
reGeorg in real-world attack and defense

2022-06-23 03:21:00 Xieyongzi

The following article is reposted from Jiuxianqiao Unit 6; author: Pioneer Information Station.

This is the 140th article from Jiuxianqiao Unit 6.

1620 words in total; expected reading time 6 minutes.

Preface

After getting a shell through one of the usual routes, we want to move laterally in the internal network, but the target's ACL policy is strict: only the HTTP protocol and its corresponding port are allowed through. We cannot use port forwarding or port mapping to reach other internal machines from the outside. That is when reGeorg comes to mind: the tool proxies us into the intranet by forwarding our requests over HTTP.

This tool was not originally written for intranet penetration. Some company employees wanted to reach intranet resources from an external network, so these security-minded folks wrote a web page that could be deployed on the boundary to forward traffic, just to reach an office tool on the intranet......

You can see the line quoted there: "Every office needs such tools".

Source code analysis

So how exactly is such a powerful tool implemented? Let's take a look at the source code:

Starting from the entry point, it is a standard setup: a LOGO plus argparse to declare and parse the parameters. The real logic starts with the askGeorg function, which tests whether the remote proxy server is reachable. Let's look at the details of this function:

You can see that it mainly checks whether the URL is HTTPS and picks the connection class accordingly, then sends a GET request; if the status code is 200 and the body matches the expected string, the remote server is considered OK.

The string it compares against is the sentence you see in the browser:

In Python:

In PHP:

Browser access :

Let's move on :

It listens on the client port and sets the TCP listen backlog to 1000, which is enough under normal circumstances.

Next it creates a loop that accepts connections; for each incoming connection it creates a session thread and starts it.

The session structure is relatively simple:

Let's look at the most important part, the body of the thread's run method:

There is not much to it: it determines whether the request is SOCKS4 or SOCKS5 and parses it, then creates the read and write threads and starts them.

Determining SOCKS4 or SOCKS5:

A SOCKS proxy request is at least three bytes long. For SOCKS5 the first byte must be 5; for SOCKS4 the first byte must be 4.

parseSocks5 and parseSocks4 then check whether parsing the corresponding SOCKS protocol succeeded.

Reader:

Writer:

The read/write part is just ordinary forwarding.

Real-world attack and defense

Some unusual problems may be encountered in practice.

For example, opening the URL in the browser shows the familiar "Georg says, 'All seems fine'", so the page is reachable. But the reGeorgSocksProxy client reports 'Not ready, please check url'. Why is that?

Troubleshooting requires some code debugging.

Searching for the printed message, you can see that it is askGeorg returning False that causes the program to exit.

At this point we can debug: step through the code in a debugger, line by line, to see what went wrong. When no debugging environment is available, you can also locate the problem by adding print statements.

Here we use print statements to locate the problem.

Run the code again and see what goes wrong.

You can see that the returned status code is 403, which means a WAF or some other security device may be intercepting the request. From the code we know that only a status code of 200 lets the tool work, yet we can open the URL directly in the browser. So the problem lies in the difference between the Python script's request and the browser's request, for example common request headers such as User-Agent and Accept-Language. We need to supply these one by one.

Every request must carry the request headers that the browser includes, so we extract this step into a function.

The modified code :

CONNECT in setupRemoteSession:

DISCONNECT in closeRemoteSession:

READ in reader:

FORWARD in writer:

After modifying the code, we test it in practice.

You can see that the return code has changed to 200 and the familiar 'All seems fine' is printed, which means the tool can be used normally. Happy~
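The defender's side of the same exchange, as an added example that is not code from the article or from reGeorg: the WAF above keyed on missing browser headers, which the client simply added, so this snippet flags the tunnel's own protocol markers instead, over constructed request records. The banner is the one quoted in the article; the X-CMD/X-TARGET/X-PORT header names and the command set are assumptions about the tool's design.

```python
from collections import defaultdict

# reGeorg tunnel indicators: the banner is quoted in the article; the header
# name X-CMD and the command set are assumed from the tool's design.
BANNER = "Georg says, 'All seems fine'"
CMD_HEADER = "x-cmd"  # header names are compared case-insensitively
TUNNEL_CMDS = {"CONNECT", "DISCONNECT", "READ", "FORWARD"}
BURST_THRESHOLD = 20  # POSTs to one script from one client = polling loop

def classify(rec):
    """Return the indicators matched by one request/response record."""
    hits = []
    if BANNER in rec.get("body", ""):
        hits.append("banner")
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    cmd = headers.get(CMD_HEADER, "").upper()
    if cmd in TUNNEL_CMDS:
        hits.append("cmd:" + cmd)
    return hits

def find_tunnels(records):
    """Return (client ip, path) endpoints showing an indicator, with counts."""
    stats = defaultdict(lambda: {"count": 0, "posts": 0, "indicators": set()})
    for rec in records:
        entry = stats[(rec["ip"], rec["path"])]
        entry["count"] += 1
        entry["posts"] += rec["method"] == "POST"
        entry["indicators"].update(classify(rec))
    suspects = {}
    for key, entry in stats.items():
        if entry["indicators"] and entry["posts"] >= BURST_THRESHOLD:
            entry["indicators"].add("burst")  # the READ/FORWARD polling loop
        if entry["indicators"]:
            suspects[key] = {"count": entry["count"], "indicators": entry["indicators"]}
    return suspects

def _rec(ip, method, path, headers=None, body=""):
    return {"ip": ip, "method": method, "path": path,
            "headers": headers or {}, "body": body}

# Constructed sample records, not real traffic: a status probe, a CONNECT,
# a polling burst of READ/FORWARD, and an unrelated page view.
SAMPLE = (
    [_rec("10.0.0.5", "GET", "/tunnel.php", {"User-Agent": "Mozilla/5.0"}, BANNER),
     _rec("10.0.0.5", "POST", "/tunnel.php", {"User-Agent": "Mozilla/5.0",
          "X-CMD": "CONNECT", "X-TARGET": "192.168.1.10", "X-PORT": "445"})]
    + [_rec("10.0.0.5", "POST", "/tunnel.php", {"X-CMD": c})
       for c in ("READ", "FORWARD") * 12]
    + [_rec("10.0.0.9", "GET", "/index.php", {}, "<html>welcome</html>")]
)
```

Run find_tunnels(SAMPLE) over your own parsed access logs or proxy captures; only the endpoint serving the banner and command headers is reported, the ordinary page view is not.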

Summary

Mastering debugging, print-based tracing and similar techniques is a great help in code auditing and script modification. We will encounter all kinds of problems in practice; at that point we need to be careful and patient, and have the ability to modify code to solve them. Only then can we make steady progress in this ever-evolving contest of attack and defense.


Copyright notice
This article was written by [Xieyongzi]; please include the original link when reposting. Thanks.
https://yzsam.com/2022/01/202201201543530198.html