內網滲透-判斷內網連通性
VSole2022-01-15 07:10:02
判斷內網的連通性是指判斷機器能否上外網等。需要綜合判斷各種協議(TCP、HTTP、DNS、ICMP等)及端口通信的方式。
查看本機防火墻規則
netsh advfirewall firewall show rule name=all
基于ICMP協議
使用ping命令:
ping <IP地址或域名>
TCP協議
netcat(簡稱nc)被譽為網絡安全界的”瑞士軍刀”,是一個短小精悍的工具,通過使用TCP或UDP協議的網絡連接讀取數據。
使用方法:
nc -zv <IP地址 端口號>
Windows機器不自帶nc,因此在Windows機器上需要使用Telnet,而Telnet也需要我們自己開啟。
Windows10下開啟Telnet命令:
#開啟 dism /online /Enable-Feature /FeatureName:TelnetClient#關閉 dism /online /Disable-Feature /FeatureName:TelnetClient
Telnet使用方法:
telnet <IP地址 端口號>
UDP協議
使用腳本 Test-PortConnectivity.ps1
下載地址:https://gist.github.com/PrateekKumarSingh/61532b4f48edac1d893b
#Test-PortConnectivity -Source '127.0.0.1' -RemoteDestination 'dc1' -Port 57766#Test-PortConnectivity '127.0.0.1' 'dc1' 57766 -Protocol UDP -Iterate#Test-PortConnectivity 'localhost' 'dc2' 51753 -Protocol UDP#Test-PortConnectivity -Source $EUCAS -RemoteDestination $EUMBX -Port 135 -Iterate#Test-PortConnectivity -Source 'localhost' -RemoteDestination '127.0.0.1' -Port 135 -Iterate -protocol TCPFunction Test-PortConnectivity(){Param(
[Parameter(Position=0)] $Source,
[Parameter(Mandatory=$true,Position=1)] $RemoteDestination,
[Parameter(Mandatory=$true,Position=2)][ValidateScript({
If($_ -match "^[0-9]+$"){
$True
}
else{
Throw "A port should be a numeric value, and $_ is not a valid number"
}
})
]$Port,
[Parameter(Position=3)][ValidateSet('TCP','UDP')] $Protocol = 'TCP',
[Switch] $Iterate
)
#If $source is a local name, invoke command is not required and we can test port, withhout credentials
If($Source -like "127.*" -or $source -like "*$(hostname)*" -or $Source -like 'localhost')
{
Do
{
Telnet-Port $RemoteDestination $Port $Protocol;
Start-Sleep -Seconds 1 #Initiate sleep to slow down Continous telnet
}While($Iterate)
}
Else #Prompt for credentials when Source is not the local machine.
{
$creds = Get-Credential
Do
{
Foreach($Src in $Source)
{
Invoke-command -ComputerName $Src -Credential $creds -ScriptBlock ${Function:Telnet-Port} -ArgumentList $RemoteDestination,$port, $Protocol
}
#Initiate sleep to slow down Continous telnet
Start-Sleep -Seconds 1
}While($Iterate)
}}
Function Telnet-Port($RemoteDestination, $port, $Protocol){
foreach($Target in $RemoteDestination)
{
Foreach($CurrentPort in $Port)
{
If($Protocol -eq 'TCP')
{
try
{
If((New-Object System.Net.Sockets.TCPClient ($Target,$currentPort) -ErrorAction SilentlyContinue).connected)
{
Write-host "$((hostname).toupper()) connected to $($Target.toupper()) on $Protocol port : $currentPort " -back green -ForegroundColor White
}
}
catch
{
Write-host "$((hostname).toupper()) Not connected to $($Target.toupper()) on $Protocol port : $currentPort" -back red -ForegroundColor white
}
}
Else
{
#Create object for connecting to port on computer
$UDPClient = new-Object system.Net.Sockets.Udpclient
#Set a timeout on receiving message, to avoid source machine to Listen forever.
$UDPClient.client.ReceiveTimeout = 5000
#Datagrams must be sent with Bytes, hence the text is converted into Bytes
$ASCII = new-object system.text.asciiencoding
$Bytes = $ASCII.GetBytes("Hi")
#UDP datagram is send
[void]$UDPClient.Send($Bytes,$Bytes.length,$Target,$Port)
$RemoteEndpoint = New-Object system.net.ipendpoint([system.net.ipaddress]::Any,0)
Try
{
#Waits for a UDP response until timeout defined above
$RCV_Bytes = $UDPClient.Receive([ref]$RemoteEndpoint)
$RCV_Data = $ASCII.GetString($RCV_Bytes)
If ($RCV_Data)
{
Write-host "$((hostname).toupper()) connected to $($Target.toupper()) on $Protocol port : $currentPort " -back green -ForegroundColor White
}
}
catch
{
#if the UDP recieve is timed out
#it's infered that no response was received.
Write-host "$((hostname).toupper()) Not connected to $($Target.toupper()) on $Protocol port : $currentPort " -back red -ForegroundColor White
}
Finally
{
#Disposing Variables
$UDPClient.Close()
$RCV_Data=$RCV_Bytes=$null
}
}
}
}}
使用方法:
powershell -exec bypass -command "& {import-module C:\Users\GU\Desktop\Test-PortConnectivity.ps1; Test-PortConnectivity 'localhost' '127.0.0.1' 7777 -Iterate -protocol UDP}"
我們先在本機使用ncat開啟udp監聽,再運行此腳本。
只要監聽處出現Hi字樣,即表示連通。
HTTP協議
使用工具curl,有的Windows自帶curl,有的需要自己安裝。
使用方法:
curl www.baidu.com
FTP協議
遠程開啟21端口,并使用ftp連接。
DNS協議
Windows下使用nslookup,linux下還可以使用dig。
#Windows nslookup www.baidu.com #Linux dig www.baidu.com
或者給自己加一個txt記錄
使用命令:
nslookup -type=TXT test.hackergu.com
利用工具查看開放端口
HostRecon
下載地址:https://github.com/dafthack/HostRecon
使用命令:
Import-Module .\HostRecon.ps1 Invoke-HostRecon -Portscan -TopPorts 128
代理服務器
在內網中的機器,也可能是通過代理連接內網。
檢查方法:
- 查看內網中,與其他機器的網絡連接。
- 查看內網中是否有主機名類似于
proxy的機器。 - 根據pac文件的路徑,將其下載下來并查看。
- 執行如下命令,進行確認。
curl -x proxy-ip:port www.baidu.com
VSole
網絡安全專家