Source: hacking base
Glossary:
Protocol
A protocol is a set of rules and conventions for sending information over a network. These rules govern the content, format, timing, ordering, and error handling of exchanges between network devices; informally, a protocol is the common language that different network programs speak. QQ uses the UDP protocol, ICQ uses TCP, e-mail programs use POP3 and SMTP, and SOCKS, among the common protocols, is a relatively complex one.
Port
A port can be thought of as an exit through which a computer communicates with the outside world. In hardware, ports are also called interfaces, such as USB ports and serial ports; in software, a port generally means a communication-protocol port through which a service on the network accepts connections. It is an abstract software structure consisting of some data structures and I/O (input/output) buffers. A port number is somewhat like a file descriptor: it is a system resource, but its allocation follows a fixed pattern. There are two basic allocation schemes. The first is global allocation, a centralized scheme in which an authority assigns port numbers according to users' needs and publishes them, with different assignments for different protocols; this is why many services are fixed to a given port of a given protocol, for example TCP port 21 is taken by the FTP service. The second is local allocation, also called dynamic binding: when a process needs access to transport-layer services, it asks the local operating system, the operating system returns a locally unique port number, and the process then binds itself to that port through the appropriate system call.
Ports can be divided into three categories:
1. Well-known ports: 0 to 1023. They are tightly bound to particular services, and traffic on these ports usually clearly indicates the protocol of a given service; for example, traffic on port 80 is in fact HTTP.
2. Registered ports: 1024 to 49151. They are loosely bound to services, meaning that many services are bound to these ports but the ports are also used for many other purposes; for example, many systems hand out dynamic ports starting from 1024.
3. Dynamic and/or private ports: 49152 to 65535. In theory these ports should not be assigned to services. In practice, machines usually allocate dynamic ports starting from 1024, although there are exceptions: Sun's RPC ports start at 32768.
Proxy server
A proxy server (Proxy) is a relay station for network information; here we mean an HTTP proxy server. When we use a web browser to connect directly to another Internet site and fetch information, a request is sent, the other side answers, and the information is sent back. A proxy server sits between the browser and the web server. With a proxy in place, the browser no longer fetches the page from the web server directly; instead it sends the request to the proxy server, which fetches the information the browser needs and passes it back. Most proxy servers also have a cache function: the proxy keeps a large cache that is constantly being filled in its local storage, and if the data the browser requests already exists in that storage and is up to date, the proxy does not fetch it again from the web server but sends the stored copy straight to the user's browser, which can noticeably improve browsing speed and efficiency. Besides this there are SOCKS proxy servers, whose principle is similar.
Firewall
A firewall is a system (or set of systems) that strengthens the security of an internal network. The firewall decides which internal services may be accessed from outside, who may access particular internal services, and which external resources internal users may access. For a firewall to be effective, all inbound and outbound traffic must pass through it and be subject to its checks. The firewall must let through only authorized data, and it must itself resist penetration. Unfortunately, once a firewall is broken or bypassed by an attacker, it provides no protection at all. Firewalls are implemented as "packet-filtering routers" and "application-layer gateways". A packet-filtering router filters by protocol (ICMP, UDP, TCP, and so on), allowing only specific protocols through; an application-layer gateway is what we usually call a proxy server, and it can enforce stricter security policies than a router. Most of the restrictions we normally impose are implemented at the application layer.
First trick: SOCKS proxy
Generally, to stop employees from slacking off, the boss often blocks common entertainment tools, for example UDP port 4000 used by QQ, but often does not block SOCKS port 1080. So if the program you want to use supports a SOCKS proxy itself, just configure the proxy and you are done.
SOCKS is a circuit-level gateway, developed in 1990, and has since become an open Internet standard (RFC). SOCKS runs at the TCP layer of the protocol stack, and its usual port is 1080. Unlike Winsock, SOCKS does not require applications to follow a specific operating-system platform, whereas Winsock follows Windows. A SOCKS proxy differs from an application-layer proxy such as an HTTP proxy: it simply forwards packets without caring which application protocol (FTP, HTTP, NNTP requests, and so on) is carried, so a SOCKS proxy server is much faster than an application-layer proxy server, and it is precisely this property that lets us reach the Internet through it. Two versions are in common use, SOCKS4 and SOCKS5: a SOCKS4 proxy supports only TCP, while a SOCKS5 proxy supports both TCP and UDP as well as various authentication mechanisms, server-side domain-name resolution, and so on. Simply put, whatever SOCKS4 can do, SOCKS5 can do, but not the reverse. For instance, QQ can only use a SOCKS5 proxy, while FTP can use either SOCKS4 or SOCKS5, because QQ transfers its data over UDP and FTP transfers its data over TCP.
The SOCKS protocol is an almost universal proxy protocol. Although it does not understand the internal structure of the data it forwards, it faithfully forwards the packets and completes whatever the carried protocol needs to complete. It differs from the familiar HTTP proxy in that an HTTP proxy works through the HTTP protocol: the HTTP proxy software understands the internal structure of the messages and also modifies and converts them while forwarding. Let's see how I use a SOCKS proxy to get through a firewall.
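As an added example (not part of the original article, and not code from any of the tools it names), the following Python classifier parses the first bytes a client sends on a TCP connection and reports whether they form a SOCKS4/4a or SOCKS5 message, which command is requested, and the destination. This is the kind of check a network sensor can run on port 1080 or on any flow to spot proxy traffic; it also distinguishes the SOCKS5 UDP ASSOCIATE command, which is what lets UDP programs such as QQ use SOCKS5 but not SOCKS4. The sample payloads, addresses and user id are constructed here.

```python
import socket
import struct
from typing import Optional

# Constructed sample first-bytes of client connections (not captures from the article):
SOCKS4_CONNECT = (b"\x04\x01" + struct.pack("!H", 21)              # SOCKS4 CONNECT, dest port 21
                  + socket.inet_aton("10.0.0.5") + b"bob\x00")      # dest IP 10.0.0.5, user "bob"
SOCKS4A_CONNECT = (b"\x04\x01" + struct.pack("!H", 23)             # SOCKS4a: dest IP 0.0.0.1 asks the
                   + socket.inet_aton("0.0.0.1") + b"\x00bbs.example.test\x00")  # proxy to resolve the name
SOCKS5_GREETING = b"\x05\x02\x00\x02"                                # offers no-auth and username/password
SOCKS5_UDP_ASSOC = (b"\x05\x03\x00\x01" + socket.inet_aton("0.0.0.0")
                    + struct.pack("!H", 4000))                      # UDP ASSOCIATE, client UDP port 4000
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"      # plain HTTP, must not match

SOCKS4_CMDS = {1: "CONNECT", 2: "BIND"}
SOCKS5_CMDS = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}


def classify_socks(payload: bytes) -> Optional[dict]:
    """Describe the SOCKS message that opens `payload`, or return None.

    Only the client's first bytes are inspected, which is where a sensor
    can cheaply flag proxy traffic; truncated or malformed input gives None.
    """
    if len(payload) < 2:
        return None
    ver = payload[0]
    if ver == 4 and len(payload) >= 9 and payload[1] in SOCKS4_CMDS:
        port = struct.unpack("!H", payload[2:4])[0]
        host = socket.inet_ntoa(payload[4:8])
        nul = payload.find(b"\x00", 8)                   # user id is NUL-terminated
        if nul < 0:
            return None
        user = payload[8:nul].decode("latin-1")
        if host.startswith("0.0.0.") and host != "0.0.0.0":   # SOCKS4a: hostname follows user id
            end = payload.find(b"\x00", nul + 1)
            host = payload[nul + 1:end].decode("latin-1") if end > nul else host
        return {"version": 4, "command": SOCKS4_CMDS[payload[1]], "dest": f"{host}:{port}", "user": user}
    if ver == 5:
        if len(payload) == 2 + payload[1]:               # greeting: VER NMETHODS METHODS...
            return {"version": 5, "command": "GREETING", "methods": list(payload[2:])}
        if len(payload) < 4 or payload[2] != 0 or payload[1] not in SOCKS5_CMDS:
            return None                                  # request needs VER CMD RSV=0 ATYP ...
        atyp = payload[3]
        if atyp == 1 and len(payload) >= 10:             # IPv4 address
            host, tail = socket.inet_ntoa(payload[4:8]), payload[8:10]
        elif atyp == 3 and len(payload) > 4 and len(payload) >= 7 + payload[4]:  # domain name
            n = payload[4]
            host, tail = payload[5:5 + n].decode("latin-1"), payload[5 + n:7 + n]
        elif atyp == 4 and len(payload) >= 22:           # IPv6 address
            host, tail = socket.inet_ntop(socket.AF_INET6, payload[4:20]), payload[20:22]
        else:
            return None
        port = struct.unpack("!H", tail)[0]
        return {"version": 5, "command": SOCKS5_CMDS[payload[1]], "dest": f"{host}:{port}"}
    return None
```

A sensor would apply this to the first client segment of each flow and alert on any non-None result on ports where no proxy is expected.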
Let's first look at how to use a SOCKS proxy in QQ. Click the QQ taskbar icon, select System Parameters, then Network Settings, choose "Use SOCKS5 proxy server", and fill in the address and port of the SOCKS proxy you have; you can also test whether this SOCKS5 proxy is available. After confirming, your QQ goes online through 61.136.132.138:1080: all your packets are now sent to this proxy server and forwarded from there, which bypasses the block on UDP port 4000 and gets you out of the firewall's cage. We can also use another QQ that can display IPs to see which IP your QQ now shows: it is 61.136.132.138. This is an extra side effect: it hides your real IP, so a stranger chatting with you when you are not in invisible mode sees the IP of the SOCKS proxy server rather than yours. Now let's see how to get through a firewall with the FTP tool AbsoluteFTP to download things from the Internet. AbsoluteFTP is a powerful FTP download tool that supports SOCKS4 and SOCKS5 proxies and has a fully Chinese interface; if your LAN blocks port 21, you can use this software plus a SOCKS proxy to bypass the firewall for FTP downloads. FTP can use either a SOCKS4 or a SOCKS5 proxy; it does not have to be SOCKS5.
In AbsoluteFTP's Options, select Firewall under the global configuration; there you can choose SOCKS4 or SOCKS5. If authentication is required, fill in the SOCKS proxy server address, port, and the username and password for authentication, and you can then use FTP through the firewall.
Second trick: SOCKS2HTTP together with SOCKSCAP32
In the first trick, if the network administrator has opened only port 80 and closed the usual SOCKS port, or the software you want does not itself support a SOCKS proxy (Foxmail, for example), or you cannot find a working SOCKS proxy (far fewer working SOCKS proxies than HTTP proxies are available online), then the first trick fails. What then? See the second trick: SOCKS2HTTP together with SOCKSCAP32. The result is that as long as you have a working HTTP proxy, you can use all kinds of software to bypass the firewall directly, whether or not it supports a SOCKS proxy. We split this into two cases.
1. The firewall blocks the SOCKS port, but the software you want to use supports a SOCKS proxy
In this case, SOCKS2HTTP does the job. SOCKS2HTTP (http://www.totalrc.net/) is a proxy ... We use the "netstat -a -n" command to look at the open ports (see Figure 7) and find that the machine now has port 1080 open in addition to the others; this port is the listening port of the simulated SOCKS proxy server that SOCKS2HTTP runs on this machine, so you now have a local SOCKS5 proxy server.
Next we look at how to set the proxy server in QQ, a program that supports the SOCKS interface. Add a SOCKS5 server with address 127.0.0.1 and port 1080, and test it; it answers quickly.
2. The firewall blocks the SOCKS port and the software you want does not support a SOCKS proxy
This is slightly more troublesome and needs another program, SOCKSCAP32, to get through the firewall. SocksCap32 was developed by NEC (http://www.socks.nec.com) ... As long as you have an HTTP proxy, you have a SOCKS proxy, because SOCKS2HTTP turns an HTTP proxy into a simulated SOCKS proxy. Combined with the SOCKS2HTTP just mentioned, you can get through the firewall with software that has no SOCKS interface of its own. Let's explain the process. There is now a Chinese version of SocksCap (http://www.ttdown.com/softview.asp?...) ... SocksCap console.
To make this easier to follow, I divide the process into a few steps:
Step 1: First configure SOCKS2HTTP as in the first part: fill in a working HTTP proxy and start it. You then have a local SOCKS proxy server at 127.0.0.1, port 1080, and you can use this SOCKS proxy to configure SocksCap.
Step 2: Run SOCKSCAP. On the first run the program automatically prompts you to enter the setup interface; on later runs you can open it through File → Settings in SOCKSCAP.
Step 3: In SocksCap's setup interface, fill in the local SOCKS proxy 127.0.0.1 simulated by SOCKS2HTTP, with port 1080, select "SOCKS version 5" and "Resolve all names remotely". The remaining parts, for example the direct-connection settings, are for some internal addresses that do not need the SOCKS proxy; the log section sets whether a log is written, and the log can help diagnose connection failures. We can simply use the default settings.
Step 4: Create an "application item". An application item is a new shortcut inside SocksCap that points to the tool you want; starting the tool from SocksCap is equivalent to "giving" it SOCKS interface capability. There are two ways to create this shortcut:
1. Drag the CTERM shortcut onto the SOCKSCAP window with the mouse and release it; a menu pops up, select "Application Item", and the system automatically creates the item (see Figure 11); click OK.
2. Alternatively, click "New", fill in the fields in the dialog that pops up, and click OK.
Step 5: Run the program. Double-click the new CTERM shortcut in the SocksCap console and use it directly. For example, I want to connect to bbs.mit.edu (Figure 12). Before, I could not reach foreign sites from the education network, and the network administrator had blocked Telnet port 23, so I could not connect to this BBS. Now, with SOCKS2HTTP and SocksCap, I can not only go abroad but also use the Telnet service to connect to MIT's BBS, getting through the firewall! Other tools, such as FTP and Outlook, can be used the same way. It is especially worth mentioning that I can use Outlook to collect Hotmail mail. Without this approach, those of us on the education network (with no international access) could only use an HTTP proxy on Hotmail's website and read mail through the web interface. Now this is solved: it is as if Outlook were fitted with a SOCKS interface, and mail goes straight into Outlook.
Third trick: HTTPTunnel
The two tricks above may be enough, but their premise is that you have an HTTP proxy: every packet sent from here is wrapped, takes a detour through the proxy, and only then reaches its destination. This brings two problems:
First: speed. Sending data from A to C now takes more than one hop. Without a firewall, data goes directly from A to C; to bypass the firewall, data must first be wrapped at A so it can get past the firewall, sent to proxy B, unwrapped at B and forwarded to C, and data from C goes through the same process in reverse. Even ignoring the time spent wrapping and unwrapping the data, the detour alone costs time, so the speed suffers and is generally not as fast as a direct connection.
Second: stability. Relying heavily on proxies causes stability problems: proxies found on the Internet are certainly not very stable, and packet loss and service interruptions are common. In fact, we do not have to relay through a proxy at all. Say your friend runs an FTP server in his dormitory with a great movie on it that you want to watch, but your LAN administrator has blocked FTP port 21, so you cannot download it. What to do? Use httptunnel. "Tunnel" means an underground passage, and HTTPTunnel is often called an HTTP tunnel. Its principle is to carry data through the firewall in the form of HTTP, creating a bidirectional virtual data connection inside HTTP requests to get past the firewall. Put simply, a conversion program is set up on each side of the firewall, and the packets that would normally be sent or received are disguised in the format of HTTP requests to fool the firewall, so no extra proxy server is needed and the firewall is passed directly. HTTPTunnel at first had only a UNIX version; now someone has ported it to Windows. It consists of two programs, htc and hts, where htc is the client and hts is the server. Let's see how to use them. Suppose the FTP machine's IP is 192.168.1.231 and my machine's IP is 192.168.1.226, and I currently cannot connect to the FTP server because of the firewall. Using HTTPTunnel goes as follows:
Step 1: Start the HTTPTunnel client on my machine (192.168.1.226). Open an MS-DOS command prompt and run the command, where htc is the client program and the -F parameter forwards all data from 192.168.1.231:80 to port 8888 on this machine; the port can be chosen freely as long as it is not already in use locally.
Then we check the open ports with netstat and find that port 8888 is listening.
Step 2: Start the HTTPTunnel server on the other machine with the command "hts -F localhost:21 80". This means that all data for port 21 of that machine is relayed through port 80, which is opened as the listening port. Checking his machine with netstat shows that port 80 is now listening.
Step 3: On my machine, use FTP to connect to port 8888 of my own machine. Now I am connected to his machine and can see the movie; hurry up and download it!
But why does it show 127.0.0.1 instead of 192.168.1.231? Because I am connecting to port 8888 on my own machine, the firewall certainly does not react: no packets have left for the outside yet, so the LAN firewall knows nothing about it. After port 8888 on this machine, the FTP packets, whether control or data, are wrapped into HTTP packets by htc, and to the firewall they look like normal data, which amounts to deceiving the firewall. Note that this trick requires cooperation from the other machine: an hts must be started there to redirect its service (FTP, for example) to a port the firewall allows, such as 80, before the firewall can be bypassed. Someone will surely ask: if the other side already runs a WWW service, meaning its port 80 is already listening, won't that conflict? The advantage of httptunnel is that even if his machine already listens on port 80 there is no problem: normal web access still takes its old route, and the redirected tunnel service also passes unhindered. Moreover, someone has tested this method against the famous Snort intrusion detection system, which did not detect it, so its concealment is strong.
One last reminder: all these tricks actually rely on weaknesses in firewall configuration and system security management. If you run into a relentless network administrator who sits at the gateway every day checking whether such holes have been plugged, or an even stronger one who captures traffic with tcpdump and analyzes it packet by packet, then there is nothing you can do.
Hacking in its true sense is not this; it is challenging yourself, challenging difficulty, perseverance, persistence, wisdom ...