SSH-2.0-OpenSSH_4.0
sent 0, rcvd 20
[root@security-lab1 ~]# netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:32768 0.0.0.0:* LISTEN 2205/rpc.statd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2185/portmap
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 5596/cupsd
tcp 0 0 127.0.0.1:49342 127.0.0.1:22 TIME_WAIT -
tcp 0 0 10.0.64.36:49343 10.0.76.109:22 TIME_WAIT -
tcp 0 0 :::80 :::* LISTEN 18531/httpd
tcp 0 0 :::22 :::* LISTEN 2378/sshd
tcp 0 0 :::443 :::* LISTEN 18531/httpd
tcp 0 124 ::ffff:10.0.64.36:22 ::ffff:10.0.77.15:1144 ESTABLISHED 20785/0
[root@security-lab1 ~]# redir --lport=3000 --cport=22 --caddr=10.0.76.109
redir has redirected port 22 of the remote host 10.0.76.109 to local port 3000.
D:\exploit>nc -vv -n 10.0.64.36 3000
(UNKNOWN) [10.0.64.36] 3000 (?) open
SSH-2.0-OpenSSH_4.0
Log in to port 3000 on 10.0.64.36 with ssh:
login as: axis
[email protected]'s password:
Last login: Thu Feb 23 14:45:52 2006
[axis@axis ~]$ /sbin/ifconfig ====> We can see that we have actually logged in to the sshd on 10.0.76.109
eth0 Link encap:Ethernet HWaddr 00:11:09:08:07:00
inet addr:10.0.76.109 Bcast:10.0.76.255 Mask:255.255.255.0
inet6 addr: fe80::211:9ff:fe08:700/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:583908 errors:0 dropped:0 overruns:0 frame:0
TX packets:8067 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:70442739 (67.1 MiB) TX bytes:864787 (844.5 KiB)
Interrupt:12 Base address:0xd000
[root@axis ~]# netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:* 0.0.0.0:* -
tcp 0 0 :::22 :::* LISTEN 2454/sshd
tcp 0 0 ::ffff:10.0.76.109:22 ::ffff:10.0.64.36:49347 ESTABLISHED 31393/sshd: axis [p
tcp 0 0 ::ffff:10.0.76.109:22 ::ffff:10.0.64.36:49346 TIME_WAIT -
[root@axis ~]#
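As shown, port 22 of the remote host 10.0.76.109 has been completely redirected to port 3000 on 10.0.64.36; connecting to port 3000 there is equivalent to connecting directly to port 22 on 10.0.76.109.
Both of the small tools above can be found on packetstorm.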