-
Notifications
You must be signed in to change notification settings - Fork 0
/
tunning.txt
72 lines (41 loc) · 3.96 KB
/
tunning.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
'''
在VPS上安装plink工具,可以使用以下命令进行安装:
sqlCopy codesudo apt-get update
sudo apt-get install putty-tools
在VPS上运行plink命令,将内网端口映射到VPS的端口,例如:
lessCopy code
plink -L [VPS端口]:[内网IP]:[内网端口] [VPS用户名]@[VPS IP地址] -P [VPS SSH端口] -N
其中,[VPS端口]是将要映射到VPS上的端口号,[内网IP]是需要映射的内网机器的IP地址,[内网端口]是需要映射的内网端口号,[VPS用户名]是VPS的登录用户名,[VPS IP地址]是VPS的IP地址,[VPS SSH端口]是VPS的SSH端口号。
输入VPS的登录密码,等待连接成功。
现在可以通过VPS的IP地址和映射到的端口号访问内网机器的服务了。
OR
在VPS上安装SSH服务,并确保可以通过SSH连接到VPS。如果还没有安装SSH服务,可以使用以下命令在Ubuntu系统上进行安装:
sqlCopy codesudo apt-get update
sudo apt-get install openssh-server
下载并安装Putty软件。可以从Putty官方网站下载安装包,然后按照提示进行安装。
启动Putty软件,输入VPS的IP地址和SSH端口号,然后点击“Open”按钮。
在弹出的命令行窗口中输入VPS的登录用户名和密码,登录到VPS上。
在Putty的“Session”窗口中配置端口转发。选择“Connection” -> “SSH” -> “Tunnels”选项卡,在“Add new forwarded port”下方输入需要映射的端口信息,例如:
lessCopy codeSource port: [VPS端口]
Destination: [内网IP]:[内网端口]
其中,[VPS端口]是将要映射到VPS上的端口号,[内网IP]是需要映射的内网机器的IP地址,[内网端口]是需要映射的内网端口号。然后点击“Add”按钮。
点击“Session”窗口左上方的“Session”按钮,输入一个会话名称并点击“Save”按钮,保存配置。
点击“Open”按钮启动SSH连接,登录到VPS后,在命令行窗口中保持连接。
现在可以通过VPS的IP地址和映射到的端口号访问内网机器的服务了。
'''
LHOST = 192.168.1.1 TARGET = 192.168.1.2 RHOST = 192.168.0.3
FORWARDiNG
-f # Backgrounds ssh as well as its output -N # Don't execute a remote command (shell), just forward the port. If you use this option, you won't be logging into an ssh session also. -L # Local (Grab a port/service) -R # Reverse/Remote (Send a port/service) -D # Dynamic (Pivot)
-Local (-L) This command will grab the webserver on port 80 of RHOST (which you can't access normally) and forward it to 8888 of localhost, using TARGET as a proxy
$ ssh -f -N -L 8888:192.168.0.3:80 user@192.168.1.2
Now if we curl 127.0.0.1:8888 we get RHOST's webserver
-Reverse (-R) This does the complete opposite of -L. Instead of grabbing a remote port and binding it to a local interface, it takes a local service/port and sends it to a remote host. Let's say ur testing a network with an XP box. You know it's vulnerable to MS08-067 but 445 and 139 are filtered or blocked by the firewall. You get a limited shell but you really can't do anything with it.
From the TARGET box
$ ssh -f -N -R 44544:127.0.0.1:445 user@192.168.1.1
This is going to open an ssh session from TARGET to our local Kali (or whatever distro) box and bring port 445 along for the ride. Now we can access it's SMB service on 127.0.0.1:44544 and one-click pwn it with MS08.
PiVOTiNG
-Dynamic (-D) Dynamic takes an unused port and forwards it on an application level thru TARGET's ssh server. This mean's instead of grabbing or sending a server, we're basically turning TARGET into a network interface for US.
$ ssh -f -N -D 9999 user@192.168.1.2
This will create a socks proxy on 127.0.0.1:9999, forward it to TARGET's ssh server, and out the other side. Giving us access to any additional resources and subnets that TARGET has access to. Now we can forward any program through the socks proxy with proxychains just like we're on the local network.
chisel server --port 8001 --reverse
chisel client https://chisel-demo.herokuapp.com:8001 R:socks