A Tale of Three Tunnels


This is related to an earlier question of mine that became too long and confusing because I kept updating and editing it, and I was told to ask it again. So I am cleaning it up and asking a more direct question.

First, this is a theoretical exercise that I have to do in order to understand how forward and reverse ssh tunnels work, in particular to be able to keep complete control over where I am on the network at all times and to hide my tracks throughout. My instructor gave me this assignment, but he believes I can work it out myself without his help.

I need to figure out how to force RDP (Remote Desktop) to respond on a specific port rather than an RHP (random high port). I am not asking how to change the port RDP "listens" on; it is the opposite.

I am trying to set up an experimental forward/reverse SSH tunnel between two systems. I am using a third system as a pivot point to hide the IP on the forward tunnel. But I want the system I reach remotely through the forward SSH tunnel to send its responses through a separate reverse SSH tunnel to a "designated" port rather than an RHP. The basic idea is that I want to control which ports I listen and receive on, and I don't want anything to be random.

Here are my three machines. Devilsmilk is the pivot point, the client is open on kgraves, and I am remoting into duclaw.

  • KGRAVES - 10.0.10.113
  • DEVILSMILK - 10.0.10.121
  • DUCLAW - 10.0.10.120

So I want to set up two pipes for my RDP session, one for forward and one for reverse. But I don't want it sent back through an RHP. I don't know how to tell it to send it to a specific port, for example :44444

Does anyone know how to do this?

I need to do this a specific way. These are the port usages I need. I have already set Duclaw to listen for RDP on port 1337 instead of 3389. I know this is by no means the easiest way to accomplish anything.

I need the remote desktop connection to "appear" as if it is coming from devilsmilk, which according to wireshark it already does. But I want duclaw to send the response directly back to kgraves without going through devilsmilk. So the RDP session from kgraves is sent via ssh to devilsmilk, then forwarded through the localhost tunnel to duclaw, but the RDP packets received in response to that connection are received directly from Duclaw. Currently the response comes back through an RHP via devilsmilk.

My commands are below. All commands were executed from the exact same CYGWIN ssh console on kgraves, except for the mstsc connection, which I executed from a different CYGWIN terminal on kgraves. I added line breaks to separate them:

CNO\kgraves@KGRAVES ~
$ ssh -vg -L 3333:localhost:6666 misfitred@devilsmilk
OpenSSH_6.1p1, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to devilsmilk [10.0.10.121] port 22.
debug1: Connection established.
debug1: identity file /home/kgraves/.ssh/id_rsa type 1
debug1: identity file /home/kgraves/.ssh/id_rsa-cert type -1
debug1: identity file /home/kgraves/.ssh/id_dsa type -1
debug1: identity file /home/kgraves/.ssh/id_dsa-cert type -1
debug1: identity file /home/kgraves/.ssh/id_ecdsa type -1
debug1: identity file /home/kgraves/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1
key_read: uudecode devilsmilk ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwVZRlnAgPRPxTx           cbTPALg5XPpOnAMhJabQ3Dv/7a95eqe5l7XnKRciYQZ41B61DRgXCzC/M9ObknMR79zG0mkSl+jQTGJ7           klol7nw0+U1dNFknv4fOn+YGAsqECclWEow3OK5xRcla5eBekRGWjrZ7Wbs4F3FeKGQNqU/OuGvdSaQb           3nqgLPGTZfRhNtykQvpNzXw5cjO7XvM0BBv9di4JblLx9Fk3iq2KwdgWmK9uFDPYjU1gkHR8hk+bns1t           16KFcyDKnzhR1CblU6JT/wlBtnFa11no1UJBEHC2UQy8trwkMU6NqUt0X+D/XqW5F6+uWNc/dY97CCky           9HdfWNGQ==
 failed
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA b5:d6:eb:64:50:2f:40:04:32:10:bb:4f:a8:d3:f5:37
key_read: uudecode devilsmilk ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwVZRlnAgPRPxTx           cbTPALg5XPpOnAMhJabQ3Dv/7a95eqe5l7XnKRciYQZ41B61DRgXCzC/M9ObknMR79zG0mkSl+jQTGJ7           klol7nw0+U1dNFknv4fOn+YGAsqECclWEow3OK5xRcla5eBekRGWjrZ7Wbs4F3FeKGQNqU/OuGvdSaQb           3nqgLPGTZfRhNtykQvpNzXw5cjO7XvM0BBv9di4JblLx9Fk3iq2KwdgWmK9uFDPYjU1gkHR8hk+bns1t           16KFcyDKnzhR1CblU6JT/wlBtnFa11no1UJBEHC2UQy8trwkMU6NqUt0X+D/XqW5F6+uWNc/dY97CCky           9HdfWNGQ==
 failed
The authenticity of host 'devilsmilk (10.0.10.121)' can't be established.
RSA key fingerprint is b5:d6:eb:64:50:2f:40:04:32:10:bb:4f:a8:d3:f5:37.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'devilsmilk' (RSA) to the list of known hosts.
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/kgraves/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /home/kgraves/.ssh/id_dsa
debug1: Trying private key: /home/kgraves/.ssh/id_ecdsa
debug1: Next authentication method: keyboard-interactive
Password:
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to devilsmilk ([10.0.10.121]:22).
debug1: Local connections to *:3333 forwarded to remote address localhost:6666
debug1: Local forwarding listening on :: port 3333.
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on 0.0.0.0 port 3333.
debug1: channel 1: new [port listener]
debug1: channel 2: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
Last login: Wed Jan 30 16:13:02 2013 from kgraves.cno.local
[misfitred@devilsmilk ~]$ ssh -vg -L 6666:localhost:1337 kgraves@duclaw
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to duclaw [10.0.10.120] port 22.
debug1: Connection established.
debug1: identity file /home/misfitred/.ssh/id_rsa type 1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.1
debug1: match: OpenSSH_6.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'duclaw' is known and matches the RSA host key.
debug1: Found key in /home/misfitred/.ssh/known_hosts:3
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /home/misfitred/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
kgraves@duclaw's password:
debug1: Authentication succeeded (password).
debug1: Local connections to *:6666 forwarded to remote address localhost:1337
debug1: Local forwarding listening on 0.0.0.0 port 6666.
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on :: port 6666.
debug1: channel 1: new [port listener]
debug1: channel 2: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Last login: Wed Jan 30 15:55:29 2013 from devilsmilk.cno.local
"tty" option detected in CYGWIN environment variable.
CYGWIN=tty is no longer supported.  Please remove it from your
CYGWIN environment variable and use a terminal emulator like mintty,
xterm, or rxvt.

kgraves@DUCLAW ~
$ ssh -vg -R 3333:devilsmilk:6666 kgraves@kgraves
OpenSSH_6.1p1, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to kgraves [10.0.10.113] port 22.
debug1: Connection established.
debug1: identity file /home/kgraves/.ssh/id_rsa type 1
debug1: identity file /home/kgraves/.ssh/id_rsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.1
debug1: match: OpenSSH_6.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA de:1c:37:d7:84:0b:f8:f9:5e:da:11:49:57:4f:b8:f1
debug1: Host 'kgraves' is known and matches the ECDSA host key.
debug1: Found key in /home/kgraves/.ssh/known_hosts:3
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/kgraves/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
kgraves@kgraves's password:
debug1: Authentication succeeded (password).
Authenticated to kgraves ([10.0.10.113]:22).
debug1: Remote connections from LOCALHOST:3333 forwarded to local address devilsmilk:6666
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: remote forward failure for: listen 3333, connect devilsmilk:6666
Warning: remote port forwarding failed for listen port 3333
debug1: All remote forwarding requests processed
Last login: Wed Jan 30 16:21:12 2013 from duclaw.cno.local
"tty" option detected in CYGWIN environment variable.
CYGWIN=tty is no longer supported.  Please remove it from your
CYGWIN environment variable and use a terminal emulator like mintty,
xterm, or rxvt.
_____________________________________________________________________________
##From separate CYGWIN Terminal##
CNO\kgraves@KGRAVES ~
$ mstsc /v:localhost:3333 /f

CNO\kgraves@KGRAVES ~
$
_____________________________________________________________________________

kgraves@KGRAVES ~
$ debug1: Connection to port 3333 forwarding to localhost port 6666 requested.
debug1: channel 4: new [direct-tcpip]
debug1: Connection to port 6666 forwarding to localhost port 1337 requested.
debug1: channel 4: new [direct-tcpip]
debug1: channel 4: free: direct-tcpip: listening port 3333 for localhost port 6666, connect from ::1 port 49496, nchannels 5
debug1: channel 4: free: direct-tcpip: listening port 6666 for localhost port 1337, connect from 127.0.0.1 port 48808, nchannels 5
debug1: Connection to port 3333 forwarding to localhost port 6666 requested.
debug1: channel 4: new [direct-tcpip]
debug1: Connection to port 6666 forwarding to localhost port 1337 requested.
debug1: channel 4: new [direct-tcpip]
$ debug1: channel 3: free: direct-tcpip: listening port 3333 for localhost port 6666, connect from ::1 port 49495, nchannels 5
debug1: channel 3: free: direct-tcpip: listening port 6666 for localhost port 1337, connect from 127.0.0.1 port 48807, nchannels 5
$

The remote desktop connection to localhost:3333 was established successfully. As you can see, to duclaw it looks like it is coming from devilsmilk, but it is actually coming from kgraves via Devilsmilk.

Here is a snapshot of wireshark running on duclaw during the RDP session:

[screenshot: wireshark capture on duclaw]

Here is a snapshot of wireshark running on kgraves during the RDP session:

[screenshot: wireshark capture on kgraves]

So my question remains: I want Duclaw to send the RDP session back to Kgraves-pc through a completely separate reverse tunnel. That is what I need to happen, but I don't know how to do it.

Not only do I need duclaw to send it straight back to kgraves through a separate tunnel without going through devilsmilk, I also need to control which ephemeral port it sends it to. I want it to send to port :44444 instead of a random ephemeral port. In the detailed debug printout above, ssh is randomly using :48809.

Early on, user John Siu pointed out to me that this is impossible because of the nature of TCP communication: kgraves expects the connection to come from localhost, since that is where it was established. So there must be a way for duclaw to send the session to kgraves but forward it so that it looks like it is coming from localhost.

But my trainer tells me that because of the nature of the RFC for 127.0.0.1 (localhost), the TCP three-way handshake never leaves layer 4 of the OSI model, and that it has some built-in "feature" that can exclude the syn, syn-ack, ack requirement when connecting to 127.0.0.1. So TCP does not quite follow the same rules when connecting to localhost. He said that if you could write a "wireshark"-type program that sniffs layer 4 and watch the connection being established, you would see what he is talking about.

So far I have received the following possible answers, thanks to user John Siu.

1.) The only way I can think of to accomplish what you are asking is to write a custom rdp proxy and run it on kgraves-pc and duclaw.

2.) I have also been told that there may be some kind of virus that basically emulates the rdp proxy John Siu is talking about. In my virtual lab I can use any malware/virus to exploit these systems. So anything is possible.

Any further help would be greatly appreciated! Thanks to everyone for contributing!

Hope this makes sense; if not... sorry for confusing you!

EDIT #1: I was able to reproduce what I saw originally, which led me to believe that this reverse tunnel was happening in the first place. You can see from the wireshark traffic (the top traffic is from Duclaw, the bottom is from kgraves) that what John explains below is exactly what is happening. Now that this mystery is solved, I still need to figure out how to get RDP to call back to a specific port instead of a random one.

[screenshot: wireshark captures, Duclaw on top, kgraves below]

Answer 1

To meet your requirements, the only approach I can think of is the following

[diagram: C, Custom Proxy 1, Custom Proxy 2, S with Blue/Red/Green connections]

  • C = client (client software such as rdp, telnet, etc.)
  • S = server (server software such as rdp, telnet, etc.)
  • Red and Green are separate TCP/IP connections.

Custom Proxy 1

(Blue)  Listen to a local port to wait for client software connection
(Red)   Forward incoming packet from C to Custom Proxy 2 public port
(Green) Listen to a public port, forward incoming packet from Custom Proxy 2 to C (via Blue)

Custom Proxy 2

(Red)   Listen to public port for incoming packet from Custom Proxy 1
(Blue)  Establish connection with S, forward incoming packet from Custom Proxy 1 to S
(Green) Forward incoming packet from S to Custom Proxy 1 public port

PS: Focus on Telnet and RDP, which use only one tcp connection. FTP is much harder because it uses an additional tcp connection on a random port to transfer data (files).
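As an added illustration of the two-proxy design above (my own code, not John Siu's and not from the original post), here is a minimal Python model of Custom Proxy 1 and Custom Proxy 2 run entirely on loopback, with a constructed echo server standing in for S. The function names, the `seen` dictionary and `run_demo` are my own; the point it shows is that C receives the reply on its original Blue socket, while on the wire the reply arrives over the separate Green connection from a source port Proxy 2 binds itself (`reply_src_port`; pass 44444 to match the OP's wish, 0 lets the OS choose), not over the ephemeral port TCP assigned to the original connection.

```python
import socket, threading
def listener():
    s = socket.socket()
    s.bind(("127.0.0.1", 0))   # loopback, OS-chosen port
    s.listen(5)
    return s

def pump(src, dst):
    """Copy src -> dst until EOF, then half-close dst so EOF propagates."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    finally:
        dst.shutdown(socket.SHUT_WR)

def start(fn, *args):
    threading.Thread(target=fn, args=args, daemon=True).start()

def custom_proxy1(blue, red_addr, green, seen):
    # Blue: accept C.  Red: relay C's bytes to Proxy 2.  Green: accept the
    # separate reply connection from Proxy 2 and write it back to C.
    c, _ = blue.accept()
    start(pump, c, socket.create_connection(red_addr))
    g, peer = green.accept()
    seen["peer_port_on_green"] = peer[1]   # the port Proxy 2 chose, not an RHP
    pump(g, c)

def custom_proxy2(red, server_addr, green_addr, reply_src_port, seen):
    # Red: accept Proxy 1.  Blue: connect to S.  Green: open the reply path to
    # Proxy 1 from a source port we pick (0 = OS choice; the OP wants 44444).
    r, _ = red.accept()
    s = socket.create_connection(server_addr)
    g = socket.create_connection(green_addr, source_address=("127.0.0.1", reply_src_port))
    seen["src_port_on_green"] = g.getsockname()[1]
    start(pump, r, s)
    pump(s, g)

def echo_server(srv):
    c, _ = srv.accept()   # constructed stand-in for the real server S
    pump(c, c)

def run_demo(payload=b"hello via three sockets", reply_src_port=0):
    # Wire C -> Proxy 1 -> Proxy 2 -> S and back; return (reply, ports seen).
    blue, red, green, srv = (listener() for _ in range(4))
    seen = {}
    start(echo_server, srv)
    start(custom_proxy2, red, srv.getsockname(), green.getsockname(), reply_src_port, seen)
    start(custom_proxy1, blue, red.getsockname(), green, seen)
    c = socket.create_connection(blue.getsockname())
    c.sendall(payload)
    c.shutdown(socket.SHUT_WR)
    reply = b"".join(iter(lambda: c.recv(4096), b""))
    return reply, seen
```

The half-close in `pump` is what lets the client's shutdown travel through all three hops and terminate the reply read; a packet capture on the Green side shows the source port Proxy 2 bound, which is the only place in this design where that port is controllable.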

Answer 2

This is to answer a "mystery" from an earlier comment

... but on Kgraves-PC I have SSH traffic from Duclaw 10.0.10.120. So how am I seeing traffic from Duclaw on Kgraves-PC? ...

A tale of three tunnels

  1. Red: kgraves-pc:3333 to devilsmilk:6666

    kgraves-pc $ ssh -vg -L 3333:localhost:6666 misfitred@devilsmilk(10.0.10.121)
    
  2. Green: devilsmilk:6666 to duclaw:1337

    devilsmilk $ ssh -vg -L 6666:localhost:1337 kgraves@duclaw(10.0.10.120)
    
  3. Blue: kgraves-pc:3333 to (duclaw) to devilsmilk:6666

    duclaw     $ ssh -vg -R 3333:devilsmilk:6666 kgraves@kgraves(10.0.10.113)
    

Map of the 3 tunnels

kgraves-pc$ $ mstsc /v:localhost:3333 /f

Red storyline

If the Red tunnel is used, the SSH(RDP) packets travel back and forth as follows

kgraves-pc <--(Red)--> devilsmilk <--(Green)--> duclaw(RDP server end point)

That is what the OP's wireshark screenshots show.

Blue storyline

If the Blue tunnel is used, the SSH(RDP) packets travel back and forth as follows

kgraves-pc <--(Blue-ssh)--> duclaw(en-route) <--(Blue-non-ssh)--> devilsmilk <--(Green)--> duclaw(RDP server end point)

In this case it looks in wireshark as if kgraves-pc and duclaw have a direct SSH-RDP connection, but they don't.
