How to use git over an HTTP proxy, with socat
a word about socat
proxying the git protocol
proxying the ssh protocol
ssh proxy using corkscrew instead of socat
extra coolness for github
If you're tracking a public repo, you will need to use the "git" protocol, because the "http" protocol is not very efficient, and/or requires some special handling on the server side. If you're pushing code to a public repo, you definitely need to use the "ssh" protocol.
Corporate firewalls and proxies typically block both of these (and often a lot more); here's how to get around them.
a word about socat
I will be using "socat", an absolute corker of a program that does so many things it's incredible! Other people use corkscrew, ssh-https-tunnel, etc., which are all specialised for just one purpose. I prefer socat, and once you spend the 2-3 years :-) needed to read the man page, you will see why!
The basic idea is that you will somehow invoke socat, which will negotiate with the HTTP(S) proxy server using the CONNECT method to get you a clean pipe to the server on the far side.
However, do note that socat does have one disadvantage: the passwords to your proxy server are visible to local users running ps -ef or something. I don't care since I don't have anyone else logging into my desktop, and the ability to use a program I already have anyway (socat) is more important.
proxying the git protocol
When I want to download a public repo, I just type
proxied_git clone ...repo...
proxied_git pull
and so on, instead of
git clone ...repo...
git pull
Here's the how and why of it.
To proxy the git protocol, you need to export an environment variable called GIT_PROXY_COMMAND, which contains the command that is to be invoked. I have a shell function in my .bashrc that looks like this:
proxied_git ()
(
    # git runs this wrapper as: $GIT_PROXY_COMMAND <host> <port>
    export GIT_PROXY_COMMAND=/tmp/gitproxy;
    cat > "$GIT_PROXY_COMMAND" <<EOF
#!/bin/bash
/usr/bin/socat - PROXY:172.25.149.2:\$1:\$2,proxyport=3128
EOF
    chmod +x "$GIT_PROXY_COMMAND";
    # the function body is a subshell, so the variable does not leak into the session
    git "$@"
)
Possible variations are:
- you could give /tmp/gitproxy a more permanent name and remove the middle paragraph completely. (I don't do this because that's too small a file to bother with; it just seems cleaner this way.)
- you could permanently set the environment variable if all your git repos are remote (very unlikely)
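A hardened variant of the function above, as an added example that is not from the original article: on a shared machine the fixed path /tmp/gitproxy is predictable, so this version writes the wrapper into a private mktemp directory and removes it when git exits. PROXY_HOST, PROXY_PORT and make_git_proxy_wrapper are assumed names; the defaults are the article's proxy address and port.

```shell
# Added example, not the article's code. PROXY_HOST / PROXY_PORT are assumed
# variable names; the defaults are the values hard-coded in the article.
PROXY_HOST=${PROXY_HOST:-172.25.149.2}
PROXY_PORT=${PROXY_PORT:-3128}

# Create the socat wrapper inside a fresh directory that only the current
# user can enter, and print the wrapper's path.
make_git_proxy_wrapper() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/gitproxy.XXXXXX") || return 1
    chmod 700 "$dir"
    wrapper=$dir/gitproxy
    # git invokes the wrapper as: wrapper <host> <port>
    cat > "$wrapper" <<EOF
#!/bin/sh
exec /usr/bin/socat - "PROXY:${PROXY_HOST}:\$1:\$2,proxyport=${PROXY_PORT}"
EOF
    chmod 700 "$wrapper"
    printf '%s\n' "$wrapper"
}

# Same interface as the article's function: proxied_git clone ...repo...
proxied_git() (
    GIT_PROXY_COMMAND=$(make_git_proxy_wrapper) || exit 1
    export GIT_PROXY_COMMAND
    # remove the private directory when this subshell exits
    trap 'rm -rf "${GIT_PROXY_COMMAND%/*}"' EXIT
    git "$@"
)
```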
proxying the ssh protocol
The git protocol is handled directly by git (duh!), but if you use the ssh protocol, it invokes ssh explicitly (again, duh!).
Ssh already has this sort of stuff built-in, so you simply add a few lines to your ~/.ssh/config:
host gh
    user git
    hostname github.com
    port 22
    proxycommand socat - PROXY:your.proxy.ip:%h:%p,proxyport=3128,proxyauth=user:pwd
Now you can just say (for example):
git clone gh:sitaramc/git-notes.git
ssh proxy using corkscrew instead of socat
- download and install corkscrew (http://www.agroman.net/corkscrew/)
- create a file (e.g., ~/.ssh/myauth), put your http proxy username and password in it as "username:password", and save it.
- safeguard the file:
  chmod 600 ~/.ssh/myauth
- open ~/.ssh/config and add the following entry, adding an explicit path to corkscrew if needed:
  host gh
      user git
      hostname github.com
      port 22
      proxycommand corkscrew your.proxy.ip 3128 %h %p ~/.ssh/myauth
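A check for the two credential exposures discussed above (socat's proxyauth= on the command line, and the permissions of the corkscrew auth file), as an added example that is not from the original article. The function names are assumptions, and only the "keyword value" config syntax used on this page is parsed.

```shell
# Added example, not the article's code. Findings are printed one per line;
# no output means nothing was flagged.
owner_only() {   # true if group and other have no permission bits on $1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

audit_proxy_creds() {
    cfg=$1
    awk '
        { key = tolower($1) }          # ssh_config keywords are case-insensitive
        key == "host" { host = $2 }
        key == "proxycommand" {
            if ($0 ~ /proxyauth=/) print "INLINE_CRED", host
            n = split($2, p, "/")      # accept an explicit path to corkscrew
            if (p[n] == "corkscrew" && NF >= 7) print "AUTHFILE", host, $7
        }
    ' "$cfg" | while read -r kind host path; do
        case $kind in
        INLINE_CRED)
            echo "$host: proxyauth= is passed on the socat command line (shown by ps)"
            owner_only "$cfg" || echo "$host: $cfg holds the password and is accessible to group/other"
            ;;
        AUTHFILE)
            # the config may spell the path with a leading ~/
            case $path in "~/"*) path=$HOME/${path#"~/"} ;; esac
            if [ ! -f "$path" ]; then
                echo "$host: auth file $path not found"
            elif ! owner_only "$path"; then
                echo "$host: auth file $path is accessible to group/other"
            fi
            ;;
        esac
    done
}
```

Run it as audit_proxy_creds ~/.ssh/config; the proxyauth= finding cannot be fixed with file permissions, only by moving the password off the command line.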
extra coolness for github
Noting that many corporate firewalls block access to the CONNECT method on ports other than 443, the good folks at github have an ssh server listening on 443 if you use the host "ssh.github.com", so you can replace the hostname and the port in the above ssh config stanza as appropriate, and you're all set.
from http://sitaramc.github.com/tips/git-over-proxy.html
------------------------------------------------------------------------------
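socat port forwarding: setup and usage
Background: I needed to set up port forwarding on a server. nc can do this too, but I found socat more convenient and, I am told, more powerful; I have not really worked out how the two actually compare. What matters is which one is easier to use. I found a few articles online and compiled them here for reference. I have not used this software much, so feel free to get in touch to discuss any problems.
[Main text begins]
Article type: collected and compiled from the web, semi-original :)
Audience: people who want to forward ports with socat, set up bidirectional NAT forwarding, or are looking for something more powerful than nc
Background knowledge: basic software installation and some understanding of network ports
0. Introduction
socat is a replacement for netcat (nc) and could be called nc++. Its defining feature is that it sets up a bidirectional channel between two streams. socat has many address types: ip, tcp, udp, ipv6, pipe, exec, system, open, proxy, openssl, and so on. Its parameters turn out to be quite regular and concise. socat can build a channel between any two pipes in the broad sense (sockets, standard input/output, pipes, etc.) and exchange data between the two ends.
1. Installation
Debian/Ubuntu: sudo apt-get install socat
CentOS/Red Hat: yum install socat
Other Linux distributions: download the source code from the download link and compile it.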
2. Usage
For example, the forwarding I need is: every TCP connection to port 15000 is forwarded to server.wesnoth.org:15000.
The corresponding command is:
socat -d -d -lf /var/log/socat.log TCP4-LISTEN:15000,reuseaddr,fork,su=nobody TCP4:server.wesnoth.org:15000
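"-d -d -lf /var/log/socat.log" are options: the two consecutive -d flags set the verbosity of the diagnostic output, and -lf names the file the output is written to.
"TCP4-LISTEN:15000,reuseaddr,fork,su=nobody" is the first address: listen for TCP4 on port 15000, allow the bound address to be reused, fork a child process to handle each incoming connection, and switch the executing user to nobody.
"TCP4:server.wesnoth.org:15000" is the second address: everything socat receives on the listener is forwarded to server.wesnoth.org:15000.
The examples below need careful reading to understand what they express. To forward a port, you first open a port locally, then listen on the port that is offered for outside connections.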
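$socat - tcp:192.168.1.18:80
This command is equivalent to nc 192.168.1.18 80. socat always needs two streams, so the first argument, -, stands for standard input/output and the second stream connects to port 80 on 192.168.1.18. Now a reverse telnet example: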
on server:
$socat tcp-listen:23 exec:cmd,pty,stderr
This command binds cmd to port 23 and redirects cmd's stderr to stdout.
on client:
$socat readline tcp:server:23
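Connecting to port 23 on the server gives you a cmd shell. readline is the GNU command-line editor, which provides history.
Next, a file transfer example. nc is also often used to transfer files, but it has one drawback: it does not know when the file has finished transferring, so you usually have to stop it with Ctrl+c, or estimate a time and use the -w option to make it stop on its own. With socat there is no such trouble: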
on host 1:
$socat -u open:myfile.exe,binary tcp-listen:999
on host 2:
$socat -u tcp:host1:999 open:myfile.exe,create,binary
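This command transfers the file myfile.exe in binary mode from host 1 to host 2. -u means data flows in one direction, from the first argument to the second; -U means from the second to the first. When the file has been transferred, socat exits on its own.
One more example that people like to use. In a NAT environment, how do you connect from outside to a port on the inside? It is enough to be able to run socat on the inside.
Outside: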
$socat tcp-listen:1234 tcp-listen:3389
Inside:
$socat tcp:outerhost:1234 tcp:192.168.12.34:3389
This way, port 3389 on your outside machine is mapped to port 3389 on 192.168.12.34 in the internal network.
from http://www.issacy.com/archives/807.html
----------------------------------------------------
socat - Multipurpose relay
Abstract
what: "netcat++" (extended design, new implementation)
OS: AIX, BSD, HP-UX, Linux, Solaris e.a. (UNIX)
lic: GPL2
inst: tar x...; ./configure; make; make install
doc: README; socat.html, socat.1; xio.help
ui: command line
exa: socat TCP6-LISTEN:8080,reuseaddr,fork PROXY:proxy:www.domain.com:80
keyw: tcp, udp, ipv6, raw ip, unix-socket, pty, pipe, listen, socks4, socks4a, proxy-connect, ssl-client, filedescriptor, readline, stdio, exec, system, file, open, tail -f, termios, setsockopt, chroot, fork, perm, owner, trace, dump, dgram, ext3, resolver, datagram, multicast, broadcast, interface, socket, sctp, generic, ioctl
What's new?
2012/05/14: A heap based buffer overflow vulnerability has been found with data that happens to be output on the READLINE address. Successful exploitation may allow an attacker to execute arbitrary code with the privileges of the socat process (advisory). Fixed versions are 1.7.2.1 and 2.0.0-b5. Patches are available in the download area.
2011/12/05: socat version 1.7.2.0 allows tun/tap interfaces without IP address and introduces options openssl-compress and max-children. It fixes 18 bugs and has 11 changes for improved platform support, especially for Mac OS X Lion, DragonFly, and Android.
2011/05/29: Michael Terzo provided a patch that fixes the compile error of socat 2.0.0 up to b4 on non-Linux systems.
2010/10/03: Vitali Shukela provided a patch that allows to use the original target address of an accepted connection in a socks or proxy address.
2010/08/02: A stack overflow vulnerability has been fixed that could be triggered when command line arguments were longer than 512 bytes. Fixed versions are 1.7.1.3 and 2.0.0-b4. See socat security advisory 2 for details.
2009/04/04: the third beta version (2.0.0-b3) of socat version 2 is ready for download. It contains all new bug fixes and features of 1.7.1.0 (plus fix:setenv, see below) and introduces the possibility to integrate external programs in address chains (see doc/socat-addresschain.html and doc/socat-exec.html).
2008/11/01: a public git repository containing socat 1.6.0.0 and all later releases is available.
Get it!
You can download socat 1.7.2.0 in source form (.gz, .bz2). Feel free to check the md5 hashes.
Many current Linux and BSD distributions already provide socat; for other distributions and for some commercial UNIX platforms, precompiled socat packages are available too, so search the internet if you don't want to bother with compiling it yourself.
There is a page with socat patches and contributions.
socat binaries for Windows based on Cygwin are provided by Gentil Kiwi for download.
Documentation
Classical documentation:
- README file
- socat man page in HTML format.
- examples section of the man page
Mini tutorials:
- Securing traffic between two socat instances using SSL
- IP multicasting with socat
- Building TUN based virtual networks with socat
- socat-gender.txt contains a simple TCP `gender changer´ example.
- Generic sockets with socat
Contact
If you have more questions, please contact socat@dest-unreach.org
from http://www.dest-unreach.org/socat/
-------
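The main feature of socat is that it sets up a channel between two data streams, and it supports many protocols and connection types: ip, tcp, udp, ipv6, pipe, exec, system, open, proxy, openssl, socket, and so on.
socat is a multipurpose network tool whose name comes from "Socket CAT"; it can be seen as netcat made many times more powerful. The official socat site is http://www.dest-unreach.org/socat/ .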
Installation steps:
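There are two ways to solve this:
The first is to disable fips, configuring with the following command:
./configure --disable-fips
The second is to install fips: first download the openssl-fips package from http://www.openssl.org/source/ , then unpack and install it: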
./configure
make && make install
Using socat:
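A practical port forwarding tool on Linux: socat installation and usage notes
Preface:
In production we often run into this scenario: one machine acts as a forwarding server connecting network segments A and B, and traffic arriving on a port of the forwarding server is forwarded to a port on a machine in segment B, so that servers in segment A can reach that port in segment B by connecting to the port on the forwarding server.
This comes up a lot when setting up dedicated-line connections with customers. iptables can also do the forwarding, but it is more complicated; socat handles this easily.
socat can be seen as a replacement for netcat (nc). It sets up a bidirectional channel between two streams and supports many protocols and connection types: ip, tcp, udp, ipv6, pipe, exec, system, open, proxy, openssl, socket, and so on.
I. Installing socat:
1. Installing from source:
Official socat site: http://www.dest-unreach.org/socat/
socat source download: http://www.dest-unreach.org/socat/download/
Build and install: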
# tar zxf socat-1.7.2.4.tar.gz
# cd socat-1.7.2.4
# ./configure
# make
# make install
2. Installing with yum:
# yum install socat
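II. Main features
1. Port forwarding:
Format:
# nohup socat TCP4-LISTEN:<listen-port>,reuseaddr,fork TCP4:192.168.xxx.xxx:<forward-port>
Example:
Enable logging, listen locally on port 123 of the 192.168.162.43 interface, and forward requests to port 123 on 192.168.162.44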
# nohup socat -d -d -lf /var/log/socat.log TCP4-LISTEN:188,bind=192.168.162.43,reuseaddr,fork TCP4:192.168.162.44:123 &
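nohup...& : keeps the command running in the background
-d -d -lf /var/log/socat.log : the two consecutive -d flags set the verbosity of the diagnostic output, and -lf names the file the output is written to.
TCP4-LISTEN: opens a local listening port for TCP over IPv4
bind: the IP address to listen on; without this parameter socat listens on every IP address of the server
reuseaddr: allows the local port to be bound again right away (sets SO_REUSEADDR on the listening socket)
fork: multi-connection mode; once a connection is established, a child process is forked to handle it and socat keeps listening on the same port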
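A check that follows from the bind note above, as an added example that is not from the original post: it reads `netstat -antulp` output and lists socat or rinetd listeners that are bound to a wildcard address and therefore reachable on every interface. The function names and the sample lines are constructed for this example.

```shell
# Added example, not the post's code. Sample input is constructed; the
# column layout is that of `netstat -antulp` on Linux.
sample_netstat() {
    cat <<'EOF'
tcp        0      0 0.0.0.0:8090          0.0.0.0:*     LISTEN      5849/rinetd
tcp        0      0 192.168.162.43:188    0.0.0.0:*     LISTEN      6021/socat
tcp        0      0 0.0.0.0:15000         0.0.0.0:*     LISTEN      6100/socat
tcp        0      0 0.0.0.0:22            0.0.0.0:*     LISTEN      911/sshd
tcp6       0      0 :::188                :::*          LISTEN      6150/socat
EOF
}

# Reads netstat output on stdin and prints "port program pid" for every
# socat/rinetd TCP listener whose local address is a wildcard.
wildcard_forwarders() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            # everything before the last ":" is the bound address
            addr = substr($4, 1, length($4) - length(port) - 1)
            split($7, p, "/")          # "5849/rinetd" -> pid, program
            if ((addr == "0.0.0.0" || addr == "::" || addr == "*") &&
                (p[2] == "socat" || p[2] == "rinetd"))
                print port, p[2], p[1]
        }'
}
```

On a live host, run it as root so the PID/Program column is filled in: netstat -antulp | wildcard_forwarders. The listener bound with bind=192.168.162.43 is not reported.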
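2. File transfer:
nc is also often used to transfer files, but it has one drawback: it does not know when the file has finished transferring, so you usually have to stop it with Ctrl+c, or estimate a time and use the -w option to make it stop on its own. With socat there is no such trouble: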
192.168.162.43:
# socat -u open:file,binary tcp-listen:123
192.168.162.44:
# socat -u tcp:192.168.162.43:123 open:file,create,binary
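-u means data flows in one direction. This command transfers the file named file in binary mode over port 123 (which must not be a port already in use) from 192.168.162.43 to 192.168.162.44; when the transfer is complete, socat exits on its own.
3. Split read/write streams:
socat also has a unique feature for splitting the read and write directions, for example: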
# socat open:read.txt!!open:write.txt,create,append tcp-listen:80,reuseaddr,fork
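This command implements a fake web server: when a client connects, the contents of read.txt are sent to it, and whatever the client sends is saved to write.txt. The "!!" symbol combines a read stream and a write stream: the part before it is used for reading, the part after it for writing.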
from http://www.jiagoumi.com/work/1500.html
--------------
--------------
Deploying port forwarding with rinetd and socat
[root@PortForward02 src]# wget http://www.boutell.com/rinetd/http/rinetd.tar.gz
[root@PortForward02 src]# ls
rinetd.tar.gz
[root@PortForward02 src]# tar -zxvf rinetd.tar.gz
[root@PortForward02 src]# cd rinetd
[root@PortForward02 rinetd]# make
cc -DLINUX -g -c -o rinetd.o rinetd.c
rinetd.c:176: warning: conflicting types for built-in function ‘log’
cc -DLINUX -g -c -o match.o match.c
gcc rinetd.o match.o -o rinetd
[root@PortForward02 rinetd]# make install
install -m 700 rinetd /usr/sbin
install -m 644 rinetd.8 /usr/man/man8
install: cannot create regular file `/usr/man/man8': No such file or directory
make: *** [install] Error 1
[root@PortForward02 rinetd]#
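Running make may produce an error; fix it as follows: in rinetd.c, change bindPort >= 65536 and connectPort >= 65536 to 65535, otherwise make reports that the value exceeds the largest port defined by the system. In vim, press n to jump to the next match.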
[root@PortForward02 rinetd]# vim rinetd.c
544 if ((bindPort == 0) || (bindPort >= 65535)) {
567 if ((connectPort == 0) || (connectPort >= 65535)) {
or
[root@localhost rinetd]# sed -i "s/65536/65535/g" rinetd.c
Create the directory /usr/man/ by hand
[root@PortForward02 rinetd]# mkdir -p /usr/man/
[root@PortForward02 rinetd]# make clean
[root@localhost rinetd]# make
cc -DLINUX -g -c -o rinetd.o rinetd.c
rinetd.c:176: warning: conflicting types for built-in function ‘log’
cc -DLINUX -g -c -o match.o match.c
gcc rinetd.o match.o -o rinetd
[root@localhost rinetd]# make install
install -m 700 rinetd /usr/sbin
install -m 644 rinetd.8 /usr/man/man8
[root@localhost rinetd]#
On success, the install paths are shown
install -m 700 rinetd /usr/sbin
install -m 644 rinetd.8 /usr/man/man8
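Program path: /usr/sbin/rinetd
Create the configuration file /etc/rinetd.conf. Format: source IP, source port, destination IP, destination port; each port to be forwarded goes on its own line. Source and destination addresses can be host names or IP addresses; the IP address 0.0.0.0 binds rinetd to every available local IP address:
For example, forward all requests sent to port 80 of this machine to port 80 on 192.168.4.247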
[root@localhost rinetd]# vim /etc/rinetd.conf
allow 10.15.44.162 // IP addresses that are allowed to connect
# allow 0.0.0.0
#allow 10.15.44.*
#deny 10.15.44.144
0.0.0.0 8090 10.15.44.133 80 // port forwarding rule
logfile /var/log/rinetd.log // log file to write
Start the program and add rinetd to system startup
[root@PortForward02 rinetd]# /usr/sbin/rinetd
or
[root@localhost rinetd]# rinetd -c /etc/rinetd.conf
[root@localhost rinetd]# netstat -antulp|grep -i rinetd
tcp 0 0 0.0.0.0:8090 0.0.0.0:* LISTEN 5849/rinetd
[root@localhost rinetd]# killall -9 rinetd    # or: pkill -9 rinetd
[root@localhost rinetd]# netstat -antulp|grep -i rinetd
[root@localhost rinetd]# rinetd
[root@localhost rinetd]# netstat -antulp|grep -i rinetd
tcp 0 0 0.0.0.0:8090 0.0.0.0:* LISTEN 5861/rinetd
[root@PortForward02 rinetd]# cat /etc/rc.d/rc.local |grep -v "#"
/usr/sbin/rinetd -c /etc/rinetd.conf
touch /var/lock/subsys/local
[root@PortForward02 rinetd]#
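With this in place, opening http://10.15.44.125:8090 (the rinetd server address) in any browser has the same effect as opening http://10.15.44.133. However, this only works from the machine 10.15.44.162; other machines cannot connect. If
Notes
1. The local port bound in rinetd.conf must not be in use by another program
2. The firewall on the system running rinetd must open the bound local port
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2222 -j ACCEPT
3. Forwarding FTP is not supported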
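socat sets up a bidirectional channel between two streams and supports many protocols and connection types: ip, tcp, udp, ipv6, pipe, exec, system, open, proxy, openssl, socket, and so on
Installing with yum: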
wget --no-cache http://www.convirture.com/repos/definitions/rhel/6.x/convirt.repo -O /etc/yum.repos.d/convirt.repo
yum makecache
yum install socat
Usage:
nohup socat tcp-l:<external-port>,reuseaddr,fork tcp:192.168.xxx.xxx:<internal-forward-port>
nohup socat TCP4-LISTEN:188,reuseaddr,fork TCP4:192.168.1.22:123 &
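Listen locally on port 188 and forward requests to port 123 on 192.168.1.22
TCP4-LISTEN: opens a local listening port for TCP over IPv4;
reuseaddr: allows the local port to be bound again right away (sets SO_REUSEADDR on the listening socket);
fork: multi-connection mode; once a connection is established, a child process is forked to handle it and socat keeps listening on the same port
socat in listening mode occupies a shell in the foreground, so it needs to be run in the background.
Appendix: official socat documentation: http://www.dest-unreach.org/socat/doc/socat.html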
from http://blog.51cto.com/ityunwei2017/1621753
---------
---------
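How to use socat to get through to a target's internal network more conveniently
0x01 Environment for this walkthrough:
0x02 Some prerequisites to note
0x03 End goal: two-way communication between two internal networks, i.e. operating machines in the target's internal network from inside my own internal network. There are of course many other ways to achieve this, for example these common ones:
0x04 Rough approach:
0x05 First install socat on lnmp01. In a real engagement, compiling from source is recommended, so that when leaving, the whole install directory can be removed in one go, cleanly:
0x06 Prepare the reverse payload locally. Note that the connect-back IP must be the IP of the machine in the target's perimeter DMZ (i.e. lnmp01):
0x07 Start listening locally:
0x08 On lnmp01, run the proxy step. The idea is simple: bind local ports 53 and 443 together, which amounts to building a pipe on that machine. The machine is really just a go-between: when someone connects to its port 53, the data is automatically passed on to its port 443, and 443 happens to be the port my implant uses, so the session comes online:
0x09 Now go back to the local machine and set up a bidirectional channel with the proxy end, preferably left running in the background. This binds local port 443 to port 53 on the proxy end, so that accessing local 443 is the same as accessing port 53 on the proxy end; the proxy end's port is in turn bound to its own port 443, so when the implant's traffic on port 443 connects back, it effectively connects straight back to my local machine:
0x10 Finally, run the payload on the internal machine; the implant comes online successfully
0x11 About socat:
0x12 Advantages:
0x13 Disadvantages: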