Instructions for using the EW proxy tool

1. Introduction to EW

Earthworm (EW) is a portable network penetration tool with two core functions, SOCKS v5 proxy setup and port forwarding, which together let it traverse complex network environments.

The tool opens a network tunnel in "forward", "reverse", "multi-level cascade" and other modes, reaching deep into a network and using earthworm's own techniques to get around network restrictions and firewall rules.

The toolkit provides a variety of executable files to suit different operating systems, including Linux, Windows, and MacOS.

2. Instructions for use

Parameter description

-l listenport   open a port for the service startup
-d refhost      set the reflection (call-back) host address
-e refport      set the reflection (call-back) port
-f connhost     set the connect host address
-g connport     set the connect port
-t usectime     set the timeout in milliseconds (default 1000)
-s state        set up the function (link state)

Six link states, selected through the -s parameter, are available:

ssocksd, rcsocks, rssocks, lcx_slave, lcx_tran, lcx_listen

The SOCKS5 service itself is provided by ssocksd and rssocks, which implement the forward and the reverse SOCKS proxy respectively.

The lcx link states are used to open a path between the testing host and the SOCKS server.

lcx_slave (control pipe): one end connects back to the proxy requester, the other end connects to the host that provides the proxy.

lcx_tran (forwarding pipe): listens on a local port for proxy requests and forwards them to the host that provides the proxy.

lcx_listen (listening pipe): listens on a local port for data and forwards it to the proxy server that has connected back from the target network.

By combining the lcx pipes in this way, a multi-layer intranet can be reached during a penetration test.
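From the defender's side, the same six link states and their flags are enough to recognise an ew process from recorded command lines. The following is an added example, not code from the original post or from the ew project: the flag-per-state mapping is my reading of ew's usage text (an assumption), and the process-audit lines are constructed.

```python
import re
import shlex
# The six ew link states (-s) from the parameter list above and the flags each takes.
# This per-state flag mapping is my reading of ew's usage text, an assumption, not its source.
EW_STATES = {
    "ssocksd":    ("forward SOCKS5 server",  ("-l",)),
    "rssocks":    ("reverse SOCKS5 provider", ("-d", "-e")),
    "rcsocks":    ("reverse SOCKS5 relay",    ("-l", "-e")),
    "lcx_slave":  ("control pipe",            ("-d", "-e", "-f", "-g")),
    "lcx_tran":   ("forwarding pipe",         ("-l", "-f", "-g")),
    "lcx_listen": ("listening pipe",          ("-l", "-e")),
}
FLAGS_WITH_VALUE = {"-l", "-d", "-e", "-f", "-g", "-t", "-s"}
def parse_ew_cmdline(cmdline):
    """Finding dict if argv looks like ew (matched on '-s <state>', not the binary name), else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in the recorded command line
        return None
    opts = {t: argv[i + 1] for i, t in enumerate(argv[:-1]) if t in FLAGS_WITH_VALUE}
    state = opts.get("-s")
    if state not in EW_STATES:
        return None
    role, needed = EW_STATES[state]
    # -l is always a local listener; -e is local only for the two "listen twice" states.
    listen = [opts[f] for f in ("-l", "-e")
              if f in opts and (f == "-l" or state in ("rcsocks", "lcx_listen"))]
    connect = []  # outbound connections this state is expected to make
    if state in ("rssocks", "lcx_slave") and "-d" in opts and "-e" in opts:
        connect.append(f"{opts['-d']}:{opts['-e']}")
    if state in ("lcx_tran", "lcx_slave") and "-f" in opts and "-g" in opts:
        connect.append(f"{opts['-f']}:{opts['-g']}")
    return {"state": state, "role": role, "listen_ports": listen, "connect_to": connect,
            "missing_flags": [f for f in needed if f not in opts]}

# Constructed process-audit lines, not real telemetry; cmd holds the recorded argv.
SAMPLE_LOG = [
    'pid=4242 user=www-data cmd="./ew_for_linux64 -s rssocks -d 198.51.100.10 -e 8888"',
    'pid=4244 user=www-data cmd="./update -s lcx_slave -d 198.51.100.10 -e 8888 -f 10.0.22.5 -g 1080"',
    'pid=4245 user=bob cmd="ssh -l bob gateway"',
]
def scan_process_log(lines):
    """Return (pid, finding) for every log line whose command line parses as ew."""
    hits = []
    for line in lines:
        m = re.search(r'pid=(\d+).*?cmd="([^"]*)"', line)
        finding = parse_ew_cmdline(m.group(2)) if m else None
        if finding:
            hits.append((int(m.group(1)), finding))
    return hits
```

The listen_ports and connect_to fields give the listener and outbound connection the process should produce, so a finding can be cross-checked against socket telemetry from the same host.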

Reference link: EarthWorm

3. Practical use (CFS)

For the CFS three-layer intranet target-machine penetration, I used Kali's own proxy tool before, and it was extremely unstable! The second target's penetration needs sqlmap, and it would fail! Here we use ew in practice and found it quite stable!

Port probing is no problem either!

Here there are two target machines on which shells have already been obtained. One is in network segment 75, one is in network segment 22, and the other is in network segment 33; only the target machines in segments 33 and 22 can be accessed. Now we use ew to perform a three-level jump so that the attack machine Kali can access the intranet as the second target machine.

Upload ew through AntSword here.


First, establish a connection with the first target machine and enable the reverse proxy, so that Kali can access the second target machine as if it were the first target machine.

The operation is omitted here: probe the target machine in network segment 22 (the second one) through proxychains4, run sqlmap against its database through the proxy, use the browser proxy to access the web service of the target machine in segment 22, and so on.

Use the following command on the Kali machine to map port 1097 to port 8888 and listen on it.

Enable the forward proxy on the second target machine and specify port 9999.


There is a pitfall here: the second target machine needs the environment for ew set up first, otherwise it cannot be uploaded and executed.

Enter the following command on the first target machine to connect Kali to the second target machine and direct the traffic to the corresponding port.

Then the proxy on Kali can be used to probe the ports of the intranet target machine. Here you can see that 139 and 445 are open, so EternalBlue comes into play!

Although I have obtained a meterpreter session here, there is a problem when using the shell. Maybe I am too good at it. When setting up the shell, it is established with 127.0.0.1 and then stops. If there is an expert, please give me some guidance; thank you very much!


Source: blog.csdn.net/weixin_43938645/article/details/130603723