1. Test topology
eth1:10.1.1.100 -- Kali1 -- eth0:192.168.211.130 ---- eth0:192.168.211.138 -- Kali2 -- eth1:20.1.1.200
Reference: https://blog.csdn.net/KNIGH_YUN/article/details/125707874
Windows 10 ships with the OpenSSH client installed, and the OpenSSH server can also be installed manually; it supports the same options:
C:\Users\xlladmin>ssh --help
unknown option -- -
usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface]
[-b bind_address] [-c cipher_spec] [-D [bind_address:]port]
[-E log_file] [-e escape_char] [-F configfile] [-I pkcs11]
[-i identity_file] [-J [user@]host[:port]] [-L address]
[-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
[-Q query_option] [-R address] [-S ctl_path] [-W host:port]
[-w local_tun[:remote_tun]] destination [command]
C:\Users\xlladmin>
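2. Local forwarding (-L)
-- This opens a listening port on the local machine. Connecting to that local port goes through the SSH tunnel to the specified IP and port, and the far end sees the SSH server's address as the source.
# Run on Kali1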
┌──(root㉿kali)-[~]
└─# ssh -NL 10022:20.1.1.200:22 root@192.168.211.138
root@192.168.211.138's password:
┌──(root㉿kali)-[~]
└─# netstat -an|grep 10022
tcp 0 0 127.0.0.1:10022 0.0.0.0:* LISTEN
tcp6 0 0 ::1:10022 :::* LISTEN
┌──(root㉿kali)-[~]
└─# ssh root@127.0.0.1 -p 10022
root@127.0.0.1's password:
Linux kali 5.14.0-kali2-amd64 #1 SMP Debian 5.14.9-2kali1 (2021-10-04) x86_64
The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Feb 3 21:05:35 2023 from 20.1.1.200
┏━(Message from Kali developers)
┃
┃ We have kept /usr/bin/python pointing to Python 2 for backwards
┃ compatibility. Learn how to change this and avoid this message:
┃ ⇒ https://www.kali.org/docs/general-use/python3-transition/
┃
┗━(Run: “touch ~/.hushlogin” to hide this message)
┌──(root💀kali)-[~]
└─# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.211.138 netmask 255.255.255.0 broadcast 192.168.211.255
inet6 fe80::20c:29ff:fe44:77a6 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:44:77:a6 txqueuelen 1000 (Ethernet)
RX packets 764 bytes 82091 (80.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 637 bytes 100280 (97.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 20.1.1.200 netmask 255.255.255.0 broadcast 20.1.1.255
ether 00:0c:29:44:77:b0 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 39 bytes 13338 (13.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
..................................................................
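## If the port forwarded with -L is a proxy port on the remote side, the remote internal network can be reached through that proxy
## Start a forward proxy on Kali2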
┌──(root💀kali)-[~/xll]
└─# ./ew -s ssocksd -l 10086
ssocksd 0.0.0.0:10086 <--[10000 usec]--> socks server
## Connect from Kali1
┌──(root㉿kali)-[~]
└─# ssh -NL 10086:20.1.1.200:10086 root@192.168.211.138
root@192.168.211.138's password:
## Configure the proxy on Kali1
┌──(root㉿kali)-[~]
└─# vi /etc/proxychains4.conf
socks5 127.0.0.1 10086
┌──(root㉿kali)-[~]
└─# proxychains ssh 20.1.1.200
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain ... 127.0.0.1:10086 ... 20.1.1.200:22 ... OK
root@20.1.1.200's password:
Linux kali 5.14.0-kali2-amd64 #1 SMP Debian 5.14.9-2kali1 (2021-10-04) x86_64
The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Feb 3 21:11:20 2023 from 20.1.1.200
┏━(Message from Kali developers)
┃
┃ We have kept /usr/bin/python pointing to Python 2 for backwards
┃ compatibility. Learn how to change this and avoid this message:
┃ ⇒ https://www.kali.org/docs/general-use/python3-transition/
┃
┗━(Run: “touch ~/.hushlogin” to hide this message)
┌──(root💀kali)-[~]
└─#
...................................................................
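## The same can be done by opening a proxy port locally with the -D option
ssh -ND 10086 root@192.168.211.138 // no IP address given: listens only on 127.0.0.1
ssh -ND 192.168.211.130:10086 root@192.168.211.138 // an IP address can be given, so other hosts can connect to this port
3. Forward proxy: dynamic forwarding (-D)
-- This is the opposite of the -R option described later: it opens a proxy port on the local machine. A bind IP address can be specified; if omitted, it is 127.0.0.1.
## Check and test on Kali1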
┌──(root㉿kali)-[~]
└─# ssh -ND 192.168.211.130:10086 root@192.168.211.138
root@192.168.211.138's password:
┌──(root㉿kali)-[~]
└─# netstat -an|grep 10086
tcp 0 0 192.168.211.130:10086 0.0.0.0:* LISTEN
┌──(root㉿kali)-[~]
└─# ssh -ND 10086 root@192.168.211.138
root@192.168.211.138's password:
└─# netstat -an|grep 10086
tcp 0 0 127.0.0.1:10086 0.0.0.0:* LISTEN
tcp6 0 0 ::1:10086 :::* LISTEN
┌──(root㉿kali)-[~]
└─# cat /etc/proxychains4.conf
socks5 127.0.0.1 10086
┌──(root㉿kali)-[~]
└─# proxychains ssh 20.1.1.200
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain ... 127.0.0.1:10086 ... 20.1.1.200:22 ... OK
root@20.1.1.200's password:
Linux kali 5.14.0-kali2-amd64 #1 SMP Debian 5.14.9-2kali1 (2021-10-04) x86_64
The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Feb 3 21:31:04 2023 from 20.1.1.200
┏━(Message from Kali developers)
┃
┃ We have kept /usr/bin/python pointing to Python 2 for backwards
┃ compatibility. Learn how to change this and avoid this message:
┃ ⇒ https://www.kali.org/docs/general-use/python3-transition/
┃
┗━(Run: “touch ~/.hushlogin” to hide this message)
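4. Reverse proxy: remote forwarding (-R)
-- This is the opposite of -D: it opens a reverse proxy port on the SSH server, and connecting through the proxy on that server port reaches the SSH client's internal network.
## Run on Kali1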
┌──(root㉿kali)-[~]
└─# ssh -NR 10086 root@192.168.211.138 // -R also accepts a bind IP address, but it has no effect; if GatewayPorts yes is set in /etc/ssh/sshd_config on Kali2, it listens only on 0.0.0.0
root@192.168.211.138's password:
## Check and test on Kali2
┌──(root💀kali)-[~/xll]
└─# netstat -an|grep 10086
tcp 0 0 127.0.0.1:10086 0.0.0.0:* LISTEN
┌──(root💀kali)-[~/xll]
└─# vi /etc/proxychains4.conf
socks5 127.0.0.1 10086
┌──(root💀kali)-[~/xll]
└─# proxychains ssh 10.1.1.100
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.15
[proxychains] Strict chain ... 127.0.0.1:10086 ... 10.1.1.100:22 ... OK
root@10.1.1.100's password:
Linux kali 6.0.0-kali6-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.0.12-1kali1 (2022-12-19) x86_64
The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Feb 3 20:40:14 2023 from 192.168.211.1
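A defender-side check for the listeners created in the sections above, as an added example that is not part of the original post: it reads `netstat -lntp` output and flags sockets held by an ssh client (-L/-D) or by sshd on a port other than its own (-R). The function names, the sample lines and their PIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag TCP listeners owned by
# ssh / sshd in `netstat -lntp` output read from stdin.
# $1 = port sshd itself is configured to listen on (assumed 22 if omitted).
find_ssh_forward_listeners() {
    awk -v sshd_port="${1:-22}" '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]      # last colon field, works for IPv6 too
        addr = substr($4, 1, length($4) - length(port) - 1)
        split($7, p, "/"); prog = p[2]; sub(/:$/, "", prog)
        if (prog == "ssh")
            kind = "client-forward(-L/-D)"      # ssh client holding a listener
        else if (prog ~ /^sshd/ && port != sshd_port)
            kind = "remote-forward(-R)"         # sshd listening off its own port
        else
            next
        scope = (addr == "127.0.0.1" || addr == "::1") ? "loopback" : "network"
        print kind, addr ":" port, scope, "pid=" p[1]
    }'
}

# Constructed sample: the listeners shown on this page, merged into one
# listing, plus the PID/Program column that -p adds. PIDs are made up.
sample_netstat() {
cat <<'EOF'
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd: /usr/sbin
tcp        0      0 127.0.0.1:10022         0.0.0.0:*               LISTEN      2345/ssh
tcp        0      0 192.168.211.130:10086   0.0.0.0:*               LISTEN      2399/ssh
tcp        0      0 127.0.0.1:10086         0.0.0.0:*               LISTEN      3456/sshd: root@pts
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd: /usr/sbin
EOF
}

sample_netstat | find_ssh_forward_listeners 22
```

On a live host, run `netstat -lntp | find_ssh_forward_listeners 22` as root so the PID/Program column is populated; a "network" scope entry corresponds to a forward that other hosts can reach.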
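5. Multi-hop proxy (-J)
# For multi-hop, the final destination IP comes first; -J is followed by the jump hosts in connection order, separated by commas
# One hop only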
┌──(root㉿kali)-[~]
└─# ssh root@192.168.211.138 -J root@192.168.211.131
root@192.168.211.131's password:
root@192.168.211.138's password:
Linux kali 5.14.0-kali2-amd64 #1 SMP Debian 5.14.9-2kali1 (2021-10-04) x86_64
The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Feb 4 08:37:51 2023 from 192.168.211.131
┏━(Message from Kali developers)
┃
┃ We have kept /usr/bin/python pointing to Python 2 for backwards
┃ compatibility. Learn how to change this and avoid this message:
┃ ⇒ https://www.kali.org/docs/general-use/python3-transition/
┃
┗━(Run: “touch ~/.hushlogin” to hide this message)
┌──(root💀kali)-[~]
└─# netstat -an|grep 22
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 192.168.211.138:22 192.168.211.131:54374 ESTABLISHED
tcp6 0 0 :::22 :::* LISTEN
unix 3 [ ] STREAM CONNECTED 12022
unix 3 [ ] STREAM CONNECTED 15522 /run/systemd/journal/st
# Two hops
┌──(root㉿kali)-[~]
└─# ssh root@192.168.211.138 -J root@192.168.211.131,xlladmin@192.168.211.132
root@192.168.211.131's password:
xlladmin@192.168.211.132's password:
root@192.168.211.138's password:
Linux kali 5.14.0-kali2-amd64 #1 SMP Debian 5.14.9-2kali1 (2021-10-04) x86_64
The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Feb 4 09:02:42 2023 from 192.168.211.131
┏━(Message from Kali developers)
┃
┃ We have kept /usr/bin/python pointing to Python 2 for backwards
┃ compatibility. Learn how to change this and avoid this message:
┃ ⇒ https://www.kali.org/docs/general-use/python3-transition/
┃
┗━(Run: “touch ~/.hushlogin” to hide this message)
┌──(root💀kali)-[~]
└─# netstat -an|grep 22|grep ESTA
tcp 0 0 192.168.211.138:22 192.168.211.132:60142 ESTABLISHED
## Can also be combined with the options above
┌──(root㉿kali)-[~]
└─# ssh -R 10086 root@192.168.211.138 -J root@192.168.211.131
root@192.168.211.131's password:
root@192.168.211.138's password:
Linux kali 5.14.0-kali2-amd64 #1 SMP Debian 5.14.9-2kali1 (2021-10-04) x86_64
The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Feb 4 08:38:31 2023 from 192.168.211.131
┏━(Message from Kali developers)
┃
┃ We have kept /usr/bin/python pointing to Python 2 for backwards
┃ compatibility. Learn how to change this and avoid this message:
┃ ⇒ https://www.kali.org/docs/general-use/python3-transition/
┃
┗━(Run: “touch ~/.hushlogin” to hide this message)
┌──(root💀kali)-[~]
└─# netstat -an|grep 10086
tcp 0 0 127.0.0.1:10086 0.0.0.0:* LISTEN
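Whether a server accepts the -L, -D, -R and -J usage shown on this page is decided by its sshd configuration. The following added example (not from the original post) summarises the relevant settings from `sshd -T` output; the function names and the three sample configurations are constructed, and the defaults used for missing keys are the OpenSSH defaults.

```shell
#!/bin/sh
# Added example (not from the original post): summarise from `sshd -T`
# output (stdin) which of the tunnel modes used on this page a server permits.
audit_sshd_forwarding() {
    awk '
    function get(k, d) { return (k in val) ? val[k] : d }
    { key = tolower($1); $1 = ""; sub(/^[ \t]+/, ""); val[key] = tolower($0) }
    END {
        fwd = get("allowtcpforwarding", "yes")          # OpenSSH default: yes
        if (get("disableforwarding", "no") == "yes") fwd = "no"
        gw = get("gatewayports", "no")                  # OpenSSH default: no
        # -L, -D and -J all open client-requested outbound channels on the server
        loc = (fwd ~ /^(yes|all|local)$/)  ? "allowed" : "blocked"
        # -R asks the server to open a listener
        rem = (fwd ~ /^(yes|all|remote)$/) ? "allowed" : "blocked"
        bind = (gw == "yes") ? "wildcard" : ((gw == "clientspecified") ? "client-chosen" : "loopback")
        print "local_forward(-L/-D/-J)=" loc " permitopen=" get("permitopen", "any")
        print "remote_forward(-R)=" rem " permitlisten=" get("permitlisten", "any") " bind=" bind
    }'
}

# Constructed samples in `sshd -T` format (lowercase key, then value).
# default: stock settings; gateway: GatewayPorts yes as mentioned for -R;
# bastion: jump host that may only relay to 20.1.1.200:22 and opens no listeners.
sample_default() { printf '%s\n' 'allowtcpforwarding yes' 'gatewayports no' 'permitopen any' 'permitlisten any'; }
sample_gateway() { printf '%s\n' 'allowtcpforwarding yes' 'gatewayports yes' 'permitopen any' 'permitlisten any'; }
sample_bastion() { printf '%s\n' 'allowtcpforwarding local' 'gatewayports no' 'permitopen 20.1.1.200:22' 'permitlisten any'; }

for s in sample_default sample_gateway sample_bastion; do
    echo "== $s"
    "$s" | audit_sshd_forwarding
done
```

On a real server, feed it the effective configuration with `sshd -T | audit_sshd_forwarding` (run as root).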