Abstract
The reason for explaining this thing here is that the author found during the initial learning of internal networks that there are always only superficial explanations online about how to actually attack in a real environment, how to attack, and they teach you the basic configurations but do not tell you how to truly utilize them. This article will discuss how to use Rustdesk to truly perform post-intrusion on multi-layer internal network configurations (Windows version), and at the end of the article, I will provide the Rustdesk version, which has been personally tested and is applicable to win7, win10, and win2008.
The environment
Remote control tool:
GoToHTTP, the author of RustDesk currently uses these two, feelingRustDeskIt is more useful, of course, it needs to be tested in specific environments. The reason it is good is that it not only has the advantages of GotoHTTP, but it is also free and open source, and it supports self-built servers. Who wouldn't love it with such good intentions? Of course,Most importantlyThe point is: it can be run with ordinary permissions, and it supports pure internal network environment.
Summary: Too Timmy is very useful, it is free, and you can self-build, which means you can be very smooth in the internal network
RustDesk principle:
Public network deployment of RustDesk server,
When A client connects to the server, the server will record its id and password
When B client connects to the server, the server will record its id and password
When A wants to connect to B, because both A and B are in the internal network, so all of A's operations are passed to the server. Since the server has already established a connection with B, the server can then operate B
Shortcomings: the official RustDesk server is deployed on the public network, if the target internal network host does not go online, it cannot be utilized. Solution: set up a RustDesk server on the target boundary host
Internal network environment:
Target machine win2008: Network card: 192.168.203.128 (not going online, but the internal 203 segment network card can be accessed)
Jump box win7:
Network card 1: 192.168.159.144
Network card 2: 192.168.203.129 (this 203 segment is not going online)
Attack machine win10: 192.168.159.162 (this network card IP can access the jump box)
Detailed environment description:
The win10 attack machine can be understood as our local machine; we have already taken over the win7 jump box and the win2008 target machine. However, win7 can go online (assuming that file upload can execute commands), while win2008 cannot go online (it is completely not going online). Here, we have successfully uploaded our RustDesk to win7 through file upload (there may be a virus alert when uploading, the old version of FireWall is not alerting, 360 is alerting; it is still recommended to do some anti-aversion, but I will not demonstrate it here), and turned off its antivirus software, horizontally seized win2008 which is not going online and the antivirus software is turned to the strongest. We also do not know its account and password. At this point, our goal is to enter win2008 and turn off its antivirus software to further horizontally seize it.
Detailed setup process
The three files shown in the figure are essential; hbbr and hbbs are used to set up your own relay server
We have already uploaded RustDesk to the win7 jump box and remotely controlled win7 on it (in this demonstration, I am directly operating on win7, but it is the same in actual environment; in a real scenario, you would remotely control win7 from win10)
Run hbbr and hbbs
hbbs.exe -r 0.0.0.0
评论已关闭