Last time I wrote a short article about using Metasploit for intranet penetration. This article is a follow-up to that one.
--------------------
Application scenarios:
After gaining control of a computer on the intranet, you need to scan further services (without using the Metasploit platform itself), or enable a proxy so that other tools can reach a service on the intranet, and so on.
Lab environment:
I am at school at the moment and not well off; there is no VPS to catch a reverse shell with, and I would rather not get into any trouble, so I set up the environment in a virtual machine. The following figure shows the topology.
--------------------
Process analysis:
The following figure shows the ipconfig/ifconfig output of backtrack5, xp1, and xp2. The goal is to reach the computers on the 192.168.1.0/24 segment through the XP host that has two NICs.
Then use nmap for further scanning and testing. To make sure the socks4a proxy works, configure the proxychains.conf file first.
Run in a terminal:
vi /etc/proxychains.conf
You can also use gedit, nano, or any other editor, to ensure that
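The step above edits proxychains.conf by hand and does not say what the file must contain. As an added example (not from the original article, and not proxychains' own parser, which is written in C), here is a small Python parser for the file's format together with a check for the mistake that most often breaks this setup: the stock file ships with a socks4 entry for Tor's port 9050, which has to be changed to the Metasploit socks4a server. The check assumes SRVHOST 127.0.0.1 (as in the article) and Metasploit's default SRVPORT of 1080, which the article does not state; the sample file is constructed for the example.

```python
"""Parse a proxychains.conf file and check that its [ProxyList] points at the
Metasploit socks4a server.

Added example, not the article's or proxychains' code. Assumes the socks4a
module listens on 127.0.0.1:1080 (1080 is Metasploit's default SRVPORT).
"""

# constructed sample, modelled on the stock proxychains.conf
SAMPLE_CONF = """\
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
# add proxy here ...
# defaults set to "tor"
socks4 \t127.0.0.1 9050
"""


def parse_proxychains_conf(text):
    """Return (options, proxies).

    options: top-level settings, flag -> True or key -> value (string)
    proxies: ordered list of (type, host, port) from the [ProxyList] section
    Comments starting with '#' and blank lines are ignored, as proxychains does.
    """
    options = {}
    proxies = []
    in_list = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower() == "[proxylist]":
            in_list = True
            continue
        fields = line.split()
        if in_list:
            if len(fields) < 3:
                raise ValueError("malformed proxy entry: %r" % raw)
            proxies.append((fields[0].lower(), fields[1], int(fields[2])))
        elif len(fields) == 1:
            options[fields[0]] = True
        else:
            options[fields[0]] = fields[1]
    return options, proxies


def check_metasploit_socks4a(text, host="127.0.0.1", port=1080):
    """Return a list of problems that would stop tools run under proxychains
    from reaching the Metasploit socks4a server; an empty list means OK."""
    options, proxies = parse_proxychains_conf(text)
    problems = []
    if not proxies:
        problems.append("no entries in [ProxyList]")
    for ptype, _phost, _pport in proxies:
        if ptype not in ("socks4", "socks5", "http"):
            problems.append("unknown proxy type %r" % ptype)
    if not any(t == "socks4" and h == host and p == port for t, h, p in proxies):
        problems.append("no socks4 entry for %s:%d (stock file points at Tor's 9050)"
                        % (host, port))
    if "proxy_dns" not in options:
        # without proxy_dns, name lookups go out directly instead of through the tunnel
        problems.append("proxy_dns not set: DNS lookups bypass the proxy")
    return problems


# the fix the article's step implies: point the socks4 line at the Metasploit server
FIXED_CONF = SAMPLE_CONF.replace("9050", "1080")

if __name__ == "__main__":
    print("stock file:", check_metasploit_socks4a(SAMPLE_CONF))
    print("fixed file:", check_metasploit_socks4a(FIXED_CONF))
```

Running it against the stock file reports the missing 127.0.0.1:1080 entry; after the port is changed the check returns no problems. The same check can be run against /etc/proxychains.conf directly with open(path).read().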
Then get a meterpreter session on xp1.
Run get_local_subnets
This gives the IP ranges xp1 sits on (here they are already known: 192.168.1.0/24 and 172.10.0.0/24).
Then send meterpreter to the background:
background
Add the route (1 is the session ID):
route add 172.10.0.0 255.255.255.0 1
Once that is done, you can start the socks4a proxy:
use auxiliary/server/socks4a
run
Then we can see that the socks4a proxy is running; use jobs to verify it. (Sometimes the proxy starts but cannot be used, which may be a firewall problem; SRVHOST is set to 127.0.0.1.)
Now you can run other tools (nmap, Nessus, etc.) through proxychains.
Taking nmap as an example:
proxychains nmap -sT -Pn 192.168.1.108
Here we can see that nmap runs normally. If the -sT option is left out, or another scan type such as -sS is used, the scan fails; this problem bothered me for a long time. After some Googling I found the explanation:
Proxychains allows TCP and DNS tunneling through proxies. Be aware that Proxychains only tunnels TCP and DNS; in other words, avoid using UDP and host discovery through ICMP (ping).
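The quoted limitation has a flip side that matters on the defending end. Because only connect()-style TCP is relayed, the scan that succeeds through the proxy is a full-handshake connect scan, and on the target network it originates from the pivot host's own address, not the attacker's: one internal machine suddenly opening (or being refused) connections to many ports of a neighbour within seconds. As an added example, not part of the original article, the Python below parses a constructed connection log in that shape and flags source/destination pairs that touch many distinct ports inside a short window. The log format and all addresses (the pivot at 192.168.1.50, a normal client at 192.168.1.20) are constructed for the example; the article does not give these values.

```python
"""Flag a TCP connect scan coming from an internal (pivot) host.

Added example, not from the article. Half-open SYN probes never reach a
connection log like this one; a connect() either completes (ESTABLISHED) or
is refused (REFUSED), so both outcomes count as scan attempts here.
The log format and addresses are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime

# constructed connection log: time, source, "->", destination, outcome
SAMPLE_LOG = """\
2013-03-02T10:00:00 192.168.1.20:51000 -> 192.168.1.108:445 ESTABLISHED
2013-03-02T10:00:01 192.168.1.50:1040 -> 192.168.1.108:21 REFUSED
2013-03-02T10:00:01 192.168.1.50:1041 -> 192.168.1.108:22 REFUSED
2013-03-02T10:00:01 192.168.1.50:1042 -> 192.168.1.108:23 REFUSED
2013-03-02T10:00:02 192.168.1.50:1043 -> 192.168.1.108:25 REFUSED
2013-03-02T10:00:02 192.168.1.50:1044 -> 192.168.1.108:80 ESTABLISHED
2013-03-02T10:00:02 192.168.1.50:1045 -> 192.168.1.108:110 REFUSED
2013-03-02T10:00:03 192.168.1.50:1046 -> 192.168.1.108:135 ESTABLISHED
2013-03-02T10:00:03 192.168.1.50:1047 -> 192.168.1.108:139 ESTABLISHED
2013-03-02T10:00:03 192.168.1.50:1048 -> 192.168.1.108:443 REFUSED
2013-03-02T10:00:04 192.168.1.50:1049 -> 192.168.1.108:445 ESTABLISHED
2013-03-02T10:00:04 192.168.1.50:1050 -> 192.168.1.108:3389 REFUSED
2013-03-02T10:05:00 192.168.1.20:51001 -> 192.168.1.108:80 ESTABLISHED
"""


def parse_log(text):
    """Return a list of (timestamp, src_ip, dst_ip, dst_port, outcome) tuples."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, _arrow, dst, outcome = line.split()
        sip, _sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        events.append((datetime.fromisoformat(ts), sip, dip, int(dport), outcome))
    return events


def detect_connect_scans(events, window_s=60, min_ports=10):
    """Return {(src_ip, dst_ip): sorted list of all ports touched} for every
    pair that attempted connections to at least min_ports distinct ports
    within any window_s-second window."""
    by_pair = defaultdict(list)
    for ts, sip, dip, dport, outcome in events:
        if outcome in ("ESTABLISHED", "REFUSED"):
            by_pair[(sip, dip)].append((ts, dport))
    alerts = {}
    for pair, hits in by_pair.items():
        hits.sort()  # by timestamp
        lo = 0
        for hi in range(len(hits)):
            # slide the left edge so hits[lo:hi+1] spans at most window_s seconds
            while (hits[hi][0] - hits[lo][0]).total_seconds() > window_s:
                lo += 1
            if len({p for _, p in hits[lo:hi + 1]}) >= min_ports:
                alerts[pair] = sorted({p for _, p in hits})
                break
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in detect_connect_scans(parse_log(SAMPLE_LOG)).items():
        print("possible connect scan from %s against %s, %d ports: %s"
              % (src, dst, len(ports), ports))
```

On the sample log the pivot host is flagged for eleven ports in four seconds, while the normal client (two ports, five minutes apart) is not. The threshold and window are deliberately parameters: a slow scan stretched over minutes needs a longer window, and the address that appears in the alert is the pivot (the compromised xp1), which is the machine to examine first.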
Also, before running nmap you can first scan the /24 for hosts with a predictable IP ID sequence (idle hosts); nmap can then use one of them for an idle scan, which disguises where the scan comes from. My environment is too small to demonstrate it. This is the module (use show options or info for details):
auxiliary/scanner/ip/ipidseq
Then use nmap's -sI option to pick the idle host. The command looks like this:
nmap -sT -Pn -A -sI 192.168.1.101 192.168.1.108
-sT TCP connect scan, -Pn skip host discovery (no ping), -A show more detailed information, -sI specify the idle host. Note that -sI is itself a scan type that sends raw packets, so nmap will not accept it together with -sT, and proxychains cannot relay it the way it relays the connect scan above.
References:
http://pctechtips.org/scanning-h... ap-and-proxychains/
http://www.digininja.org/blog/nessus_over_sock4a_over_msf.php
https://community.rapid7.com/docs/DOC-1028