Pivoting to exploit a system in another network
What is port forwarding?
In the field of system networking, port forwarding is an implementation of network address translation (NAT) that redirects an announcement request from one IP and port number arrangement to another while the packets are navigating a network gateway like a router or a firewall. This procedure is most generally used to make services on a host residing on a protected or masqueraded (internal) network available to hosts on the opposite side of the gateway (external network), by remapping the endpoint IP address and port number of the communication to an internal host.
What is pivoting?
Pivoting is the exclusive method of using an instance also known by ‘foothold’ to be able to “move” from place to place inside the compromised network. It uses the first compromised system foothold to allow us to compromise other devices and servers that are otherwise inaccessible directly.
Example: An Attacker has an IP (192.168.1.104). The attacker compromises a Windows XP system having IP 192.168.1.131 and 10.128.0.3. Now the attacker scan 10.128.0.x network and found an IP 10.128.0.1 (Linux) to be live and then he goes ahead and tries to compromise it as well. Now Point to be noted is that the IP 10.128.0.1 (Linux) is not directly accessible to the attacker, but still, it can be compromised by the technique “Pivoting.”
- Attacker (Kali)
- Linux (Metasploitable or any vulnerable Linux Machine).
VMware IP Setup
eth0 – (C Class IP) e.g. 192.168.1.104
- Ethernet – (C Class IP) eg.192.168.1.131
- Ethernet – (A Class IP) e.g. 10.128.0.3
eth0 – (A Class IP) e.g. 10.128.0.1
How to configure in VMware
- Open VMware. > Edit. >”Virtual Network Editor.”
- Click on “Add Network” and add any two networks. In my case, I am adding VMnet2 and VMnet3
- Select VMnet2 and change Subnet IP. 192.168.1.0 and Subnet mask –
- 255.255.255.0 also select “Host. Only”
- Select VMnet3 and change Subnet IP. 10.0.0.0 and Subnet mask –
- 255.0.0.0 also select “Host. Only”
- Now add Network Adapter in all three machines
- In Attacker Network Adapter Change NAT to Custom “Select VMnet2.”
- In WinXP add 2 Attacker Network Adapter
- 1st Network Adapter “Custom VMnet2.”
- 2nd Network Adapter “Custom VMnet3.”
- In Linux, add Network Adapter Change NAT to custom “Select VMnet3.”
Attacker (Kali Linux) IP is 192.168.1.104
Windows XP is connected to VMnet 2 (192.168.1.131) and VMnet 3 (10.128.0.3), so it has 2 IP address. My 183 segment is just for internet access.
Metasploitable IP is 10.128.0.1 as it is connected to VMnet 3
Try to ping XP from Kali. Try to ping Metasploitable from XP. Ping will be success full if everything is configured correctly.
Now the next thing is to take a meterpreter session of Win XP. Any feasible and continent method can be used. I have installed vulnerable BadBlue 2.72b on Win XP to take up the meterpreter session.
App can be downloaded from exploit-db badblue 2.7.2b
Checking out some basic meterpreter commands. getuid and sysinfo.
Now migrate to some stable process. explorer.exe is the best choice for that.
Now Checking out IPconfig of the exploited machine
We can see 10.128.0.3 interface present on Windows XP. It indicates that Windows XP is connected to 10.xxx series network.
We will use XP as a pivot to explore another machine on 10xxx series network.
To determine another host on 10.xxx series network, we use a meterpreter arp_scanner module.
meterpreter>run arp_scanner -r 10.128.0.1/24
It shows that the IP 10.128.0.1 is alive on the Pivot network.
Now our mission is to exploit that machine. Things become difficult when we want to exploit a machine on a pivot network.
Routing to 10.xxx series network.
Now we will make a route to 10.xxx series network using the session that we have.
To do that background the current meterpreter and enter the following command:
The 1 at the end of the route statement indicates that we are using session 1 to for the route.
Let’s check the route
Setting up a TCP scanner to scan the host 10.128.0.1 using the route of session 1 that we have added.
Then type the command run. It does a port scan and displays list of open ports on the Linux server
Scanning takes time as we are working on a pivot network. This is how we can scan the network.
Now the Question is how to determine the services enabled on each port so that we can think of further exploitation.
The answer is protfwd meterpreter command.
This will bind the local port 9999 to remote port 139 of the remote host 10.128.0.1
Verification of local port forward is done by scanning the local port 9999.
So, it is Samba smbd 3.X. There’s a working exploit for Samba in Metasploit with the name usermap_script. Configure Metasploit module as follows.
Look at Reverse shell payload and configuration carefully. Did you find anything fishy?
Attacker IP is 192.168.1.104 (Kali), and we have a reverse shell to 10.128.0.3 (XP), so practically Windows XP will have the reverse shell.
No, it is not like that. When we are using a Meterperter session and working with portfwd utility, our Meterpreter is programmed to route the reverse shell to the attacker as it knows portfwd is in use.
So, it is the responsibility of Meterpreter session to handle the route, victim session and give it back to the attacker.
Well I know it is kind of difficult to understand, but to clarify this concept you need to watch Metasploit megaprimer from Securitytube.com (Vivek Ramachandran). He explained the concept there.
Now run the command exploit
Moreover, we get the shell likewise.
Confirming list of sessions shows there’s a meterpreter and a UNIX shell that is piped.
Confirming the same at Metasploitable.
Hence, we have compromised an Internal Linux (Metasploitable) server from outside network using Windows XP as a pivot.