preface
In China, due to the large number of Internet users, operators cannot guarantee to provide each broadband user with a global unique public IPv4 address. Therefore, many users may find that the WAN IP they see through the router is inconsistent with the IP obtained by baidu’s “IP” keyword, and the former IP is a private IP.
In other cases, public IP addresses are expensive. Although an enterprise has a small number of independent public IP addresses, it cannot provide a public IP address for every host in the enterprise due to cost constraints, or not all Intranet services need to be exposed to the public network for access. In this case, enterprises may use NAT technology to map a large number of internal IP addresses to public IP addresses through certain rules. One of the most common techniques is NAPT, or Network Port Address translation. Generally, a service is provided through a port. Therefore, in this way, specific services can be opened to a small number of public IP addresses based on specific rules.
The problem
But sometimes we individual broadband users want to publish our services to public IP. Let’s say we have a beautiful website that we want to put on the Internet for people to see, how do we do that without public IP?
In other cases, when we do penetration test on an enterprise, we find that a public network server only opens the common port 80 to the public network, but the port 3389, which we need to use for authorization, is not open to the public network. What should we do in this case?
The solution to these problems is Intranet penetration.
Principle of NAPT
In short, there is a mapping table on the NAT gateway. The table records which IP address and port the Intranet sends a request to the public network device. Then, if a host on the Intranet sends a request to the public network device, the request packet from the Intranet host is transmitted to the NAT gateway. Then gateway NAT will change the source IP address and source port of the packet to any unused port that does not conflict with the IP address of gateway NAT itself, and record this change to the mapping table. Finally, the modified data packet is sent to the destination host. After the destination host sends back the response packet, the Intranet host to which the packet is forwarded is found in the mapping table according to the destination IP address and destination port in the response packet. In this way, the Intranet host can access the public network device using the unique public IP address of the router through NAPT when there is no public IP address.
Specific principle I found a picture on the Internet
NAPT only solves the problem of how Intranet hosts access public network hosts without public IP addresses, but does not solve the problem of how public network hosts initiate requests to Intranet hosts.
Private address
Private addresses are described earlier in the RFC 1918 documentation.
The Internet Assigned Numbers Authority (IANA) reserves the following three BLOCKS of IP addresses for private networks.
10.0.0.0 to 10.255.255.255 (10/8 bit prefix)
172.16.0.0-172.31.255.255 (172.16/12 bit prefix)
192.168.0.0-192.168.255.255 (192.168/16 bit prefix)
We can see that there are 1 class A address blocks, 32 Class B address blocks, and 256 Class C address blocks. Mainstream home routers often use class C private addresses as THE IP addresses of the ROUTER LAN, so we can see that the IP addresses on the router Settings page generally start with 192.168.
why
Let’s start with home broadband. Home broadband without a public IP address means that any ports you listen on on the local computer can only be accessed on the network where the local network card resides, which is usually the network where the router’s LAN side resides. If no mapping rule is specified, the network connected to the WAN router cannot access the services provided by the host.
In this case, if you want to use the WAN (which is usually the public network to which the WAN is connected if your carrier assigns you a public IP address), you need to do port mapping on the router. For example, the LAN IP of the router is 192.168.1.1, and the WAN IP is 23.23.23.23. I want the HTTP server provided by port 80 of the host at 192.168.1.2 on the Intranet to be directly accessible from the public network through http://23.23.23.23. So 192.168.1.2:80 is mapped to 23.23.23.23.23:80.
Generally, however, carriers do not give public IP addresses to common users. If you use this method of mapping, you are still unable to access the public network, because the WAN end of your router is connected to the LAN end of the carrier’s router, or even the last layer of connection to the public network. This behavior is called traffic penetration. Domestic some electricity, some moving broadband has a lot of this behavior. To provide broadband services by means of flow through, looks cheap, but in fact, due to a Shared IP, can lead to many websites innocent anti SPAM policy, or internal in order to save bandwidth, use the cache, lead to some shouldn’t cache sensitive security a page is cached, and even lead to some sites cache invalidation completely won’t open.
Some people find that even though they have a public IP address, they still can’t set up a server in the normal way. What’s going on? This is the operator in order to prevent individuals to open a variety of illegal services, but also to prevent hackers through the scanner to catch chicken and batch scanning, some commonly used ports were blocked, such as we this China telecom will be 80,8080 and other ports blocked. This ban, although to some extent ensures our network security, such as some time ago to blackmail the virus because most home users do not have independent public IP, and operating system, some of the most easy to burst holes 135139 ports have been banned by operators, such as making the probability of domestic personal family move computer much smaller; However, even if the public IP address is available, the common port cannot be used to provide services to the external network. You can only use another port. What’s wrong with that? A typical problem is that WEB sites use port 80 by default, so you can input the url without the upper end number, which is more beautiful.
The solution
If we encounter the above situation, how can we solve it?
If we do not have a public network server, we can use the well-known domestic “peanut shell”, “NAT123” and other services to achieve, but what is the principle behind them?
If we have a public IP server, we can use this public IP server to provide services. And how do you do it?
Solution implementation
Let’s say we have a public network server whose IP address is 45.45.45.45. We have another Intranet server with the IP address 23.23.23.23. We now want to open the HTTP service on 23.23.23.23:80, i.e. on the Intranet server, to 45.45.45.45.
In the simplest way, we can directly rebuild the entire Intranet server environment on the public network server.
But this is a hassle. Sometimes we don’t want to do this, we just want to simply publish an Intranet service through the network of public network servers.
NAPT allows Intranet hosts to access public network hosts without public IP addresses. So we can do this: Assume the public IP is 23.23.23.23 and the internal IP is 192.168.1.2. The host on the public network first listens on port 80, which is used to provide AN EXTERNAL HTTP service. 80 is the default port of the WEB server. At the same time, any other port (let’s assume the port is 7777) is listened on for the Intranet server to connect to open a tunnel. Then the Intranet initiates a request to 7777 of the public network host. In this way, a connection channel is successfully established between the Intranet and the public network host. And then when you have any client actively internet-facing networks of port 80, public receives the connection request right after the connection request by previously established good tunnel forwarded to a network host, a network host receives the packet from the tunnel after the active connection network hosts its own port 80, after the connection is successful the packet forwarding packets intact to port 80, After processing the data packet, the HTTP server program generates a response packet and forwards it back through the original route. The response packet finally reaches port 80 of the public network and is returned to the client that originally requested port 80 of the public network server.
Does it look a little convoluted? In fact, the well-known Intranet penetration tools such as Peanut Shell Intranet Edition and NAT123 work in this way, but not entirely. As a transport layer port can only provide a service at the same time, but we will find the peanut shell the Intranet through the service is through a public IP to many users provides service at the same time, this is because the peanut shells on traffic forwarding this layer is not like I said before to forward the packet to the intact, but the content of the agreement before forwarding to add some control, This parameter specifies the Intranet host where the peanut shell client resides. The former form of unmodified forwarding is often called transparent transmission or transparent proxy.
Firewall penetration
For security purposes, firewalls are usually added to the network, with inbound and outbound rules. If the security control is not very strict, the outbound rules are not set, but the inbound rules are usually set. For example, the external user can access WEB pages through the WEB server on the Intranet through port 80, but cannot log in to the remote desktop on the Intranet through port 3389.
When encountering this situation in the process of Intranet penetration, we can also use the traditional way of the above Intranet to achieve the inbound rules of penetrating the firewall. Because the firewall usually only intercepts the inbound, not the outbound, so we can let the Intranet server actively outbound (actively connect to the hacker’s server), through the tunnel with the hacker’s own server, and finally bypass the firewall to connect to the 3389 remote desktop.
Another situation is that we have won the network one of them did not do any firewall rules of white list server, but we want to catch another even do the inbound rules of the target server, so we can make the white list server as a springboard, let him listen to any port itself, and then after any user on this port, The whitelist server connects to the target server on the Intranet and uses the whitelist server to break through the connection tunnel between the hacker and the target server.
Such is the principle of the well-known hacking tools LCX, which is implemented by LCX’s LISTEN and slave commands, and the latter by LCX’s TRAN commands.
Code implementation
Now that you know how it works, how do you do it?
I chose to use the Go language programming to implement such an Intranet penetration tool.
Golang itself provides a large number of network libraries, and the built-in Goroutine makes it easy to handle asynchronous IO in network programming. Most importantly, Golang’s programs are cross-platform, meaning that we can write a piece of code and use it on any operating system.
https://github.com/cw1997/NATBypass
The initial runtime outputs the welcome message and syntax prompt as the case may be. (Note that printWelcome is called at the end of the time.sleep function and blocks for one second. This is because the output of the FMT package is non-thread-safe, and the output of the log package is thread-safe. So take a break for a second to prevent the log being typed later in the execution flow from being interspersed with the prompts.)
First, determine the current forwarding policy by judging the incoming parameters
Then check whether the parameters passed in are correct and verify the validity of the IP address and port range through regular expressions
Through the port2port function, the two ports simultaneously listen to bidirectional and forward data.
Springboard relay is implemented in the port2host operation.
The function of actively connecting through the tunnel is implemented in Host2Host.
Looking at the code, you can see that the NET package that does the socket operation in Golang is much simpler than the socket.h operation in C.
The core of the forward function is the forward function.
Output a log indicating which two connections are being forwarded in both ways, and then implement a conditional blocking function using WaitGroup under the sync package to prevent the main thread from exiting before the Goroutine is finished.
Then two Goroutines are fired, which process copies of IO packets from connection 1 to connection 2 and from connection 2 to connection 1. To ensure that the communication between the two ports is full-duplex, that is, both sides need to be able to exchange data with each other at the same time, so the Goroutine is used to realize the concurrency of the two operations.
The core code for copying IO packets is in the connCopy function, which determines whether to use IO.MultiWriter based on whether to log traffic.
If the log file stream is successfully opened, a multiwrite stream is generated using the IO.MultiWriter function, whose variable name is w. Any data written to the stream w is also written to the parameters of the function IO. In this case, the parameters are conn1 and logFile, that is, port 1 and logFile flow.
It then calls IO.Copy to continuously Copy the data from the read stream of the second parameter to the write stream of the first parameter.
Note here that the io.copy function blocks synchronously, meaning that the flow of program execution will remain stuck in this function as long as the connection is not broken. If the Copy fails, the IO.Copy function returns, executing the following code. A copy error means that the connection may be disconnected, so the connection that writes to the stream is disconnected first.
It is important to note here why the write stream is disconnected rather than the read and write stream being disconnected entirely. Since we have launched two Goroutines, if we disconnect them blindly, the data in the other Goroutine may be lost. Specific can be analyzed according to the TCP four wave.
Actual execution
If there is no Golang environmental friend can directly download the compiled executable file, download address: https://github.com/cw1997/NATBypass/releases
Let’s take a look at the code in action after it is compiled. The image on the left shows the virtual machine running on the Intranet server. It has been set up with inbound rules and cannot be connected to the remote desktop through a direct connection to 192.168.2.112:3389.
At this point the figure on the right starts listening to ports 7777 and 9999 with the LISTEN command.
The Intranet server then uses the slave command to start a two-way connection between the hacker’s host (192.168.2.101:7777) and the local 127.0.0.1:3389.
Then the hacker’s host connects to another local listening port 127.0.0.1:9999 to connect to the remote desktop of the Intranet server.
To understand this process, look at the results of netstat -an and the console log output.
Write in the last
This tool is still a simple transparent transmission, and there are many problems. Such as local active connection network service is connection beforehand good from the start, it will lead to some service if there is no data transfer on even after long term, will take the initiative to break the connection, cause the public side occasionally appear unable to connect, disconnect again after reconnection to even small BUG, the concrete in the HTTP server want to refresh the page a few times more, Remote desktops may have to be connected, then unconnected, and then connected again. And there are some details that are not done well on concurrent connections. And currently only support TCP connection forwarding and so on, of course, to achieve UDP forwarding is not very difficult to slightly improve. You can also click a Star and pull request to improve these problems. At present, relevant open source projects have done more mature, such as Golang wrote ngork, you can also refer to reference.
This article by @changwei original, in zhihu column – the beauty of the code zhuanlan.zhihu.com/codes first, reprint please indicate the source. If you like and support my article, you can click my profile picture and column name to follow, or click the “tip” button below to support, thank you!