Wednesday 23 January 2019

Metasploit Pivoting - (Roaming through a hacked network)


Metasploit Pivoting

What is Metasploit Pivoting?

Pivoting is a technique in which Metasploit routes traffic from a compromised computer toward other networks that are not directly reachable from the attacker's machine. Using this technique, a penetration tester can reach the internal network behind the compromised computer.

--Attacker End--

Operating System - Parrot OS
Network Range - 192.168.43.0/24
IP Address - 192.168.43.134

--Victim Network--

Operating System (Of 1st victim) - Windows 7 (Build 7600)
Operating System (Of 2nd victim) - Windows XP
Network Range - 192.168.31.0/24
IP Address (Of 1st victim) - 192.168.31.142
IP Address (Of 2nd victim) - 192.168.31.139

Metasploit pivoting is performed in the following steps:

  1. At least one compromised machine on the target network (this can be done in many ways, like social engineering; yes, it works. I used a payload generated by msfvenom).
  2. When we have Meterpreter access, we have to bypass UAC (User Account Control) on the hacked machine.
  3. Run the autoroute script in Metasploit.
  4. Then we can use the TCP port scanner in the auxiliary module to list connected machines with their open ports (I scanned for the specific port 445).
  5. After attacking the vulnerable machine we can own that too.

I performed this attack on VMware.


1. Exploited the first machine by transferring the payload to the victim (192.168.31.142) and got a Meterpreter session here.


2. We can use the exploit "windows/local/bypassuac_injection" in order to bypass UAC. Set the session id in the options and run the exploit. It will open another session, but this time with UAC bypassed.


3. Now we have to run the autoroute script "post/multi/manage/autoroute", setting all the required options, to add all subnets to our route.


4. We can use the TCP port scanner in the auxiliary module "auxiliary/scanner/portscan/tcp" to scan connected devices for their open ports, which tells us where to look for vulnerabilities. Set "rhosts", "ports" (I searched for port 445) and "threads" in the options and run the module.


5. As we can see, our 2nd victim has port 445 open. I am using exploit ms17_010_psexec (the vulnerability was known to me). We have to set all the required options for the exploit and then run it. This will give us a Meterpreter session on the 2nd victim.


In this way we can reach and exploit the internal network by pivoting in Metasploit.

Thank you for taking the time to read this article. Feel free to post your suggestions in the comment section below.
