4层内网穿透

实战往往会脱离使用C2,因无法使用C2自带的自动路由功能,自己搭建socks5隧道代理将内网服务的穿透出来(本实验环境是将win2016的8000端口http服务代理出来)以4层内网距离
因环境问题,IP1:192.168.239.137为模拟真实环境的公网出口ip,4台主机均已关闭防火墙

#关闭firewall
#windows
netsh advfirewall set allprofiles state off  //Windows Server 2003 系统及之后的版本
#linux
ufw disable

代理工具: 4dnat frp-0.53.2,proxifier
网络拓扑图

代理搭建方法:

方法1: frp

外网出口win2016(frps1)->ubuntu(frpc1,frps2)->win2008(frpc2)->win2016:8000

配文件如下:
frps1.toml

bindPort = 7000

frpc1.toml

serverAddr = "192.168.100.155" #服务端ip
serverPort = 7000

[[proxies]]
name = "plugin_socks5"
type = "tcp"
remotePort = 10000
[proxies.plugin]
type = "socks5"

frps2.toml

bindPort = 7000

frpc2.toml

serverAddr = "192.168.88.100" #服务端ip
serverPort = 7000

[[proxies]]
name = "plugin_socks5"
type = "tcp"
remotePort = 10000
[proxies.plugin]
type = "socks5"

windows 攻击机

方法2 4dnat+frp

外网出口win2016(4dnat-socks5)->->ubuntu(frps)->win2008(frpc)->win2016:8000

方法3 netsh +frp

外网出口win2016(frps)->->ubuntu(frpc)->win2008(netsh-7777)->win2016:8000

frpc.toml

serverAddr = "192.168.100.155" #服务端ip
serverPort = 7000

[[proxies]]
name = "plugin_socks5"
type = "tcp"
remotePort = 10000
[proxies.plugin]
type = "socks5"

win2008(netsh)

netsh interface portproxy add v4tov4 listenport=7777 connectaddress=10.0.10.10 connectport=8000

以方法二做为演示

外网出口win2016

4dnat开启socks5

4dnat.exe  -proxy socks5 10000

ubuntu

frps.toml

bindPort = 7000

win2008

frpc.toml

serverAddr = "192.168.88.100" #服务端ip
serverPort = 7000

[[proxies]]
name = "plugin_socks5"
type = "tcp"
remotePort = 11080
[proxies.plugin]
type = "socks5"

win2016 域控

python服务

python -m http.server

攻击机 win10

proxy server

注意下方代理链的顺序

proxification rules

action选择刚刚创建的代理链

chrome进行访问

proxifier也有显示有代理流量