Penetration attack and defence in the common 20 kinds of breakthrough intranet not out of the network skills

Breaking into an intranet environment is a challenging task in penetration testing, especially when the target host does not have direct access to the external network. In this case, attackers need to use a variety of techniques and tools to penetrate the intranet without going directly out of the network. In this article, we will detail 20 common techniques to break into the intranet without going out of the network for reference.

I. Tunneling and agent-based breakout techniques

(i) Port forwarding (Port Forwarding)

Port forwarding is a commonly used technique to forward traffic to or direct traffic from a destination host to an external network via an intermediate host. Common port forwarding methods include:

1. 1. Local Port Forwarding (LPF)

The attacker forwards certain services from the target host to the attacker's local port via an intermediate host, thus accessing these services as if they were local. For example, access to a database server in the target intranet is forwarded through the SSH port:

The above command forwards the MySQL service (port 3306) from the target host 192.168.1.100 to the attacker's local port 3306.

1. 2. Remote Port Forwarding (RPF)

When the target host is unable to actively access the external network, traffic can be reverse forwarded through the target host to the attacker's host. Example:

The above command forwards the target host's local HTTP service (port 80) to the attacker's host port 8080.

(ii) Proxy tunnel (Proxy) Tunnel)

Proxy tunnelling is a method of bypassing network restrictions through an existing host or service. Common proxy tunnelling tools include:

1. 3. Socks proxy

Use tools such as proxychains to forward traffic through a proxy server. Example:

Intranet host scanning using proxies via proxychains.

1. 4. HTTP proxy

Proxy tunnels are created by uploading proxy scripts to the target server. For example, reGeorg andProxifieris a commonly used proxy tunnelling tool.

(iii) DNS Tunneling (DNS) Tunneling)

DNS tunnelling uses DNS requests to embed data in DNS queries to enable external communications. Even if HTTP, HTTPS and other traffic is blocked, DNS traffic is usually not completely intercepted. Commonly used DNS tunneling tools include iodine and dnscat2.

1. 5. Using iodine to establish DNS tunnelling

Running on the attacker's hostDNS server::

Run the client on the target host:

Data transfer is achieved through DNS tunnelling.

(iv) ICMP Tunneling

ICMP tunnelling uses ICMP traffic for data transfer, bypassing firewalls. In some cases, ICMP (e.g., Ping) may still be available even if TCP/UDP traffic is blocked. Commonly used ICMP tunneling tools include Ptunnel and icmpsh.

1. 6. Establishing an ICMP tunnel using Ptunnel

Run Ptunnel on the attacker's host:

Run the client on the target host:

Data transfer is achieved through ICMP tunnelling.

II. Intranet service-based breakthrough techniques

(v) Lateral movement of the Intranet

Lateral intranet movement is used to gain access to other intranet hosts by exploiting weak passwords, unpatched vulnerabilities, or domain account privileges that exist in the intranet. Example:

1. 7. UsePsExecRemote Execution Commands

Remotely execute commands via PsExec to gain access to other intranet hosts.

1. 8. Pass-the-Hash attack

Direct authentication using a hash that has been captured, bypassing password verification. Example:

Pass-the-Hash attack via pth-winexe tool.

(vi) Use of Intranet services

Check whether the target host has intranet-specific services, such as database services, file sharing services, etc., through which you can find ways to bypass network restrictions.

1. 9. Use of intranet database services

Communicate with external hosts through intranet database services. For example, using MySQL's LOAD DATA INFILE function to write data to the file system and transfer it by other means.

1. 10. Use of SMB tunnels

Transferring data through an SMB tunnel using an intranet file sharing service. Example:

smbclient //192.168.1.100/share -U user

Access to intranet file sharing services via SMB clients.

(vii) Mail, FTP or other protocols out of the network

Some intranet environments may block regular HTTP/HTTPS access, but still allow other protocols (e.g., email, FTP) for external communications.

1. 11. Sending e-mail using the SMTP protocol

Data is sent out by sending an e-mail via the SMTP protocol. Example:

Sends data via the SMTP protocol.

1. 12. Use FTP to upload or download files

Upload or download files via FTP. Example:

Upload files via FTP.

III. Breakthrough techniques based on reverse connections

(viii) Reverse Shell and Reverse Tunneling

Reverse Shell and Reverse Tunneling are used to establish a return connection by having the target host initiate a connection to the attacker host.

1. 13. Creating a Reverse Shell with Netcat

Runs on the target host:

Listening on the attacker's host:

Connect to the attacker's host via a reverse shell.

1. 14. Creating a Reverse Shell with Metasploit

Runs on the target host:

running on the attacker's host:

Create a reverse shell via Metasploit.

(ix) Cobalt Strike's transit function

Cobalt Strike is a commonly used tool in intranet penetration, and its Socks proxy function can establish a proxy connection through the transit function when the target host does not have access to the extranet.

1. 15. Socks proxy using Cobalt Strike

Run Beacon on the target host and establish a proxy connection through the Socks proxy function. Example:

Use a proxy tool on the attacker host to connect to the target host.

(x) SMB Beacon

SMB Beacon is a special feature in Cobalt Strike that is available through the Windowsnamed pipeCommunicate with relative stealth.

1. 16. Use of SMB Beacon

After creating an SMB's Listener. you can link or disconnect sub-Beacons on the main Beacon. for example:

The connection is established via SMB Beacon.

IV. Tool- and script-based breakthrough techniques

(xi) reGeorg and Neo-reGeorg

reGeorg is a commonly used proxy tunneling tool that establishes a proxy tunnel by uploading a script to the target server's web directory. neo-reGeorg adds encryption on top of this to make the data transfer even more covert.

1. 17. Establishment of proxy tunnelling using reGeorg

Upload the reGeorg script on the target server:

Run the proxy client on the attacker's host:

Proxy tunnelling via reGeorg.

(xii) Pystinger

Pystinger implements an intranet SOCK4 proxy via WebShell, and port mapping allows targets to come online without leaving the network.

1. 18. Establishment of proxies using Pystinger

Upload stinger_server.exe to the target server and run stinger_client on the public VPS to establish a proxy connection. Example:

Proxy connections are established through Pystinger.

(xiii) Frp

Frp is an intranet penetration tool that can establish a channel through a controlled dual network card intranet server when the target host does not have access to the extranet.

1. 19. Establishing Intranet Penetration with Frp

Run the Frp client on the target host:

Run the Frp server on the attacker's host:

Establish intranet penetration via Frp.

(xiv) Other tools and scripts

In addition to the above tools, there are a number of other tools and scripts that can be used to break out of the intranet without going out of the network scenario.

1. 20. Tunneling with Chisel

Chisel is a lightweight tunneling tool that can be used for intranet penetration. Example:

Runs on the target host:

running on the attacker's host:

Tunneling through Chisel.