This article is about Pivoting to exploit a system in another network.
What is port forwarding?
In system networking, port forwarding is an implementation of network address translation (NAT) that redirects a notification request from one IP address and port number arrangement to another as the packets pass through a network gateway such as a router or firewall. This procedure is most often used to make services on a host located in a protected or masked (internal) network available to hosts on the opposite side of the gateway (external network) by mapping the endpoint IP address and communication port number to the internal host.
What is pivoting[Pivoting to exploit a system]?
Pivoting is an exclusive method of using an instance also known as a “foothold” to “move” from place to place inside a compromised network. It uses the first compromised system that allows us to compromise other devices and servers that are otherwise directly inaccessible.
Example: The attacker has an IP (192.168.1.104). An attacker attacks a Windows XP system with IPs 192.168.1.131 and 10.128.0.3. The attacker now scans the 10.128.0.x network and finds the IP 10.128.0.1 (Linux) which is active and then goes ahead and tries to compromise it as well. Now, it should be noted that IP 10.128.0.1 (Linux) is not directly accessible to an attacker, but can still be compromised using the “Pivoting” technique.
- attacker (Kali)
- Linux (Metasploitable or any vulnerable Linux machine).
- VMware IP settings
- eth0 – (C Class IP) eg 192.168.1.104
- Ethernet – (C Class IP) e.g. 192.168.1.131
- Ethernet – (class A IP) e.g. 10.128.0.3
eth0 – (class A IP) eg 10.128.0.1
How to configure in VMware
- Open VMware. > Edit. >”Virtual Network Editor.”
- Click “Add Network” to add any two networks. In my case I am adding VMnet2 and VMnet3
- Select VMnet2 and change the subnet IP. 192.168.1.0 and subnet mask –
- 255.255.255.0 also select “Host. Only”
- Select VMnet3 and change the subnet IP. 10.0.0.0 and subnet mask –
- 255.0.0.0 also select “Host. Only”
- Now add the network adapter to all three computers
- In the attacker’s network adapter, change the NAT to its own “Select VMnet2”.
In WinXP add 2 Attacker network adapter
- “Custom VMnet2” network adapter.
- “Custom VMnet3” network adapter.
On Linux, add Network Adapter Change NAT to your own “Select VMnet3”.
The IP of the attacker (Kali Linux) is 192.168.1.104
Windows XP is connected to VMnet 2 (192.168.1.131) and VMnet 3 (10.128.0.3) so it has 2 IP addresses. My segment 183 is for internet access only.
Metasploitable IP is 10.128.0.1 because it is connected to VMnet 3
Try pinging XP from Kali. Try pinging Metasploitable from XP. The ping will be successful if everything is configured correctly.
LAB_SET_UP_ COMPLETED**** ****
Now the next thing is to do a Win XP meter session. Any practicable and continental method may be used. I installed the vulnerable BadBlue 2.72b on Win XP to start a meterpreter session.
The application can be downloaded from exploit-db badblue 2.7.2b
Try some basic meter commands. getuid and sysinfo.
Now migrate to some stable process. explorer.exe is the best choice for this.
Now the IPconfig of the exploited computer is checked
In Windows XP we can see the interface 10.128.0.3. Indicates that Windows XP is connected to a 10.xxx series network.
We will use XP as a pivot to explore another machine in the 10xxx series network.
We use the arp_scanner meterpreter module to determine the next host in the 10.xxx series network.
meterpreter>run arp_scanner -r 10.128.0.1/24
It shows that IP 10.128.0.1 is live on the Pivot network.
Now our mission is to exploit that machine. Things become more difficult when we want to exploit a machine in a pivot network.
Routing to the 10.xxx series network.
Now we will create a route to the 10.xxx series network using the session we have.
To do this, use the current meterpreter and enter the following command:
The 1 at the end of the route command indicates that we are using session 1 to for the route.
We will check the route
Setting up the TCP scanner to scan host 10.128.0.1 using the session 1 route we added.
Then type the run command. Performs a port scan and displays a list of open ports on the Linux server
Scanning takes time because we are working on a pivot network. This is how we can scan the network.
Now the question is how to determine the services allowed on each port so that we can think about further usage.
The answer is the protfwd meterpreter command.
This will bind local port 9999 to remote port 139 of remote host 10.128.0.1
Verification of local port forwarding is done by scanning local port 9999.
So it’s Samba smbd 3.X. There is a working exploit for Samba in Metasploit called usermap_script. Configure the Metasploit module as follows.
Carefully review the payload and configuration of the Reverse shell. Did you find anything fishy?
Attacker IP is 192.168.1.104 (Kali) and we have reverse shell on 10.128.0.3 (XP) so practically Windows XP will have reverse shell.
No, it’s not like that. When we use a Meterperter session and work with the portfwd utility, our Meterpreter is programmed to direct a shellback to the attacker because it knows that portfwd is being used.
So it is the responsibility of the Meterpreter session to handle the route, the victim session and return it to the attacker.
Ok, I know it’s a bit difficult to understand, but you need to follow the Metasploit megaprimer from Securitytube.com (Vivek Ramachandran) to clarify this concept. He explained the concept there.
Now run the exploit command
In addition, we get a shell similarly.
Confirming the session list shows that there is a meterpreter and a Unix shell that is being mediated.
We confirm the same on Metasploitable.