Penetration learning notes-tools-firewall traversal (1)

Source: Internet
Author: User

Preparations before the experiment:

1. reDuh-master.zip (the "ladder" we use to traverse the firewall).
2. A Windows Server virtual machine running a web server, with a firewall that allows only port 80.

Below we move our environment into the virtual machine.

(1) We are using Windows Server 2003; XP or later also works. Install WAMP, then decompress the DVWA package into the website root directory. With WAMP installed on drive D (as here), the "dvwa" folder appears under "D:\wamp\www\".

(2) Open the browser and enter http://localhost/dvwa/. The following page should appear; that is your first step of success.

(3) Open a browser and access "http://localhost/dvwa/setup.php" to create the database. At this point the vulnerable server is configured, but this is only the first step, because the host cannot yet reach the server on the virtual machine!

(4) We use a VirtualBox virtual machine. In the VirtualBox Manager, find the running virtual machine, right-click it and choose "Settings". Switch to "Network", where you can see "Adapter 1"; select "Bridged Adapter" as the connection method and, under the interface name, choose the network adapter you use to reach the Internet. After the network is configured, let's test it! Image demo: find the running virtual machine

Right-click "Settings"

Set the network connection

Enter ipconfig in the command line to view the host IP address: "192.168.1.121".

The IP address of our VM is "192.168.1.119".

Now we test connectivity from the virtual machine.

Run the command "ping 192.168.1.121". Data transmission is normal. (The premise is that your host firewall must allow ping; the simplest way is to disable the host firewall.)

(5) Next we configure the server. First start WAMP; the WAMP icon should be green when it runs normally. Click the WAMP icon and select "Apache" > "httpd.conf" from the pop-up menu. This opens the httpd.conf configuration file. Press Ctrl+F and search for the keyword "Directory" until you reach the root directory of our website (the directory DVWA was decompressed into), "D:/wamp/www", at around line 205. A few lines further down we see the string "Deny from all", with a closing tag below it.

Modify: add "#" in front of "Deny from all", then add "Allow from all" on the next line. After the modification we need to restart all services: click the WAMP icon, then "Restart All Services".

In this way our server is configured, but it still cannot be accessed from the host, because our firewall has no rule for it yet.

(6) Configure the firewall: under "Exceptions", create a rule of type "Port" and follow the configuration shown.
(7) After the configuration, we can access "http://ip/dvwa" from the host. The access succeeds.

We are still 2/5 away from the end of our experiment. Come on! "Surprise!"

(8) Configure php.ini. reDuh.php is used to establish a port inside the host so that the intruder and the server can communicate through reDuh.php; therefore PHP must have the sockets extension enabled before reDuh.php can be used to cross the firewall. To enable it: select "PHP" > "php.ini". A window opens showing the php.ini we want to edit. Search for the keyword "php_sockets.dll", remove the ";" in front of it, save the file, and restart all services.

Prepare the tool:

1. Decompress reDuh-master.zip to a directory of your choice. Open the reDuh-master folder; it contains two directories, reDuhClient and reDuhServers. reDuhServers contains three files, reDuh.php, reDuh.asp and reDuh.jsp, of which reDuh.php is the main character this time: it breaks through the firewall's restriction of allowing only port 80 and then reaches port 3389 behind the firewall.
2. Under the reDuhClient directory there is a dist subdirectory containing reDuhClient.jar, the client used to connect to the PHP script.

Start our penetration. Tool: sfind.exe. Preparation before penetration: a port scan. Usage: sfind -p port IP, e.g. "sfind -p 80 192.168.1.119" and "sfind -p 3389 192.168.1.119". It is best to scan only the specified port so that few threads are used and the scan is fast.

When multiple ports are specified, the scan will be slow!

1. Log on to DVWA with the default account: admin, password: password.
2. After logging on, in the left pane lower the security level from "high" to "low".

3. For the File Upload vulnerability, click "Select file", find our "reDuh.php" file and upload it. The path returned is "../hackable/uploads/reDuh.php". Remove the "#" from the original URL and append the path shown in red. After pressing Enter you see this information, indicating that our file was uploaded successfully.

Obtain the path of the uploaded file

Original URL

Remove "#" and add the upload path.

Access the uploaded file and view the returned information

The complete path should be "http://192.168.1.119/dvwa/hackable/uploads/reDuh.php".

4. Run the client. Before running the client we need to install the JDK so that we can execute reDuhClient.jar! About how to install and configure it: Download: official website or Baidu download center. Tutorial: "Doraemon any door" (Win7; for other systems search for "java environment variable configuration").

(1) Switch to the directory of reDuhClient.jar, then execute "java -jar reDuhClient.jar http://192.168.1.119/dvwa/hackable/uploads/reDuh.php". Note: the URL is the one you obtained after uploading the file.

(2) The following information is returned: the client is running and waiting for a connection.

(3) We need to connect to our own port 1010. Here we use nc: "nc -vv localhost 1010".

(4) When the prompt is displayed, enter "1234:127.0.0.1:3389".

(5) That is it. We only need Remote Desktop: enter 127.0.0.1:1234 in the address field and you connect to port 3389 of the server, even though, as the earlier scan results show, port 3389 is closed! That is, we have broken through the firewall's restriction.

(6) The experiment is successful.
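From the defender's side, the web server's access log is where this tunnel shows up: a server-side script is being served out of DVWA's hackable/uploads/ directory at all, and that script is then polled continuously by one client. The following Python is an added example, not code from the original post or from the reDuh project; it runs over constructed Apache log lines, and the upload path, the 10-second window and the 20-request threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" access-log line: client IP, timestamp, request line, status ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
UPLOAD_DIRS = ("/hackable/uploads/",)     # DVWA's upload directory, as used on the page
SCRIPT_EXTS = (".php", ".asp", ".jsp")    # the three server-side scripts reDuh ships

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None                       # ignore anything that is not a combined-format line
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def find_upload_tunnels(lines, window=timedelta(seconds=10), min_hits=20):
    """Return (executed, suspects): every (client, path) where a script under an upload
    directory was requested at all, and the subset polled >= min_hits times in one window."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        path = rec["path"].split("?", 1)[0]
        low = path.lower()
        if low.endswith(SCRIPT_EXTS) and any(d in low for d in UPLOAD_DIRS):
            hits[(rec["ip"], path)].append(rec["ts"])
    suspects = set()
    for key, stamps in hits.items():
        stamps.sort()
        # sliding window: is any hit followed by >= min_hits hits within `window`?
        if any(sum(1 for s in stamps[i:] if s - t <= window) >= min_hits
               for i, t in enumerate(stamps)):
            suspects.add(key)
    return set(hits), suspects

def sample_log():
    """Constructed sample (not from the page): two normal requests, then one client
    polling the uploaded reDuh.php five times a second for five seconds."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    def line(t, method, path):
        return f'192.168.1.121 - - [{t.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    lines = [line(base, "GET", "/dvwa/login.php"),
             line(base + timedelta(seconds=1), "GET", "/dvwa/hackable/uploads/dvwa_email.png")]
    lines += [line(base + timedelta(seconds=2, milliseconds=200 * i), "POST",
                   "/dvwa/hackable/uploads/reDuh.php") for i in range(25)]
    return lines
```

The durable fix for the first finding is an Apache rule that refuses to execute scripts under the upload directory, which removes the upload step regardless of which tunnel script is dropped there.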
