天道酬勤

内网渗透-判断内网连通性

判断内网的连通性是指判断机器能否上外网等。需要综合判断各种协议(TCP、HTTP、DNS、ICMP等)及端口通信的方式。

查看本机防火墙规则

netsh advfirewall firewall show rule name=all

基于ICMP协议

使用ping命令:

ping <IP地址或域名>

TCP协议

netcat(简称nc)被誉为网络安全界的”瑞士军刀”,是一个短小精悍的工具,通过使用TCP或UDP协议的网络连接读取数据。

使用方法:

nc -zv <IP地址 端口号>

Windows机器不自带nc,因此在Windows机器上需要使用Telnet,而Telnet也需要我们自己开启。

Windows10下开启Telnet命令:

#开启
dism /online /Enable-Feature /FeatureName:TelnetClient

#关闭
dism /online /Disable-Feature /FeatureName:TelnetClient

Telnet使用方法:

telnet <IP地址 端口号>

UDP协议

使用脚本 Test-PortConnectivity.ps1

下载地址:https://gist.github.com/PrateekKumarSingh/61532b4f48edac1d893b

#Test-PortConnectivity -Source '127.0.0.1' -RemoteDestination 'dc1' -Port 57766
#Test-PortConnectivity '127.0.0.1' 'dc1' 57766 -Protocol UDP -Iterate
#Test-PortConnectivity 'localhost' 'dc2' 51753 -Protocol UDP
#Test-PortConnectivity -Source $EUCAS -RemoteDestination $EUMBX -Port 135 -Iterate
#Test-PortConnectivity -Source 'localhost' -RemoteDestination '127.0.0.1' -Port 135 -Iterate -protocol TCP

Function Test-PortConnectivity()
{

Param
(
    [Parameter(Position=0)] $Source,
    [Parameter(Mandatory=$true,Position=1)] $RemoteDestination,
    [Parameter(Mandatory=$true,Position=2)][ValidateScript({
      
      If($_ -match "^[0-9]+$"){
      $True
      }
      else{
      Throw "A port should be a numeric value, and $_ is not a valid number"
      }
    })
    ]$Port,
    [Parameter(Position=3)][ValidateSet('TCP','UDP')] $Protocol = 'TCP',
    [Switch] $Iterate
)

    #If $source is a local name, invoke command is not required and we can test port, withhout credentials
    If($Source -like "127.*" -or $source -like "*$(hostname)*" -or $Source -like 'localhost')
    {
        Do
        {
                Telnet-Port $RemoteDestination $Port $Protocol;
                Start-Sleep -Seconds 1   #Initiate sleep to slow down Continous telnet

        }While($Iterate)
       
    }
    Else  #Prompt for credentials when Source is not the local machine.
    {     
        $creds = Get-Credential

        Do
        {
            Foreach($Src in $Source)
            {          
            Invoke-command -ComputerName $Src -Credential $creds -ScriptBlock ${Function:Telnet-Port} -ArgumentList $RemoteDestination,$port, $Protocol                                            
            }

            #Initiate sleep to slow down Continous telnet
            Start-Sleep -Seconds 1
        }While($Iterate)
       
    }

}
  
Function Telnet-Port($RemoteDestination, $port, $Protocol)
{
    foreach($Target in $RemoteDestination)
    {
            Foreach($CurrentPort in $Port)
            {
                If($Protocol -eq 'TCP')
                {
                    
                    try
                    {
                        If((New-Object System.Net.Sockets.TCPClient ($Target,$currentPort) -ErrorAction SilentlyContinue).connected)
                        {
                            Write-host "$((hostname).toupper()) connected to $($Target.toupper()) on $Protocol port : $currentPort " -back green -ForegroundColor White
                        }
                    }
                    catch
                    {
                            Write-host "$((hostname).toupper()) Not connected to $($Target.toupper()) on $Protocol port : $currentPort" -back red -ForegroundColor white
                    }            
                }
                Else
                {   
                                                              
                    #Create object for connecting to port on computer   
                    $UDPClient = new-Object system.Net.Sockets.Udpclient 
                    
                    #Set a timeout on receiving message, to avoid source machine to Listen forever. 
                    $UDPClient.client.ReceiveTimeout = 5000 
                    
                    #Datagrams must be sent with Bytes, hence the text is converted into Bytes
                    $ASCII = new-object system.text.asciiencoding
                    $Bytes = $ASCII.GetBytes("Hi")
                    
                    #UDP datagram is send
                    [void]$UDPClient.Send($Bytes,$Bytes.length,$Target,$Port)  
                    $RemoteEndpoint = New-Object system.net.ipendpoint([system.net.ipaddress]::Any,0)  
                     
                        Try
                        {
                            #Waits for a UDP response until timeout defined above
                            $RCV_Bytes = $UDPClient.Receive([ref]$RemoteEndpoint)  
                            $RCV_Data = $ASCII.GetString($RCV_Bytes) 
                            If ($RCV_Data) 
                            {
                           
                                Write-host "$((hostname).toupper()) connected to $($Target.toupper()) on $Protocol port : $currentPort " -back green -ForegroundColor White
                            }
                        }
                        catch
                        {
                            #if the UDP recieve is timed out
                            #it's infered that no response was received.
                            Write-host "$((hostname).toupper()) Not connected to $($Target.toupper()) on $Protocol port : $currentPort " -back red -ForegroundColor White
                        }
                        Finally
                        {

                            #Disposing Variables
                            $UDPClient.Close()
                            $RCV_Data=$RCV_Bytes=$null
                        }                                    
                }

             }
     }
}

使用方法:

powershell -exec bypass -command "& {import-module C:\Users\GU\Desktop\Test-PortConnectivity.ps1; Test-PortConnectivity 'localhost' '127.0.0.1' 7777 -Iterate -protocol UDP}"

我们先在本机使用ncat开启udp监听,再运行此脚本。

只要监听处出现Hi字样,即表示连通。

HTTP协议

使用工具curl,有的Windows自带curl,有的需要自己安装。

使用方法:

curl www.baidu.com

FTP协议

远程开启21端口,并使用ftp连接。

DNS协议

Windows下使用nslookup,linux下还可以使用dig。

#Windows
nslookup www.baidu.com

#Linux
dig www.baidu.com

或者给自己加一个txt记录

使用命令:

nslookup -type=TXT test.hackergu.com

利用工具查看开放端口

HostRecon

下载地址:https://github.com/dafthack/HostRecon

使用命令:

Import-Module .\HostRecon.ps1
Invoke-HostRecon -Portscan -TopPorts 128

代理服务器

在内网中的机器,也可能是通过代理连接内网。

检查方法:

  1. 查看内网中,与其他机器的网络连接。
  2. 查看内网中是否有主机名类似于proxy的机器。
  3. 根据pac文件的路径,将其下载下来并查看。
  4. 执行如下命令,进行确认。
curl -x proxy-ip:port www.baidu.com
赞(1) 打赏
未经允许不得转载:HackerGu‘s Blog » 内网渗透-判断内网连通性
分享到: 更多 (0)

评论 抢沙发

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址

专注黑客技术的研究

联系我们联系我们

觉得文章有用就打赏一下文章作者

微信扫一扫打赏