
Pivoting to exploit a system in another network

May 12, 2017 by Hashim Shaikh

What is port forwarding?

In computer networking, port forwarding is an application of network address translation (NAT) that redirects a communication request from one IP address and port number combination to another while the packets are traversing a network gateway such as a router or a firewall. It is most commonly used to make services on a host residing on a protected or masqueraded (internal) network available to hosts on the opposite side of the gateway (the external network), by remapping the destination IP address and port number of the communication to an internal host.

What is pivoting?

Pivoting is the technique of using a compromised instance, also known as a "foothold", to "move" from place to place inside the compromised network. It uses the first compromised system as a foothold that lets us compromise other devices and servers which are otherwise not directly accessible.


Example: An attacker has the IP 192.168.1.104. The attacker compromises a Windows XP system that has the IPs 192.168.1.131 and 10.128.0.3. The attacker then scans the 10.128.0.x network, finds the IP 10.128.0.1 (Linux) to be live, and goes ahead and tries to compromise it as well. The point to note is that 10.128.0.1 (Linux) is not directly accessible to the attacker, but it can still be compromised using the technique called "pivoting".

Lab setup

Requirements

Three Machines

  1. Attacker (Kali)
  2. WinXP
  3. Linux (Metasploitable or any vulnerable Linux Machine).

VMware IP Setup

Attacker

eth0 - (C Class IP) e.g. 192.168.1.104

WinXP

  1. Ethernet - (C Class IP) e.g. 192.168.1.131
  2. Ethernet - (A Class IP) e.g. 10.128.0.3

Linux

eth0 - (A Class IP) e.g. 10.128.0.1

How to configure in VMware

  1. Open VMware > Edit > "Virtual Network Editor".
  2. Click "Add Network" and add any two networks. In my case, I am adding VMnet2 and VMnet3.
  3. Select VMnet2, change the Subnet IP to 192.168.1.0 and the Subnet mask to 255.255.255.0, and select "Host-only".
  4. Select VMnet3, change the Subnet IP to 10.0.0.0 and the Subnet mask to 255.0.0.0, and select "Host-only".
  5. Now add a Network Adapter in all three machines.
  6. In the Attacker's Network Adapter, change NAT to Custom and select VMnet2.
  7. In WinXP, add two Network Adapters: the 1st as Custom VMnet2 and the 2nd as Custom VMnet3.
  8. In Linux, change the Network Adapter from NAT to Custom and select VMnet3.

Attacker (Kali Linux) IP is 192.168.1.104

Windows XP is connected to VMnet 2 (192.168.1.131) and VMnet 3 (10.128.0.3), so it has two IP addresses. My 183 segment is just for internet access.

Metasploitable's IP is 10.128.0.1, as it is connected to VMnet 3.

Try to ping XP from Kali, and try to ping Metasploitable from XP. The pings will be successful if everything is configured correctly.

****************************** LAB SETUP COMPLETED ******************************

Now the next thing is to get a meterpreter session on Win XP. Any feasible and convenient method can be used. I have installed the vulnerable BadBlue 2.72b on Win XP to obtain the meterpreter session.

The app can be downloaded from exploit-db (BadBlue 2.72b).

Check some basic meterpreter commands: getuid and sysinfo.

Now migrate to a stable process. explorer.exe is the best choice for that.

Now check ipconfig on the exploited machine.

We can see the 10.128.0.3 interface present on Windows XP. It indicates that Windows XP is connected to the 10.xxx series network.

We will use XP as a pivot to explore another machine on the 10.xxx series network.

To discover other hosts on the 10.xxx series network, we use the meterpreter arp_scanner module.

meterpreter > run arp_scanner -r 10.128.0.1/24

It shows that the IP 10.128.0.1 is alive on the Pivot network.

Now our mission is to exploit that machine. Things become more difficult when we want to exploit a machine on a pivot network.

Routing to 10.xxx series network.

Now we will make a route to 10.xxx series network using the session that we have.

To do that, background the current meterpreter session and enter the following command:

The 1 at the end of the route statement indicates that we are using session 1 for the route.

Let's check the route.

Set up a TCP scanner to scan the host 10.128.0.1 using the route through session 1 that we have added.

Then type the command run. It performs a port scan and displays the list of open ports on the Linux server.

Scanning takes time as we are working on a pivot network. This is how we can scan the network.
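From the defender's side, this stage of the procedure leaves two things in network flow logs: a dual-homed host that accepts connections from one zone and originates connections into another, and a burst of distinct destination ports from that host toward one internal target. The following added example (not from the original article) replays constructed flow records for the lab topology and flags both; the host inventory, the four-field flow record format, the host names and the scan threshold are all assumptions.

```python
"""Defender-side check for the pivot pattern in this article (added example,
not from the original). The inventory maps interface IPs to hosts, so the two
faces of the dual-homed XP box count as one host, which makes the relay visible."""
import ipaddress
from collections import defaultdict

ZONES = {"outside": ipaddress.ip_network("192.168.1.0/24"),
         "inside": ipaddress.ip_network("10.0.0.0/8")}
# Constructed inventory for the lab; in practice this comes from DHCP/CMDB data.
INVENTORY = {"kali": ["192.168.1.104"],
             "winxp": ["192.168.1.131", "10.128.0.3"],
             "metasploitable": ["10.128.0.1"]}
IP_TO_HOST = {ip: h for h, ips in INVENTORY.items() for ip in ips}
SCAN_THRESHOLD = 10  # assumed: distinct ports to one target before we call it a scan

# Constructed flow records, "src_ip src_port dst_ip dst_port" (not real captures).
SAMPLE_FLOWS = ["192.168.1.104 51000 192.168.1.131 80",   # inbound to BadBlue on XP
                "192.168.1.131 1045 192.168.1.104 4444"]  # reverse Meterpreter to Kali
SAMPLE_FLOWS += [f"10.128.0.3 {1100 + i} 10.128.0.1 {p}"  # TCP scan run through the pivot
                 for i, p in enumerate([21, 22, 23, 25, 53, 80, 111, 139, 445, 512, 513, 514])]
SAMPLE_FLOWS.append("10.128.0.3 1200 10.128.0.1 139")      # portfwd 9999 -> 139 traffic

def zone_of(ip):
    # Name of the zone an address belongs to, or "other" if it is in neither.
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "other")

def parse(lines):
    # Turn the text records into (src, sport, dst, dport) tuples.
    return [(s, int(sp), d, int(dp)) for s, sp, d, dp in (rec.split()[:4] for rec in lines)]

def bridging_hosts(flows):
    """Hosts that accept connections from one zone and originate into a zone
    they receive nothing from: the signature of a dual-homed relay."""
    inbound, outbound = defaultdict(set), defaultdict(set)
    for src, _, dst, _ in flows:
        inbound[IP_TO_HOST.get(dst, dst)].add(zone_of(src))
        outbound[IP_TO_HOST.get(src, src)].add(zone_of(dst))
    return sorted(h for h in inbound if outbound[h] - inbound[h])

def port_scans(flows, threshold=SCAN_THRESHOLD):
    """(host, target, distinct_ports) for fan-out that looks like a port scan."""
    ports = defaultdict(set)
    for src, _, dst, dport in flows:
        ports[(IP_TO_HOST.get(src, src), dst)].add(dport)
    return sorted((h, t, len(p)) for (h, t), p in ports.items() if len(p) >= threshold)

if __name__ == "__main__":
    flows = parse(SAMPLE_FLOWS)
    print("zone-bridging hosts:", bridging_hosts(flows))  # ['winxp']
    print("scan-like fan-out:", port_scans(flows))        # [('winxp', '10.128.0.1', 12)]
```

Without the inventory join, 192.168.1.131 and 10.128.0.3 look like two unrelated hosts and the relay pattern disappears, which is why interface inventory matters as much as the flow data here.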

Now the question is how to determine the services running on each port so that we can plan further exploitation.

The answer is the portfwd meterpreter command.

This binds local port 9999 to remote port 139 of the remote host 10.128.0.1.

Verification of the local port forward is done by scanning local port 9999.

So, it is Samba smbd 3.X. There is a working exploit for Samba in Metasploit named usermap_script. Configure the Metasploit module as follows.

Look at Reverse shell payload and configuration carefully. Did you find anything fishy?

The attacker's IP is 192.168.1.104 (Kali), and the reverse shell is configured to connect back to 10.128.0.3 (XP), so in practice it looks as though Windows XP will receive the reverse shell.

No, it is not like that. When we are using a Meterpreter session and working with the portfwd utility, Meterpreter routes the reverse shell back to the attacker, as it knows portfwd is in use.

So, it is the responsibility of the Meterpreter session to handle the route and the victim's session and hand the shell back to the attacker.

Well, I know it is kind of difficult to understand, but to clarify this concept you need to watch the Metasploit Megaprimer from Securitytube.com (Vivek Ramachandran). He explained the concept there.

Now run the command exploit.

And we get the shell.

Listing the sessions confirms there is a meterpreter session and a UNIX shell that is piped through it.

Confirming the same at Metasploitable.


Hence, we have compromised an internal Linux (Metasploitable) server from the outside network using Windows XP as a pivot.

Hashim Shaikh

Hashim Shaikh currently works with Aujas Networks. Holding both OSCP and CEH, he likes exploring Kali Linux. His interests include offensive security, exploitation, privilege escalation and learning new things. His blog can be found here: http://justpentest.blogspot.in and his LinkedIn profile here: https://in.linkedin.com/in/hashim-shaikh-oscp-45b90a48