How to Use SocksCap for internal network breakthrough

Source: Internet
Author: User





The port mapping function maps the "fake" IP address (intranet IP address) of a host to a "real" IP address (an independent Internet IP address). When a user accesses a port on the host that provides the mapping, that server forwards the request to the host on the LAN that provides the specific service. Port mapping can also map multiple ports of a computer with a "real" IP address to different ports on different internal computers, and it can perform some specific proxy functions, such as proxying FTP, POP, SMTP, Telnet, and other protocols. In theory, a host can provide over 60 thousand port mappings.

In this case, we can learn:

(1) Knowledge about port mapping

(2) Port mapping using SocksCap

Port mapping is divided into dynamic and static port mapping. Static port mapping opens a fixed port on the NAT gateway and configures the data received on this port to be forwarded to a given intranet IP address and port. The mapping stays in place regardless of traffic, so a public network host can actively access a computer on the intranet. The NAT gateway can be a switch, a router, or another computer with an independent IP address.

Dynamic port mapping works as follows. When a computer on the intranet needs to access Sina, it sends data packets to the NAT gateway. The packets contain the IP address and port of the peer (i.e. Sina) and the local IP address and port. The NAT gateway replaces the local IP address and port with its own public IP address and an unused port, records the mapping relationship for future packet forwarding, and then sends the data to Sina. Upon receiving the data, Sina responds and sends its reply to that previously unused port on the NAT gateway. The NAT gateway then forwards the data to the computer on the intranet, which implements communication between the intranet and the Internet. When the connection is closed, the NAT gateway releases the port allocated to the connection so that later connections can reuse it. Dynamic port mapping is actually the way the NAT gateway works.
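The difference between the two mapping types can be seen in a small model. The following is an added example, not code from the original article: a toy NAT gateway in Python whose addresses and ports are constructed sample values, and which assumes the gateway only accepts replies from the peer the intranet host contacted.

```python
# Toy NAT gateway (added illustration, not a real network stack).
# All IP addresses and ports are constructed sample values.
class NatGateway:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.static = {}   # public port -> (intranet ip, port); never released
        self.dynamic = {}  # public port -> (intranet ip, port, peer ip, peer port)

    def add_static(self, public_port, inner_ip, inner_port):
        # Static mapping: the fixed public port always forwards inward.
        self.static[public_port] = (inner_ip, inner_port)

    def outbound(self, inner_ip, inner_port, peer_ip, peer_port):
        # Replace the local address/port with the public IP and an unused port,
        # and record the mapping for the reply packets.
        while self.next_port in self.static or self.next_port in self.dynamic:
            self.next_port += 1
        port = self.next_port
        self.dynamic[port] = (inner_ip, inner_port, peer_ip, peer_port)
        return (self.public_ip, port)

    def inbound(self, src_ip, src_port, public_port):
        # Returns the intranet target, or None when the packet is dropped.
        if public_port in self.static:
            return self.static[public_port]
        entry = self.dynamic.get(public_port)
        # Assumption: only the contacted peer may use a dynamic mapping.
        if entry and entry[2:] == (src_ip, src_port):
            return entry[:2]
        return None

    def close(self, public_port):
        # Connection closed: release the dynamically allocated port.
        self.dynamic.pop(public_port, None)


def demo():
    gw = NatGateway("203.0.113.10")
    gw.add_static(8080, "192.168.80.20", 80)
    src = gw.outbound("192.168.80.129", 51000, "198.51.100.5", 80)
    results = {
        "rewritten_source": src,
        "reply": gw.inbound("198.51.100.5", 80, src[1]),
        "stranger": gw.inbound("198.51.100.99", 4444, src[1]),
        "static": gw.inbound("198.51.100.99", 4444, 8080),
    }
    gw.close(src[1])
    results["after_close"] = gw.inbound("198.51.100.5", 80, src[1])
    return results
```

Only the static entry admits a connection that the intranet never initiated, which is why static mappings deserve review in a gateway configuration audit.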

Currently, many Trojans and professional software packages have SOCKS proxy functions. Once a Trojan or such software is installed on a bot (a computer with an independent Internet IP address), the bot has proxy functions, and proxy software such as SocksCap can then be used to break through into the intranet and access intranet computers from this bot.

1. Install and run SocksCap Software

The sc32r238 Chinese version is used in this case. Earlier versions have expired and cannot be used. When SocksCap is installed, a "License" agreement window is displayed. In this window, click "Accept" to accept the license.

Description

(1) It takes a little longer to start installing the SocksCap software, because the software first needs to decompress its files.

(2) After installing the original sc32r238 version, you need to run the corresponding Chinese application. Otherwise, the system reports that the application has expired and the program closes automatically.

2. Set SocksCap Software

After starting the SocksCap software, click "File" > "Settings" to open the SocksCap settings window. Enter the IP address and port in the SOCKS Server field and select "SOCKS version 5". In the domain name resolution field, select "try local first and then remote resolution", as shown in Figure 1. Click "OK" or "Apply" to complete the settings.

 

Figure 1 Set SocksCap Software

3. Create an Application Identifier

In the SocksCap main window, click the "New" icon to open the "New Application Identifier" window. Enter an identifier name, "3389" in this example, and then select an application, as shown in Figure 2. Finally, click "OK" to complete the application identifier settings.

Figure 2 create an Application Identifier

Description

(1) The purpose of creating an application identifier is to open the application quickly from within SocksCap. After the application identifier is created, the icon of the "command line" program it refers to is automatically extracted to the SocksCap main window, as shown in Figure 3.

Figure 3 automatically sort Application Identifiers

(2) The "command line" (application) in the application identifier is proxied by the SocksCap software, that is, the "command line" (application) can use the SOCKS proxy.

4. Run the "command line" proxy

Click the "3389" application identifier to open the remote terminal connection interface, enter the logon IP address "192.168.80.129", and click "Connect". After entering the user name and password in the 3389 login window, you reach the remote terminal desktop, as shown in Figure 4. Open a command prompt on the remote terminal desktop and enter the "netstat -an" command: the 3389 remote terminal connection on the computer shows the computer's own IP address as the connecting address. At this point, you have successfully entered the remote terminal desktop of an intranet computer whose password had been obtained.

Figure 4 Use the SocksCap proxy to log on to the Remote Terminal
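The netstat observation above is also what a defender can look for: a remote terminal session whose peer address is the host itself means the session is being relayed by a proxy running on that host. The following is an added example, not part of the original article. It assumes the Windows "netstat -an" column layout, and the sample output and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of "netstat -an" output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.80.129:3389    192.168.80.50:50211    ESTABLISHED
  TCP    192.168.80.129:3389    192.168.80.129:1042    ESTABLISHED
  TCP    192.168.80.129:1042    192.168.80.129:3389    ESTABLISHED
  TCP    127.0.0.1:3389         127.0.0.1:1055         ESTABLISHED
"""


def split_endpoint(endpoint):
    # "ip:port" or "[ipv6%scope]:port" -> (ip, port)
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]").split("%")[0], port


def self_sourced_sessions(netstat_text, service_port="3389"):
    """Return (local, foreign) pairs for established sessions on service_port
    whose peer is the host itself (same IP as the local side, or loopback)."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "ESTABLISHED":
            continue
        local_ip, local_port = split_endpoint(fields[1])
        remote_ip, _ = split_endpoint(fields[2])
        if local_port != service_port:
            continue  # client side of the pair, or an unrelated service
        try:
            loopback = ipaddress.ip_address(remote_ip).is_loopback
        except ValueError:
            continue  # not a parsable address, skip the line
        if loopback or remote_ip == local_ip:
            hits.append((fields[1], fields[2]))
    return hits


if __name__ == "__main__":
    for local, foreign in self_sourced_sessions(SAMPLE_NETSTAT):
        print("self-sourced session:", local, "<-", foreign)
```

The ordinary session from 192.168.80.50 is not reported; only sessions that originate on the host itself are flagged for follow-up, such as identifying the process that owns the client-side port.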

Tips

(1) On the SocksCap main interface, double-click the newly created application identifier icon to quickly open the application.

(2) When using the SocksCap proxy, if the connection fails, try selecting a different domain name resolution method in the SOCKS settings.

Summary

With the help of the SocksCap software, you can easily penetrate the intranet. However, the key to using SocksCap is to build a SOCKS server on the zombie. If you fail to build a SOCKS proxy server at the intranet entrance, it is difficult to access the intranet by using the IP address and port of a SOCKS proxy server found by SOCKS proxy search software. However, many Trojans currently provide this SOCKS proxy server function: you only need to set the port and password of the SOCKS proxy during the initial configuration of the Trojan. After the zombie runs the Trojan program, the zombie becomes the SOCKS proxy server.

 
