How to tunnel into the intranet in real engagements

Posted by millikan at 2020-02-27

A gentleman keeps his tools about him and waits for the right moment to act. Keeping them hidden is what keeps them safe.



In intranet penetration, getting a webshell or a CobaltStrike or Metasploit session is only the beginning. Most of the work is lateral movement inside the intranet to expand the foothold and reach the core area. The prerequisite for post-exploitation, though, is building a dedicated channel into the intranet so the attack can continue. In real engagements the network environment differs from case to case, so the method used differs too.

The following is my own mind map of how to tunnel into the intranet in real engagements:

Target can reach the Internet (SOCKS proxy)

This is the most welcome network environment in a real engagement. The target machine can reach the Internet normally, so a SOCKS proxy or CobaltStrike can be run directly on it to open a channel into the target's intranet.


FRP server configuration file:

FRP client profile:

Encryption and compression are both enabled here; neither is on by default. According to the frp author's description, the compression algorithm is snappy.

use_encryption = true enables encryption:

use_encryption = true

use_compression = true enables compression (the transmitted content is compressed, which effectively reduces the network traffic and speeds up forwarding, at the cost of some extra CPU):

use_compression = true

use_encryption = true and use_compression = true must be placed under the relevant proxy section.
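An added example, not code from the original post or from the frp project: a small audit script that reads a recovered frpc.ini-style client config and reports, per proxy section, whether use_encryption and use_compression are in effect. Following the post's point that the two keys only count under a proxy section, a copy placed under [common] is reported as misplaced. The sample config, its addresses and section names are constructed.

```python
# Added example (not from the original post): audit an frpc.ini-style config.
# Useful when triaging a config recovered from a host, to tell at a glance
# which tunnels ran with the plaintext default and which were encrypted.
import configparser
import io

# Constructed sample config (not from the post): the socks5 proxy sets both
# flags correctly, the rdp proxy relies on a misplaced key under [common].
SAMPLE_FRPC_INI = """
[common]
server_addr = 203.0.113.10
server_port = 7000
use_compression = true

[socks5]
type = tcp
remote_port = 6000
plugin = socks5
use_encryption = true
use_compression = true

[rdp]
type = tcp
local_ip = 127.0.0.1
local_port = 3389
remote_port = 6001
"""

FLAGS = ("use_encryption", "use_compression")


def audit_frpc(text):
    """Return {proxy_section: {"encryption": bool, "compression": bool,
    "misplaced_in_common": [keys]}} for every non-[common] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(text))
    # Keys under [common] do not apply to a proxy, so flag them as misplaced.
    misplaced = [k for k in FLAGS if cp.has_option("common", k)]
    report = {}
    for section in cp.sections():
        if section == "common":
            continue
        report[section] = {
            "encryption": cp.getboolean(section, "use_encryption", fallback=False),
            "compression": cp.getboolean(section, "use_compression", fallback=False),
            "misplaced_in_common": misplaced,
        }
    return report


if __name__ == "__main__":
    for name, info in audit_frpc(SAMPLE_FRPC_INI).items():
        print(name, info)
```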

Once the frp client and its configuration file are on the target machine, the program and config file are renamed and placed in a system folder for concealment.

Comparison: with and without encryption and compression

This is the case where encryption and compression are not used in the frp client configuration. Running the Metasploit ms17_010 scanner through the SOCKS proxy, the transmitted packets clearly show the specific attack behaviour. If the target intranet has situational awareness, traffic analysis or other security devices, this will be detected and the access will be lost.

[Figure: traffic capture, encryption and compression comparison]

After enabling encryption and compression, the attack source address is still exposed, but the contents of the transmitted packets can no longer be identified, which evades the security monitoring devices in the intranet.

[Figure: traffic capture, encryption and compression comparison]

CobaltStrike (socks4a)

Turn on the SOCKS proxy from the beacon of the compromised target machine.

In the menu bar, View > Proxy Pivots; copy the proxy settings to connect Metasploit, or point other security tools at the socks4a proxy directly.


Bringing hosts without Internet access online

This is a chained link: once the parent link (the beacon with Internet egress) goes offline, the children drop too!

SMB Beacon

Official description of the SMB beacon: the SMB beacon uses named pipes to communicate through a parent beacon. When two beacons are linked, the child beacon gets its tasks from the parent and sends its output back through it. Because linked beacons communicate over Windows named pipes, this traffic is encapsulated in the SMB protocol, so the SMB beacon is relatively stealthy.

Create an SMB listener (host and port can be ignored). Pay attention to which listener is selected, and spawn the session from a host in the session list that is reachable by route.

After it runs successfully you can see the ∞ character, which marks the connection state of the spawned SMB beacon.

On the parent beacon, use link <host> to connect and unlink <host> to disconnect.

Link Listener

Create a listener on a host that is already online.

Generate the executable or DLL for this type of listener.

Select the listener you just created.

Upload the generated payload to the host that is currently online; the psexec.exe tool is used here (CobaltStrike's built-in psexec is not powerful enough).

From the beacon, use the psexec tool to push the payload to the host that cannot reach the Internet; it executes automatically and the host comes online.

SSH Login

Checking the network connections on the Linux target shows that the connection is actually established with the Windows host that came online earlier.

Target cannot reach the Internet (HTTP proxy)

There may be firewalls, gateways and so on in the target's network such that only one-way HTTP access is allowed and the Internet cannot be reached normally. The SOCKS method above is not feasible; only an HTTP proxy can be used to get in.

reGeorg (socks5)

Running the Metasploit ms17_010 scanner through the reGeorg SOCKS proxy, the attack behaviour is obvious in the transmitted packets.

Neo-reGeorg (encrypted)

With Neo-reGeorg, the packets are encrypted in transit.

Behinder (冰蝎, open SOCKS5)

Behinder's traffic is encrypted in transit, and it also offers a SOCKS proxy, but packets get lost along the way. Here the Metasploit MS17-010 check run through it reports that the vulnerability does not exist, while the same check without the proxy shows the vulnerability actually does exist.

Although scanning through Behinder's proxy is not as accurate as through reGeorg, low-thread port detection such as auxiliary/scanner/portscan/tcp is feasible. The accuracy depends largely on how many packets a given check or method sends during transmission.


reDuh (single port forwarding)

When the middleware or other service versions on the target server are too old, the reGeorg or Behinder webshell cannot be parsed normally, and other HTTP proxy scripts are needed. This is an environment encountered in a real engagement:

Take reDuh as an example. Although it can only forward a specified port (not suitable for graphical connections), you can first generate a bind shell (forward connection) payload with msfvenom, then use reDuh's single-port forwarding to bring the session into Metasploit, and finally open a proxy with the socks4a module.

The specific process:

Upload the payload to the target server and execute it.

Metasploit uses the address and port after forwarding.

After reDuhServer is uploaded to the target machine, connect to it with reDuhClient and forward the payload's port to local.

You can continue the penetration in Metasploit, or open a socks4a proxy for other security tools.

Note

Why a shell payload instead of meterpreter: meterpreter is a heavyweight payload that consumes many packets in transmission. Bringing Metasploit online over a single-port forward like this is not very stable to begin with, and meterpreter would make this "narrow pipe" even less stable!

Isolated networks (multi-level proxies)

During intranet penetration you will run into isolated networks, which are more often isolated logically. The way through is to gain control of a pivot machine that is reachable by route (a dual-homed host, an operations and maintenance machine, etc.) and build a second- and third-level proxy layer on it.


Now I have control of a dual-NIC intranet server, on which a channel can be built with frp. This server is both the frp server and the frp client.


Once frp is established, two proxies are added in Proxifier, the external network SOCKS and the internal network SOCKS, and a proxy chain is created from them (mind the order of the proxies).

Set the proxy rules and select the corresponding proxy.

The second-layer proxy works, and port 445 on the isolated intranet host is detected as open.


proxychains, the command-line proxy tool: set the two layers of proxies and the SOCKS passwords (mind the order of the proxies).

The path taken through the proxy chain can be seen by running the Metasploit MS17-010 check through it.


For Metasploit, as long as the route can be reached from a session, multi-layer network penetration can be done directly, which is more convenient. But when the main session goes down, everything goes down!

After obtaining a session on the target, you can view the IP segment information and add the routing table automatically.

The route above is added from within the meterpreter session, or directly when the target's routing table information is already known.

You can continue the penetration in Metasploit, or open a SOCKS proxy so that other tools can be used for the multi-layer penetration.


In intranet penetration the proxy needs to be stable and covert, and the thinking needs to keep broadening. After all, who knows what complex environments you will meet in a real engagement; the point is to summarise the different techniques, put them into practice, and finally open the "door" into the intranet!

If you have different opinions or better methods, feel free to get in touch anytime ^_^