
A case of bouncing around the system firewall

2022-06-24 07:30:00 Xiaoxiang Xin'an

Statement: Most of the content on this official account comes from the author's daily notes; a few articles are reprinted with the authorization of the original author and other official accounts. Unauthorized reprinting is strictly prohibited; if you want to reprint, get in touch first. Do not use the techniques in this article for illegal testing; the author and the official account bear no responsibility for any adverse consequences.

0x01 Preface

Date/time: 2016. The problems encountered this time were somewhat unusual, so here is a brief record of the test process. The highest privilege on the target host had already been obtained, but forwarding port 3389 ran into a problem.

All the methods in the article 《A summary of firewall-bypassing bounce forwarding》 were tried, and all were intercepted. I also tested some ports that usually pass through well, such as 53/110/443/1040/8080, but they still did not work.

Reverse connection:
1. Lcx, 2. Aspx Client, 3.1 Reverse_tcp, 3.3 Reverse_http, 3.3 Reverse_https

Forward connection:
3.2 Bind_tcp

HTTP tunnel:
4. reDuh_Gui, 5. Http_Tunna, reGeorg, neo_reGeorg

0x02 Simple analysis

Analysis on the target host: from the WebShell, ping tests were run against several domain names and public IP addresses, confirming that this host cannot ping any domain name or any public IP (I have previously seen hosts that could not ping domain names but could ping public IPs).

From previous experience, I could be sure that something like a firewall was intercepting the traffic, so no normal TCP connection was being established.

I wrote a similar article before, 《Metasploit bind_tcp practical application》: use Nmap to find a target port whose state is closed and use it as the listening port, get a session with a bind_tcp forward connection to bypass the firewall restriction, and then use the portfwd command to forward the remote port 3389.

In this case the test was not so smooth: an Nmap scan of the target IP found only port 80, and its state was open, so the method from the previous article could not be used directly to bypass the firewall restrictions.

0x03 Bypass method

The test process is not recorded in detail; only the bypass method is given, and it is actually quite simple. Execute the following command in the China Chopper (中国菜刀) virtual terminal to stop the firewall of the target host, then scan again with Nmap: two additional ports now show the closed state, 53 and 443.

net stop sharedaccess

Then go back to the bind_tcp approach mentioned in that article to get a session. Another option is port reuse, but it stops the IIS service and maps the terminal services port 3389 onto port 80, which is far too noisy, so I did not try it.

msfpayload windows/meterpreter/bind_tcp LPORT=53 X > /tmp/53.exe

use exploit/multi/handler
set PAYLOAD windows/meterpreter/bind_tcp
set RHOST 218.**.***.37
set LPORT 53
exploit

0x04 A small trick

A small point discovered by accident: port forwarding with Meterpreter's portfwd does not expose the real IP address from which we connect to RDP. Instead, a random port is opened on the target host and connected to its own port 3389. Compare this with other port-forwarding tools to see the difference; it can also be used to get past some security protections.

meterpreter > portfwd add -l 1234 -r 127.0.0.1 -p 3389

Note: if the port forwards opened with portfwd are not deleted and the migrate command is used directly to migrate the process, all open port forwards may be disconnected. In other words, delete the open port forwards before performing process migration.
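As an added, defender-side illustration (not part of the original article), the following checks two host-side traces the technique above leaves behind: a Service Control Manager event 7036 reporting the firewall service entering the stopped state (SharedAccess on XP/2003, the service stopped in 0x03; MpsSvc on later Windows), and a Security event 4624 with logon type 10 (RemoteInteractive) whose source address is loopback, which is what the portfwd-to-127.0.0.1 trick in 0x04 looks like from the target's own logs. The flat field names (Provider, EventID, ServiceName, State, LogonType, IpAddress, TargetUserName) are an assumed normalized form rather than the raw event XML, and the sample records are constructed.

```python
# Added example (not from the original article): flag two host-side traces of the
# firewall-stop and loopback-RDP-forward technique in normalised Windows event records.
# Field names are an assumed normalised form; the sample events below are constructed.

# Service names as they may appear after normalisation: the short service name and
# the display name of the XP/2003 firewall service, plus MpsSvc for Vista and later.
FIREWALL_SERVICES = {
    "sharedaccess",
    "windows firewall/internet connection sharing (ics)",
    "mpssvc",
    "windows firewall",
}
LOOPBACK = {"127.0.0.1", "::1"}


def check_event(ev):
    """Return a short finding for one event dict, or None if it is not of interest."""
    provider, eid = ev.get("Provider"), ev.get("EventID")
    # 7036: "The <service> service entered the <state> state." Stopping the firewall
    # service (net stop sharedaccess) produces one of these with state "stopped".
    if provider == "Service Control Manager" and eid == 7036:
        if ev.get("State") == "stopped" and ev.get("ServiceName", "").lower() in FIREWALL_SERVICES:
            return f"firewall service {ev['ServiceName']} stopped"
    # 4624 logon type 10 is an RDP (RemoteInteractive) logon; a loopback source means
    # the RDP client reached the host through a port forward terminating on the host.
    if provider == "Microsoft-Windows-Security-Auditing" and eid == 4624:
        if ev.get("LogonType") == 10 and ev.get("IpAddress") in LOOPBACK:
            return f"RDP logon for {ev.get('TargetUserName')} from loopback (local port forward?)"
    return None


def scan(events):
    """Run check_event over a sequence of events and return the findings in order."""
    return [f for f in map(check_event, events) if f]


# Constructed sample records: a benign service state change, the firewall stop,
# a normal remote RDP logon, and an RDP logon arriving via loopback.
SAMPLE_EVENTS = [
    {"Provider": "Service Control Manager", "EventID": 7036, "ServiceName": "Spooler", "State": "running"},
    {"Provider": "Service Control Manager", "EventID": 7036, "ServiceName": "SharedAccess", "State": "stopped"},
    {"Provider": "Microsoft-Windows-Security-Auditing", "EventID": 4624, "LogonType": 10,
     "IpAddress": "10.0.0.25", "TargetUserName": "admin"},
    {"Provider": "Microsoft-Windows-Security-Auditing", "EventID": 4624, "LogonType": 10,
     "IpAddress": "127.0.0.1", "TargetUserName": "admin"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```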


Copyright notice
This article was written by [Xiaoxiang Xin'an]; when reprinting, please include the original link. Thank you.
https://yzsam.com/2021/07/20210701115810179p.html