, can be forwarded out to the root. First, two "two-level cascade" local SOCKS test examples:

a) Usage of lcx_tran

$ ./ew -s ssocksd  -l 9999
$ ./ew -s lcx_tran -l 1080 -f 127.0.0.1 -g 9999

b) Usage of lcx_listen, lcx_slave

$ ./ew -s lcx_listen -l 1080 -e 8888
$ ./ew -s ssocksd    -l 9999
$ ./ew -s lcx_slave  -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999

A "three-level cascade" local SOCKS test case for reference:

$ ./ew -s rcsocks -l 1080 -e 8888
$ ./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999
$ ./ew -s lcx_listen -l 9999 -e 7777
$ ./ew -s rssocks -d 127.0.0.1 -e 7777

Data flow direction: SOCKS v5 -> 1080 -> 8888 -> 9999 -> 7777 -> rssocks
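To make the data-flow line above mechanical, here is an added Python example (not part of ew or of the original article) that reconstructs the hop sequence from a list of ew command lines, for instance command lines recovered from process audit logs during an investigation. The mode-to-flag model and the constructed sample command lines are this example's own assumptions.

```python
import shlex

# Simplified model of the six ew modes: the flag naming the port on which data arrives
# from the root side, and the flag naming where it goes next (None = serves SOCKS itself).
MODES = {
    "ssocksd":    ("-l", None),  # SOCKS server listening on -l
    "rcsocks":    ("-l", "-e"),  # clients on -l, reverse SOCKS side arrives on -e
    "rssocks":    ("-e", None),  # connects out to -d:-e and serves SOCKS
    "lcx_listen": ("-l", "-e"),  # clients on -l, slave side arrives on -e
    "lcx_tran":   ("-l", "-g"),  # clients on -l, forwards to -f:-g
    "lcx_slave":  ("-e", "-g"),  # bridges -d:-e with -f:-g
}

def parse_ew(cmdline):
    """Return (mode, {flag: value}) for one line such as './ew -s rcsocks -l 1080 -e 8888'."""
    toks = shlex.split(cmdline.lstrip("$ "))
    args = dict(zip(toks[1::2], toks[2::2]))  # every ew flag takes exactly one value
    mode = args.pop("-s", None)
    if mode not in MODES:
        raise ValueError(f"unknown ew mode {mode!r} in {cmdline!r}")
    return mode, args

def trace_chain(cmdlines, entry_port):
    """Follow the data path from entry_port hop by hop, rendered like the article's diagram."""
    hops = {}  # port data arrives on -> (mode, port it is sent on to, or None)
    for line in cmdlines:
        mode, args = parse_ew(line)
        in_flag, out_flag = MODES[mode]
        port = int(args[in_flag])
        if port in hops:
            raise ValueError(f"port {port} is claimed by two ew instances")
        hops[port] = (mode, int(args[out_flag]) if out_flag else None)
    path, port, seen = [str(entry_port)], entry_port, set()
    while port is not None:
        if port in seen:
            raise ValueError(f"loop at port {port}")
        seen.add(port)
        if port not in hops:
            raise ValueError(f"nothing serves port {port}: broken chain")
        mode, nxt = hops[port]
        path.append(mode if nxt is None else str(nxt))  # terminal hop is named by its mode
        port = nxt
    return " -> ".join(path)

# The article's three-level cascade as constructed command lines (e.g. from process logs).
THREE_LEVEL = [
    "./ew -s rcsocks -l 1080 -e 8888",
    "./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999",
    "./ew -s lcx_listen -l 9999 -e 7777",
    "./ew -s rssocks -d 127.0.0.1 -e 7777",
]
```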

ngrok

Introduction

ngrok is a reverse proxy. By establishing a secure tunnel between a public endpoint and a locally running web server, it exposes services on an internal host to the external network. ngrok can capture and analyze the traffic on all tunnels, which is convenient for later analysis and replay, so ngrok can easily assist in testing server programs.

Features
  • Officially maintained, generally stable
  • Cross-platform, closed source
  • Has traffic recording and replay functions

Instructions

Go to the ngrok official website (https://ngrok.com/), register an ngrok account and download ngrok;

Using the authorization code shown on the website, run the following authorization command;

./ngrok authtoken 1hAotxhmORtzCYvUc3BsxDBPh1H_******************

./ngrok http 80 exposes the machine's port-80 HTTP service to the public network and provides a public domain name.


You can view packets and traffic through the UI on the official website (but you have to pay).


You can also expose files and other TCP services on the intranet to the public network through a few more commands.

File sharing with authentication

ngrok http -auth="user:password" file:///Users/alan/share

File sharing without authentication

ngrok http "file:///C:\\Users\\alan\\Public Folder"

Expose the host's TCP port 3389 to the public network

ngrok tcp 3389

For more usage, refer to: https://ngrok.com/docs

Source: v0w.top/2020/08/11/IntranetProxy


民工哥