Intranet penetration series: spp of intranet tunnel

Foreword

This post looks at spp, a tool that provides bidirectional proxies over multiple protocols.

GitHub: https://github.com/esrrhs/spp

I. Overview

1. Introduction

First released in 2020 and still actively updated; from Tencent, written in Go.

  • Supported protocols: tcp, udp, rudp (reliable udp), ricmp (reliable icmp), rhttp (reliable http), kcp, quic
  • Supported types: forward proxy, reverse proxy, socks5 forward proxy, socks5 reverse proxy
  • Any protocol can be combined with any proxy type
  • Supports all platforms

2. Principle

(architecture diagram from the original post; image not preserved)

3. Usage

(1) Server

Start the server; assume its address is www.server.com and it listens on port 8888

./spp -type server -proto tcp -listen :8888

You can also listen on several ports and protocols at the same time

./spp -type server -proto tcp -listen :8888 -proto rudp -listen :9999 -proto ricmp -listen 0.0.0.0

You can also run it with Docker

docker run --name my-server -d --restart=always --network host esrrhs/spp ./spp -proto tcp -listen :8888

(2) Client

Start a TCP forward proxy that maps port 8080 of www.server.com to local port 8080, so that connecting to local port 8080 is equivalent to connecting to port 8080 of www.server.com

./spp -name "test" -type proxy_client -server www.server.com:8888 -fromaddr :8080 -toaddr :8080 -proxyproto tcp

Start a TCP reverse proxy that maps local port 8080 to port 8080 of www.server.com, so that connecting to port 8080 of www.server.com is equivalent to connecting to local port 8080

./spp -name "test" -type reverse_proxy_client -server www.server.com:8888 -fromaddr :8080 -toaddr :8080 -proxyproto tcp

Start a TCP forward SOCKS5 proxy: a SOCKS5 listener opens on local port 8080 and reaches the network the server sits in through the server

./spp -name "test" -type socks5_client -server www.server.com:8888 -fromaddr :8080 -proxyproto tcp

Start a TCP reverse SOCKS5 proxy: a SOCKS5 listener opens on port 8080 of www.server.com and reaches the network the client sits in through the client

./spp -name "test" -type reverse_socks5_client -server www.server.com:8888 -fromaddr :8080 -toaddr :8080 -proxyproto tcp

For the other proxy protocols, only the client's proxyproto parameter changes, for example

# proxy udp
./spp -name "test" -type proxy_client -server www.server.com:8888 -fromaddr :8080 -toaddr :8080 -proxyproto udp

# proxy rudp
./spp -name "test" -type proxy_client -server www.server.com:8888 -fromaddr :8081 -toaddr :8081 -proxyproto rudp

# proxy ricmp
./spp -name "test" -type proxy_client -server www.server.com:8888 -fromaddr :8082 -toaddr :8082 -proxyproto ricmp

# proxy all three of the above at once
./spp -name "test" -type proxy_client -server www.server.com:8888 -fromaddr :8080 -toaddr :8080 -proxyproto udp -fromaddr :8081 -toaddr :8081 -proxyproto rudp -fromaddr :8082 -toaddr :8082 -proxyproto ricmp

The internal transport between client and server can also be switched to another protocol; the external (proxied) protocol and the internal protocol are converted automatically. For example:

# proxy tcp, forwarded internally over rudp
./spp -name "test" -type proxy_client -server www.server.com:8888 -fromaddr :8080 -toaddr :8080 -proxyproto tcp -proto rudp

# proxy tcp, forwarded internally over ricmp
./spp -name "test" -type proxy_client -server www.server.com -fromaddr :8080 -toaddr :8080 -proxyproto tcp -proto ricmp

# proxy udp, forwarded internally over tcp
./spp -name "test" -type proxy_client -server www.server.com:8888 -fromaddr :8080 -toaddr :8080 -proxyproto udp -proto tcp

# proxy udp, forwarded internally over kcp
./spp -name "test" -type proxy_client -server www.server.com:8888 -fromaddr :8080 -toaddr :8080 -proxyproto udp -proto kcp

# proxy tcp, forwarded internally over quic
./spp -name "test" -type proxy_client -server www.server.com:8888 -fromaddr :8080 -toaddr :8080 -proxyproto tcp -proto quic

# proxy tcp, forwarded internally over rhttp
./spp -name "test" -type proxy_client -server www.server.com:8888 -fromaddr :8080 -toaddr :8080 -proxyproto tcp -proto rhttp

You can also run the client with Docker

docker run --name my-client -d --restart=always --network host esrrhs/spp ./spp -name "test" -type proxy_client -server www.server.com:8888 -fromaddr :8080 -toaddr :8080 -proxyproto tcp

II. Practice

1. Test scenario

Attacker (server): Kali, 192.168.10.128
Target (client): Ubuntu, 192.168.10.129

The target machine can ping the attacking machine

2. TCP reverse connection

(1) Server

Listen on port 8888 over TCP

./spp -type server -proto tcp -listen :8888


(2) Client

Start a reverse proxy over TCP that maps port 2222 on the server to port 80 on the client, so that the server connecting to its own port 2222 is equivalent to connecting to port 80 on the client

./spp -name "test" -type reverse_proxy_client -server 192.168.10.128:8888 -fromaddr :2222 -toaddr :80 -proxyproto tcp

You can start Apache on port 80 on the client to check the mapping.

(3) Tunnel establishment

Connecting to port 2222 on the server is mapped to port 80 on the client and brings up the Apache page.

(4) Packet capture

Connection setup: the handshake returns the port, user and password (visible in the capture).
The proxied port 80 traffic itself is encrypted.

3. ICMP SOCKS5 proxy reverse connection

(1) Server

./spp -type server -proto ricmp -listen 0.0.0.0


(2) Client

./spp -name "test" -type reverse_socks5_client -server 192.168.10.128 -fromaddr :1080 -proxyproto tcp -proto ricmp


(3) Tunnel establishment

Configure proxychains to use the SOCKS5 listener, then run nmap through the proxy; the client prints a log of the proxied connections (screenshots in the original post, not preserved).

(4) Take a look at the package

Connection setup: the handshake returns the port, user and password.
Heartbeat packets are exchanged while the tunnel is idle.
The nmap traffic is carried inside the ICMP tunnel.
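The ricmp capture above shows tunnel data and heartbeats riding on ICMP echo traffic. As an added example (not from the original post or the spp project), the script below shows one defender-side check built on that observation: it assumes the heartbeats arrive at a roughly fixed interval and flags host pairs that exchange many evenly spaced echo requests over a long period. The packet records and the thresholds are constructed for the demo.

```python
"""Flag long-lived, regularly timed ICMP echo exchanges between one host pair.

Added example, not part of the original post or the spp project.  ricmp
carries tunnel data and heartbeats in ICMP; this check assumes (not shown
on the page) that heartbeats are sent at a roughly fixed interval.
"""
from collections import defaultdict
from statistics import mean, pstdev

ECHO_REQUEST = 8
ECHO_REPLY = 0

# Thresholds are assumptions for the demo; tune against a real baseline.
MIN_REQUESTS = 20      # echo requests needed before a pair is considered
MAX_JITTER = 0.15      # coefficient of variation of inter-arrival times
MIN_DURATION = 60.0    # seconds the exchange must span


def build_records():
    """Constructed ICMP summaries: (timestamp, src, dst, icmp_type).

    Pair A: a 2-second beacon with small jitter for 120 s (tunnel-like).
    Pair B: a four-packet ping (benign, too short to matter).
    """
    recs = []
    t = 0.0
    for k in range(60):
        jitter = 0.05 * ((k % 3) - 1)            # -0.05, 0, +0.05
        recs.append((t + jitter, "192.168.10.129", "192.168.10.128", ECHO_REQUEST))
        recs.append((t + jitter + 0.001, "192.168.10.128", "192.168.10.129", ECHO_REPLY))
        t += 2.0
    for k in range(4):
        recs.append((300.0 + k, "192.168.10.50", "192.168.10.1", ECHO_REQUEST))
        recs.append((300.0 + k + 0.002, "192.168.10.1", "192.168.10.50", ECHO_REPLY))
    return recs


def find_beacons(records, min_requests=MIN_REQUESTS, max_jitter=MAX_JITTER,
                 min_duration=MIN_DURATION):
    """Return host pairs whose echo requests are numerous, long-lived and evenly spaced."""
    by_pair = defaultdict(list)
    for ts, src, dst, icmp_type in records:
        if icmp_type == ECHO_REQUEST:
            by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg               # relative spread of the intervals
        duration = times[-1] - times[0]
        if jitter <= max_jitter and duration >= min_duration:
            hits.append({"src": src, "dst": dst, "requests": len(times),
                         "interval": round(avg, 3), "jitter": round(jitter, 3),
                         "duration": round(duration, 1)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(build_records()):
        print("beacon-like ICMP: %(src)s -> %(dst)s, %(requests)d requests, "
              "every %(interval)ss (jitter %(jitter)s) over %(duration)ss" % hit)
```

Timing alone also matches a long-running ping, so a hit is a lead to correlate with endpoint evidence (which process on the host is emitting ICMP) rather than a verdict; that is exactly the point the detection section makes about looking at endpoint behaviour.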

III. Exploration

1. Source code and analysis

The author also maintains a very large go-engine library that is worth studying in depth.

2. Detection and bypass

Because spp's feature set is so broad, detection cannot rely only on the traffic characteristics of whichever mode happens to be in use; more weight should be put on endpoint behaviour.
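One concrete form of that endpoint-side view, as an added example (not code from the spp project or the original post): parse spp command lines out of process-creation logs and rank them. The parser handles the flags shown in the usage section above, including the repeatable -fromaddr/-toaddr/-proxyproto groups and the Docker wrapper form, so it also serves as a worked reading of that section. The log format, host names and scoring weights are constructed for the demo.

```python
"""Flag spp tunnel invocations in process-creation logs.

Added example, not code from the spp project.  Parses the spp flags shown
in the usage section (-type, -proto, -server, -listen, -name and the
repeatable -fromaddr/-toaddr/-proxyproto groups) and scores each invocation
from a defender's point of view.  Log format and host names are constructed.
"""
import re
import shlex

SPP_BIN = re.compile(r"(^|/)spp$")        # ./spp, /opt/spp, esrrhs/spp (docker image)
SCALAR_FLAGS = {"type", "proto", "server", "name", "listen"}
MAPPING_FLAGS = {"fromaddr", "toaddr", "proxyproto"}
REVERSE_TYPES = {"reverse_proxy_client", "reverse_socks5_client"}
COVERT_PROTOS = {"ricmp", "rhttp"}        # inner transports hidden in ICMP / HTTP

# Constructed sample: "<host> <pid> <command line>" per line.
SAMPLE_LOG = """\
ubuntu-ws 4123 ./spp -name "test" -type reverse_proxy_client -server 192.168.10.128:8888 -fromaddr :2222 -toaddr :80 -proxyproto tcp
ubuntu-ws 4188 ./spp -name "test" -type reverse_socks5_client -server 192.168.10.128 -fromaddr :1080 -proxyproto tcp -proto ricmp
build-01 991 /usr/bin/go build ./cmd/spp
jump-01 2201 ./spp -name "test" -type proxy_client -server www.server.com:8888 -fromaddr :8080 -toaddr :8080 -proxyproto udp -fromaddr :8081 -toaddr :8081 -proxyproto rudp
kali-01 777 docker run --name my-client -d --restart=always --network host esrrhs/spp ./spp -name "test" -type proxy_client -server www.server.com:8888 -fromaddr :8080 -toaddr :8080 -proxyproto tcp
"""


def parse_spp_args(cmdline):
    """Return the spp configuration encoded in a command line, or None.

    Scalar flags keep the last value seen; a mapping group is closed by its
    -proxyproto flag, matching the order used in the spp examples.  Server
    side repeats of -proto/-listen collapse to the last pair (not modelled).
    """
    argv = shlex.split(cmdline)
    start = next((i for i, tok in enumerate(argv) if SPP_BIN.search(tok)), None)
    if start is None:
        return None
    conf = {"type": None, "proto": "tcp", "server": None, "listen": None,
            "name": None, "mappings": []}
    group = {}
    i = start + 1
    while i < len(argv):
        tok = argv[i]
        if not tok.startswith("-"):
            i += 1                          # e.g. "./spp" after the docker image name
            continue
        flag = tok.lstrip("-")
        val = argv[i + 1] if i + 1 < len(argv) else ""
        if flag in SCALAR_FLAGS:
            conf[flag] = val
        elif flag in MAPPING_FLAGS:
            group[flag] = val
            if flag == "proxyproto":        # last flag of a mapping group
                conf["mappings"].append(group)
                group = {}
        i += 2
    if group:
        conf["mappings"].append(group)
    return conf if conf["type"] else None   # spp always needs -type


def assess(conf):
    """Score a parsed configuration; higher means more worth an analyst's time."""
    score = 1
    reasons = ["spp tunnel process (type=%s, inner proto=%s)" % (conf["type"], conf["proto"])]
    if conf["type"] in REVERSE_TYPES:
        score += 3
        reasons.append("reverse mode: exposes this host's network to %s" % conf["server"])
    if conf["type"] == "reverse_socks5_client":
        score += 1
        reasons.append("SOCKS5 pivot: remote side can reach arbitrary internal destinations")
    if conf["proto"] in COVERT_PROTOS:
        score += 2
        reasons.append("covert transport %s: tunnel traffic hides in ICMP or HTTP" % conf["proto"])
    for m in conf["mappings"]:
        reasons.append("mapping %s -> %s over %s" % (m.get("fromaddr"),
                                                    m.get("toaddr", "(socks5)"),
                                                    m.get("proxyproto")))
    return score, reasons


def scan_log(text):
    """Parse '<host> <pid> <cmdline>' lines and return findings, highest score first."""
    findings = []
    for line in text.splitlines():
        host, pid, cmd = line.split(" ", 2)
        conf = parse_spp_args(cmd)
        if conf is None:
            continue
        score, reasons = assess(conf)
        findings.append({"host": host, "pid": int(pid), "score": score,
                         "reasons": reasons, "conf": conf})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("%s pid=%d score=%d: %s" % (f["host"], f["pid"], f["score"], "; ".join(f["reasons"])))
```

The ranking deliberately puts reverse modes and the ricmp/rhttp transports first: those are the configurations that turn an internal host into an entry point while leaving the least to see on the wire, which is why the page steers detection toward the endpoint.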

Epilogue

spp is a big step toward an all-in-one tunnelling tool.

Source: blog.csdn.net/weixin_44604541/article/details/119606359