Inner Mesh Penetration Tool (instead of ngrok and peanut shell)

Brief Introduction

Because of the scarcity of IPv4 addresses, most home computers currently have no public IP. So to reach your own local services (ssh, http, vnc, NAS, smart-home interface callbacks such as the Typhoon elf custom semantics), you need a service that tunnels into your intranet.
There are currently some tools for this, such as Peanut Shell and ngrok. However,

  1. Peanut Shell charges a fee;
  2. ngrok version 2 has also started charging (version 1 is said to have some serious bugs).

Therefore, an open source solution is required.

Solution

I wrote a TCP tunneling tool called Tcp Through with netty, which can be downloaded directly. Installation is described below.

This project is divided into a server side and a client side; see github for more information.
Server side: https://github.com/longshengwang/tcpthrough-server
Client side: https://github.com/longshengwang/tcpthrough-client

This tool has some useful functions:

  1. Management of the server over an http API and from the command line (a self-written Python library, which I find rather cool).
  2. Security mode: the proxied service can only be accessed from IP addresses on a trust list (the best way to prevent attacks).
  3. Speed limiting is supported and has been tested. However, no limit is currently set in the code, so you can modify the code yourself, as described in the comments in OuterServer in the server library.
  4. The client can forbid control by the server (isRemoteManage parameter on the client side).
  5. Real-time rates can be viewed (no totals are kept).
  6. The management channel is encrypted with SSL so that registration information cannot be sniffed.
  7. The data plane is separated from the control plane to improve performance (10 Gb/s+ measured on a Mac).
  8. Security checks are performed on both the management and control planes; incorrect connections are killed and attacks are rejected.
  9. The server can add password validation so that other clients cannot register. Start the server with the -s parameter.

Note: if the server is a public-cloud virtual machine (Alibaba Cloud or Tencent Cloud), remember to open the corresponding ports.

Server Installation and Running

# Download and Unzip
wget https://github.com/longshengwang/tcpthrough-server/releases/download/v1.0/server-1.0.zip
unzip server-1.0.zip
cd server-1.0
# Starting the server side takes up three ports: control plane (default 9000), data plane (9009), and http service (8080). Use --help to see how to set them
bin/server

Note: Detailed parameters can be viewed through bin/server --help

The following example exposes port 22 of localhost on the intranet through port 333 on the server side.

Client Installation and Running

# Download and Unzip
wget https://github.com/longshengwang/tcpthrough-client/releases/download/client-1.0/client-1.0.zip
unzip client-1.0.zip
cd client-1.0
# Start the client side; the following line makes the client's localhost:22 service (here the ssh service) reachable through port 333 on the server
bin/client -u my_home -s <server ip> -p 333 -l localhost:22 -c true -a true

Note: Detailed parameters can be viewed through bin/client --help

Parameter description:

  • -c denotes whether the client can be controlled by the server (whether proxied services can be added)
  • -u is the client name, which is also its unique identity; it cannot be duplicated under one server
  • -a indicates that the proxied port can only be accessed by trusted hosts (how to add trusted hosts is described in the command-line section below)
  • -f means you can write all parameters to a file and point to it with -f

The file template is as follows:

name=wls_home
password=wo_shi_server_password
remote_host=192.168.122.20
remote_data_port=9009
remote_manager_port=9000
local_host=192.168.122.20
local_port=22
remote_proxy_port=2222
is_remote_manage=true
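The template above is a plain key=value file. Before exposing an intranet service through it, it is worth linting the file for the settings that matter for safety: an empty password (so the server's -s validation cannot apply), is_remote_manage=true (the server may then add proxied services), and port mistakes. The following linter is an added example, not part of tcpthrough; the sample file is constructed here and the check list is an assumption based only on the keys shown on this page.

```python
REQUIRED = {"name", "remote_host", "remote_data_port", "remote_manager_port",
            "local_host", "local_port", "remote_proxy_port"}
OPTIONAL = {"password", "is_remote_manage"}
PORT_KEYS = {"remote_data_port", "remote_manager_port", "local_port", "remote_proxy_port"}

# Constructed sample in the page's key=value format (not a real deployment):
# the password is left empty and server-side control is enabled.
SAMPLE = """\
name=wls_home
password=
remote_host=192.168.122.20
remote_data_port=9009
remote_manager_port=9000
local_host=192.168.122.20
local_port=22
remote_proxy_port=2222
is_remote_manage=true
"""

def parse_params(text):
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, val = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        cfg[key.strip()] = val.strip()
    return cfg

def lint_params(cfg):
    """Return findings a deployer should resolve; [] means nothing to flag."""
    out = [f"missing required key: {k}" for k in sorted(REQUIRED - cfg.keys())]
    out += [f"unknown key: {k}" for k in sorted(cfg.keys() - REQUIRED - OPTIONAL)]
    for k in sorted(PORT_KEYS & cfg.keys()):
        if not cfg[k].isdigit() or not 1 <= int(cfg[k]) <= 65535:
            out.append(f"{k} is not a valid port: {cfg[k]!r}")
    if cfg.get("remote_data_port") and cfg["remote_data_port"] == cfg.get("remote_manager_port"):
        out.append("remote_data_port and remote_manager_port use the same port")
    if not cfg.get("password"):
        out.append("password is empty: server-side -s registration validation cannot apply")
    flag = cfg.get("is_remote_manage", "false").lower()
    if flag not in ("true", "false"):
        out.append(f"is_remote_manage must be true or false, got {flag!r}")
    elif flag == "true":
        out.append("is_remote_manage=true: the server may add proxied services; set false unless needed")
    return out
```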

Command Line

You can view and manage connection information on the server through a Python library (also self-written).

➜ ~ pip install tcpth.cmd
➜ ~ tcpthcmd  # If the http port on the server is not the default 8080, add -p <port>
Welcome to use the tcp through.
tcpthrough> help
    list -- get all registration
    get <name> -- get special name information
    monitor [<name>] -- monitor the information, refresh on 2s
    register add <name> <localhost:port> <proxy port> -- add registration
    register delete <name> <proxy port> -- delete registration
    trust add <name> [<proxy port>] <trusted ip> -- add trust ip
    trust delete <name> [<proxy port>] <trusted ip> -- delete trust ip
    trust get <name> [<proxy port>] -- get trust ip
tcpthrough>
tcpthrough> list   # Columns are aligned on the command line; the alignment is lost when copied
 Name | Local Service | Proxy Port | Out Conn Count | Remote Managed | Security | Write Speed | Read Speed
--------------------------------------------------------------------------------------------------------------
 my_home | localhost:22 | 333 | 0 | true | true | 0KB/s | 0KB/s
tcpthrough>

Notes:

  • Exit command-line mode with exit, ctrl + d, or ctrl + c
  • If the client allows server-side control, the register command can be used to add and remove proxied services
  • If the client has security mode (-a) turned on, only IP addresses added with trust add <your-client-name> <your-ip> can access the proxied port
  • monitor prints the connection information held on the server side once every 2s
  • localhost in register add can be replaced by the IP address of another host in the client's network

Tags: Java github network ssh Python

Posted on Thu, 07 Nov 2019 09:23:54 -0800 by switchdoc