Limour

Currently studying clinical medicine.

[Exploration] WebSocket-based Intranet Penetration Tool

Apart from filing for record, I don't want any more domestic servers. Many internal network services need to be reachable from the external network, so intranet penetration is essential. With foreign servers, however, there is an unknown layer in between that may cause accidental damage, so blending into the vast ocean is necessary. Previously, I tried to disguise the traffic by adding a layer of QUIC, but for some reason it was always unstable. After searching, I found another intranet penetration tool with fewer features: ProxyNT.

ProxyNT is a WebSocket-based reverse proxy server written in Python that can expose local servers to the public network through NAT and firewalls. Since the tunnel runs over WebSocket, in principle the public IP can also be protected behind a layer of CDN.

Server

Commands:

mkdir -p ~/app/proxynt && cd ~/app/proxynt && nano Dockerfile && nano docker-compose.yml
docker build -t limour/proxynt .
nano config.json
sudo docker-compose up -d

Dockerfile:

# Install ProxyNT from PyPI and start the server with the mounted config file
FROM python:3.9-alpine
RUN pip install -U proxynt
ENTRYPOINT ["nt_server", "-c", "/opt/config.json"]

docker-compose.yml:

version: '3.3'
services:
  proxynt:
    restart: unless-stopped
    volumes:
      - './config.json:/opt/config.json'
      - '/etc/localtime:/etc/localtime:ro'
    image: limour/proxynt
# No ports are published on the host; the container joins the existing external network ngpm
networks:
  default:
    external: true
    name: ngpm

config.json:

{
    "port": 18888,
    "log_file": "/dev/null",
    "path": "/websocket_path",
    "password": "helloworld",
    "admin": {
        "enable": true,
        "admin_password": "new_password"
    }
}


Client

Commands:

mkdir -p ~/app/proxynt && cd ~/app/proxynt
pip install -U proxynt -i https://pypi.tuna.tsinghua.edu.cn/simple
whereis nt_client
nano config.json
nt_client -c config.json # Test
nano proxynt.service
sudo mv proxynt.service /etc/systemd/system/proxynt.service
sudo systemctl enable proxynt
sudo systemctl start proxynt
sudo systemctl status proxynt

config.json:

{
  "server": {
    "url": "wss://limour.top:443/websocket_path",
    "password": "helloworld"
  },
  "client_name": "home_pc",
  "log_file": "/home/limour/app/proxynt/nt.log"
}

proxynt.service:

[Unit]
Description=proxynt
After=network.target

[Service]
# No User= is set, so systemd runs nt_client as root
# ExecStart uses the nt_client path reported by whereis
ExecStart=/home/limour/miniconda3/bin/nt_client -c /home/limour/app/proxynt/config.json
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure

[Install]
WantedBy=multi-user.target

Then:

  • Access https://limour.top:443/websocket_path/admin
  • After seeing the client online, create a new configuration
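
A pre-deployment check for the two config.json files above, as an added example that is not part of the original post or of ProxyNT: it flags the post's sample secrets, a non-TLS client URL, and path or password mismatches between server and client. The function name audit_proxynt and the 16-character minimum are assumptions of this example.

```python
import json
from urllib.parse import urlparse

# Sample values published in the post itself; anyone who has read it knows them.
PUBLISHED_SAMPLES = {"helloworld", "new_password"}
MIN_SECRET_LEN = 16  # assumption: local policy threshold, not a ProxyNT rule


def audit_proxynt(server_cfg: dict, client_cfg: dict) -> list[str]:
    """Return findings for a ProxyNT server/client config pair (hypothetical helper)."""
    findings = []
    admin = server_cfg.get("admin", {})
    secrets_to_check = {"password": server_cfg.get("password", "")}
    if admin.get("enable"):
        # Per the post, the admin page is served under <path>/admin on the public endpoint.
        secrets_to_check["admin.admin_password"] = admin.get("admin_password", "")
    for name, value in secrets_to_check.items():
        if value in PUBLISHED_SAMPLES:
            findings.append(f"{name}: still the sample value from the post")
        elif len(value) < MIN_SECRET_LEN:
            findings.append(f"{name}: shorter than {MIN_SECRET_LEN} characters")
    if admin.get("enable") and admin.get("admin_password") == server_cfg.get("password"):
        findings.append("admin.admin_password: same as the tunnel password")

    url = urlparse(client_cfg["server"]["url"])
    if url.scheme != "wss":
        findings.append(f"server.url: scheme {url.scheme!r} is not TLS (expected wss)")
    if url.path.rstrip("/") != server_cfg.get("path", "").rstrip("/"):
        findings.append("server.url: path does not match the server's 'path'")
    if client_cfg["server"].get("password") != server_cfg.get("password"):
        findings.append("server.password: differs from the server's 'password'")
    return findings


# Constructed inputs: the two config.json files as shown in the post.
SAMPLE_SERVER = json.loads("""{"port": 18888, "log_file": "/dev/null",
  "path": "/websocket_path", "password": "helloworld",
  "admin": {"enable": true, "admin_password": "new_password"}}""")
SAMPLE_CLIENT = json.loads("""{"server": {"url": "wss://limour.top:443/websocket_path",
  "password": "helloworld"}, "client_name": "home_pc",
  "log_file": "/home/limour/app/proxynt/nt.log"}""")

if __name__ == "__main__":
    for finding in audit_proxynt(SAMPLE_SERVER, SAMPLE_CLIENT):
        print("FINDING:", finding)
```
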

Additional: WebSSH

Used together with the intranet penetration above: when connecting, fill in "proxynt" as the host. Both containers are on the ngpm network, so that name resolves to the proxynt container. This ensures that the internal SSH is not exposed to the public network while still being able to connect via the public network.

Commands:

mkdir -p ~/app/webssh && cd ~/app/webssh && nano docker-compose.yml
sudo docker-compose up -d

docker-compose.yml:

version: '3.3'
services:
  webssh:
    restart: unless-stopped
    environment:
      - GIN_MODE=release
      - savePass=true
    volumes:
      - '/etc/localtime:/etc/localtime:ro'
    image: jrohy/webssh:latest
# Same external network as the proxynt container
networks:
  default:
    external: true
    name: ngpm
