SSH port forwarding, routing configuration in a meterpreter shell, proxychains proxy configuration, and frp and ew for intranet penetration

ssh port forwarding

Some command parameters
-C  compress the data in transit
-f  go to the background after logging in with username and password
-N  do not execute a shell [combined with -g]
-g  allow the opened ports to be accessed by remote hosts

Edit the sshd configuration on a public network VPS, enable the ssh forwarding function, and restart the ssh service. These steps are all required before using ssh tunnel forwarding:

vim /etc/ssh/sshd_config
AllowTcpForwarding yes
GatewayPorts yes
TCPKeepAlive yes
PasswordAuthentication yes
#systemctl restart sshd.service
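
An added example (not from the original post) for the defender's side of the settings above: it works out which value of the four directives actually takes effect in a given sshd_config and flags the exposure that results. The sample text and the finding names are constructed for illustration.

```python
import re

# OpenSSH defaults for the four directives the article sets (sshd_config(5)).
DEFAULTS = {"allowtcpforwarding": "yes", "gatewayports": "no",
            "tcpkeepalive": "yes", "passwordauthentication": "yes"}

# Constructed sample: the article's settings plus a later line that looks
# like a fix but is ignored, and a conditional Match block.
SAMPLE = """\
AllowTcpForwarding yes
GatewayPorts yes
TCPKeepAlive yes
PasswordAuthentication yes
gatewayports no
Match User backup
    AllowTcpForwarding no
"""

def effective_global(text):
    """sshd keeps the FIRST value read for a keyword; keywords are
    case-insensitive; lines after a Match line apply only conditionally."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # simplification: '#' starts a comment
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if key in DEFAULTS and key not in seen and len(parts) == 2:
            seen[key] = parts[1].strip().strip('"').lower()
    return {**DEFAULTS, **seen}

def findings(text):
    cfg, out = effective_global(text), []
    remote_ok = cfg["allowtcpforwarding"] in ("yes", "all", "remote")
    if cfg["allowtcpforwarding"] != "no":
        out.append("tcp-forwarding-enabled")
    if remote_ok and cfg["gatewayports"] != "no":
        out.append("remote-forwards-reachable-from-network")
    if cfg["passwordauthentication"] == "yes":
        out.append("password-auth-enabled")
    return out

if __name__ == "__main__":
    print(effective_global(SAMPLE))
    print(findings(SAMPLE))
```

On a live host, `sshd -T` prints the fully resolved configuration, including files pulled in by Include, and is the authoritative check.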

Local forwarding:
ssh -fCNg -L 5555:192.168.11.11:80 [email protected]
Local forwarding: this machine establishes a connection with the vps, the vps then establishes a connection with the port of the target host, and that port is forwarded to the designated port on the local machine. The end result is that this machine can reach the target port by accessing one of its own ports. It is a bit like a forward proxy; the traffic flow is roughly:
local traffic -> vps -> target host

Remote forwarding:
ssh -fCNg -R 5555:172.16.99.146:80 [email protected]
ssh -fCNg -R 5555:10.92.78.138:5678 [email protected]
# Traffic that reaches port 5555 on the vps is forwarded to this machine, which then forwards it to 172.16.99.146:80
Traffic flow: outside traffic -> designated port on the vps -> designated port on this machine

Dynamic forwarding:
ssh -fCNg -D 5555 [email protected]
# Forwards all traffic that reaches local port 5555 through 192.168.11.12. It is equivalent to a socks proxy.
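
An added example (not part of the original post) that reads the three kinds of forward out of an ssh command line, for instance one seen in a process listing, and reports which side opens the listening port and who can reach it. The destination user@vps.example is a constructed placeholder, and IPv6 bind addresses are not handled.

```python
import shlex

WITH_ARG = set("BbcDEeFIiJLlmOopQRSWw")    # ssh options that take a value
LOOPBACK = {"", "localhost", "127.0.0.1"}

def describe(kind, spec, gateway):
    p = spec.split(":")                      # IPv4/hostnames only (assumption)
    dynamic = kind == "D" or (kind == "R" and len(p) <= 2)
    n_listen = len(p) if dynamic else len(p) - 2   # [bind_address:]port
    bind = p[0] if n_listen == 2 else ""
    if kind == "R":                          # listener is opened by sshd
        side, scope = "server", "decided by sshd GatewayPorts"
    else:                                    # -g only affects -L and -D
        side = "client"
        exposed = (gateway and not bind) or bind not in LOOPBACK
        scope = "network" if exposed else "loopback"
    return {"kind": kind, "listener": side, "port": int(p[n_listen - 1]),
            "target": "socks" if dynamic else ":".join(p[-2:]), "scope": scope}

def parse_forwards(cmdline):
    """Return one dict per -L/-R/-D forward in an ssh command line."""
    args, gateway, specs, i = shlex.split(cmdline)[1:], False, [], 0
    while i < len(args):
        arg, i = args[i], i + 1
        if not arg.startswith("-") or arg == "-":
            continue                         # destination or remote command
        for pos, ch in enumerate(arg[1:], start=1):
            if ch == "g":
                gateway = True
            elif ch in WITH_ARG:             # value: rest of word or next word
                value = arg[pos + 1:]
                if not value and i < len(args):
                    value, i = args[i], i + 1
                if ch in "LRD":
                    specs.append((ch, value))
                break
    return [describe(k, s, gateway) for k, s in specs]

# The article's three commands; user@vps.example is a constructed destination.
SAMPLES = ["ssh -fCNg -L 5555:192.168.11.11:80 user@vps.example",
           "ssh -fCNg -R 5555:172.16.99.146:80 user@vps.example",
           "ssh -fCNg -D 5555 user@vps.example"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(parse_forwards(s))
```

For -R the listening port lives on the ssh server, so its reachability is governed by the server's GatewayPorts setting rather than by -g.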

Configure routing on meterpreter

run get_local_subnets
run autoroute -s 172.17.0.0/24
route add ip/24 sessionid
https://www.anquanke.com/post/id/85580
Configure socks5
background
use auxiliary/server/socks5
run

Configure proxychains

root@kali:~# vim /etc/proxychains.conf
dynamic_chain
socks5 192.168.124.135 8800
proxyresolv www.baidu.com    # check whether the proxy works
cp /usr/lib/proxychains3/proxyresolv /usr/bin/    # if the proxyresolv command is not found, just run this line
proxychains nmap -sS ip    # run in the shell

ew proxy in practice


Using frp for a reverse socks proxy, an http proxy and port forwarding

Download frp

First go to GitHub and download the matching version of frp; there are builds for both Windows and Linux. After decompression, it looks like this:
There is one prerequisite for using frp: you need a public network server with a public network ip. Here, assume you have a Linux public network server.


Specific operation

Step 1: Upload the server-side frp files for the matching platform

These are the two files I selected.


Step 2: Configure frps.ini on the server side

The meanings of these three values are:

bind_port: the port the client first connects to on the server. The client must connect to this port and establish communication with the server before any further operation such as the http proxy.

dashboard_port: the port of the dashboard. You can reach the dashboard by accessing this port on the server directly.

vhost_http_port: the http proxy port number.

After the configuration file has been changed, frps can be run directly on the server. The command is frps -c frps.ini


Step 3: Upload the client-side frp files for the matching platform

Since the client is Windows, you have to upload the client for the Windows environment. The corresponding file is:


Configure frpc.ini on the client

The parameters in the first [common] block are:

server_addr: the server's public network address
server_port: the port on the server's public network address

The parameters in the second [Remote Window] block are:

type: connection type
local_ip: fill in 127.0.0.1 directly
local_port: the local port number that needs to be forwarded
remote_port: the port on the vps that the local port is forwarded to
These parameters are mainly used for port forwarding.

The parameters in the third [web] block are:

custom_domains: specifies the server ip
local_port: any local port of your choice
remote_port: the proxy port on the vps
These parameters are used for the http proxy.

The parameters in the fourth block [socks] are:

plugin = socks5: sets the socks type to socks5.
remote_port: the port on which the socks proxy is provided.
Run the client with this configuration using the command frpc.exe -c frpc.ini.
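
An added example (not from the original post, whose configuration screenshots are not preserved): a reader for an frpc.ini of the kind described above, such as one recovered from a host during incident response, that lists what each proxy block publishes on the frp server and what it reaches inside. The sample file is constructed from the parameter names in the text; the addresses, most ports and the type values are placeholders.

```python
import configparser

# Constructed frpc.ini built from the parameter names the article lists.
# Addresses and ports are placeholders; 6000 -> 3389 is the article's mapping.
SAMPLE_FRPC = """
[common]
server_addr = 203.0.113.10
server_port = 7000
[Remote Window]
type = tcp
local_ip = 127.0.0.1
local_port = 3389
remote_port = 6000
[web]
type = http
local_port = 8080
custom_domains = 203.0.113.10
[socks]
type = tcp
plugin = socks5
remote_port = 8800
"""

def exposures(ini_text):
    """One row per proxy: (name, public endpoint, what it reaches, note)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    server = cp.get("common", "server_addr", fallback="?")
    rows = []
    for name in cp.sections():
        s = cp[name]
        if name == "common":
            continue
        if s.get("type", "tcp") == "http":    # served on frps vhost_http_port
            public = s.get("custom_domains", server) + ":vhost_http_port"
        else:
            public = f"{server}:{s.get('remote_port', '?')}"
        if "plugin" in s:                      # plugin replaces local_ip/local_port
            inside = "plugin:" + s["plugin"]
            note = "" if "plugin_user" in s else "no plugin_user set"
        else:
            inside = f"{s.get('local_ip', '127.0.0.1')}:{s.get('local_port', '?')}"
            note = ""
        rows.append((name, public, inside, note))
    return rows

if __name__ == "__main__":
    for row in exposures(SAMPLE_FRPC):
        print(row)
```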


Experimental results

If the server is configured correctly, this will appear:
At this point, connect to the server with the client, and the client will show:
Then set the proxy in the Chrome browser.


socks5 proxy:


http proxy

There are three hosts at this point: A, B and C.
A can access B, B can access C, and A cannot access C. After setting up the socks or http proxy, A can visit C's webpage:

A's ip is: 192.168.124.1
B's ip is: 192.168.124.135, 192.168.23.55
C's ip is: 192.168.23.99

You can access port 3389 of the target host by accessing port 6000 of the vps.


You can access the dashboard by accessing port 7500; it records the proxies that currently exist.

Origin blog.csdn.net/qq_41874930/article/details/108126148